ShipCalculators.com

Engine Emergency Stop Circuits: Shutdown and Slowdown

Engine emergency stop circuits are the hardware and logic systems that stop or reduce the speed of a ship’s main engine when a sensor detects a condition dangerous enough to warrant intervention without waiting for a crew command. On a slow-speed two-stroke crosshead diesel, the distinction between a shutdown (engine brought to a full stop) and a slowdown (engine speed and load reduced automatically to a safe holding level) is fundamental to safe operation. Both types of response protect the engine and the ship, but from different threat levels and with very different consequences for propulsion availability.

This article covers the purpose of the safety system, the shutdown-versus-slowdown logic and typical trigger lists, the overspeed trip as the primary safety device, the emergency stop locations and the mechanical means of stopping a runaway engine, the bridge override arrangement and its limits, the auxiliary and generator engine safety arrangements and the blackout-prevention logic that distinguishes them from main engine protection, the oil mist detector and bearing temperature monitoring as shutdown initiators, the testing and survey regime for the safety system, historical incidents that shaped current shutdown philosophy, the SOLAS and IACS requirements that govern the system, and the practical limitations that engineers must understand.

For the broader context of engine speed regulation, see the article on engine governor systems. For the bridge-side command interface, see engine telegraph and remote control. The full automation and alarm management context is covered in marine engine room automation and monitoring.

Purpose of the safety system

A slow-speed two-stroke main engine running at rated power develops crankshaft loads in the range of 40,000 to 100,000 kN-m on large bore engines. The lubricating-oil film separating the crosshead bearing shells from the journal is 20 to 40 micrometres thick at full load. Loss of that film for as little as ten seconds begins to score the white-metal surface; continued running for 30 to 60 seconds can weld the bearing to the journal and cause a crankshaft fracture. The engine’s safety system exists to cut fuel before that damage becomes irreversible.

The safety system is distinct from the control system. The engine control system governs normal operation: it regulates speed to the bridge command, manages load during acceleration and deceleration, and sequences engine starts and stops. The safety system overrides the control system when a parameter crosses a threshold that signals destruction rather than inconvenience. Its design principle is: a single failure in the control system must not suppress a safety action. IACS Unified Requirement M67 (2019) codifies that separation, requiring the safety system to act independently even when the control system has failed.

The two classes of response differ in severity:

  • Shutdown: the engine is stopped immediately, fuel rack driven to zero, starting air isolated. Used for conditions where continued operation would cause engine destruction or a crankcase explosion within seconds to minutes.
  • Slowdown: engine speed and fuel index are reduced automatically to a preset low level (typically 50 to 65% MCR, sometimes lower) and held there while the alarm is raised. Used for conditions where continued slow-speed operation while the crew investigates is safer than a sudden propulsion loss.

The engineering choice between shutdown and slowdown for each parameter reflects a calculation: is the hazard of continued operation at any speed greater than the hazard of an immediate propulsion blackout? For a ship in a restricted channel or heavy traffic, sudden propulsion loss is itself dangerous. Slowdown preserves manoeuvring capability while still reducing engine loading below the level that would cause damage at the reduced speed.

Shutdown versus slowdown: the trigger matrix

The table below shows the typical trigger split for a modern slow-speed two-stroke main engine. Set points vary between engine builders, ship types, and class-society requirements; the values shown are representative of MAN Energy Solutions ME-C and WinGD X-series defaults and should not be taken as universal.

| Parameter | Typical alarm level | Typical slowdown level | Typical shutdown level | Notes |
|---|---|---|---|---|
| Lubricating-oil pressure (main bearing supply) | 3.5 bar | n/a | < 1.8 bar | 5 s time delay on pressure drop to suppress transients |
| Lube-oil inlet temperature | 55 °C | n/a | n/a | Alarm only on most installations |
| Crosshead lube-oil pressure | 2.5 bar | n/a | < 0.8 bar | Separate circuit from main lube oil |
| Piston-cooling-oil outlet temperature deviation | +5 °C above mean | +10 °C | n/a | Per-cylinder deviation logic; slowdown only |
| Jacket cooling-water temperature (outlet) | 85 °C | n/a | 95 °C | Shutdown if HT cooler failure |
| Scavenge-air temperature | 55 °C | n/a | n/a | Alarm only |
| Crankcase oil mist concentration | alarm | n/a | > 2.5 mg/L (or class-set threshold) | Graviner or OMS type; immediate shutdown |
| Main bearing temperature (direct RTD) | 70 °C | n/a | 80 °C | Not all engines fitted; slowdown on some |
| Thrust bearing temperature | 65 °C | n/a | 75 °C | Slowdown on some class rules |
| Exhaust-gas temperature deviation (cylinder mean) | +50 °C | +80 °C (slowdown on most) | n/a | Deviation from per-cylinder rolling average; engine builder-specific |
| Engine speed (overspeed) | n/a | n/a | > 110-115% rated speed | Independent hardware trip; non-overridable |
| Starting-air pressure (pre-start interlock) | n/a | n/a | < minimum start pressure | Prevents start; not a running shutdown |

The piston-cooling-oil outlet temperature deserves particular attention. Because each cylinder has its own cooling oil supply circuit, a single-cylinder deviation above the mean by more than 10 °C typically triggers a slowdown rather than a shutdown. A coolant blockage in one cylinder doesn’t justify stopping the engine at sea; it does justify reducing load to slow down the heat input while the watch engineer locates the blocked nozzle. The same reasoning applies to exhaust temperature deviation: one hot cylinder tells you about a fuel valve or scavenge problem in that cylinder, not necessarily an imminent engine-wide failure.

Oil mist concentration, by contrast, triggers a shutdown with no slowdown intermediate. An oil mist detector reading above the explosive threshold in the crankcase means the crankcase atmosphere is potentially flammable. Continued operation risks a crankcase explosion, which can cause death and severe structural damage to the engine room. No navigational consideration overrides that.

The overspeed trip

The overspeed trip is the primary safety device on any diesel engine, marine or otherwise. It fires when the crankshaft rotational speed exceeds a preset percentage of rated speed, typically 110 to 115%, cutting fuel supply to zero regardless of the governor command. At overspeed, centrifugal or inertial forces inside the engine exceed design limits; connecting-rod bolts, crosshead pins, and crankshaft webs are all at risk.

Overspeed conditions arise from three principal causes on main engines:

  1. Governor failure: the governor loses its speed feedback signal or its fuel-command output, allowing the fuel rack to open fully. The engine accelerates until either the propeller absorbs the power or the overspeed trip fires.
  2. Load shedding with fuel stick: the propeller shaft disconnects or the ship broaches into a following sea, reducing propeller torque to near zero. If the fuel rack doesn’t close fast enough (governor response lag), the engine can overspeed momentarily.
  3. Runaway on crankcase vapour: lube-oil mist or vapour accumulating in the scavenge spaces or crankcase can sustain combustion independent of diesel fuel injection, producing uncontrolled acceleration.

IACS UR M67 requires that the overspeed device be mechanically or electronically independent from the main engine governor. On older mechanical-governor engines, this was a separate centrifugal fly-weight mechanism on the camshaft or crankshaft that mechanically tripped the fuel rack to zero. On modern electronically controlled engines such as the MAN ME-C series, the overspeed protection is a dedicated hardware module (the Safety System Unit or SSU on MAN engines, the Safety System Module on WinGD engines) that monitors crankshaft speed independently from the Electronic Control Unit that runs the governor. A fault in the ECU cannot disable the SSU’s overspeed response.

The overspeed trip cannot be overridden from the bridge, the engine control room, or any other station. This is deliberate and required. The bridge override arrangement (described below) explicitly excludes overspeed protection from its scope.

Emergency stop locations and the means of stopping

Where the buttons are

SOLAS Chapter II-1 Regulation 49 (in the 2000 amendment consolidation) requires that the main propulsion machinery be capable of being stopped from the navigating bridge. Class rules extend this to require stop capability from the engine control room and at or near the engine itself. The practical implementation on a modern ship places emergency stop buttons at:

  1. The navigating bridge: typically a red mushroom-head button protected by a hinged cover or a guarded recess, to prevent accidental activation. Pressing it sends a hardwired signal directly to the engine’s safety system, not through the bridge management network.
  2. The engine control room (ECR): a separate dedicated button, distinct from the normal “stop” function on the telegraph or control console. This is the most frequently used stop in practice: planned stops, maintenance shutdowns, and emergency response from the ECR all use it.
  3. Local engine-side stations: on a large slow-speed engine, there are typically two to four push button stations distributed around the engine, at platform levels and at both ends. These allow an engineer working at the engine to stop it immediately without running to the ECR.
  4. Fire control station (passenger ships and some cargo ships): where the fire control station is remote from the ECR, a stop capability is required there so firefighting teams can stop the engine without entering the machinery space.

Each station connects to the safety system through hardwired circuitry, not through a control network bus. This matters because a software fault in the control system should not prevent a safety stop. The wiring runs are physically separated from signal cabling to the extent practicable, and the safety relays are powered from a dedicated supply circuit with battery backup.

Cutting fuel: the fuel rack mechanism

The standard method of stopping a diesel engine is driving the fuel injection pump rack to the zero-delivery position. On mechanically governed engines, this means physically moving the fuel rack linkage to zero stroke. On electronically controlled ME-C type engines, the Electronic Fuel Injection (EFI) solenoid valves are de-energized, stopping fuel supply to the injection accumulators. The result in both cases is that no fuel reaches the combustion chambers, combustion ceases, and the engine decelerates under propeller drag and its own internal friction.

On a large slow-speed two-stroke engine running at 90 RPM, with the propeller providing braking torque, the engine typically decelerates from running speed to stopped in 30 to 90 seconds after fuel cut. The exact time depends on the degree of propeller drag, which in turn depends on whether the vessel is underway at speed or manoeuvring. The engine telegraph and remote control article covers the crash-stop manoeuvre, where the engine is reversed rather than stopped, which is the primary means of reducing headway in an emergency.

A fuel rail pressure interlock prevents restart until rail pressure is within range, ensuring the fuel system is ready before combustion begins again.

Air shutoff flaps: stopping a runaway

Cutting the diesel fuel rack stops a normally running engine. But if the engine is sustaining combustion on lube-oil vapour (a vapour-phase runaway following an oil mist detector trip), cutting diesel fuel injection alone may not stop it. The crankcase vapour, drawn into the scavenge spaces and cylinders, can continue to combust and keep the engine turning even with zero diesel fuel.

The air shutoff flap valve, mounted on the turbocharger air inlet or on the scavenge receiver inlet duct, addresses this. On activation, the flap closes and seals the air supply to the engine. Without air, combustion cannot continue regardless of what fuel or vapour is present. The engine stops quickly once the air is starved.

Class rules (for example Lloyd’s Register Rules for the Machinery Installations, Chapter 3) require air shutoff capability on main engines where the oil mist detector is the primary crankcase protection. MAN Energy Solutions and WinGD both supply air shutoff flap assemblies as standard or optional equipment on their slow-speed engines. On a MAN MC/ME engine, the air shutoff valve is pneumatically actuated and spring-return: loss of actuating air pressure drives the valve to the closed (safe) position.

The flap valve also serves as a fire safety device for the engine room. If a fire occurs that could be sustained by the turbocharger air intake, closing the air shutoff starves the fire of the airflow that the running engine would otherwise provide.

The bridge override: logic and limits

What the override does

The bridge override is an arrangement that allows the officer of the watch (OOW) on the bridge to suppress certain main engine automatic shutdowns and slowdowns, keeping the engine running at normal load despite a sensor alarm. Its purpose is to prevent automatic propulsion loss at the worst possible moment.

Consider a ship in the final approach to a berth, or transiting a narrow channel in a head sea. At that moment, the piston-cooling-oil outlet temperature on cylinder six rises above the shutdown trigger. Without an override, the safety system stops the engine. The ship drifts, potentially onto rocks, a shoal, or another vessel. The override allows the OOW to acknowledge the alarm, accept the risk of continued operation with the elevated temperature, and maintain propulsion long enough to reach a safe location.

SOLAS Chapter II-1 Regulation 49 and the related IMO Resolution A.694(17) (on unified requirements for control, alarm, and safety systems) both acknowledge this logic. They require that the bridge be capable of suppressing automatic shutdown of the main propulsion machinery, but also that the suppression be an intentional, recorded act. The bridge override is typically a key-switch or a dual-action control (lift-and-press) to prevent accidental suppression. While the override is active, an audible and visual alarm continues on both the bridge and in the ECR. The act of overriding is logged by the control system with a timestamp.

The override does not make the problem disappear. The alarm remains active throughout. In the ECR, the duty engineer is aware that one or more safety actions have been suppressed and is expected to investigate and resolve the underlying condition.

What the override cannot suppress

The overspeed trip is explicitly excluded from bridge override scope in both IACS UR M67 and the class rules of all major societies (DNV Rules for Classification Ships, Pt.4 Ch.2; LR Rules for the Manufacture, Testing and Certification of Materials, Section on Machinery; ABS Rules for Building and Classing Marine Vessels, Part 4). The bridge cannot suppress the overspeed shutdown because a runaway engine accelerating to 115% or more of rated speed will destroy itself in seconds, producing mechanical fragmentation that is an immediate danger to personnel and the ship structure.

Similarly, most class societies require that the crankcase oil mist shutdown not be suppressible from the bridge if the mist concentration is above the explosive threshold. Some rules allow a time-limited override of the oil mist slowdown alarm while awaiting verification, but not the shutdown trigger.

Common shutdown triggers that CAN typically be bridge-overridden (with continuous alarm):

  • Low lubricating-oil pressure (where the ship is in a position that makes immediate stop more dangerous)
  • High jacket cooling-water temperature
  • High piston cooling oil outlet temperature
  • High thrust bearing temperature
  • High main bearing temperature

Common conditions that CANNOT be bridge-overridden:

  • Overspeed (always excluded; hardwired trip)
  • Crankcase oil mist above explosive threshold (class-dependent; most prohibit override above the trip level)
  • Conditions defined as “non-overridable” in the vessel’s specific class certification

The vessel’s Safety Management System (SMS) under the ISM Code must document the bridge override procedure, the conditions under which it may be used, and the responsibility chain (typically master’s authority, with OOW executing on master’s instruction).
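As an added worked example (not code from this page, nor any engine builder's or class society's logic): a small Python model of the trigger matrix and the override scope described above. Set points are the representative values from the table; the channel names, the at-or-above comparison for high limits, and the six-cylinder sample readings are assumptions of the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from statistics import mean


class Action(IntEnum):  # ordered so that max() yields the most severe demand
    NONE = 0
    ALARM = 1
    SLOWDOWN = 2
    SHUTDOWN = 3


@dataclass(frozen=True)
class Trigger:
    name: str
    alarm: float | None        # alarm level (None: no alarm stage)
    slowdown: float | None     # slowdown level (None: no slowdown stage)
    shutdown: float | None     # shutdown level (None: no shutdown stage)
    low: bool = False          # True: level is a minimum, crossed when the reading falls below it
    overridable: bool = True   # False: the bridge override can never suppress this trigger


# Engine-wide channels with the representative set points from the table above.
# Constructed instance for illustration, not any builder's or class society's configuration.
TRIGGERS = {
    "lube_oil_pressure_bar":      Trigger("Lubricating-oil pressure", 3.5, None, 1.8, low=True),
    "crosshead_oil_pressure_bar": Trigger("Crosshead lube-oil pressure", 2.5, None, 0.8, low=True),
    "jacket_water_temp_c":        Trigger("Jacket cooling-water temperature", 85, None, 95),
    "main_bearing_temp_c":        Trigger("Main bearing temperature", 70, None, 80),
    "thrust_bearing_temp_c":      Trigger("Thrust bearing temperature", 65, None, 75),
    "oil_mist_mg_per_l":          Trigger("Crankcase oil mist", None, None, 2.5, overridable=False),
    "speed_pct_rated":            Trigger("Engine speed (overspeed)", None, None, 110, overridable=False),
}
# Per-cylinder channels: the levels are deviations above the mean of all cylinders.
DEVIATION_TRIGGERS = {
    "piston_cooling_oil_out_c": Trigger("Piston-cooling-oil outlet deviation", 5, 10, None),
    "exhaust_gas_temp_c":       Trigger("Exhaust-gas temperature deviation", 50, 80, None),
}


def classify(value: float, t: Trigger) -> Action:
    """Most severe stage whose level the reading has crossed (at-or-above for highs, below for lows)."""
    def crossed(level: float | None) -> bool:
        if level is None:
            return False
        return value < level if t.low else value >= level

    for level, action in ((t.shutdown, Action.SHUTDOWN),
                          (t.slowdown, Action.SLOWDOWN),
                          (t.alarm, Action.ALARM)):
        if crossed(level):
            return action
    return Action.NONE


def evaluate(readings: dict, cylinders: dict, bridge_override: bool):
    """Return (engine action taken, event log) for one scan of the safety system.

    readings:  {channel: value} for the engine-wide channels in TRIGGERS
    cylinders: {channel: [value per cylinder]} for DEVIATION_TRIGGERS
    Log entries are (trigger name, demanded action, action taken, suppressed by override).
    The override demotes a slowdown or shutdown of an overridable trigger to a standing
    alarm; it never touches overspeed or oil mist, and the alarm itself is never silenced.
    """
    demands = [(TRIGGERS[ch], classify(v, TRIGGERS[ch])) for ch, v in readings.items()]
    for ch, values in cylinders.items():
        t = DEVIATION_TRIGGERS[ch]
        avg = mean(values)
        demands.append((t, max(classify(v - avg, t) for v in values)))

    log, taken = [], Action.NONE
    for t, demanded in demands:
        if demanded == Action.NONE:
            continue
        suppressed = bridge_override and t.overridable and demanded >= Action.SLOWDOWN
        effective = Action.ALARM if suppressed else demanded
        log.append((t.name, demanded, effective, suppressed))
        taken = max(taken, effective)
    return taken, log


# Constructed sample scans: a healthy engine, then cylinder six running hot on piston cooling oil.
NORMAL = {"lube_oil_pressure_bar": 4.2, "crosshead_oil_pressure_bar": 3.0, "jacket_water_temp_c": 80,
          "main_bearing_temp_c": 60, "thrust_bearing_temp_c": 55, "oil_mist_mg_per_l": 0.1,
          "speed_pct_rated": 100}
CYL_NORMAL = {"piston_cooling_oil_out_c": [60, 61, 59, 60, 62, 60],
              "exhaust_gas_temp_c": [390, 400, 395, 405, 398, 392]}
CYL_SIX_HOT = dict(CYL_NORMAL, piston_cooling_oil_out_c=[60, 61, 59, 60, 62, 74])

if __name__ == "__main__":
    for label, rd, cyl, ovr in (("normal", NORMAL, CYL_NORMAL, False),
                                ("cyl 6 hot", NORMAL, CYL_SIX_HOT, False),
                                ("cyl 6 hot, override", NORMAL, CYL_SIX_HOT, True),
                                ("overspeed, override", dict(NORMAL, speed_pct_rated=116), CYL_NORMAL, True)):
        action, log = evaluate(rd, cyl, ovr)
        print(f"{label:22s} -> {action.name:8s} {log}")
```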

Auxiliary engine and generator safety systems

Why auxiliary engines are protected differently

The main propulsion engine and the ship’s diesel generator sets serve different functions, and their protection logic reflects that difference. The main engine is directly coupled to the propeller; a sudden stop endangers the ship’s manoeuvrability. A generator set supplies electrical power to the whole vessel, and its sudden stop causes a partial or total blackout, which is dangerous in its own right. Neither is simply “expendable”, but the consequences of losing one are not the same, and the protection philosophy differs accordingly.

Generator sets on most cargo ships run at constant speed: 720 or 900 RPM for 60 Hz systems, 720 or 750 RPM for 50 Hz, depending on the number of poles and the electrical frequency of the network. Speed regulation is handled by an isochronous governor that holds frequency within tight limits regardless of load variations. Unlike the main engine, where a slowdown preserves propulsion, a generator running slow produces under-frequency power that can damage electrical consumers and triggers protective relays on the switchboard. Generator safety systems therefore tend to be binary: they either keep the machine running or shut it down. There’s no useful “slowdown” intermediate for a machine that must hold constant speed.

The article on marine auxiliary engines and generators covers genset types and their mechanical characteristics in more detail.

Typical generator shutdown triggers

IACS Unified Requirement E9 (Safety Systems for Diesel Driven Generator Sets) defines the minimum shutdown conditions for shipboard generators. The required shutdown triggers typically include:

  • Overspeed: trip at 110 to 115% of rated speed. Same principle as the main engine; a runaway generator can shed load onto remaining sets or cause mechanical failure of the alternator windings.
  • Low lubricating-oil pressure: trip at the builder-specified threshold, typically 1.5 to 2.0 bar for a medium-speed four-stroke genset, with a time delay of 5 to 10 seconds to suppress transients on start.
  • High coolant temperature: trip at 95 °C jacket-water outlet temperature or equivalent.
  • High crankcase oil mist concentration: trip on oil mist detector alarm, same principle as main engine.
  • Reverse power: on a paralleled generator, sustained reverse power (power being absorbed from the bus rather than fed to it) indicates governor or exciter failure and requires disconnection and shutdown.
  • Overcurrent / short circuit: handled primarily by the switchboard protective relays and the alternator’s own thermal protection, which command a shutdown of the diesel if the fault is sustained.

The distinction from main engine protection is the addition of electrical protection signals feeding back into the diesel shutdown system. An alternator winding fault or a sustained bus fault that the switchboard relays cannot clear quickly will be followed by a diesel shutdown signal. The diesel and the alternator are treated as an integrated machine.

Preferential tripping and blackout prevention

The most significant conceptual difference between main engine protection and generator protection is the preferential trip system. On the ship’s electrical network, the total installed generation capacity is rarely all online simultaneously. Typically two or three generators run in parallel to meet the current load, with one or more on standby. If the running load suddenly increases (a large motor starting, a thruster going to full pitch) and exceeds the combined output of the running sets, the sets overload, frequency drops, protective relays begin to operate, and a blackout threatens.

The preferential trip system prevents this by automatically shedding non-essential loads before the overload develops far enough to trip a generator. When measured bus frequency drops below a set threshold (typically 48 Hz on a 50 Hz system), a cascade of contactors opens, disconnecting loads in priority order. Cargo pumps, ventilation fans serving non-essential spaces, heating elements, workshops, and deck machinery go first. Hotel loads, navigation systems, fire pumps, and propulsion auxiliaries stay on.

If load-shedding through preferential trips restores frequency, no generator trips and no blackout occurs. The system has managed a demand spike by cutting supply to loads that can tolerate interruption. This logic is embedded in the switchboard’s power-management system (PMS), not in the individual generator’s safety system, but it interacts closely with generator protection: the PMS decisions about which generators to start, parallel, and protect are coordinated with the generators’ own governors and AVRs (automatic voltage regulators).

The engineering separation is deliberate: the generator’s own safety system (oil pressure shutdown, overspeed trip) acts whether or not the PMS is functional. If the PMS fails, individual generator protection still works. IACS UR M55 requires that this independence be demonstrated during the commissioning tests for UMS notation: the safety system is tested with the PMS in a fault state to confirm that individual generator shutdowns still fire correctly.
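An added illustration, not this page's own logic nor any switchboard or PMS vendor's: a Python model of the stage-by-stage preferential trip described above. The 48 Hz threshold is the representative value from the text; the load list, its kW figures, the stage numbering and the 1800 kW running capacity are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass

UNDERFREQUENCY_HZ = 48.0   # representative preferential-trip threshold on a 50 Hz network


@dataclass(frozen=True)
class Load:
    name: str
    kw: float
    shed_stage: int | None   # None: essential, never shed; 1, 2, ...: order in which stages open


def preferential_trip(capacity_kw: float, loads: list[Load], bus_hz: float) -> dict:
    """One pass of the preferential trip logic.

    Nothing happens while bus frequency holds at or above the threshold (frequency, not a
    computed power balance, is what the relays see). Below it, shedding stages open one after
    another (lowest stage number first) until the remaining load fits the running generation.
    If even the essential load exceeds capacity, the generators' own protection is the next
    line of defence and the result flags a blackout risk.
    """
    connected = list(loads)
    shed: list[str] = []
    if bus_hz >= UNDERFREQUENCY_HZ:
        return {"shed": shed, "remaining_kw": sum(ld.kw for ld in connected), "blackout_risk": False}
    stages = sorted({ld.shed_stage for ld in loads if ld.shed_stage is not None})
    for stage in stages:
        if sum(ld.kw for ld in connected) <= capacity_kw:
            break                                   # load now fits: stop shedding
        shed += [ld.name for ld in connected if ld.shed_stage == stage]
        connected = [ld for ld in connected if ld.shed_stage != stage]
    remaining = sum(ld.kw for ld in connected)
    return {"shed": shed, "remaining_kw": remaining, "blackout_risk": remaining > capacity_kw}


# Constructed load list for a cargo ship network (kW figures are illustrative only).
LOADS = [
    Load("propulsion auxiliaries", 500, None),
    Load("navigation and hotel", 300, None),
    Load("fire pump", 100, None),
    Load("cargo pumps", 600, 1),
    Load("deck machinery", 200, 1),
    Load("non-essential ventilation", 150, 2),
    Load("heating", 100, 2),
    Load("workshop", 50, 2),
]
TWO_GENSETS_KW = 1800.0   # two 900 kW sets in parallel (illustrative)

if __name__ == "__main__":
    print(preferential_trip(TWO_GENSETS_KW, LOADS, 49.8))   # frequency holds: nothing shed
    print(preferential_trip(TWO_GENSETS_KW, LOADS, 47.6))   # overload: stage 1 opens
    print(preferential_trip(900.0, LOADS, 47.4))            # one set left: stages 1 and 2 open
    print(preferential_trip(800.0, LOADS, 47.0))            # essential load alone exceeds capacity
```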

Standby generator auto-start and dead-bus protection

On a UMS ship, the auto-start logic for standby generators is part of the safety architecture. When a running generator trips (on oil pressure, overspeed, or any of the triggers above), the PMS detects the loss of supply and commands the standby generator to start. The sequence is: trip detected, start signal sent, engine starts on air, alternator reaches voltage and frequency, breaker closes to bus. The whole sequence takes 20 to 45 seconds depending on the generator’s starting air system and the governor’s speed-up characteristic.

During those 20 to 45 seconds the bus may be dead (total blackout) or partially degraded if one of the remaining sets can carry partial load. A dead-bus condition is recognized by the emergency generator, which also auto-starts and connects to the emergency switchboard via a separate bus that is normally open but closes automatically when the main bus loses voltage. The emergency generator’s safety system is identical in principle to the main generators: overspeed trip, oil pressure shutdown, high temperature shutdown, all hardwired and independent of the PMS.

SOLAS Chapter II-1 Regulation 42 requires the emergency source of electrical power to be capable of supplying essential services for at least 18 hours (cargo ships) or 36 hours (passenger ships). The emergency generator’s automatic starting is tested at every UMS class survey as part of the blackout test: the main bus is killed (with class surveyor witnessing), and the time for the emergency generator to supply the emergency switchboard is recorded.

Oil mist detection and bearing temperature monitoring as shutdown initiators

Oil mist detectors: how they work and what they protect against

An oil mist detector monitors the atmosphere inside the crankcase of a diesel engine for suspended lube-oil aerosol. Below a certain concentration the crankcase atmosphere is inert: the oil mist density is too low to support combustion. Above a threshold (approximately 25 to 50 mg/m³ of air, or expressed differently as 50 to 65% of the lower explosive limit), the mixture becomes potentially ignitable by a hot spot.

The Graviner Mk 6 and the Schaller VN 115 are the two most widely fitted oil mist detectors on ocean-going cargo ships. Both work by drawing air samples from multiple crankcase sampling points through a multicell sensor head. The Graviner Mk 6 uses a photometric cell: a light beam passes through the sample and the attenuation caused by suspended oil droplets is measured against a reference cell. The Schaller unit uses a comparable optical principle. The detector compares the current cell reading against the average of all cells and also against an absolute threshold.

The dual-alarm approach matters. A single cell reading significantly above the others (relative alarm) suggests a localized hot spot near one of the sampling ports: a bearing, a piston, or a crosshead pin that is beginning to score and generating local oil mist above the background level. An absolute alarm on all cells together means the total crankcase mist has risen, which can indicate a more general condition or a seal failure. Class rules (DNV, LR, ABS) require that the oil mist detector respond within 20 seconds of the mist concentration reaching the alarm threshold, and within 30 seconds from alarm to shutdown signal being sent to the safety system.
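As an added example of the dual-alarm comparison and the response-time limits just described (not this page's code, and not Graviner's or Schaller's actual algorithm): the 10 mg/m³ relative margin and the 25 mg/m³ absolute set point are assumed values, the cell readings are constructed, and the mapping of the two tests onto an alarm or a shutdown demand is an assumption of the model.

```python
from __future__ import annotations

from statistics import mean

ABSOLUTE_ALARM_MG_M3 = 25.0      # assumed absolute set point, low end of the range quoted above
RELATIVE_MARGIN_MG_M3 = 10.0     # assumed margin of one cell above the average of all cells
MAX_DETECT_S = 20.0              # class limit quoted above: threshold reached -> alarm
MAX_ALARM_TO_SHUTDOWN_S = 30.0   # class limit quoted above: alarm -> shutdown signal


def evaluate_cells(cells: dict[str, float]) -> dict:
    """Apply the detector's dual test to one scan of cell readings (mg/m³ per sampling point).

    relative_alarm: cells well above the average of all cells (localized hot spot near that port)
    absolute_alarm: cells at or above the absolute threshold (general rise of crankcase mist)
    demand: what this model hands to the safety system (the mapping is an assumption)
    """
    avg = mean(cells.values())
    relative = sorted(c for c, v in cells.items() if v - avg >= RELATIVE_MARGIN_MG_M3)
    absolute = sorted(c for c, v in cells.items() if v >= ABSOLUTE_ALARM_MG_M3)
    demand = "shutdown" if absolute else "alarm" if relative else "none"
    return {"average": avg, "relative_alarm": relative, "absolute_alarm": absolute, "demand": demand}


def check_response_times(t_threshold: float, t_alarm: float, t_shutdown: float) -> dict:
    """Score a recorded function test (timestamps in seconds) against the class response limits."""
    detect = t_alarm - t_threshold
    to_shutdown = t_shutdown - t_alarm
    return {"detect_s": detect, "detect_ok": detect <= MAX_DETECT_S,
            "shutdown_s": to_shutdown, "shutdown_ok": to_shutdown <= MAX_ALARM_TO_SHUTDOWN_S}


# Constructed scans of an eight-point detector: one port near a scoring bearing, then a general rise.
LOCAL_HOT_SPOT = {f"cell_{i}": v for i, v in enumerate((5, 4, 6, 5, 5, 4, 6, 18), start=1)}
GENERAL_RISE = {f"cell_{i}": v for i, v in enumerate((30, 34, 33, 38, 31, 36, 35, 40), start=1)}

if __name__ == "__main__":
    print(evaluate_cells(LOCAL_HOT_SPOT))
    print(evaluate_cells(GENERAL_RISE))
    print(check_response_times(0.0, 12.0, 35.0))   # constructed test record: within both limits
```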

The shutdown triggered by an oil mist detector combines fuel cut, air shutoff flap closure (described above), and an audible alarm that continues even after the engine stops to ensure the crew doesn’t open the crankcase doors while residual vapour is present. Class rules and the ship’s SMS both specify a mandatory cooling period before crankcase inspection: the standard is 20 minutes on most vessels, though some class rules specify 30 minutes for engines above a certain bore. Opening a hot crankcase after shutdown while residual vapour is still present has caused secondary explosions at several incidents in port.

Bearing temperature monitoring as a shutdown initiator

Direct bearing temperature measurement, via resistance temperature detectors (RTDs) embedded in the bearing shell or in the adjacent structure, gives the safety system an independent signal about bearing condition separate from the oil mist detector. A bearing that is starting to fail will show elevated temperature before it has generated enough oil mist to trip the mist detector.

On a large slow-speed two-stroke engine, the main bearings typically carry embedded RTDs at the bottom of each shell, measuring temperature at the point of maximum hydrodynamic film pressure. The normal operating temperature for a main bearing at full load is 55 to 65 °C. An alarm at 70 °C and a slowdown or shutdown at 80 °C are typical setpoints, though engine builders and class societies vary the exact values by engine series.

Crosshead bearings on a two-stroke engine run hotter than main bearings because the oil supply to the crosshead pin is intermittent (oil is carried up the connecting rod in oscillating pipes) and the bearing geometry differs. Crosshead bearing temperature RTDs typically alarm at 80 °C and trip at 95 °C on a large bore engine like the MAN B&W 90MC or the equivalent WinGD X82.

The safety value of bearing temperature monitoring is that it provides an early-warning signal independent of oil mist. A bearing that is approaching failure raises its temperature over a period of minutes to hours, giving the watch engineer time to reduce load before the mist detector trips. The oil mist detector is a last-resort device: by the time it trips, the bearing surface is already damaged and generating significant vapour. The bearing temperature trend, if the engineer sees it rising steadily over 30 minutes, allows an informed decision to reduce load or stop for inspection before damage becomes severe.

MAN Energy Solutions’ Engine Room Simulator training materials note that most real-world main bearing incidents are preceded by 15 to 45 minutes of above-normal temperature that the monitoring system recorded but the watch engineer didn’t act on promptly. This observation is consistent with findings from the UK MAIB and several Nordic flag state investigation reports on main bearing failures in the 2010 to 2020 period.

The oil mist detector and the air shutoff flap together form the crankcase explosion prevention system. A crankcase explosion has a two-stage mechanism. First, oil mist in the crankcase accumulates to the explosive concentration range (the initial explosion). Second, the crankcase relief door, designed to open at a low overpressure to vent the explosion, blows open. When it re-seals, it admits fresh air to the still-hot crankcase atmosphere, and a secondary explosion occurs. The secondary explosion is almost always more violent than the first.

The safety system’s role is to prevent the initial explosion from occurring by stopping the engine before the mist reaches the explosive threshold. If the detector trips at 25% of the lower explosive limit (as some class rules require for the first alarm), the shutdown removes the fuel and the air before the mist can reach the 100% LEL ignition point.

IMO MSC-MEPC.2/Circ.10 (Guidance on crankcase explosion prevention) recommends that relief doors be fitted on engines above 200 mm bore at a rate of at least one door per crankcase bay, with each door tested at its rated opening pressure at every drydocking. The relief door test is separate from the oil mist detector test but forms part of the same crankcase protection package that the safety system’s shutdown is intended to make unnecessary.

Testing, maintenance, and survey of the safety system

Pre-departure and watch-keeping functional checks

The ship’s Safety Management System typically requires that certain safety system checks be carried out before departure, on taking over watch, and at defined intervals during passage. Pre-departure checks are vessel-specific but commonly include:

  • Confirmation that all oil mist detector sampling lines are clear and the detector is not in “inhibit” mode.
  • Verification that the bridge emergency stop button is functional (tested against a lamp or buzzer, not against the engine).
  • Confirmation that slowdown and shutdown set points in the control system match the class-approved documentation.
  • Verification that the safety system is in automatic mode and not manually bypassed.

Watch-keeping checks during passage include monitoring that the alarm and monitoring system is not showing any inhibited or bypassed channels, and that the safety system status display on the ICMS (integrated control and monitoring system) shows all inputs as valid.

Informal bypasses are a documented risk. When a sensor fails spuriously and causes repeated nuisance shutdowns, engineers sometimes inhibit the channel in the monitoring system to stop the false alarms. If the inhibit is not documented, reported, and scheduled for repair, the safety system has a hole that the class surveyor will not know about and the next watch engineer may not know about. The ISM audit process specifically looks for undocumented inhibits.

Function tests required by class rules

Class rules and IACS UR M55 require functional testing of the safety system at defined intervals. The standard schedule across major class societies is:

  • At sea trials: full functional test of every shutdown trigger and every stop location, witnessed by class surveyor. Results are recorded in the class file.
  • Annual: verification that all setpoints are within the approved values. Oil mist detector calibration check. Overspeed trip test (live run or electronic simulation, depending on class acceptance). Lube-oil pressure shutdown test by controlled pressure reduction or by signal simulation at the safety module input.
  • Special survey (5-yearly): full functional test repeated, same scope as sea trials, witnessed by class surveyor. This is the deepest test in the cycle: every trigger is deliberately activated and the response is measured and timed.

Some class societies (DNV, LR) accept simulation tests in lieu of live tests for the overspeed trip on ships where taking the engine to 115% RPM with propeller disengaged is impractical at sea. The simulation involves injecting a simulated speed signal above the trip threshold into the safety module’s independent speed input and confirming that the module issues the shutdown command. The governor’s speed signal is bypassed for this test to confirm that the safety module truly is independent. The test must verify that the actual fuel cut-off hardware responds, not just that the module issues the command.

DNV Classification Notes 41.2 specifies that the response time from shutdown signal to fuel-cut-off at the rack must be within 5 seconds for the lube-oil pressure shutdown, and within 2 seconds for the overspeed trip. These times are measured and recorded during the sea trial test and the 5-yearly special survey test.

Common failure modes and false trips

The most common causes of safety system false trips on main engines, based on documented Port State Control deficiency reports and class society annual reports, fall into several categories:

Sensor failures: a lube-oil pressure transducer fails open-circuit or drifts low, causing the safety system to read zero pressure and issue a shutdown when actual oil pressure is normal. The time-delay relay (typically 5 seconds for lube-oil pressure) exists to suppress this type of transient, but a steady low-reading sensor will defeat the delay. Modern safety modules store the last valid reading and issue a “sensor fault” alarm rather than treating an out-of-range signal as a confirmed low-pressure condition, but older systems did not have this logic.

Water in sampling lines: the oil mist detector draws crankcase atmosphere through small-bore sampling pipes. If condensation accumulates in a sampling line, the detector reads the water droplets as oil mist and triggers a false alarm. Drain cocks at the low points of sampling lines, and annual blowing-through of the lines, are the standard preventive measures. Graviner’s service bulletins have noted that failure to drain sampling lines is the single most common cause of oil mist false trips in service.

Vibration-induced transients: on a rough-sea passage, lubricating-oil surface in the sump sloshing against the oil pressure sensor boss can cause momentary pressure spikes followed by momentary dips. These dips can reach the shutdown threshold briefly, causing a spurious trip. The time-delay relay handles most of these, but very heavy rolling on a vessel with a shallow sump (some container ships) has caused documented false trips. Class societies accept a longer time delay (8 to 10 seconds) in such cases, provided the delay doesn’t compromise safety.

Relay age and contact resistance: safety relays are electromechanical devices with a design life. A relay with worn contacts may fail to make a circuit cleanly, causing intermittent signals. Regular relay replacement (typically every 5 to 7 years on vessels with high relay-use duty cycles) is specified in planned maintenance schedules, but is sometimes deferred. Port State Control has cited several vessels for safety relay age exceeding the manufacturer’s recommended replacement interval without documented justification.

Dual-fuel solenoid complexity: on LNG-diesel dual-fuel engines, the safety system must operate both the diesel fuel cut-off and the gas valve close, and must verify that both have responded. A solenoid that closes the diesel fuel but fails to close the gas valve leaves the engine running on gas. The dual-confirmation logic added to WinGD X-DF and MAN ME-GI safety systems for this reason adds a layer of complexity that increases the number of potential failure modes.
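The dual-confirmation behaviour just described, modelled in Python as an added example (not WinGD or MAN Energy Solutions code): both cut-offs are commanded, and the shutdown is reported complete only when each actuator's own position feedback confirms closure. The actuator names, travel times, poll interval and 2000 ms feedback timeout are constructed values.

```python
"""Dual-confirmation shutdown for a dual-fuel engine: the liquid-fuel
cut-off and the gas valve are both commanded, and each must be confirmed
from its own position feedback before the shutdown is reported complete.
Added model, not engine-builder code; travel times, poll interval and the
feedback timeout are constructed values."""
from dataclasses import dataclass
from typing import Optional

POLL_MS = 100
FEEDBACK_TIMEOUT_MS = 2000   # constructed: time allowed for each closed-limit switch


@dataclass
class Actuator:
    name: str
    responds: bool                 # False models a valve that ignores the close command
    travel_ms: int                 # command to closed-limit switch (constructed)
    commanded_at_ms: Optional[int] = None

    def command_close(self, t_ms):
        self.commanded_at_ms = t_ms

    def closed_feedback(self, t_ms):
        # Limit-switch feedback is independent of the command having been sent:
        # a commanded valve that did not move never reports closed.
        return (self.responds and self.commanded_at_ms is not None
                and t_ms - self.commanded_at_ms >= self.travel_ms)


def dual_fuel_shutdown(liquid, gas):
    """Command both cut-offs, then poll feedback until both confirm or time out."""
    t = 0
    liquid.command_close(t)
    gas.command_close(t)
    confirmed = {liquid.name: None, gas.name: None}
    while t <= FEEDBACK_TIMEOUT_MS:
        for act in (liquid, gas):
            if confirmed[act.name] is None and act.closed_feedback(t):
                confirmed[act.name] = t
        if all(v is not None for v in confirmed.values()):
            break
        t += POLL_MS
    alarms = [f"{n.upper()}_NOT_CONFIRMED_CLOSED" for n, v in confirmed.items() if v is None]
    # Only when both feedbacks are in may the engine be reported stopped; a gas
    # valve that failed to close leaves the engine running on gas.
    return {"complete": not alarms, "confirmed_at_ms": confirmed, "alarms": alarms}


def healthy_case():
    # Both actuators respond; gas valve is the slower of the two (constructed)
    return dual_fuel_shutdown(Actuator("liquid_fuel_cutoff", True, 300),
                              Actuator("gas_valve", True, 600))


def stuck_gas_valve_case():
    # Diesel cut-off responds, gas valve does not: shutdown must not be reported complete
    return dual_fuel_shutdown(Actuator("liquid_fuel_cutoff", True, 300),
                              Actuator("gas_valve", False, 600))


if __name__ == "__main__":
    print(healthy_case())
    print(stuck_gas_valve_case())
```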

Historical incidents and the evolution of shutdown philosophy

The 1947 Reina del Pacifico crankcase explosions

The foundational incident shaping crankcase explosion prevention rules occurred on the passenger vessel Reina del Pacifico in July 1947, while the ship was running trials off Belfast. A series of crankcase explosions in the main engine killed 28 people and injured more than 20. The investigation identified the core mechanism: oil mist accumulated to the explosive concentration in the crankcase, a hot spot ignited it, the first explosion blew out crankcase doors, and the inrush of fresh air caused the secondary explosion. The UK Ministry of Transport inquiry recommended fitted crankcase relief valves (rather than hinged doors), and the adoption of oil mist detection as a mandatory safety measure.

It took decades for mandatory oil mist detectors to enter class rules. In the interim, crankcase explosions continued to kill seafarers. The Reina del Pacifico inquiry specifically noted that no warning system existed on the vessel to detect elevated mist before the explosion point. Modern oil mist detectors, calibrated to alarm at 25 to 50% of the lower explosive limit rather than at the explosion point itself, are a direct descendant of that recommendation.

The 1990s Danish investigation reports on UMS shutdowns

Following the introduction of UMS notation and automated safety systems in the 1980s, Danish and Norwegian maritime investigations in the late 1980s and early 1990s documented a pattern: automatic shutdowns were occurring more frequently than loss-of-propulsion incidents had occurred under continuously manned engine rooms, but the shutdowns were often triggered by sensor faults rather than actual engine problems. An investigation by the Danish Maritime Authority published in 1993 found that approximately 60% of automatic shutdowns on surveyed Danish-flagged vessels over a three-year period were false trips caused by sensor failure or sampling line obstruction, not by actual mechanical conditions.

This finding drove two changes in IACS UR M55 (revised 1994 and again in 2000): the requirement for time-delay relays on pressure sensors to suppress transients, and the requirement for the monitoring system to distinguish between “signal out of range” and “parameter out of range” so that a sensor failure doesn’t automatically trigger a shutdown. The revision also introduced the standby pump auto-start requirement: by requiring the standby lube-oil pump to start on a high-alarm pressure signal before the shutdown threshold is reached, the revised UR reduced the frequency of shutdowns caused by running pump failures on UMS vessels.
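The three provisions just described, the signal-range distinction, the time-delay relay and the standby pump auto-start, combined in one lube-oil pressure channel as an added Python simulation that is not code from any class society or engine builder. The 4-20 mA span, the 2.0 bar alarm and 1.5 bar shutdown setpoints and the three pressure traces are constructed; the 5 s delay is the typical relay setting named under Common failure modes.

```python
"""Lube-oil pressure channel of a main-engine safety module as a discrete-time
simulation. Added illustration, not class-society or engine-builder code.
Constructed values: 4-20 mA transducer spanning 0-6 bar, low alarm 2.0 bar
(standby pump auto-start), shutdown 1.5 bar; 5 s is the typical delay."""
from dataclasses import dataclass, field

MA_MIN, MA_MAX = 4.0, 20.0               # nominal 4-20 mA loop
MA_FAULT_LOW, MA_FAULT_HIGH = 3.5, 20.5  # outside this band: "signal out of range"
BAR_SPAN = 6.0                           # 20 mA corresponds to 6.0 bar (constructed)
LOW_ALARM_BAR = 2.0                      # standby lube-oil pump auto-start (constructed)
SHUTDOWN_BAR = 1.5                       # shutdown setpoint (constructed)
SHUTDOWN_DELAY_S = 5.0                   # time-delay relay on the shutdown condition


def ma_to_bar(ma):
    return (ma - MA_MIN) / (MA_MAX - MA_MIN) * BAR_SPAN


def bar_to_ma(bar):
    return MA_MIN + bar / BAR_SPAN * (MA_MAX - MA_MIN)


@dataclass
class LubeOilChannel:
    last_valid_bar: float = 3.0   # healthy pressure assumed before t = 0
    low_timer_s: float = 0.0      # how long the shutdown condition has persisted
    sensor_fault: bool = False
    standby_started: bool = False
    tripped: bool = False
    events: list = field(default_factory=list)

    def step(self, t, ma, dt):
        # 1. Range check: an open-circuit (0 mA) or over-range loop is a *signal*
        #    out of range, not a *parameter* out of range. Hold the last valid
        #    reading, raise a sensor-fault alarm once, and do not count toward shutdown.
        if not MA_FAULT_LOW <= ma <= MA_FAULT_HIGH:
            if not self.sensor_fault:
                self.sensor_fault = True
                self.events.append((t, "SENSOR_FAULT_ALARM"))
            self.low_timer_s = 0.0
            return
        self.sensor_fault = False
        bar = ma_to_bar(ma)
        self.last_valid_bar = bar
        # 2. Standby pump auto-start on the low alarm, before the shutdown setpoint
        if bar < LOW_ALARM_BAR and not self.standby_started:
            self.standby_started = True
            self.events.append((t, "LOW_ALARM_STANDBY_PUMP_START"))
        # 3. Shutdown only when the low condition persists for the full delay
        if bar < SHUTDOWN_BAR:
            self.low_timer_s += dt
            if self.low_timer_s >= SHUTDOWN_DELAY_S and not self.tripped:
                self.tripped = True
                self.events.append((t, "SHUTDOWN"))
        else:
            self.low_timer_s = 0.0


def run(trace, dt=0.5):
    """Feed a list of 4-20 mA samples (one per dt seconds) through the channel."""
    ch = LubeOilChannel()
    t = 0.0
    for ma in trace:
        ch.step(t, ma, dt)
        t += dt
    return ch


def pressure_trace(segments, dt=0.5):
    """Build a mA trace from (duration_s, bar) segments; bar=None means open circuit."""
    out = []
    for dur, bar in segments:
        ma = 0.0 if bar is None else bar_to_ma(bar)
        out += [ma] * int(round(dur / dt))
    return out


# Constructed scenarios matching the failure modes discussed above
TRANSIENT_DIP = pressure_trace([(5, 3.0), (2, 1.2), (5, 3.0)])   # 2 s rolling-induced dip
OPEN_CIRCUIT = pressure_trace([(5, 3.0), (10, None), (5, 3.0)])  # transducer fails open
REAL_LOSS = pressure_trace([(5, 3.0), (2, 1.8), (8, 1.2)])       # running pump fails
```

Only the sustained loss trips: the 2 s dip starts the standby pump but never reaches the 5 s delay, and the open-circuit transducer produces a sensor-fault alarm with no shutdown.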

The 2007 MV Finnbirch fire and the air shutoff lessons

The ro-ro cargo vessel Finnbirch experienced an engine room fire in November 2007 that caused serious structural damage. The Swedish Accident Investigation Authority (SHK) investigation found that the turbocharger on the main engine continued to draw air into the engine room after fire suppression had begun, sustaining the fire. The investigation’s recommendations included a review of air shutoff procedures and whether the turbocharger air supply should be treated as part of the fire suppression sequence rather than as a separate safety circuit.

The Finnbirch investigation accelerated interest in class rules that tie the air shutoff flap to the engine room fixed fire-detection system. At the time of the incident, air shutoff on the investigated vessel required a separate manual action from the engine stop. Several class societies subsequently tightened their rules to require that when the CO2 flooding system is activated for an engine room space, the air shutoff flap receives an automatic close signal simultaneously. MAN Energy Solutions and WinGD updated their project guides for post-2010 deliveries to include wiring provisions for this automatic connection.

The ISM era: override abuse and MAIB findings

The UK Marine Accident Investigation Branch (MAIB) and the Norwegian Accident Investigation Board (AIBN) have both documented accidents in the 2010 to 2020 decade where the bridge override was used in circumstances beyond its intended scope. In several cases, the override was activated to suppress a genuine alarm (not a sensor fault) while the voyage continued, with the underlying mechanical condition worsening. The MAIB’s 2016 investigation report on propulsion loss incidents identified that on vessels where the override was activated more than twice per voyage on average, the rate of serious mechanical damage was significantly higher than on vessels where overrides were rare.

This body of evidence shaped the requirement in revised IACS UR M67 (2019) that override activations be logged by the safety system with timestamps, and that the log be accessible to class surveyors during port surveys. The intent is to identify vessels where the override is used as a routine workaround rather than as an emergency measure. A vessel showing dozens of override activations per month is a vessel where the underlying sensor or mechanical condition has not been addressed, and the safety system is effectively disabled by habit.

The MAIB findings also reinforced the distinction between shutdowns that may be overridden (high temperature conditions, pressure conditions where the standby has started and the immediate danger has passed) and shutdowns that may never be overridden (overspeed, crankcase explosion risk). The 2019 UR M67 clarified this distinction more explicitly than the 2005 edition, removing ambiguity that several flag states had exploited to allow overspeed trip inhibit in some circumstances.
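One way to read the override log that UR M67 (2019) requires, as an added example that is not code from any class society or vessel: it flags overrides logged against non-overridable triggers, an average above the MAIB figure of two activations per voyage, and any trigger overridden repeatedly. The log line format, voyage identifiers, trigger names and the recurring-trigger limit of three are constructed.

```python
"""Review of a main-engine safety-system override log. IACS UR M67 (2019)
requires override activations to be logged with timestamps; this added example
shows how a surveyor or superintendent might read such a log. The line format,
voyage identifiers and trigger names are constructed for illustration and are
not taken from any vessel, class society or engine builder."""
import re
from collections import Counter
from datetime import datetime

# Conditions the text states may never be overridden from the bridge
NON_OVERRIDABLE = {"OVERSPEED", "OIL_MIST_HIGH"}
# MAIB finding quoted above: >2 activations per voyage on average correlated with damage
AVG_PER_VOYAGE_LIMIT = 2.0
RECURRING_LIMIT = 3   # constructed: same trigger overridden this often => unresolved fault

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<voyage>VOY-\d+) OVERRIDE_ACTIVATED trigger=(?P<trigger>[A-Z_]+)$"
)

# Constructed sample log: three voyages, seven activations
SAMPLE_LOG = """
2019-03-04T10:15:22Z VOY-017 OVERRIDE_ACTIVATED trigger=HT_JACKET_WATER_TEMP
2019-03-05T02:41:07Z VOY-017 OVERRIDE_ACTIVATED trigger=HT_JACKET_WATER_TEMP
2019-03-06T18:03:55Z VOY-017 OVERRIDE_ACTIVATED trigger=LO_PRESS_LOW_STANDBY_RUNNING
2019-03-07T09:12:40Z VOY-017 OVERRIDE_ACTIVATED trigger=HT_JACKET_WATER_TEMP
2019-03-14T23:58:01Z VOY-018 OVERRIDE_ACTIVATED trigger=SCAV_AIR_TEMP_HIGH
2019-03-22T04:20:33Z VOY-019 OVERRIDE_ACTIVATED trigger=OIL_MIST_HIGH
2019-03-23T11:45:12Z VOY-019 OVERRIDE_ACTIVATED trigger=HT_JACKET_WATER_TEMP
"""


def parse_log(text):
    """Return a list of (timestamp, voyage, trigger); reject lines that do not match."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable override log line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m["voyage"], m["trigger"]))
    return records


def review(records, voyages_in_period):
    """voyages_in_period counts all voyages in the period, including those with no overrides."""
    findings = []
    # 1. An override recorded against a non-overridable trigger means the safety
    #    system itself is not arranged as UR M67 requires, not merely misuse by the OOW.
    for ts, voy, trig in records:
        if trig in NON_OVERRIDABLE:
            findings.append(f"LOGIC_FAULT {ts.isoformat()} {voy}: override logged for {trig}")
    # 2. Routine use: average activations per voyage over the review period
    avg = len(records) / voyages_in_period if voyages_in_period else 0.0
    if avg > AVG_PER_VOYAGE_LIMIT:
        findings.append(f"ROUTINE_USE {avg:.2f} overrides/voyage over {voyages_in_period} voyages")
    # 3. The same trigger overridden repeatedly: the underlying condition was not fixed
    for trig, n in Counter(t for _, _, t in records).items():
        if n >= RECURRING_LIMIT:
            findings.append(f"RECURRING_TRIGGER {trig} overridden {n} times")
    return findings


def per_voyage_counts(records):
    return Counter(voy for _, voy, _ in records)


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG), voyages_in_period=3):
        print(finding)
```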

SOLAS and IACS requirements

SOLAS Chapter II-1

SOLAS Chapter II-1, Part E (Additional requirements for periodically unattended machinery spaces) contains the principal requirements for automatic shutdown systems on ships with unmanned machinery spaces (UMS). Regulation 54 (Safety systems) requires that a safety system independent from the control system be fitted, capable of shutting down the machinery and initiating an alarm when one of the parameters monitored reaches a dangerous level.

The specific parameters that SOLAS requires to be covered by automatic shutdown or slowdown are detailed in the Resolutions adopted under the chapter, including IMO Resolution A.830(19) (Code on Alarms and Indicators) and MSC.99(73). SOLAS doesn’t specify exact setpoints (those are left to class rules), but it does require that the system be adequate to prevent damage to unmonitored machinery.

For vessels not classed as UMS but still subject to SOLAS, Chapter II-1 Regulation 49 requires that propulsion machinery be capable of being stopped from the navigating bridge, and that there be an alarm on the bridge when the machinery space requires attention. This covers the bridge emergency stop requirement even on vessels with continuous engine-room manning.

IACS Unified Requirements M55 and M67

IACS Unified Requirement M55 (Unmanned Machinery Spaces) sets the collective class-society position on what automation and safety features a ship must have to earn UMS notation. Among the requirements relevant to emergency stop circuits:

  • The safety system must be independent from the alarm and monitoring system such that a fault in monitoring does not prevent a safety shutdown.
  • All required automatic shutdowns must be tested and documented before the UMS notation is granted.
  • The bridge must receive alarm notification of any safety action within 20 seconds.
  • Standby pumps and fire-detection systems must auto-start on the appropriate alarms.

IACS Unified Requirement M67 (Engine Safety Systems, revised 2019) is the specific document covering what a main engine safety system must contain. Key provisions:

  • The safety system must be designed with the principle that a single failure does not suppress a required safety action.
  • The overspeed protective device must be independent from the speed governor. On electronic governor systems, independence means a separate processor or hardware module that monitors speed independently.
  • The shutdown and slowdown setpoints must be documented in the engine’s class-approved documentation.
  • The means of activating shutdown must be hardwired (not network-dependent) for at least the bridge stop, ECR stop, and local stop.
  • The system must be designed to fail safe: loss of power or sensor signal must not prevent a required safety action (typically, loss of lube-oil pressure sensor signal defaults to alarm, with the shutdown protecting against sustained low pressure).

Class societies implement these UR requirements through their own rule chapters. DNV’s Classification Notes 41.2, LR’s Rules for the Classification of Ships Part 5, and ABS’s Rules for Building and Classing Marine Vessels Part 4 each elaborate the UR requirements into specific circuit architectures, required redundancies, and testing protocols.

Class notation requirements in practice

For a ship earning DNV AUT-UMS notation (or the equivalent at other societies), the safety system survey at delivery involves:

  • Review of design documentation showing independence of safety and control systems.
  • Functional testing of every automatic shutdown trigger, including deliberately lowering lube-oil pressure, simulating high oil mist readings, and the overspeed test.
  • Verification that the bridge stop, ECR stop, and local stops all produce the required response within the stated time.
  • Verification that the bridge receives alarms for all initiated safety actions.
  • Documentation of all setpoints in the approved safety system documentation.

These tests are witnessed by the class surveyor and results are recorded. Deficiencies found during the test must be corrected before the notation is granted.

Stopping means for different engine types

The fuel-cut and air-shutoff mechanisms described above apply specifically to slow-speed two-stroke crosshead diesels, which are the predominant main engine type on ocean-going cargo ships. The same principles apply to other diesel engine types, with differences in implementation:

  • Medium-speed four-stroke diesels (gensets, some cargo ship main engines): the fuel rack mechanism is similar, but the oil mist detector is mounted differently because the crankcase geometry differs from a crosshead engine. The overspeed trip is typically a separate mechanical or electronic device on the governor drive shaft.
  • Dual-fuel engines (LNG, methanol, ammonia capable): the safety system must handle both gas and liquid fuel. Shutdown includes closing the gas valve upstream of the engine in addition to cutting liquid fuel, preventing gas accumulation in the scavenge spaces. WinGD X-DF and MAN ME-GI engines have gas valve shutdown integrated into the safety system.
  • Electronic fuel injection engines (MAN ME-C, WinGD RT-flex/X-series): the absence of a mechanical camshaft-driven fuel pump changes the stop mechanism. Fuel injection is stopped by de-energizing the fuel injection solenoids (ME-C) or closing the rail supply valve (RT-flex), rather than mechanically moving a rack. The safety system must address the possibility that a solenoid fails energized (open), which a mechanical fuel pump cannot do. Engine builders address this through redundant solenoid supply circuits and watchdog logic.

The crosshead diesel engine architecture overview covers the mechanical differences between these engine families in more detail.

Restart after an emergency shutdown

An automatic shutdown leaves the engine stopped with the alarm active and the trigger condition recorded. Restart is not immediate and requires a documented sequence:

  1. Identify and confirm the trigger: read the alarm history to determine which parameter caused the shutdown. Cross-check against physical inspection where possible (for lube-oil pressure: was there an actual oil pressure drop, or did a sensor fail?).
  2. Investigate the cause: a lube-oil pressure shutdown requires inspection of the oil pump, filters, and pressure-relief valve before restart. An oil mist shutdown requires inspection of the crankcase through the inspection covers (after the mandatory cooling period to prevent fresh air igniting residual vapour).
  3. Reset the safety system: the alarm and shutdown state must be manually reset. This is intentional: automatic resets would allow repeated shutdown-restart cycles that could mask a recurring fault.
  4. Confirm readiness for start: pre-start checks including turning gear engagement, indicator cocks opened, and the normal slow-turn cranking sequence.
  5. Restart: normal start sequence. The engine control system’s start interlock logic prevents starting if any safety interlock condition is still present.

For an overspeed trip, the restart procedure includes confirming that the governor is in the correct state and that the cause of the overspeed (governor fault, load shedding, or other) has been resolved. Running the engine without confirming that the overspeed cause has been addressed risks a repeated trip.

The Chief Engineer’s Log records all emergency shutdowns, the identified cause, the remedial action, and the restart time. These records are reviewed at port-state control inspections and class surveys.

UMS operation and the safety system

On a ship with UMS notation, the engine room may be left unattended during sea passage. The safety system takes on additional responsibility because there may be no engineer physically present to respond within seconds. IACS UR M55 requires, for UMS operation:

  • All automatic shutdowns required to protect the machinery must be present and functional.
  • The bridge must receive an alarm within 20 seconds of any safety system activation.
  • A call system must ensure an engineer can be summoned to the engine room within a defined response time (typically ten minutes, varying by flag state).
  • Standby equipment (lubricating-oil pumps, cooling water pumps) must start automatically on failure of the running unit before shutdown occurs, reducing the frequency of shutdowns caused by auxiliary equipment failure.

The last point is important. Most UMS slowdowns and shutdowns on real ships are triggered not by catastrophic failures but by auxiliary equipment failures: a lubricating-oil pump trips, pressure drops, and the safety system responds before the standby pump auto-starts. By requiring the standby pump to start on low pressure before the shutdown threshold is reached, UR M55 reduces the shutdown frequency while maintaining safety.

On a UMS ship, the bridge officer on watch has the bridge override at hand and may use it (within the limits described above) to maintain propulsion while summoning the duty engineer. The SMS must define the circumstances under which the OOW may activate the override and the maximum time before an engineer must arrive in the engine room.

Limitations of this article

This article describes the typical architecture and regulatory requirements for main engine safety systems on ocean-going cargo ships with slow-speed two-stroke diesel propulsion. Several limitations apply:

  • Set points are ship-specific and class-specific. The trigger values in the table above are representative of MAN ME-C and WinGD X-series defaults but are not universal. The actual set points for any specific vessel are found in the class-approved safety system documentation on that vessel.
  • Dual-fuel and alternative-fuel engines introduce additional complexity. LNG, methanol, and ammonia-fuelled engines have gas-side safety requirements (gas valve isolation, ventilation interlocks, hazardous-area certification of sensors) that go beyond what is described here.
  • The regulatory baseline evolves. SOLAS Chapter II-1 and the IACS URs are amended periodically. The 2019 edition of M67 introduced revised requirements for electronic engine safety systems; further revisions are possible as autonomous ship regulations develop.
  • National and flag-state rules add layers. SOLAS sets minimum requirements. Individual flag states may impose additional requirements through their national maritime administration rules. Ships with US or EU flag state approval may face additional requirements.
  • Passenger ship requirements are stricter. SOLAS Chapter II-1 imposes additional requirements on passenger ships, including redundant propulsion and enhanced fire control station stop capabilities, that are not fully described here.
  • This article does not cover propulsion system safety beyond the main engine itself. Shaft seals, propeller shaft bearings, gearboxes (on medium-speed installations), and controllable-pitch propeller hydraulics each have their own safety systems that interact with, but are separate from, the main engine safety system.

For calculations related to engine deceleration, crash-stop distance, and emergency response timing, see the calculator catalogue.

Frequently asked questions

What is the difference between a shutdown and a slowdown on a marine main engine?
A shutdown stops the engine immediately by cutting fuel to zero. It applies to conditions that would destroy the engine within seconds or minutes, such as overspeed, critically low lubricating-oil pressure, or crankcase oil mist above the explosive threshold. A slowdown reduces engine load automatically to a preset safe level rather than stopping it entirely. It applies to less critical conditions such as high piston-cooling-oil outlet temperature, high jacket-water temperature deviation, or high exhaust-gas temperature deviation from the average, where continued slow-speed operation while the crew investigates is safer than a sudden stop.
Which engine shutdown conditions cannot be overridden from the bridge?
The overspeed trip is the one condition that cannot be overridden from the bridge or from any other station. IACS UR M67 requires an independent overspeed protective device that cannot be inhibited from the bridge override system. Overspeed protection is hardwired to cut fuel and cannot be defeated by the bridge because a runaway engine at 120 percent rated speed destroys itself within seconds, and no navigational urgency justifies that risk.
How does a marine engine stop in a crankcase lube-oil vapour runaway?
When an oil mist detector trips and the engine is identified as running on lube-oil vapour rather than diesel fuel, the standard fuel cut-off alone may not stop the engine because the vapour in the crankcase is sustaining combustion. Air-shutoff flap valves mounted on the turbocharger inlet or scavenge-air inlet close to starve the engine of air, which breaks the vapour-combustion cycle and stops the engine. The fuel rack is cut to zero simultaneously.
Where are emergency stop buttons located on a ship?
SOLAS Chapter II-1 Regulation 49 and class rules require emergency stop capability at a minimum from: the navigating bridge, the engine control room, local positions at or near the engine itself, and the fire control station on passenger ships. Large slow-speed two-stroke main engines typically have local push buttons at each operating platform level along the engine side and at both ends of the engine.
What does IACS UR M67 require for the main engine safety system?
IACS Unified Requirement M67 (Engine Safety Systems) requires that the safety system be independent from the control system such that a failure in the control system does not prevent a safety shutdown. The overspeed device must be independent from the main governor. Slowdown and shutdown set points must be documented and verified at sea trials. The system must be designed so a single failure does not suppress a required safety action.
How often must the overspeed trip be tested on a marine main engine?
Class rules typically require the overspeed trip to be tested at least annually in service and at every main engine sea trial. MAN Energy Solutions and WinGD service letters specify the test procedure: fuel is gradually increased with the propeller disconnected or at light-running conditions until the trip fires, then the actual trip speed is recorded and compared against the set point. Alternatively, an electronic simulation test is accepted by some class societies in lieu of a live overspeed run when doing a live test is unsafe.