§ 62.25-1 - General.

(a) Vital systems that are automatically or remotely controlled must be provided with—

(1) An effective primary control system;

(2) A manual alternate control system;

(3) A safety control system, if required by § 62.25-15;

(4) Instrumentation to monitor system parameters necessary for the safe and effective operation of the system; and

(5) An alarm system if instrumentation is not continuously monitored or is inappropriate for detection of a failure or unsafe condition.

(b) Automation systems or subsystems that control or monitor more than one safety control, interlock, or operating sequence must perform all assigned tasks continuously, i.e., the detection of unsafe conditions must not prevent control or monitoring of other conditions.

(c) Each console for a vital control or alarm system and any similar enclosure that relies upon forced cooling for proper operation of the system must have a backup means of providing cooling. It must also have an alarm activated by the failure of the temperature-control system.

[CGD 81-030, 53 FR 17838, May 18, 1988, as amended by USCG-2003-16630, 73 FR 65189, Oct. 31, 2008]

§ 62.25-5 - All control systems.

(a) Local and remote starting for any propulsion engine or turbine equipped with a jacking or turning gear must be prevented while the turning gear is engaged.

(b) Automatic control systems must be stable over the entire range of normal operation.

(c) Inadvertent grounding of an electrical or electronic safety control system must not cause safety control operation or safety control bypassing.

[CGD 81-030, 53 FR 17838, May 18, 1988, as amended by USCG-2003-16630, 73 FR 65189, Oct. 31, 2008]

§ 62.25-10 - Manual alternate control systems.

(a) Manual alternate control systems must—

(1) Be operable in an emergency and after a remote or automatic primary control system failure;

(2) Be suitable for manual control for prolonged periods;

(3) Be readily accessible and operable; and

(4) Include means to override automatic controls and interlocks, as applicable.

(b) Permanent communications must be provided between primary remote control locations and manual alternate control locations if operator attendance is necessary to maintain safe alternate control.

Note:

Typically, this includes main boiler fronts and local propulsion control.

§ 62.25-15 - Safety control systems.

(a) Minimum safety trip controls required for specific types of automated vital systems are listed in Table 62.35-50.

Note:

Safety control systems include automatic and manual safety trip controls and automatic safety limit controls.

(b) Safety trip controls must not operate as a result of failure of the normal electrical power source unless it is determined to be the failsafe state.

(c) Automatic operation of a safety control must be alarmed in the machinery spaces and at the cognizant remote control location.

(d) Local manual safety trip controls must be provided for all main boilers, turbines, and internal combustion engines.

(e) Automatic safety trip control systems must—

(1) Be provided where there is an immediate danger that a failure will result in serious damage, complete breakdown, fire, or explosion;

(2) Require manual reset prior to renewed operation of the equipment; and

(3) Not be provided if safety limit controls provide a safe alternative and trip would result in loss of propulsion.

§ 62.25-20 - Instrumentation, alarms, and centralized stations.

(a) General. Minimum instrumentation and alarms required for specific types of automated vital systems are listed in Table 62.35-50.

(b) Instrumentation Location. (1) Manual control locations, including remote manual control and manual alternate control, must be provided with the instrumentation necessary for safe operation from that location.

Note:

Typically, instrumentation includes means to monitor the output of the monitored system.

(2) Systems with remote instrumentation must have provisions for the installation of instrumentation at the monitored system equipment.

(3) The status of automatically or remotely controlled vital auxiliaries, power sources, switches, and valves must be visually indicated in the machinery spaces or the cognizant remote control location, as applicable.

Note:

Status indicators include run, standby, off, open, closed, tripped, and on, as applicable. Status indicators at remote control locations other than the ECC, if provided, may be summarized. Equipment normally provided with status indicators are addressed in Table 62.35-50 and subparts 58.01, 56.50, and 112.45.

(4) Sequential interlocks provided in control systems to ensure safe operation, such as boiler programming control or reversing of propulsion diesels, must have summary indicators in the machinery spaces and at the cognizant control location to show if the interlocks are satisfied.

(5) Instrumentation listed in Table 62.35-50 must be of the continuous display type or the demand display type. Displays must be in the ECC or in the machinery spaces if an ECC is not provided.

(c) Instrumentation details. Demand instrumentation displays must be clearly readable and immediately available to the operator.

(d) Alarms. (1) All alarms must clearly distinguish among—

(i) Normal, alarm, and acknowledged alarm conditions; and

(ii) Fire, general alarm, carbon dioxide/Halon 1301/clean agent fire extinguishing system, vital machinery, flooding, engineers' assistance-needed, and non-vital alarms.

(2) Required alarms in high ambient noise areas must be supplemented by visual means, such as rotating beacons, that are visible throughout these areas. Red beacons must only be used for general or fire alarm purposes.

(3) Automatic transfer to required backup or redundant systems or power sources must be alarmed in the machinery spaces.

(4) Flooding safety, fire, loss of power, and engineers' assistance-needed alarms extended from the machinery spaces to a remote location must not have a duty crewmember selector.

Note:

Other alarms may be provided with such a selector, provided there is no off position.

(5) Automation alarms must be separate and independent of the following:

(i) The fire detection and alarm systems.

(ii) The general alarm.

(iii) CO2/halon release alarms.

(6) Failure of an automatic control, remote control, or alarm system must be immediately alarmed in the machinery spaces and at the ECC, if provided.

(e) Alarm details. (1) All alarms must—

(i) Have a manual acknowledgement device (No other means to reduce or eliminate the annunciated signal may be provided except dimmers described in paragraph (g)(2) of this section);

(ii) Be continuously powered;

(iii) Be provided with a means to test audible and visual annunciators;

(iv) Provide for normal equipment starting and operating transients and vessel motions, as applicable, without actuating the alarm;

(v) Be able to simultaneously indicate more than one alarm condition, as applicable;

(vi) Visually annunciate until the alarm is manually acknowledged and the alarm condition is cleared;

(vii) Audibly annunciate until manually acknowledged;

(viii) Not prevent annunciation of subsequent alarms because of previous alarm acknowledgement; and

(ix) Automatically reset to the normal operating condition only after the alarm has been manually acknowledged and the alarm condition is cleared.

(2) Visual alarms must initially indicate the equipment or system malfunction without operator intervention.

(3) Power failure alarms must monitor on the load side of the last supply protective device.

(f) Summarized and grouped alarms. Visual alarms at a control location that are summarized or grouped by function, system, or item of equipment must—

(1) Be sufficiently specific to allow any necessary action to be taken; and

(2) Have a display at the equipment or an appropriate control location to identify the specific alarm condition or location.

(g) Central control locations. (1) Central control locations must—

(i) Be arranged to allow the operator to safely and efficiently communicate, control, and monitor the vital systems under normal and emergency conditions, with a minimum of operator confusion and distraction;

(ii) Be on a single deck level; and

(iii) Co-locate control devices and instrumentation to allow visual assessment of system response to control input.

(2) Visual alarms and instruments on the navigating bridge must not interfere with the crew's vision. Dimmers must not eliminate visual indications.

(3) Alarms and instrumentation at the main navigating bridge control location must be limited to those that require the attention or action of the officer on watch, are required by this chapter, or that would result in increased safety.

[CGD 81-030, 53 FR 17838, May 18, 1988, as amended by USCG-2006-24797, 77 FR 33874, June 7, 2012; USCG-2014-0688, 79 FR 58280, Sept. 29, 2014]

§ 62.25-25 - Programmable systems and devices.

(a) Programmable control or alarm system logic must not be altered after Design Verification testing without the approval of the cognizant Officer in Charge, Marine Inspection (OCMI). (See subpart 61.40 of this subchapter, Design Verification Tests). Safety control or automatic alarm systems must be provided with means, acceptable to the cognizant OCMI, to make sure setpoints remain within the safe operating range of the equipment.

(b) Operating programs for microprocessor-based or computer-based vital control, alarm, and monitoring systems must be stored in non-volatile memory and automatically operate on supply power resumption.

(c) If a microprocessor-based or computer-based system serves both vital and non-vital systems, hardware and software priorities must favor the vital systems.

(d) At least one copy of all required manuals, records, and instructions for automatic or remote control or monitoring systems required to be aboard the vessel must not be stored in electronic or magnetic memory.

[CGD 81-030, 53 FR 17838, May 18, 1988; 53 FR 19090, May 26, 1988; USCG-2014-0688, 79 FR 58280, Sept. 29, 2014]

§ 62.25-30 - Environmental design standards.

(a) All automation must be suitable for the marine environment and must be designed and constructed to operate indefinitely under the following conditions:

(1) Ship motion and vibration described in Table 9 of section 4-9-7 of the ABS Steel Vessel Rules (incorporated by reference; see 46 CFR 62.05-1); note that inclination requirements for fire and flooding safety systems are described in 46 CFR 112.05-5(c).

(2) Ambient air temperatures described in Table 9 of part 4-9-7 of the ABS Steel Vessel Rules.

(3) Electrical voltage and frequency tolerances described in Table 9 of part 4-9-7 of the ABS Steel Vessel Rules.

(4) Relative humidity of 0 to 95% at 45 °C.

(5) Hydraulic and pneumatic pressure variations described in Table 9 of part 4-9-7 of the ABS Steel Vessel Rules.

Note:

Considerations should include normal dynamic conditions that might exceed these values, such as switching, valve closure, power supply transfer, starting, and shutdown.

(b) Low voltage electronics must be designed with due consideration for static discharge, electromagnetic interference, voltage transients, fungal growth, and contact corrosion.

[CGD 81-030, 53 FR 17838, May 18, 1988, as amended by USCG-2003-16630, 73 FR 65189, Oct. 31, 2008]