Confidential Human Factors
Incident Reporting Programme
The Charity
Aviation
Maritime
M2692
Initial Report
A very large superyacht experienced a partial loss of power while performing an arrival manoeuvre into a confined harbour. Several critical systems went offline: navigation displays rebooted, engine room monitoring screens went dark, and the vessel briefly lost situational awareness.
Emergency power was restored to a limited extent, but the disruption caused confusion and delayed the manoeuvre.
Investigation by technical crews traced the failure to a remote software update on a galley refrigeration unit. The update had been initiated by the shore-side supplier without notifying the yacht. During the update, an unexpected electrical load spike triggered the power management system to shed systems in a sequence the crew did not fully understand.
CHIRP Comment
This incident highlights the risks associated with remote software updates being carried out on vessels without prior notification to the crew. In this case, a very large superyacht lost power during a manoeuvre after a software upgrade to a non-essential system (galley refrigeration). Through its connection to the integrated power management system, the update indirectly affected essential navigation and monitoring systems, causing critical equipment to go offline at a high-risk moment during manoeuvring in port.
Updating machinery controls or power-connected systems while a vessel is underway and entering harbour poses an unacceptable risk. Systems of this nature should be isolated using breakers or equivalent safeguards to ensure that non-critical equipment cannot trigger cascading failures affecting essential services.
The incident also raises cybersecurity concerns. Although the event appears to have been accidental, similar outcomes could result from a malicious cyberattack. Remote access to onboard systems, particularly non-essential ones, introduces potential vulnerabilities if cyber-defences and network monitoring are not robust. Crews should be aware of these risks and ensure appropriate protective measures are in place.
The crew’s response further illustrates the challenges of managing unanticipated system failures. While partial emergency power was restored, the order in which systems were shed was not fully understood, highlighting the need for improved familiarisation and training on how the power management system responds to abnormal electrical loads and unexpected system behaviour.
This event also points to a wider concern regarding the management of change. Software updates and system modifications should be treated as formal changes, with clear procedures in place, including risk assessment, crew notification, and operational restrictions where necessary.
CHIRP is also concerned that downsizing of crews and the transfer of technical control and decision-making ashore can have unintended consequences. Removing responsibility from those onboard may reduce situational awareness and the crew’s ability to anticipate or manage developing risks in real time.
Suppliers should communicate all software updates in advance, allowing vessels to assess potential operational impacts and decide when it is safe to proceed. Operators should also review the integration of non-critical systems with essential systems to prevent single-point or cascading failures. Strengthening cyber-defences and monitoring networked access points, even for apparently minor systems, will help reduce the risk of both accidental disruption and deliberate attack.
Key Issues relating to this report
Situational Awareness – was immediately affected when critical systems went offline, leaving the crew temporarily unaware of the vessel’s position and status. The sudden loss of displays and monitoring screens created confusion and increased cognitive load, impacting decision-making during a critical manoeuvre.
Complacency – Over-reliance on automation may have played a role.
Capability – The crew did not fully understand the sequence in which systems would be shed during an unexpected electrical load, highlighting the need for drills or procedures that address unusual scenarios beyond standard failures. The crew trusted that all systems would operate without affecting critical systems. This reliance left them unprepared for cascading system failures triggered by an unexpected load spike.
Communication – The shore-side supplier had initiated a software update without notifying the yacht. The lack of prior communication limited the crew’s ability to plan and maintain control.
Pressure – Increased sharply during the incident. Emergency power was partially restored, but the crew had to manage multiple simultaneous issues under time pressure, with an incomplete understanding of the power management system’s behaviour. This stress could impair judgement and slow the effective response.
Key Takeaways
Even small updates can have big consequences at sea.
For Regulators – This incident highlights the importance of establishing and enforcing clear communication protocols between equipment suppliers and vessels. Unannounced software updates, even to non-essential systems, can inadvertently affect critical ship systems. Regulators should ensure that guidance and standards require advance notice and risk assessment before any remote updates are applied.
For Managers – Managers are reminded to review how non-essential systems integrate with vital ship operations. Understanding these interdependencies and enforcing strict procedures for system changes, maintenance, and software updates are essential to prevent cascading failures. Oversight and verification of supplier actions can reduce the risk of unintended disruptions.
For Crew – The event underlines the need for crews to maintain situational awareness at all times and to be familiar with the vessel’s power management behaviour. Training should include unusual or cascading system failures, and crews should remain vigilant during periods of high workload or complex manoeuvres. Quick, informed action depends on understanding both the technology and the human factors at play.