System Architecture

Overview
This section provides a top-level description of the Ship Control and Monitoring System (SCAMS) software
design for the Royal Malaysian Navy Patrol Vessel (RMN PV).

Operational Concepts
User Needs
The SCAMS is a distributed control system (DCS), which provides control and monitoring of the RMN PV
propulsion, electrical, pneumatic, auxiliary and damage control systems. The SCAMS manages the
associated ship plants and systems via conventional (hardwired) and external (serial) interfaces.

Conventional Interfaces
The SCAMS provides control and monitoring functions of the PV plants and systems as per the list below:
a) Propulsion plant, which includes the following sub-systems:
- Propulsion Diesel Engine (PDE);
- Gearbox;
- Controllable Pitch Propeller (CPP).
b) Electrical power supply and distribution system, which includes the following sub-systems:
- Main groups 1, 2 and 3;
- Main Switchboard FWD;
- Main Switchboard AFT;
- Frequency converter 1;
- Frequency converter 2.
c) Auxiliary systems, which includes the following sub-systems:
- Fuel oil transfer and distribution system;
- Chilled water system;
- Fresh water system;
- Air pressure system;
- Tank level monitoring system;
- Fin stabiliser;
- Steering system;
- Waste water system;
- Vibration monitoring system (VMS).
 d) Damage control system, which includes the following sub-systems:
- Nuclear Chemical Detection System (NCDS);
- Fire alarm system;
- Citadel pressure system;
- Ventilation;
- Seawater fire extinguishing system;
- Special fire extinguishing system;
- Flooding alarm system;
- Ballast system;
- Bilge system;
- Leak system;
- Single alarms;
- Alarm safety warning system.

Serial Interfaces
The SCAMS also provides external interfaces to other sub-systems for control and monitoring of various
PV systems equipment and machines. The systems, which are linked via serial interfaces are defined
inTable below.

Serial Interfaces

System ID Description
DG 1 Diesel Generator 1
DG 2 Diesel Generator 2
NCDS Nuclear Chemical Detection System
PORT PDE PORT Propulsion Diesel Engine
STBD PDE STBD Propulsion Diesel Engine
STBD TPM STBD Torque Power Meter system
DG 3 Diesel Generator 3
DG4 Diesel Generator 4
MG 1.1 Electrical plant - Main Group 1
MG 2.1 Electrical plant - Main Group 2
MG 3.1 Electrical plant - Main Group 3
PORT TPM PORT Torque Power Meter system
FDS Fire Detection System
INS Integrated Navigation System
Primary Mission
The primary mission of the SCAMS is to provide control and monitoring functions for the PV propulsion
plant, electrical power supply and distribution, auxiliary and damage control systems.

Monitoring and Control Function

The SCAMS supports the following monitoring and control functions:
a) Propulsion plant control effected from any of the six control stations (consoles) or from the
portable operating unit (POU) or from the portable propulsion control unit (PPCU) or from the
dedicated propulsion control panels at the MCR and Bridge control consoles.
b) Electrical power generation and distribution system control effected from any of the six control
stations (consoles), or from the POU, or from the PPCU.
c) Auxiliary system control effected from any of the six control stations (consoles), or from the POU,
or from the PPCU.
d) Damage control system operation effected from any of the six control stations (consoles), or from
the POU, or from the PPCU.
e) Vibration monitoring and analysis effected from any of the six control stations (consoles), or from
the POU, or from the PPCU.

Each SCAMS operator is assigned privileges. Privileges are associated with job specialities (user groups)
such as Propulsion, Electrical, Auxiliary, Damage Control or Damage Control Plotting (or a combination).
The privileges also determine whether the user can take Station-In-Control.

The control and monitoring is provided at supervisory and local control levels. The Human Machine
Interfaces (HMI) allows an operator to control ship machinery using display pages and input devices.

In addition, some safety related functions are either totally hardwired or use a combination of software and
console instrumentation to support the function.

The control for each system is software-based, real-time control implemented in one or more of the following
manners:
1. Manual Control:
Control of a machinery item as a result of operator command.
2. Sequence Control:
Automatic sequences initiated by sensor inputs or operator command, execute a pre-defined
sequence of operations without further operator intervention, and may co-ordinate several
machinery items without any further operator intervention.
3. Automatic Control:
These controls consist of automatic configuration and operation of selected machinery
according to pre-defined operating strategy. These controls are initiated as a result of change
in pre-defined parameters or states of machinery items.
The SCAMS implements automatic and operator initiated, control and monitoring sequences. These
sequences are executed in Remote Terminal Units (RTUs) as close to the machinery as practicable. These
sequences incorporate interlocks and permissives to ensure safe operation of ship machinery.

Specifically the primary function of the SCAMS consoles is to support the safe control and management of
the propulsion, electrical, auxiliary and damage control systems ensuring maximum availability to the
command and operation of emergency procedures to satisfy the safety priorities.

Secondary Missions
The secondary missions of the SCAMS are as follows:
1. To provide onboard training capabilities when the ship sails or is alongside.
2. To also provide equipment health data for the management of repair and maintenance activities
with the provision of vibration monitoring and analysis capabilities.
SCAMS Hardware Architecture Overview
The SCAMS is a distributed system, which consists of several sub-systems. A sub-system is defined as a
fully functional unit that consists of Hardware Configuration Items (HWCIs) and Computer Software
Configuration Items (CSCIs). These sub-systems are connected to a dual redundant Fibre Distributed Data
Interface (FDDI) data bus that serves as the data network of the system. The sub-systems use this network
to exchange control commands and data and to send information to the NT workstations at the SCAMS
consoles and control units for analysis, display, printing and archiving. All these NT workstations support
the operator level activities of monitoring and control of the ship machinery and equipment. A selected
number of RTUs provide the data acquisition from the machinery plant. The RTUs also execute control
sequences for automatic and operations initiated control and monitoring of the ship machinery. Refer to
Figure 0-1, which shows the system architecture. The functions supported by each of the SCAMS sub-
systems are described in the following subsections.

Figure 0-1 SCAMS System Architecture

Data Network
The data network provides the communication medium between the consoles and the RTUs of the SCAMS.
The network comprises of a dual redundant FDDI data bus, which redundancy enhances the reliability of
operation of the network.

Operator Consoles
Each SCAMS console is a multi-function unit that may be assigned any of the supervisory control function.
The control consoles provide the primary operating position for supervisory control. The consoles include
display screens and control pages. The display screens provide an interactive display of system and data
pages that allow the operator to monitor the ship systems and enter commands (via keypad or trackball)
necessary to control the selected machinery or system.

The consoles are located in the MCR, at the Bridge and in the FWD and AFT Damage Control
Headquarters. Workstations are also provided for the POU and for the PPCU.

MCR Propulsion Control Console

At the MCR Propulsion Control Console (PCC), the Human Machine Interface (HMI) incorporates a 20-inch
LCD monitor, which presents propulsion plant system related pages of states and statuses. The PCC allows
control and monitoring of the following major systems:

- PDE;
- Gearbox;
- CPP;
- Vibration monitoring system data acquisition control and configuration.

NT Workstation

The NT Workstation comprises of a standard ruggedized computer with 20-inch LCD monitor and keyboard
with trackball. The workstation is connected via serial link (RS232) to the SCHENCK vibration monitoring
system in the Electrical Control Console (ECC).

Propulsion Panels

The propulsion panels provide the PCC operator with additional means for control and monitoring of the
most vital functions of the propulsion plant in case of a failure of the LCD monitor.
 MCR Electrical Control Console
The ECC, which is located in the MCR, allows the SCAMS operator to control and monitor the following
major systems:
- Electrical power generation and distribution;
- Secondary auxiliary equipment;
- Selected ship platform systems.

NT Workstation

The NT Workstation comprises of a standard ruggedized computer with 20-inch LCD monitor and keyboard
with trackball.

MCR Damage Control Console

The Damage Control Console (DCC), which is located in the MCR, allows the SCAMS operator to control
and monitor the following major systems:
- Fire detection and suppression systems;
- Ventilation system;
- Leak-bilge-ballast systems;
- Selected ship platform systems.

NT Workstation

The NT Workstation comprises of a standard ruggedized computer with 20-inch LCD monitor and keyboard
with trackball.

FWD and AFT Damage Control Station

The FWD and AFT Damage Control Stations, which are located in the FWD and AFT Damage Control
Headquarters respectively, allow the SCAMS operator to control and monitor the following major systems:
- Fire detection and suppression systems;
- Ventilation system;
- Leak-bilge-ballast systems;
- Selected ship platform systems.

NT Workstation

The NT Workstation comprises of a standard ruggedized computer with 20-inch LCD monitor and
retractable keyboard with trackball.
Printer Cabinet
The printer cabinet comprises of both laser colour and laser monochrome printer, which are connected to
the ECC and DCC workstations via an Ethernet link. These printers support the production of lists, logs etc.
and HMI screen dumps.

Remote Terminal Unit (RTU)

The primary purpose of the RTU is to provide data acquisition and control functions. Each RTU monitors
and controls the ship machinery and is dedicated to sensors, transducers and actuators associated with
the machinery. The RTUs update the signal database throughout the SCAMS over the network. In addition
to this function, a selected number of RTUs also implement machinery control sequences for the control
and monitoring of propulsion, electrical and auxiliary and ancillary machinery. The RTUs provide interface
with up to 2400 hardwired signals.

Operational States
The operation of the SCAMS is divided into the following states:
1. Diagnostic
2. Initialisation
3. Run
4. Failure
5. Power-down
The following subsections describe these states and their associated modes. Error! Reference source
not found. shows the transitions between these states and modes. The states and modes are the same in
the different subsystems (RTUs and NT workstations) except where noted. Each subsystem can be in
different state.

Diagnostic State
The diagnostic state is applicable to all of the SCAMS subsystems. The diagnostic state is entered upon
applying power to a subsystem or in the event of a subsystem reset.

Two modes of operation exist in this state:

1. Self-Test
2. Maintenance
The following subsections discuss the self-test and maintenance modes of the diagnostic state of
subsystems.
 1. Self-Test Mode
When entering the diagnostic state the self-test mode is assumed. All subsystems incorporate power-up
self-test features. During self-test, the built-in test software of the subsystem interrogates sub-components
and reports any fault encountered. If power-up self-tests pass, the subsystem enters the next state –
Initialisation. Even if the self-tests pass, the RTU subsystem transitions to maintenance mode (instead of
going to the Initialisation state) if they detect that the operator has set the maintenance mode flag.

If power-up self-tests fail, the subsystem does not enter the Initialisation state and remains isolated from
the SCAMS network. At this point the RTU subsystem transitions from self-test mode to maintenance mode.
The NT workstation transitions to the failure state.

1.2 Maintenance Mode

The Maintenance mode is the mode in which testing and maintenance activities may be carried out on the
SCAMS RTUs.

In maintenance mode, the operator may examine the results of the power-up self-tests and re-execute
some or all of the self-tests after completing any required maintenance actions (such as replacing faulty
circuit cards). When the self-tests pass, the operator may exit the Maintenance mode and transition to the
Initialisation State.

Initialisation State
During the Initialisation state the initialisation software starts the application tasks/processes. The
communication with the other SCAMS subsystems is established and the software databases are initialised.
Software databases include system wide data, signal database, and programmable parameters. After the
initialisation is completed, the subsystem transitions to the run state.

The initialisation software is different depending on which subsystem it is running in.

Run State
The Run state begins after Initialisation. The SCAMS functionality in this state is described in section Error!
Reference source not found..
 Failure State
A SCAMS subsystem enters the Failure state upon failure of a vital hardware sub-component or the
occurrence of a fatal software error. In the Failure state, none of the functions of the Run state is available.

When the NT workstation that is in control of a particular function enters the Failure state, the SIC of that
function is not automatically reassigned.

When a RTU fails, the hardware ensures that the electrical output condition is consistent with the fail safe
position of the machinery actuator.

The transition of a SCAMS subsystem to the Failure state is announced to the operators at the HMI stations.

Power Down State

The power down state may be entered from any other state.

The SCAMS subsystems may enter this state individually. In this state no power is applied to the SCAMS
subsystem..
 FROM ANY
STATE

POWER
DOWN
STATE

POWER
UP
RESET
FAIL STATE

DIAGNOSTIC STATE

SELF
TEST MODE

NO NT YES
PASS? WORKSTATION
?

YES NO

NT NO YES
MAINTENANCE
WORKSTATION
FLAG SET?
?

YES NO
MAINTENANCE
MODE

INITIALISATION
STATE

RUN STATE

SCAMS Subsystem States and Modes