Single-fault failures should not be possible in safety-critical systems. However, a recent incident in which dynamic positioning failed while divers were underwater shows that they can and do happen in ways that, with 20/20 hindsight, are not surprising.
A serious incident occurred in which a diving support vessel’s dynamic positioning (DP) system, designated as IMO Class 2, failed, resulting in the vessel drifting off position while divers were deployed subsea. Investigations have shown that a probable cause of the DP failure was a single fault which caused blocking of the DP system’s internal data communications.
Dynamically positioned (DP) vessels undertake a range of safety-critical activities such as diving support, drilling for hydrocarbons and operations adjacent to offshore production installations. In many cases the safety of critical activities depends on the continued availability of DP functions. Many DP systems rely on bus-oriented communications networks. Investigation of the incident referenced above found that communications dependent on a dual bus network can be totally lost because of a single fault.
Where the safety case for an offshore installation includes claims in relation to performance of dynamic positioning systems, the safety case duty holder should verify that the claims can be met. In particular, where the safety case claims that a dynamic positioning system achieves IMO Class 2 or better, the duty holder for the safety case should investigate the communications architecture for the relevant DP system. If the dynamic positioning functions are dependent on a shared communication medium such as a dual data bus network, then the duty holder should ensure that appropriate measures are in place to prevent a single fault causing failure of the DP system.
Manufacturers and suppliers of dynamic positioning systems who claim their products satisfy IMO Class 2 or better should investigate the communications architecture for the relevant dynamic positioning systems. If the dynamic positioning functions are dependent on a shared communication medium such as a dual data bus network, then the manufacturer / supplier should check that appropriate measures are in place to prevent a single fault causing failure of the DP system. If such measures are not in place, then the relevant manufacturer or supplier should ensure that the users of the dynamic positioning system are provided with adequate information regarding the vulnerability of the dynamic positioning system to single faults.