34-SAMSS-623 Programmable Controller Based ESD Systems

  • 8/13/2019 34-SAMSS-623 Programmable Controller Based ESD Systems

    1/31

    Materials System Specification 34-SAMSS-623 20 March 2006

    Programmable Controller Based ESD Systems

    Instrumentation Standards Committee Members

    Awami, Luay Hussain, Chairman

    Tuin, Rienk, Vice Chairman

    Bogusz, Zbigniew Jozef

    Dakhil, Tareq Khalil

    Dhafeeri, Farhan Taieh

    Ell, Steven Tal

    Fadley, Gary Lowell

    Qaffas, Saleh Abdal Wahab

    Trembley, Robert James

    Falkenberg, Anton Raymond

    Jumah, Yousif Ahmed

    Khalifa, Ali Hussain

    Madhi, Fawaz Abdullah

    Mahmood, Balal

    Qarni, Mahdi Ali

    Saudi Aramco DeskTop Standards

    Table of Contents

    1 Scope ............................................................ 2
    2 Conflicts and Deviations ................................ 2
    3 References .................................................... 2
    4 Definitions ..................................................... 4
    5 General ......................................................... 6
    6 General Design Requirements ...................... 8
    7 Acceptable ESD System Architectures ....... 10
    8 ESD Hardware Configuration ...................... 11
    9 ESD Panel Construction .............................. 21
    10 ESD System Safety Availability (PFDavg) .. 23
    11 Fault-Tolerant Considerations ..................... 24
    12 Reliability ..................................................... 24
    13 Noise and Fault Protection .......................... 25
    14 Programming and Configuration ................. 25
    15 On-Line Diagnostics .................................... 27
    16 Documentation ............................................ 28
    17 Quality Control ............................................. 29
    18 ESD System Inspection and Testing ........... 30

    Previous Issue: 29 December 2004    Next Planned Update: 20 March 2011    Page 1 of 31

    Primary contact: Qaffas, Saleh A on 966-3-874-6410

    Copyright Saudi Aramco 2005. All rights reserved.


    Document Responsibility: Instrumentation 34-SAMSS-623

    Issue Date: 20 March 2006

    Next Planned Update: 20 March 2011 Programmable Controller Based ESD Systems

    1 Scope

    1.1 This specification defines the minimum mandatory requirements for fail-safe, fault-tolerant, programmable controller based Emergency Shutdown (ESD) systems.

    1.2 This specification is applicable for any redundant programmable controller based ESD system, i.e., dual-modular-redundant (DMR) 1-out-of-2D, triple-modular-redundant (TMR), 2-out-of-3 systems.

    1.3 This specification together with a project ESD system Functional Specification Document (FSD), specification sheet(s) ISS 8020-623-ENG pg. 1 and 2, and associated logic diagrams prescribes the minimum mandatory design, fabrication and testing requirements for the project.

    1.4 Where a project Functional Specification Document (FSD) calls for more than one ESD system, this specification shall apply to each ESD system individually.

    2 Conflicts and Deviations

    2.1 Any conflicts between this specification and other applicable Saudi Aramco Materials Systems Specifications (SAMSSs), Engineering Standards (SAESs), Standard Drawings (SASDs), or industry standards, codes, and forms shall be resolved in writing by the Company or Buyer Representative through the Manager, Process & Control Systems Department, Engineering Services of Saudi Aramco, Dhahran.

    2.2 Direct all requests to deviate from this specification in writing to the Company or Buyer Representative, who shall follow internal company procedure SAEP-302 and forward such requests to the Manager, Process & Control Systems Department, Engineering Services of Saudi Aramco, Dhahran.

    3 References

    Material or equipment supplied to this specification shall comply with the latest edition of the following references as of the date of the Purchase Order, unless stated otherwise.

    3.1 Saudi Aramco References

    Saudi Aramco Engineering Procedure

    SAEP-302 Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco Engineering Requirement


    Saudi Aramco Materials System Specifications

    34-SAMSS-820 Instrument Control Cabinets - Indoor

    34-SAMSS-821 Instrument Control Cabinets - Outdoor

    Saudi Aramco Forms and Data Sheets

    Form 8020-623-ENG Instrument Specification Sheet (ISS) for Programmable Controller Based ESD System, Sheets 1 and 2

    Form 175-344400 Inspection & Testing Requirements

    3.2 Industry Codes and Standards

    American National Standards Institute/National Fire Protection Association

    ANSI/NFPA 70 National Electric Code (NEC)

    American National Standards Institute/Institute of Electrical & Electronics Engineers

    ANSI/IEEE 802.3 Supplement to ISO/IEC 8802-3, Local and Metropolitan Area Networks Section 13 & 14

    Canadian Standards

    CSA C22.2 No. 0 CSA General Requirements (Electrical)

    Electronic Industries Association

    EIA/RS-232 Interface Between Data Terminal Equipment and Data Communication Equipment Employing Serial Binary Data Interchange

    EIA/RS-422 Electrical Characteristics of Balanced Voltage Digital Interface Circuits

    EIA/RS-485 Electrical Characteristics of Generators and Receivers for Use in Balanced Digital Multipoint Systems

    The Instrumentation, Systems, and Automation Society (ISA)

    ANSI/ISA-84.00.01-2004 Application of Safety Instrumented Systems for the Process Industries

    ISA TR84.00.02 Safety Instrumented Functions (SIF) Safety Integrity Level (SIL) Evaluation Techniques


    International Electro-technical Commission (IEC)

    IEC 61131 Part 3: Programmable Controllers - Programming Languages

    IEC 61000-6-2 Generic standards - Immunity for Industrial Environments

    IEC 61000-4-3 Testing and measurement techniques - Radiated, Radio Frequency, Electromagnetic Field Immunity Tests

    IEC-61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

    IEC-61511 Functional Safety - Safety Instrumented Systems for the Process Industry Sector

    International Organization for Standardization

    ISO 9001 Quality Systems - Model for Quality Assurance in Design/Development, Production, Installation and Servicing

    Other Industry References

    Bellcore TR-332 Reliability Prediction Procedure for Electronic Equipment - Telcordia Technologies

    4 Definitions

    Availability (Safety): The fraction of time that a safety system is able to perform its designated safety service when the process is operating. It is calculated as in equation (1). Note that the average Probability of Failure on Demand (PFDavg) equals 1 minus the Safety Availability:

    $A = \frac{MTTF}{MTBF} = \frac{MTTF}{MTTF + MTTR}$    (1)

    Diagnostic Coverage Factor: The ratio of detectable faults to the total number of faults or failures which might occur in ESD components, modules, external wiring, internal wiring, cables, interconnections, and logic elements.

    Dual Modular Redundant (1oo2D Configuration): An ESD system which uses two separate processors each with its own separate I/O modules, bus structure, chassis, software and power supplies, to vote input signals in a 1oo2 arrangement. Sensor signals are separated into two isolated paths to two separate input modules where


    signals are conditioned and communicated by separate busses to separate processors. A valid input signal on either leg of the system will initiate the desired logic response via two separate, fail-safe, output modules.

    Failure: An error in ESD system hardware, firmware or software whereby a module is not capable of performing its specified function. Modules may fail safely, in which case the process is brought to the safe state, or dangerously, in which case the system is unable to bring the process to the safe state.

    Fail-Safe: An ESD system is fail-safe if the failure of a component, signal, or utility initiates action that returns the system to a safe state.

    Fault-Tolerance: The built-in capability of the system to provide continued correct execution of ESD commands and functions in the presence of a limited number of hardware and software errors/faults. Fault-tolerance includes the ability to detect and log transient or steady-state error conditions via diagnostic circuits or comparative logic, and take appropriate corrective action, while remaining on-line and performing its specified safety function.

    Field Proven: A system shall be considered to be field proven when it has been installed, commissioned, and operational in a customer facility for a period of six months or longer (excluding beta test periods) after receiving TUV certification for the programmable controller's hardware, firmware, and software.

    MTTF: "Mean Time To Failure" is the expected time to failure of a system in a population of identical systems.

    MTBF: "Mean Time Between Failure" is a statistical value equal to the mean or average time expected between failures of a given device which is used in the determination of system reliability. MTBF figures can be "predicted" or "observed". Observed MTBF for a given component is calculated using actual failure rate data collected for the population of the component while in service. Predicted MTBF is a figure which is calculated based on failure rate models of individual sub-components of the component. Two methods widely accepted for calculation of predicted MTBF are MIL-HDBK-217 and Bellcore TR-332. It is derived in its simplest form as:

    MTBF = MTTF + MTTR (2)

    MTTR: "Mean Time To Repair" is the statistical average of time taken to identify and repair a fault (including diagnosis), in a population of identical systems.

    PFDavg: The average probability of a system failing to respond to a demand in a specified time interval is referred to as PFDavg. PFD = 1 - Safety Availability.


    Reliability: The probability that when operating under stated environmental conditions, the system will perform continuously, as specified, over a specific time interval.

    Scan Time: ESD system scan time is the composite of input modules scan, program execution and all output modules state transition time.

    Triple Modular Redundant ESD (TMR, 2oo3 Configuration): TMR configured ESD systems employ 3 processors running in parallel with triplicated I/O, bus structure, chassis, and software. Each processor executes its individual application program simultaneously and independently; verifying data, executing logic instructions, control calculations, clock and voter/synchronization signals and performing comprehensive system diagnostics and discrepancy monitoring. Process outputs are sent via triplicated paths to output modules where they are voted (2oo3) to ensure logic and output integrity.

    5 General

    5.1 Use of Standard Products

    5.1.1 The system shall be composed of manufacturer's standard hardware, systems software, and firmware that can be configured to meet the stated requirements.

    5.1.2 A vendor's standard system operating software shall not be modified to meet any of Saudi Aramco's requirements.

    5.1.3 Application software shall be designed in a manner that requires no modification to the system operating software.

    5.2 Revision Level

    All ESD system hardware, firmware and software shall be the latest "field proven" revision level at the time of the hardware freeze date as defined in the contract purchase order or the Preliminary Design Review (PDR), whichever is later.

    5.3 System Support

    5.3.1 ESD vendor shall guarantee support of all hardware, firmware, and software associated with the controller and I/O subsystems and any proprietary communications equipment for a period of ten (10) years from the hardware freeze date. Support shall include spare parts and technical support. This support shall not be contingent on the customer upgrading to later releases of software or hardware.


    5.3.2 Withdrawal of product support for ESD vendor manufactured products shall be notified in writing to Saudi Aramco twelve months in advance.

    5.3.3 ESD vendor shall provide factory trained technical support services locally (In Kingdom).

    5.4 Engineering Units

    Unless otherwise specified all dimensions and measurements shall be in the "International System of Units" (SI), and may be followed by the equivalent value in conventional units between brackets.

    5.5 Environmental Conditions

    5.5.1 Indoor Installations

    All ESD Equipment installed in air-conditioned buildings shall be designed for:

    a) Ambient temperature range: 10°C to 35°C (1)

    b) Ambient relative humidity: 20% to 80%.

    Note:

    1) For equipment which dissipates internal heat, an additional 15°C shall be added to the above maximum temperatures. For example, for an "indoor air conditioned" installation, the equipment must perform at 35 + 15 = 50°C. The designer can substantiate a temperature rise of less than 15°C by providing the supporting data and heat calculations.

    5.5.2 Outdoor Installations

    All ESD equipment specified for outdoor installation shall be designed to operate continuously at the environmental conditions specified by 34-SAMSS-821.

    5.6 Electrical Requirements and Certifications

    5.6.1 Unless otherwise specified, ESD equipment shall be powered from separate Saudi Aramco supplied Uninterruptible Power Supply (UPS) branch feeders at 120 VAC (tolerance of 110 to 126 VAC), 60 Hz (±2%), which are over-current protected.

    5.6.2 Unless otherwise specified, ESD system components shall be installed within a general purpose, non-classified electrical area per ANSI/NFPA 70, National Electrical Code (NEC), Article 505.


    5.6.3 ESD systems operating in outdoor cabinets shall be certified for use in Class I, Zone 2 hazardous areas.

    5.6.4 ESD system components shall be listed, labeled, and conform to UL, FM, or CSA standards or guidelines.

    5.6.5 Unless otherwise specified, field power supplies that are used to power field I/O shall use nominal 24 VDC (tolerance of 21 to 28.2 VDC).

    5.6.6 The Vendor's manufactured ESD equipment comprised of modules, operating system (kernel) software and firmware shall be certified to meet SIL 3 requirements of International Electro-technical Commission (IEC) IEC-61508 by Factory Mutual or TUV Product Services, Rheinland or Bayern.

    5.7 Electromagnetic Compatibility

    5.7.1 ESD equipment designated as 'indoors' shall carry CE Mark for compliance with European EMC Directive 89/336/EEC or shall comply with immunity levels stated in IEC 61000-6-2.

    5.7.2 Alternatively, the vendor shall provide testing results to confirm that the equipment will operate without disturbance when energized and subjected to an electromagnetic field from a radiating source equivalent to a level 3 disturbance as detailed in IEC 61000-4-3. In particular, RF sources such as hand-held radio transceivers operating at 5 Watts within the frequency ranges 50-174 MHz, 406-470 MHz, and 800-870 MHz and held at a distance of 1.0 meters from the equipment with cabinet doors open shall not cause any malfunction, data corruption, or damage to the equipment.

    6 General Design Requirements

    The ESD system shall incorporate a redundant architecture which is fault tolerant and fail-safe.

    6.1 Fault Tolerance

    The ESD system shall be fault tolerant as per the definition in section 4.

    6.2 Fail-Safe Operation

    ESD systems shall fail to the safe state position upon loss of the ESD signal or electric power supplies. The safe state shall be the de-energized mode unless otherwise specified in the ISS, logic drawings or Purchase Order.


    6.3 Input Bypass Switches

    6.3.1 The ESD system shall incorporate an input bypass switch for each field sensor, except where sensors are used in 2oo2 or 2oo3 voting schemes. The input bypass switch is required to perform on-line testing or maintenance.

    Commentary Note:

    Input bypasses are only required for input signals wired to the ESD system and used for shutdown logic.

    6.3.2 Input bypass switch implementation shall be software configured. Input bypass switches shall not bypass nor disable the 'trip' signal from an ESD input which drives associated annunciator logic, a CRT's alarm display, event logger or data archiving devices either directly or via an alias point address. Input bypass switches shall have restricted access by way of a common key-lock and/or password protection scheme.

    6.3.3 Actuation of input bypass switches shall enable a feedback signal that is communicated via data highway which confirms the bypass switch action to an operator's Human Machine Interface (HMI) or event logger.

    6.4 Input Point Replication

    6.4.1 If discrete ESD input signals must be replicated for annunciators, local panel or data logger, prior to being input to an ESD input module, individual rail-mounted optical isolators shall be installed within ESD cabinets and powered from the ESD system. Opto-isolator wiring and circuitry shall be passive and shall under no circumstances compromise ESD signal integrity.

    6.4.2 Relays shall be used for replication of ESD system inputs when solid-state isolation devices are incapable of meeting signal isolation specifications. Electric relays shall be dust-tight when installed indoors and hermetically-sealed if installed outdoors.

    6.5 Output Point Isolation

    6.5.1 ESD output points that directly interface with motor control circuits shall be individually isolated (non-commoned) from other outputs. ESD outputs shall be rated for, and capable of switching, the maximum load and in-rush current of the designated final device (e.g., motor control relay circuitry).


    Non-isolated outputs may be used provided that output loads or devices permit common power supply source and returns 'common grounding'.

    6.5.2 Output isolation relays shall not be used for the multiplication or replication of ESD system outputs, unless they are absolutely essential for:

    a) Isolating different input or output signals voltages/currents.

    b) Preventing the mixing of circuit voltages/currents which are out of phase, or involve separate grounding systems.

    c) Interrupting large loads or substantial inrush currents such as motor control circuits.

    6.5.3 If absolutely required, isolation relays shall be rail or card mounted and configured in such a manner as to meet the requirements of paragraph 6 (General Design Requirements) and 34-SAMSS-820 (wiring segregation), with loop back circuitry and logic (to ESD inputs via, e.g., simplex inputs) to verify the health and functionality of the isolation relays or the intended state of the final control element/field device. Electric relays shall be dust-tight when installed indoors and hermetically-sealed if installed outdoors.

    Commentary Note:

    For example, if isolation/interposing relays are used to communicate ESD output commands to motor control circuits, the state of the final device (the motor) can be verified by looping back an auxiliary contact from the motor controller into a simplex ESD input, thereby enabling the input status to be compared against the desired output command.

    6.6 Output Point Verification

    The intended state of the final control element/field device shall be verified against the ESD command, so as to alarm the operator when the final device does not reach the intended ESD state within an acceptable time. Final device verification may be achieved using soft logic within the DCS or a soft link between the DCS and a sub-system (i.e., machine monitoring system, power monitoring system, etc.) only if this signal is not an ESD initiating signal within the ESD logic.
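The following is an added illustration, not part of 34-SAMSS-623 or any vendor's product, of two requirements above in one scan-level model: the bypass of 6.3.2/6.3.3 masks an input in the shutdown logic only, leaves the annunciator path and event log untouched, and is itself logged; the output point verification of 6.6 compares the looped-back state of the final device with the ESD command and alarms when the device is late. The tag names, the 5 s "acceptable time" and the scenario data are assumptions constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TRAVEL_TIME_LIMIT_S = 5.0  # assumed "acceptable time" for the final device to reach its ESD state


@dataclass
class EsdInput:
    tag: str
    healthy: bool            # True = contact closed (normally energized, healthy process)
    bypassed: bool = False   # software-configured maintenance bypass (6.3.2)


@dataclass
class EsdLoop:
    inputs: List[EsdInput]
    output_energized: bool = True          # de-energize-to-trip output (6.2)
    trip_time_s: Optional[float] = None    # scan time at which the output was de-energized
    verify_alarm: bool = False             # latched 6.6 discrepancy alarm
    events: List[Tuple[float, str]] = field(default_factory=list)

    def set_bypass(self, tag: str, on: bool, now_s: float) -> None:
        """Apply a bypass and log the confirming feedback event (6.3.3)."""
        for i in self.inputs:
            if i.tag == tag:
                i.bypassed = on
                self.events.append((now_s, f"BYPASS {tag} {'ON' if on else 'OFF'}"))

    def scan(self, now_s: float, feedback_energized: bool) -> dict:
        """One logic scan; feedback_energized is the looped-back state of the final device."""
        # Annunciator / event-logger path (6.3.2): raw trip state, never masked by a bypass.
        annunciated = [i.tag for i in self.inputs if not i.healthy]
        # Shutdown logic: an open (tripped) input demands a trip unless it is bypassed.
        demand = any(not i.healthy and not i.bypassed for i in self.inputs)
        if demand and self.output_energized:
            self.output_energized = False
            self.trip_time_s = now_s
            self.events.append((now_s, "TRIP output de-energized"))
        # Output point verification (6.6): the final device must follow the command in time.
        if (not self.output_energized and feedback_energized
                and now_s - self.trip_time_s > TRAVEL_TIME_LIMIT_S and not self.verify_alarm):
            self.verify_alarm = True
            self.events.append((now_s, "ALARM final device did not reach ESD state"))
        return {"annunciated": annunciated, "demand": demand,
                "output_energized": self.output_energized,
                "verify_alarm": self.verify_alarm}


def demo() -> List[dict]:
    """Constructed scenario: LT-102 is bypassed for maintenance and then opens (alarm only);
    PT-101 then opens (real demand) and the final device is slow to reach the trip state."""
    loop = EsdLoop([EsdInput("PT-101", True), EsdInput("LT-102", True)])
    loop.set_bypass("LT-102", True, now_s=0.0)
    loop.inputs[1].healthy = False                       # LT-102 opens while bypassed
    r1 = loop.scan(1.0, feedback_energized=True)
    loop.inputs[0].healthy = False                       # PT-101 opens: genuine demand
    r2 = loop.scan(2.0, feedback_energized=True)
    r3 = loop.scan(4.0, feedback_energized=True)         # still within the travel time
    r4 = loop.scan(8.0, feedback_energized=True)         # overdue: discrepancy alarm latches
    return [r1, r2, r3, r4]


if __name__ == "__main__":
    for r in demo():
        print(r)
```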

    7 Acceptable ESD System Architectures

    ESD systems shall be configured using redundant architecture, i.e., Dual Modular Redundant (DMR), 1-out-of-2D, Triple Modular Redundant (TMR), 2-out-of-3 (2oo3) voting architecture.


    7.1 CPU Self-Test and System Diagnostic Routines: Separate watchdog circuitry and/or diagnostic algorithms shall run in background mode, each scan cycle, to monitor the health of all system components, including system software and external/internal communications.

    7.1.1 Internal logic within each CPU shall execute automatic self-test, diagnostic routines, I/O change-of-status/loop-back verification and data table fault detection to determine the health of each module or subassembly within the ESD system. Comprehensive diagnostic coverage (>99%) and fault detection shall be performed using comparative or deterministic voting and fault detection circuits in both firmware and software. These circuits shall automatically identify, alarm, isolate and contain both safe and dangerous faults within system components without compromising ESD system performance.

    7.1.2 If any processor fails to agree with its other parallel or triplicated counterpart(s), the failed processor shall be automatically diagnosed and alarmed as having failed in either a safe or dangerous manner.

    7.1.3 System processor degradation for DMR-ESD (1oo2D) systems shall be 2-1-0 and for TMR-ESD (2oo3) systems shall be 3-2-0 unless otherwise allowed by the TUV report and/or the system safety manual stating the restrictions considered for safe operation.
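As an added example (not from the specification, a TUV report or any vendor), the two accepted architectures and the degradation rules of 7.1.3 can be modelled at scan level: each leg contributes its computed output and its own diagnostic verdict, a leg that disagrees with the vote is alarmed as failed safe or dangerous (7.1.2), and diagnosed legs are dropped from the vote until the 2-1-0 or 3-2-0 floor forces a fail-safe trip. The vote used in the degraded state (1oo2 in the safe direction) is an assumption made for the demo; the real rule is set by the system's TUV report and safety manual. Output convention follows 6.2: True = energized (run), False = de-energized (safe).

```python
from dataclasses import dataclass
from typing import List, Tuple

RUN, TRIP = True, False   # 6.2: the de-energized state is the safe state


@dataclass
class Leg:
    tag: str
    output: bool              # this processor's computed output for the scan
    diag_fault: bool = False  # flagged by its own self-test / diagnostics (7.1.1)


def diagnose_disagreement(legs: List[Leg], voted: bool) -> List[str]:
    """7.1.2: a leg that disagrees with the voted result is alarmed as failed safe
    (it would trip spuriously) or dangerous (it would fail to trip on demand)."""
    alarms = []
    for leg in legs:
        if not leg.diag_fault and leg.output != voted:
            kind = "safe" if leg.output == TRIP else "dangerous"
            alarms.append(f"{leg.tag}: disagrees with vote, failed {kind}")
    return alarms


def vote_2oo3(legs: List[Leg]) -> Tuple[bool, str, List[str]]:
    """TMR with 3-2-0 degradation. Returns (output, mode, alarms)."""
    good = [leg for leg in legs if not leg.diag_fault]
    if len(good) == 3:
        out = sum(leg.output == RUN for leg in good) >= 2      # majority vote
        return out, "3: 2oo3", diagnose_disagreement(good, out)
    if len(good) == 2:
        # Assumption for the demo: the surviving pair votes 1oo2 in the safe direction.
        out = all(leg.output == RUN for leg in good)
        return out, "2: 1oo2 (degraded)", diagnose_disagreement(good, out)
    return TRIP, "0: shutdown", ["fewer than two healthy processors: fail-safe trip"]


def vote_1oo2d(legs: List[Leg]) -> Tuple[bool, str, List[str]]:
    """DMR 1oo2D with 2-1-0 degradation; the 'D' means a diagnosed leg leaves the vote."""
    good = [leg for leg in legs if not leg.diag_fault]
    if len(good) == 2:
        out = all(leg.output == RUN for leg in good)          # either leg can trip
        return out, "2: 1oo2", diagnose_disagreement(good, out)
    if len(good) == 1:
        return good[0].output, "1: 1oo1 (degraded)", []
    return TRIP, "0: shutdown", ["no healthy processor: fail-safe trip"]


if __name__ == "__main__":
    # Constructed sample scans, not measured data.
    print(vote_2oo3([Leg("A", RUN), Leg("B", TRIP), Leg("C", RUN)]))
    print(vote_2oo3([Leg("A", RUN, diag_fault=True), Leg("B", TRIP), Leg("C", RUN)]))
    print(vote_1oo2d([Leg("A", RUN, diag_fault=True), Leg("B", RUN, diag_fault=True)]))
```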

    8 ESD Hardware Configuration

    The ESD chassis or modular assembly shall be of rigid, metal construction. ESD assemblies, module densities and cabinet configurations shall be based solely on convection ventilation requirements (See Paragraph 9). ESD chassis or modular configurations shall be capable of accepting all components necessary to configure a DMR or TMR architecture, e.g., multiple processors (CPUs), I/O modules, communications interfaces, power supplies, bus assemblies, external termination panels, etc. The chassis back-plane shall be capable of handling the electrical current requirements of all applicable module configurations. ESD hardware and system configuration shall be designed to minimize common mode or common cause failure mechanisms.

    8.1 CPU/Processor Memory, Execution, Synchronization and Scan Time

    a) The Central Processing Units shall contain the program memory, either in nonvolatile EPROM, Flash memory or battery backed RAM, with a minimum 6 month battery backup for RAM based memory. Batteries shall be capable of being replaced without degrading ESD system functionality.

    b) In addition to normal application programs, 50% spare 'application logic


    switch shall allow optional operating modes, including PROGRAM, REMOTE, RUN or other equivalent functions.

    8.2.5 CPU, I/O and Communication Module Status Indicators

    Each system module CPU shall continuously monitor its own status and indicate either normal operation or error conditions via LED status indicators or equal on each module. Fault conditions shall be annunciated remotely at the operators' Workstation and be archived. Status indication at either the module or Workstation shall be provided for the following conditions or their equivalents:

    a) MAIN PROCESSOR STATUS (Pass/Fault/Active)

    b) COMMUNICATION MODULE STATUS (Pass/Fault/Active)

    c) CHASSIS POWER SUPPLY (Pass, Fault)

    d) RAM BATTERY STATUS

    e) I/O MODULE STATUS (Fault/Active)

    f) I/O CHANNEL FORCE (On)

    g) FIELD POWER SUPPLY (Pass, Fault)

    8.3 Time Synchronization

    Time synchronization between ESD and DCS systems shall be within 100 milliseconds and performed once daily as a minimum.

    Commentary:

    The recommended method of time synchronization is to synchronize both the DCS and ESD to a GPS clock / NTP Server over a network using SNTP. (SNTP = Simple Network Time Protocol, NTP = Network Time Protocol, GPS = Global Positioning System)

    8.4 Input/Output Modules

    8.4.1 The input section of the ESD system shall be designed to receive input signals from analog field devices or process activated switch contacts that are closed (i.e., normally energized) during healthy process conditions (and will open when process variables exceed predetermined limits). Outputs are designed to be normally energized (when healthy) and de-energize upon the loss of appropriate input signals.

    Commentary Note:

    Certain ESD outputs, e.g., 1500 HP or larger motor switch-gear trip coils


    may be preconfigured as energize to trip rather than de-energize to trip. The Vendor must exercise caution when designing a fail-safe ESD interlock for these motor control circuits to ensure that respective output circuits are properly monitored.

    8.4.2 All ESD input and output points shall be individually fused, or employ current limiting circuitry, e.g., in the case of module 'self powered' I/O. Fuses shall be located on an external termination panel, fused terminal strip, or in a location readily accessible for maintenance. If fused terminal strips are used they shall either be hinged, quick-disconnect, cap, or an equivalent type of terminal, with a blown fuse indicator (e.g., LED - light emitting diode). Removal of I/O modules shall not be necessary to accomplish fuse replacement.

    Commentary Note:

    Requirements for individual input fusing or installation of knife-switch terminals do not apply to direct-connected RTD or thermocouple inputs. Fuse application, location, and ampacity ratings must be properly sized and coordinated, taking into account the maximum expected load at the maximum ambient temperature of the ESD system (i.e., 50°C).

    8.4.3 I/O module types, quantities, and respective signal levels shall be as indicated on ISS sheets or the purchase order.

    8.4.4 I/O modules shall be solidly constructed and shall be capable of being inserted into or removed from their chassis or mounting rail assemblies online and shall not require movement of system cables or wiring, either external or internal. Field I/O wiring shall be connected to remote or extension termination panels via integral screw or compression type terminals.

    8.4.5 The I/O section shall be designed such that all I/O modules are oriented vertically within the I/O chassis. I/O modules shall be capable of being arranged in any location within a chassis, irrespective of their voltage levels.

    8.4.6 Proper chassis and component arrangement and spacing shall be used to minimize the potential for cabinet overheating. Cabinet heat generation/ventilation calculations shall assume that I/O housings have the maximum number of I/O modules inserted with all I/O modules carrying their maximum connected load (load specifications to be supplied by Saudi Aramco). The heat calculation shall only consider provision for installed spares and future expansion capability.

    8.4.7 All discrete I/O modules or their associated termination modules shall include local status indicators to monitor the status of each input and


    output and any communication and I/O faults. Spare I/O points, whichare pre-configured within the ESD system shall be shorted or terminated

    according to manufacturer's recommendations to avoid nuisance faults or

    diagnostic alarms.

    8.4.8 All inputs and all outputs shall incorporate internal diagnostic features which permit them to be automatically tested on-line. Faults which are detected in I/O modules shall be capable of being logged and annunciated. Provision shall be made to detect, alarm, disable and back up I/O circuits that fail "on" (short circuit), thereby preventing a situation where the ESD system can fail in a dangerous manner, being unable to initiate a shutdown upon demand.

    Commentary Note:

    It may be necessary to mask certain diagnostics for supervised output circuits which are used for both ESD and normal equipment start/stop functions, or that are opened as part of an output circuit test. For example, solid-state ESD outputs which are directly wired into motor controller stop/start circuits as run permissives, and which supervise the voltage/current in the control circuit, will require logic which masks these diagnostics to avoid functionality conflicts between ESD and normal stop/start logic. This is also true for solenoid valve circuits which are momentarily opened in order to verify proper failure mode response.

    8.5 Remote I/Os and Communications Cables

    8.5.1 ESD system remote I/O modules, if so specified on the ISS, shall be capable of being remotely located from their CPUs. Actual cable length/distance requirements will be specified in the ISS. Remote I/O modules shall have either two or three separate and independent communication links, communications interface modules, and drivers as required by the specific ESD system architecture.

    8.5.2 Communications links/cables shall comply with the Vendor's recommended cabling, using physically lockable, stress-relieving cable connectors. The ESD system Vendor shall confirm in writing that the selected communication cable(s) meet communications driver specifications. Communication cable electrical interfaces shall incorporate ground isolation circuitry as per the requirements of paragraph 8.6.1.a to avoid ground loops between equipment referenced to different ground nodes.

    8.5.3 Communications driver software/firmware shall continuously monitor and check the status of communication links and associated I/O. Status indication shall be provided on the faceplate of each associated module. Loss of any single link or driver shall be logged by the system and annunciated externally, but shall not disable either local or remote I/O processing functions.

    8.6 Communication

    8.6.1 ESD External Communications

    External bi-directional communication of ESD input/output status to an external computer (DCS) shall be accomplished as follows:

    a) Via a dedicated, electrically isolated communications interface, operating continuously, with physically and functionally redundant communications ports and paths.

    Commentary Note:

    Port and path redundancy is not required for application program configuration, testing or simulation via a workstation, or for a read-only type interface with external computers.

    b) Communication interfaces shall be off-the-shelf, using existing, industry standard media and communications protocols such as OPC, Modbus or Ethernet as identified on the ISS.

    c) Error checking schemes such as Cyclic Redundancy Check (CRC), Longitudinal Redundancy Check (LRC) or checksums shall be used, in conjunction with bit parity checks, fail-safe transmission time-out, message fault words, and loss-of-communication-path alarms.

    d) Write-protected, by key-lock or password security techniques, or a combination of both, such that the ESD operating system, ESD application program and memory contents are protected from unauthorized alteration.

    e) Source password or key-lock protection, in conjunction with a separate confirmation acknowledge step, is required to accept bypass commands.
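    The error-detection schemes listed in item c), worked in code. This is an added example, not code from 34-SAMSS-623 or from any ESD vendor; the Modbus request frame and the injected bit error are constructed for the demonstration.

```python
"""Error detection for Modbus serial frames: CRC-16 (RTU) and LRC (ASCII).

Added example for 8.6.1 c); not code from 34-SAMSS-623 or any vendor.
The request frame in the demo is constructed.
"""


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: polynomial 0x8005 bit-reflected to 0xA001, init 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def lrc_modbus(data: bytes) -> int:
    """Modbus ASCII LRC: two's complement of the byte sum, modulo 256."""
    return (-sum(data)) & 0xFF


def append_rtu_crc(pdu: bytes) -> bytes:
    """Append the CRC low byte first, the order Modbus RTU puts on the wire."""
    crc = crc16_modbus(pdu)
    return pdu + bytes([crc & 0xFF, crc >> 8])


def check_rtu_frame(frame: bytes) -> bool:
    """True when the trailing two CRC bytes match the rest of the frame."""
    if len(frame) < 4:
        return False
    received = frame[-2] | (frame[-1] << 8)
    return crc16_modbus(frame[:-2]) == received


def encode_ascii_frame(pdu: bytes) -> str:
    """Modbus ASCII framing: ':' + hex(pdu) + hex(LRC) + CR LF."""
    return ":" + (pdu + bytes([lrc_modbus(pdu)])).hex().upper() + "\r\n"


def check_ascii_frame(frame: str) -> bool:
    """Validate framing characters, hex encoding and the LRC."""
    if not (frame.startswith(":") and frame.endswith("\r\n")):
        return False
    try:
        raw = bytes.fromhex(frame[1:-2])
    except ValueError:
        return False
    return len(raw) >= 2 and lrc_modbus(raw[:-1]) == raw[-1]


def corrupt_bit(frame: bytes, bit: int) -> bytes:
    """Flip one bit to simulate a line error (constructed fault)."""
    out = bytearray(frame)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


if __name__ == "__main__":
    # Constructed request: unit 1, function 3, start register 0, 10 registers.
    pdu = bytes([0x01, 0x03, 0x00, 0x00, 0x00, 0x0A])
    frame = append_rtu_crc(pdu)
    print("RTU frame :", frame.hex(" "), "valid:", check_rtu_frame(frame))
    print("1-bit err :", check_rtu_frame(corrupt_bit(frame, 13)))
    ascii_frame = encode_ascii_frame(pdu)
    print("ASCII     :", ascii_frame.strip(), "valid:", check_ascii_frame(ascii_frame))
```

    crc16_modbus is the reflected CRC-16 (polynomial 0x8005, initial value 0xFFFF) that Modbus RTU transmits low byte first; lrc_modbus is the two's-complement byte sum used by Modbus ASCII. Both catch the single-bit error injected in the demo, which is what item c) is for. Neither is a cryptographic check: anyone able to alter bytes on the link can recompute the CRC or LRC, so they give none of the protection against unauthorized alteration that items d) and e) call for; that has to come from the write protection and the separate confirmation step, not from the framing.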

    8.6.2 Communications Interface

    8.6.2.1 The controller shall, as a minimum, support multiple EIA/RS-232, EIA/RS-422, EIA/RS-485, or ANSI/IEEE 802.3 ports for communicating with external devices such as a DCS, host computer, local area network gateway, program development station, or printer. Acceptable data communications protocols include Modbus/RTU, TCP/IP, and OPC - Object linking and

    8.6.3.4 Redundant communication cables or media shall be routed along separate (alternate) routes.

    8.6.3.5 Time-out of signals between peers or loss of communication shall initiate a communications failure/discrepancy alarm to notify the operator that manual intervention, maintenance or remedial action is required, but shall not cause the slave or remote ESD systems to trip their respective facilities.

    Exception:

    ESD systems installed in unmanned facilities shall trip their respective facilities upon the total loss of communication signals with the master peer.
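    Supervision logic that meets 8.5.3 (loss of a single link is logged and annunciated but does not stop I/O processing) and 8.6.3.5 with its exception (alarm on time-out; trip only on total loss of the master link at an unmanned site), as an added example. It is not code from 34-SAMSS-623 or any vendor's firmware; the link names A and B, the 3-second time-out, the scan timeline and the unmanned flag are assumptions made for the demonstration.

```python
"""Redundant peer-to-peer link supervision for an ESD node (8.5.3, 8.6.3.5).

Added example; not code from 34-SAMSS-623 or any vendor. Link names,
time-out and the message timeline below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LinkSupervisor:
    links: tuple              # assumed link names, e.g. ("A", "B") or ("A", "B", "C")
    timeout_s: float          # fail-safe transmission time-out per link
    unmanned: bool            # manning status of the facility (assumed from the ISS)
    last_rx: dict = field(default_factory=dict)
    alarms: set = field(default_factory=set)
    events: list = field(default_factory=list)
    total_loss: bool = False
    trip: bool = False        # latched; cleared only by a manual reset

    def __post_init__(self):
        for link in self.links:       # all links assumed healthy at t = 0
            self.last_rx[link] = 0.0

    def receive(self, link, now):
        """A valid (already CRC-checked) peer message arrived on `link`."""
        self.last_rx[link] = now
        if link in self.alarms:
            self.alarms.discard(link)
            self.events.append((now, "LINK_RESTORED", link))

    def evaluate(self, now):
        """Called once per scan; returns what the application logic sees."""
        for link in self.links:
            if now - self.last_rx[link] > self.timeout_s and link not in self.alarms:
                self.alarms.add(link)                     # 8.5.3: log and annunciate
                self.events.append((now, "COMMS_FAIL", link))
        all_lost = len(self.alarms) == len(self.links)
        if all_lost and not self.total_loss:
            self.total_loss = True
            self.events.append((now, "TOTAL_LOSS", "all"))
            if self.unmanned:                             # 8.6.3.5 Exception
                self.trip = True
                self.events.append((now, "TRIP", "comms"))
        elif not all_lost:
            self.total_loss = False
        return {
            "comms_alarm": bool(self.alarms),   # discrepancy alarm to the operator
            "io_processing": True,              # never disabled by link loss (8.5.3)
            "trip": self.trip,                  # manned site: stays False
        }


def run_scenario(unmanned):
    """Constructed timeline: link A goes quiet after t=2 s, link B after t=6 s."""
    sup = LinkSupervisor(links=("A", "B"), timeout_s=3.0, unmanned=unmanned)
    traffic = {1: ("A", "B"), 2: ("A", "B"), 3: ("B",), 4: ("B",), 5: ("B",), 6: ("B",)}
    out = {}
    for t in range(1, 12):
        for link in traffic.get(t, ()):
            sup.receive(link, float(t))
        out = sup.evaluate(float(t))
    return {"outputs": out, "alarms": sorted(sup.alarms), "events": sup.events}


if __name__ == "__main__":
    for unmanned in (False, True):
        result = run_scenario(unmanned)
        print("unmanned" if unmanned else "manned", result["outputs"])
        for event in result["events"]:
            print("   ", event)
```

    Each link has its own time-out, so losing A raises the discrepancy alarm while B keeps the node fully in service; only when every link has timed out does the supervisor declare total loss, and only an unmanned node turns that into a trip. The trip is latched because the exception is a safety action, not an alarm that may clear itself when a message happens to arrive. Time is passed in explicitly so the same logic can be exercised scan by scan in a test rig.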

    8.6.3.6 The ESD systems shall be designed and configured in accordance with ESD vendor guidelines and specifications, to ensure proper system and application program design for interfaces between the various systems.

    8.6.3.7 Signs shall be provided on all ESD cabinet doors with a warning that the system utilizes peer-to-peer communication with other ESD systems and that the central/master ESD system shall not be interrupted unless system maintenance is required on all systems. The sign shall clearly identify the location and name of the other peer-to-peer ESD nodes and devices.

    8.7 Power Supplies

    8.7.1 Distribution of branch circuits shall be designed such that the loss of a single incoming power feeder will not compromise the integrity of the ESD system nor cause it to fail. Failure of a single power feeder shall be alarmed to the operator. Branch feeders distributing power from the 120 VAC ESD bus shall incorporate over-current protection for connected loads (rated at 125% of maximum possible connected loads). Tandem type (dual) circuit breakers contained in a single molded case breaker are not acceptable.

    8.7.2 A transient power interruption of one-half cycle shall not have an effect on the ESD equipment or system performance. The Vendor shall incorporate all necessary filters, surge suppressors, or similar circuitry required to protect ESD equipment from voltage spikes and/or surges as defined in paragraph 17.2.


    8.7.3 ESD Chassis Power Supplies

    Fully redundant or N+1 chassis power supplies shall be used to supply power to internal ESD system modules. The power supply units shall be separate, connected via robust cabling or an internal bus structure. The power supply system shall be sized to provide 100% of the ampacity requirements while one power supply unit is removed (at rated voltage, connected load, and maximum ambient temperature of 50°C) for the specified configuration of I/O cards, CPUs, etc., including provision for expansion capability (see paragraph 8.8). Calculations shall be based on all modules and outputs energized and carrying their maximum connected load.

    8.7.4 Field I/O Power Supplies

    8.7.4.1 Field I/O power supplies shall be separate from and totally independent of ESD system chassis power supplies.

    8.7.4.2 Switch-mode or linear (non-switching) types shall be used to power the I/O portion of the ESD system. Branch circuits shall be protected from unnecessary shorts or grounds by proper fuse coordination and by physically shielding or protecting distribution buses.

    8.7.4.3 The field power supply system shall be fully redundant or N+1 and sized to continuously supply 125% of its connected load while one power supply unit is removed (at rated voltage, ampacity, and at maximum ambient temperature of 50°C). It shall be possible to configure power supplies in either a master-slave or load-sharing arrangement. Power supply loads shall be calculated with all points energized, and all outputs carrying their maximum connected load. The load calculation shall include provision for installed spares and future expansion capability.

    8.7.5 Power Supply Protection - General

    Each power supply shall be protected by a properly sized circuit breaker or fuse. Output protection shall be provided via a combination of strategies (i.e., diode auctioneering (OR-ing)/isolation, where diodes are rated at not less than 300% of the maximum power supply current delivery, and over-voltage/over-current protection).

    8.7.6 ESD Chassis Power Supply Diagnostics


    8.7.6.1 ESD system diagnostics shall detect events which may compromise internal (ESD chassis) power supply health or integrity, e.g., whenever extreme overvoltage, overcurrent, or high temperature conditions are detected within the power supply or at the DC output(s) of the power supply.

    8.7.6.2 Power supply (health/fault) status shall be indicated on its faceplate and be externally communicated via alarm contacts (or software logic) to an alarm display and event logger/archiver.

    8.7.7 ESD Reaction to Cycling of ESD System Power

    8.7.7.1 The ESD system shall be designed such that output modules de-energize when primary UPS power is cycled to the ESD system (i.e., applied, removed, or restored to the CPU or I/O modules).

    8.7.7.2 Individual output channels shall not be re-energized until power to the inputs and the logic is established, CPU and module diagnostic/startup routines have been reinitialized, and all application logic permissives have been reset, compared and re-voted.

    8.7.7.3 Input and output bypasses which have been enabled as a result of an external data command (i.e., soft commands) shall be automatically reset to a non-enabled state in the event that power to an ESD system is cycled.

    8.8 ESD System Spare Capacity and Future Expansion Capability

    8.8.1 ESD System Spare I/O Capacity

    The Vendor shall provide a minimum of 5% spare I/O points of each type specified (including associated termination modules) to allow for future system expansion. Spare rack, chassis, terminal strip, and panel space shall be provided for these spare I/O points. Spare I/O points shall be physically wired into the ESD system (e.g., between a termination panel/strip and an I/O module), shunted or terminated as necessary to avoid nuisance input diagnostics, and given pre-configured spare tags/definitions within the ESD operating system software.

    Commentary Note:

    A minimum of one spare module for each different type of card shall also be provided, but not wired into the system.


    8.8.2 ESD System Expansion Capability

    The total expansion capability for ESD systems involving new plant facilities (excluding existing ESD replacements or upgrades) shall be 10%. This includes spare rack, chassis, terminal strip, and panel space for the installed 5% spare I/O points specified in 8.8.1 plus an additional 5% unused I/O point expansion capability (total spare rack and cabinet space permits a composite expansion capability of 10% of I/O points).

    8.9 Component Selection Criteria

    8.9.1 Electronic components shall be high quality, industrial grade.

    8.9.2 Printed circuit board (PCB) and module/card construction shall be rigid and robust. Each PCB/module shall be identified by type/revision number and serial number.

    8.9.3 Edge connectors on ESD modules or PCBs shall be gold plated. All modules or PCBs shall incorporate a keying system to prevent improper board or module placement or orientation.

    8.9.4 Front panel LEDs or visual indicators that permit module health, communications or I/O channels to be monitored must be identified and mechanically protected.

    9 ESD Panel Construction

    9.1 Indoor Installations

    34-SAMSS-820 "Instrumentation Control Cabinets Indoor" shall be used for the design of ESD cabinets located indoors except where superseded by this specification.

    9.2 Outdoor Installations

    9.2.1 34-SAMSS-821 "Instrumentation Control Cabinets Outdoor" shall be used for the design of ESD cabinets located outdoors except where superseded by this specification.

    9.2.2 The cabinets shall be 316L stainless steel, minimum 12 GA (for corrosion resistance), and weather tight (NEMA 4X or IP56 for ingress protection). All hardware including hinges, latches, fittings, etc., shall be 316L stainless steel for the cabinet and interior interface panels (as applicable).

    9.2.3 There shall be no penetrations on the top of the cabinet.


    9.3 Additional Requirements for ESD Cabinets

    9.3.1 ESD cabinets shall be rigid and self-supporting. Cabinets shall be braced for shock and vibration normally encountered during transport and construction.

    Commentary Note:

    System modules may be shipped separately from system cabinets to avoid weight impact on system chassis.

    9.3.2 All doors shall be provided with integral lockable door handles with the same lock and key combination, unless otherwise specified on the ISS. Each door panel shall be electrically bonded to the main cabinet by a braided ground strap (wire size #8 AWG or equivalent).

    9.3.3 Cabinet Ventilation

    9.3.3.1 ESD cabinets shall be designed to be convection ventilated. However, fans may be used within cabinets or ESD power supplies to assist in heat removal and lower ambient cabinet temperatures provided that:

    a) No credit is given to their operational status in reducing internal cabinet temperatures so as to meet the continuous ambient-operational requirements of paragraph 5.5.

    b) The net reduction in ventilation area is factored into ventilation inlet area and filter mesh calculations.

    9.3.3.2 Calculation programs or procedures shall be used to properly size inlet and outlet areas and filter mesh/screen sizing. (Note: these calculations must be available for the Buyer's review.) Careful attention should be given to module population density, component spacing and cabinet arrangement to ensure that hot spots or thermal gradients do not occur within the cabinet.

    Commentary Note:

    It is recommended to install baffles between system chassis to divert hot air away from electronic equipment.

    9.3.4 Assembly and Mounting

    ESD system modules or components shall be mounted such that they can be quickly replaced in the event of their failure. Module or component mounts, bracing and/or supports shall be designed so that they dampen out the effects of external vibration. ESD modules that plug into a backplane, motherboard or rail must utilize a restraining bar or anchoring device to prevent accidental removal or release due to shock or vibration. Components that are not mounted on printed circuit boards or installed individually within modules, motherboards or chassis must be securely fastened to a cabinet support member, rail, or bus assembly.

    9.3.5 Power/Signal/Communications Wiring, Routing and Terminations

    9.3.5.1 Communications cabling between processors and transceivers/communications drivers shall utilize the Vendor's standard cable and pre-assembled terminators. The Vendor's maximum specified communications cable lengths shall not be exceeded. All cabling shall be provided with sufficient slack to respect the cable's minimum bend radius into a cable termination plug or connector. Individual communications cables for each of the redundant (A, B) or triplicated (A, B, C) communications paths must be of the same nominal length and identical cable specification to prevent communication timing and synchronization problems. Cable connectors shall have strain relief cable boots and be lockable to prevent inadvertent separation or disconnection.

    9.3.5.2 Discrete inputs and outputs to field devices (which are not line-monitored in a current loop arrangement) shall be wired so that they switch the hot side of the line. Isolated commons shall be used when passing signals between devices which utilize different grounding systems.

    10 ESD System Safety Availability (PFDavg)

    10.1 The PFDavg for the composite ESD system (all modules and subsystems considered) shall not exceed 0.0001 (10^-4), i.e., a safety availability of at least 99.99%. To achieve this the ESD system design and architecture shall conform to paragraphs 7 and 8 of this specification and incorporate sufficient redundancy, self-diagnostic and automatic self-test features (i.e., Diagnostic Coverage > 99%).

    10.2 The Vendor's ESD system proposal shall include detailed calculations for the PFDavg of the system that they are proposing and the mean time to a safe (spurious) and a dangerous failure. Markov models shall be used to calculate safety availability in terms of PFDavg. Transition probability matrices shall be used as the basis for these calculations. All assumptions must be clearly stated.

    10.3 Markov modeling shall split all ESD component failures into dangerous and safe failures. A dangerous failure is one that puts the ESD system in a fail-to-function state, unavailable to shut down the process if a demand is placed on it. A safe failure is one that causes the ESD system to prematurely shut down the process when no hazard exists (e.g., a false or spurious trip). The Vendor's ESD system proposal shall include detailed calculations for the maximum allowable spurious failure rate for the composite ESD system (all modules and subsystems considered).

    10.4 The Vendor's Markov model must include diagnostic coverage factors for all Vendor supplied ESD system components and show on-line repair rates when redundancy allows repair on-line. On-line field repair times of eight (8) hours are to be used in calculations. Failures which are undetected on-line will be subject to a system proof test interval of 10 years (e.g., off-line functional testing of field I/O devices).
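    A worked Markov calculation of the kind 10.2 to 10.4 call for, carried out for one simplex channel and added here as an illustration; it is not a calculation from 34-SAMSS-623 or from any vendor proposal. The dangerous failure rate lambda_D = 2e-6 per hour is an assumed value; the 8-hour on-line repair time and the 10-year proof test interval are those of 10.4, and diagnostic coverage is varied to show its effect.

```python
"""Discrete-time Markov model of PFDavg for one simplex ESD channel (Section 10).

Added worked example, not a calculation from 34-SAMSS-623 or any vendor.
States: 0 = OK, 1 = dangerous detected (DD) failure under on-line repair,
2 = dangerous undetected (DU) failure, revealed only at the proof test.
The failure rate used in the demo is an assumed value.
"""

HOURS_PER_YEAR = 8760.0


def transition_matrix(lambda_d, dc, mttr_h):
    """Hourly transition probability matrix P[i][j] over the three states."""
    l_dd = lambda_d * dc           # caught by on-line diagnostics
    l_du = lambda_d * (1.0 - dc)   # undetected until the proof test
    mu = 1.0 / mttr_h              # on-line repair rate (10.4: 8 h repair)
    return [
        [1.0 - l_dd - l_du, l_dd, l_du],
        [mu, 1.0 - mu, 0.0],
        [0.0, 0.0, 1.0],           # absorbing within the proof test interval
    ]


def step(p, matrix):
    """One hour: p(t+1) = p(t) * P."""
    return [sum(p[i] * matrix[i][j] for i in range(3)) for j in range(3)]


def pfd_avg_markov(lambda_d, dc, mttr_h, proof_test_years):
    """Time-average probability of being in state 1 or 2 over one proof-test interval."""
    matrix = transition_matrix(lambda_d, dc, mttr_h)
    p = [1.0, 0.0, 0.0]            # as-new immediately after the proof test
    hours = int(proof_test_years * HOURS_PER_YEAR)
    unavailable = 0.0
    for _ in range(hours):
        unavailable += p[1] + p[2]
        p = step(p, matrix)
    return unavailable / hours


def pfd_avg_approx(lambda_d, dc, mttr_h, proof_test_years):
    """Closed-form cross-check: lambda_DU * T / 2 + lambda_DD * MTTR."""
    t = proof_test_years * HOURS_PER_YEAR
    return lambda_d * (1.0 - dc) * t / 2.0 + lambda_d * dc * mttr_h


def mttf_spurious_years(lambda_s):
    """Mean time to a safe (spurious) trip of a simplex channel, in years."""
    return 1.0 / (lambda_s * HOURS_PER_YEAR)


if __name__ == "__main__":
    lambda_d = 2.0e-6   # assumed dangerous failure rate, per hour
    for dc in (0.90, 0.99):
        markov = pfd_avg_markov(lambda_d, dc, 8.0, 10.0)
        approx = pfd_avg_approx(lambda_d, dc, 8.0, 10.0)
        print(f"DC={dc:.0%}: PFDavg={markov:.3e} (closed form {approx:.3e})")
    print(f"MTTF spurious at lambda_S=1e-6/h: {mttf_spurious_years(1.0e-6):.0f} years")
```

    The hourly transition matrix is stepped over the proof test interval and the time spent in the two failed states is averaged; the closed form lambda_DU·T/2 + lambda_DD·MTTR serves only as a cross-check. With these numbers even 99% coverage leaves a single channel near 9e-4, above the 10^-4 ceiling of 10.1, which is why 10.1 ties the target to the redundant architectures of Sections 7 and 8 rather than to diagnostics alone. A 1oo2 or 2oo3 model uses the same machinery with a state per combination of channel conditions plus a common-cause transition for the common-mode failures that Section 11 asks the design to minimize.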

    11 Fault-Tolerant Considerations

    The Vendor's ESD system shall be designed to tolerate faults, not eliminate them. ESD hardware and system configuration shall be designed to minimize common mode or common cause failure mechanisms. The ESD system must have the ability to recognize and detect either a safe or dangerous fault. It must be able to locate the source of that fault, contain and isolate the fault to a specific module or modules of the system, and be able to recover, or maintain operational status in the presence of a fault. Both transient and permanent module or system faults shall be capable of being stored in or retrieved from non-volatile processor memory.

    12 Reliability

    ESD system components shall meet or exceed the MTBF data specified in the table below at the equipment's design temperature over the life of the system. MTBF figures shall be "Predicted" using data and calculations provided by the Bellcore Reliability Prediction Procedure (now Telcordia SR-332).

    Module                          MTBF
    Process Controller module       15 Years
    Input/Output Modules            25 Years
    Communication Module            25 Years
    System Power Supply module      50 Years
    Field Power Supply              50 Years

    NOTE: The above MTBF figures are assumed for each individual module or leg in its simplex form. The Vendor must calculate the overall MTBF for each module with the required redundancy (dual or triplicated) to meet a SIL 3 fault-tolerant system and provide it as part of the system proposal.


    13 Noise and Fault Protection

    I/O Protection

    13.1 All discrete I/O circuits shall be isolated from logic or processor circuitry via optical coupling or other equivalent means. Steady-state voltage isolation shall be a minimum of 1000 Volts RMS, or 1500 VDC common-mode.

    13.2 All discrete I/O circuits shall be designed such that accidental normal-mode connection of 1000 VAC/DC to their external terminals for one second shall not cause any system damage other than to the discrete circuit to which it is applied.

    13.3 Analog input circuits shall be designed with integral over-range protection such that accidental connection of a nominal 120 VAC or 125 VDC for one second will not functionally disable or degrade the long-term performance of the input point or module.

    13.4 Output circuits and final elements shall be provided with protection against reverse EMF and voltage transients caused by the switching of inductive DC loads (e.g., solenoid valve coils), such as R-C snubber circuits; and protection against current overloads.

    Commentary Note:

    A suggested protection/suppression technique is to install a 1N4007 diode across an inductive DC load.

    14 Programming and Configuration

    Program development software tools shall be provided by the Vendor, enabling the user to develop, edit and debug application programs. Software shall be IEC 61131-3 based, incorporating on-screen tutorials and help functions to assist the user. Software shall be compatible with a current Windows operating system supported by Microsoft Corp. The program development workstation shall be capable of monitoring the status of application programs in real-time.

    The ESD system shall be capable of separating application logic into multiple programs. A minimum of 2 programs shall be capable of being executed simultaneously within the ESD system.

    14.1 Program Development Workstation

    Minimum PC/Workstation requirements are specified within the requisition or ISS.


    14.2 On-Line and Off-Line Programming Capability and Support

    The program development software shall be capable of supporting both on-line and off-line programming. On-line programming, or making on-line application program changes while an ESD system is operating (e.g., configuring new I/O points, tags and addresses, revising or adding logic and changing dynamic element parameters), shall be possible without having to reset or re-initialize application programs currently running within the CPU. Off-line program emulation shall be provided unless specified otherwise. Program editing functions shall incorporate automatic time-dated, revision-level file saving routines which store all file revisions.

    14.3 Program Utilities

    The following programming utilities or their equivalent functions shall be provided by the Vendor:

    a) Relay Ladder Logic, Function Block Logic Elements, Sequential Function Charts/Tables

    b) First-out Event Discrimination (first ESD event out of a group of events)

    c) Event Log Configuration

    d) System diagnostics

    e) Program documentation and cross-reference

    f) On-line application program changes

    g) Input and output forcing

    h) Hardware configuration

    i) Comprehensive program revision and control that allows source code comparisons between different revision levels of ESD application programs

    j) Configurable multi-level password control to allow definition of users' access rights

    k) Help utilities that describe the proper sequence for defining new points, building or revising logic, verifying logic, debugging logic, simulating application program logic, and downloading new logic
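    A revision store of the kind 14.2 requires (every save kept, with its time and date) that also gives the source comparison of 14.3 i), as an added example. It is not code from 34-SAMSS-623 or from any vendor's programming tool; the two Structured Text revisions and their tag names are constructed.

```python
"""Time-dated revision store with integrity digests and source comparison
for ESD application programs (14.2, 14.3 i).

Added example; not code from 34-SAMSS-623 or any vendor tool. The two
Structured Text revisions below are constructed and their tags made up.
"""
import difflib
import hashlib
from datetime import datetime, timezone


class RevisionStore:
    """Keeps every saved revision (never overwrites) and diffs any two of them."""

    def __init__(self):
        self.revisions = []      # dicts: rev, saved_at, sha256, author, text

    def save(self, text, author, saved_at=None):
        saved_at = saved_at or datetime.now(timezone.utc)
        digest = hashlib.sha256(text.encode()).hexdigest()
        if self.revisions and self.revisions[-1]["sha256"] == digest:
            return self.revisions[-1]        # unchanged content: no new revision
        rev = {"rev": len(self.revisions) + 1, "saved_at": saved_at.isoformat(),
               "sha256": digest, "author": author, "text": text}
        self.revisions.append(rev)
        return rev

    def verify(self, rev_no):
        """Recompute the digest: detects a stored file altered after saving."""
        rev = self.revisions[rev_no - 1]
        return hashlib.sha256(rev["text"].encode()).hexdigest() == rev["sha256"]

    def compare(self, a, b):
        """Unified diff between revision levels a and b (14.3 i)."""
        ra, rb = self.revisions[a - 1], self.revisions[b - 1]
        return list(difflib.unified_diff(
            ra["text"].splitlines(), rb["text"].splitlines(),
            fromfile=f"rev{a} {ra['saved_at']}", tofile=f"rev{b} {rb['saved_at']}",
            lineterm=""))

    def changed_lines(self, a, b):
        """Only the added/removed source lines, without the diff headers."""
        return [line for line in self.compare(a, b)
                if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


# Constructed IEC 61131-3 Structured Text revisions; tag names are made up.
REV1 = """(* P-101 trip logic *)
TRIP_P101 := PSLL_101 OR TAHH_101;
"""
REV2 = """(* P-101 trip logic, vibration trip added *)
TRIP_P101 := PSLL_101 OR TAHH_101 OR VAHH_101;
"""


def demo():
    store = RevisionStore()
    store.save(REV1, "eng1", datetime(2006, 3, 20, tzinfo=timezone.utc))
    store.save(REV2, "eng2", datetime(2006, 4, 1, tzinfo=timezone.utc))
    return store


if __name__ == "__main__":
    s = demo()
    print("\n".join(s.compare(1, 2)))
    print("rev 2 digest ok:", s.verify(2))
```

    Each saved revision carries a SHA-256 digest so that the copy held by the tool can later be checked against the one actually downloaded to the controller, and compare gives the comparison between any two revision levels that item i) asks for. The digest only detects modification of the stored file if the digest record itself is kept separately and write-protected; a store that holds both in one editable place proves nothing.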

    14.4 Program Development Elements and Function Block Libraries

    The Vendor shall provide standard development program elements and function block libraries that are capable of performing the required program logic.


    14.5 Application Program and Software Development and Testing

    14.5.1 If specified in the purchase order or ISS, the Vendor shall be required to develop an application program(s) which performs the logic sequence and functionality as indicated on referenced logic diagrams.

    14.5.2 The application program shall be designed in such a manner as to promote user friendliness (for operations & maintenance personnel). This means that detailed comments and descriptions shall be included throughout all ladder or function block networks (or relational elements) which identify elements by tag numbers, and communicate network description and intended functionality.

    14.5.3 Ladder or function block logic networks shall be arranged in such a manner as to group all logic dealing with a specific piece of equipment, function, or task. Logic for individual pumps, turbines, compressors, or process interlocks must be differentiated by separate networks or function blocks. Identical logic structures and elements (except for tag names and addresses) should be used for identifying ESD logic of equipment operating in parallel trains, or which are controlled in a similar manner.

    14.5.4 When assigning input and output addresses for field devices pertaining to a group of equipment or trains (e.g., group of pumps, turbines, compressors, etc.), it is recommended to assign these signals to different I/O modules, so that a potential failure of one module or card will not adversely affect more than one piece of equipment of the group or shut down multiple process trains.

    14.5.5 Software configured I/O bypass switches shall use a secure data transmission mechanism to implement bypass initiation or bypass reset action. The data transmission may be either retentive or non-retentive provided that confirmation feedback of bypass logic initiation and status is also implemented.
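    Bypass handling that combines 8.6.1 e) (password or key-lock authorization plus a separate confirmation acknowledge), 8.7.7.3 (soft-command bypasses cleared when power is cycled) and 14.5.5 (confirmation feedback of the real bypass state), as an added example. It is not code from 34-SAMSS-623 or any vendor; the tag names, the credential store, the key-switch input, the 30-second confirmation window and the one-time token are assumptions made for the demonstration.

```python
"""Two-step, authenticated, non-retentive soft bypasses for ESD I/O points.

Added example covering 8.6.1 e), 8.7.7.3 and 14.5.5; not code from
34-SAMSS-623 or any vendor. Tag names, the credential store, the key-switch
input, the confirmation window and the token scheme are assumptions.
"""
import hashlib
import hmac
import secrets

_SALT = b"constructed-demo-salt"          # a real store uses a per-user random salt


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


_USERS = {"op1": _pw_hash("correct horse battery")}   # constructed credential


def _password_ok(user: str, password: str) -> bool:
    return user in _USERS and hmac.compare_digest(_USERS[user], _pw_hash(password))


class BypassManager:
    CONFIRM_WINDOW_S = 30.0   # assumed: an unconfirmed request expires

    def __init__(self, tags, key_switch_on=True):
        self.tags = set(tags)
        self.key_switch_on = key_switch_on   # hardware maintenance key-lock input
        self.active = {}      # tag -> user who enabled the bypass
        self.pending = {}     # tag -> (user, t_requested, token)
        self.log = []         # event log: (time, event, tag, detail)

    def request(self, tag, user, password, now):
        """Step 1: authenticated bypass request; nothing is bypassed yet."""
        if tag not in self.tags:
            return self._reject(tag, "unknown tag", now)
        if not self.key_switch_on:
            return self._reject(tag, "maintenance key-lock not enabled", now)
        if not _password_ok(user, password):
            return self._reject(tag, "authentication failed", now)
        token = secrets.token_hex(4)
        self.pending[tag] = (user, now, token)
        self.log.append((now, "BYPASS_REQUESTED", tag, user))
        return {"ok": True, "confirm_token": token}

    def confirm(self, tag, token, now):
        """Step 2: separate confirmation acknowledge carrying the token back."""
        entry = self.pending.pop(tag, None)       # one attempt per request
        if entry is None:
            return self._reject(tag, "no pending request", now)
        user, t_req, expected = entry
        if now - t_req > self.CONFIRM_WINDOW_S:
            return self._reject(tag, "confirmation window expired", now)
        if not hmac.compare_digest(expected, token):
            return self._reject(tag, "confirmation token mismatch", now)
        self.active[tag] = user
        self.log.append((now, "BYPASS_ENABLED", tag, user))
        return {"ok": True, "bypassed": self.status(tag)}   # feedback = real state

    def reset(self, tag, user, password, now):
        """Authenticated bypass removal (fail-safe direction, no second step)."""
        if not _password_ok(user, password):
            return self._reject(tag, "authentication failed", now)
        self.active.pop(tag, None)
        self.log.append((now, "BYPASS_RESET", tag, user))
        return {"ok": True, "bypassed": self.status(tag)}

    def status(self, tag):
        """Confirmation feedback (14.5.5): the state the logic actually uses."""
        return tag in self.active

    def power_cycle(self, now):
        """8.7.7.3: soft bypasses are non-retentive; everything clears on restart."""
        for tag, user in self.active.items():
            self.log.append((now, "BYPASS_CLEARED_ON_RESTART", tag, user))
        self.active.clear()
        self.pending.clear()

    def _reject(self, tag, reason, now):
        self.log.append((now, "BYPASS_REJECTED", tag, reason))
        return {"ok": False, "reason": reason}


if __name__ == "__main__":
    bm = BypassManager(["PSLL-101", "TAHH-101"])
    print(bm.request("PSLL-101", "op1", "wrong", now=0.0))
    req = bm.request("PSLL-101", "op1", "correct horse battery", now=1.0)
    print(bm.confirm("PSLL-101", req["confirm_token"], now=5.0))
    bm.power_cycle(now=60.0)
    print("after restart bypassed:", bm.status("PSLL-101"))
    for event in bm.log:
        print(event)
```

    The request alone changes nothing: the bypass becomes active only when a second message carries back the token issued for that request, within the window, and the feedback returned (and status) is the state the logic solver actually uses rather than an echo of the command. A wrong token discards the pending request, so the acknowledge cannot be retried by guessing. power_cycle gives the non-retentive behaviour of 8.7.7.3 by clearing every active and pending bypass, and the event log is what the event logger/archiver of 8.7.6.2 would receive.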

    15 On-Line Diagnostics

    15.1 Processor/CPU modules shall run diagnostics in conjunction with the execution of application programs in such a manner as to avoid interfering with the basic cycle time of any application. Should a fault occur, the controller shall support both local indication and remote annunciation of faults.

    15.2 Module or board failures shall be displayed by means of a 'Fault' indicator on the failed module. Preconfigured diagnostic displays shall also be available via programming tool set displays or via memory mapped interfaces to external DCS computers and operator workstations. Diagnostic messages, displays and/or alarms shall be capable of identifying any system fault to a particular cabinet, rack, module, channel and slice.

    15.3 ESD Module Failure Indication and Action

    15.3.1 Failures or faults within I/O circuits or system modules shall be automatically detected by routine diagnostics. System faults or failures shall initiate a system status alarm and be captured in non-volatile internal memory. Faults or failures which prevent individual system components or modules from functioning normally shall initiate an automatic switch-over to a redundant module (i.e., depending on the ESD architecture selected), or cause its particular circuit or module to be removed from service.

    15.3.2 On-line removal/replacement of any ESD system module (assuming the system is not running in a degraded mode) shall be possible without having to reconfigure system software, alter system wiring or cabling, de-energize system or module power, re-initialize the ESD system or compromise ESD safety functions.

16 Documentation

Required Vendor's Documentation - Prior to commencement of a factory acceptance test (FAT), the Vendor shall provide the following Non-Material Requirements (NMRs) to designated Company representatives, in electronic format:

a) A listing of the ESD system configuration identifying each module type, location, and tag name;

b) Annotated application program files in ladder logic or function block logic format, including all pertinent embedded comments describing logic functionality. Descriptors for logic elements/blocks shall include complete I/O addresses and tag numbers, set points, logic element parameter identification, and logic execution sequence, so as to facilitate ESD system troubleshooting;

c) An index of the system's database including tag name(s), descriptors, and alias addresses;

d) I/O, internal element, and alias variable cross reference;

e) A narrative describing the operation and sequence of the logic system (embedded ladder or function block comments are acceptable provided they are comprehensive);

f) Vendor standard fault finding/troubleshooting guide for the ESD cabinet and all components;


g) Vendor standard Installation and Maintenance/Troubleshooting Manuals containing: module circuit schematics/diagrams (where repair and fault-finding can realistically be performed) with parts lists, assembly and interconnecting wiring diagrams, field device/input-output termination/wire number/I/O module indexes, cabinet construction, assembly and interconnecting wiring diagrams; and cabinet arrangement drawings showing front and rear views of the enclosure with a hidden view of installed equipment;

h) Vendor standard Operations/Programming Manual, describing operating modes, program editing elements, parameters, guidelines and instructions;

i) Vendor standard Safety Manual and/or Product Guide;

j) Vendor's calculation of overall ESD system PFDavg (1 - Safety Availability) for Vendor supplied or integrated components, plus MTBF for all components and spurious failure rates;

k) Vendor's heat calculation for each system cabinet;

l) TUV Certificate and Report.
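The PFDavg figure called for in item j) is normally produced with the low-demand approximations of IEC 61508-6; the following Python is an added example, not part of 34-SAMSS-623 or any vendor's calculation, and its failure rates, proof-test interval and 2% common-cause factor are constructed assumptions.

```python
"""Added example (not from 34-SAMSS-623 or any vendor calculation): the
low-demand PFDavg approximations of IEC 61508-6 for a single channel and a
1oo2 pair, reported as (1 - Safety Availability) as item j) words it.
Failure rates and the 2% common-cause factor are constructed assumptions."""

from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Channel:
    lambda_du: float  # dangerous undetected failure rate, per hour (constructed)
    lambda_s: float   # safe / spurious-trip failure rate, per hour (constructed)


def pfd_avg_1oo1(ch: Channel, proof_test_years: float) -> float:
    """Single channel between proof tests: lambda_DU * T_I / 2."""
    t_i = proof_test_years * HOURS_PER_YEAR
    return ch.lambda_du * t_i / 2.0


def pfd_avg_1oo2(ch: Channel, proof_test_years: float, beta: float = 0.0) -> float:
    """1oo2 voted pair: independent term ((1-beta)*lambda_DU*T_I)^2 / 3
    plus a beta-factor common-cause term beta*lambda_DU*T_I / 2."""
    t_i = proof_test_years * HOURS_PER_YEAR
    independent = ((1.0 - beta) * ch.lambda_du * t_i) ** 2 / 3.0
    common_cause = beta * ch.lambda_du * t_i / 2.0
    return independent + common_cause


def safety_availability(pfd_avg: float) -> float:
    """Item j) defines PFDavg as (1 - Safety Availability)."""
    return 1.0 - pfd_avg


def sil_band(pfd_avg: float) -> int:
    """IEC 61508 low-demand SIL implied by a PFDavg value (0 = below SIL 1)."""
    for sil, limit in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < limit:
            return sil
    return 0


def mtbf_spurious_years(ch: Channel, voting: str) -> float:
    """Spurious-trip MTBF: 1oo1 trips on one safe failure, 1oo2 on either."""
    rate = ch.lambda_s if voting == "1oo1" else 2.0 * ch.lambda_s
    return 1.0 / (rate * HOURS_PER_YEAR)


if __name__ == "__main__":
    ch = Channel(lambda_du=1e-6, lambda_s=2e-6)  # constructed sample values
    for name, pfd in (("1oo1", pfd_avg_1oo1(ch, 1.0)),
                      ("1oo2", pfd_avg_1oo2(ch, 1.0, beta=0.02))):
        print(f"{name}: PFDavg={pfd:.2e} SA={safety_availability(pfd):.5f} SIL {sil_band(pfd)}")
```

The spurious-trip MTBF shows the trade-off item j) asks the Vendor to document alongside PFDavg: the 1oo2 pair improves PFDavg but halves the mean time between spurious trips.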

17 Quality Control

17.1 Quality Control Procedures

17.1.1 A total Quality Assurance (QA) program covering the span from ESD system design conception through user satisfaction shall be active.

17.1.2 The Vendor's QA program shall conform to the guidelines of ISO 9001, Quality Systems - Model for quality assurance in design/development, production, installation, and servicing.

17.1.3 Sampling techniques shall be applied where practical, but never used for final acceptance and burn-in of system components. Where statistical inspections are applied, the plan shall conform to the guidelines of ISO 9001.

17.2 Qualification Testing

The Vendor's manufactured ESD equipment, comprised of modules, operating system (kernel) software and firmware, shall be certified to meet the SIL 3 requirements of International Electrotechnical Commission (IEC) standard IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, by Factory Mutual or TUV Product Services, Rheinland or Bayern. The Vendor's manufactured equipment shall be capable of meeting the following parameters, as documented by a third party certification agency such as TUV, UL, FM, or CSA:


a) Vibration: per axis sinusoidal (sinusoidal sweep), 55 to 200 Hz, 1.5 G

b) Shock: Non-Operating: 15 G for 11 msec; Operating: 6 G for 11 msec

c) Temperature: Operating: 0 to 50°C (temperature external to ESD cabinet)

d) Thermal Stress: 70°C (represents storage temperature)

e) Humidity: 0 - 95% relative, non-condensing

f) Electromagnetic Compatibility: per section 5.6.6 of this standard

g) Hipot & Ground Continuity: per CSA C22.2 No. 0 (or equal)

h) Burn-In Testing: Vendor's production testing of all ESD system active component parts, inclusive of all component modules, shall include a dynamic burn-in test period of a minimum of 40 hours. This testing shall be conducted in a controlled environment where the temperature is varied from 0 to 60°C, and where the 60°C temperature is held for at least 16 hours.

18 ESD System Inspection and Testing

A Conditions Diagram, Logic Function Chart/Table, logic diagrams or ESD system functional narrative, along with inspection and testing form 175-344400 attached to the Purchase Order, shall be used as the basis for a Factory Acceptance Test of all Vendor supplied ESD equipment.

18.1 Factory Acceptance Test (FAT)

18.1.1 During the FAT the complete ESD system, including all composite modules, interconnecting wiring, and associated circuitry, shall be subject to both hardware and software functional tests. These tests shall demonstrate the functionality of each individual component module within the integrated ESD system, including individual I/O point tests.

18.1.2 Cabinet heat generation shall be tested on the most loaded ESD system cabinet during the FAT, with all configured and installed spares energized. ESD system cabinets that have the same arrangement as an ESD cabinet that has already passed a heat generation test do not require testing again.

18.1.3 Wire tagging and terminations shall be checked and "tug" tested. (A tug test involves physically stressing a wire termination to determine whether it has been crimped and/or terminated properly. The intent is not to break wiring or stress insulation but to test the integrity of the termination.)

18.1.4 All ESD system software logic/application programs shall be checked against logic drawings and dynamically tested and verified for proper ESD sequence and functionality:

a) The dynamic test will involve physically simulating all inputs and outputs in their proper operational sequence, and verifying that the specified ESD application program logic is executed properly.

b) The ability to make and save on-line application program changes and to configure new I/O points, without having to reinitialize the operating system, shall also be tested at this time.

c) Fail-safe output states will be tested in response to simulated input/output module and CPU failures and loss of ESD module power.

d) All diagnostic routines shall be tested by simulating CPU and I/O module/individual point failures, power supply failure, communications interface failures, and card replacement induced failures.

e) Fault histories/summaries shall be logged and annunciated both on an external printer and on an operator's workstation or console.
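As an added example (not from 34-SAMSS-623), the following Python models one de-energize-to-trip output behind an assumed 2oo3 transmitter vote and walks it through the simulated input sequence, the module, CPU and power failures, and the fault logging of items a), c) and e); the voting scheme and fault tags are constructed assumptions.

```python
"""Added example (not from 34-SAMSS-623): a minimal de-energize-to-trip ESD
output model driven through a FAT-style dynamic test of 18.1.4 a), c) and e).
The 2oo3 transmitter voting and the fault tags are constructed assumptions."""

from dataclasses import dataclass, field

ENERGIZED, TRIPPED = True, False  # de-energize-to-trip: False is the safe state


@dataclass
class Esd:
    cpu_ok: bool = True
    output_power_ok: bool = True
    input_module_ok: dict = field(default_factory=lambda: {"A": True, "B": True, "C": True})
    fault_log: list = field(default_factory=list)

    def _fault(self, tag: str) -> None:
        if tag not in self.fault_log:  # 18.1.4 e): fault history is retained
            self.fault_log.append(tag)

    def scan(self, high: dict) -> bool:
        """One logic scan; `high` maps transmitter A/B/C to its trip demand.
        Returns the solenoid output state (True = energized, False = tripped)."""
        if not self.cpu_ok or not self.output_power_ok:
            self._fault("CPU_FAIL" if not self.cpu_ok else "OUT_PWR_FAIL")
            return TRIPPED  # watchdog or loss of module power drops all outputs
        demands = 0
        for tx in ("A", "B", "C"):
            if not self.input_module_ok[tx]:
                self._fault(f"IN_MOD_{tx}_FAIL")
                demands += 1  # failed channel votes to trip: 2oo3 degrades to 1oo2
            elif high[tx]:
                demands += 1
        return TRIPPED if demands >= 2 else ENERGIZED


def fat_dynamic_test() -> dict:
    """Walk the simulated sequence and return the observed output per step."""
    esd, quiet = Esd(), {"A": False, "B": False, "C": False}
    out = {"normal": esd.scan(quiet)}
    out["one_high"] = esd.scan({"A": True, "B": False, "C": False})
    out["two_high"] = esd.scan({"A": True, "B": True, "C": False})
    esd.input_module_ok["B"] = False
    out["one_high_b_failed"] = esd.scan({"A": True, "B": False, "C": False})
    esd.input_module_ok["B"], esd.cpu_ok = True, False
    out["cpu_fail"] = esd.scan(quiet)
    esd.cpu_ok, esd.output_power_ok = True, False
    out["power_fail"] = esd.scan(quiet)
    out["faults"] = list(esd.fault_log)
    return out
```

Calling `fat_dynamic_test()` returns the output state observed at each simulated step together with the fault history, which is the record a FAT report would capture.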

18.2 Integrated Factory Acceptance Test (IFAT)

When the ESD system(s) is part of an integrated Process Automation System, i.e., a DCS, an IFAT shall:

a) Functionally test a minimum of one of each type of communication interface using the actual system and equipment.

b) Functionally test each I/O point interfaced between the ESD and DCS. This test may use an I/O software simulator when the ESD I/Os are not available at the IFAT location.

c) Test all shutdown, reset, bypass and alarm signals.

18.3 All discrepancies noted in the FAT and/or IFAT shall be resolved to the satisfaction of the Buyer. Results of the FAT and/or IFAT shall be documented by a written report, supported by the FAT and/or IFAT procedures used.

Revision Summary
20 March 2006    Major revision.

