I am a naval architect/marine engineer (University of Michigan - 1969). However, I only worked four years in design and construction before deciding to go to sea, obtain my engineering license, and work as a shipboard engineer. My original intent was to sail for several years, at least long enough to earn my chief engineer's license, then return to design and construction, thinking that I would be a much better naval architect/marine engineer if I actually sailed on ships. However, I enjoyed sailing so much that I never really returned to shoreside duty. I spent most of my 30-year career with a major oil company in their US-flag tanker fleet, with 20 years of that time as chief engineer. However, I also worked shoreside for the company on numerous special projects. Along the way, between shipboard assignments, I attended the University of California and earned a master's degree in electrical engineering, specifically in the area of microprocessor design, because programmable logic controllers (PLC's) were just beginning to make their appearance in the field of alarm and control systems, and I thought it would be worthwhile to know how they worked.
I am particularly interested in shipboard machinery control and alarm systems. I sailed on ships with no automation (the T2 oil tankers from World War II), some with partial automation (the GE Central Operating System), and some with triple modular redundant (TMR) advanced-technology control systems. On all of them, the engine room watch standing routine or the control and alarm systems were designed with the idea that human beings (a "competent person", as we say today) would respond to machinery alarms by going to the location of the problem/alarm. Somehow, that quaint notion has been discarded. Today, there is no regulatory body rule that even requires attendance/presence at the source of an alarm - the rules only require that an alarm be "acknowledged", and that can be at any remote terminal with an "acknowledge" feature. I, and several other seagoing engineers who have witnessed this evolution of requirements for acknowledged alarms, believe this is detrimental to good seamanship, and could lead to a real marine disaster.
I was not aware of how much the requirements for alarm acknowledgment had changed until I was working on two new, but different, ships several years ago, both built to the ABS Rules. Neither ship requires acknowledgment of an alarm by attendance in the machinery space where an alarm occurred - someone just has to push an "Acknowledge" button on a PC somewhere, and that's the end of it – no other action is required. On the ships I worked on (also ABS classed), there were specific "acknowledge" buttons mounted in each machinery space, and any alarm originating in that space had to be acknowledged there, not at a remote terminal. If the acknowledge button was not pushed within 15 minutes, a separate alarm would sound throughout the accommodation area, pilot house, and control room (these "cow bells", as we called them, could wake the dead, they were that annoying). The only way to silence this alarm was to push the acknowledge button in the machinery space where the alarm originated. This system ensured that an engineer acknowledged each machinery alarm at its source, and also ensured that if something happened to the engineer on his/her way to acknowledge the alarm, then the rest of the crew would be alerted after 15 minutes had expired.
As an example, I cite the sinking of the Estonia ferry in the Baltic Sea in 1994. Although the competence of the crew and the owners/operators’ negligence towards the seaworthiness of the vessel contributed to the disaster, I believe the sinking (with the loss of 852 lives) could have been prevented if the correct position of the limit switches on the loading/unloading doors were “permissives” to start the propulsion system, rather than merely red/green indicating lights on a panel near the doors. If one or more of the switches was open due to an unsecured door, then the propulsion system start would have been inhibited until the switch was closed. This would have required a competent person (probably a deck or engine officer) to check the limit switches and confirm that the doors were closed before the ship's propulsion system would have been operational. The permissives can always be over-ridden by the Master or other senior officers, but such actions can be recorded, and (hopefully) serve as a final warning to the crew that the ship may not be seaworthy. Simpler features than this were designed into the propulsion controls on the ships I served on, and since the position of the doors is so critical to a ferry's seaworthiness, it would not be difficult to integrate them into a “start permissive” for the propulsion system.