FMEA Procedure K-Pos

Document Frontpage
CODE 1 ACCEPTED
ACCEPTED WITH
CODE 2
COMMENTS INCORPORATED
NOT ACCEPTED
CODE 3
REVISE AND RESUBMIT
CODE 4 FOR INFORMATION ONLY
B 22.01.2009 As Built ToS TLT THoe

A 04.06.2008 Issued for approval ToS TLT SMa
Proj. Issued Date Description Made Chk'd Appr.
Rev. by by by
Package Title :
IAS Package
Acceptance Code 1: Supplier:

Accepted
Acceptance Code 2: Suppliers Doc No:

Accepted with comments
incorporated. Revise and resubmit
440-1057.100-F-012
Acceptance Code 3: Subsuppliers Doc No:
Not accepted.
Revise and resubmit NA
Acceptance Code 4: Tag No./Line No.:

For information only
NA
Reviewer Signature: Date: SDRL Code: SFI Code: Area: System: Res. Unit:
C09 408 NA NA Automation
Contractor: Note: Where not applicable use NA

Document title:
NA
Client:
FMEA Procedure K-Pos DP-1, K-Pos DP-2
and cJoy
Project name: Client Doc No: Client rev;
B
SM452 Sevan 650 Drilling Unit 452-790-SP-101509
Hull no: PO Number: Pages:
N111 440-1057.000-1301-0001 1 of 111
Comments, remarks or acceptance from Sevan shall not

in any way limit the suppliers responsibility with respect
to fulfillment of all applicable rules, regulations and
statutory requirements and obligations in accordance
with his contract or purchase order.
FMEA Procedure
K-Pos DP-1, K-Pos DP-2 and cJoy
Sevan Deepsea Driller
Project: 28540
Product K-Pos DP-1, K-Pos DP-2 and cJoy
Synopsis: FMEA for the Kongsberg Maritime deliverery.
Classification society: DNV AUTRO
Document number: 1059180 Revision: A
Customer doc number: Document version: 1.0
Contract number: Number of pages: 89
Rev. Date Reason for issue Made by Checked Approved
A 17.10.2007 For approval NN JRK TMF
Kongsberg Maritime AS
Table of contents
1 ABOUT THIS DOCUMENT ..................................................................................6
1.1 Document history ..................................................................................................6
1.2 References .............................................................................................................6
1.3 Definitions / Abbreviations ...................................................................................6
2 INTRODUCTION....................................................................................................8
2.1 Purpose ..................................................................................................................8
2.2 Scope .....................................................................................................................8
2.3 Assumptions and limitations .................................................................................8
3 ANALYSIS METHOD AND TOOLS..................................................................10

3.1 Analysis approach ...............................................................................................10
3.1.1 Top level FMEA using the Preliminary Safety Analysis (PSA) ................ 10
3.1.2 Detailed FMEA on component level .......................................................... 11
3.2 Description of Forms ...........................................................................................11
3.2.1 PSA Form ................................................................................................... 11
3.2.2 FME(C)A Form .......................................................................................... 12
3.3 Primary failure modes addressed.........................................................................14
4 SYSTEM DESCRIPTION ....................................................................................15

4.1 Outline of the system...........................................................................................15
4.1.1 Operator Stations ........................................................................................ 15
4.1.2 Controllers .................................................................................................. 16
4.1.3 Power supply .............................................................................................. 16
4.1.4 Network ...................................................................................................... 16
4.1.5 Position reference systems and sensors ...................................................... 16
4.2 Dynamic Positioning ...........................................................................................17
4.2.1 Software control in the DP system ............................................................. 17
4.2.2 Experienced reliability for DP control system software............................. 17
1059180 / / Page 2 of 110

5 RESULT OF FMEA ..............................................................................................18

5.1 PSA: OS, Networks and UPS systems ...............................................................19
5.1.1 K-Pos OS 1/2/3........................................................................................... 19
5.1.2 K-Pos Network ........................................................................................... 21
5.1.3 UPS 1/2/3.................................................................................................... 23
5.2 PSA: Dynamic Positioning Controller ...............................................................25
5.2.1 DPC-2 ......................................................................................................... 25
5.2.2 DPC-1 ......................................................................................................... 31
5.3 PSA: Independent Control System .....................................................................34
5.3.1 cC-1 ............................................................................................................ 34
5.4 PSA: Fire Backup Switch ...................................................................................36
5.5 PSA: Reference systems.....................................................................................39
5.5.1 DGPS 1/2.................................................................................................... 39
5.5.2 HiPAP 1/2................................................................................................... 42
5.5.3 Interface LTW 1/2 ...................................................................................... 44
5.6 PSA: Sensors ......................................................................................................46
5.6.1 Gyro 1/2/3................................................................................................... 46
5.6.2 Wind Sensor 1/2/3 ...................................................................................... 48
5.6.3 MRU 1/2/3.................................................................................................. 50
APPENDIX A LAYOUT DRAWING .........................................................................53
APPENDIX B I/O SPECIFICATION .........................................................................57
APPENDIX C TECHNICAL DRAWINGS ................................................................97
1059180 / / Page 3 of 110

Table of figures
Figure 1:.......................................................................................................................... 53
Figure 2:.......................................................................................................................... 54
Figure 3:.......................................................................................................................... 55
Figure 4:.......................................................................................................................... 56
Figure 1: Power and wiring diagram for Operator Station............................................. 97
Figure 2: Network Structure, 2xOS and DPC-2............................................................. 98
Figure 3: Principle block diagram, DPC-2 ..................................................................... 99
Figure 4: Principle block diagram of I/O signals, DPC-2 ............................................ 100
Figure 5: Power & Wiring Diagram, DPC-2................................................................ 101
Figure 6: Power & Wiring Diagram, RBUS A-Section, DPC-2 .................................. 102
Figure 7: Power & Wiring Diagram, RBUS B-Section, DPC-2 .................................. 103
Figure 8: Termination Diagram, 88ch I/O Serial ch1-8 A-Section, DPC-2 ................. 104
Figure 9: Termination Diagram, 88ch I/O Serial ch9-16 B-Section, DPC-2 ............... 105
Figure 10: Change over switch, 3-position................................................................... 106
Figure 11: Principle block diagram, cC-1 .................................................................... 107
Figure 12: Principle block diagram of I/O signals, cC-1.............................................. 108
Figure 1: Principle block diagram, cC-1 ...................................................................... 109
Figure 2: Principle block diagram of I/O signals, cC-1................................................ 110
1059180 / / Page 4 of 110

Summary and Conclusions

This report documents the Failure Mode and Effect Analysis performed for KM
delivery.
The various system elements have been analysed with respect to effects if a single
failure should occur.
In addition to this analysis, all major hardware equipment are subject to detailed
FMEAs, as a part of Kongsberg Maritimes development process.
The analysis has not revealed any single failure in the main system that could have
critical consequences with regards to personnel or operational safety.
The most serious single points that are detected through the analysis are loss of one
RMP module. Failure in these different modules may cause a loss of one generator /
thruster and may cause reduction of positioning performance, dependent on weather /
force conditions. Operator intervention may be needed to maintain DP-function.
A single joystick is provided and is independent of the other control systems. The
system is hardwired to each thruster and operates independent of the dual network.
A single fire backup switch switches between the main and the backup system. In case
of failure of the switch, it may not be possible to switch between different modes. The
criticality of this depends on the current operating mode before failure. If none of the
modes are functioning, you have to operate each thruster manually. The reliability for
this fire backup switch is, however, considered high and the probability for critical
failure is low.
1059180 / / Page 5 of 110

1 ABOUT THIS DOCUMENT
1.1 Document history
Revision Description of Change
A First issue
1.2 References
Documentation used for the FMEA is included in the appendix of this report.
In addition, product descriptions for the generic products are used.
1.3 Definitions / Abbreviations

AI Analogue Input
AIO Analogue Input Output
AO Analogue Output
cJoy Compact Joystick
DGPS Differential Global Positioning System
DO Digital Output
DI Digital Input
DPC Dynamic Positioning Controller
FMEA Failure Mode and Effect Analysis
FME(c)A Failure mode and Effect (criticality) Analysis
FS Field Station (Cabinet with controller and/or RIO modules)
IAS Integrated Automation System
I/O Input / output
JC Joystick Cabinet
KM Kongsberg Maritime
K-POS Kongsberg Positioning System
LAN Local Area Network
1059180 / / Page 6 of 110

LCL Lever Communication Link
MTTF Mean Time To Failure
MTTR Mean Time to Repair
MRU Motion Reference Unit
N/A Not Applicable
NC Normally Closed
NDU Net Distribution Unit
NO Normally Open
OS Operator Station
PMS Power Management System
PSA Preliminary Safety Analysis
RBUS Remote serial data BUS
RCS Remote Control System
RCU Remote Controller Unit
RDUM RMP Dummy module
RHUB RBUS HUB module
RIO Remote Input Output Unit
RPB Remote Push Button
RSER Remote Serial I/O module
TC Thruster Control
SBC Single Board Computer
SDP Kongsberg (Simrad) Dynamic Positioning
STBD Starboard
SW Software
TB Terminal Board
TBAI TB (Analogue Input)
TBAIO TB (Analogue Input and Output)
TBAO TB (Analogue Output)
TBDI TB (Digital Input)
TBDO TB (Digital Output)
TBSS TB (Serial line)
THR Thruster
UPS Uninterruptible Power Supply
VRS Vertical Reference Unit
1059180 / / Page 7 of 110

2 INTRODUCTION
2.1 Purpose
This document is a Failure Mode and Effect Analysis (FMEA) for KM delivery. This
document covers some general information in addition to the project specific FMEA.
2.2 Scope
The scope of the analysis is Kongsberg Maritimes delivery. Which sensors and position
reference systems that are KM delivery, is presented in section 4.1.5. Interfaces are
prepared for the sensors and systems that are not delivered by KM, but they are not
included in the analysis.
The software, thrusters and ship supply are not part of the analysis.
2.3 Assumptions and limitations

The basis for the FMEA is:
Vessel fully operational
All operator stations (OSs) working
All control systems operational
No errors present prior to analysis
The control system in the computers has not been analysed, as it is a part of the
computer's software. Ideally, it could be assumed that after the system is tuned up and
tested, no errors will arise from the computer software. This is however not always true,
but there are no requirement that this assessment should be included in the FMEA.
As software errors are difficult to predict within a reasonable confidence level, the
software error probabilities are based on experienced data from similar systems and
applications.
This is among others due to the nature of the software, and to the fact that there is no
known good method for calculation of predicted software reliability data. Reference is
made to section 4.2.2 Experienced reliability for DP control system software.
Hardware is discussed on a detail level represented by failure modes which in each case
is considered being relevant and sufficient for the item in question with respect to
critical effect on primary functions.
Only functions / items that are considered to have influence on vital functions are
analysed, hence peripheral equipment like printers, data logging equipment etc. are not
analysed.
1059180 / / Page 8 of 110

Units with redundancy like reference systems, sensors etc. are discussed in the same
manner, as there are backup systems / units for each of them.
The dynamic positioning controller A and B is discussed on block level. Blocks that in
the pre analysis (PSA) are found to have common components are analysed further for
potential common mode/cause failures.
The Autopilot is not analysed.
Possible failures that may be caused by external environmental influences like lightning,
collisions by other vessels, sabotage etc. are not considered here.
1059180 / / Page 9 of 110

3 ANALYSIS METHOD AND TOOLS

This section gives an introduction to the FMEA method and tools used to perform the
analysis.
3.1 Analysis approach

The purpose of the FMEA is to give a description of different failure modes of the
equipment referred to their functional objectives, and to detect possible critical points in
the system at block level.
The monitoring and control systems and their subsystems are broken down to block
level. The breakdown is performed to such a level of detail that the main system units
are shown.
The analysis is performed in two major steps:
1. Top level Failure Mode and Effect Analysis (FMEA) utilising the
Preliminary Safety Analysis (PSA) method (described in section 3.1.1) and
if relevant:
2. Detailed FMEA on component level (described in section 3.1.2)
As a general rule a detailed FMEA is performed on component level on all Kongsberg

Maritime equipment that builds the systems.
3.1.1 Top level FMEA using the Preliminary Safety

Analysis (PSA)
In systems with a fair degree of redundancy a top down approach is initially used to
identify the most critical system blocks with regard to system integrity.
The first step is to analyse on the block / unit level where the relevant failure modes of
the block are identified, partly based on some standard failure modes, and partly based
on knowledge and experience with similar equipment, in other words:
PSA is an initiating, systematic screening of the subsystems at block level in order to
identify if there can be any failure modes present which may have a critical effect on
system level (i.e. possible loss of station keeping capability for given operating
conditions).
If no critical failure modes are detected on block level, a more detailed FMEA of this
block is not performed.
If critical failure modes/points are detected, these are notified in the PSA table, for
further investigation in the detailed FMEA table.
1059180 / / Page 10 of 110

3.1.2 Detailed FMEA on component level

The failure modes that were found to be critical in the PSA are further analysed in the
detailed FMEA table.
The analysis includes a description of each physically and functionally independent
item, its mode of operation, the associated failure modes with their possible failure
causes, a description of the subsequent effect of each failure mode locally and of the
primary function and barriers to compensate the failure effect.
The FMEA is based on a standard form. The following paragraphs give brief
instructions on how the form is used.
3.2 Description of Forms

The FMEAs are based on standard forms. The following paragraphs give brief
description on how the forms are defined.
3.2.1 PSA Form

PSA: The analysed unit / item
Element: The analysed unit / item
Function: ________________________
Fig.: ________________________
Table 1 PSA Form
ITEM DESCRIPTION FAILURE DESCRIPTION ADDITIONAL INFO
(1) (2) (3) (4) (5) (6) (7) (8)
Unit/ Function Redun- Failure Failure Failure Compensating Detailed

dancy mode conse- measures FMEA
Module detection
quence
(Y/N) (Y/N)
The PSA is as shown in Table 1 divided in 3 major parts; Item description, Failure
description and Additional info. The meaning of the different parameters is explained
below:
1059180 / / Page 11 of 110

Table 2 PSA parameters
Main part Parameters Description
Item Unit/Module Subunit/module being analysed

description
Function Main function of the subunit/module
Redundancy Ticked as Yes if there is one, or more than one, identical unit
providing full redundancy function
Failure Failure mode Main failure modes addressed in the PSA are:
description
Power failure (too high, too low etc.)
Power fuse faulty
Signal missing/faulty
Unit/Module faulty (loss of main function)
Additional failure modes are used where relevant as listed in
chapter 3.3
Failure detection Main failure detection method, e.g. if failure is evident (e.g.
alarm) or dormant (revealed when operated/tested)
Failure consequence Immediate consequence on DP- system capability
Additional Compensating Measures available for eliminating or reducing the

info measures consequence on the DP-system capability (e.g. redundancy)
Detailed FMEA Ticked as Yes if detailed FMEA is carried out, otherwise No
3.2.2 FME(C)A Form

The form gives a description of the physically and functionally independent item to be
analysed. The item is here most commonly a unit or a subsystem.
An evaluation of the criticality of each failure is not required for the DP and thruster
control system. An FMECA is therefore not performed.
The parameters analysed and their meaning is shown in Table 3.
1059180 / / Page 12 of 110

Table 3 FMEA parameters
A: ELEMENT LEVEL: B: FUNCTION

The analysed element (unit, component or Element main function
group of components).
PARAMETER DESCRIPTION
1. Item/Component ident. The analysed item/component (Compartment) identified by a
(or Compartment ident.) number or by name.
2. Function Main function of the analyzed component
3. Mode of operation Assumed operational mode of the item before failure occurs or
the event phase in which the failure occurs.
4. Failure mode Failure modes associated with the element.
5. Failure cause(s) Failure cause(s)/mechanism(s) of each failure mode.
6. Detection method Method by which the failure mode is normally detected. It
should in particular be stated whether the failure will be
immediately detected (e.g. alarm) or only be detected upon
testing or on-demand (hidden failure).
7. Failure effect locally (or Local effects of failure mode (on Component/ Item level)
other)
8. Failure Effect on Effect of a failure mode on the performance of functions of
Primary (DP) Functions higher level, normally the DP-function. A column explaining
Other effects may also be included where relevant.
9. Compensating How the failure mode may be compensated for (e.g.
provisions redundancy, safety devices etc.)
10.Comments Additional information as deemed required for assessing the
effect of this failure.
Examples: (1) Recommended additional measures to eliminate
a failure mode or minimise its effect on main functions. (2)
Possible pre-planned alternative methods of operation.
1059180 / / Page 13 of 110

3.3 Primary failure modes addressed

Standard failure modes used in the FMEA are:
- Power failure (or too low power)

- Open circuit
- Short circuit
- Overload
- Fail to start/activate (upon command)
- Fail to stop
- Spurious stop/closure
- Spurious start/activation
- Fail to close
- Fail to open
- Function failure, i.e. primary function of the unit fails or do not perform as
intended
- Signal failure (additionally specify type of signal, e.g. input, output, command)
- Common cause failure
In addition to the standard failure modes, there will most probably be necessary to
define other failure modes that are relevant for the actual situation.
1059180 / / Page 14 of 110

4 SYSTEM DESCRIPTION
This section includes an outline of the specific system in addition to some general
information on the Kongsberg Maritime systems.
4.1 Outline of the system

The major system areas and functions subject to this analysis are:
Dynamic Positioning Control system
Independent Joystick
Table 4 Thrusters and generators
Thruster name Thruster no. Generator/Motor
Th. 1 1 G1/G2
Th. 2 2 G1/G2
Th. 3 3 G5/G6
Th. 4 4 G5/G6
Th. 5. 5 G3/G4
Th. 6 6 G3/G4
Th. 7 7 G7/G8
Th. 8 8 G7/G8
4.1.1 Operator Stations

The following operator stations are installed on this vessel:
2 DP Operator Stations
1 DP Operator Stations for backup system
cJoy Operator Terminal
1059180 / / Page 15 of 110

4.1.2 Controllers
The following controllers are installed on this vessel:
dual DP controller
backup controller
joystick controller (independent joystick system)
All logic with respect to safety, control and monitoring is located in the controllers.
4.1.3 Power supply

The redundant DPC have dual power supplies. Two 115/230 VAC feeders (from UPSs)
are fed to two (100 %) 24 V DC power supplies. There are two UPSs for the main
system (UPS 1 and UPS 2).
4.1.4 Network
There is a redundant network, with Net A and Net B. This is shown in Appendix C.
Net switch for Net A is located in DP OS 1, and net switch for Net B is located in DP
OS 3 / backup OS.
4.1.5 Position reference systems and sensors

The following systems are installed:
Table 5 Reference systems and sensors
Position reference KM delivery of Included in Main Included in

system and total system Backup system
sensors
DGPS 2 of 2 1 and 2 1 and 2
LTW 0 of 2 1 1
RAM 0 of 1 1 -
HiPAP 2 of 2 1 and 2 1 and 2
Gyros 3 of 3 1, 2 and 3 1
Wind sensors 3 of 3 1, 2 and 3 1
MRU (VRS) 3 of 3 1, 2 and 3 1
1059180 / / Page 16 of 110

4.2 Dynamic Positioning

4.2.1 Software control in the DP system
In the Kongsberg Maritime Dynamic Positioning Control System the redundancy is
implemented by having two or three controller computers working in parallel. Within
each controller computer there is no software module redundancy. The required
reliability is achieved by the implemented diagnostics system that monitors all input
signals to the system. All critical results that are computed, such as position estimate,
are also checked between the computers. System diagnostics are further described in the
Product Description for K-Pos.
In a dual redundant system there will be an automatic change-over to the other computer
if a critical software or hardware error occurs. The operator can also at any time initiate
a bumpless switch-over to the other computer as well as force the off-line computer
equal to the on-line computer.
4.2.2 Experienced reliability for DP control system

software
This is a new generation of DP system, however this is based on previous generation of
DP Control systems
To obtain average critical software failure rate, the accumulated effective running
system hours (estimated to 20% of full time) in 2006 is 1.749.300 hours.
During this year there were registered 4 specific critical software failures. (Half of the
unspecified failures are also included).
Hence, the average critical software failure rate is 2.28 E-06 per hour (0.020 failures per
year).
However, one should be aware that such figures are only indicative, never absolute.
1059180 / / Page 17 of 110

5 RESULT OF FMEA
In the following the system is broken down into manageable sub systems/functions and
a Top Level FMEA (PSA) for each main system/function is performed. This is done
using the PSA as a tool to determine if a detailed FMEA is needed for any of these.
1059180 / / Page 18 of 110

5.1 PSA: OS, Networks and UPS systems

5.1.1 K-Pos OS 1/2/3
Element: K-Pos Operator Station 1/2/3 Element function: Operator communication with the DP-controllers
DESCRIPTION FAILURE ASSESSMENT ADDITIONAL INFO

(1) (2) (3) (4) (5) (6) (7) (8)
Module/ Function Redun- Failure Failure Failure consequence
dancy mode Compensating Detailed
unit detection
measures FMEA
(Y/N)
OS 1/2/3 Main Yes 1. Power Alarm reported Not critical. The other OS is No
operator failure from other OS. The OS will loose its power supplied from other
interface (115/230 Alarm buzzer on and is not operating. source and is still
VAC) effected OS operating.
activated.
OS 1/2/3 Main Yes 2. Function Alarm Not critical. The other OS is No
operator failure OS is not operating. functioning as normal.
interface
Computer Comm- Yes 3. Loose Alarm Not critical. Other OS is No
USB cable unication plug Panel system is not operating. functioning as normal.
to panel with panel (open
Operator input is not possible.
system system loop)
1059180 / / Page 19 of 110

DESCRIPTION FAILURE ASSESSMENT ADDITIONAL INFO

(1) (2) (3) (4) (5) (6) (7) (8)
Module/ Function Redun- Failure Failure Failure consequence
dancy mode Compensating Detailed
unit detection
measures FMEA
(Y/N)
PSU 24VDC Yes 4. Power Alarm Not critical. Other OS is No
power failure Panel system is not operating. functioning as normal.
supply
Operator input is not possible.
Joystick Operator Yes 5. Loose Alarm Not Critical. Other OS is No
input to wire Joystick input disabled by functioning as normal.
DP (open system.
loop)
In autopilot mode, last valid
setpoint is used by system.
In all other modes, zero
setpoint form joystick is used
by system.
Comments:
1059180 / / Page 20 of 110

5.1.2 K-Pos Network
Element: Network A/B Element function: Communication between system components

(1) (2) (3) (4) (5) (6) (7) (8)
Module/unit Function Redun- Failure mode Failure Failure consequence Compensating measures Detailed
dancy detection FMEA
(Y/N) (Y/N)
Net switch A Power No 1. Power Alarm Not critical. Power to each net switch is No
or B failure from separate sources.
The other net is functioning.
Net switch A Network Yes 2. Function Alarm Not critical. The other net is functioning. No
or B failure
Net cable, Electrical Yes 3. Function Alarm Not critical. The other net is functioning. No
Net A or B connection failure
Network A Network Yes 4. Function Alarm Not critical.1) The other net is functioning. No
or B failure.
(Network
Storm)
1059180 / / Page 21 of 110

Comments:
Equipment not delivered by KM is connected to Net C (Adm. Net.) through a router or firewall.
1)
All applications are carefully tested regarding network load. It is also proved that the distributed solution will work with a very high network load,
although this is not the normal case.
Periodic network verification will also be done to ensure that both networks with their components are ok. Hence, the probability for such a double
failure is considered to be very small, and is not treated further here.
Data provided from field experience statistics for IAS (Integrated systems) networks shows that the MTTF is about 100 years. This is based on
experienced critical failures on 100 installations during the last 5 years
1059180 / / Page 22 of 110

5.1.3 UPS 1/2/3
Element: UPS (Uniterruptable Power Supply) 1/2/3 Element function: Electrical power supply

(1) (2) (3) (4) (5) (6) (7) (8)
Module/unit Function Redun- Failure Failure Failure consequence Compensating measures Detailed
dancy mode detection FMEA
(Y/N) (Y/N)
UPS 1/2/3 Power No 1.Power Alarm Not critical. The other UPS maintain the DP No
supply failure function.
Redundancy is lost.
Units connected to UPS 1 Units connected to UPS 2 Units connected to UPS 3

DPC-2 PU1 DGPS 1 DPC-2 PU2 Hipap OS 2 DPC- 1 DGPS 2
Kpos-2 OS 1 Gyro 2 Kpos-2 OS 2 Hipap Transciver 2 Kpos-1 OS 3 Hipap OS 1

Wind 2
Alarm Printer 1 Net Printer Gyro 3 Alarm Printer 2 Hipap
Wind 3 Transciver 1
History Station
Gyro 1
1059180 / / Page 23 of 110

Units connected to UPS 1 Units connected to UPS 2 Units connected to UPS 3

Wind 1
1059180 / / Page 24 of 110

5.2 PSA: Dynamic Positioning Controller

5.2.1 DPC-2
Element: Main Controller (DPC-2) Element function: Control of DP functions

(1) (2) (3) (4) (5) (6) (7) (8)
Module/unit Function Redun- Failure mode Failure Failure consequence Compensating Detailed
dancy detection measures FMEA
(Y/N) (Y/N)
Power input 1 Power Yes 1. Power Alarm Not critical. The other unit is supplied No
or 2 supply failure External loads (e.g. MRU, cJoy from other input source
and cWing) powered from and is still operating.
DPC will lose power. External loads powered
from other unit are still
operational. All DPC
modules have redundant
power supplies and are
operational.
1059180 / / Page 25 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Net filter (for Input power Yes 2. Function Alarm Not critical. The other unit is supplied No
power input 1 filter failure External loads (e.g. MRU, cJoy from other input source
or 2) and cWing) powered from and is still operating.
operational.
PSU 1/2 or 3/4 24VDC Yes 3. Power Alarm Not critical. The other unit is supplied No
Power failure External loads (e.g. MRU, cJoy from other input source
supply and cWing) powered from and is still operating.
operational.
1059180 / / Page 26 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Fuse in X11, Power Yes 4. Short Alarm Not critical. The other distribution is No
X13, X81 or distribution circuit in Load in circuit is now single supplied from other input
X83 wiring powered. source and is not
from fuse affected. All DPC
External loads (single modules and external
powered) on same power loads powered from other
supply may reset due to power distribution are not
dip. affected.
RCU A or B Processing Yes 5. Function Alarm Not critical. The other unit is No
controller failure processing as normal.
RCU A and B Processing Yes 6. Common Alarm Critical. Switch to other control No
controller cause If both units stop at the same system.
failure time due to a common root Experience data shows
cause failure. that the probability of
No processing / control of such common root cause
main DP control system. failure is very small and
is therefore not treated
further. (ref. 4.2.2)
RCU Rednet Inter RCU Yes 7. Plug P10 Alarm Not Critical. Other network is No
Cable Next or network for or P11 is functioning as normal.
Previous redundancy loose (open
data loop)
1059180 / / Page 27 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
RCU Network Process Yes 8. Plug P8 or Alarm Not Critical. Other network is No
cable A or B network P9 is loose functioning as normal.
(open loop)
RHUB A or B RBUS Yes 9. Function Alarm Not Critical. Other unit No
Network failure communicating as
Hub normal.
RHUB A or B RBUS Yes 10. Plug P1 or Alarm Not Critical. Other unit No
upstream cable Network P2 is loose communicating as
Hub (open loop) normal.
RHUB A or B RBUS Yes 11. Plug P4, Alarm Not Critical. Other unit No
downstream Network P5, P6 or communicating as
cable Hub P7 is loose normal.
(open loop)
RBUS A or B Prevent Yes 12. Loose end Alarm is Not Critical. Other RBUS functioning No
end reflection of terminator reported if Communication on affected leg as normal.
termination signals at (open loop) too many may be unreliable 1).
end of data
RBUS. packets
are lost.
1059180 / / Page 28 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
RSER (all Serial data Yes 13. Function Alarm Not Critical. Other units with same No
modules) input and failure (one information are still
output module at a available and connected
time) to other modules, see IO
spec.
RMP (all Analogue No 14. Function Alarm Not Critical. This may cause reduction No
modules) and digital failure Loss of one Generator / of positioning
input and Thruster. performance, dependent
output on weather / force
conditions. See IO spec.
1059180 / / Page 29 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Comments:
Voltage output signal failure may not be detected directly. Voltage input signal failure will not be detected directly. Prediction Error alarm will be
given when setpoint and feedback differ over time.
Current input/output signal (4-20mA) failures will be detected by loop monitoring and cause loss of ready signals from thrusters or rudders.
1) The probability of unreliable communication on the internal RBUS is small due to the short length of the cable.
1059180 / / Page 30 of 110

5.2.2 DPC-1
Element: Main Controller (DPC-1) Element function: Control of DP functions

(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Power input Power No 1. Power Alarm Critical. Switch to manual levers. No
supply failure Controller not operating.
Net filter Input power No 2. Function Alarm Critical. Switch to manual levers. No
filter failure Controller not operating.
PSU 1/2 24VDC No 3. Power Alarm Critical. Switch to manual levers. No
Power failure Controller not operating.
supply
RCU A Processing No 4. Function Alarm Critical. Switch to manual levers. No
controller failure Controller not operating.
RCU network Process No 5. Plug P8 is Alarm Critical. Switch to manual levers. No
cable A network loose (open No communication with
loop) controller.
RHUB A RBUS No 6. Function Alarm Critical. Switch to manual levers. No
Network failure No communication between
1059180 / / Page 31 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Hub controller and RMP modules
(I/O).
RHUB A RBUS No 7. Plug P1 is Alarm Critical. Switch to manual levers. No
upstream cable comm.- loose (open No communication between
unication loop) controller and RMP modules
(I/O).
RHUB A RBUS No 8. Plug P4, P5, Alarm Critical. Other half of system No
downstream comm.- P6 or P7 is Loss of up to half of system functioning as normal.
cable unication loose (open I/O, see I/O-Spec for details. Switch to manual levers.
loop)
No communication between
controller and affected RMP
modules (I/O).
RBUS A end Prevent No 9. Loose end Alarm is Critical. Other half of system I/O No
termination reflection of terminator reported if Communication on affected leg functioning as normal.
signals at (open loop) too many may be unreliable 1). Loss of Switch to manual levers.
end of data up to half of system I/O, see
RBUS. packets I/O-Spec for details.
are lost.
1059180 / / Page 32 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
RSER (all Serial data No 10. Function Alarm Critical. Switch to manual levers. No
modules) input and failure (one See I/O-Spec for details.
output module at a Loss of gyro or reference
time) system is critical.
RMP (all Analogue No 11. Function Alarm Critical. Switch to manual levers. No
modules) and digital failure (one See I/O-Spec for details.
input and module at a Loss of gyro is critical.
output time) Loss of Generator/Thruster/
Rudder may be critical or
reduce station keeping ability
(vessel dependant).
Comments:
1059180 / / Page 33 of 110

5.3 PSA: Independent Control System

5.3.1 cC-1
Element: Joystick Controller (cC-1) Element function: Independent control of thrusters

(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Power input Power No 1. Power Alarm Critical. Switch to manual levers. No
supply failure Controller not operating.
Net filter Input power No 2. Power Alarm Critical. Switch to manual levers. No
filter failure Controller not operating.
PSU 1 24VDC No 3. Power Alarm Critical. Switch to manual levers. No
Power failure Controller not operating.
supply
Network switch Process No 4. Power Alarm Critical. Switch to manual levers. No
network failure No communication between
switch cJoy operator terminal and
controller.
1059180 / / Page 34 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
RCU Processing No 5. Function Alarm Critical. Switch to manual levers. No
controller failure Controller not operating.
RCU RBUS No 6. Plug P19 is Alarm Critical. Switch to manual levers. No
RBUS cable comm- loose (open No communication between
unication loop) controller and RMP modules
(I/O).
RBUS end Prevent No 7. Loose end Alarm is Critical. Switch to manual levers. No
termination reflection of terminator reported if Communication on RBUS
signals at (open loop) too many may be unreliable1).
end of data
RBUS. packets
are lost.
RSER (all Serial data No 8. Function Alarm Critical. Switch to manual levers. No
modules) input and failure (one See I/O-Spec for details.
output module at a Loss of gyro or reference
time) system is critical.
1059180 / / Page 35 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
RMP (all Analogue No 9. Function Alarm Critical. Switch to manual levers. No
modules) and digital failure (one See I/O-Spec for details.
input and module at a
output time) Loss of Gyro is critical.
Loss of Generator/Thruster/
Rudder may be critical or
reduce station keeping ability
(vessel dependant)
Comments:
5.4 PSA: Fire Backup Switch
1059180 / / Page 36 of 110

Element: Fire Backup Switch Element function: Switch between main and backup systems

(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Power input Power to No 1. Power Observation Not critical. Only power to lamp No
(24VDC) lamp failure indicators will be lost.
indicators
Mechanical Switch No 2. Stuck at Observation Critical. Take control of No
switch between current Not possible to change individual thrusters.
main and position control system.
fire backup
control
systems
Mechanical Switch No 3. Stuck Observation Critical. Take control of No
switch between between No system in control of individual thrusters.
main and positions. thrusters.
fire backup
control
systems
Mechanical Switch No 4. Spurious Alarm or Critical. Lost ready signal from No
switch between out of observation Spuriously no system thrusters.
main and position controlling the thrusters. Take control of
fire backup individual thrusters.
control
systems
1059180 / / Page 37 of 110

Comments:
A single change over switch switches between the different modes; DP, independent joystick and manual levers (The fire backup switch switches
between main DP and backup DP systems). In case of failure of the switch, it may not be possible to switch between different modes. The
criticality of this depends on the current operating mode before failure. If none of the modes are functioning, you have to operate each thruster
manually. The reliability for this change over switch is, however, considered high and the probability for critical failure is low.
If fault in one contact, only one thruster will be lost.
1059180 / / Page 38 of 110

5.5 PSA: Reference systems

5.5.1 DGPS 1/2
Element: DGPS 1/2 Element function: Provide position reference data

(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Power Provide No 1. Power Alarm Data not available to the DP The system uses pos. ref. No
supply el.power to failure system. data from the other
DGPS reference sensors.
DGPS Provide No 2. Sensor Alarm Faulty data not used by DP The system uses pos. ref. No
position input failure system data from the other
Invalid reference sensors.
status or
telegram
1059180 / / Page 39 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
DGPS Provide No 3. Signal Warning Result depends on overall The system uses pos. ref. No
position input failure - mixture of Position Reference data from the other
Output Systems and their relative reference sensors.
signal weight. The faulty position (Automatic or based on
freeze 1) reference data might be operator interaction if
rejected by the DP system, but needed).
the DP system might also
reject the valid position
reference systems.
1059180 / / Page 40 of 110


DGPS Provide No 4. Signal Warning Result depends on magnitude The system uses pos. ref. No
position input failure - and speed of drift and the data from the other
Output overall mixture of Position reference sensors.
signal drift Reference Systems and their (Automatic or based on
2)
relative weight. The faulty operator interaction if
position reference data might needed).
be rejected by the DP system,
but the DP system might also
reference systems.
DGPS Provide No 5. Signal Warning The faulty data is rejected by The system uses pos. ref. No
position input failure - the DP system data from the other
Output reference sensors
signal jump
DGPS Provide No 6. Signal Alarm Data not available to the DP The system uses pos. ref. No
position input failure system. data from the other
Output reference sensors
signal lost
Comments:
1)
Frozen time in the telegram from a GPS receiver is automatically rejected. Frozen position data is a very unlikely error mode; this will result
in an invalid status (failure mode #2)
2)
Drift in GPS position data might be common between two or more GPS systems (due to failure in GPS satellites or correction data). Use of
two or more GPS systems as input to the DP systems increases the risk of faulty action by the DP system.
1059180 / / Page 41 of 110

5.5.2 HiPAP 1/2
Element: HiPAP 1/2 Element function: Provide position reference data

(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Power Provide No 1. Power Alarm Data not available to the DP The system uses pos. ref. No
supply el.power to failure system. data from the other
the HiPAP reference sensors
HiPAP Provide No 2. Sensor Alarm Faulty data not used by DP The system uses pos. ref. No
position failure system. data from the other
input Invalid reference sensors.
status or
telegram
HiPAP Provide No 3. Signal Warning Result depends on overall The system uses pos. ref. No
position failure - mixture of Position Reference data from the other
input Output Systems and their relative reference sensors.
freeze 1) reference data might be rejected operator interaction if
by the DP system, but the DP needed).
system might also reject the
valid position reference systems.
1059180 / / Page 42 of 110

HiPAP Provide No 4. Signal Warning Result depends on magnitude The system uses pos. ref. No
position failure - and speed of drift and the data from the other
input Output overall mixture of Position reference sensors.
signal drift Reference Systems and their (Automatic or based on
relative weight. The faulty operator interaction if
position reference data might be needed).
rejected by the DP system, but
the DP system might also reject
the valid position reference
systems.
HiPAP Provide No 5. Signal Warning The faulty data is rejected by the The system uses pos. ref. No
position failure - DP system data from the other
input Output reference sensors
signal jump
HiPAP Provide No 6. Signal Alarm. Data not available to the DP The system uses pos. ref. No
position failure system data from the other
input Output reference sensors.
signal lost
Sensor input Provide No 7. Signal Alarm. Faulty data not used by DP The system uses pos. ref. No
VRS and failure system data from the other
heading reference sensors.
signal
Comments:
1)
Frozen position data is a very unlikely error mode; this will result in an invalid status (failure mode #2)
1059180 / / Page 43 of 110

5.5.3 Interface LTW 1/2
Element: Interface Taut Wire 1/2 Element function: Provide Position data

(1) (2) (3) (4) (5) (6) (7) (8)
dancy detectio FMEA
(Y/N) n (Y/N)
Power Provide No 1. Power Alarm The faulty data is rejected by The system uses pos. ref. No
supply el.power to failure the system. data from the other
the LTW reference sensors.
LTW Provide No 2. Signal Warning Result depends on overall The system uses pos. ref. No
position data failure - mixture of Position Reference data from the other
1) Input Systems and their relative reference sensors.
freeze reference data might be operator interaction if
rejected by the DP system, but needed).
the DP system might also
reference systems.
LTW Provide No 3. Sensor Alarm Faulty data not used by DP The system uses pos. ref. No
position failure system. data from the other
input Invalid reference sensors.
status
1059180 / / Page 44 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
dancy detectio FMEA
(Y/N) n (Y/N)
LTW Provide No 4. Signal Warning Result depends on magnitude The system uses pos. ref. No
position data failure - and speed of drift and the data from the other
Input overall mixture of Position reference sensors.
signal Reference Systems and their (Automatic or based on
drift relative weight. The faulty operator interaction if
position reference data might needed).
be rejected by the DP system,
but the DP system might also
reference systems.
LTW Provide No 5. Signal Warning The faulty data is rejected by The system uses pos. ref. No
position data failure - the DP system data from the other
Input reference sensors
signal
jump
LTW Provide No 6. Signal Alarm. Similar to failure mode #2 The system uses pos. ref. No
position data failure data from the other
Input reference sensors.
signal lost (Automatic or based on
operator interaction if
needed).
Comments:
1)
The LTW provides raw sensor data (X-angle, Y-angle, wire-length) to the DP system. The DP system calculates position based on these raw
data combined with VRS measurements and heading.
1059180 / / Page 45 of 110

5.6 PSA: Sensors

5.6.1 Gyro 1/2/3
Element: Gyro 1/2/3 Element function: Provide heading course data

(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Power Provide Yes 1. Power Internal Not critical; the gyros are No
supply el.power to failure Gyro supplied from two separate
the gyros Alarm sources.
Gyro Provide Yes 2. Sensor Alarm Gyros different. Operator has to select No
heading failure - Freeze correct sensor. 1).
signal The system uses data
from the other Gyro.
Gyro Provide Yes 3. Sensor Alarm Gyro different. Operator has to select No
heading failure Slow correct sensor. 1)
signal drifting The system uses data
from the other Gyro.
1059180 / / Page 46 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Gyro Provide Yes 4. Sensor Alarm Not critical. Gyros different. The system uses data No
heading failure Jump Gyros data changes too fast. from the other Gyro.
signal or fast drifting
Gyro Provide Yes 5. Sensor Alarm Not critical. Lost telegram, The system uses data No
heading failure - Lost ready signal OK. from the other Gyro.
signal
Gyro Gyro ready Yes 6. Signal Alarm. Not critical. Loss of ready The system uses data No
failure signal. from the other Gyro.
Comments:
1) If three Gyros are available, the faulty Gyro is excluded by the voting.
1059180 / / Page 47 of 110

5.6.2 Wind Sensor 1/2/3
Element: Wind sensor 1/2/3 Element function: Provide wind direction and speed

(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Power Provide No 1. Power Alarm Lost sensor, but each sensor is System uses the other No
supply el.power to failure supplied from different UPS sensor.
the Wind
sensor
Wind sensor Provide Yes 2. Sensor Alarm Wind sensor different. Operator has to select No
wind, speed failure - correct sensor.
and direction Freeze The system uses data
signal from the other Wind
sensor.
Wind sensor Provide Yes 3. Sensor Alarm Wind sensor different. Operator has to select No
wind, speed failure correct sensor.
and direction Slow The system uses data
signal drifting from the other Wind
sensor.
1059180 / / Page 48 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Wind sensor Provide Yes 4. Sensor Alarm Failed sensor is rejected. The system uses data No
wind, speed failure from the other Wind
and direction Jump or sensor.
signal fast
drifting
Wind sensor Provide Yes 5. Sensor Alarm Data not available to the The system uses data No
wind, speed failure - system. from the other Wind
and direction Lost sensor.
signal
Comments:
If only one wind sensor is enabled by the operator, difference alarm and automatic switch over to other sensor is not possible.
Operator intervention is required.
1059180 / / Page 49 of 110

5.6.3 MRU 1/2/3
Element: MRU 1/2/3 Element function: Provide Pitch and Roll data

(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
Power Provide No 1. Power Alarm Lost sensor The system uses data No
supply el.power to failure from the other MRU.
the MRU
MRU Provide Yes 2. Sensor Alarm MRUs different. Operator has to select No
pitch, roll failure - correct sensor.
signal Freeze The system uses data
from the selected MRU.
MRU Provide Yes 3. Sensor Alarm MRUs different. Operator has to select No
pitch, roll failure - correct sensor.
signal Drifting The system uses data
from the selected MRU.
MRU Provide Yes 4. Sensor Alarm Faulty sensor is rejected. The system uses data No
pitch, roll failure - from the other MRU.
signal Jump
1059180 / / Page 50 of 110


(1) (2) (3) (4) (5) (6) (7) (8)
(Y/N) (Y/N)
MRU Provide Yes 5. Sensor Alarm MRUs different. Ready signal Operator has to select No
pitch, roll failure - OK. The system may use the correct sensor.
signal Lost faulty sensor, similar to failure The system uses data
mode #2 from the other MRU.
MRU MRU ready Yes 6. Signal Alarm. Loss of Ready signal. The The system uses data No
failure faulty MRU is rejected by the from the other MRU.
system.
Comments:
If three MRUs are available, the faulty MRU is excluded by the voting.
1059180 / / Page 51 of 110

1059180 / / Page 52 of 110

APPENDIX A LAYOUT DRAWING
Figure 1:
1059180 / / Page 53 of 110

Figure 2:
1059180 / / Page 54 of 110

Figure 3:
1059180 / / Page 55 of 110

Figure 4:
1059180 / / Page 56 of 110

APPENDIX B I/O SPECIFICATION

I/O specification for KPos-2 is generated from I/O database 1053732 Rev. B
I/O Card Pos: 32

IO-PCB (Location) : RSER200-4
TB-PCB:
WU-no: WU3
Channel Unit No Equipment Field Terminal Polarity Signal
1 U 32 WIND(1), NMEA X1 : 1 rx+ RS 422, Baud 9600, 8, N, 1
WIND(1), NMEA X1 : 2 rx- RS 422, Baud 9600, 8, N, 1
2 GYRO (1) NMEA X2 : 1 rx+ RS 422, Baud 9600, 8, N, 1
GYRO (1) NMEA X2 : 2 rx- RS 422, Baud 9600, 8, N, 1
4 DGPS (2) NMEA X4 : 1 rx+ RS 422, Baud 4800, 8, N, 1
DGPS (2) NMEA X4 : 2 rx- RS 422, Baud 4800, 8, N, 1
1059180 / / Page 57 of 110

I/O Card Pos: 33

TB-PCB:
WU-no: WU3
1 U 33 WIND(3), NMEA X1 : 1 rx+ RS- 422, Baud 4800, N, 8, 1
WIND(3), NMEA X1 : 2 rx- RS- 422, Baud 4800, N, 8, 1
2 MRU (1), NMEA X2 : 1 rx+ RS- 422, Baud 4800, N, 8, 1
MRU (1), NMEA X2 : 2 rx- RS- 422, Baud 4800, N, 8, 1
3 GYRO (2) NMEA X3 : 1 rx+ RS 422, Baud 4800, N, 8, 1
GYRO (2) NMEA X3 : 2 rx- RS 422, Baud 4800, N, 8, 1
4 Raiser Angle, NMEA X4 : 1 rx+ RS 422 Baud 4800, 8, N, 1
Raiser Angle, NMEA X4 : 2 rx- RS 422 Baud 4800, 8, N, 1
Raiser Angle, NMEA X4 : 4 tx+ RS 422 Baud 4800, 8, N, 1
Raiser Angle, NMEA X4 : 5 tx- RS 422 Baud 4800, 8, N, 1
1059180 / / Page 58 of 110

I/O Card Pos: 34

IO-PCB (Location) : RMP200-8
TB-PCB:
WU-no: WU3
1 U 34 Thr. 1 Ready X1 : 1 s DI
Thr. 1 Ready X1 : 3 c DI
2 Thr. 1 RPM Feedback X1 : 5 c AI(4-20 mA)
Thr. 1 RPM Feedback X1 : 6 s AI(4-20 mA)
3 Thr. 1 Azimuth Feedback X2 : 2 c AI(4-20 mA)
Thr. 1 Azimuth Feedback X2 : 3 s AI(4-20 mA)
4 Thr. 1 Power limitation X2 : 4 s DI
Thr. 1 Power limitation X2 : 6 c DI
5 Generator 1 load X3 : 2 c AI(4-20 mA)
Generator 1 load X3 : 3 s AI(4-20 mA)
6 Thr. 1 RPM Command X3 : 4 s AO(4-20 mA)
Thr. 1 RPM Command X3 : 5 c AO(4-20 mA)
7 Generator 1 connected X4 : 1 s DI
Generator 1 connected X4 : 3 c DI
8 Thr. 1 Azimuth Command X4 : 4 s AO(4-20 mA)
Thr. 1 Azimuth Command X4 : 5 c AO(4-20 mA)
1059180 / / Page 59 of 110

I/O Card Pos: 35

TB-PCB:
WU-no: WU3
1059180 / / Page 60 of 110

I/O Card Pos: 36

TB-PCB:
WU-no: WU3
1059180 / / Page 61 of 110

I/O Card Pos: 37

TB-PCB:
WU-no: WU3
1059180 / / Page 62 of 110

I/O Card Pos: 41

TB-PCB:
WU-no: WU4
1 U 41 Bus tie AB (in) X1 : 1 s DI
Bus tie AB (in) X1 : 3 c DI
3 UPS 1 Alarm X2 : 1 s DI
UPS 1 Alarm X2 : 3 c DI
4 UPS 1 Earth Failure X2 : 4 s DI
UPS 1 Earth Failure X2 : 6 c DI
5 BU Switch DPC-1 X3 : 2 c AI
BU Switch DPC-1 X3 : 3 s AI
7 BU Switch DPC-2 X4 : 1 s DI
BU Switch DPC-2 X4 : 3 c DI
1059180 / / Page 63 of 110

I/O Card Pos: 42

TB-PCB:
WU-no: WU4
1 U 42 MRU (3) Roll X1 : 2 c AI (10V)
MRU (3) Roll X1 : 3 s AI (10V)
2 MRU (3) Pitch X1 : 5 c AI (10V)
MRU (3) Pitch X1 : 6 s AI (10V)
3 MRU (3) Heave X2 : 2 c AI (10V)
MRU (3) Heave X2 : 3 s AI (10V)
4 MRU (3) OK X2 : 4 s DI
MRU (3) OK X2 : 6 c DI
5 Bus tie CD (in) X3 : 1 s DI
Bus tie CD (in) X3 : 3 c DI
7 GYRO (2) OK X4 : 1 s DI
GYRO (2) OK X4 : 3 c DI
1059180 / / Page 64 of 110

I/O Card Pos: 43

TB-PCB:
WU-no: WU4
1 U 43 Draught Aft X1 : 2 c AI(10V/4-20 mA)
Draught Aft X1 : 3 s AI(10V/4-20 mA)
2 Draught Stbd X1 : 5 c AI(10V/4-20 mA)
Draught Stbd X1 : 6 s AI(10V/4-20 mA)
3 Draught Port X2 : 2 c AI(10V/4-20 mA)
Draught Port X2 : 3 s AI(10V/4-20 mA)
4 Draught Fore X2 : 5 c AI(10V/4-20 mA)
Draught Fore X2 : 6 s AI(10V/4-20 mA)
1059180 / / Page 65 of 110

I/O Card Pos: 62

TB-PCB:
WU-no: WU6
1 U 62 WIND(2), NMEA X1 : 1 rx+ RS- 422, Baud 4800, N, 8, 1
WIND(2), NMEA X1 : 2 rx- RS- 422, Baud 4800, N, 8, 1
3 GYRO (3) NMEA X2 : 1 rx+ RS- 422, Baud 4800, 8, N, 1
GYRO (3) NMEA X2 : 2 rx- RS- 422, Baud 4800, 8, N, 1
1059180 / / Page 66 of 110

I/O Card Pos: 64

TB-PCB:
WU-no: WU6
1059180 / / Page 67 of 110

I/O Card Pos: 65

TB-PCB:
WU-no: WU6
1059180 / / Page 68 of 110

I/O Card Pos: 66

TB-PCB:
WU-no: WU6
1059180 / / Page 69 of 110

I/O Card Pos: 67

TB-PCB:
WU-no: WU6
1059180 / / Page 70 of 110

I/O Card Pos: 71

TB-PCB:
WU-no: WU7
1 U 71 Bus tie BC (in) X1 : 1 s DI
Bus tie BC (in) X1 : 3 c DI
1059180 / / Page 71 of 110

I/O Card Pos: 72

TB-PCB:
WU-no: WU7
1 U 72 MRU (2) Roll X1 : 2 c AI 10V
MRU (2) Roll X1 : 3 s AI 10V
2 MRU (2) Pitch X1 : 5 c AI 10V
MRU (2) Pitch X1 : 6 s AI 10V
3 MRU (2) Heave X2 : 2 c AI 10V
MRU (2) Heave X2 : 3 s AI 10V
4 MRU (2) OK X2 : 4 s DI
1059180 / / Page 72 of 110

I/O Card Pos: 73

TB-PCB:
WU-no: WU7
1 U 73 OFF X1 : 1 s DI
OFF X1 : 3 c DI
2 DRILLING X1 : 4 s DI
DRILLING X1 : 6 c DI
3 PREPARE TO DISCONNECT X2 : 1 s DI
PREPARE TO DISCONNECT X2 : 3 c DI
4 DISCONNECT X2 : 4 s DI
DISCONNECT X2 : 6 c DI
1059180 / / Page 73 of 110

I/O specification for KcJoy is generated from I/O database 1053732 Rev. B
I/O Card Pos: 31

Channel Unit No Equipment Terminal Polarity Signal
1 U 31 Wind Sensor 1 X1 : 1 rx+ RS 422, Baud 4800, 8, N, 1
Wind Sensor 1 X1 : 2 rx- RS 422, Baud 4800, 8, N, 1
2 GYRO (3) NMEA X2 : 1 rx+ RS 422, Baud 4800, 8, N, 1
GYRO (3) NMEA X2 : 2 rx- RS 422, Baud 4800, 8, N, 1
1059180 / / Page 74 of 110

I/O Card Pos: 41

2 Thr. 1 RPM Feedback X1 : 5 c AI(10V/4-20 mA)
Thr. 1 RPM Feedback X1 : 6 s AI(10V/4-20 mA)
3 Thr. 1 Azimuth Feedback X2 : 2 c AI(10V/4-20 mA)
Thr. 1 Azimuth Feedback X2 : 3 s AI(10V/4-20 mA)
4 Thr. 1 Power Limitation Activated X2 : 4 s DI
Thr. 1 Power Limitation Activated X2 : 6 c DI
6 Thr. 1 RPM Command X3 : 4 s AO(10V/4-20 mA)
Thr. 1 RPM Command X3 : 5 c AO(10V/4-20 mA)
8 Thr. 1 Azimuth Command X4 : 4 s AO(10V/4-20 mA)
Thr. 1 Azimuth Command X4 : 5 c AO(10V/4-20 mA)
1059180 / / Page 75 of 110

I/O Card Pos: 42

1059180 / / Page 76 of 110

I/O Card Pos: 43

1059180 / / Page 77 of 110

I/O Card Pos: 44

1059180 / / Page 78 of 110

I/O Card Pos: 45

1059180 / / Page 79 of 110

I/O Card Pos: 46

1059180 / / Page 80 of 110

I/O Card Pos: 47

1059180 / / Page 81 of 110

I/O Card Pos: 48

1059180 / / Page 82 of 110

I/O specification for KPos-1 is generated from I/O database 1053732 Rev. B
I/O Card Pos: 32

2 U 32 GYRO (1) NMEA X2 : 1 rx+ RS 422, Baud 4800, N, 8, 1
GYRO (1) NMEA X2 : 2 rx- RS 422, Baud 4800, N, 8, 1
1059180 / / Page 83 of 110

I/O Card Pos: 34

5 Generator 1 load X3 : 2 c AI(10V/4-20 mA)
Generator 1 load X3 : 3 s AI(10V/4-20 mA)
1059180 / / Page 84 of 110

I/O Card Pos: 35

1059180 / / Page 85 of 110

I/O Card Pos: 36

1059180 / / Page 86 of 110

I/O Card Pos: 37

1059180 / / Page 87 of 110

I/O Card Pos: 41

1 U 41 Draught Aft X1 : 2 c AI(10V/4-20 mA)
Draught Aft X1 : 3 s AI(10V/4-20 mA)
2 Draught Stbd X1 : 5 c AI(10V/4-20 mA)
Draught Stbd X1 : 6 s AI(10V/4-20 mA)
3 DraughtPort X2 : 2 c AI(10V/4-20 mA)
Draught Port X2 : 3 s AI(10V/4-20 mA)
4 Draught Fore X2 : 5 c AI(10V/4-20 mA)
Draughtt Fore X2 : 6 s AI(10V/4-20 mA)
5 Bus tie AB (in) X3 : 1 s DI
Bus tie AB (in) X3 : 3 c DI
1059180 / / Page 88 of 110

I/O Card Pos: 42

1 U 42 Bus tie CD (in) X1 : 1 s DI
Bus tie CD (in) X1 : 3 c DI
1059180 / / Page 89 of 110

I/O Card Pos: 62

2 U 62 Wind Sensor 1 X1 : 1 rx+
Wind Sensor 1 X1 : 2 rx-
1059180 / / Page 90 of 110

I/O Card Pos: 64

1059180 / / Page 91 of 110

I/O Card Pos: 65

1059180 / / Page 92 of 110

I/O Card Pos: 66

1059180 / / Page 93 of 110

I/O Card Pos: 67

1059180 / / Page 94 of 110

I/O Card Pos: 71

1 U 71 Bus tie BC (in) X1 : 1 s DI
Bus tie BC (in) X1 : 3 c DI
2 MRU (1) Roll X1 : 5 c AI 10V
MRU (1) Roll X1 : 6 s AI 10V
3 MRU (1) Pitch X2 : 2 c AI 10V
MRU (1) Pitch X2 : 3 s AI 10V
4 MRU (1) Heave X2 : 5 c AI 10V
MRU (1) Heave X2 : 6 s AI 10V
5 MRU (1) OK X3 : 1 s DI
1059180 / / Page 95 of 110

1059180 / / Page 96 of 110

APPENDIX C TECHNICAL DRAWINGS

This appendix includes general technical drawings used in the FMEA
Figure 5: Power and wiring diagram for Operator Station
1059180 / / Page 97 of 110

Figure 6: Network Structure, 2xOS and DPC-2
1059180 / / Page 98 of 110

Figure 7: Principle block diagram, DPC-2
1059180 / / Page 99 of 110

Figure 8: Principle block diagram of I/O signals, DPC-2
1059180 / / Page 100 of 110

Figure 9: Power & Wiring Diagram, DPC-2
1059180 / / Page 101 of 110

Figure 10: Power & Wiring Diagram, RBUS A-Section, DPC-2
1059180 / / Page 102 of 110

Figure 11: Power & Wiring Diagram, RBUS B-Section, DPC-2
1059180 / / Page 103 of 110

Figure 12: Termination Diagram, 88ch I/O Serial ch1-8 A-Section, DPC-2
1059180 / / Page 104 of 110

Figure 13: Termination Diagram, 88ch I/O Serial ch9-16 B-Section, DPC-2
1059180 / / Page 105 of 110

Figure 14: Change over switch, 3-position
1059180 / / Page 106 of 110

cC-1
To RCU
Switch
Field 501
A
A
U41-49
U31-33
UPS1 PWR
PSU
A
1 M
Legend:
RBUS A
NET A
SERIAL
Figure 15: Principle block diagram, cC-1
1059180 / / Page 107 of 110

Figure 16: Principle block diagram of I/O signals, cC-1
1059180 / / Page 108 of 110

cC-1
To RCU
Switch
Field 501
A
A
U41-49
U31-33
UPS1 PWR
PSU
A
1 M
Legend:
RBUS A
NET A
SERIAL
Figure 17: Principle block diagram, cC-1
1059180 / / Page 109 of 110

Figure 18: Principle block diagram of I/O signals, cC-1
1059180 / / Page 110 of 110

FMEA Procedure K-Pos

Uploaded by

Copyright:

Available Formats

You might also like

FMEA Procedure K-Pos

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FMEA Procedure K-Pos

Uploaded by

Copyright:

Available Formats

Document Frontpage

CODE 4 FOR INFORMATION ONLY

B 22.01.2009 As Built ToS TLT THoe

Acceptance Code 1: Supplier:

Acceptance Code 2: Suppliers Doc No:

Acceptance Code 4: Tag No./Line No.:

C09 408 NA NA Automation

Contractor: Note: Where not applicable use NA

N111 440-1057.000-1301-0001 1 of 111

Comments, remarks or acceptance from Sevan shall not

K-Pos DP-1, K-Pos DP-2 and cJoy

Sevan Deepsea Driller

A 17.10.2007 For approval NN JRK TMF

3 ANALYSIS METHOD AND TOOLS..................................................................10

4 SYSTEM DESCRIPTION ....................................................................................15

1059180 / / Page 2 of 110

5 RESULT OF FMEA ..............................................................................................18

APPENDIX A LAYOUT DRAWING .........................................................................53

APPENDIX B I/O SPECIFICATION .........................................................................57

APPENDIX C TECHNICAL DRAWINGS ................................................................97

1059180 / / Page 3 of 110

1059180 / / Page 4 of 110

Summary and Conclusions

1059180 / / Page 5 of 110

1 ABOUT THIS DOCUMENT

1.1 Document history

Revision Description of Change

1.3 Definitions / Abbreviations

AIO Analogue Input Output

cJoy Compact Joystick

DGPS Differential Global Positioning System

DPC Dynamic Positioning Controller

FMEA Failure Mode and Effect Analysis

FME(c)A Failure mode and Effect (criticality) Analysis

FS Field Station (Cabinet with controller and/or RIO modules)

IAS Integrated Automation System

I/O Input / output

K-POS Kongsberg Positioning System

LAN Local Area Network

1059180 / / Page 6 of 110

LCL Lever Communication Link

MTTF Mean Time To Failure

MTTR Mean Time to Repair

MRU Motion Reference Unit

N/A Not Applicable

NDU Net Distribution Unit

PMS Power Management System

PSA Preliminary Safety Analysis

RBUS Remote serial data BUS

RCS Remote Control System

RCU Remote Controller Unit

RDUM RMP Dummy module

RHUB RBUS HUB module

RIO Remote Input Output Unit

RPB Remote Push Button

RSER Remote Serial I/O module

SBC Single Board Computer

SDP Kongsberg (Simrad) Dynamic Positioning