8/13/2019 34-SAMSS-623 Programmable Controller Based ESD Systems
1/31
Materials System Specification 34-SAMSS-623 20 March 2006
Programmable Controller Based ESD Systems
Instrumentation Standards Committee Members
Awami, Luay Hussain, Chairman
Tuin, Rienk , Vice Chairman
Bogusz, Zbigniew Jozef
Dakhil, Tareq Khalil
Dhafeeri, Farhan Taieh
Ell, Steven Tal
Fadley, Gary Lowell
Qaffas, Saleh Abdal Wahab
Trembley, Robert James
Falkenberg, Anton Raymond
Jumah, Yousif Ahmed
Khalifa, Ali Hussain
Madhi, Fawaz Abdullah
Mahmood, Balal
Qarni, Mahdi Ali
Saudi Aramco DeskTop Standards
Table of Contents
1 Scope ............................................................ 2
2 Conflicts and Deviations ................................ 2
3 References .................................................... 2
4 Definitions ...................................................... 4
5 General .......................................................... 6
6 General Design Requirements ....................... 8
7 Acceptable ESD System Architectures ........ 10
8 ESD Hardware Configuration ....................... 11
9 ESD Panel Construction ............................... 21
10 ESD System Safety Availability (PFDavg) ... 23
11 Fault-Tolerant Considerations ..................... 24
12 Reliability ..................................................... 24
13 Noise and Fault Protection .......................... 25
14 Programming and Configuration ................. 25
15 On-Line Diagnostics .................................... 27
16 Documentation ............................................ 28
17 Quality Control ............................................. 29
18 ESD System Inspection and Testing ........... 30
Previous Issue: 29 December 2004   Next Planned Update: 20 March 2011   Page 1 of 31
Primary contact: Qaffas, Saleh A on 966-3-874-6410
Copyright Saudi Aramco 2005. All rights reserved.
Document Responsibility: Instrumentation   34-SAMSS-623
Issue Date: 20 March 2006
Next Planned Update: 20 March 2011   Programmable Controller Based ESD Systems
1 Scope
1.1 This specification defines the minimum mandatory requirements for fail-safe, fault-tolerant, programmable controller based Emergency Shutdown (ESD) systems.
1.2 This specification is applicable to any redundant programmable controller based ESD system, i.e., dual-modular-redundant (DMR) 1-out-of-2D and triple-modular-redundant (TMR) 2-out-of-3 systems.
1.3 This specification, together with a project ESD system Functional Specification Document (FSD), specification sheet(s) ISS 8020-623-ENG pg. 1 and 2, and associated logic diagrams, prescribes the minimum mandatory design, fabrication and testing requirements for the project.
1.4 Where a project Functional Specification Document (FSD) calls for more than one ESD system, this specification shall apply to each ESD system individually.
2 Conflicts and Deviations
2.1 Any conflicts between this specification and other applicable Saudi Aramco Materials Systems Specifications (SAMSSs), Engineering Standards (SAESs), Standard Drawings (SASDs), or industry standards, codes, and forms shall be resolved in writing by the Company or Buyer Representative through the Manager, Process & Control Systems Department, Engineering Services of Saudi Aramco, Dhahran.
2.2 Direct all requests to deviate from this specification in writing to the Company or Buyer Representative, who shall follow internal company procedure SAEP-302 and forward such requests to the Manager, Process & Control Systems Department, Engineering Services of Saudi Aramco, Dhahran.
3 References
Material or equipment supplied to this specification shall comply with the latest edition of the following references as of the date of the Purchase Order, unless stated otherwise.
3.1 Saudi Aramco References
Saudi Aramco Engineering Procedure
SAEP-302 Instructions for Obtaining a Waiver of a
Mandatory Saudi Aramco Engineering
Requirement
Saudi Aramco Materials System Specifications
34-SAMSS-820 Instrument Control Cabinets Indoor
34-SAMSS-821 Instrument Control Cabinets - Outdoor
Saudi Aramco Forms and Data Sheets
Form 8020-623-ENG Instrument Specification Sheet (ISS) for
Programmable Controller Based ESD System,
Sheets 1 and 2
Form 175-344400 Inspection & Testing Requirements
3.2 Industry Codes and Standards
American National Standards Institute/National Fire Protection Association
ANSI/NFPA 70 National Electric Code (NEC)
American National Standards Institute/Institute of Electrical & Electronics Engineers
ANSI/IEEE 802.3 Supplement to ISO/IEC 8802-3, Local and
Metropolitan Area Networks Section 13 & 14
Canadian Standards
CSA C22.2 No. 0 CSA General Requirements (Electrical)
Electronic Industries Association
EIA/RS-232 Interface Between Data Terminal Equipment and
Data Communication Equipment Employing
Serial Binary Data Interchange
EIA/RS-422 Electrical Characteristics of Balanced Voltage
Digital Interface Circuits
EIA/RS-485 Electrical Characteristics of Generators and
Receivers for Use in Balanced Digital
Multipoint Systems
The Instrumentation, Systems, and Automation Society (ISA)
ANSI/ISA-84.00.01-2004 Application of Safety Instrumented Systems for the
Process Industries
ISA TR84.00.02 Safety Instrumented Functions (SIF) Safety
Integrity Level (SIL) Evaluation Techniques
International Electro-technical Commission (IEC)
IEC 61131 Part 3: Programmable Controllers - Programming Languages
IEC 61000-6-2 Generic Standards - Immunity for Industrial Environments
IEC 61000-4-3 Testing and measurement techniques Radiated,
Radio Frequency, Electromagnetic Field
Immunity Tests
IEC-61508 Functional Safety of
Electrical/Electronic/Programmable Electronic
Safety-Related Systems
IEC-61511 Functional Safety-Safety Instrumented Systems for
the Process Industry Sector
International Organization for Standardization
ISO 9001 Quality Systems - Model for Quality Assurance in
Design/Development, Production, Installation
and Servicing
Other Industry References
Bellcore TR-332 Reliability Prediction Procedure for Electronic
Equipment - Telcordia Technologies
4 Definitions
Availability (Safety): The fraction of time that a safety system is able to perform its designated safety service when the process is operating. It is calculated as in equation (1). Note that the average Probability of Failure on Demand (PFDavg) equals 1 minus the Safety Availability:
A = MTTF / MTBF = MTTF / (MTTF + MTTR)    (1)
Diagnostic Coverage Factor: The ratio of detectable faults to the total number of faults or failures which might occur in ESD components, modules, external wiring, internal wiring, cables, interconnections, and logic elements.
Dual Modular Redundant (1oo2D Configuration): An ESD system which uses two separate processors, each with its own separate I/O modules, bus structure, chassis, software and power supplies, to vote input signals in a 1oo2 arrangement. Sensor signals are separated into two isolated paths to two separate input modules where
signals are conditioned and communicated by separate busses to separate processors. A valid input signal on either leg of the system will initiate the desired logic response via two separate, fail-safe, output modules.
Failure: An error in ESD system hardware, firmware or software whereby a module is not capable of performing its specified function. Modules may fail safely, in which case the process is brought to the safe state, or dangerously, in which case the ESD system is unable to bring the process to the safe state.
Fail-Safe: An ESD system is fail-safe if the failure of a component, signal, or utility initiates action that returns the system to a safe state.
Fault-Tolerance: The built-in capability of the system to provide continued correct execution of ESD commands and functions in the presence of a limited number of hardware and software errors/faults. Fault-tolerance includes the ability to detect and log transient or steady-state error conditions via diagnostic circuits or comparative logic, and take appropriate corrective action, while remaining on-line and performing its specified safety function.
Field Proven: A system shall be considered to be field proven when it has been installed, commissioned, and operational in a customer facility for a period of six months or longer (excluding beta test periods) after receiving TUV certification for the programmable controller's hardware, firmware, and software.
MTTF: "Mean Time To Failure" is the expected time to failure of a system in a population of identical systems.
MTBF: "Mean Time Between Failure" is a statistical value equal to the mean or average time expected between failures of a given device, which is used in the determination of system reliability. MTBF figures can be "predicted" or "observed". Observed MTBF for a given component is calculated using actual failure rate data collected for the population of the component while in service. Predicted MTBF is a figure calculated from failure rate models of the individual sub-components of the component. Two methods widely accepted for calculation of predicted MTBF are MIL-HDBK-217 and Bellcore TR-332. It is derived in its simplest form as:
MTBF = MTTF + MTTR    (2)
MTTR: "Mean Time To Repair" is the statistical average of the time taken to identify and repair a fault (including diagnosis), in a population of identical systems.
PFDavg: The average probability of a system failing to respond to a demand in a specified time interval is referred to as PFDavg. PFDavg = 1 - Safety Availability.
Reliability: The probability that, when operating under stated environmental conditions, the system will perform continuously, as specified, over a specific time interval.
Scan Time: ESD system scan time is the composite of input module scan, program execution and all output module state transition time.
Triple Modular Redundant ESD (TMR, 2oo3 Configuration): TMR configured ESD systems employ 3 processors running in parallel with triplicated I/O, bus structure, chassis, and software. Each processor executes its individual application program simultaneously and independently; verifying data, executing logic instructions, control calculations, clock and voter/synchronization signals, and performing comprehensive system diagnostics and discrepancy monitoring. Process outputs are sent via triplicated paths to output modules where they are voted (2oo3) to ensure logic and output integrity.
5 General
5.1 Use of Standard Products
5.1.1 The system shall be composed of the manufacturer's standard hardware, system software, and firmware that can be configured to meet the stated requirements.
5.1.2 A vendor's standard system operating software shall not be modified to meet any of Saudi Aramco's requirements.
5.1.3 Application software shall be designed in a manner that requires no modification to the system operating software.
5.2 Revision Level
All ESD system hardware, firmware and software shall be the latest "field proven" revision level at the time of the hardware freeze date as defined in the contract purchase order or the Preliminary Design Review (PDR), whichever is later.
5.3 System Support
5.3.1 ESD vendor shall guarantee support of all hardware, firmware, and software associated with the controller and I/O subsystems and any proprietary communications equipment for a period of ten (10) years from the hardware freeze date. Support shall include spare parts and technical support. This support shall not be contingent on the customer upgrading to later releases of software or hardware.
5.3.2 Withdrawal of product support for ESD vendor manufactured products shall be notified in writing to Saudi Aramco twelve months in advance.
5.3.3 ESD vendor shall provide factory trained technical support services locally (In Kingdom).
5.4 Engineering Units
Unless otherwise specified, all dimensions and measurements shall be in the "International System of Units" (SI), and may be followed by the equivalent value in conventional units between brackets.
5.5 Environmental Conditions
5.5.1 Indoor Installations
All ESD Equipment installed in air-conditioned buildings shall be designed for:
a) Ambient temperature range: 10°C to 35°C (Note 1)
b) Ambient relative humidity: 20% to 80%.
Note:
1) For equipment which dissipates internal heat, an additional 15°C shall be added to the above maximum temperature. For example, for an "indoor air conditioned" installation, the equipment must perform at 35 + 15 = 50°C. The designer can substantiate a temperature rise of less than 15°C by providing the supporting data and heat calculations.
5.5.2 Outdoor Installations
All ESD equipment specified for outdoor installation shall be designed to operate continuously at the environmental conditions specified by 34-SAMSS-821.
5.6 Electrical Requirements and Certifications
5.6.1 Unless otherwise specified, ESD equipment shall be powered from separate Saudi Aramco supplied Uninterruptible Power Supply (UPS) branch feeders at 120 VAC (tolerance 110 to 126 VAC), 60 Hz (±2%), which are over-current protected.
5.6.2 Unless otherwise specified, ESD system components shall be installed within a general purpose, non-classified electrical area per ANSI/NFPA 70, National Electrical Code (NEC), Article 505.
5.6.3 ESD systems operating in outdoor cabinets shall be certified for use in Class I, Zone 2 hazardous areas.
5.6.4 ESD system components shall be listed, labeled, and conform to UL, FM, or CSA standards or guidelines.
5.6.5 Unless otherwise specified, field power supplies that are used to power field I/O shall use nominal 24 VDC (tolerance 21 to 28.2 VDC).
5.6.6 The Vendor's manufactured ESD equipment, comprising modules, operating system (kernel) software and firmware, shall be certified to meet the SIL 3 requirements of International Electro-technical Commission (IEC) IEC-61508 by Factory Mutual or TUV Product Services, Rheinland or Bayern.
5.7 Electromagnetic Compatibility
5.7.1 ESD equipment designated as 'indoors' shall carry the CE Mark for compliance with European EMC Directive 89/336/EEC or shall comply with the immunity levels stated in IEC 61000-6-2.
5.7.2 Alternatively, the vendor shall provide testing results to confirm that the equipment will operate without disturbance when energized and subjected to an electromagnetic field from a radiating source equivalent to a level 3 disturbance as detailed in IEC 61000-4-3. In particular, RF sources such as hand-held radio transceivers operating at 5 Watts within the frequency ranges 50-174 MHz, 406-470 MHz, and 800-870 MHz, held at a distance of 1.0 meter from the equipment with cabinet doors open, shall not cause any malfunction, data corruption, or damage to the equipment.
6 General Design Requirements
The ESD system shall incorporate a redundant architecture which is fault tolerant and
fail-safe.
6.1 Fault Tolerance
The ESD system shall be fault tolerant as per the definition in section 4.
6.2 Fail-Safe Operation
ESD systems shall fail to the safe state position upon loss of the ESD signal or electric power supplies. The safe state shall be the de-energized mode unless otherwise specified in the ISS, logic drawings or Purchase Order.
6.3 Input Bypass Switches
6.3.1 The ESD system shall incorporate an input bypass switch for each field sensor, except where sensors are used in 2oo2 or 2oo3 voting schemes. The input bypass switch is required to perform on-line testing or maintenance.
Commentary Note:
Input bypasses are only required for input signals wired to the ESD system and used for shutdown logic.
6.3.2 Input bypass switch implementation shall be software configured. Input bypass switches shall not bypass nor disable the 'trip' signal from an ESD input which drives associated annunciator logic, a CRT's alarm display, event logger or data archiving devices, either directly or via an alias point address. Input bypass switches shall have restricted access by way of a common key-lock and/or password protection scheme.
6.3.3 Actuation of input bypass switches shall enable a feedback signal, communicated via the data highway, which confirms the bypass switch action to an operator's Human Machine Interface (HMI) or event logger.
6.4 Input Point Replication
6.4.1 If discrete ESD input signals must be replicated for annunciators, local panel or data logger prior to being input to an ESD input module, individual rail-mounted optical isolators shall be installed within ESD cabinets and powered from the ESD system. Opto-isolator wiring and circuitry shall be passive and shall under no circumstances compromise ESD signal integrity.
6.4.2 Relays shall be used for replication of ESD system inputs when solid-state isolation devices are incapable of meeting signal isolation specifications. Electric relays shall be dust-tight when installed indoors and hermetically sealed when installed outdoors.
6.5 Output Point Isolation
6.5.1 ESD output points that directly interface with motor control circuits shall be individually isolated (non-commoned) from other outputs. ESD outputs shall be rated for, and capable of switching, the maximum load and in-rush current of the designated final device (e.g., motor control relay circuitry).
Non-isolated outputs may be used provided that output loads or devices permit a common power supply source and return ('common grounding').
6.5.2 Output isolation relays shall not be used for the multiplication or replication of ESD system outputs, unless they are absolutely essential for:
a) Isolating different input or output signal voltages/currents.
b) Preventing the mixing of circuit voltages/currents which are out of phase, or involve separate grounding systems.
c) Interrupting large loads or substantial inrush currents such as motor control circuits.
6.5.3 If absolutely required, isolation relays shall be rail or card mounted and configured in such a manner as to meet the requirements of paragraph 6 (General Design Requirements) and 34-SAMSS-820 (wiring segregation), with loop-back circuitry and logic (to ESD inputs via, e.g., simplex inputs) to verify the health and functionality of the isolation relays or the intended state of the final control element/field device. Electric relays shall be dust-tight when installed indoors and hermetically sealed when installed outdoors.
Commentary Note:
For example, if isolation/interposing relays are used to communicate ESD output commands to motor control circuits, the state of the final device (the motor) can be verified by looping back an auxiliary contact from the motor controller into a simplex ESD input, thereby enabling the input status to be compared against the desired output command.
6.6 Output Point Verification
The intended state of the final control element/field device shall be verified against the ESD command, to alarm the operator when the final device does not reach the intended ESD state within an acceptable time. Final device verification may be achieved using soft logic within the DCS, or a soft link between the DCS and a sub-system (e.g., machine monitoring system, power monitoring system, etc.), only if this signal is not an ESD initiating signal within the ESD logic.
7 Acceptable ESD System Architectures
ESD systems shall be configured using a redundant architecture, i.e., Dual Modular Redundant (DMR) 1-out-of-2D or Triple Modular Redundant (TMR) 2-out-of-3 (2oo3) voting architecture.
7.1 CPU Self-Test and System Diagnostic Routines: Separate watchdog circuitry and/or diagnostic algorithms shall run in background mode, each scan cycle, to monitor the health of all system components, including system software and external/internal communications.
7.1.1 Internal logic within each CPU shall execute automatic self-test, diagnostic routines, I/O change-of-status/loop-back verification and data table fault detection to determine the health of each module or subassembly within the ESD system. Comprehensive diagnostic coverage (>99%) and fault detection shall be performed using comparative or deterministic voting and fault detection circuits in both firmware and software. These circuits shall automatically identify, alarm, isolate and contain both safe and dangerous faults within system components without compromising ESD system performance.
7.1.2 If any processor fails to agree with its other parallel or triplicated counterpart(s), the failed processor shall be automatically diagnosed and alarmed as having failed in either a safe or dangerous manner.
7.1.3 System processor degradation for DMR-ESD (1oo2D) systems shall be 2-1-0 and for TMR-ESD (2oo3) systems shall be 3-2-0 unless otherwise allowed by the TUV report and/or the system safety manual stating the restrictions considered for safe operation.
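The voting and degradation rules of 7.1.2 and 7.1.3 (and the 1oo2D and 2oo3 definitions in section 4), as an added worked example in Python. This is illustration code written for this page, not the logic of any vendor's controller or of TUV-certified firmware. A channel vote of True means "keep the output energized", following the de-energize-to-trip safe state of 6.2. The channel names, the rule that two surviving TMR channels vote 1oo2, and the way a diagnostic-flagged 1oo2D channel is dropped from the vote are assumptions of the example; the product's safety manual governs the real behaviour.

```python
"""2oo3 (TMR) and 1oo2D (DMR) output voting with 3-2-0 and 2-1-0 degradation.

Added illustration for 34-SAMSS-623 section 7.1, not vendor logic.
A vote of True means "keep the output energized"; False means "de-energize"
(de-energize-to-trip, the default safe state of 6.2).  The two-channel
voting rule for a degraded TMR system and the channel names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class VoteResult:
    energize: bool                 # state driven to the output module
    mode: str                      # voting mode actually applied this scan
    failed: Dict[str, str] = field(default_factory=dict)  # channel -> "safe", "dangerous" or "diagnostic"


def _diagnosed(healthy: Dict[str, bool]):
    """Split channels into those still voting and those already removed by diagnostics."""
    live = [name for name, ok in healthy.items() if ok]
    failed = {name: "diagnostic" for name, ok in healthy.items() if not ok}
    return live, failed


def vote_2oo3(votes: Dict[str, bool], healthy: Dict[str, bool]) -> VoteResult:
    """TMR output vote with 3-2-0 degradation (7.1.3).

    Three healthy channels: the majority wins.  A dissenting channel is
    classified per 7.1.2: it failed safe if it demanded de-energize against
    an energized majority, dangerous if it demanded energize against a
    de-energized majority.
    Two healthy channels (assumption): vote 1oo2 over the survivors, so any
    trip demand, and any discrepancy, de-energizes the output.
    Fewer than two: shut down to the safe state.
    """
    live, failed = _diagnosed(healthy)
    if len(live) == 3:
        majority = sum(votes[n] for n in live) >= 2
        for n in live:
            if votes[n] != majority:
                failed[n] = "safe" if majority else "dangerous"
        return VoteResult(majority, "2oo3", failed)
    if len(live) == 2:
        a, b = votes[live[0]], votes[live[1]]
        mode = "1oo2-degraded" if a == b else "1oo2-degraded-discrepancy"
        return VoteResult(a and b, mode, failed)
    return VoteResult(False, "shutdown", failed)


def vote_1oo2d(votes: Dict[str, bool], healthy: Dict[str, bool]) -> VoteResult:
    """DMR 1oo2D output vote with 2-1-0 degradation (7.1.3).

    Both channels healthy: 1oo2, either channel demanding de-energize
    de-energizes the output.  One channel flagged by its own diagnostics
    (the "D"): its vote is discarded and the survivor runs 1oo1.
    No healthy channel: safe state.
    """
    live, failed = _diagnosed(healthy)
    if len(live) == 2:
        return VoteResult(votes[live[0]] and votes[live[1]], "1oo2", failed)
    if len(live) == 1:
        return VoteResult(votes[live[0]], "1oo1-degraded", failed)
    return VoteResult(False, "shutdown", failed)


if __name__ == "__main__":
    all_ok = {"A": True, "B": True, "C": True}
    # Constructed scan: channel C demands a trip the other two do not see (safe failure of C).
    print(vote_2oo3({"A": True, "B": True, "C": False}, all_ok))
    # Constructed scan: channel C refuses to trip while A and B demand it (dangerous failure of C).
    print(vote_2oo3({"A": False, "B": False, "C": True}, all_ok))
    # Channel B removed by diagnostics: 3-2 degradation, still running.
    print(vote_2oo3({"A": True, "B": True, "C": True}, {"A": True, "B": False, "C": True}))
    # 1oo2D with B removed by diagnostics: A alone keeps the output energized.
    print(vote_1oo2d({"A": True, "B": False}, {"A": True, "B": False}))
```

The point worth seeing in the `failed` dictionary is that the same dissent is classified differently depending on which way the majority went: a lone trip demand is a safe failure, a lone refusal to trip is a dangerous one, and that is the distinction 7.1.2 requires the system to alarm.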
8 ESD Hardware Configuration
The ESD chassis or modular assembly shall be of rigid, metal construction. ESD
assemblies, module densities and cabinet configurations shall be based solely on
convection ventilation requirements (See Paragraph 9). ESD chassis or modularconfigurations shall be capable of accepting all components necessary to configure a
DMR or TMR architecture, e.g., multiple processors (CPUs), I/O modules,
communications interfaces, power supplies, bus assemblies, external termination panels,etc. The chassis back-plane shall be capable of handling the electrical current
requirements of all applicable module configurations. ESD hardware and system
configuration shall be designed to minimize common mode or common cause failure
mechanisms.
8.1 CPU/Processor Memory, Execution, Synchronization and Scan Time
a) The Central Processing Units shall contain the program memory, either in nonvolatile EPROM, Flash memory or battery backed RAM, with a minimum 6 month battery backup for RAM based memory. Batteries shall be capable of being replaced without degrading ESD system functionality.
b) In addition to normal application programs, 50% spare 'application logic
switch shall allow optional operating modes, including PROGRAM, REMOTE, RUN or other equivalent functions.
8.2.5 CPU, I/O and Communication Module Status Indicators
Each system module CPU shall continuously monitor its own status and indicate either normal operation or error conditions via LED status indicators or equal on each module. Fault conditions shall be annunciated remotely at the operators' Workstation and be archived. Status indication at either the module or Workstation shall be provided for the following conditions or their equivalents:
a) MAIN PROCESSOR STATUS (Pass/Fault/Active)
b) COMMUNICATION MODULE STATUS (Pass/Fault/Active)
c) CHASSIS POWER SUPPLY (Pass, Fault)
d) RAM BATTERY STATUS
e) I/O MODULE STATUS (Fault/Active)
f) I/O CHANNEL FORCE (On)
g) FIELD POWER SUPPLY (Pass, Fault)
8.3 Time Synchronization
Time synchronization between ESD and DCS systems, shall be within
100 milliseconds and performed once daily as a minimum.
Commentary:
The recommended method of time synchronization is to synchronize both the DCS and ESD to a GPS clock / NTP Server over a network using SNTP.
(SNTP = Simple Network Time Protocol, NTP = Network Time Protocol, GPS = Global Positioning System)
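The synchronization method recommended in the commentary, as an added example (not code from this specification or from any DCS or ESD vendor): the Python below builds an SNTP (RFC 4330) client request, a constructed server reply, computes the clock offset from the four timestamps, and checks it against the 100 ms limit of 8.3. The timestamps, the stratum-1 "GPS" reference identifier and the tolerance constant are supplied here for illustration. One caveat the commentary does not state: plain SNTP carries no authentication, so the offset check only tells you that the two clocks agree, not that the reply came from the intended GPS server. The originate-timestamp comparison in the code is the minimal sanity check against stale or blindly spoofed replies; the time source itself should sit on the protected ESD/DCS network segment.

```python
"""SNTP (RFC 4330) request/reply and clock-offset check against the 100 ms
limit of 34-SAMSS-623 section 8.3.  Added example; the packets are
constructed inline so it runs offline.  Field layout follows RFC 4330; the
timestamps, reference identifier and tolerance constant are assumptions.
"""
import struct

NTP_UNIX_DELTA = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
PACKET = "!BBbbIIIQQQQ"         # LI/VN/Mode, stratum, poll, precision, root delay,
                                 # root dispersion, reference id, then reference,
                                 # originate, receive and transmit timestamps (64-bit each)
TOLERANCE_S = 0.100              # 8.3: ESD and DCS clocks within 100 milliseconds


def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    sec, frac = divmod(unix_seconds + NTP_UNIX_DELTA, 1)
    return (int(sec) << 32) | int(frac * (1 << 32))


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix time in seconds."""
    return (ts >> 32) + (ts & 0xFFFFFFFF) / (1 << 32) - NTP_UNIX_DELTA


def build_request(t1_unix: float) -> bytes:
    """Client request: LI=0, VN=4, Mode=3.  Only the transmit timestamp (T1) is set."""
    return struct.pack(PACKET, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1_unix))


def build_server_reply(request: bytes, t2_unix: float, t3_unix: float) -> bytes:
    """Constructed reply from a stratum-1 GPS-disciplined server: Mode=4,
    originate timestamp echoed from the request, T2 (receive) and T3 (transmit) filled.
    Reference id 'GPS\\0' and precision 2^-20 are illustrative values."""
    t1 = struct.unpack(PACKET, request)[10]
    return struct.pack(PACKET, 0x24, 1, 0, -20, 0, 0, 0x47505300,
                       to_ntp(t2_unix), t1, to_ntp(t2_unix), to_ntp(t3_unix))


def clock_offset(request: bytes, reply: bytes, t4_unix: float):
    """Return (offset, round_trip_delay) in seconds per RFC 4330:
        offset = ((T2 - T1) + (T3 - T4)) / 2,   delay = (T4 - T1) - (T3 - T2)
    Replies that are not mode 4, or whose originate timestamp does not echo
    our own transmit timestamp, are rejected before any arithmetic."""
    req = struct.unpack(PACKET, request)
    rep = struct.unpack(PACKET, reply)
    if (rep[0] & 0x07) != 4:
        raise ValueError("not a server reply")
    if rep[8] != req[10]:
        raise ValueError("originate timestamp does not match our request")
    t1, t2, t3, t4 = from_ntp(req[10]), from_ntp(rep[9]), from_ntp(rep[10]), t4_unix
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def within_tolerance(offset: float, tolerance: float = TOLERANCE_S) -> bool:
    """True when the measured offset satisfies the 8.3 limit."""
    return abs(offset) <= tolerance


if __name__ == "__main__":
    # Constructed exchange: the ESD clock is 40 ms behind the GPS server.
    t1 = 1_700_000_000.000
    req = build_request(t1)
    rep = build_server_reply(req, t2_unix=t1 + 0.050, t3_unix=t1 + 0.060)
    offset, delay = clock_offset(req, rep, t4_unix=t1 + 0.030)
    print(f"offset={offset:+.4f}s delay={delay:.4f}s ok={within_tolerance(offset)}")
```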
8.4 Input/Output Modules
8.4.1 The input section of the ESD system shall be designed to receive input signals from analog field devices or process activated switch contacts that are closed (i.e., normally energized) during healthy process conditions (and will open when process variables exceed predetermined limits). Outputs are designed to be normally energized (when healthy) and de-energize upon the loss of appropriate input signals.
Commentary Note:
Certain ESD outputs, e.g., 1500 HP or larger motor switch-gear trip coils
may be preconfigured as energize to trip rather than de-energize to trip. The Vendor must exercise caution when designing a fail-safe ESD interlock for these motor control circuits to ensure that the respective output circuits are properly monitored.
8.4.2 All ESD input and output points shall be individually fused, or employ current limiting circuitry, e.g., in the case of module 'self powered' I/O. Fuses shall be located on an external termination panel, fused terminal strip, or in a location readily accessible for maintenance. If fused terminal strips are used they shall be either hinged, quick-disconnect, cap, or an equivalent type of terminal, with a blown fuse indicator (e.g., LED - light emitting diode). Removal of I/O modules shall not be necessary to accomplish fuse replacement.
Commentary Note:
Requirements for individual input fusing or installation of knife-switch terminals do not apply to direct-connected RTD or thermocouple inputs. Fuse application, location, and ampacity ratings must be properly sized and coordinated, taking into account the maximum expected load at the maximum ambient temperature of the ESD system (i.e., 50°C).
8.4.3 I/O module types, quantities, and respective signal levels shall be as indicated on ISS sheets or the purchase order.
8.4.4 I/O modules shall be solidly constructed and shall be capable of being inserted into or removed from their chassis or mounting rail assemblies online, and shall not require movement of system cables or wiring, either external or internal. Field I/O wiring shall be connected to remote or extension termination panels via integral screw or compression type terminals.
8.4.5 The I/O section shall be designed such that all I/O modules are oriented vertically within the I/O chassis. I/O modules shall be capable of being arranged in any location within a chassis, irrespective of their voltage levels.
8.4.6 Proper chassis and component arrangement and spacing shall be used to minimize the potential for cabinet overheating. Cabinet heat generation/ventilation calculations shall assume that I/O housings have the maximum number of I/O modules inserted, with all I/O modules carrying their maximum connected load (load specifications to be supplied by Saudi Aramco). The heat calculation shall only consider provision for installed spares and future expansion capability.
8.4.7 All discrete I/O modules or their associated termination modules shall include local status indicators to monitor the status of each input and
output and any communication and I/O faults. Spare I/O points, whichare pre-configured within the ESD system shall be shorted or terminated
according to manufacturer's recommendations to avoid nuisance faults or
diagnostic alarms.
8.4.8 All inputs and all outputs shall incorporate internal diagnostic featureswhich permit them to be automatically tested on-line. Faults which are
detected in I/O modules shall be capable of being logged andannunciated. Provision shall be made to detect, alarm, disable and
backup I/O circuits that fail "on" (short circuit) thereby preventing a
situation where the ESD system can fail in a dangerous manner, beingunable to initiate a shutdown upon demand.
Commentary Note:
It may be necessary to mask certain diagnostics for supervised outputcircuits which are used for both ESD and normal equipment start/stopfunctions, or that are opened as part of an output circuit test. Forexample, solid-state ESD outputs which are directly wired into motorcontroller stop/start circuits as run permissives, and which supervise thevoltage/current in the control circuit, will require logic which mask thesediagnostics to avoid functionality conflicts between ESD and normalstop/start logic. This is also true for solenoid valve circuits which aremomentarily opened in order to verify proper failure mode response.
8.5 Remote I/Os and Communications Cables
8.5.1 ESD system remote I/O modules, if so specified on the ISS, shall becapable of being remotely located from their CPUs. Actual cable
length/distance requirements will be specified in the ISS. Remote I/O
modules shall have either two or three separate and independentcommunication links, communications interface modules, and drivers as
required by the specific ESD system architecture.
8.5.2 Communications links/cables shall comply with Vendor-recommended cabling using physically lockable, stress-relieving cable connectors. The ESD system Vendor shall confirm in writing that the selected communication cable(s) meet communications driver specifications. Communication cable electrical interfaces shall incorporate ground isolation circuitry as per the requirements of paragraph 8.6.1.a to avoid ground loops between equipment referenced to different ground nodes.
8.5.3 Communications driver software/firmware shall continuously monitor and check the status of communication links and associated I/O. Status indication shall be provided on the faceplate of each associated module. Loss of any single link or driver shall be logged by the system and annunciated externally, but shall not disable either local or remote I/O processing functions.
8.6 Communication
8.6.1 ESD External Communications
External bi-directional communication of ESD input/output status to an external computer (DCS) shall be accomplished as follows:
a) Via dedicated, electrically isolated communications interface, operating continuously, with physically and functionally redundant communications ports and paths.
Commentary Note:
Port and path redundancy is not required for application programconfiguration, testing or simulation via a workstation, or for a read-only type interface with external computers.
b) Communication interfaces shall be off-the-shelf, using existing,
industry standard media and communications protocols such as
OPC, Modbus or Ethernet as identified on the ISS.
c) Error checking schemes such as Cyclical Redundancy Checking (CRC), Longitudinal Redundancy Checking (LRC) or Check Sums, in conjunction with bit parity checks, fail-safe transmission time-out, message fault words, and loss of communication path alarms.
d) Write protected, by either key-lock or password security techniques, or a combination of both, such that the ESD operating system, ESD application program and memory contents are protected from unauthorized alteration.
e) Source password or key lock protection, in conjunction with a separate confirmation acknowledge step, is required to accept bypass commands.
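Paragraph 8.6.1(c) names the link-layer checks an ESD-to-DCS interface must carry, and 8.6.1(b) and 8.6.2.1 name Modbus as an acceptable protocol. The block below is an added example, not code from this specification or from any ESD vendor: it implements the Modbus RTU CRC-16 and the Modbus ASCII LRC, a plain check sum and even parity, and a constructed link monitor that keeps a message fault word and raises the loss-of-communication-path alarm on a fail-safe time-out. The frame bytes, fault word layout and time-out value are constructed.

```python
"""Link integrity checks from paragraph 8.6.1(c) on an ESD-to-DCS Modbus link.

Added illustration, not code from 34-SAMSS-623 or any ESD vendor. The CRC-16
and LRC are the checks Modbus RTU and Modbus ASCII carry; the sample frames,
parity helper, fault word layout and time-out watchdog are constructed.
"""
from typing import Optional


def crc16_modbus(data: bytes) -> int:
    """CRC-16 appended to Modbus RTU frames (poly 0x8005 reflected as 0xA001, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def lrc_modbus(data: bytes) -> int:
    """Longitudinal redundancy check of Modbus ASCII: two's complement of the byte sum."""
    return (-sum(data)) & 0xFF


def checksum8(data: bytes) -> int:
    """Plain 8-bit additive check sum; the weakest scheme, it misses swapped bytes."""
    return sum(data) & 0xFF


def even_parity_bit(byte: int) -> int:
    """Parity bit a UART adds to one character for even parity (bit parity check)."""
    return bin(byte & 0xFF).count("1") & 1


def rtu_frame_ok(frame: bytes) -> bool:
    """Validate a received RTU frame; the CRC follows the PDU low byte first."""
    if len(frame) < 4:                        # address + function + 2 CRC bytes
        return False
    body, lo, hi = frame[:-2], frame[-2], frame[-1]
    return crc16_modbus(body) == ((hi << 8) | lo)


def ascii_frame_ok(frame: bytes) -> bool:
    """Validate a Modbus ASCII frame: ':' + hex payload + hex LRC + CR LF."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        return False
    try:
        raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    except ValueError:
        return False
    return len(raw) >= 3 and lrc_modbus(raw[:-1]) == raw[-1]


class LinkMonitor:
    """Message fault word plus loss-of-communication-path alarm (constructed)."""

    FAULT_CRC = 0b01      # a frame failed its integrity check
    FAULT_TIMEOUT = 0b10  # no valid frame within the fail-safe time-out

    def __init__(self, timeout_s: float) -> None:
        self.timeout_s = timeout_s
        self.fault_word = 0
        self.last_good_rx: Optional[float] = None

    def on_frame(self, frame: bytes, now: float) -> bool:
        """Accept or reject a received RTU frame and update the fault word."""
        if rtu_frame_ok(frame):
            self.last_good_rx = now
            self.fault_word &= ~self.FAULT_TIMEOUT   # path is alive again
            return True
        self.fault_word |= self.FAULT_CRC
        return False

    def poll(self, now: float) -> bool:
        """True when the loss-of-communication alarm should be raised to the operator."""
        if self.last_good_rx is None or now - self.last_good_rx > self.timeout_s:
            self.fault_word |= self.FAULT_TIMEOUT
            return True
        return False
```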
8.6.2 Communications Interface
8.6.2.1 The controller shall, as a minimum, support multiple EIA/RS-232, EIA/RS-422, EIA/RS-485, or ANSI/IEEE 802.3 ports for communicating with external devices such as a DCS, host computer, local area network gateway, program development station, or printer. Acceptable data communications protocols include Modbus/RTU, TCP/IP, and OPC - Object linking and
8.6.3.4 Redundant communication cables or media shall take alternate routing.
8.6.3.5 Time-out of signals between peers or loss of communication shall initiate a communications failure/discrepancy alarm to notify the operator that manual intervention, maintenance or remedial action is required, but shall not cause the slave or remote ESD system to trip its respective facility.
Exception:
ESD systems installed in unmanned facilities shall trip their respective facilities upon total loss of communication signals with the master peer.
8.6.3.6 The ESD systems shall be designed and configured in accordance with ESD vendor guidelines and specifications, to ensure proper system and application program design for interfaces between the various systems.
8.6.3.7 Signs shall be provided on all ESD cabinet doors with a warning that the system utilizes peer-to-peer communication with other ESD systems and that the central/master ESD system shall not be interrupted unless system maintenance is required on all systems. The sign shall clearly identify the location and name of the other peer-to-peer ESD nodes and devices.
8.7 Power Supplies
8.7.1 Distribution of branch circuits shall be designed such that the loss of a single incoming power feeder will not compromise the integrity of the ESD system nor cause it to fail. Failure of a single power feeder shall be alarmed to the operator. Branch feeders distributing power from the 120 VAC ESD bus shall incorporate over-current protection for connected loads (rated at 125% of maximum possible connected loads). Tandem-type (dual) circuit breakers contained in a single molded-case breaker are not acceptable.
8.7.2 A transient power interruption of one-half cycle shall not have an effect on the ESD equipment or system performance. The Vendor shall incorporate all necessary filters, surge suppressors, or similar circuitry required to protect ESD equipment from voltage spikes and/or surges as defined in paragraph 17.2.
8.7.3 ESD Chassis Power Supplies
Fully redundant or N+1 chassis power supplies shall be used to supply power to internal ESD system modules. The power supply system must be separate, connected via robust cabling or an internal bus structure. The power supply system shall be sized to provide 100% of the ampacity requirements while one power supply unit is removed (at rated voltage, connected load, and maximum ambient temperature of 50°C) for the specified configuration of I/O cards, CPUs, etc., including provision for expansion capability (see paragraph 8.8). Calculations shall be based on all modules and outputs energized and carrying their maximum connected load.
8.7.4 Field I/O Power Supplies
8.7.4.1 Field I/O power supplies shall be separated and totally
independent of ESD system chassis power supplies.
8.7.4.2 Switch-mode or linear (non-switching) types shall be used to power the I/O portion of the ESD system. Branch circuits shall be protected from inadvertent shorts or grounds by proper fuse coordination and by physically shielding or protecting distribution buses.
8.7.4.3 The field power supply system shall be fully redundant or N+1 and sized to continuously supply 125% of its connected load while one power supply unit is removed (at rated voltage, ampacity, and maximum ambient temperature of 50°C). It shall be possible to configure power supplies in either a master-slave or load-sharing arrangement. Power supply loads shall be calculated with all points energized and all outputs carrying their maximum connected load. The load calculation shall include provision for installed spares and future expansion capability.
8.7.5 Power supply protection - General
Each power supply shall be protected by a properly sized circuit breaker or fuse. Output protection shall be provided via a combination of strategies (i.e., diode auctioneering/isolation, where diodes are rated at not less than 300% of the maximum power supply current delivery, and timed over-voltage/over-current protection).
8.7.6 ESD Chassis Power Supply Diagnostics
8.7.6.1 ESD system diagnostics shall detect events which may compromise internal (ESD chassis) power supply health or integrity, e.g., whenever extreme overvoltage, overcurrent, or high temperature conditions are detected within the power supply or at the DC output(s) of the power supply.
8.7.6.2 Power supply (health/fault) status shall be indicated on its faceplate and be externally communicated via alarm contacts (or software logic) to an alarm display and event logger/archiver.
8.7.7 ESD Reaction to Cycling of ESD System Power
8.7.7.1 The ESD system shall be designed such that output modules de-energize when primary UPS power is cycled to the ESD system (i.e., applied, removed, or restored to the CPU or I/O modules).
8.7.7.2 Individual output channels shall not be re-energized until the power to inputs and the logic is established, CPU and module diagnostic/startup routines have been reinitialized, and all application logic permissives have been reset, compared and re-voted.
8.7.7.3 Input and output bypasses which have been enabled as a result of an external data command (i.e., soft commands) shall be automatically reset to a non-enabled state in the event that power to an ESD system is cycled.
8.8 ESD System Spare Capacity and Future Expansion Capability
8.8.1 ESD System Spare I/O Capacity
The Vendor shall provide a minimum of 5% spare I/O points of each type specified (including associated termination modules) to allow for future system expansion. Spare rack, chassis, terminal strip, and panel space shall be provided for these spare I/O points. Spare I/O points shall be physically wired into the ESD system (e.g., between a termination panel/strip and an I/O module), shunted or terminated as necessary to avoid nuisance input diagnostics, and given pre-configured spare tags/definitions within the ESD operating system software.
Commentary Note:
A minimum of one spare module for each different type of card shall also be provided, but not wired into the system.
8.8.2 ESD System Expansion Capability
The total expansion capability for ESD systems involving new plant facilities (excluding existing ESD replacements or upgrades) shall be 10%. This includes spare rack, chassis, terminal strip, and panel space for the installed 5% spare I/O points specified in 9.6.2 plus an additional 5% unused I/O point expansion capability (total spare rack and cabinet space permits a composite expansion capability of 10% of I/O points).
8.9 Component Selection Criteria
8.9.1 Electronic components shall be high quality, industrial grade.
8.9.2 Printed circuit board (PCB) and module/card construction shall be rigid and robust. Each PCB/module shall be identified by type/revision number and serial number.
8.9.3 Edge connectors on ESD modules or PCBs shall be gold plated. All modules or PCBs shall incorporate a keying system to prevent improper board or module placement or orientation.
8.9.4 Front panel LEDs or visual indicators that permit module health,
communications or I/O channels to be monitored must be identified and
mechanically protected.
9 ESD Panel Construction
9.1 Indoor Installations
34-SAMSS-820 "Instrumentation Control Cabinets Indoor" shall be used for the design of ESD cabinets located indoors except where superseded by this specification.
9.2 Outdoor Installations
9.2.1 34-SAMSS-821 "Instrumentation Control Cabinets Outdoor" shall be used for the design of ESD cabinets located outdoors except where superseded by this specification.
9.2.2 The cabinets shall be 316L stainless steel, minimum 12 GA. (for corrosion resistance), and weather tight (NEMA 4X or IP 56 for ingress protection). All hardware including hinges, latches, fittings, etc., shall be 316L stainless steel for the cabinet and interior interface panels (as applicable).
9.2.3 There shall be no penetrations on the top of the cabinet.
9.3 Additional Requirements for ESD Cabinets
9.3.1 ESD cabinets shall be rigid and self-supporting. Cabinets shall be braced for shock and vibration normally encountered during transport and construction.
Commentary Note:
System modules may be shipped separately from system cabinets to avoid weight impact on the system chassis.
9.3.2 All doors shall be provided with integral lockable door handles with the same lock and key combination, unless otherwise specified on the ISS. Each door panel shall be electrically bonded to the main cabinet by a braided ground strap (wire size #8 AWG or equivalent).
9.3.3 Cabinet Ventilation
9.3.3.1 ESD cabinets shall be designed to be convection ventilated. However, fans may be used within cabinets or ESD power supplies to assist in heat removal and lower ambient cabinet temperatures provided that:
a) No credit is given to their operational status in reducing
internal cabinet temperatures so as to meet continuous
ambient-operational requirements of paragraph 5.5.
b) The net reduction in ventilation area is factored into
ventilation inlet area and filter mesh calculations.
9.3.3.2 Calculation programs or procedures shall be used to properly size inlet and outlet areas and filter mesh/screen sizing. (Note: these calculations must be available for the Buyer's review.) Careful attention should be given to module population density, component spacing and cabinet arrangement to ensure that hot spots or thermal gradients do not occur within the cabinet.
Commentary Note:
It is recommended to install baffles between system chassis to divert hot air away from electronic equipment.
9.3.4 Assembly and Mounting
ESD system modules or components shall be mounted such that they can be quickly replaced in the event of their failure. Module or component mounts, bracing and/or supports shall be designed so that they dampen out the effects of external vibration. ESD modules that plug into a backplane, motherboard or rail must utilize a restraining bar or anchoring device to prevent accidental removal or release due to shock or vibration. Components that are not mounted on printed circuit boards or installed individually within modules, motherboards or chassis must be securely fastened to a cabinet support member, rail, or bus assembly.
9.3.5 Power/Signal/Communications Wiring, Routing and Terminations
9.3.5.1 Communications cabling between processors and transceivers/communications drivers shall utilize the Vendor's standard cable and pre-assembled terminators. The Vendor's maximum specified communications cable lengths shall not be exceeded. All cabling shall be provided with sufficient slack to allow for the maximum allowable bend radius into a cable termination plug or connector. Individual communications cables for each of the redundant (A, B) or triplicated (A, B, and C) communications paths must be of the same nominal length and identical cable specification to prevent communication timing and synchronization problems. Cable connectors shall have strain relief cable boots and be lockable to prevent inadvertent separation or disconnection.
9.3.5.2 Discrete inputs and outputs to field devices (which are not line-monitored in a current loop arrangement) shall be wired so that they switch the hot side of the line. Isolated commons shall be used when passing signals between devices which utilize different grounding systems.
10 ESD System Safety Availability (PFDavg)
10.1 The PFDavg for the composite ESD system (all modules and subsystems considered) shall be a minimum of 0.0001 (10⁻⁴). To achieve this the ESD system design and architecture shall conform to paragraphs 7 and 8 of this specification and incorporate sufficient redundancy, self-diagnostic and automatic self-test features (i.e., Diagnostic Coverage > 99%).
10.2 The Vendor's ESD system proposal shall include detailed calculations for the PFDavg of the system that they are proposing and the mean time to a safe (spurious) and dangerous failure. Markov models shall be used to calculate safety availability in terms of PFDavg. Transition probability matrices shall be used as the basis for these calculations. All assumptions must be clearly stated.
10.3 Markov modeling shall split all ESD component failures into dangerous and safe failures. A dangerous failure is one that puts the ESD system in a fail-to-function state, unavailable to shut down the process if a demand is placed on it. A safe failure is one that causes the ESD system to prematurely shut down the process when no hazard exists (e.g., a false or spurious trip). The Vendor's ESD system proposal shall include detailed calculations for the maximum allowable spurious failure rate for the composite ESD system (all modules and subsystems considered).
10.4 The Vendor's Markov model must include diagnostic coverage factors for all Vendor-supplied ESD system components and show on-line repair rates when redundancy allows repair on-line. On-line field repair times of eight (8) hours are to be used in calculations. Failures which are undetected on-line will be subject to a system proof test interval of 10 years (e.g., off-line functional testing of field I/O devices).
11 Fault-Tolerant Considerations
The Vendor's ESD system shall be designed to tolerate faults, not eliminate them. ESD hardware and system configuration shall be designed to minimize common mode or common cause failure mechanisms. The ESD system must have the ability to recognize and detect either a safe or dangerous fault. It must be able to locate the source of that fault, contain and isolate the fault to a specific module or modules of the system, and be able to recover, or maintain operational status in the presence of a fault. Both transient and permanent module or system faults shall be capable of being stored in or retrieved from non-volatile processor memory.
12 Reliability
ESD system components shall meet or exceed the MTBF data specified in the table below at the equipment's design temperature over the life of the system. MTBF figures shall be "Predicted" using data and calculation provided by the Bellcore Reliability Prediction Procedure.

Module                          MTBF
Process Controller module       15 Years
Input/Output Modules            25 Years
Communication Module            25 Years
System Power Supply module      50 Years
Field Power Supply              50 Years

NOTE: The above MTBF figures are assumed for each individual module or leg in its simplex form. The vendor must calculate the overall MTBF for each module with the required redundancy (dual or triplicated) to meet SIL 3 fault-tolerant system requirements and provide it as part of the system proposal.
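Sections 10 and 12 both call for a Markov calculation: the PFDavg over the proof-test interval with on-line repair and diagnostic coverage, and the MTBF of a module once it is made dual or triplicated. The following block is an added example, not the specification's or any vendor's calculation; the channel dangerous failure rate (1e-6 /h), the 1oo1 and 1oo2 state models and the single repair crew are constructed assumptions, while the 8 h repair time, 10-year proof test, >99% diagnostic coverage, 25-year simplex MTBF and 1e-4 target are taken from the text above.

```python
"""Markov-model safety figures for an ESD logic solver (sections 10 and 12).

Added illustration, not part of 34-SAMSS-623 or any vendor's calculation. The
8 h repair time, 10-year proof test, >99 % coverage and 1e-4 PFDavg target
are the specification's; channel rates and the 1oo1/1oo2 models are constructed.
"""
from typing import Dict, List, Tuple

HOURS_PER_YEAR = 8760.0
MTTR_H = 8.0                          # on-line field repair time, para 10.4
PROOF_TEST_H = 10 * HOURS_PER_YEAR    # proof-test interval for undetected faults
PFD_TARGET = 1e-4                     # para 10.1

Generator = List[List[float]]         # continuous-time rate matrix, rows sum to 0


def split_rates(lambda_d: float, dc: float) -> Tuple[float, float]:
    """Dangerous failure rate -> (detected, undetected) via diagnostic coverage."""
    return lambda_d * dc, lambda_d * (1.0 - dc)


def generator_1oo1(lambda_d: float, dc: float) -> Tuple[Generator, List[int]]:
    """Simplex channel. States: 0 OK, 1 dangerous detected (under repair),
    2 dangerous undetected (revealed only by the proof test)."""
    ldd, ldu = split_rates(lambda_d, dc)
    mu = 1.0 / MTTR_H
    q = [[-(ldd + ldu), ldd, ldu],
         [mu, -mu, 0.0],
         [0.0, 0.0, 0.0]]
    return q, [1, 2]


def generator_1oo2(lambda_d: float, dc: float) -> Tuple[Generator, List[int]]:
    """Dual channel, one repair crew. States: 0 both OK, 1 one DD, 2 one DU,
    3 DD+DD, 4 DD+DU, 5 DU+DU. The system cannot trip only in states 3-5."""
    ldd, ldu = split_rates(lambda_d, dc)
    mu = 1.0 / MTTR_H
    q = [[0.0] * 6 for _ in range(6)]
    def rate(i: int, j: int, r: float) -> None:
        q[i][j] += r
        q[i][i] -= r
    rate(0, 1, 2 * ldd); rate(0, 2, 2 * ldu)
    rate(1, 0, mu);      rate(1, 3, ldd); rate(1, 4, ldu)
    rate(2, 4, ldd);     rate(2, 5, ldu)
    rate(3, 1, mu)                        # one DD channel repaired
    rate(4, 2, mu)                        # DD channel repaired, DU one remains
    return q, [3, 4, 5]                   # DU+DU is cleared only by the proof test


def pfd_avg(q: Generator, failed: List[int], dt_h: float = 1.0) -> float:
    """Average probability of failure on demand over one proof-test interval.

    Steps the transition probability matrix P = I + Q*dt hourly from the
    all-good state (para 10.2). The proof test at the end of the interval
    restores the system, so the time average over one interval is PFDavg.
    """
    n = len(q)
    p = [[(1.0 if i == j else 0.0) + q[i][j] * dt_h for j in range(n)] for i in range(n)]
    state = [1.0] + [0.0] * (n - 1)
    steps = int(PROOF_TEST_H / dt_h)
    acc = 0.0
    for _ in range(steps):
        state = [sum(state[i] * p[i][j] for i in range(n)) for j in range(n)]
        acc += sum(state[k] for k in failed)
    return acc / steps


def mttf_hours(q: Generator, failed: List[int]) -> float:
    """Mean time from all-good to the first failed state: the MTBF of the
    redundant configuration that section 12 asks the vendor to calculate.
    Solves (-Q_T) t = 1 over the transient states by Gauss-Jordan elimination."""
    transient = [i for i in range(len(q)) if i not in failed]
    m = len(transient)
    a = [[-q[i][j] for j in transient] + [1.0] for i in transient]
    for c in range(m):
        piv = max(range(c, m), key=lambda r: abs(a[r][c]))
        a[c], a[piv] = a[piv], a[c]
        for r in range(m):
            if r != c:
                f = a[r][c] / a[c][c]
                a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return a[0][m] / a[0][0]


def evaluate(lambda_d: float, dc: float) -> Dict[str, float]:
    """PFDavg of the simplex and dual architectures for one set of channel data."""
    return {"1oo1": pfd_avg(*generator_1oo1(lambda_d, dc)),
            "1oo2": pfd_avg(*generator_1oo2(lambda_d, dc))}


if __name__ == "__main__":
    # Constructed channel data: dangerous failure rate 1e-6 /h, 99 % coverage.
    for arch, pfd in evaluate(1e-6, 0.99).items():
        verdict = "meets" if pfd <= PFD_TARGET else "fails"
        print(f"{arch}: PFDavg = {pfd:.2e} ({verdict} the 1e-4 target)")
    # Section 12: I/O module with 25-year simplex MTBF, dual redundant, 8 h repair.
    lam = 1.0 / (25 * HOURS_PER_YEAR)
    years = mttf_hours(*generator_1oo2(lam, 1.0)) / HOURS_PER_YEAR
    print(f"dual I/O module MTBF = {years:.0f} years")
```

With these inputs the simplex channel misses the 1e-4 target while the dual channel meets it with margin, which is why 10.1 asks for redundancy as well as high diagnostic coverage.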
13 Noise and Fault Protection
I/O Protection
13.1 All discrete I/O circuits shall be isolated from logic or processor circuitry via
optical coupling or other equivalent means. Steady-state voltage isolation shall
be a minimum of 1000 Volts RMS, or 1500 VDC common-mode.
13.2 All discrete I/O circuits shall be designed such that accidental normal-mode connection of 1000 VAC/DC to its external terminals for one second shall not cause any system damage other than to the discrete circuit to which it is applied.
13.3 Analog input circuits shall be designed with integral over-range protection such that accidental connection of a nominal 120 VAC or 125 VDC for one second will not functionally disable or degrade the long-term performance of the input point or module.
13.4 Output circuits and final elements shall be provided with protection against reverse EMF and voltage transients caused by the switching of inductive DC loads (i.e., R-C circuits, solenoid valve coils), and protection against current overloads.
Commentary Note:
A suggested protection/suppression technique is to install a 1N4007 diode across an inductive DC load.
14 Programming and Configuration
Program development software tools shall be provided by the Vendor, enabling the user to develop, edit and debug application programs. Software shall be IEC-61131-3 based, incorporating on-screen tutorials and help functions to assist the user. Software shall be compatible with a current Windows operating system supported by Microsoft Corp. The program development workstation shall be capable of monitoring the status of application programs in real time.

The ESD system shall be capable of separating application logic into multiple programs. A minimum of 2 programs shall be capable of being executed simultaneously within the ESD system.
14.1 Program Development Workstation
Minimum PC/Workstation requirements are specified within the requisition or ISS.
14.2 On-Line and Off-Line Programming Capability and Support
The program development software shall be capable of supporting both on-line and off-line programming. On-line programming, or making on-line application program changes while an ESD system is operating (e.g., configuring new I/O points, tags and addresses, revising or adding logic and changing dynamic element parameters), shall be possible without having to reset or re-initialize application programs currently running within the CPU. Off-line program emulation shall be provided unless specified otherwise. Program editing functions shall incorporate automatic time-dated and revision-level file saving routines which store all file revisions.
14.3 Program Utilities
The following programming utilities or their equivalent functions shall be provided by the Vendor:
a) Relay Ladder Logic, Function Block Logic Elements, Sequential Function Charts/Tables
b) First-out Event Discrimination (first ESD event out of a group of events)
c) Event Log Configuration
d) System diagnostics
e) Program documentation and cross-reference
f) On-line application program changes
g) Input and output forcing
h) Hardware configuration
i) Comprehensive program revision and control that allows source code comparisons between different revision levels of ESD application programs
j) Configurable multi-level password control to allow definition of users' access rights
k) Help utilities that describe the proper sequence for defining new points,
building or revising logic, verifying logic, debugging logic, simulating
application program logic, and downloading new logic
14.4 Program Development Elements and Function Block Libraries
The Vendor shall provide standard development program elements and function block libraries that are capable of performing the required program logic.
14.5 Application Program and Software Development and Testing
14.5.1 If specified in the purchase order or ISS, the Vendor shall be required to develop an application program(s) which performs the logic sequence and functionality as indicated on referenced logic diagrams.
14.5.2 The application program shall be designed in such a manner as to promote user friendliness (for operations & maintenance personnel). This means that detailed comments and descriptions shall be included throughout all ladder or function block networks (or relational elements) which identify elements by tag numbers, and communicate network description and intended functionality.
14.5.3 Ladder or function block logic networks shall be arranged in such a manner as to group all logic dealing with a specific piece of equipment, function, or task. Logic for individual pumps, turbines, compressors, or process interlocks must be differentiated by separate networks or function blocks. Identical logic structures and elements (except for tag names and addresses) should be used for the ESD logic of equipment operating in parallel trains, or which is controlled in a similar manner.
14.5.4 When assigning input and output addresses for field devices pertaining to a group of equipment or trains (e.g., a group of pumps, turbines, compressors, etc.), it is recommended to assign these signals to different I/O modules, so that a potential failure of one module or card will not adversely affect more than one piece of equipment of the group or shut down multiple process trains.
14.5.5 Software-configured I/O bypass switches shall use a secure data transmission mechanism to implement bypass initiation or bypass reset action. The data transmission may be either retentive or non-retentive provided that confirmation feedback of bypass logic initiation and status is also implemented.
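Paragraphs 8.6.1(e), 8.7.7.3 and 14.5.5 together define how a soft bypass must be accepted: password or key-lock protection, a separate confirmation acknowledge, confirmation feedback of bypass status, and automatic reset on a power cycle. The block below is an added example of that sequence, not part of 34-SAMSS-623 or any vendor product; the PBKDF2 password hashing, the confirmation token and window, and tag names such as PSHH-101 are constructed assumptions.

```python
"""Two-step, password-protected soft bypass for ESD I/O (paras 8.6.1(e),
8.7.7.3 and 14.5.5).

Added illustration, not part of 34-SAMSS-623 or any vendor product. PBKDF2
password hashing, the confirmation token and window, the tag names and the
event text are constructed assumptions.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Set, Tuple


class BypassManager:
    """A bypass becomes active only after a password check and a separate acknowledge."""

    def __init__(self, password: str, confirm_window_s: float = 60.0) -> None:
        self._salt = os.urandom(16)
        self._pw_hash = self._derive(password)
        self.confirm_window_s = confirm_window_s
        self._pending: Dict[str, Tuple[str, float]] = {}  # tag -> (token, t_requested)
        self._active: Set[str] = set()
        self.events: List[str] = []                       # feeds the event logger

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _authenticate(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password), self._pw_hash)

    def request(self, tag: str, password: str, now: float) -> Optional[str]:
        """Step 1 (8.6.1(e)): password-protected request; returns the token to confirm with."""
        if not self._authenticate(password):
            self.events.append(f"{now:.0f} BYPASS {tag} REJECTED bad password")
            return None
        token = secrets.token_hex(8)
        self._pending[tag] = (token, now)
        self.events.append(f"{now:.0f} BYPASS {tag} PENDING confirmation")
        return token

    def confirm(self, tag: str, token: str, now: float) -> bool:
        """Step 2: the separate acknowledge; nothing is bypassed until it succeeds."""
        entry = self._pending.pop(tag, None)       # one attempt per request
        if entry is None:
            return False
        expected, t_req = entry
        if now - t_req > self.confirm_window_s or not hmac.compare_digest(expected, token):
            self.events.append(f"{now:.0f} BYPASS {tag} REJECTED stale or wrong acknowledge")
            return False
        self._active.add(tag)
        self.events.append(f"{now:.0f} BYPASS {tag} ACTIVE")
        return True

    def reset(self, tag: str, password: str, now: float) -> bool:
        """Bypass reset uses the same protected path as initiation (14.5.5)."""
        if not self._authenticate(password) or tag not in self._active:
            return False
        self._active.discard(tag)
        self.events.append(f"{now:.0f} BYPASS {tag} RESET")
        return True

    def status(self, tag: str) -> str:
        """Confirmation feedback of bypass status for the operator display (14.5.5)."""
        if tag in self._active:
            return "BYPASSED"
        return "PENDING" if tag in self._pending else "NORMAL"

    def power_cycle(self, now: float) -> None:
        """8.7.7.3: soft bypasses return to the non-enabled state on a power cycle."""
        self._pending.clear()
        self._active.clear()
        self.events.append(f"{now:.0f} POWER CYCLE all soft bypasses cleared")

    def trip_vote(self, tag: str, input_tripped: bool) -> bool:
        """What the shutdown logic sees: only an active bypass suppresses a trip demand."""
        return input_tripped and tag not in self._active
```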
15 On-Line Diagnostics
15.1 Processor/CPU modules shall run diagnostics in conjunction with the execution of application programs in such a manner as to avoid interfering with the basic cycle time of any application. Should a fault occur, the controller shall support both local indication and remote annunciation of faults.
15.2 Module or board failures shall be displayed by means of a 'Fault' indicator on the failed module. Preconfigured diagnostic displays shall also be available via programming tool set displays or via memory-mapped interfaces to external DCS computers and Operator workstations. Diagnostic messages, displays and/or alarms shall be capable of identifying any system fault to a particular cabinet, rack, module, channel and slice.
15.3 ESD Module Failure Indication and Action
15.3.1 Failures or faults within I/O circuits or system modules shall be automatically detected by routine diagnostics. System faults or failures shall initiate a system status alarm and be captured in non-volatile internal memory. Faults or failures which prevent individual system components or modules from functioning normally shall initiate an automatic switch-over to a redundant module (i.e., depending on the ESD architecture selected), or cause its particular circuit or module to be removed from service.
15.3.2 On-line removal/replacement of any ESD system module (assuming the system is not running in a degraded mode) shall be possible without having to reconfigure system software, alter system wiring or cabling, de-energize system or module power, re-initialize the ESD system or compromise ESD safety functions.
16 Documentation
Required Vendor's Documentation - Prior to commencement of a factory acceptance test (FAT), the Vendor shall provide the following Non-Material Requirements (NMRs) to designated Company representatives, in electronic format:
a) A listing of the ESD system configuration identifying each module type, location, and tag name;
b) Annotated application program files in ladder logic or function block logic format including all pertinent embedded comments describing logic functionality. Descriptors for logic elements/blocks shall include completed I/O addresses and tag numbers, set points, logic element parameter identification, and logic execution sequence so as to facilitate ESD system troubleshooting;
c) An Index of the system's data base including tag name(s), descriptors, and alias
addresses;
d) I/O and internal element, and alias variable cross reference;
e) A narrative describing the operation and sequence of the logic system (embedded ladder or function block comments are acceptable provided they are comprehensive);
f) Vendor standard documentation for fault finding/troubleshooting guide for the
ESD cabinet and all components;
g) Vendor standard Installation and Maintenance/Troubleshooting Manuals containing: module circuit schematics/diagrams (where repair and fault-finding can realistically be performed) with parts lists, assembly and interconnecting wiring diagrams, field device/input-output termination/wire number/I/O module indexes, cabinet construction, assembly and interconnecting wiring diagrams; and cabinet arrangement drawings showing front and rear views of the enclosure with a hidden view of installed equipment;
h) Vendor standard Operations/Programming Manual, describing operating modes, program editing elements, parameters, guidelines and instructions;
i) Vendor standard Safety Manual and/or Product Guide;
j) Vendor's calculation of overall ESD system PFDavg (1 - Safety Availability), i.e., for Vendor-supplied or integrated components, plus MTBF for all components and spurious failure rates;
k) Vendor's heat calculation for each system cabinet;
l) TUV Certificate and Report.
17 Quality Control
17.1 Quality Control Procedures
17.1.1 A total 'Quality Assurance' (QA) program covering the span from ESD system design conception through user satisfaction shall be active.
17.1.2 The Vendor's QA program shall conform to the guidelines of ISO 9001, Quality systems - Model for quality assurance in design/development, production, installation, and servicing.
17.1.3 Sampling techniques shall be applied where practical, but never used for final acceptance and burn-in of system components. Where statistical inspections are applied, the plan shall conform to the guidelines of ISO 9001.
17.2 Qualification Testing
The Vendor's manufactured ESD equipment, comprised of modules, operating system (kernel) software and firmware, shall be certified to meet the SIL 3 requirements of International Electrotechnical Commission (IEC) IEC-61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, by Factory Mutual or TUV Product Services, Rheinland or Bayern. The Vendor's manufactured equipment shall be capable of meeting the following parameters as documented by a third-party certification agency such as TUV, UL, FM, or CSA:
a) Vibration - Per axis sinusoidal (Sinusoidal Sweep) 55 to 200 Hz 1.5 G
b) Shock
Non-Operating: 15 G for 11 msec
Operating: 6 G for 11 msec
c) Temperature
Operating: 0 to 50°C (temperature external to ESD cabinet)
d) Thermal Stress: 70°C (represents storage temp.)
e) Humidity: 0 - 95% relative, non-condensing
f) Electromagnetic Compatibility per section 5.6.6 of this standard
g) Hipot & Ground Continuity: Per CSA C22.2 No. 0 (or equal)
h) Burn-In Testing
The Vendor's production testing of all ESD system active component parts, inclusive of all component modules, shall include a dynamic burn-in test period of a minimum of 40 hours. This testing shall be conducted in a controlled environment, where temperature is varied from 0 to 60°C, and where 60°C temperatures are held for at least 16 hours.
18 ESD System Inspection and Testing
A Conditions Diagram, Logic Function Chart/Table, logic diagrams or ESD system functional narrative, along with inspection and testing form 175-344400, attached to the Purchase Order, shall be used as the basis for a Factory Acceptance Test of all Vendor-supplied ESD equipment.
18.1 Factory Acceptance Test (FAT)
18.1.1 During the FAT, the complete ESD system, including all composite modules, interconnecting wiring, and associated circuitry, shall be subject to both hardware and software functional tests. These tests shall demonstrate the functionality of each individual component module within the integrated ESD system, including individual I/O point tests.
18.1.2 Cabinet heat generation shall be tested on the most heavily loaded ESD system cabinet during the FAT, with all configured and installed spares energized. ESD system cabinets that have the same arrangement as an ESD cabinet that has already passed a heat generation test do not need to be tested again.
18.1.3 Wire tagging and terminations shall be checked and "tug" tested. (A tug test involves physically stressing a wire termination to determine
whether it has been crimped and/or terminated properly. The intent is not to break wiring or stress insulation but to test the integrity of the termination.)
18.1.4 All ESD system software logic/application programs shall be checked against logic drawings and dynamically tested and verified for proper ESD sequence and functionality:
a) The dynamic test will involve physically simulating all inputs and outputs in their proper operational sequence, and verifying that the specified ESD application program logic is executed properly.
b) The ability to make and save on-line application program changes and to configure new I/O points, without having to reinitialize the operating system, shall also be tested at this time.
c) Fail-safe output states will be tested in response to simulated input/output module and CPU failures and loss of ESD module power.
d) All diagnostic routines shall be tested by simulating CPU and I/O module/individual point failures, power supply failure, communications interface failures, and card replacement induced failures.
e) Fault histories/summaries shall be logged and annunciated both on an external printer and on an operator's workstation or console.
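As an added illustration of the dynamic sequence check in 18.1.4 a) and the fail-safe check in 18.1.4 c) (example code written for this page, not part of the standard or of any vendor's product): a constructed Python model of one de-energize-to-trip output with 2oo3 voting and a latched trip, driven through an input sequence and through simulated CPU, I/O module and module power failures. The class and function names, the 2oo3 arrangement and the latch/reset behaviour are assumptions of this example, not requirements taken from the standard.

```python
from enum import Enum

class Health(Enum):
    OK = "ok"
    FAULT = "fault"  # failure detected by on-line diagnostics

class EsdOutput:
    """De-energize-to-trip output fed by 2oo3 voted trip inputs (constructed model).
    scan() returns True when energized (running), False when de-energized (tripped, safe)."""
    def __init__(self):
        self.trip_inputs = (False, False, False)  # True = trip demand present
        self.cpu = self.input_module = self.output_module = Health.OK
        self.power = True
        self.latched = False  # a trip latches until an explicit reset

    def scan(self):
        """One logic-solver scan: health check, 2oo3 vote, latch, output state."""
        if not self.power or Health.FAULT in (self.cpu, self.input_module, self.output_module):
            return False  # any diagnosed failure or loss of power forces the safe state
        if sum(self.trip_inputs) >= 2:
            self.latched = True
        return not self.latched

    def reset(self):
        """Operator reset is honoured only once the trip demand has cleared."""
        if sum(self.trip_inputs) < 2:
            self.latched = False

def dynamic_sequence_test(steps):
    """18.1.4 a): steps are trip_inputs tuples or "reset"; returns the output state after each."""
    out, results = EsdOutput(), []
    for step in steps:
        if step == "reset":
            out.reset()
        else:
            out.trip_inputs = step
        results.append(out.scan())
    return results

def fail_safe_test():
    """18.1.4 c): with no trip demand, inject each failure; True = output went safe."""
    faults = {"cpu_failure": ("cpu", Health.FAULT), "input_module_failure": ("input_module", Health.FAULT),
              "output_module_failure": ("output_module", Health.FAULT), "loss_of_module_power": ("power", False)}
    results = {}
    for name, (attr, value) in faults.items():
        out = EsdOutput()
        setattr(out, attr, value)
        results[name] = not out.scan()
    return results
```

A reset issued while two or more trip demands are still present is refused by the model, so the sequence test also shows that the output stays de-energized until the demand clears.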
18.2 Integrated Factory Acceptance Test (IFAT)
When the ESD system(s) is part of an integrated Process Automation System,
i.e., DCS, an IFAT shall:
a) Functionally test a minimum of one of each type of communication interface using the actual system and equipment.
b) Functionally test each I/O point interfaced between the ESD and DCS. This test may use an I/O software simulator when the ESD I/Os are not available at the IFAT location.
c) Test all shutdown, reset, bypass and alarm signals.
18.3 All discrepancies noted in the FAT and/or IFAT shall be resolved to the satisfaction of the Buyer. Results of the FAT and/or IFAT shall be documented by a written report, supported by the FAT and/or IFAT procedures used.
Revision Summary
20 March 2006 Major revision.