For equipment class 3, the main DP control system should consist of at least two computer systems arranged so that, in case of any single failure, automatic position keeping ability will be maintained. Common facilities such as self-checking routines, alignment facilities, data transfer arrangements and plant interfaces should not be capable of causing failure of more than one computer system. The two or more computer systems mentioned above do not include the backup computer system; thus, in addition, one separate backup DP control system should be arranged. An alarm should be initiated if any computer fails or is not ready to take control.
Triple redundancy advantages
- Voting of sensor input signals.
  - The voting is performed between tightly synchronised computers to detect sensor errors such as compass drift and sensor breakdown, and to ensure that all three computers use the same data as a basis for calculation of command signals.
- Software Implemented Fault Tolerance.
  - The Triple Modular Redundancy (TMR) detects an error in the processing elements and corrects the error by employing voting algorithms. The system represents a Software Implemented Fault Tolerance (SIFT) concept.
- Voting on command (output) signals.
  - DP-31: The thruster commands from the three control computers are compared by the “master” computer and the median command is selected to be the final output.
  - DP-32: The voting of the thruster commands is performed in the thruster control field station.
- No single-point failure.
  - The system is designed to avoid total system failure if a single failure occurs.
- Failure detection.
  - The system will detect a failure, allowing corrective action to be taken.
- Fault isolation.
  - If one system component fails, the other components will not be affected.
- No standby unit, all computers are "hot".
  - If one DP control computer fails in a triple-redundancy system, the two other computers continue working and perform dual-redundancy procedures in the same way as a dual system. Should a second computer failure take place, there is an automatic switchover to the remaining computer.
- Hot repair.
  - It is possible to replace a computer while the other computers continue the operation.
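The DP-31 median selection and the fallback from three computers to two and then one, described in the list above, as an added C example that is not from the original page or from any vendor's implementation. The tolerance `tol`, the percent-of-thrust unit, the dual-mode rule (follow the lower-numbered computer and flag a mismatch), the zero command when no computer is ready, and all identifiers are assumptions.

```c
#include <stdbool.h>

#define N_COMPUTERS 3

/* One DP control computer's thruster command for a single control cycle. */
typedef struct {
    bool   ready;    /* false: computer failed or not ready to take control */
    double command;  /* thruster command; percent of full thrust (assumed unit) */
} dp_output;

typedef struct {
    double   command;   /* command forwarded to the thruster */
    int      healthy;   /* number of ready computers that took part */
    unsigned suspects;  /* bit i set: computer i deviates beyond tol */
    bool     alarm;     /* a computer is failed, not ready, or disagreeing */
} vote_result;

static double absd(double x) { return x < 0 ? -x : x; }

static double median3(double a, double b, double c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* tol is an assumed tuning parameter: largest deviation treated as agreement. */
vote_result vote_thruster(const dp_output in[N_COMPUTERS], double tol)
{
    vote_result r = { 0.0, 0, 0u, false };
    int idx[N_COMPUTERS];
    for (int i = 0; i < N_COMPUTERS; i++)
        if (in[i].ready) idx[r.healthy++] = i;
    r.alarm = r.healthy < N_COMPUTERS;

    if (r.healthy == 3) {            /* triple mode: median select */
        r.command = median3(in[0].command, in[1].command, in[2].command);
        for (int i = 0; i < N_COMPUTERS; i++)
            if (absd(in[i].command - r.command) > tol) r.suspects |= 1u << i;
    } else if (r.healthy == 2) {     /* dual mode (assumed rule): follow the */
        r.command = in[idx[0]].command;   /* lower-numbered unit, flag mismatch */
        if (absd(in[idx[0]].command - in[idx[1]].command) > tol)
            r.suspects = (1u << idx[0]) | (1u << idx[1]);
    } else if (r.healthy == 1) {     /* single survivor takes over */
        r.command = in[idx[0]].command;
    }                                /* none ready: 0.0 (assumed default) */
    if (r.suspects) r.alarm = true;
    return r;
}
```

In triple mode a single drifting computer is outvoted and identified in `suspects`; in dual mode a mismatch can only be flagged, not attributed, which is why both bits are set.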
Norwegian Maritime Directorate (NMD) Classification of DP Vessels
Where IMO leaves the decision of which Class applies to what kind of operation to the operator of the DP ship and its client, the Norwegian Maritime Directorate (NMD) has specified what Class should be used in regard to the risk of an operation. In the NMD Guidelines and Notes No. 28, enclosure A, four classes are defined:
- Class 0 operations where loss of position keeping capability is not considered to endanger human lives, or cause damage.
- Class 1 operations where loss of position keeping capability may cause damage or pollution of small consequence.
- Class 2 operations where loss of position keeping capability may cause personnel injury, pollution, or damage with large economic consequences.
- Class 3 operations where loss of position keeping capability may cause fatal accidents, or severe pollution or damage with major economic consequences.
Based on this, the type of ship is specified for each operation:
- Class 1 DP units with equipment class 1 should be used during operations where loss of position is not considered to endanger human lives, cause significant damage or cause more than minimal pollution.
- Class 2 DP units with equipment class 2 should be used during operations where loss of position could cause personnel injury, pollution or damage with great economic consequences.
- Class 3 DP units with equipment class 3 should be used during operations where loss of position could cause fatal accidents, severe pollution or damage with major economic consequences.