NTSB Investigation: A bug in the system manufacturer’s software causes the loss of the primary control system

0

The NTSB released the accident report of the passenger ferry Commodore on the East River near Bushwick Inlet off Brooklyn, New York, when the ship lost primary steering and speed control to its two harbor hull waterjets and then ran aground.

The incident

AAfter 4 days of idling at the pier according to the normal schedule, the Commodore should be operational on June 5, 2021. Around 1533, the Commodore disembarked the Sandy Hook Ferry Landing in Sandy Hook, New Jersey, with 107 passengers and 7 crew members, en route to the East 35th Street NYC Ferry Terminal along the East River in Midtown Manhattan.

The crew of the Commodore consisted of a captain, a mate, an engineer and four seamen. This was the ship’s second transit to the East 35th Street terminal and the sixth overall arrival/departure terminal for the crew that day.

The captain undocked the ship from the Sandy Hook Ferry Landing from the port wing control station. Shortly after leaving port, the captain handed control over to the main control station, which operated in manual mode.

The transit was uneventful and the ship passed under the Brooklyn Bridge around 1603. A few minutes later at 1607:09, the ship was proceeding full ahead, northbound in the East River about 1.3 miles from the East 35th Street Terminal, the jet alert panel activated and provided audible and visual (flashing) indications that a “Control Error” had occurred in both the Port Jet Outer 1 and Port Jet Inner 2 waterjet systems.

At the same time, the main display screen A became blank. The speed of the ship recorded by the automatic identification system (AIS) at this time was 37.9 knots with a heading of 015°.

The ship’s closed-circuit television (CCTV) on the bridge caught the captain and helmsman, who were seated at the main control station, as they jumped up from their chairs and looked at the main control console to assess the situation.

Video surveillance showed that neither the captain nor the helmsman silenced the control failure alarms on the jet alarm panel immediately after they were activated or throughout the event.

Twelve seconds later, at 16:07:21, the captain pulled both thrust levers back to the zero (neutral) position and attempted to slow the ship. The starboard waterjets slowed from 1,750 rpm to 970 rpm, but the port waterjets stayed full ahead at 1,750 rpm and the ship immediately began turning to starboard.

According to the AIS, the Commodore’s speed was reduced to about 16.9 knots on a heading of 076°. The captain tapped the main B touchscreen and noticed that two red triangles were flashing over the port water jet symbols. He pressed one of the two red triangles and attempted to “reconnect the waterjet controls” to regain control, but he quickly discovered that the system was unavailable because the waterjet reconnect icon was “not flashing green.”

Seconds later, at 16:07:45, the captain grabbed the thrust levers again and set them to full reverse. The starboard fuselage jets responded to the command inputs by lowering their reverse vanes and increasing the starboard engine RPM to about 1,400 to provide full reverse thrust.

The port waterjets and engines were unresponsive to command inputs and remained full ahead with buckets raised. The ship proceeded in a starboard turn. Seconds later, the mate announced over the ship’s intercom for the passengers to “take your seats” and “please remain seated.”

The captain told investigators that he then placed the throttles and steering controls in the “port.” [auto] Mode.” At 1608:08, both starboard engines dropped from 1,400 rpm to 750 rpm after the master pulled the joystick aft and attempted to reverse the direction of thrust of all water jets to stop the ship’s forward motion A’s main screen was still blank.

About 10 seconds later, the captain left the main control station and ran to the port wing station. At 160840, the master handed control over to the port wing station via the port wing touchscreen display and tapped one of the red triangles to try reconnecting the water jet controls again.

However, the captain told investigators that the system would not reconnect. The captain placed both thrust levers in the full aft position and pushed the tiller handle hard to port. He told investigators that he thought he received the same non-response he received at the main control station.

Still banking to starboard, the Commodore approached the entrance to Bushwick Inlet on the Brooklyn side of the East River, where the riverfront was dominated by levees and facilities.

At 160855, the mate again announced over the intercom, “Please remain seated”. The ship entered the mouth of Bushwick Inlet and at 1608:58 the port hull first struck the old pilings, rock fill and bottom of the inlet in the northern part of the inlet at 8.8 knots.

The starboard hull then touched old, submerged piles and rock fill along the southern shoreline as the ship passed over. The port engines continued at 1,750 rpm and the starboard engines at 750 rpm as the ship continued to move along the southern shoreline of the bay and slowed.

At 1609:03, the master exited the port wing station and returned to the center console to transfer control of the main screen B back to the main control station. He tried several times unsuccessfully to reconnect the port water jets.

Credit: USCG

analysis

#1 Operator Actions:

Based on investigators’ review of CCTV footage, the captain focused on reconnecting the harbor water jet controls. He told investigators he believed Main Screen A temporarily lost communications and would reconnect and restore steering and propulsion controls.

Neither the captain nor the helmsman looked at or silenced (via the jet alarm panel) the rudder failure alarms for the two port waterjet systems on the jet alarm panel to the left of the captain’s chair.

When the captain pulled back on the throttles and joystick, the ship did not respond as expected and began to turn, and he could not determine why he lost control in the short time before the ship entered Bushwick Inlet and then ran aground could not regain.

Had the master or helmsman recognized the control failure alarms and understood that they indicated loss of primary control for the port engines and waterjets, they would have realized that attempting to reconnect the primary control system would not work.

According to Seastreak’s SMS, in the event of a power failure in the main control system, the ship could be operated by the backup system. The SMS also included instructions on how to steer the ship manually, slowing down and accelerating using the hydraulic control valves.

The captain would have had to transfer control from the primary controls to the backup controls and maneuver the ship using hydraulic control valves.

However, the captain attempted to regain control by attempting to reconnect the primary control system at both the main control station and the port station.

He pulled back on the throttle, put the car in reverse, and then tried to gain control by shifting into another operating mode. With only the jets and engines on the starboard hull responding, the captain’s actions initiated and maintained a starboard tack and reduced the ship’s speed.

#2 Training and Supervision: After the accident, the control system manufacturer concluded that the system bridge displays showed active failures several days before the accident, indicated by a red bar in the upper part of the screen.

Seastreak’s SMS required operators to verify as part of ship launch that no system warnings or alarms were displayed on the control system display panels. However, the Commodore crew conducted several transits on the day of the accident and there was no indication that they had identified or reported the active faults.

Had the active faults been identified and reported to the company, the company would have had an opportunity to take action. They may have been trying to troubleshoot, or they may have taken the ship out of service.

You could also have contacted the manufacturer who may have fixed the SD card issue before it caused the control system to fail. Effective SMS would have ensured staff could identify critical system alarms and know how to address them.

The captain had means of controlling the ship after losing primary control of the port hull engines and waterjets, but he did not take the specific actions necessary to gain control.

Crews should train and conduct emergency drills to respond appropriately if failure of the primary control system occurs and use the backup system to maneuver the ship.

Ship owners and operators should continually evaluate ship-specific processes and procedures and improve training programs to ensure effectiveness of crew drills and best practices.

Credit: USCG

probable cause

The National Transportation Safety Board notes that the likely cause of the passenger ferry Commodore’s grounding was the loss of the primary control system for the catamaran’s harbor water jets and propulsion motors due to a bug in the system manufacturer’s software that caused a memory card failure.

Contributing to the accident were the company’s lack of clear safety management system procedures for primary control system failure and ineffective oversight of crew training on failure modes upon loss of propulsion and steering control, resulting in the captain failing to identify the nature of the loss of control and either activating the Reserve control or emergency engine shutdown to stop the vessel.

Lessons learned

#1 Workout for Loss of Drive and Steering: The loss of propulsion and steering control when navigating channels or when maneuvering near immediate hazards (ground, traffic, objects) when reaction time is critical requires crew members to act quickly to mitigate potential casualties.

Safety management systems should identify potential failure modes and specific responses.

Effective company training on loss of propulsion and steering control builds crew confidence and skills and improves a crew’s ability to respond during an actual emergency.

Training should include requirements for hands-on demonstration of loss of control procedures and use of emergency backup systems. Ship owners and operators should continually evaluate training programs to ensure the effectiveness of the exercises and make changes to improve safety management system procedures.

DISCOVER MORE IN ntsb’s ACCIDENT REPORT

Share.

Comments are closed.