Killer ESD Systems & DP

Introduction: This should hopefully be short. Everything that I am going to say is obvious and shouldn’t need said, but it keeps cropping up over the decades, so it might be worth repeating: “Don’t design systems that kill people or create worse disasters than they are trying to avoid.”

DUH! You think it would be obvious, but the world is complex, and designers have so many demands put on them and are so far from the actual work, that they sometimes don’t understand the implications of what they are making. Situations, which are obvious to people who work in them, sometimes never occur to people who are experts with equipment, and the mismatch between the design requirements and the actual operating environment causes trouble. ESD is just the most obvious example.

DP vs. ESD: There is an obvious contrast between these two. DP wants to make sure that the vessel reliably keeps position, and ESD wants to make sure that the ship reliably shuts down. These are both safety critical goals and aren’t necessarily contrasting goals, as DP belongs in the realm of safe operation and ESD belongs in the realm of safe shutdown. Problems occur when each encroaches on the other’s territory - when ESD endangers safe operation or DP redundancy prevents safe shutdown. You don’t see much of the latter, but the crew sometimes “improves” power redundancy or bypasses protection systems to avoid constant bother. This is also dangerous, but I’ve discussed it before.

Protecting “Baby”: Let’s start with a common problem on the way to ESD systems. In a storm or other dangerous operations, the crew expects equipment to complain but keep working. Safety depends on it. Designers want to shut down and protect their equipment. Operators know all about nuisance trips and aren’t impressed, so it’s vital that the equipment is hardy and trips vital, or the crew will bypass the safeties. A VSD designer might decide that improved safety would be nice and add a smoke detector that shuts down power to limit internal fires or to stop a drive when the load disconnects and a runaway might cause damage. This sounds good, but each can have external causes. So, outside dust or smoke can kill all thruster or critical mission drives, or a storm kill thrusters by lifting each out of the water. IMCA DPE 02/23.2 showed UPSs shutting down because of low frequency - exactly when you need them.

Context: Context is important, but the equipment designer often lacks it. The people who choose the equipment for the purpose need to catch these problems. The vessel designers, system integrators, and FMEAs need to catch the problems. If the documentation is poor and the problems are hidden, they show up in field reports and people are forewarned elsewhere. People from outside that loop are often surprised at what is looked at.

Back to ESD: DP is often summarized as avoiding single point failures that cause loss of more than one redundancy group. ESD can be summarized as avoiding single point failures that prevent detection and shutdown. DP wants shutdown commands to be confirmed as necessary, while ESD wants to be sure they happen when needed. One looks to avoid unnecessary shutdowns, while the other looks to enforce shutdowns. It’s possible to do both. Most ESD system designers work to avoid unnecessary shutdowns and make sure they work when they are needed.

Being the Gun: Sometimes, people new to ESD design for safety critical environments don’t get the balance right. Sometimes, the problem comes from people used to one type of equipment working with another. Normally, closing the dampers in an engine room is a good move to suppress a fire, and gas tight dampers are even more effective for that. But, while closing normal dampers is relatively safe, closing gas tight dampers is deadly and will kill crew and engines in the space. This can’t be done lightly or without a sure knowledge that it is necessary. If the design isn't fixed, the crew will rightly short circuit the design to ensure that they are not killed. So a zealous but inconsiderate design reduces safety. After an engine explosion or before the gas leak hits the engines, we might want to slam the dampers and save everyone else, but we certainly won’t do it for a garbage can fire or equipment fault. Serious consequences requires serious protections, and if crew can get safely out then they must be allowed too. Life is the highest priority, but I often find these threats to life while looking at support of safe DP operation (DP FMEA).

The Doctor Will See You Now: ESD is safety critical, but it’s a scalpel, not a hammer. Kill the cancer, not the patient. Killing all the engines in the only engine room, or one engine room in a closed bus system, is a safety critical decision. It has to be right, and not make things worse. It doesn’t matter if it kills DP, if it is the right decision, but if it’s a wrong one then there will be conflict. If making sure requires more detectors, then they need bought. Missing equipment cannot be designed away with aggressive cause and effects. ESD designers who only consider the worst case failure (e.g. explosion) without considering the lesser failures (equipment faults, minor circumstances that trigger ESD) can endanger life, equipment, and contracts. Being mesmerized by the worst case disaster can be dangerous. Both it and the other risks need properly managed to provide an effective solution that avoids unnecessary shutdowns, provides safe shutdowns when possible, and enforces shutdown when necessary.

Conclusion: Shutdowns need to reliably happen for very good reasons, and reliably not be triggered by bad ones. This requires understanding the vessel, its environment, its operations, and its equipment. Shortcuts to safety can be dangerous, and shutdowns need considered for both their positive and negative consequences. Medicine has the idea of the false positive. FMEA practitioners already consider it, and ESD designers need to as well. No one wants their ESD system to be ‘killer’ for the wrong reason.