Warning to offshore industry on blocking of data communications in dynamic positioning systems
|Health and Safety Executive - Safety Notice|
|Department Name:||Offshore Safety Division|
|Bulletin No:||OSD 1-2013|
|Issue Date:||23 January 2013|
|Target Audience:||Suppliers of dynamic positioning (DP) systems, operators of offshore installations, marine classification societies, verification bodies and marine consultancies - Offshore oil and gas, Diving, Offshore, Others marine.|
Vessels may lose position during critical operations due to failure of their dynamic positioning system (DPS).
The cause can be blocking of data communications in dynamic positioning (DP) systems dependent on data communications via a shared medium (e.g. data bus).
A serious incident occurred where a diving support vessel's dynamic positioning (DP) system, designated as IMO class 2, failed resulting in the vessel drifting off position while divers were deployed subsea. Investigations have shown that a probable cause of the DP failure was a single fault which caused blocking of the DP system's internal data communications.
Dynamically positioned (DP) vessels undertake a range of safety critical activities such as diving support, drilling for hydrocarbons and operations adjacent to offshore production installations. In many cases the safety of critical activities depends on the continued availability of DP functions. Many DP systems rely on bus-oriented communications networks. Investigation of the incident referenced above found that communications dependent on a dual bus network can be totally lost because of a single fault.
Dynamic positioning systems are categorised into classes according to criteria from the International Marine Organisation, IMO. The classification criteria are given in IMO MSC Circular 645 and include the requirement, "For equipment class 2, the DP-control system should consist of at least two independent computer systems. Common facilities such as self-checking routines, data transfer arrangements, and plant interfaces should not be capable of causing the failure of both / all systems".
Various configurations have been used in data communication networks (e.g. dual bus networks, star networks and hybrids). An example of a dual bus network is illustrated in Figure 1 and an example of a star configuration is illustrated in Figure 2. For illustrative purposes modules which need to communicate are designated as M1, M2, M3, M4 and C1, C2, where 'C' could indicate a controller module and 'M' could indicate a module which interfaces to plant.
In a dual data bus communications network the communications media, the data buses, are shared between system modules. In configurations with a dual bus architecture, if a single module has access to both buses (e.g. M1 and C1 as illustrated in Figure 1), and the module persists in trying to communicate, then it can block both buses. Thus, in the absence of further protective measures, a single fault in a DP system which depends on a dual bus architecture, can prevent all critical information from reaching the modules that need this information in order for the DP system to function satisfactorily. Other network topologies, such as dual star networks (Figure 2), may not have such shared communication media.
Where the safety case for an offshore installation includes claims in relation to performance of dynamic positioning systems the safety case duty holder should verify that the claims can be met. In particular where the safety case claims that a dynamic positioning system achieves IMO Class 2 or better the duty holder for the safety case should investigate the communications architecture for the relevant DP system. If the dynamic positioning functions are dependent on a shared communication medium such as a dual data bus network, then the duty holder should ensure that appropriate measures are in place to prevent a single fault causing failure of the DP system.
Manufacturers and suppliers of dynamic positioning systems who claim their products satisfy IMO Class 2 or better should investigate the communications architecture for the relevant dynamic positioning systems. If the dynamic positioning functions are dependent on a shared communication medium such as a dual data bus network, then the manufacturer / supplier should check that appropriate measures are in place to prevent a single fault causing failure of the DP system. If such measures are not in place, then the relevant manufacturer or supplier should ensure that the users of the dynamic positioning system are provided with adequate information regarding the vulnerability of the dynamic positioning system to single faults.
Relevant legal documents:
- Health and Safety at Work etc Act 1974
- Offshore Installations (Safety Case) Regulations 2005
- Provision and Use of Work Equipment Regulations
- Offshore Installations and Wells (Design and Construction, etc.) Regulations
- Diving at Work Regulations 1997
- Merchant Shipping (Diving Safety) Regulations 2002
- Health and Safety at Work etc. Act 1974 (Application Outside Great Britain) Order 2001 and associated Variation Order.
- International Maritime Organization (IMO) Maritime Safety Committee (MSC) Circular 645 'Guidelines for Vessels with Dynamic Positioning systems'.
For further information regarding this Safety Notice please contact firstname.lastname@example.org
Please pass this information to a colleague who may have responsibility for a DP system which utilises a dual communications bus.