Loading (50 kb)...'
National
United States Regulations
46 CFR PART 62—VITAL SYSTEM AUTOMATION
Title 46: Shipping
PART 62—VITAL SYSTEM AUTOMATION
--------------------------------------------------------------------------------
Authority: 46 U.S.C. 3306, 3703, 8105; E.O. 12234, 45 FR 58801, 3 CFR, 1980 Comp., p. 277; Department of Homeland Security Delegation No. 0170.1.
Source: CGD 81–030, 53 FR 17838, May 18, 1988, unless otherwise noted.
Subpart 62.01—General Provisions
top
§ 62.01-1 Purpose.
top
The purpose of this part is to make sure that the safety of a vessel with automated vital systems, in maneuvering and all other sailing conditions, is equal to that of the vessel with the vital systems under direct manual operator supervision.
§ 62.01-3 Scope.
top
(a) This part contains the minimum requirements for vessel automated vital systems. Specifically, this part contains—
(1) In subpart 62.25, the general requirements for all vital system automation;
(2) In subpart 62.30, the criteria used to evaluate the designed reliability and safety of all automated vital systems;
(3) In subpart 62.35, the minimum additional equipment, configuration, and functional requirements necessary when certain vital systems are automated; and
(4) In subpart 62.50, the minimum additional requirements when automated systems are provided to replace specific personnel or to reduce overall crew requirements.
§ 62.01-5 Applicability.
top
(a) Vessels. This part applies to self-propelled vessels of 500 gross tons and over that are certificated under subchapters D, I, or U and to self-propelled vessels of 100 gross tons and over that are certificated under subchapter H.
(b) Systems and equipment. Except as noted in §62.01–5(c), this part applies to automation of vital systems or equipment that—
(1) Is automatically controlled or monitored;
(2) Is remotely controlled or monitored; or
(3) Utilizes automation for the purpose of replacing specific personnel or to reduce overall crew requirements.
(c) Exceptions. This part does not apply to the following systems and equipment unless they are specifically addressed or unless their failure would degrade the safety and reliability of the systems required by this part:
(1) Automatic auxiliary heating equipment (see part 63 of this subchapter).
(2) Steering systems (see subparts 58.25 and 111.93 of this chapter).
(3) Non-vital and industrial systems.
(4) The communication and alarm systems in part 113 of this chapter.
(d) Central control rooms. The requirements of subpart 62.50 only apply to vessels automated to replace specific personnel or to reduce overall crew requirements, except where the main propulsion or ship service electrical generating plants are automatically or remotely controlled from a control room. In this case, §62.50–20(a)(3) (except the provision in paragraph 62.50–20(a)(3)(ii) relating to electrical power distribution), (b)(3), (c), (e)(1), (e)(2), (e)(4), and (f)(2) apply, regardless of manning.
[CGD 81–030, 53 FR 17838, May 18, 1988, as amended by USCG–2000–7790, 65 FR 58460, Sept. 29, 2000]
Subpart 62.05—Reference Specifications
top
§ 62.05-1 Incorporation by reference.
top
(a) Certain material is incorporated by reference into this part with the approval of the Director of the Federal Register. To enforce any edition other than the one listed in paragraph (b) of this section, notice of the change must be published in the Federal Register and the material made available to the public. All approved material is on file at the Office of the Federal Register, Washington, DC 20408 and at Marine Safety and Environmental Protection (G-MSE), U.S. Coast Guard Headquarters Building, 2100 Second Street SW., Washington, DC 20593–0001.
(b) The material approved for incorporation by reference in this part is:
Rules for Building and Classing Steel Vessels, 1986, issued by the American Bureau of Shipping. This document is available from: American Bureau of Shipping, ABS Plaza, 16855 Northchase Drive, Houston, TX 77060. Sections affected by this incorporation by reference are: 62.25–1(c), 62.25–5(a), 62.25–30(a)(1), (a)(2), (a)(3), (a)(5), 62.35–5(d), 62.35–35(a), 62.35–40(c), 62.35–50, 62.50–30(c), and 62.50–30(k).
[CGD 81–030, 53 FR 17838, May 18, 1988, as amended by CGD 95–072, 60 FR 50463, Sept. 29, 1995; CGD 96–041, 61 FR 50728, Sept. 27, 1996; CGD 97–057, 62 FR 51044, Sept. 30, 1997; USCG–2000–7790, 65 FR 58460, Sept. 29, 2000]
Subpart 62.10—Terms Used
top
§ 62.10-1 Definitions.
top
(a) For the purpose of this part:
Alarm means an audible and visual indication of a hazardous or potentially hazardous condition that requires attention.
Automated means the use of automatic or remote control, instrumentation, or alarms.
Automatic control means self-regulating in attaining or carrying out an operator-specified equipment response or sequence.
Boiler low-low water level is the minimum safe level in the boiler, in no case lower than that visible in the gage glass (see §52.01–110 of this chapter, Water Level Indicators).
Engineering Control Center (ECC) means the centralized engineering control, monitoring, and communications location.
Failsafe means that upon failure or malfunction of a component, subsystem, or system, the output automatically reverts to a pre-determined design state of least critical consequence. Typical failsafe states are listed in Table 62.10–1(a).
Table 62.10-1(a)_Typical Failsafe States
------------------------------------------------------------------------
System or component Preferred failsafe state
------------------------------------------------------------------------
Cooling water valve....................... As is or open.
Alarm system.............................. Annunciate.
Safety system............................. Shut down, limited, or as is
& alarm.
Burner valve.............................. Closed.
Propulsion speed control.................. As is.
Feedwater valve........................... As is or open.
Controllable pitch propeller.............. As is.
Propulsion safety trip.................... As is & alarm.
Fuel tank valve........................... See § 56.50-60(d).
------------------------------------------------------------------------
Flooding safety refers to flooding detection, watertight integrity, and dewatering systems.
Independent refers to equipment arranged to perform its required function regardless of the state of operation, or failure, of other equipment.
Limit control means a function of an automatic control system to restrict operation to a specified operating range or sequence without stopping the machinery.
Local control means operator control from a location where the equipment and its output can be directly manipulated and observed, e.g., at the switchboard, motor controller, propulsion engine, or other equipment.
Manual control means operation by direct or power-assisted operator intervention.
Monitor means the use of direct observation, instrumentation, alarms, or a combination of these to determine equipment operation.
Remote control means non-local automatic or manual control.
Safety trip control system means a manually or automatically operated system that rapidly shuts down another system or subsystem.
System means a grouping or arrangement of elements that interact to perform a specific function and typically includes the following, as applicable:
A fuel or power source.
Power conversion elements.
Control elements.
Power transmission elements.
Instrumentation.
Safety control elements.
Conditioning elements.
Vital system or equipment is essential to the safety of the vessel, its passengers and crew. This typically includes, but is not limited to, the following:
Fire detection, alarm, and extinguishing systems.
Flooding safety systems.
Ship service and emergency electrical generators, switchgear, and motor control circuits serving vital electrical loads.
The emergency equipment and systems listed in §112.15 of this chapter.
Propulsion systems, including those provided to meet §58.01–35.
Steering systems.
Subpart 62.15—Equivalents
top
§ 62.15-1 Conditions under which equivalents may be used.
top
(a) The Coast Guard accepts a substitute or alternate for the requirements of this part if it provides an equivalent level of safety and reliability. Demonstration of functional equivalence must include comparison of a qualitative failure analysis based on the requirements of this part with a comparable analysis of the proposed substitute or alternate.
Subpart 62.20—Plan Submittal
top
§ 62.20-1 Plans for approval.
top
(a) The following plans must be submitted to the Coast Guard for approval in accordance with §50.20–5 and §50.20–10 of this chapter:
(1) A general arrangement plan of control and monitoring equipment, control locations, and the systems served.
(2) Control and monitoring console, panel, and enclosure layouts.
(3) Schematic or logic diagrams including functional relationships, a written description of operation, and sequences of events for all modes of operation.
(4) A description of control or monitoring system connections to non-vital systems.
(5) A description of programable features.
(6) A description of built-in test features and diagnostics.
(7) Design Verification and Periodic Safety test procedures described in subpart 61.40 of this chapter.
(8) Control system normal and emergency operating instructions.
§ 62.20-3 Plans for information.
top
(a) One copy of the following plans must be submitted to the Officer in Charge, Marine Inspection, for use in the evaluation of automated systems provided to replace specific personnel or to reduce overall crew requirements:
(1) Proposed manning, crew organization and utilization, including routine maintenance, all operational evolutions, and emergencies.
(2) A planned maintenance program for all vital systems.
(b) One copy of a qualitative failure analysis must be submitted in accordance with §50.20–5 of this chapter for the following:
(1) Propulsion controls.
(2) Microprocessor-based system hardware.
(3) Safety controls.
(4) Automated electric power management.
(5) Automation required to be independent that is not physically separate.
(6) Any other automation that, in the judgement of the Commandant, potentially constitutes a safety hazard to the vessel or personnel in case of failure.
Note: The qualitative failure analysis is intended to assist in evaluating the safety and reliability of the design. It should be conducted to a level of detail necessary to demonstrate compliance with applicable requirements and should follow standard qualitative analysis procedures. Assumptions, operating conditions considered, failures considered, cause and effect relationships, how failures are detected by the crew, alternatives available to the crew, and possible design verification tests necessary should be included. Questions regarding failure analysis should be referred to the Marine Safety Center at an early stage of design.
§ 62.20-5 Self-certification.
top
(a) The designer or manufacturer of an automated system shall certify to the Coast Guard, in writing, that the automation is designed to meet the environmental design standards of §62.25–30. Plan review, shipboard testing, or independent testing to these standards is not required.
(b) [Reserved]
Note: Self-certification should normally accompany plan submittal.
Subpart 62.25—General Requirements for All Automated Vital Systems
top
§ 62.25-1 General.
top
(a) Vital systems that are automatically or remotely controlled must be provided with—
(1) An effective primary control system;
(2) A manual alternate control system;
(3) A safety control system, if required by §62.25–15;
(4) Instrumentation to monitor system parameters necessary for the safe and effective operation of the system; and
(5) An alarm system if instrumentation is not continuously monitored or is inappropriate for detection of a failure or unsafe condition.
(b) Automation systems or subsystems that control or monitor more than one safety control, interlock, or operating sequence must perform all assigned tasks continuously, i.e., the detection of unsafe conditions must not prevent control or monitoring of other conditions.
(c) Vital control and alarm system consoles and similar enclosures that rely upon forced cooling for proper system operation must meet section 41.23.2 of the American Bureau of Shipping's “Rules for Building and Classing Steel Vessels.”
§ 62.25-5 All control systems.
top
(a) Controls for engines and turbines equipped with jacking or turning gear must meet section 41.21.4 of the American Bureau of Shipping's “Rules for Building and Classing Steel Vessels.”
(b) Automatic control systems must be stable over the entire range of normal operation.
(c) Inadvertent grounding of an electrical or electronic safety control system must not cause safety control operation or safety control bypassing.
§ 62.25-10 Manual alternate control systems.
top
(a) Manual alternate control systems must—
(1) Be operable in an emergency and after a remote or automatic primary control system failure;
(2) Be suitable for manual control for prolonged periods;
(3) Be readily accessible and operable; and
(4) Include means to override automatic controls and interlocks, as applicable.
(b) Permanent communications must be provided between primary remote control locations and manual alternate control locations if operator attendance is necessary to maintain safe alternate control.
Note: Typically, this includes main boiler fronts and local propulsion control.
§ 62.25-15 Safety control systems.
top
(a) Minimum safety trip controls required for specific types of automated vital systems are listed in Table 62.35–50.
Note: Safety control systems include automatic and manual safety trip controls and automatic safety limit controls.
(b) Safety trip controls must not operate as a result of failure of the normal electrical power source unless it is determined to be the failsafe state.
(c) Automatic operation of a safety control must be alarmed in the machinery spaces and at the cognizant remote control location.
(d) Local manual safety trip controls must be provided for all main boilers, turbines, and internal combustion engines.
(e) Automatic safety trip control systems must—
(1) Be provided where there is an immediate danger that a failure will result in serious damage, complete breakdown, fire, or explosion;
(2) Require manual reset prior to renewed operation of the equipment; and
(3) Not be provided if safety limit controls provide a safe alternative and trip would result in loss of propulsion.
§ 62.25-20 Instrumentation, alarms, and centralized stations.
top
(a) General. Minimum instrumentation and alarms required for specific types of automated vital systems are listed in Table 62.35–50.
(b) Instrumentation Location. (1) Manual control locations, including remote manual control and manual alternate control, must be provided with the instrumentation necessary for safe operation from that location.
Note: Typically, instrumentation includes means to monitor the output of the monitored system.
(2) Systems with remote instrumentation must have provisions for the installation of instrumentation at the monitored system equipment.
(3) The status of automatically or remotely controlled vital auxiliaries, power sources, switches, and valves must be visually indicated in the machinery spaces or the cognizant remote control location, as applicable.
Note: Status indicators include run, standby, off, open, closed, tripped, and on, as applicable. Status indicators at remote control locations other than the ECC, if provided, may be summarized. Equipment normally provided with status indicators are addressed in Table 62.35–50 and subparts 58.01, 56.50, and 112.45.
(4) Sequential interlocks provided in control systems to ensure safe operation, such as boiler programing control or reversing of propulsion diesels, must have summary indicators in the machinery spaces and at the cognizant control location to show if the interlocks are satisfied.
(5) Instrumentation listed in Table 62.35–50 must be of the continuous display type or the demand display type. Displays must be in the ECC or in the machinery spaces if an ECC is not provided.
(c) Instrumentation details. Demand instrumentation displays must be clearly readable and immediately available to the operator.
(d) Alarms. (1) All alarms must clearly distinguish among—
(i) Normal, alarm, and acknowledged alarm conditions; and
(ii) Fire, general alarm, CO2/halon, vital machinery, flooding, engineers' assistance-needed, and non-vital alarms.
(2) Required alarms in high ambient noise areas must be supplemented by visual means, such as rotating beacons, that are visible throughout these areas. Red beacons must only be used for general or fire alarm purposes.
(3) Automatic transfer to required backup or redundant systems or power sources must be alarmed in the machinery spaces.
(4) Flooding safety, fire, loss of power, and engineers' assistance-needed alarms extended from the machinery spaces to a remote location must not have a duty crewmember selector.
Note: Other alarms may be provided with such a selector, provided there is no off position.
(5) Automation alarms must be separate and independent of the following:
(i) The fire detection and alarm systems.
(ii) The general alarm.
(iii) CO2/halon release alarms.
(6) Failure of an automatic control, remote control, or alarm system must be immediately alarmed in the machinery spaces and at the ECC, if provided.
(e) Alarm details. (1) All alarms must—
(i) Have a manual acknowledgement device (No other means to reduce or eliminate the annunciated signal may be provided except dimmers described in paragraph (g)(2) of this section);
(ii) Be continuously powered;
(iii) Be provided with a means to test audible and visual annunciators;
(iv) Provide for normal equipment starting and operating transients and vessel motions, as applicable, without actuating the alarm;
(v) Be able to simultaneously indicate more than one alarm condition, as applicable;
(vi) Visually annunciate until the alarm is manually acknowledged and the alarm condition is cleared;
(vii) Audibly annunciate until manually acknowledged;
(viii) Not prevent annunciation of subsequent alarms because of previous alarm acknowledgement; and
(ix) Automatically reset to the normal operating condition only after the alarm has been manually acknowledged and the alarm condition is cleared.
(2) Visual alarms must initially indicate the equipment or system malfunction without operator intervention.
(3) Power failure alarms must monitor on the load side of the last supply protective device.
(f) Summarized and grouped alarms. Visual alarms at a control location that are summarized or grouped by function, system, or item of equipment must—
(1) Be sufficiently specific to allow any necessary action to be taken; and
(2) Have a display at the equipment or an appropriate control location to identify the specific alarm condition or location.
(g) Central control locations. (1) Central control locations must—
(i) Be arranged to allow the operator to safely and efficiently communicate, control, and monitor the vital systems under normal and emergency conditions, with a minimum of operator confusion and distraction;
(ii) Be on a single deck level; and
(iii) Co-locate control devices and instrumentation to allow visual assessment of system response to control input.
(2) Visual alarms and instruments on the navigating bridge must not interfere with the crew's vision. Dimmers must not eliminate visual indications.
(3) Alarms and instrumentation at the main navigating bridge control location must be limited to those that require the attention or action of the officer on watch, are required by this chapter, or that would result in increased safety.
§ 62.25-25 Programable systems and devices.
top
(a) Programable control or alarm system logic must not be altered after Design Verification testing without the approval of the cognizant Officer in Charge, Marine Inspection (OCMI). (See subpart 61.40 of this subchapter, Design Verification Tests). Safety control or automatic alarm systems must be provided with means, acceptable to the cognizant OCMI, to make sure setpoints remain within the safe operating range of the equipment.
(b) Operating programs for microprocessor-based or computer-based vital control, alarm, and monitoring systems must be stored in non-volatile memory and automatically operate on supply power resumption.
(c) If a microprocessor-based or computer-based system serves both vital and non-vital systems, hardware and software priorities must favor the vital systems.
(d) At least one copy of all required manuals, records, and instructions for automatic or remote control or monitoring systems required to be aboard the vessel must not be stored in electronic or magnetic memory.
[CGD 81–030, 53 FR 17838, May 18, 1988; 53 FR 19090, May 26, 1988]
§ 62.25-30 Environmental design standards.
top
(a) All automation must be suitable for the marine environment and must be designed and constructed to operate indefinitely under the following conditions:
(1) Ship motion and vibration described in section 41.37 of the American Bureau of Shipping's “Rules for Building and Classing Steel Vessels.”
Note: Inclination requirements for fire and flooding safety systems are described in §112.05–5(c) of this chapter.
(2) Ambient air temperatures described in section 41.29.1 and 41.29.2 of the American Bureau of Shipping's “Rules for Building and Classing Steel Vessels.”
(3) Electrical voltage and frequency tolerances described in section 41.29.3 of the American Bureau of Shipping's “Rules for Building and Classing Steel Vessels.”
(4) Relative humidity of 0 to 95% at 45 °C.
(5) Hydraulic and pneumatic pressure variations described in section 41.39.3e of the American Bureau of Shipping's “Rules for Building and Classing Steel Vessels.”
Note: Considerations should include normal dynamic conditions that might exceed these values, such as switching, valve closure, power supply transfer, starting, and shutdown.
(b) Low voltage electronics must be designed with due consideration for static discharge, electromagnetic interference, voltage transients, fungal growth, and contact corrosion.
Subpart 62.30—Reliability and Safety Criteria, All Automated Vital Systems
top
§ 62.30-1 Failsafe.
top
(a) The failsafe state must be evaluated for each subsystem, system, or vessel to determine the least critical consequence.
(b) All automatic control, remote control, safety control, and alarm systems must be failsafe.
§ 62.30-5 Independence.
top
(a) Single non-concurrent failures in control, alarm, or instrumentation systems, and their logical consequences, must not prevent sustained or restored operation of any vital system or systems.
(b)(1) Except as provided in paragraphs (b)(2) and (b)(3) of this section, primary control, alternate control, safety control, and alarm and instrumentation systems for any vital system must be independent of each other.
(2) Independent sensors are not required except that sensors for primary speed, pitch, or direction of rotation control in closed loop propulsion control systems must be independent and physically separate from required safety control, alarm, or instrumentation sensors.
(3) The safety trip control of §62.35—5(b)(2) must be independent and physically separate from all other systems.
(c) Two independent sources of power must be provided for all primary control, safety control, instrumentation and alarm systems. Failure of the normal source of power must actuate an alarm in the machinery spaces. One source must be from the emergency power source (see part 112 of this chapter, Emergency Lighting and Power Systems) unless one of the sources is—
(1) Derived from the power supply of the system being controlled or monitored;
(2) A power take-off of that system; of
(3) An independent power source equivalent to the emergency power source.
§ 62.30-10 Testing.
top
(a) Automated vital systems must be tested in accordance with subpart 61.40 of this chapter.
(b) On-line built-in test equipment must not lock out or override safety trip control systems. This equipment must indicate when it is active.
Subpart 62.35—Requirements for Specific Types of Automated Vital Systems
top
§ 62.35-1 General.
top
(a) Minimum instrumentation, alarms, and safety controls required for specific types of automated vital systems are listed in Table 62.35–50.
(b) Automatic propulsion systems, automated electric power management systems, and all associated subsystems and equipment must be capable of meeting load demands from standby to full system rated load, under steady state and maneuvering conditions, without need for manual adjustment or manipulation.
§ 62.35-5 Remote propulsion control systems.
top
(a) Manual propulsion control. All vessels having remote propulsion control from the navigating bridge, an ECC or maneuvering platform, or elsewhere must have a manual alternate propulsion control located at the equipment.
Note: Separate local control locations may be provided for each independent propeller.
(b) Centralized propulsion control equipment. Navigating bridge, ECC, maneuvering platform, and manual alternate control locations must include—
(1) Control of the speed and direction of thrust for each independent propeller controlled;
(2) A guarded manually actuated safety trip control (which stops the propelling machinery) for each independent propeller controlled;
(3) Shaft speed and thrust direction indicators for each independent propeller controlled;
(4) The means to pass propulsion orders required by §113.30–5 and §113.35–3 of this chapter; and
(5) The means required by paragraph (d) of this section to achieve control location transfer and independence.
(c) Main navigating bridge propulsion control. (1) Navigating bridge remote propulsion control must be performed by a single control device for each independent propeller. Control must include automatic performance of all associated services, and must not permit rate of movement of the control device to overload the propulsion machinery.
(2) On vessels propelled by steam turbines, the navigation bridge primary control system must include safety limit controls for high and low boiler water levels and low steam pressure. Actuation of these limits must be alarmed on the navigating bridge and at the maneuvering platform or ECC.
(3) On vessels propelled by internal combustion engines, an alarm must annunciate on the navigating bridge and at the maneuvering platform or ECC, if provided, to indicate starting capability less then 50% of that required by §62.35–35(a). If the primary remote control system provides automatic starting, the number of automatic consecutive attempts that fail to produce a start must be limited to reserve 50% of the required starting capability.
(d) Control location transfer. Control location transfer must meet sections 41.19.3 and 41.19.4 of the American Bureau of Shipping's “Rules for Building and Classing Steel Vessels.” Manual alternate propulsion control locations must be capable of overriding and operating independent of all remote and automatic control locations.
(e) Control system details. (1) Each operator control device must have a detent at the zero thrust position.
(2) Propulsion machinery automatic safety trip control operation must only occur when continued operation could result in serious damage, complete breakdown, or explosion of the equipment. Other than the overrides mentioned in §62.25–10(a)(4) and temporary overrides located at the main navigating bridge control location, overrides of these safety trip controls are prohibited. Operation of permitted overrides must be alarmed at the navigating bridge and at the maneuvering platform or ECC, as applicable, and must be guarded against inadvertent operation.
(3) Remote propulsion control systems must be failsafe by maintaining the preset (as is) speed and direction of thrust until local manual or alternate manual control is in operation, or the manual safety trip control operates. Failure must activate alarms on the navigating bridge and in the machinery spaces.
[CGD 81–030, 53 FR 17838, May 18, 1988; 53 FR 19090, May 26, 1988]
§ 62.35-10 Flooding safety.
top
(a) Automatic bilge pumps must—
(1) Be provided with bilge high level alarms that annunciate in the machinery spaces and at a manned control location and are independent of the pump controls;
(2) Be monitored to detect excessive operation in a specified time period; and
(3) Meet all applicable pollution control requirements.
(b) Remote controls for flooding safety equipment must remain functional under flooding conditions to the extent required for the associated equipment by §56.50–50 and §56.50–95 of this chapter.
(c) Remote bilge level sensors, where provided, must be located to detect flooding at an early stage and to provide redundant coverage.
§ 62.35-15 Fire safety.
top
(a) All required fire pump remote control locations must include the controls necessary to charge the firemain and—
(1) A firemain pressure indicator; or
(2) A firemain low pressure alarm.
§ 62.35-20 Oil-fired main boilers.
top
(a) General. (1) All main boilers, regardless of intended mode of operation, must be provided with the automatic safety trip control system(s) of paragraphs (h)(1), (h)(2)(i), (h)(2) (ii), and (i) of this section to prevent unsafe conditions after light off.
(2) Manual alternate control of boilers must be located at the boiler front.
(3) A fully automatic main boiler must include—
(i) Automatic combustion control;
(ii) Programing control;
(iii) Automatic feedwater control;
(iv) Safety controls; and
(v) An alarm system.
(4) Following system line-up and starting of auxiliaries, fully automatic main boilers must only require the operator to initiate the following sequences:
(i) Boiler pre-purge.
(ii) Trial for ignition of burners subsequent to successful initial burner light-off.
(iii) Normal shutdown.
(iv) Manual safety trip control operation.
(v) Adjustment of primary control setpoints.
(5) All requirements for programing control subsystems and safety control systems must be met when a boiler—
(i) Automatically sequences burners;
(ii) Is operated from a location remote from the boiler front; or
(iii) Is fully automatic.
(6) Where light oil pilots are used, the programing control and burner safety trip controls must be provided for the light oil system. Trial for ignition must not exceed 15 seconds and the main burner trial for ignition must not proceed until the pilot flame is proven.
(b) Feedwater control. Automatic feedwater control subsystems must sense, at a minimum, boiler water level and steam flow.
(c) Combustion control. Automatic combustion control subsystems must provide—
(1) An air/fuel ratio which ensures complete combustion and stable flame with the fuel in use, under light off, steady state, and transient conditions; and
(2) Stable boiler steam pressure and outlet temperatures under steady state and transient load conditions; and
(3) A low fire interlock to prevent high firing rates and superheater damage during boiler warm up.
(d) Programing control. The programing control must provide a programed sequence of interlocks for the safe ignition and normal shutdown of the boiler burners. The programing control must prevent ignition if unsafe conditions exist and must include the following minimum sequence of events and interlocks:
(1) Prepurge. Boilers must undergo a continuous purge of the combustion chamber and convecting spaces to make sure of a minimum of 5 changes of air. The purge must not be less than 15 seconds in duration, and must occur immediately prior to the trial for ignition of the initial burner of a boiler. All registers and dampers must be open and an air flow of at least 25 percent of the full load volumetric air flow must be proven before the purge period commences. The prepurge must be complete before trial for ignition of the initial burner.
Note: A pre-purge is not required immediately after a complete post-purge.
(2) Trial for ignition and ignition. (i) Only one burner per boiler is to be in trial for ignition at any time.
(ii) Total boiler air flow during light off must be sufficient to prevent pocketing and explosive accumulations of combustible gases.
(iii) The burner igniter must be in position and proven energized before admission of fuel to the boiler. The igniter must remain energized until the burner flame is established and stable, or until the trial for ignition period ends.
(iv) The trial for ignition period must be as short as practical for the specific installation, but must not exceed 15 seconds.
(v) Failure of the burner to ignite during a trial for ignition must automatically actuate the burner safety trip controls.
(3) Post-purge. (i) Immediately after normal shutdown of the boiler, an automatic purge of the boiler equal to the volume and duration of the prepurge must occur.
(ii) Following boiler safety trip control operation, the air flow to the boiler must not automatically increase. Post purge in such cases must be under manual control.
(e) Burner fuel oil valves. Each burner must be provided with a valve that is—
(1) Automatically closed by the burner or boiler safety trip control system; and
(2) Operated by the programming control or combustion control subsystems, as applicable.
(f) Master fuel oil valves. Each boiler must be provided with a master fuel oil valve to stop fuel to the boiler automatically upon actuation by the boiler safety trip control system.
(g) Valve closure time. The valves described in paragraphs (e) and (f) of this section must close within 4 seconds of automatic detection of unsafe trip conditions.
(h) Burner safety trip control system. (1) Each burner must be provided with at least one flame detector.
(2) The burner valve must automatically close when—
(i) Loss of burner flame occurs;
(ii) Actuated by the boiler safety trip control system;
(iii) The burner is not properly seated or in place; or
(iv) Trial for ignition fails, if a programing control is provided.
(i) Boiler safety trip control system. (1) Each boiler must be provided with a safety trip control system that automatically closes the master and all burner fuel oil valves upon—
(i) Boiler low-low water level;
(ii) Inadequate boiler air flow to support complete combustion;
(iii) Loss of boiler control power;
(iv) Manual safety trip operation; or
(v) Loss of flame at all burners.
(2) The low-low water level safety trip control must account for normal vessel motions and operating transients.
[CGD 81–030, 53 FR 17838, May 18, 1988, as amended by USCG–2002–13058, 67 FR 61278, Sept. 30, 2002]
§ 62.35-35 Internal combustion engine starting systems.
top
(a) The starting system for propulsion engines and ship service generator prime movers required to automatically start must meet sections 34.23.3, 34.37.2, and 34.39 of the American Bureau of Shipping's “Rules for Building and Classing Steel Vessels,” except the sections referenced therein.
§ 62.35-40 Fuel systems.
top
(a) Level alarms. Where high or low fuel tank level alarms are required, they must be located to allow the operator adequate time to prevent an unsafe condition.
(b) Coal fuels. (1) Controls and instrumentation for coal systems require special consideration by the Commandant (G-MSE).
(2) Interlocks must be provided to ensure a safe transfer of machinery operation from one fuel to another.
(c) Automatic fuel heating. Automatic fuel heating arrangements must meet section 41.78.1 of the American Bureau of Shipping's “Rules for Building and Classing Steel Vessels.”
(d) Overflow prevention. Fuel oil day tanks, settlers, and similar fuel oil service tanks that are filled automatically or by remote control must be provided with a high level alarm that annunciates in the machinery spaces and either an automatic safety trip control or an overflow arrangement.
[CGD 81–030, 53 FR 17838, May 18, 1988, as amended by CGD 95–072, 60 FR 50463, Sept. 29, 1995; CGD 96–041, 61 FR 50728, Sept. 27, 1996]
§ 62.35-50 Tabulated monitoring and safety control requirements for specific systems.
top
The minimum instrumentation, alarms, and safety controls required for specific types of systems are listed in Table 62.35–50.
Table 62.35-50_Minimum System Monitoring and Safety Control Requirements for Specific Systems (Note 1)
----------------------------------------------------------------------------------------------------------------
System Service Instrumentation Alarm Safety control Notes
----------------------------------------------------------------------------------------------------------------
Main (Propulsion) boiler...... (\1\)............ (\1\)............ (\1\)........... ................ (2)
Supply casing and ................. Fire............
uptakes.
Burner flame..... Status........... Failure......... Burner auto trip (3)
Burner seating... ................. Failure......... ......ditto..... (3)
Trial for Status........... Failure......... ......ditto.....
ignition.
Control power.... Available Failure (low)... ......ditto..... (3)
(pressure).
................. ................. ................ Manual trip..... (3)
Burner valve..... Open/closed......
Low fire Status...........
interlock.
Program control Status...........
interlock.
Main (Propulsion steam) (\2\)............ (\2\)............ (\2\)........... ................ (4, 5)
turbine.
................. ................. ................ Manual trip.....
Main propulsion, diesel....... (\1\)............ (\1\)............ (\1\)........... ................ (4, 5)
................. ................. ................ Manual trip.....
Main propulsion, remote ................. ................. Failure......... ......ditto.....
control.
Auto safety trip ................. Activated.......
override.
Starting power... Pressure Low............. Limit........... (2)
(voltage).
Location in Status........... Override........ ................ (6)
control.
Shaft speed/ (\3\)............ (\3\)........... (\3\)...........
direction/pitch.
Clutch fluid..... Pressure......... Low.............
Main propulsion, electric..... (\4\)............ (\4\)............ (\4\)........... (\4\)........... (7)
Main propulsion, shafting..... Stern tube oil ................. Low.............
tank level.
Line shaft Temperature...... High............
bearing.
................. Forced Low.............
lubrication
Pressure.
Main propulsion, controllable Hydraulic oil.... Pressure......... High, Low.......
pitch propeller.
................. Temperature...... High............
Generators.................... Ship service..... (\1\)............ (\1\)...........
................. Starting pressure/ Low.............
voltage.
................. ................. Tripped.........
Emergency........ (\5\)............ (\5\)........... (\5\)...........
Turbogenerator... (1, 6)........... (1, 6).......... (\6\)...........
................. ................. ................ Manual trip.....
Diesel........... (1, 7)........... (1, 7).......... (\7\)........... (5)
................. ................. ................ Manual trip.....
Auxiliary boiler.............. ................. Run.............. Trip............ ................ (12)
Gas turbine................... (\8\)............ (\8\)............ (\8\)........... (\8\)........... (5)
Engines and turbines.......... Jacking/turning Engaged.......... ................ ................ (8)
gear.
Fuel oil...................... (\9\)............ (\9\)............ (\9\)...........
Remote/auto fill ................. High............ Auto trip or
level. overflow
arrangement.
Hi. press. ................. High............
leakage level.
Bilge......................... Pump remote Run..............
control.
Pump auto control Run.............. Excessive
operations.
Level............ ................. High/location...
Machinery space CL.3 W.T. ................. Open/closed......
doors.
Fire detection................ Machinery spaces. ................. Space on fire... ................ (9)
Fire main..................... ................. Pressure......... Low.............
Personnel..................... Deadman.......... ................. Fail to ................ (10)
acknowledge.
General, control and alarm Power supply..... Available Failure (low)...
systems. (pressure).
System function.. ................. Failure......... ................ (11)
Console air ................. Failure.........
conditioning.
Built in test Active...........
equipment.
Sequential Activated........
interlock.
Safety control... ................. Activated....... Auto trip/limit. (11)
Redundant auxiliary, system, ................. Status........... Auto transfer...
power supply.
----------------------------------------------------------------------------------------------------------------
\1\ See ABS Table 41.1.
\2\ See ABS Table 41.1, except Shaft Rollover.
\3\ See § 113.37 of this chapter.
\4\ See subparts 111.33 and 111.35 of this chapter.
\5\ See subparts 112.45 and 112.50 of this chapter.
\6\ See § 111.12-1(c) of this chapter.
\7\ See § 111.12-1 (b), (c) of this chapter.
\8\ See § 58.10-15(g) of this chapter.
\9\ See ABS Table 41.1, ``Additional Services.''
Notes on Table 62.35–50:
1. The monitoring and controls listed in this table are applicable if the system listed is provided or required. References to ABS Table 41.1 apply to the “Operation,” “Display,” “Alarm,” and “Notes” 1 through 12, except the reference to ACCU in Note 11.
2. Safety limit controls must be provided in navigating bridge primary propulsion control systems. See §62.35–5(c).
3. Safety trip controls and alarms must be provided for all main boilers, regardless of mode of operation. See §62.35–20(a).
4. Loss of forced lubrication safety trip controls must be provided, as applicable.
5. Override of overspeed and loss of forced lubrication pressure safety trip controls must not be provided. See §62.35–5(e)(2).
6. Transfer interlocks must be provided.
7. Semiconductor controlled rectifiers must have current limit controls.
8. Interlocks must be provided. See §62.25–5(a).
9. See subparts 113.10, 161.002, and fire protection requirements of the applicable subchapters. The use of thermal detectors alone is subject to special consideration by the Commandant (G-MSE). Flame detectors may only be used in conjunction with smoke or heat detectors.
10. See §62.50–20(b)(1).
11. Alarms and controls must be failsafe. See §62.30–1.
12. Vital auxiliary boilers only. Also see part 63.
[CGD 81–030, 53 FR 17838, May 18, 1988; 53 FR 19090, May 26, 1988, as amended by USCG–2000–7790, 65 FR 58461, Sept. 29, 2000]
Subpart 62.50—Automated Self-propelled Vessel Manning
top
§ 62.50-1 General.
top
(a) Where automated systems are provided to replace specific personnel in the control and observation of the engineering plant and spaces, or reduce overall crew requirements, the arrangements must make sure that under all sailing conditions, including maneuvering, the safety of the vessel is equal to that of the same vessel with the entire plant under fully attended direct manual supervision.
(b) Coast Guard acceptance of automated systems to replace specific personnel or to reduce overall crew requirements is predicated upon—
(1) The capabilities of the automated systems;
(2) The combination of the personnel, equipment, and systems necessary to ensure the safety of the vessel, personnel, and environment in all sailing conditions, including maneuvering;
(3) The ability of the crew to perform all operational evolutions, including emergencies such as fire or control or monitoring system failure;
(4) A planned maintenance program including routine maintenance, inspection, and testing to ensure the continued safe operation of the vessel; and
(5) The automated system's demonstrated reliability during an initial trial period, and its continuing reliability.
Note: The cognizant Officer in Charge, Marine Inspection, (OCMI) also determines the need for more or less equipment depending on the vessel characteristics, route, or trade.
(c) Equipment provided to replace specific personnel or to reduce overall crew requirements that proves unsafe or unreliable in the judgment of the cognizant Officer in Charge, Marine Inspection, must be immediately replaced or repaired or vessel manning will be modified to compensate for the equipment inadequacy.
§ 62.50-20 Additional requirements for minimally attended machinery plants.
top
Note: Minimally attended machinery plants include vessel machinery plants and spaces that are automated, but not to a degree where the plant could be left unattended. Emphasis is placed on the centralized remote control and monitoring of the machinery plant and machinery spaces.
(a) General. (1) Navigating bridge propulsion control must be provided.
(2) An ECC must be provided and must include the automatic and remote control and monitoring systems necessary to limit the operator's activity to monitoring the plant, initiating programed control system sequences, and taking appropriate action in an emergency.
(3) The ECC must include control and monitoring of all vital engineering systems, including—
(i) The propulsion plant and its auxiliaries;
(ii) Electrical power generation and distribution;
(iii) Machinery space fire detection, alarm, and extinguishing systems; and
(iv) Machinery space flooding safety systems, except the valves described in paragraph (e)(4) of this section.
(4) ECC control of vital systems must include the ability to place required standby systems, auxiliaries, and power sources in operation, unless automatic transfer is provided, and to shut down such equipment when necessary.
Note: ECC remote control need not include means for a single operator to bring the plant to standby from a cold plant or dead ship condition or controls for non-vital systems or equipment.
(b) Alarms and instrumentation. (1) A personnel alarm must be provided and must annunciate on the bridge if not routinely acknowledged at the ECC or in the machinery spaces.
(2) Continuous or demand instrumentation displays must be provided at the ECC to meet the system and equipment monitoring requirements of this part if the ECC is to be continuously attended. If the watchstander's normal activities include maintenance, a roving watch, or similar activities in the machinery spaces but not at the ECC, both alarms and instrumentation must be provided.
(3) All required audible alarms must annunciate throughout the ECC and machinery spaces. (continued)
Download First Page Previous Page
Next Page > Last Page >>Questions and Comments: jekstrom at stanford dot edu. 2008-2009 All Rights Reserved | http://cclme.org