MARINE Reports - 2005 - M05W0111

2.0 Analysis

2.1 Loss of Propulsion

The function of a governor is to limit an engine's rpm around a set point, preventing it from overspeeding. As the castellated nut loosened under vibrations, the control linkage fell out. This allowed the No. 1 main engine's governor to become disconnected from its fuel-control racks, leaving the engine without speed control. Neither the engine fuel-control shafts nor individual fuel pump racks were fitted with return springs (nor were they required to be). Therefore, overspeeding of the engine could not be prevented because the fuel racks could not be brought back to zero.

The engine was stopped by its overspeed protection trip. This could have been activated when the engine sped up as its fuel racks moved towards full fuel admission. However, when simulated during the sea trials (by disconnecting the governor of an engine), the fuel racks did not move in either direction.

The trial conditions, however, did not exactly mirror those at the time of the accident; the engine being tested was not running, nor had it warmed up to the same extent. Since this is a 60º V engine, the fuel racks are inclined 30º. It was expected that, under the influence of gravity and induced vibrations from all the running machinery, the fuel racks would move downwards, towards full fuel admission. Although this did not happen in the test case, it is still possible that, had the simulated conditions been identical, the racks may have moved downwards towards full fuel and caused the engine to overspeed.

A more likely scenario is that, as the vessel was engaged in manoeuvring operations, the load on the engines was being constantly reduced by the navigating officers. It is possible that the governor became disconnected just as the pitch of the propellers was reduced. As shown in the simulation, the fuel racks would not have moved, thus the quantity of fuel being admitted into the cylinders remained unchanged, but the load on the engines dropped sharply. This reduction in load, without a corresponding reduction in fuel injected, caused the engines to rotate faster and eventually trip on overspeed.

The vessel was in Mode 2 operation, and since the two engines were coupled together, the increase in the No. 1 engine's rpm also caused an immediate and corresponding increase in the No. 2 engine's rpm. The No. 2 engine's overspeed trip was found to be set at 511 rpm and the No. 1's at 524 rpm; the No. 2 engine thus tripped first, followed closely by the No. 1 main engine, the entire shutdown scenario probably taking no more than a few seconds.

As verified in post-accident trials, the governor on the No. 2 engine - sensing the increasing rpm - would have moved to reduce the fuel input into the engine. The interconnection of the two engines would have caused the No. 1 engine to take the No. 2 engine with it, even if the governor had reduced fuel admission to zero.

The activation of both the overspeed trips would have sent a signal to the clutches, causing them to declutch. This would not have been indicated on the wheelhouse console, where the control switch would still be in the forward and aft propeller position (Mode 2).

The No. 2 main engine continued to run in spite of having tripped on overspeed because, even though the overspeed protection device had pushed the fuel-control shafts to zero, the fuel pump racks on the A bank side had been improperly calibrated and remained set at a stroke of about 10 mm. This was sufficient to allow the engine to keep turning over, but not enough to let it take any appreciable load. The declutching of the engine also removed its connection with the propellers, further reducing all applied load.

The absence of a split pin on the securing nut on a governor linkage of the No. 1 main engine thus caused the governor to become disconnected from the fuel racks. The two main engines were interconnected at this time, and this caused the overspeeding No. 1 main engine to drag the No. 2 main engine into a shutdown condition with it, leaving the vessel without propulsion.

The Queen of Oak Bay's speed at this time was three to four knots. Without the propellers providing a wash over the rudders, this was too low a speed to enable steerage, and the vessel's heading could not be altered.

2.1.1 Absent Split Pin on the Securing Nut of the Governor Link Pin

Reconnecting the governor to the main engine requires placing it on its stand, aligning the drive gear and then tightening the four securing nuts. The link arm on the governor output shaft is then connected to the linkages of the fuel-control shafts. A split pin fitted through the castellated nut secures the linkages to the governor's output lever link pin.

The Queen of Oak Bay finished its MLU on 08 June 2005. Less than a month later, the nut worked itself loose and fell off. In order for this to occur, the locking split pin that is used to secure the nut was either not fitted or was fitted improperly.

Supervision or verification is essential to ensure that assigned work is completed properly, irrespective of whether the work is done by ship staff or contractor. This is crucial when safety-critical components of an engine are not readily visible under routine operations. The fact that the problem with the split pin was not detected would indicate that supervision/verification of the work was ineffective at all levels.

2.2 Engine Shutdown and the Effect on Interconnected Engines

2.2.1 Overspeed Shutdowns

The two main engines are clutched together in both Mode 1 and Mode 2, effectively making them one entity. A speed change in one engine instantly causes a corresponding speed change in the other, and an overspeed shutdown of one will cause the other to shut down.

This is because the engines have similar operating revolutions and therefore similar overspeed trip settings.¹⁰ The tripping devices work by cutting off the fuel to the engine, but because they are of mechanical design, there will be a difference of a few revolutions between the two engines' settings. Assuming that the overspeed shutdown setting of one is at 520 rpm and the other at 524 rpm, this creates two shutdown conditions:

• If the 524 rpm engine starts to overspeed, it will drag the 520 rpm engine with it. Both will shut down.
• If the 520 rpm engine starts to overspeed, because of the inertia of rotating parts, it would in all probability go past 524 rpm even after its fuel supply has been cut off. It could then, in low-load conditions, drag the 524 rpm engine into an overspeed condition, causing both engines to shut down.

If the trips on both the engines are set to the same value, overspeeding by either engine will cause the other to shut down.

This condition of the good engine also shutting down occurs because the same overspeed sensor is used to send a signal to both the overspeed shutdown cylinder and the declutching cylinder.

2.2.2 Shutdowns Caused by Other Fault Conditions and Design of the Stop Switch

BC Ferries is operating four other vessels with similar propulsion features as the Queen of Oak Bay. Inherently, these vessels have redundancy in propulsion power in that they are fitted with multiple engines, shafts, and propellers. It is not uncommon to have two or more engines clutched to common propulsion shafting. However, their configuration should be such that fault conditions on one engine are not allowed to detrimentally influence the other engine(s) in the propulsion system.

These fault conditions may include

• engine overspeed,
• low fuel pressure,
• low scavenge air pressure,
• high operating temperature,
• low lubricating oil pressure, and
• control failure.

Some of these fault conditions are monitored by the engine room alarm system, which will trigger an alarm. However, on the C Class vessels, only engine overspeed is connected to an automatic engine shutdown device. For all other faults, it is up to the engineer to stop the faulty engine using the manual emergency stop switch before it causes the other interconnected engine to stop.

The manual emergency stop switch sends sequential signals for declutching and stopping the engine. Notwithstanding, once an engineer hears an alarm and initiates a manual shutdown, it takes five seconds for the clutches to disengage, during which time the faulty engine is slowing down because its fuel supply has been shut off. However, in the event that one of the above fault conditions occurs and the faulty engine's clutch is still engaged, the faulty engine increases the load on the good engine. The control system on the good engine tries to maintain the set rpm, and consequently sensing the load from the faulty engine, the governor on the good engine moves the fuel racks, increasing the amount of fuel. When the clutches connected to the faulty engine are finally disengaged using the manual shutdown, the load imposed by the faulty engine is removed and the governor on the good engine may not be able to pull back the fuel racks in time to prevent the good engine from overspeeding and also shutting down.

On 13 and 14 February 2007, BC Ferries conducted trials aboard the Queen of Surrey to test the possibility of this scenario. The two main engines were put in Mode 2 operation and loading conditions existing during a docking were simulated. Under these conditions, it was found that, when the manual emergency stop was activated to shut down one main engine, it disengaged safely and did not bring about a shutdown of the other running interconnected engine.

The sea trials, however, were conducted at relatively low engine speeds and did not simulate the response of an engine operating in the upper rpm and load range, when a faulty engine suddenly declutches.

It is still possible that there are fault conditions that may require a main engine on the C Class ferries to be shut down quickly for which automated isolation from the other connected engine has not been incorporated, thereby placing at risk the vessel, passengers, crew, and the environment.

2.3 Evaluation of Emergency Situations

Wheelhouse manoeuvring consoles on C Class ferries do not have a mimic board showing the propulsion plant's condition. Relying on the propeller rpm gauges may therefore be misleading and, without gauges to likewise indicate engine rpm or the position of the clutches, it is impossible to tell if an engine is declutched but running, idling, or fully stopped.

At 1008, when the Queen of Oak Bay lost all propulsive power, the wheelhouse crew did not know that the clutches had become disengaged and that the No. 2 engine was still running. They could only see that both propeller shafts had stopped turning, and so they telephoned the engine control room and, without knowing the status of the propulsion plant, ordered the engine crew to restart the engines. The order, therefore, distracted the engine crew from effectively evaluating the nature of the failure.

In an emergency situation, decisions must be made taking into consideration all available information. Otherwise, subsequent actions intended to resolve the situation may be ineffective, thus placing the vessel at risk.

2.4 Safety Management System

2.4.1 Internal Communications and Record Keeping

Given that ferries change operating routes and terminals, are crewed from different pools, and their system of rotational watchkeeping does not enable direct communication between different shifts, it is crucial to ensure an accurate and detailed information exchange.¹¹ The exchange of appropriate operational information improves operational efficiencies, optimises utilization of resources, improves performance, and helps to minimize errors. It also provides a historical account of the performance and repair records of both personnel and machinery. Additionally, this enables effective gauging of staff capabilities, and performance trend monitoring and preventive maintenance of equipment - all of which are required by the ISM Code, the vessel's SMS and the company's Fleet Regulations.

The watch log report page in the software application for planned maintenance is the primary means to store and pass pertinent information from watch to watch on all BC Ferries vessels, and also from shift to shift, crew to crew, and ship to superintendent's office. It contains information about work completed during a watch, and details of work not yet done. This page, however, is not a controlled document; beyond requiring the identification of the person making the entry, his/her shift, and the date, there is no set format. Furthermore, there are no instructions from BC Ferries management or the senior chief engineer on how to fill out the page.

Reliance on verbal communication and lack of detail in the records prevented the conclusive resolution of the question regarding why the split pin was absent or improperly fitted, thereby hindering the determination of appropriate corrective action as required by the vessel's SMS.

2.4.2 Actions of the Wheelhouse and Engineering Crews

2.4.2.1 Anchor Deployment

The anchors on vessels may be used to slow or stop the vessel in the event of a loss of propulsion or manoeuvrability. On this trip, the anchor was on the vessel's port quarter.

While a deckhand on board the Queen of Oak Bay is designated to release the anchor in an emergency, normal shipboard practices did not call for a person to stand by the anchor during docking/undocking operations. At the time of the occurrence, the deckhand was occupied with duties elsewhere, and the anchor could not be dropped, depriving the vessel of a potentially important tool for use in an emergency.

2.4.2.2 Emergency Response

When the Queen of Oak Bay lost propulsion, the limited information available to the bridge prevented the bridge team from ascertaining the status of the propulsion plant. They could only see that the two propellers had stopped turning, and, realizing that the vessel was about to run into the marina, asked the engine room crew to restart the engines and restore power.

The wheelhouse crew arrived at an incorrect conclusion because instrumentation on the manoeuvring console did not provide a complete picture of the engines/clutch status. Consequently, communication between the wheelhouse and engine control room included instructions that interfered with the engineers' efforts toward potential resolution of technical problems.

Engine room staff would normally troubleshoot operational problems with engine room machinery and its systems. In this occurrence, when the two main engines tripped, alarms indicating the cause were set off in both the engine control room and the engine room; this information was readily available to the engineering staff. However, given the urgency of the situation, the engineering staff responded by restarting the engine without fully ascertaining the cause of the shutdown.

Attempts to restart the No. 1 main engine were unsuccessful because the fault condition that caused the engine to stop was neither diagnosed nor rectified. Restarting machinery without first determining the cause of the fault condition increases the potential for further damage. For example, had the fault condition been due to a lack of lubricating oil or mechanical damage, restarting the engine under such conditions would likely have caused further damage.

2.4.3 Inspection and Planned Maintenance Procedures

Inspection of the governor and fuel linkages was regularly done by the vessel's engineers, especially before startup. The missing or improperly fitted split pin on the castellated nut on the governor's output lever link pin was small (not more than 30 mm by 3 mm), and the problem was overlooked while inspecting the entire engine. The No. 2 main engine's governor, however, had a severely bent link pin that was connected to the output shaft, which should have been fairly obvious. This was not observed during inspection rounds. Other linkage-related defects on both engines, such as the use of a fabricated link pin and lock nut, and the improper angular arrangement of link rods (which had the potential to compromise the functionality of the fuel control system), had also existed for a while; they too were easy to see and, once noticed, to rectify.

The link pin is designed to be a sliding fit in the governor's output lever. Over time, wear resulted in increased clearances, leading to the generation and propagation of vibrations. A correctly tightened nut will not normally lose tension, even if it has been assembled without a locking device. In this case, induced engine vibrations, amplified by wear between mating components, loosened the fastener and allowed the disconnection of the linkages.

Major components generally have manufacturer's guidelines for inspection and maintenance. These are based on running hours, with the objective being timely repair or replacement of worn out parts. Company practice is to have the governors overhauled annually. By contrast, no inspection and planned maintenance routines are in place for checking wear in the linkages.

Although routines and checklists could conceivably be drawn up for the maintenance and assembly of every item or component of a machine, to do so would be an onerous task. Rather, it is up to the engineer or technician to take the initiative - using his/her education, training, and experience - and identify components where usage over time has caused wear. Suitable corrective action must then follow, with the discovery made known both to other engineers and to company management.

The SMS developed by BC Ferries require senior engineers to inculcate good engineering practices amongst the junior engineers and to foster an atmosphere that actively seeks to increase workplace efficiency and safety. In this case, the governors had been disconnected from and reconnected to the engines many times by different engineers and technicians, yet no one recognized the increased clearances in the pins and linkages.

2.4.4 Supervision of Tasks

Proper supervision can be effective in making sure assigned work has been done satisfactorily.

Operational and maintenance-related activity to keep machinery running smoothly must be selectively delegated by the person in charge of a watch. The chief engineer ought to be aware of the complexity and risks associated with such work. This means that he gives timely direction when required, and makes sure that the entire job has been satisfactorily completed and tested.

In the airline industry, mandatory¹² supervisory systems require vigorous cross-checking and independent verification to ensure proper completion of work. No such system exists in the marine industry, though the introduction of the ISM Code and associated SMSs supports the objectives of providing safe operating practices and establishing safeguards against identified risks.

The SMS developed by BC Ferries identifies many shipboard activities that present a risk, and it implements procedures to minimize or eliminate them.

Examination of the SMS indicates that BC Ferries has not done an assessment of the systems requiring maintenance in order to identify ones that are safety critical, nor has it developed procedures to prevent mistakes occurring during maintenance activities on such systems.

There has been at least one other occurrence where the absence of effective supervision of maintenance activity has resulted in major machinery failure. The TSB investigated that occurrence (fire on board the ferry Queen of Surrey) and identified causal factors, and determined that the risks associated with it could have been mitigated by effective supervision.

That the missing or improperly fitted split pin was not noticed before the Queen of Oak Bay re-entered service, or subsequently, indicates some inadequacies related to supervision and verification of the contractor's work by BC Ferries.

3.0 Conclusions

3.1 Findings as to Causes and Contributing Factors

1. The absence of a split pin on the securing nut on a governor control linkage of the No. 1 main engine caused the governor to become disconnected from the fuel racks, resulting in an overspeed shutdown.
2. The setup of the engines and clutches allowed a single-point failure to disable the entire propulsion system.
3. With no propulsive power, the vessel had limited ability to steer, and entered the marina.

3.2 Findings as to Risk

1. British Columbia Ferry Services Inc.'s (BC Ferries) procedures do not provide adequate guidance for the identification and supervision of many safety-critical maintenance tasks.
2. Reliance on verbal communication and lack of detail in the work records may hinder the determination of appropriate corrective action following an occurrence.
3. As no person was designated to stand by during berthing operations, the anchor could not be deployed, depriving the vessel of a potential important tool for use in emergency.
4. In an emergency situation, decisions must be made taking into consideration all available information. Otherwise, subsequent actions intended to resolve the situation may be ineffective, thus placing the vessel at risk.
5. There are fault conditions that may require a main engine on the C Class ferries to be shut down quickly for which automated isolation from the other connected engine has not been incorporated.

4.0 Safety Action

4.1 Action Taken

4.1.1 Transportation Safety Board of Canada

On 19 July 2005, a Marine Safety Advisory (MSA 03/05) was sent to British Columbia Ferry Services Inc. (BC Ferries) and copied to Transport Canada Marine Safety and Lloyd's Register, advising them of the lack of a fail-safe capability on the propulsion system of the Queen of Oak Bay and other C Class vessels.

Transport Canada replied supporting the advice made to BC Ferries to ensure that failure of one engine does not result in the total loss of vessel propulsion on C Class ferries.

On 07 September 2005, a Marine Safety Information letter (MSI 03/05) was sent to BC Ferries and copied to Transport Canada Marine Safety and Lloyd's Register, bringing to their attention various observed anomalies in the geometry and assembly of the governor control linkages.

4.1.2 British Columbia Ferry Services Inc.

On 11 July 2005, a directive was issued by the superintendent of the Horseshoe Bay terminal to the chief engineers of the vessels in his fleet - and also copied to the other BC Ferries superintendents - requiring them to set up regular routines to inspect and verify the integrity of the main engine control linkages at least twice a day.

Additionally, all C Class ferries have begun stationing a deckhand by the anchor windlass during arrivals and departures.

Further, on 18 January 2007, BC Ferries informed the TSB of the current status of the following actions it has undertaken in response to the accident.

Issue	Actions Taken	Status
Revise maintenance plans for the Queen of Oak Bay and other C Class vessels to incorporate results of a failure modes, effects and criticality analysis (FMECA) study.	Performed FMECA study. Initiated re-writing of planned maintenance job plans as required.	Completed April 2006 In progress
Incorporate results of the FMECA study into the specification and tracking of contracted service work on C Class vessel propulsion control and mechanical systems.	Initiated development of specification standards and contracted service work checklists.	In progress
Improve Fleet Maintenance Standards.	Section 5.0 of Fleet Maintenance Standards rewritten to: • More clearly specify critical systems and the maintenance procedures to be followed for them. • Specify the use of checklists and other standardized documentation. • Specify the use of standard onboard documentation procedures.	Draft completed May 2006 Peer Review in progress
Quality assurance on propulsion control systems contracted servicing to be performed by a qualified employee.	BC Ferries fleet support technicians assigned to quality assurance function.	Completed April 2006
Where quality assurance on propulsion systems servicing cannot be performed by a BC Ferries employee, third party quality assurance is to be procured.	BC Ferries has contracted additional quality assurance technical support for major project work.	Completed April 2006
Machinery and equipment trials shall be specified in advance by manufacturers, contractors and related parties. They shall be approved and witnessed by the chief engineer for any major propulsion system component.	Revised refit specifications to provide equipment trials for work on major propulsion system components. Standards set in Fleet Maintenance Standards for level of detail expected in trials. Incorporated in Maintenance Planner training course.	Completed May 2006
The testing of medium-speed engine safety shutdowns following completion of engine work is to incorporate: (a) a visual check of fuel rack positions to ensure fuel shut off; and (b) a shutdown test with engine at normal operating temperatures.	Trials and safety device testing on C Class vessels now performed with engines up to temperature. Fleet directive issued.	Completed December 2006
Contracting practices to be reviewed to avoid ambiguous assignment of responsibility for the performance of work on critical systems.	Refit specification and contract refit review process revised and staffed.	Completed September 2005
Watch log format	Review format and use of watch log to determine if improvements can be made.	In progress
Daily defect sheet	Review format and use of daily defect sheet to determine if improvements can be made.	In progress
Revise record keeping in shipboard Planned Maintenance system (Maximo)	Simplified input screens to encourage more comprehensive use. Revised Work Completion Detail portion of reporting function to enhance ease of use and provide guidance as to content.	In progress Estimated April 2007

Furthermore, Section 5.0 of Fleet Maintenance Standards is being revised following the incident. It lists critical systems and sets standards for maintenance procedures.

BC Ferries is further developing a range of procedures for the management of safety-critical tasks on board, including the following:

1. Inspection hold points are being established in refit specification documents.
2. Planned Maintenance Job Plans are to identify critical tasks (that is, tasks that require a hold point for inspection by the appropriate BC Ferries subject-matter expert).
3. Unplanned repairs require the identification of critical tasks by the chief engineer.
4. Inspection checklists (equipment specific) are required for verification of complex critical tasks.

4.2 Safety Concern

The safety of large vessels engaged in manoeuvring situations is contingent upon having propulsion to maintain steerage, particularly at low speeds when approaching, for example, a berth. In this occurrence, the Queen of Oak Bay experienced a loss of main engine propulsion during berthing operations that resulted in a loss of steerage and the striking of pleasure craft in a marina.

As per the vessel's standard operating procedures for berthing operations, the two main engines were coupled together via clutches driving both forward and aft propellers. When one of the main engines oversped, the increase in speed was immediately reflected in a matching speed increase of the other main engine, resulting in the activation of the overspeed protection devices that shut down both main engines. BC Ferries operates four other C Class vessels with propulsion features similar to the Queen of Oak Bay. These vessels have redundancy in propulsion system in that they are fitted with multiple engines, shafts, and propellers.

While it is not uncommon to have two or more engines clutched to common propulsion shafting, systems are available that prevent the failure of one engine from detrimentally affecting the other. For example, there are systems that automatically declutch and isolate an engine should it experience a serious fault. On board C Class vessels, only engine overspeed was connected to an automatic engine shutdown device. Other fault conditions detrimental to the main engines would trigger an alarm only and would not automatically isolate and shut down the engine.

Furthermore, Transport Canada believes that such propulsion control systems should be designed on a fail-safe principle, so that anomalies or failures in one part of the system will not compromise the operation of the overall propulsion system. Transport Canada will be giving consideration in addressing the integrity of propulsion control systems during Phase 2 of the Transport Canada's Regulatory Reform initiative to modernize the Canada Shipping Act and its regulations.

Although the TSB is not aware of other similar occurrences, given the risks associated with a passenger vessel losing propulsion while approaching a berth, the Board is concerned that the existing limited use of automatic shutdown devices and the setup of the engines on these vessels may allow a single point failure affecting one of the main engines to disable the entire propulsion system, thus placing the vessel, passengers, crew or persons on shore at risk.

This report concludes the Transportation Safety Board's investigation into this occurrence. Consequently, the Board authorized the release of this report on 24 May 2007.

Appendix A - Glossary

B.C.		British Columbia
BC Ferries		British Columbia Ferry Services Inc.
BHP		brake horsepower
FMECA		failure modes, effects and criticality analysis
ISM		International Safety Management
m		metre
MLU		mid-life upgrade
mm		millimetre
rpm		revolutions per minute
SMS		safety management system
TSB		Transportation Safety Board of Canada
UNF		Unified National Fine (screw thread)
º		degree

Previous | Table of Contents

---

1. See Glossary at Appendix A for all abbreviations and acronyms.

2. Units of measurement in this report conform to International Maritime Organization standards or, where there is no such standard, are expressed in the International System of units.

3. Practice drills show that the time required to release the anchor is around three minutes.

4. Directional reference is given relative to the vessel's bow, with the No. 2 end being "forward" at the time of the occurrence.

5. In both modes, an increase in one engine's rpm, for example, will cause an immediate increase in the other.

6. For the rudders to be effective in the absence of propeller wash, the vessel'speed must be at least four to five knots.

7. The exact setting depends upon the weather and sea conditions.

8. All times are Pacific daylight time (Coordinated Universal Time minus seven hours).

9. TSB Engineering Laboratory report LP 072/2005 is available upon request.

10. Regulations require the overspeed trip to be set at 110 per cent of rated rpm.

11. This has been analyzed in detail in the TSB's investigation into the fire aboard the Queen of Surrey (TSB report M03W0073).

12. Transport Canada and the Federal Aviation Administration specify the aircraft and the machinery components that require such supervision of maintenance tasks.