Technical Analysis (Engineering) of NTSB Preliminary Report M/V Dali

This is my first post. Hope it works.

  1. Ref. to 2.2.1 (“DG2” stall due to closed exhaust damper)

1.1 ) Referring to the exhaust damper of “DG2”, I’d expect its fully open position to be monitored by something like a limit switch in order to automatically shut down the engine as soon as the damper leaves its fully open position.

1.2) Can someone confirm if increasing the exhaust backpressure until the engine stalls is realistic and if it can damage the auxiliary diesel engine? I’d rather expect the engine to be shut down automatically due to an exhaust pressure high alarm or the damper open position monitoring.
Also as soon as the speed decreases below the corresponding frequency limit, the generator trips and that would happen long before the engine stalls though. How the engine is handled after a generator trip depends on how the genset (generator set, an engine driving a generator) controller is programmed.

1.3) Considering that the “DG2” engine shutdown was not regular, would the restart be automatic as mentioned? Logically the fault should be reset manually and also initiating a restart sequence just by reopening the exhaust damper seems odd to me.

1.4) As HV bus 6.6 kV voltage loss was detected, “DG3” (in stand-by) started automatically. If there’s an automated start sequence including closing the corresponding generator breaker (here “DGR3”, a breaker is some sort of very large switch), why isn’t either “TR1” or “TR2” automatically fed by closing “HR1” or “HR2” and the LV (Low Voltage 440 V 60 Hz) bus fed by automatically closing “LR1” or “LR2”?
Starting automatically another Generator which is on stand-by when a blackout is detected but not also automatically powering the bus after a short voltage and frequency stabilisation delay is odd. Usually either the whole sequence is automated or the generator is started and brought online both manually.

The report clearly mentions that “HR2” and “LR2” had to be closed manually.
Also it is not clear if “manually” means a manual operator input at the power management system console, the genset controller (from which the generator breaker can or cannot be operated manually depending on how it has been configured), the electrical controls of the breaker or direct mechanical actuation.
Medium voltage (here called high voltage) breakers are typically operated remotely mostly by energizing control solenoids (rarely by de-energizing them), the mechanical energy for the switching process (moving the contacts) is provided by a spring mechanism which is charged by an electric motor (or by hand in case of emergency or if no motor is present), usually the charging is automatically initiated and can be heard and takes only a few seconds.
Some rarely operated breakers can be operated manually. Some are remote-controlled but charged manually.
The spring system always allows at least one opening sequence once the breaker has been closed.

This comment about how a breaker is operated applies to all breakers as the report doesn’t state how very exactly the manually operated breakers have been handled (especially if from the engine control room power management operating panels or locally in front of the breaker, either electrically controlled or operated directly manually).
The control voltage required to remotely control the switchgear is usually backed up by batteries. Issues with auxiliary control voltage supplies can cause all sorts of problems.

1.5) There are no details about the loss of fuel supply pressure of “DG3”. The trip of “DGR3” was automatically initiated, probably by the genset controller due to generator frequency or engine speed (RPM) fault. Rate of change faults could also have occurred but overall it doesn’t matter which fault tripped the genset as it ran out of fuel.

Please note that the discussion above is exclusively related to the incident on 2024-03-25, the day before the allision.
If that fuel supply issue caused problems the following day is unknown. A generator breaker can trip due to problems related to the driving engine as well as due to load-sided issues. The report doesn’t mention anything about later breaker trip causes.

  2. Steering gear, see page 11

2.1) A large Ram Type electro-hydraulic steering gear features typically several (often 4, here 3) main hydraulic pumps as well as typically the same number of small auxiliary hydraulic pumps which provide control oil pressure, the main pumps being variable pumps.
The NTSB mentions 3 Pumps which sort of surprises me, I’d have expected 4 main hydraulic steering gear pumps but 3 are of course possible.
What surprises me more is that when pump number 3 designated as emergency pump is fed from the emergency power (low voltage, 440 V, 60 Hz, 3 phases) its electric motor would rotate at a lower speed. Usually all steering gear pumps, including the small auxiliary pumps, are driven by asynchronous 3-phase motors. Not having all main pump motors running may reduce the angular speed of the rudder stock compared to using all pumps with the same torque load, though running a pump at lower speed if fed by emergency power doesn’t make sense as the required power can be adapted by controlling the variable pump, therefore the speed of the electric motor driving a variable pump doesn’t matter.
Running pump 3 of the steering gear at 2 different speeds (regular or emergency power) doesn’t make any sense, it would require either a 2-speed motor, a DC motor or a VSD and all these options just uselessly increase costs and reduce reliability.

The steering gear hydraulic pumps can usually be selected and started remotely from the bridge. It is not known if the hydraulic control is performed by solenoid-controlled valves or a servomotor but it doesn’t seem that there was a failure of the rudder actuation and its controls from the bridge though the angular speed performance was reduced if powered by the emergency generator (“EG”). The torque is not reduced as the pressure would not be reduced, only the flow would be lower with only one hydraulic pump operating.
Somewhat surprising is, that not all hydraulic pumps can be powered by the emergency generator even if of course only one could be run at the time. If the wrong pump fails when only emergency power is available, the steering is lost. Probabilistic risk assessment…

The emergency generator must anyway be sized to allow some mid-sized motors like a fire pump or a bilge pump to be started.
Is the report accurate when referring to the two different emergency pump speeds?

  3. Timings vs. CCTV Footage

The timings don’t seem to match the CCTV video (uncut non-manipulated normal speed “raw” version, YouTube from StreamTime Live, duration 07:20) but also unfortunately the NTSB report is not very formal and neither accurate when it comes to timestamps. I miss a clear chronology. Even if an offset is applied based on the moment of the allision, the report doesn’t seem to match the CCTV recording but I must have a closer look and everyone has probably noticed anyway.

  4. Smoke

There is no mention about the smoke. Such black smoke is usual when starting an engine, but only for a short time as it’s due to a lack of combustion oxygen in relation to the injected amount of fuel. It also happens during massive load changes when the engine has to catch up with the new load.
Even one of the four auxiliary diesels can generate a lot of smoke but it should not last. If the synchronous HV (6.6 kV, 60 Hz, 3-ph) generator is heavily overloaded the genset trips, typically the frequency drops too low for too long or too quickly (ROCOF protection) and the excitation cannot compensate the voltage drop, so to keep it short, if there is an overload the genset can’t handle there won’t be black smoke for long as the generator breaker will be opened (“generator trip”) to protect the generator and the fuel injection reduced to avoid an engine overspeed condition. If there is no engine issue, the genset controller will often keep the engine running in order to reclose the generator breaker but it depends on the implementation (hv controls have been set up or programmed).

The NTSB mentions that after the first blackout the main engine (ME) was not restarted (bottom of page 11). I’m wondering if there were attempts to restart it and if such attempts could have led to the seen smoke, the report doesn’t mention if there were attempts to restart the main engine.
The MAN B&W 9S90-ME-C9.2 is controlled electronically and doesn’t feature a camshaft, also the air starting is handled by individual electrohydraulically controlled individual valves for each cylinder.

4.1) After a blackout, would there have been enough time to try to restart the main engine before the allision?

4.2) Typically after a total blackout there are various subsystems which have to be restarted manually. Can someone confirm if after a blackout some automatic main engine start sequence can still be initiated?

4.3) What led to the black smoke?
It is unclear if there was an unsuccessful attempt to restart the Main Engine (ME).

4.4) Will propeller drag still turn the main engine at the relevant speeds?
(See the impressive YouTube video called “Container ship engine emergency astern -sea trials-”, the power increase rate is incredible.)

  5. Power Distribution Diagram (Fig. 5, Page 8)

The diagram is outrageously simplified and IMO it’s even inaccurate as the emergency power switchgear which feeds all emergency-power-fed equipment is located in the emergency diesel generator (“EG”) room or a room adjacent to it (main deck level, often part of the superstructure).
The emergency power distribution Panel is fed with 440 V 60 Hz 3-ph from the main low voltage distribution switchgear (right or left of the “LVR” LV bus-tie breaker). The small “EG” emergency genset (“generator set”, i.e. here a high-speed (1800 RPM for 60 Hz) diesel engine driving a synchronous 3-phase generator), probably around roughly 400 to 600 kVA (only my not-so-educated guess!) does not “send” power back to the main low voltage distribution switchgear as all emergency-power-supplied equipment is fed from the emergency power distribution panel.
During normal operation the emergency busbar is fed from the main low voltage distribution switchgear and during a blackout the emergency busbar is disconnected from the regular supply (to avoid a short-circuit due to phase and voltage mismatch when regular power is back) and fed by the emergency power generator.
It is unknown if once regular power returns the changeover happens without short interruption (retrosynchronizing) or not, it depends on the emergency genset controller and its setup.

The diagram is sort of misleading as one could believe that EG (emergency genset) can supply the main low voltage busbar (right and left of the “LVR” bus-tie breaker). This is not the case, as detailed above, the “EG” can only supply the equipment which is fed from the emergency power distribution switchgear.

  6. Missing Breaker Operation or Factual Error in Report?

I’ll try to discuss the electrical issues more in detail in another post.

First the whole power supply was lost due to the loss of Transformer “TR1”, the cause of the simultaneous (?) or nearly simultaneous (?) trip of “HR1” and “LR1” is totally unknown (possibly a trip due to differential protection but that’s just an example). A trip is a breaker which opens automatically due to a fault, like for example overload, short-circuit or remote-controlled by genset controller.
Interestingly, both Generators “DG3” and “DG4” stayed connected (“DGR3” and “DGR4” remained closed) to the main HV (High Voltage) 6.6 kV Busbar, which means that the excitation regulation and speed regulation worked correctly, if not, the faulty generator would have been disconnected automatically from the corresponding HV busbar segment.

I’m not 100 % sure if the generator power data in the report is correct as generator power is stated in kVA and shaft diesel engine power in kW. Also the data seems to not match well with the ClassNK data where I could only find the total of 20’850 kVA (correctly specified in kVA and not kW), including the emergency power as a total of 5 generators are mentioned.
Possibly the Wikipedia data is more accurate than the NTSB Report data but I’m not sure at all, also sometimes specifications in kW and kVA are mixed.

Generators in the 4000-4400 kVA range like “DG1” to “DG4” are typically protected by dedicated digital generator protection relays while smaller generators like the “EG” (Emergency Generator) are often protected both by a breaker whose trip unit can be more or less advanced (electromechanical (rare by large modern breakers) or electronic trip units), and the genset controller itself.
“DG1” to “DG4” as well as the high voltage switchgear (including breakers, digital protection relays, bay controllers and power management system) are from Hyundai. Some devices can be identified but their exact model, version and configuration are unknown.

The genset controllers for “DG1” to “DG4” are from Hyundai too.
There is no information about the emergency generator “EG” and its switchgear and controllers but it’s rather secondary as it operated as expected.
Once power comes back there is a programmed delay before the emergency load is reverted to the regular power, which explains that the emergency generator (“EG”) “rode through” the second blackout (emergency power fed loads only suffered the automatic startup delay (normally on-line after 45 seconds or less after power loss) after the first blackout).

Referring to page 11, after a sort of surprising trip of both generator breakers “DGR3” and “DGR4” (i.e. simultaneous or nearly simultaneous?, more to be discussed about that), the report does not mention if “TR1” and/or “TR2” are online or not though normal operation seems to be “TR1” or “TR2” with possible short Switchover overlap if some technical design requirements are met.

Referring to the report, as there’s nothing mentioned explicitly I assume that “HR1” and “LR1” weren’t opened as they were both closed to allow the use of “TR1”.
Therefore as soon as “DG2” went online to power the HV busbar, it would have immediately powered the low-voltage busbar as the transformer “TR1” has not been disconnected (as there is no mention about “HR1” and/or “LR1” having been opened, either under automation authority or manual authority).

Referring to page 12, it is mentioned that at 01h27mn32s local time the crew manually closed “HR2” and “LR2” to restore low-voltage regular (i.e. non-emergency) power, which means that “TR2” is now used to step down 6.6 kV to 440 V.

I know I’m nitpicking but in this odd case of switching events each detail is important.

Implicitly one would expect that “HR1” and/or “LR1” were opened manually or automatically before “DGR2” closed (supposition: “DGR2” automatically closed when voltage and frequency conditions of “DG2” whose diesel engine started automatically after voltage loss detection were met; as no other DG than “DG2” was feeding the HV busbar there was no synchronisation required).

  7. VDR and other Data
    The VDR is typically powered by UPS and the discussed model features an internal battery for 2 hours if fully charged and in good state. The VDR itself didn’t stop operating during the whole incident but obviously data links as well as digital and analog inputs became useless as the corresponding source devices lost their supply power.
    Various bridge equipment records internally data. Also modern digital control units, including generator controllers, protection relays, bay controllers and of course the power management systems automatically log data. The engine control units of the auxiliary engines powering the 4 generators also record data as does main engine control system.

Overall there should be a large amount of digitally logged data which should allow to find out what happened.
That said there are a few issues.
Ideally, logged data should be retrieved as soon as possible, ideally within 24 hours, or maybe 48 h but not a week.
Some data may be overwritten, some may be lost due to subsequent power off of a device (some logged data may not be stored remanently while other data is not lost).
Devices requiring a backup battery may lose data if the supply power fails and the battery is dead, in other cases the Real-Time Clock (RTC) is lost, so timestamps can be affected.

Also data can be deleted maliciously, in some cases it can even be forged but that requires specific knowledge (for example SCADA database access if not encrypted for integrity preservation).

For many devices some data can be retrieved by the user but very often the manufacturer can download more data, data which the user cannot access and which is not documented.

Also all setup data should be secured, many devices have various settings, therefore not only the recorded data must be retrieved but also the setup data.

Of course timestamp alignment is required for Real-Time Clocks (RTCs) which are not automatically synchronized. Some devices, especially among the bridge equipment, are synchronized based on GNSS.
RTC mismatch is another reason to secure logged data as soon as possible.

I’m surprised that the critical breakers have not been removed for forensic analysis, or at least some of the digital protection relays and genset controllers. This is a multi-billion USD case. Simply applying a tamperproof sticker won’t help much. Typically in such a high-profile case I’d have expected the NTSB to install an own recording CCTV system to monitor critical locations like the engine control room (where the LV main switchgear is located) and the MV Switchgear control room as well as the area where other critical devices are located.

Also there’s a possible conflict of interest as Hyundai has delivered the complete HV Gensets (“DG1” to “DG4”, 720 RPM medium-speed engines and generators as factory-built unit) as well as the HV switchgear, the protections relays, bay controllers, generator controllers, the power management system and other control equipment.
Therefore basically nearly all equipment which is of major interest is from the same manufacturer.
The main engine has been manufactured by Hyundai under MAN B&W license but the engine control system is from MAN B&W.

  8. Is there any information about AC UPS and DC batteries, not including those integrated in devices?
    Especially some bridge equipment and computers and parts of control systems are powered without interruption.

I’ll try to focus on various technical details in a later post as there could be some interconnected causes.

As final note, I regret that the NTSB report doesn’t feature a more serious power distribution diagram, the one provided looks like made by journalists. Also the whole structure of the report lacks formality, there is no clear timeline, time indications don’t include seconds even where known, the generator data is possibly wrong or at least it should be listed correctly as kVA as kW is confusing.
The transformers for the 440 V 60 Hz 3-ph reefer containers (1400 positions) supply should be shown but there is nothing mentioned about those containers while they can represent a major electrical load. Also the kVA ratings of TR1 and TR2 should have been mentioned.

It can be expected that a lot of technical information will have to be disclosed publicly so why not including more technical data and also the general arrangement (I only found the general arrangement one of sister ship Cézanne in an accident investigation report)?

IMO a more formal and technically accurate preliminary report should have been issued together with a non-binding general public version where diagrams can be simplified and explanations added.

The report as presented is sort of painful to read for anyone with some technical background and many already known factual details could have been added.

More generally, it could possibly help if technical investigation organizations would be led by an engineer or a scientist.

(I apologize for my English, it’s only my 3rd language after German and French.)

2 Likes
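The timestamp alignment the post above calls for (RTCs that are not synchronized, with only some devices on GNSS time), as an added example that is not part of the original post: per-device clock offsets are estimated from events that two devices both logged, chained outward from a GNSS-synchronised reference, and a large spread between the offsets of one device is flagged because it points to drift, an RTC reset or edited timestamps. Device names, event ids and times are constructed; the sketch assumes each event id names one physical event that both devices logged at the same instant.

```python
"""Align device logs whose RTCs disagree, using events several devices saw."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

FMT = "%Y-%m-%dT%H:%M:%S.%f"

# Constructed sample export: device, device-local RTC time, event id.
# Device names, event ids and times are invented for this example.
SAMPLE_LOG = """\
vdr,2000-01-01T01:00:10.0,HV_BUS_UNDERVOLTAGE
vdr,2000-01-01T01:01:05.0,HV_BUS_RESTORED
pms,2000-01-01T01:02:21.0,BREAKER_TRIP
pms,2000-01-01T01:02:22.5,HV_BUS_UNDERVOLTAGE
pms,2000-01-01T01:03:16.0,BREAKER_CLOSE
pms,2000-01-01T01:03:17.5,HV_BUS_RESTORED
relay,2000-01-01T00:47:40.0,PROTECTION_PICKUP
relay,2000-01-01T00:47:40.5,BREAKER_TRIP
relay,2000-01-01T00:48:36.0,BREAKER_CLOSE
ecr_pc,2000-01-01T03:15:00.0,OPERATOR_LOGIN
"""


def parse(text):
    """Return a list of (device, local_time, event_id) tuples."""
    records = []
    for line in text.strip().splitlines():
        device, stamp, event = line.split(",")
        records.append((device, datetime.strptime(stamp, FMT), event))
    return records


def pairwise_deltas(records):
    """Map (a, b) -> seconds to add to a's clock to reach b's, per shared event."""
    by_event = defaultdict(dict)
    for device, stamp, event in records:
        by_event[event].setdefault(device, stamp)  # one physical event per id
    deltas = defaultdict(list)
    for seen in by_event.values():
        for a in seen:
            for b in seen:
                if a != b:
                    deltas[(a, b)].append((seen[b] - seen[a]).total_seconds())
    return deltas


def align(records, reference):
    """Estimate each device's offset to the reference clock, in seconds.

    Offsets are chained breadth-first: a relay that shares no event with
    the reference can still be aligned through a device that does.
    Returns (offsets, spread, unaligned); spread is max-min of the raw
    deltas behind each offset and should be close to zero.
    """
    deltas = pairwise_deltas(records)
    offsets, spread = {reference: 0.0}, {reference: 0.0}
    queue = deque([reference])
    while queue:
        known = queue.popleft()
        for (a, b), values in deltas.items():
            if b == known and a not in offsets:
                offsets[a] = median(values) + offsets[known]
                spread[a] = max(values) - min(values)
                queue.append(a)
    devices = {device for device, _, _ in records}
    return offsets, spread, sorted(devices - set(offsets))


def suspect_devices(spread, tolerance_s):
    """Devices whose shared events disagree by more than the tolerance."""
    return sorted(d for d, s in spread.items() if s > tolerance_s)


def merged_timeline(records, offsets):
    """All records of aligned devices, converted to reference time, sorted."""
    rows = [
        (stamp + timedelta(seconds=offsets[device]), device, event)
        for device, stamp, event in records
        if device in offsets
    ]
    return sorted(rows)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    offs, spr, missing = align(recs, reference="vdr")
    for when, device, event in merged_timeline(recs, offs):
        print(when.isoformat(timespec="milliseconds"), device, event)
    print("offsets [s]:", offs)
    print("needs manual alignment:", missing)
    print("inconsistent beyond 0.2 s:", suspect_devices(spr, 0.2))
```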

Large parts of the real power distribution diagram are missing. The 440 V 60 Hz sockets for the reefer containers are supplied by a number of 6’600/440 V smaller Transformers, e.g. around 2’000 kVA ea. It wouldn’t make sense to run long 440 V cables.
Considering that for this container ship up to 1’400 reefer containers can be supplied, the required power can represent an important part of the generated electrical power.
The only 6’600 V load which is not a transformer is the single 3’000 kW bow thruster.

Does anyone have an idea if someone tried to start the bowthruster, even if not efficient at those speeds?

The 3’000 kW bowthruster 6.6 kV motor is the only high voltage motor and represents a massive load. All other motors are low-voltage and much smaller, typically up to maybe something like 250 to 400 kW. The larger motors are pumps and some are only used in case of emergency.

It would be very interesting to know how automated switchgear control functions (including sequences and load shedding) and protection functions have been implemented. As automation is handled by software it can be edited any time but I don’t expect it to be able to be done remotely, i.e. via Internet.
IMO Cybersecurity is absolutely not a concern in this incident, I’m much more worried about not retrieved, deleted or overwritten logging data as well as tampered configurations/settings and not established RTC shifts. Also some data can be lost inadvertently, I don’t say that the crew will ever try to tamper data.

(I don’t dare to edit the previous message. Must first get used to the forum.)

Engelec,

Two thought provoking posts. Thank you and welcome.

I would agree entirely that the preliminary report is lacking in a number of areas and it does raise more questions than it answers.

The 3000Kw bow thruster does represent the highest load and there is no mention throughout the report whether it was shut down after departing the berth or kept on line. If the thruster was kept on line, it remained energised throughout blackout 1 plus the recovery so I doubt the heavy smoke was attributable to bow thruster load.

It is interesting to note that the recovery from the first blackout occurred at 01 25 34 EDT when HV1 and LV1 were manually closed and the heavy black smoke appeared at 01 25 43 EDT ……9 seconds later. DG 3 & 4 went through a load change at the time of recovery.

Here is a link to a contributor’s post with an attached time stamped video. Very sad breaking news out of Baltimore…..yet another allision. M.V. “Dali” - #15 by 27182

More questions than answers………

Hi Aus and Engelec - couple of comments.

  1. Like me, looks like Engelec also missed from the report that the ME Lube pumps are also from the HT board. Actually I think it may be the hydraulic pump for operating the exhaust valves and the fuel injection pumps during start up and perhaps slow speeds until the engine driven pump takes over.

  2. At a blackout condition of the HT board, all breakers will drop out and come on sequentially on a program after power is restored to the board. So after the second blackout, the BT breaker would have dropped out.

  3. As I mentioned previously, looks like the original ME exhaust is now being utilized as the outlet from the new scrubber. ME, DGs (at least 2 if not all) and the aux boiler would have a means to divert the exhaust to the scrubber in the SEZ. DGs and I also think the aux boiler firing up on full load is the cause of the black smoke.

PS: Interesting thoughts from Engelec. Thanks.

1 Like

@ Ausmariner
Thank you.

For a running generator of around 4’000 or 4’400 kVA 60 Hz only the 3’000 kW 6.6 kV bowthruster is a significant load. All single 440 V 60 Hz motors are way too small to cause any voltage stability issue even when started directly (DOL, Direct On-Line) as long as when power is restored loads are brought online sequentially, either automatically or manually, which should obviously be the case.

I would only have expected that the bowthruster would have been started as a last resort means even if known to not make any significant difference, another forum member already mentioned it. The idea being “if it doesn’t help it won’t do any harm” but not taking into account possible electrical (subjacent?) issues.

Especially a possible inrush current will depend on how the bowthruster 3000 kW 6.6 kV Motor is started and possibly on the random voltage phase angle. Without further technical details we just can’t know. I expect the bowthruster to feature a variable pitch propeller and therefore no 6’600 V VSD (Variable Speed Drive), those MV (Medium Voltage) drives are very expensive and maintenance is somewhat specialized compared to LV (Low Voltage) Drives. MV power electronics systems are often not exactly trivial and require extremely strict safety rules to be followed.

Somewhat surprising is that there is only one bowthruster, some other large/very large container vessels are equipped with up to 4 bowthrusters but due to the low speed this point is not much relevant anyway.

Thanks for the link, I must anyway have a closer look at the timings based on the CCTV Video. I’ve only seen two videos showing the allision, the second one is short and has probably been shot using a smartphone.
The time indications in the NTSB report are sort of messy and need to be written down to get a better picture.

@ retdmarineengineer:
Thank you.

In case of blackout load shedding should be automatic in order to allow sequential repowering in order to not overload the system with simultaneous inrush and peak currents when power is restored (see above) but formally no information is available about how individual loads have been brought back online after the different 6’600 V and 440 V breaker trips.

As general thought, we currently don’t know how the power management system was configured, if sequences had been reprogrammed and/or if some sequences have been initiated manually, how the switchboard automation is implemented and if automatisms have been disabled or overridden. Some loads could also have been handled manually.

Unless some breakers have been tripped manually, which is not mentioned about the decisive events, we can assume that those trips were either initiated by some controls like e.g. protection relays, genset controllers or the power management system, or there were some malfunctions which caused spurious (i.e. unwanted random) trips.

As in most cases solenoids (here small electromagnetic actuators) initiate breaker trips actively (i.e. the solenoid must be energized), contact problems don’t cause spurious trips. If well designed, the continuity of the control solenoid is permanently monitored (broken wire) and there can also be two redundant solenoids for the same function. The 6.6 kV breakers are bistable and their main contacts close when the closing solenoid(s) is/are momentarily energized and open when the opening solenoid(s) is/are momentarily energized. Opening has priority over closing if accidentally both control signals are present. Remotely controlled breakers feature nearly always various feedback switches to monitor the breaker. Breakers which are operated only manually may or may not feature optional switches for monitoring purposes. Breakers can feature a locally frontpanel-mounted protection relay or be controlled by a device mounted elsewhere (or by both).
The build is modular and withdrawable so each breaker can be removed quickly with live busbars, e.g. to replace it.

I don’t really like to speculate but overall I’d rather expect that the breakers worked as expected, i.e. responding correctly to opening and closure signals but that some devices issued trip control signals for reasons which need to be determined.
There are many protection functions, where possible typically referred to by their ANSI system device function number, even often in Europe as the EN designation system is a mess.
Unfortunately unlike e.g. ABB or Siemens, the technical documentation of the installed Hyundai devices is difficult to find and we also don’t know exactly what is installed with which versions and options.

Overall digital protection relays, bay controllers, genset controllers and more generally control electronics from good manufacturers are fairly reliable if used correctly. Often small details like connectors, cable glands, damaged cable sheaths (incl. friction), poor cable ties and many others end up causing major problems. Referring specifically to vessels, vibrations, corrosion and shocks require a specific design of the electrical system and their reliability is extremely dependent on experience. No rules, trainings and exams can replace hands-on experience, from engineering to operating and troubleshooting.
Entire books of lessons learned could be written about tiny details which ended up causing major incidents.
Also here I sort of expect a more or less odd combination of causes where overall I’d also tend to include human errors at some stage. But as said, here I’m guessing and I don’t like to do that.

Even some of the known information has not been described very clearly in the preliminary NTSB report which seems to have been written more for the general public than diehard engineers.

I was also wondering about the transformers “TR1” and “TR2”, typically you’d try to keep one of the two of them fed even if you trip the corresponding low voltage side breaker (“HR1” and/or “HR2”). Logically, after a blackout one would first feed the transformer until fully magnetized before supplying low-voltage-side loads.

Interesting is also the use of only 2 large MV 6.5 kV/LV 440 kV Transformers (excluding smaller transformers 6.6 kV/440 V which provide the 440 V 60 Hz supply for the reefer containers which are not shown in the oversimplified diagram (Fig. 5, Page 8)).

Compared to large industrial power distributions for factories or power plants in continental Europe the design of the power distribution of a large container vessel is quite different. Typically there are more redundancies.
As there are not very large 440 V fed motors, there is no need for any single very large MV 6.6 kV/LV 0.44 kV transformer. Among the largest motors are some pumps but AFAIR there is no 440 V electric motor exceeding maybe something like 500 kW (referring to a large container ship).
Large Transformers are less easy to replace, require switchgear with busbars for very high currents, which increases thermal management and arc fault issues.

When designing the electrical system it is decided which programmed logic will be applied when different malfunctions occur and the devices which control the respective breaker will be programmed accordingly.
Details can be optimized during trials and even later but some external approval might be required.
Change logs depend a lot on the used devices, some will record parameter changes with timestamp while others won’t record anything about changed parameters, in which case it’s impossible to find out if a parameter has been changed and been later reset to its original value.
Also there can even be some unallowed hardwired modifications, for example using a jumper wire to bypass a nuisance trip cause. If removed later one might need to check it in a lab if there are for example traces left by tools or screws which show recent tampering evidence.

Overall I’m also surprised that the crew had not been replaced or someone from the port authority or NTSB remaining 24/7 on board. I’ve no idea if some officials remained with the crew though, I didn’t follow much the mainstream media sources as there’s only background noise when it comes to technical details.

As mentioned, the main engine (ME) is controlled electronically, fuel injection, exhaust valve and starting air valves are all controlled electronically which allows arbitrary timings handled by the programmable control units. There is a partial 1+1 redundancy but there are still single points of failure.
If required one or more cylinders can be disabled. In theory the ME could also be run as compressed air motor as long as the lubrication is operating correctly but obviously the compressed air reserve (about 25-30 bar (here barg)) is way too small. The fully replenished start air reserve is required to allow 12 starts if the engine can operate clockwise as well as counter-clockwise which is the case here.

AFAIK there is no shaft generator nor other power take-off except for main-engine-related purposes. Also there’s no exhaust gas heat recovery to specifically run a steam turbine generator.

The engine control system is designed, made and provided by MAN & BW. It is mainly based on proprietary hardware.

To operate the ME (Main Engine), including starting, various balance of plant equipment (i.e. ancillary equipment) must be operated. Especially auxiliary blowers (as long as the turbochargers are unable to provide sufficient pressure (load not high enough, maybe roughly below 30 % but switched off with a managed hysteresis)), fuel oil supply, different lube oil supplies, cooling pumps,…
The required blower power can be around 500 kW (total of 3 blowers with Direct-Online-Start (DOL) 440 V 60 Hz 3-ph asynchronous motors). Typical configuration but to be verified if applicable 1:1. Main lube oil pumps and various water pumps are quite powerful too.
The ME can be started and controlled remotely if in stand-by but due to the unexpected blackout it must be checked which subsystems could be restarted without manual intervention.

2 Likes

Engelec,

I am a retired Marine Pilot who saw many machinery failures during my tenure. Fortunately, we employed escort towage both ways and invariably the tugs were our saviours.

I have an interest in trying to understand what happened with the Dali and consequently am attempting to get my head around the electrical design relating to redundancy of systems…….or lack thereof.

With the view that the main engine relies on electrically driven fuel, LO and cooling pumps and looking at the simplistic line diagram supplied in the NTSB PR….it is confusing to the layperson to see that there was only a single feed employed between the HV BUS and LV BUS. In the event of transformer failure or opening of either of two breakers you instantaneously lose steering (potentially with already applied helm), ME fuel pumps, ME cooling pumps, data feed and ancillaries. According to the PR, ME lube oil pumps came directly off the HV BUS. Whether the pumps were stepped down to 440V or were 6,600V is unclear.

There are two fundamentals whilst transiting enclosed waters…….propulsion and steering. It would appear that modern day electrical distribution design supplied to these large vessels is lacking redundancy and/or the practices aboard Dali did not optimise available redundancy such as running the HV feed down both transformer lines and opening the LV BUS TIE.

Hopefully, all will be revealed in the fullness of time. It will be fascinating to see what recommendations the NTSB flag in their final report.

2 Likes

As I said before, this seems to be the underlying cause of the power failures, the lack of redundancy in the power plant design and operational procedures. Of course it is important to find out what exactly caused the blackouts, but that would be just one of the many single points of failure that had existed in the power plant at that moment. If the HV bus tie breaker had an issue and opened unexpectedly, the end result would have been the same. Or if one of the running generators’ governors failed to full fuel. Or if one of the Automatic Voltage Regulators malfunctioned. Let’s hope that there is enough recorded data to reconstruct the chain of events.

1 Like

Seems like another of your fundamentals is being applied Aus.
See main gcaptain page Maryland channel reopens, ships now require a Maryland State Pilot, PLUS 2 escort tugs. Well well.
Stable door and bolted horse come to mind.

4 Likes

244,

Many thanks for the update. Sanity prevails.

Now…….to get that horse corralled!

3 Likes

Don’t know for sure. The NTSB has a voice recording from the bridge. At least some of the pilot’s helm commands were included in the preliminary report. If anyone had made an order to use the BT the better bet is it would have also been included in the report, as was the command to let go the anchor.

If both transformers were in service with the LVR open, and there was a momentary disturbance on the HV bus (short cycle low voltage) chances are both the HR1 and HR2 would have dropped out as the UV coil on these breakers could not ride through this disturbance - possible this is what happened to HR1.

KC,

Which report?

EDIT: Forget that question. I thought there may have been a more detailed summary on the VDR audio.

1 Like

Interesting ClassNK indicates 5 x 20,850 kVA. 16,680 kW including the EDG.
NTSB report mentions in kW 2 x 4000 and 2 x 4400. 16,800kW. So EDG is rated at minus (-) 120kW.
Wiki indicates 2 x 3840 and 2 x 4400. Total 16,480 kW. So EDG is 200 kW.

Datasets are suspect as I expect the EDG to be around 350 to 450 kW range. This would include the drive motor for the emerg fire pump as well. No reason to believe that they would have an independent diesel driven emerg fire pump.

retdmarineengineer,

Is there any form of tolerance on these UV coils or are they affected and actioned by a momentary change in voltage?

Hi Aus
Not sure if there are specifications depending on the breaker class/criticality. If this was the case, it would not provide any alarm output - PR states unexpectedly which may mean no alarm condition on the HR1 that tripped it. Possible a few of the reefer breakers on the HV board may also have dropped out.

1 Like

Only after it took down a ‘village’. If only we could put the clock back …

1 Like

Indeed.

I note that the Maryland Pilots have also mandated additional constraints……
“ However, vessels will need a Maryland State Pilot and two escort tugs. The Maryland Pilots have also mandated a 3 ft under keel clearance (UKC) requirement. Further, containerships exceeding 1,000 ft in length and over 125 ft in beam will only be permitted to transit when winds are under 15 knots. Other vessels are allowed transit when winds are under 20 knots.”

Member Slick_cam1 posted this in the previous thread……

Interesting that wind is now a matter of consideration.

The undervoltage protection itself is usually handled by the digital protection relays where thresholds and delays can be programmed but I don’t know exactly which relays are used and unlike ABB or Siemens, Hyundai doesn’t make available the technical documentation.
Some cells of the 6.6 kV switchgear feature some basic Hyundai HiMAP relays but overall I’m not sure if the power management system is that advanced.

Indeed I believe that Hyundai also provided the low-voltage switchgear as well as the protection relays, bay controllers, genset controllers and energy management system.

Overall it seems to be a rather basic design, probably without fast automation allowing to immediately shed all loads and reclose breakers very quickly in a specific sequence after switching from “TR1” to “TR2” for example.

Technically it could be done so quickly that the ME (Main Engine) wouldn’t even notice it as pumps and blowers don’t stop immediately and also above some speed there’s enough propeller drag to keep the ME turning. The most urgently required pumps and fans can be started DOL (Direct On-Line) closing their breakers sequentially within 1 or 2 seconds.
With control systems supplied by UPS there’s no reboot delay.

As long as at least one DG (any of “DG1” to “DG4”) was running there was no reason to not be able to supply all services required to run the ME (Main Engine for propulsion) as at least “TR1” or “TR2” was operable.
So to keep a long story short, the diesel generators didn’t even fail during the incident voyage, with adequate control of the breakers and fast automation the ME wouldn’t even have stopped even if “TR1” exclusive-or (EXOR) “TR2” would have failed.

The fact that first the transformer “TR1” tripped (breakers “HR1” and “LR1” are opened) and that later two generators, “DG3” and “DG4” tripped (breakers “DGR3” and “DGR4” are opened) simply indicates that whatever controlled those breakers made a serious mess.
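The difference between a breaker that drops out on a momentary dip and one that rides through it, as an added example (not from any post in this thread and not Hyundai's relay logic): a definite-time undervoltage element with a programmable threshold and delay, run over constructed bus-voltage traces. The 0.8 pu pickup, 300 ms delay, 5 % reset hysteresis and the dip shapes are all assumed values chosen for illustration.

```python
# Added illustration: definite-time undervoltage element (ANSI device 27).
# Pickup, delay, hysteresis and the voltage traces are constructed assumptions,
# not settings taken from the Dali or from any Hyundai relay.

def undervoltage_trip_time(samples, pickup_pu, delay_ms, dropout_ratio=1.05):
    """Return the time in ms at which the element trips, or None if it rides through.

    samples: (t_ms, voltage_pu) pairs in ascending time order.
    The timer starts when voltage falls below pickup_pu and is reset only once
    voltage recovers to pickup_pu * dropout_ratio (hysteresis against chatter).
    """
    timer_start = None
    for t_ms, v_pu in samples:
        if v_pu < pickup_pu:
            if timer_start is None:
                timer_start = t_ms
            if t_ms - timer_start >= delay_ms:
                return t_ms
        elif v_pu >= pickup_pu * dropout_ratio:
            timer_start = None
    return None


def make_trace(dips, depth_pu=0.6, total_ms=2000, step_ms=10):
    """Constructed bus voltage: 1.0 pu nominal with rectangular dips.

    dips: list of (start_ms, duration_ms).
    """
    def in_dip(t):
        return any(s <= t < s + d for s, d in dips)
    return [(t, depth_pu if in_dip(t) else 1.0)
            for t in range(0, total_ms + 1, step_ms)]


def compare(trace, pickup_pu=0.8, delay_ms=300):
    """Trip time of an instantaneous element vs. a time-delayed one."""
    return {
        "instantaneous": undervoltage_trip_time(trace, pickup_pu, 0),
        "delayed": undervoltage_trip_time(trace, pickup_pu, delay_ms),
    }


if __name__ == "__main__":
    for name, dips in [("100 ms dip", [(500, 100)]),
                       ("800 ms dip", [(500, 800)]),
                       ("two 200 ms dips", [(500, 200), (750, 200)])]:
        print(name, compare(make_trace(dips)))
```

With these assumed settings the instantaneous element opens on every dip, while the delayed element trips only on the sustained 800 ms sag.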

I still would love to hear the NTSB say if either of the pilots, the master, the mate, or the helmsmen actually saw the rudder angle indicator move. Seems an important piece of information.

6 Likes

All are wise now after the event. Wonder what would pilots/port say if before accident ship master asked for tug escort until the bridge. And what Big Blue would do?

Wonder how many Dali M/Es the owners could buy for the money they will have to pay in the wake of this disaster.

Looks like "if technology is your master, you reach disaster faster".
All this sophisticated and complicated protections from damage of M/E remind me of the Boeing 737 disasters and
Lauda Air Flight 004, when pilots were unable to take over command from computers.

On some ships I saw broomsticks preventing the breakers from opening and guess what…it worked.
THIS IS HOW WE FIX PROBLEMS ON RUSSIAN SPACE STATION!!! (youtube.com)

1 Like