DNV-OS-D202 Automation, Safety, and Telecommunication Systems

The electronic pdf versions of the documents found through http://www.dnv.com/ are the officially binding versions. Copyright Det Norske Veritas.

Sec.1: Design Principles

[Table of Contents]

B: System Availability

DNV-OS-D202 Automation, Safety, and Telecommunication Systems

[-]

Ch.2: Technical Provisions

[-]

Sec.1: Design Principles

[-]

A: System Configuration

Ch.2 Sec.1
A. System Configuration

Ch.2 Sec.1
A 100 General

Ch.2 Sec.1 A
101 Essential and important systems shall be so arranged that a single failure in one system cannot spread to another system.

Guidance note:
The system should be designed so that a failure in the automation function does not have any impact on the safety function. Other items are use of selective fusing of electrical distribution systems.

---e-n-d---o-f---G-u-i-d-a-n-c-e---n-o-t-e---

Ch.2 Sec.1 A
102 Failure of any safety and automation system shall initiate an audible and visual alarm at a manned control station and shall not prevent manual control.

Ch.2 Sec.1
A 200 Field instrumentation

Ch.2 Sec.1 A
201   The field instrumentation belonging to separate essential process segments shall be mutually independent.

Ch.2 Sec.1 A
202   When the field instrumentation of a process segment is common for several systems, and any of these systems is essential, failures in any of the systems shall not affect this field instrumentation.

Ch.2 Sec.1 A
203   When manual emergency operation of an essential process segment is required, the field instrumentation required for the manual emergency operation shall be independent of other parts of any system.

Ch.2 Sec.1 A
204   When traditional mechanical components are replaced by electronic components, these components shall have the same reliability as the mechanical component being replaced.

Guidance note:
Electronic governors should have power supply independent of other consumers and system availability of R0. Speed sensor cabling should be mechanically well protected.

Electric or electronic fuel injectors should be designed to permit the necessary functionality in case of the most probable failures.

---e-n-d---o-f---G-u-i-d-a-n-c-e---n-o-t-e---

Ch.2 Sec.1
A 300 System

Ch.2 Sec.1 A
301 For an essential system having more than one process segment, failure in the field instrumentation of one process segment shall not result in failure for the remaining parts of the system.

Ch.2 Sec.1
A 400 Integrated systems

Ch.2 Sec.1 A
401   Essential systems, excluding common process segments, shall be independent of other systems.

Ch.2 Sec.1 A
402   Non-important systems or parts of non-important systems, which may affect essential or important systems shall meet the requirement for the relevant system it is connected to.

Ch.2 Sec.1 A
403   UID's for operation shall only be available at workstations from which operation is permitted.

Ch.2 Sec.1 A
404   There shall be sufficient VDU's or other panels to ensure both overview and detailed information for relevant safety systems.

Guidance note:
Sufficient overall status should be provided without browsing between screen pictures. This implies that it should be possible to both have fixed overview of safety related information as well as using other VDU's to obtain detailed information about the incident.

---e-n-d---o-f---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note:
The number of VDU's and UID's at control stations should be sufficient to ensure that all functions may be provided for with any one VDU or UID out of operation, taking into account any functions that should be continuously available.

---e-n-d---o-f---G-u-i-d-a-n-c-e---n-o-t-e---

Ch.2 Sec.1
A 500 Redundancy

Ch.2 Sec.1 A
501   Redundancy shall be built in to the extent necessary for maintaining the safe operation of the unit. Changeover to redundant systems shall be simple even in cases of failure of parts of the safety and/or automation system.

Ch.2 Sec.1 A
502   Automatic switching between two systems shall not be dependent on only one of the systems.

Ch.2 Sec.1 A
503   The redundancy requirement shall imply redundant communication links, power supplies, computers and operator stations.

Guidance note:
Redundancy of computers should be limited to controllers with CPU's; single I/O cards/modules are accepted. Consideration should be given to the allocation of signals to I/O modules in order to minimise the consequences of a single card/module failure.

Addressable loop detector systems with single CPU central units are presently accepted for living quarter and marine areas as well as for drilling areas, but areas with more than one detector should normally be covered by at least two loops, Consideration should be given to distribution of detectors on different loops.

---e-n-d---o-f---G-u-i-d-a-n-c-e---n-o-t-e---

Sec.1: Design Principles

[Table of Contents]

B: System Availability