Communication network failures have been identified in high-profile incidents involving Dynamically Positioned (DP) vessels over the years. The cause of several of these network failures was specifically attributed to a netstorm. What is a netstorm, what impact does it have on DP and other control systems, and is there a solution?
Published: 13 March, 2019
What is a netstorm?
A netstorm is simply an excessive amount of traffic, or more specifically, a flood of packets on the network. In a control system network scenario, the vastly increased number of packets can cause controllers to become overloaded, unable to handle their normal tasks – such as controlling a thruster (DP), monitoring shutdown conditions (ESD), or providing switchboard protection (PMS). Valid packets may never reach their intended destination.
Imagine a postal worker, on a typical day, manually sorting parcels on a narrow conveyor belt for delivery. Under normal conditions, the parcels arrive at a speed and volume that is within tolerable limits, allowing the worker to read the destination address from the label and sort accordingly in a timely manner.
Now imagine this situation during the festive season. There is now a much higher volume of parcels on the conveyor belt, which is restricted in its width. Without increased personnel, the worker is unable to deal with all the parcels in the time available as they pass. Some parcels may go unprocessed but will remain in the system, possibly delayed. Others could fall off the belt entirely; they may become lost, never to be delivered.
A netstorm hinders valid data packets on an Ethernet network in the same way. Successful delivery cannot be guaranteed under netstorm conditions. Packets can be lost or delayed to the point that they are worthless. Such delay is not acceptable in a real-time control system.
What impact does a netstorm have on DP and other control systems?
A netstorm could affect different control systems in the following ways:
- A netstorm on a DP control system has the potential to cause a loss of position. This can occur because reference system signals are not received by the controller, or because thruster/rudder command signals are not delivered.
- A netstorm on a Thruster Control System (TCS) has the potential to cause a loss of position. This can occur if a thruster field station stops because its controller has become overloaded.
- A netstorm on a Power Management System (PMS) has the potential to cause one or more generators to shut down unintentionally, thus causing a partial or full blackout. This could result in a loss of position while on DP.
- A netstorm on an Emergency Shutdown (ESD) system has the potential to cause unwanted shutdowns or inhibit a genuine shutdown command. This could result in a loss of position while on DP.
- A netstorm on an Integrated Automation System (IAS) has the potential to cause a loss of position while on DP. Because of the integrated nature of the systems, many signals can be affected or not correctly processed if the controller becomes overloaded.
It should be possible to test networks annually with little, if any, additional burden on vessel availability. Options include facilities to allow the crew to test the networks themselves or to have the test carried out as part of the Annual DP trials.
Opinions on the frequency of testing differ, but many in the DP community would agree that testing the networks every five years or after a software or hardware change/repair is prudent. What is clear is that they should at least be tested when they are commissioned.
Netstorm and throughput should be tested to demonstrate that the system can detect and protect the controllers from a network storm on one of the two process networks, and that alarms are given to the Operator. Testing should also prove the network can maintain communications at the expected data rates. It should similarly validate the independence of any Independent Joystick System (IJS). The result should be no loss of position or unexpected failure of equipment.
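The pass criteria described above can be expressed as a check over per-second packet counts from the two process networks. This is an added example, not code from the article or from any control system vendor; the thresholds, function names and sample traffic are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed limits for illustration; real values come from the system's design data.
STORM_PPS = 5000        # packets/s above which an interval counts as storm traffic
HOLD_INTERVALS = 3      # consecutive storm intervals before the alarm latches
MIN_EXPECTED_PPS = 200  # process-data rate a healthy network must sustain

@dataclass
class NetResult:
    name: str
    storm_alarm: bool         # operator alarm latched
    alarm_at: Optional[int]   # interval index at which it latched
    throughput_ok: bool       # expected data rate held in every interval

def evaluate(name, pps_samples):
    """Scan per-second packet counts for one process network."""
    run, alarm_at = 0, None
    for i, pps in enumerate(pps_samples):
        # A short burst resets the counter; only sustained flooding latches the alarm.
        run = run + 1 if pps > STORM_PPS else 0
        if run >= HOLD_INTERVALS and alarm_at is None:
            alarm_at = i
    ok = all(MIN_EXPECTED_PPS <= pps <= STORM_PPS for pps in pps_samples)
    return NetResult(name, alarm_at is not None, alarm_at, ok)

def storm_test_passed(injected, other):
    """Pass: the storm on the injected network is alarmed and the
    redundant network keeps its expected data rate with no alarm."""
    return injected.storm_alarm and not other.storm_alarm and other.throughput_ok

# Constructed samples: storm injected on network A from second 4 to second 7.
NET_A = [310, 295, 305, 300, 48000, 51000, 50500, 49800, 300, 310]
NET_B = [305, 300, 298, 302, 301, 299, 303, 300, 304, 300]

if __name__ == "__main__":
    a, b = evaluate("Net A", NET_A), evaluate("Net B", NET_B)
    for r in (a, b):
        print(f"{r.name}: alarm={r.storm_alarm} at={r.alarm_at} throughput_ok={r.throughput_ok}")
    print("Storm test passed:", storm_test_passed(a, b))
```

The hold interval is what separates a brief traffic burst from a sustained storm; setting it too high delays the Operator alarm, while setting it too low produces nuisance alarms.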