1 The Maritime Safety Committee, at its seventieth session 7 to 11 December 1998, approved the Guidelines for the on-board use and application of computers given in the annex. Also, the Committee, at its sixty-ninth session (11 to 20 May 1998), approved MSC/Circ.854 on Guidelines for shipboard loading and stability computer programmes and instructed the Secretariat to annex them to the aforementioned Guidelines for the on-board use and application of computers, once approved. The former have, therefore, been attached to the latter and are set out in the appendix to the annex.
2 The advent of inexpensive personal computers has resulted in rapidly-growing usage aboard merchant marine vessels for many shipboard applications, including cargo loading and trim and stability calculations. To the extent that these programmes rely upon human input of data and interpretation of output, they are potentially vulnerable to human factor errors. Although such errors will most likely emerge in the user such as shipboard officers, the actual roots of the errors might be found in other shoreside sectors; software developers who might not anticipate human factor needs, or shipping company
management.
3 Requirements as to the performance of such software will depend on the person/organization involved as follows:
.1 For users (ship officers): greater consistency among .1 For users (ship officers): greater consistency among programmes from different vendors, which will make familiarization and proficiency easier and faster to achieve; programmes from different vendors, which will make familiarization and proficiency easier and faster to achieve;
.2 For ship owners/operators: availability of well-conceived software products that include
appropriate materials for training and also documentation for revising programme or data
when necessary, for instance to reflect any changes in the ship's weight and moment
characteristics;
.3 For software developers: the benefit of a broader experience base than just their own corporate experience, and a consistent uniform standard reflecting customer expectations;
and
.4 For Administrations: assurance that sophisticated programmes are developed and introduced into service and that they will reflect human factor considerations and minimize chances for human error.
4 These Guidelines for the on-board use and application of computers have been developed to provide an international standard for the design, approval and testing of such systems and should be construed as supplementary to the relevant regulations of the SOLAS Convention. However, it should be
noted that certain applications of computers are defined in Performance Standards adopted by the Organization which take precedence over these Guidelines
5 Taking into account that the number and types of computer-based systems available for on-board use is strongly increasing, that such systems are under fast development and the fact that they have
considerable effect on the safety at sea, the international harmonization should be beneficial to manufacturers, ship builders, ship owners and ship operators, maritime administrations and organizations acting on their behalf, seafarers, passengers and other users of marine services.
6 The Guidelines are not intended to prohibit the use of any existing computer-based systems on board existing ships if such systems do not fully comply with these Guidelines. Many existing ships have operated their computer-based systems successfully and safely for a long period of time, and their operating history should be considered in evaluating their suitability to continue contributing to their safe operation.
7 For existing systems, the Guidelines should be made applicable to a reasonable extent when major modifications are carried out.
8 Where these Guidelines refer to the Administration, this is the flag State Administration or a recognized organization authorized to act on its behalf in accordance with SOLAS regulation XI/1.
9 Member Governments, CIRM, IEC, IACS, ICS and all other interested parties are requested to bring the attached Guidelines to the attention of all concerned.
***
Annex
GUIDELINES FOR THE ON-BOARD USE AND
APPLICATION OF COMPUTERS
1 Scope
1.1 These Guidelines are applicable where computer-based systems are used to perform essential
functions, such as:
a) - propulsion, steering and manoeuvring
- navigation and communication
- cargo loading, discharging and control
- safety of passengers and crew (e.g. fire safety systems and general alarm); and
b) essential calculations, such as ship's stability and loading.
1.2 The Guidelines are not applicable to equipment or systems for which relevant specific Performance
Standards of the Organization exist.
1.3 The Guidelines should also be applied to non-essential functions where loss of control could result
in serious damage to the ship or its machinery, or serious injury to personnel, e.g. explosion of
domestic water boilers.
2 Definitions
In addition to the definitions in the SOLAS Convention the following are necessary for these
guidelines:
2.1 Computer
A programmable electronic device for storing and processing data, making calculations, or
performing control.
Notes:
1. For the purposes of this document the term "computer" means a "digital computer".
2. A computer may consist of a stand-alone unit or may consist of several interconnected units and includes
any programmable electronic system (PES), including main-frame, mini-computer or micro-computer.
2.2 Computer-based system
A system of one or more computers, associated software, peripherals and interfaces.
2.3 Integrated system
A combination of computer-based systems which are interconnected in order to allow centralised
access to sensor information and/or command/control.
Notes:
Integrated systems may, for example, perform one or more of the following operations:
- passage execution (e.g. steering, speed control, traffic surveillance, voyage planning);
- communications (e.g. radiotelephone, radiotelex, GMDSS);
- machinery (e.g. power management, machinery monitoring, fuel oil/lubrication oil transfer);
- cargo (e.g. cargo monitoring, inert gas generation, loading/discharging);
- safety and security (e.g. fire detection, fire pump control, watertight doors).
2.4 Interface
A transfer point at which information is exchanged.
Note:
Examples of Interfaces include:
- Input/output interface (used for interconnection with sensors and actuators);
- Man/machine interface (e.g. visual display units, keyboards, tracker-balls, and dedicated controls and
instruments used for communication between the operator and the computer);
- Communications interface (used to enable serial communications/networking with other computers or
peripherals).
2.5 Node
A point of interconnection to a data communication link.
2.6 Peripheral
A device performing an auxiliary action in the system, e.g. printer, data storage device.
2.7 Software
Programs, data and documentation associated with the operation of a computer-based system.
3 General Requirements
3.1 General
3.1.1 Computer-based systems should fulfill the functional requirements of the system under control for
all operating conditions including emergency conditions, taking into account:
- Danger to persons
- Environmental impact
- Damage to equipment
- Usability
- Operability of non-computer devices and systems, etc.
3.1.2 If process times for functions of the system are shorter than the reaction times of the operator and
therefore damage cannot be prevented by manual intervention, means of automatic intervention
should be provided.
3.1.3 A computer-based system should have sufficient capability to:
- perform necessary autonomous operations,
- accept user commands,
- inform the user correctly,
under all operating conditions including emergency.
3.1.4 System capability should provide adequate response times for all functions, taking into
consideration the maximum load and maximum number of simultaneous tasks, including network
communication speed, under normal and abnormal process conditions.
3.1.5 Computer-based systems should be designed in such a way that they can be used without special
previous knowledge, otherwise appropriate assistance should be provided for the user, as specified
in section 6 - Training.
3.1.6 Computer-based systems should be protected against unintentional or unauthorized modification
of programs and data.
3.2 Hardware
3.2.1 Hardware should be suitably designed to withstand supply voltage variations and transients,
ambient temperature changes, vibration, humidity, electromagnetic interference and corrosion
normally encountered in ships.
3.2.2 The design of the hardware should ensure ease of access to interchangeable parts for repairs and
maintenance.
3.2.3 Each replaceable part should be simple to replace and should be constructed for easy and safe
handling. All replaceable parts should be so arranged that it is not possible to connect them
incorrectly or to use incorrect replacements. Where this is not practicable, the replaceable parts,
including their means of electrical connection, should be clearly marked.
3.3 Software
3.3.1 Systematic procedures should be followed during all phases of the software life cycle
(development, installation and subsequent modification).
3.3.2 System tests should be specified, performed and documented. These tests should include all
software functions and important combinations of functions, performance, dependability and
usability requirements under all modes of operation including emergency conditions and behaviour
under failure conditions.
3.3.3 Modifications of program contents and data, as well as a change of version, should be documented.
Note: ISO 9000-3 gives guidelines for the application of ISO 9001 to the development, supply
and maintenance of software.
4 System Configuration
4.1 General
4.1.1 The hardware and software should be of a modular, hierarchical, design in order to maximise the
fault tolerance of the system.
4.1.2 The selection of the computer equipment should be consistent with safe operation of the system
under control.
4.2 Self-test
4.2.1 Computer-based systems should be monitored for correct operation and an alarm should be given
for an abnormal condition.
4.3 Power supply
4.3.1 The power supply should be monitored for failure and should give an alarm in the event of an
abnormal condition.
4.3.2 Program and data held in the system should be protected from corruption by loss of power.
4.3.3 Redundant systems should be selectively fed and separately protected against short circuits and
overloads.
4.4 Installation
4.4.1 Equipment and its associated cabling should be installed in accordance with an appropriate code
of practice to minimize electromagnetic interference between the equipment concerned and other
equipment on board.
4.5 Cables
4.5.1 Cables used for data communication should be of adequate mechanical strength, suitably supported
and also protected from mechanical damage.
4.6 Data communication
4.6.1 The data communication link should be continuously self-checking, for detecting failures on the
link itself and data communication failure on nodes and should give an alarm in the event of an
abnormal condition.
4.6.2 When the same data communication link is used for two or more essential functions, this link
should be redundant. Redundant data communication links should be routed with as much
separation as practical.
4.6.3 Switching between redundant links should not disturb data communication or continuous operation
of functions.
4.6.4 To ensure that data can be exchanged between various systems, standardized interfaces should be
used.
4.7 Failure to safety
4.7.1 In the event of a failure of a computer-based system, that system should automatically revert to the
least hazardous condition.
4.7.2 The failure and restarting of computer-based systems should not cause processes to enter undefined
or critical states.
4.7.3 Control, alarm and safety functions should be arranged such that a single failure will not affect
more than one of these functions.
4.8 Integration of systems
4.8.1 Operation with an integrated system should be at least as effective as it would be with individual,
stand-alone equipment. Where multifunction displays and controls are used they should be
duplicated and interchangeable.
4.8.2 Failure of one part (individual module, equipment or subsystem) of the integrated system should
not affect the functionality of other parts, except for those functions directly dependent upon
information from the defective part.
4.8.3 A complete failure in connectivity between parts should not affect their independent functionality.
4.8.4 An alternative means of operation, independent of the integration, should be available for all
essential functions.
4.8.5 When systems under control are required to be duplicated and in separate compartments this
should also be applied to computer-based systems.
5 User interface
5.1 General
5.1.1 Computer-based systems should be designed for ease of handling and user-friendliness and should
follow ergonomic principles.
5.1.2 The operational status of a computer-based system should be easily recognizable.
5.1.3 A user guide should be provided. This user guide should describe for example:
- function keys
- menu displays
- computer-guided dialogue steps, etc.
5.1.4 An alarm should be displayed at relevant operator stations for failure or shutdown of a subsystem.
5.2 Input devices
5.2.1 Input devices should have clearly definable functions, be reliable in use and operate safely under
all conditions. The acknowledgement of the instruction given should be recognizable.
5.2.2 Dedicated function keys should be provided for frequently recurring commands and for commands
which must be available for rapid execution. If multiple functions are assigned to keys, it should
be possible to recognize which of the assigned functions is active.
5.2.3 Control panels on the bridge should be provided with separate lighting. The level of lighting and
the brightness of visual display units should be controllable.
5.2.4 Where equipment operations or functions may be changed via keyboards appropriate measures
should be employed so as to limit access of such operations to authorized personnel only.
5.2.5 If the operation of a key is able to cause dangerous operating conditions, measures should be taken
to prevent the instruction in question from being executed by a single action such as:
- use of a special key lock,
- use of two or more keys.
5.2.6 Conflicting control interventions should be prevented by means of interlocks or warnings. The
active control status should be recognizable.
5.2.7 The operation of input devices should be logical and correspond to the direction of action of the
controlled equipment.
5.3 Output devices
5.3.1 The size, colour and density of text and graphic information displayed on a visual display unit
should be such that it may be easily read from the normal operator position under all operational
lighting conditions. The brightness and contrast should be capable of being adjusted to the
prevailing ambient conditions.
5.3.2 Information should be displayed in a logical priority.
5.3.3 If alarm messages are displayed on colour monitors, the distinctions in the alarm status should be
ensured even in the event of failure of a primary colour.
Reference is also made to the following International Electrotechnical Commission (IEC) Publications: *
92 - Electrical Installation in Ships.
533 - Electromagnetic compatibility of electrical and electronic installation in ships.
945 - Marine navigational equipment - General requirements - Methods of testing and
required results.
5.4 Graphical user interface
5.4.1 Information should be presented clearly and intelligibly according to its functional significance and
association. Screen contents should be logically structured and their representation should be
restricted to the data which is directly relevant for the user.
5.4.2 When using general purpose graphical user interfaces, only the functions necessary for the
respective process should be available.
5.4.3 Alarms should be visually and audibly presented with priority over other information in every
operating mode of the system; they should be clearly distinguishable from other information.
5.4.4 All display and control functions in control stations operated by the same operators should adopt
a consistent user interface. Particular attention should be paid to:
- symbols;
- colours;
- controls;
- information priorities;
- layout.
6 Training
6.1 Training should be provided at a level required to effectively operate and maintain the system and
should cover normal, abnormal and emergency conditions. The user interface for training should
correspond with the real system.
6.2 Documentation should be provided to support the training and should be available for repeated use
on board.
6.3 Where a training mode is incorporated in a computer-based system it should be clearly indicated
when the training mode is active.
6.4 Whilst in the training mode the operation of the system should not be impaired, and neither should
any system alarms or indications be inhibited.
7 Testing
7.1 Evidence should be furnished to the satisfaction of the Administration that the installed
computer-based systems have been designed, manufactured and tested in accordance with these
Guidelines. In the case of any integrated systems such evidence should be furnished by a single *
party responsible for the integration.
7.2 In addition to these Guidelines manufacturers should ensure by means of a quality control system
that their products meet with their specifications.
7.3 Tests and inspections should be carried out with the aim of establishing the correct operation and
the quality of a product (see also 3.3.2).
7.4 Modifications of program contents and data, as well as a change of version, should be tested (see
also 3.3.3).
Appendix
GUIDELINES FOR SHIPBOARD LOADING AND
STABILITY COMPUTER PROGRAMS
1 Scope
These guidelines may be applied where computer-based systems are used to perform functions, such as:
- predicting draughts and trim and verifying that limiting stability parameters, such as
"required GM " are met; T
- tank instrumentation systems used to provide direct electronic input of liquid loads (cargo,
fuel, ballast, etc.) into the computer, bypassing the human measurement and data entry
steps;
- operators of containerships may want to verify that over-the-bow bridge visibility
requirements are met;
- operators of chemical parcel tankers may want to integrate chemical compatibility data to
create voyage-specific/cargo-specific loading plans, thereby optimizing cargo flexibility;
- similarly, OBO operators may want a system which can accommodate multiple bulk
cargoes of different densities and compute bending stresses with more precision;
- a program system could be used to monitor real-time hull bending stresses during
loading/discharging operations, or due to sea conditions while under way via sensor
systems that provide direct input to the computer; and
- a calculating damage stability conditions integrating loading data and flooded compartment
characteristics.
2 General requirements
2.1 Units: Basic stability calculations are performed using weights, typically Ltons or Mtons.
However, some cargoes are more commonly measured in short tons, TEUs, or barrels. Other liquid loads
(fuel and ballast) might be initially measured as soundings or ullages. The program developer may wish
to make its program more convenient for the user to enter data in these alternate units. If so, the program
should minimize chances for unit confusion and, wherever possible, weight conversions should be
calculated by the computer. Screen displays and print-outs should then present both the entered value and
the computational weight value side-by-side.
2.2 Data and program protection: Although the program should be flexible enough to allow the user
to override default data, certain data, such as lightship characteristics, allowable bending stress, required
GM, as well as the program itself, should be protected against user revision. This could be achieved by
furnishing the ship with compiled or read-only versions.
2.3 Back-up of data: Copies of all constant data residing in computer files, such as ship geometry and
tables, should be available on independent storage units, such as tape of floppy disks. The number of such
copies should not be less than two.
3 User interface
3.1 "Home" screen: The program should have a simple command (keystroke/icon) that returns the user
directly to a familiar "home" screen from any of the loading screens. This allows a "lost" user (who may
have got disoriented among various loading screens) to quickly re-establish their orientation.
3.2 "Help" functions: The program should have easily-accessed "help" functions such as designated
function keys, or an on-screen menu bar.
3.3 Default loading: A default loading condition should reflect any special loading or operating
requirements imposed by the ship's stability booklet (such as locked-in ballast requirements).
3.4 Input and output data screening: The program should check data entered by the user for
reasonableness in order to screen out possible input errors, for example, a cargo tank entry which exceeds
the capacity of the tank. The program should not reject the entry as there may be special loading scenarios
where unusual data must be entered, but it should clearly indicate to the user that the entry is out of
expected bounds. Similarly, the program should alert the user if an output parameter such as "predicted
GM" is out of expected bounds.
3.5 Alerts: The system should alert the user if an output indicates a critical, or possibly dangerous
situation. Alerts should, when possible, be augmented by audio signals. It is recommended that the
graphical presentation and audio signals are different in case of critical events and user errors.
3.6 Extra loading entry lines: In most cases, load entries will be of the fixed-location type where LCGs,
VCGs, etc., are pre-displayed and the user only needs to enter a weight value. However, the program
should include several extra blank lines to allow additional non-fixed load entries where the user can enter
VCG, LCG, TCG, etc. Examples of non-fixed load entries might be an unusual deck cargo, temporary
ballast or damaged stability calculations (where a flooded compartment could be entered as if it were a
tank).
3.7 Print-outs: Each loading condition print-out should automatically contain the name of the ship and
the date of print-out; user should be prompted to enter a title for the condition as well. This information
should be repeated on each page of the print-out.
4 Training and documentation
4.1 User training: Training/tutorial material should be provided, as appropriate, for the sophistication
of the program. This may range from formal classroom sessions to tutorial videotapes and/or self-study
lesson plans.
4.2 Documentation: The software should be accompanied by a user's manual and a programmer's
manual.
4.2.1 The user's manual should be written for the direct user (ship's officers) and should include the
following elements:
.1 Identification: the manual should have a unique identification number that matches an
on-screen ID number in the program. It should also clearly identify the stability booklet
from which the lightship data is taken.
.2 System requirements: identifies computer system hardware and software requirements
such as compatible computers, operating system, memory requirements and other special
requirements, such as video graphics, mouse, printer, etc.
.3 File management: a list of all relevant software files, giving name, size, date and a brief
description of each. The manual should also explain how any user-generated files, such
as saved loading conditions, are named. These measures should allow the user to review
the disk directory and verify that the correct current files are present.
.4 Instructions: a clear explanation of how to install, use, and troubleshoot the program. The
instructions should be user-friendly, recognizing that the user is a ship officer.
.5 Information sources: a list of all ship-specific plans, drawings, tables, other documents,
etc., which provided information used in the program. In most cases, this information will
probably come from the ship's approved stability booklet; however, other sources should
be clearly identified. Ideally, all such information sources should themselves be annotated
to the effect that they were used in developing the program (so that future revisions to the
drawing will also prompt a review of the program).
4.2.2 The programmer's manual is not expected to be furnished to the ship; it is for use by select persons
familiar with programming (but who may not necessarily the original program writers) when it becomes
necessary to revise the program as a consequence of changes to the ship. The programmer's manual should
carefully document the program's workings, and include a flowchart and an annotated program listing. This
manual should explain how to edit the program, especially to revise ship-specific data (lightship data,
hydrostatic characteristics, weight and moment data, tank capacities, etc.).
4.3 Program and documentation control: A careful procedure should be established so that revisions
to the program are properly tracked and forwarded to the ship. Each revision delivered to the ship should
include change pages to the user's manual and instructions on how to delete obsolete files and install
replacement (revised) files. The process should include an "action complete" report back to shoreside
management.
5 Program functionality
Program functionality: A manner for independently verifying the program's functioning should be
provided. Ideally, the opening screen (when the program is first brought up) should present a
self-diagnostic report on program functioning. Alternatively, a range of sample loading conditions can be
furnished (on paper) which can be manually entered into the program for comparison with correct draughts,
trim and available GM. The sample conditions may be the same as found in the ship's approved stability
booklet, or separate samples included in the program's user manual.