Governing document
Classification: Internal

Safety and Automation System

Project development (PD), Technical and professional requirement, TR3034, Final Ver. 2, valid from 2012-07-12

Owner: Leader TEX FOT ELA ATBO

Validity area: Corporate technical requirements/All locations/All value chains/On- and offshore


1 Objective, target group and provision
  1.1 Objective
  1.2 Target group
  1.3 Provision
2 Introduction
3 Operational philosophy
4 SAS structure
  4.1 Location
  4.2 Segregation of SAS functions
  4.3 Independence between functions
  4.4 SAS logic solver groups
  4.5 Control class of equipment packages
  4.6 Communication interfaces between SAS logic solvers
  4.7 Communication interfaces between SAS logic solvers and control class 2 systems
  4.8 Other SAS communication interfaces
5 SAS Human Machine Interface (HMI)
  5.1 General
  5.2 SAS operator station
  5.3 Large Screen Display (LSD)
  5.4 Critical Action Panel (CAP)
  5.5 Printing facilities
  5.6 Alarm and event handling
  5.7 Trend
  5.8 User interfaces for SAS testing
  5.9 User interfaces for SAS maintenance
  5.10 User interfaces for software engineering
6 Safety Instrumented System (SIS)
  6.1 General
  6.2 Emergency shutdown (ESD) system
  6.3 Process shutdown (PSD) system
  6.4 Fire & gas (F&G) detection system
  6.5 Boiler/Fired-equipment Protection System and Burner Management System
  6.6 Flare ignition
  6.7 Subsea shutdown functions
7 Process Control System (PCS)
  7.1 General
  7.2 Basic process control system
  7.3 Power distribution control system
  7.4 Subsea control system
  7.5 Marine systems in SAS
  7.6 Compressor control
  7.7 Other drives control systems
  7.8 Boiler/Fired-equipment Control
  7.9 PCS control class 2
8 Access rights
9 SAS software
  9.1 General
  9.2 System software
  9.3 Engineering and maintenance tools
  9.4 Application configuration
  9.5 Typicals library
  9.6 Life-cycle simulator interface and SAS functionality required for simulator
10 SAS hardware
  10.1 General
  10.2 Manufacturing requirements
  10.3 Availability and redundancy requirements
  10.4 SAS network
  10.5 SAS servers and operator stations
  10.6 Logic solvers
  10.7 Remote I/O
  10.8 Wireless network
  10.9 Input/output cards requirements
  10.10 Cabinets
  10.11 Power supplies, power distribution
  10.12 Earthing
  10.13 Cables
  10.14 SAS termination
  10.15 SAS monitoring
11 SAS performance
  11.1 Logic solver cycle time
  11.2 Time synchronisation
  11.3 Response times
  11.4 Time stamping
  11.5 SAS lifetime
  11.6 Operational requirements
12 Spare capacity and expandability
13 LCI requirements
14 Testing of SAS
15 Additional information
  15.1 Definitions and abbreviations
  15.2 Changes from previous version
  15.3 References


1 Objective, target group and provision

1.1 Objective

The objective of this document is to state technical requirements for the Safety and Automation Systems (SAS). This specification shall be used for new facilities and upgrade projects which involve total SAS upgrade/replacement. For modifications on existing automation systems, some requirements in this TR may be in conflict with existing design. Conflicts shall be assessed prior to the modification, and where existing design shall be maintained, this shall be documented as local addendums to this TR.

1.2 Target group

The target group for this document is personnel that shall specify, engineer, fabricate, install, maintain, modify, upgrade and operate Safety and Automation Systems.

1.3 Provision

This document is provided for in TR3030 – Automation, Technical requirements and standards.


2 Introduction

[Figure 1 Typical automation system topology (logical presentation). The diagram itself is not reproduced in this transcript; the legend and labels recoverable from it are listed below.]

Locations shown: Server Equipment Room / LQ; Central Control Room / LQ; Central Equipment Room; Local Equipment Room / LQ; Local Equipment Room / Process Area; Electrical Equipment Room.

Elements shown: Operator Station (monitor); Large Screen Display (LSD station); Critical Action Panel; Engineering Work Station (EWS); SAS Gateway; Secure Access Solution to Office network; Plant Information Systems incl. IMS; Wireless Access point; ESD, PSD, F&G, PCS and PDCS Logic Solvers; Control Class 2 and Control Class 3 Systems; Remote I/O Units; MCC; VSD; Electrical Switchboard; Fieldbus instruments.

Connection legend: Redundant backbone SAS Network (Electrical / Optical); Technical Network (Optical / Electrical); High speed communication, e.g. Profibus DP, ProfiSafe, ProfiNet, OPC UA, Modbus TCP; Fieldbus communication, e.g. Profibus PA, Foundation fieldbus; Other; Hardwired.

Safety and Automation System (SAS) is a segment of the automation technology competence area specified in TR3031. Refer to TR3031 for definition of the control classes and categorization of the different systems. The systems included in SAS, hence covered by this specification, are the systems categorized as control class 1. This specification also defines interfaces to the systems categorized as control class 2, whereas typically the class 2 systems themselves are specified in separate Technical Requirement documents. SAS is the overall integrated system containing the Safety Instrumented System (SIS) control class 1 and the Process Control System (PCS) control class 1. SIS detects and evaluates abnormal situations, initiates required actions to prevent further escalation of the situation and, if necessary, shuts down production and facility. SIS includes the Emergency Shutdown system (ESD), the Process Shutdown system (PSD) and the Fire and Gas detection system (F&G).


PCS controls and monitors the production process including utility systems. PCS includes the Basic Process Control System, the Power Distribution Control System (PDCS) and others. SAS includes the Human-Machine Interface (HMI), which provides the physical interface between SAS and the personnel operating and maintaining the facility. HMI includes operator stations, Large Screen Display, Critical Action Panel (CAP) and user interfaces for SAS engineering and testing.

3 Operational philosophy

SAS is required to be operative 24/7. It shall be operable during loss of main electrical power. The facility shall be operable via SAS operator stations from a centralized control room. SAS operator stations shall be the main operator interface with the facility process and utility systems. For requirements regarding a remotely located CCR refer to TR3031, section 3.5. Field equipment shall be monitored and operated from the Central Control Room (CCR). A CAP shall be present in the CCR and shall be used as a last resort for activating main safety functions and monitoring their status. The infrastructure and SAS shall support remote monitoring and access to allow diagnostics and maintenance from other locations at the facility and from outside the facility, e.g. the vendor's offices. Remote access shall be performed through the Secure Access Solution. Refer to TR1658 for requirements related to security, antivirus protection and access control for SAS. The system shall be designed to:

- identify developing faults (early fault detection)
- detect only true faults, with as few false alarms as possible (fault validation)

4 SAS structure

4.1 Location

All SAS logic solvers shall be located in a room safe by location, except:

- I/O may be distributed and located in hazardous or environmentally exposed areas if suitable according to zone.
- SAS logic solvers may be located in hazardous or environmentally exposed areas if certified according to zone.

Ex p protection is not allowed and Ex d should be avoided. For offshore facilities, ESD and F&G logic solvers shall be centralised. Exception from this is F&G logic solvers in the living quarters. For onshore facilities, the ESD and F&G logic solvers should be centralized. PSD logic solvers may be distributed or centralised.


PCS logic solvers may be distributed or centralised. SAS HMI shall include the following:

- Main operator workplaces in CCR
- Test workplace in the CCR
- Maintenance workplace in a separate room
- Remote HMI functionality
- Operator workplaces outside CCR (if necessary)

The CCR shall contain a CAP and, preferably, a Large Screen Display. The workplace(s) for software engineering should be located in a separate system maintenance room. The printer(s) shall be located in close vicinity of the CCR. The SAS servers in a redundant SAS server pair shall be located in different cabinets, and the cabinets should be placed at a distance from each other in order to be robust against common threats such as fire.

4.2 Segregation of SAS functions

SAS shall be distributed and designed on the basis of functionally self-contained (autonomous) SAS logic solvers. The segregation of SAS shall be both functional and physical. Hardware and software shall be organized such that unavailability of one SAS unit

- minimizes the loss of production
- does not affect the operation of other parts of the facility

Process units in parallel for purposes of production redundancy shall be allocated to different PCS logic solvers to obtain robustness and availability. I/O signals and connections to intelligent electrical devices for the process units shall be allocated to the corresponding logic solver. To achieve coverage redundancy, F&G detectors within the same fire area shall be allocated to at least two different I/O cards. Distribution of control logic/structures shall not cause timing and synchronisation problems or excessive network load due to compound control logic or control structures. For purposes of minimizing network traffic, preference should be given to dedicating one PCS logic solver to each process unit, within the PCS logic solver processing capacity limits. Smaller process units that are functionally strongly dependent on each other, and consequently might need coordinated control structures, shall be implemented in the same PCS logic solver, provided spare processing capacity limits are maintained. Parallel process equipment shall have their I/O wired to separate I/O modules to minimize the consequences of common mode failures.
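Two of the allocation rules in 4.2 (F&G detectors within one fire area on at least two different I/O cards; parallel equipment on separate I/O modules) can be checked mechanically against an I/O list export before FAT. The following is an added example, not part of TR3034 and not any project's engineering tooling, that runs such a check over a constructed allocation. The tag names, card identifiers, and the IoPoint fields fire_area, equipment and redundancy_group are assumptions for illustration; a real check would map them from the project's I/O database columns.

```python
# Added example (not part of TR3034): audit an I/O allocation list against two
# segregation rules from section 4.2. Tags, cards and groups below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IoPoint:
    tag: str                                # signal tag (constructed)
    system: str                             # "F&G", "PCS", ... per Table 1 groups
    logic_solver: str                       # e.g. "F01", "C01"
    io_card: str                            # I/O card / module the signal is wired to
    equipment: Optional[str] = None         # parent equipment item, e.g. "P-101A"
    fire_area: Optional[str] = None         # fire area, for F&G detectors
    redundancy_group: Optional[str] = None  # set of parallel equipment, e.g. "P-101A/B"


def fire_areas_without_card_redundancy(points):
    """Rule: F&G detectors within the same fire area shall be allocated to at
    least two different I/O cards (coverage redundancy). Returns offending areas."""
    cards_per_area = defaultdict(set)
    for p in points:
        if p.system == "F&G" and p.fire_area:
            cards_per_area[p.fire_area].add(p.io_card)
    return sorted(area for area, cards in cards_per_area.items() if len(cards) < 2)


def parallel_equipment_sharing_modules(points):
    """Rule: parallel process equipment shall have their I/O wired to separate
    I/O modules (common mode failures). Returns (group, io_card, equipment_items)
    for every module shared by more than one item of a redundancy group."""
    equipment_per_card = defaultdict(set)
    for p in points:
        if p.redundancy_group and p.equipment:
            equipment_per_card[(p.redundancy_group, p.io_card)].add(p.equipment)
    return sorted(
        (group, card, tuple(sorted(items)))
        for (group, card), items in equipment_per_card.items()
        if len(items) > 1
    )


# Constructed sample allocation: fire area FA-02 has both detectors on one card,
# and the A/B pumps P-101A/B share a digital input card.
SAMPLE_POINTS = [
    IoPoint("FD-101", "F&G", "F01", "F01-RIO1-DI01", fire_area="FA-01"),
    IoPoint("FD-102", "F&G", "F01", "F01-RIO1-DI02", fire_area="FA-01"),
    IoPoint("FD-201", "F&G", "F01", "F01-RIO2-DI03", fire_area="FA-02"),
    IoPoint("FD-202", "F&G", "F01", "F01-RIO2-DI03", fire_area="FA-02"),
    IoPoint("ZSH-101A", "PCS", "C01", "C01-RIO1-DI05", equipment="P-101A", redundancy_group="P-101A/B"),
    IoPoint("ZSH-101B", "PCS", "C01", "C01-RIO1-DI05", equipment="P-101B", redundancy_group="P-101A/B"),
    IoPoint("PT-201A", "PCS", "C02", "C02-RIO1-AI01", equipment="K-201A", redundancy_group="K-201A/B"),
    IoPoint("PT-201B", "PCS", "C02", "C02-RIO1-AI02", equipment="K-201B", redundancy_group="K-201A/B"),
]


def audit(points=SAMPLE_POINTS):
    """Run both checks; empty lists mean the allocation satisfies the rules."""
    return {
        "fire_areas_on_single_card": fire_areas_without_card_redundancy(points),
        "parallel_equipment_on_shared_module": parallel_equipment_sharing_modules(points),
    }


if __name__ == "__main__":
    for rule, findings in audit().items():
        print(rule, findings or "OK")
```

The check is deliberately conservative: it flags a fire area with a single detector as well as one whose detectors all share a card, since in both cases the area has no card-level redundancy and the project has to decide whether that is acceptable. The rule in 4.2 about parallel process units on different PCS logic solvers is not covered here because it needs a process-unit column that an I/O list does not usually carry.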


4.3 Independence between functions

4.3.1 Implementation of independence between systems

The overall basis for how systems should be interconnected is illustrated in Figure 2. The F&G, ESD, PSD and PCS systems shall be separate and independent systems, as shown in the figure.

[Figure 2 Typical interconnections of systems. The diagram shows the ESD Logic, PSD Logic, PCS Logic and F&G Logic as separate blocks with arrows for safety action signal flow; it is not reproduced in this transcript.]

In Figure 2, the arrowhead gives the direction of safety action signal flow. In addition to the safety action signals shown in the figure, status signals may be transferred between the systems. Valve limit switch feedback signals should be routed to the system from which the valve is operated, with the following priority:

1. PCS
2. PSD
3. ESD

I.e. if an ESD valve is operated from the PCS system, the limit switches should be fed back to the PCS system. If operated from the PSD system and not the PCS, the limit switches should be fed back to the PSD system. If neither the PCS nor the PSD system operates the valve, the limit switches should be fed back to the ESD system.


4.3.2 Connection and data flow between systems

[Figure 3 Systems interconnection via SAS network. The diagram shows SIS and PCS logic solvers and the HMI connected via the SAS network; it is not reproduced in this transcript.]

The required SAS architecture is shown in Figure 3. The operator station HMIs shall have the physical capability of communicating with any SIS- and any PCS logic solver. The safety instrumented functions with the allocated safety integrity level shall be realised within the SIS part of the system. Logic solvers shall feature protection against faulty packets or wrong packet addressing. Operation of safety valves from operator station shall be possible.


4.4 SAS logic solver groups

On the logic solver level, SAS shall be physically partitioned into a number of separate logic solver groups. Each logic solver group shall consist of one or more logic solvers (or one or more redundant logic solver pairs). SAS shall be partitioned into the following logic solver groups:

Table 1 SAS logic solver groups

SAS | Logic solver group | Logic solver names | Typical sub-system to be included
SIS | ESD | E01, E02, ... | ESD
SIS | PSD | P01, P02, ... | PSD, boiler protection, flare ignition
SIS | F&G | F01, F02, ... | F&G, HVAC (Note 1)
PCS | Basic PCS; main process and process support | C01, C02, ... | Basic PCS, compressor control, burner management control
PCS | Basic PCS; utilities (Note 2) | U01, U02, ... | Basic PCS utilities, HVAC (Note 1)
PCS | Power Distribution Control System | L01, L02, ... | PDCS
PCS | Subsea | S01, S02, ... | Subsea control system
PCS | Marine systems for safety/integrity of the facility | B01, B02, ... | Ballast and bilge control, watertight doors/hatches monitoring and control
PCS | Other marine systems | H01, H02, ... | Anchor winch monitoring and control

Notes:

1. The safety related parts of HVAC shall be part of the F&G system and the control and monitoring applications for the HVAC system shall be a part of PCS.

2. The naming convention does not require separation of logic solvers for utilities from main process and process support.


4.5 Control class of equipment packages

Equipment packages should be controlled using the control classes as listed in Table 2:

Table 2 Control class definition for equipment packages

Package type | Control class | Comments
Rotating equipment excl. gas turbines | 1 | TR3132 "Vibration Protection and Diagnostic System"
Gas turbine | 2 | TR3036 "Turbine Control System"
Static mechanical equipment | 1 |
Fire water pumps | 1 |
Fire fighting equipment excl. fire water pumps | 1 |
Flare ignition equipment | 1 |
Heli-fuel equipment | 3 |
HVAC equipment | 1 |
Burner management | 1 |
Electrical equipment | 1 | Electrical equipment is defined as control class 1 integration in SAS (e.g. variable speed drives and smart motor starters are regarded as field devices and not logic solvers)
Emergency and essential diesel generators | 1 |
High Integrity Protection System (HIPS) | 3 | TR1956 "Non-conventional pressure protection systems"
Drilling equipment | 3 | TR3135 "Drilling Control System"
Subsea equipment | 1 and 2 | TR3037 "SAS Integration of subsea control"
Ballast and bilge control system | 1 |
Watertight doors/hatches | 1 |
Mooring winch | 1 |
Dynamic Position System | 2 |
Platform motion/draught/inclination monitoring | 2 | Monitoring of motion/draught/inclination values for comparison with calculated values from stability calculations
Structural monitoring | 2 | Stress measurements for input to load calculator
Pedestal cranes | 3 |
Personnel & Goods Lift | 3 |
Vibration protection and diagnostic system (VPDS) | 2 | TR3132 "Vibration Protection and Diagnostic System"
Telecom equipment | 3 | TR3043 "Telecommunication systems"
Environmental Monitoring System | 2 | TR3043 "Telecommunication systems"
CCTV | 3 | TR3043 "Telecommunication systems"
Load and Stability calculator | 2 | Monitoring system for stress and inclination based on tank levels etc.
Life-Cycle Simulator (LCS) | 2 | TR3133 "Life-Cycle Simulator"
Advanced Process Control (APC) | 2 | TR3134 "Advanced Process Control"
Analyzers | 2 | TR3032 "Field Instrumentation" section 5.9
Fiscal metering system | 2 | TR0814 "Metering systems for fiscal, allocation or custody transfer applications"
Multi-phase metering system | 2 |
Down-hole instrumented system | 2 |
Level interface profile system | 2 |
Sand monitoring | 2 |
Corrosion monitoring | 2 |

For equipment packages not listed in Table 2 the control class shall be defined by the project.


4.6 Communication interfaces between SAS logic solvers

Signals (SIL classified) exchanged between different SIS logic solvers should be hard wired. If a shared data communication network is used, it shall fulfil the same integrity level requirements as are relevant for the signals being exchanged. Status signals and interlock signals can be communicated via the SAS network (controller peer to peer communication). Dedicated SAS reports of signals communicated between logic solvers via the SAS network shall be available to support logic solver maintenance.

4.7 Communication interfaces between SAS logic solvers and control class 2 systems

Control class 2 systems shall be controlled from the SAS HMI, ref. 15.1.1 for definition. Shutdown signals between SAS and control class 2 logic solvers shall be hardwired. For data exchange of signals for monitoring and control between SAS and control class 2 logic solvers, the following communication interfaces are preferred:

- Profibus DP
- ProfiNet
- OPC UA
- Modbus TCP
- Profibus DP when utilising wireless instrumentation

If the control class 2 logic solver supports none of the above, the control class 2 logic solver's native protocol may be implemented in the SAS logic solver. This shall be approved by Company. The SAS logic solver shall be the communication master in all configurations. There shall not be any physically separate protocol conversion units between SAS and control class 2 logic solvers. All interfaces shall be implemented with protocols that include supervision (error control). In addition to the measured value, quality information for the value shall be transferred from the control class 2 system to the SAS logic solver. Local work stations for control class 2 systems shall be placed within cabinets and shall be equipped with Ethernet cards for connection to the technical network, ref. TR1658. All alarming shall be integrated in SAS in accordance with TR1494. Signals necessary for CCR HMI and control purposes shall be transferred to/from the SAS logic solver. For remote access, bulk data handling to IMS and condition monitoring, these systems shall be connected to the technical network. The communication between PCS logic solver/SAS HMI and APC and similar applications should be based on OPC. To be able to identify OPC connections to the SAS logic solver application, the OPC communication shall be directed via dedicated communication blocks.


For further requirements to the interface to APC and requirements to SAS related to APC, refer to TR3134.

4.8 Other SAS communication interfaces

4.8.1 Field bus – interfaces to field devices

Industrial network for signal transfer based on field bus protocols may be used towards field devices, dependent on Company approval. This shall be in accordance with IEC 61158. The preferred choice is Profibus PA and Foundation Field bus. As a minimum, SAS should support the following field bus technologies:

- Foundation Field bus
- Profibus PA
- Industrial Ethernet (IE)

There shall not be any physically separate protocol conversion units between SAS and field devices.

4.8.2 Interfaces to wireless instrumentation

If wireless instrumentation is used, the wireless gateway should be implemented as remote I/O communicating directly to its logic solver, see also 10.8.

4.8.3 Interfaces to remote I/O (RIO)

The communication interface between the logic solver and the RIO unit shall be based on open industrial standards, e.g. Profibus DP for PCS and ProfiSafe for SIS, see also 10.7. The communication interface for SIS shall be redundant.

4.8.4 Interfaces to electrical equipment

The ESD, F&G and PSD trip signals to electrical equipment shall be hardwired. Basic PCS interface signals to motor starters, protective devices and variable speed drives, etc., should be directly via bus communication. PDCS interface signals to breakers should be via bus communication of the same standard as the bus communication for Basic PCS interface to motor starters, protective devices and variable speed drives. PDCS interface signals to load shedding shall be hardwired. Communication with standard protocols between SAS and electrical devices should be used. Selection of communication protocol shall be coordinated with selected electrical equipment to ensure compatibility. The following communication protocols and interfaces are preferred:

- Profibus DP
- ProfiNet
- IEC 61850

The SAS logic solver shall be the communication master. There shall not be any physically separate protocol conversion units between SAS and electrical control equipment.


4.8.5 Interfaces to other instrumented systems

This section defines SAS interface to other instrumented systems, such as:

- Analyzers
- Fiscal metering system
- Multi-phase metering system
- Down-hole instrumented system
- Level interface profile system
- Sand detection

These systems shall be treated as control class 2 and the communication interface shall be as described for communication with control class 2 logic solvers, ref. section 4.7.

4.8.6 Interfaces to systems on technical network

4.8.6.1 General

SAS units which shall communicate over the technical network shall be connected to a SAS remote network. The SAS remote network can be the same as the SAS HMI network, but shall not be the same as the SAS network where the logic solvers are connected. The SAS remote network switch shall be connected as a dedicated VLAN on the technical network based on standard TCP/IP. IP addresses on the remote net shall be issued by Company to be kept unique. Refer to TR1658 and GL1658 for requirements related to security and access control for SAS.

4.8.6.2 Interface to Information Management System (IMS)

SAS shall provide a gateway to the Information Management System (IMS). The SAS gateway shall make all SAS real time data and selected parameters available for IMS according to TR2258. Alarm and event data shall be included in this interface function. The SAS gateway shall be able to supply data to IMS for all tagged objects in SAS with 10 seconds update interval. The sample interval shall normally be 1 second for all SAS tags and down to 100 ms for selected values. SAS facility data transferred to IMS shall have a time-stamp as part of the message. The SAS gateway shall support self-configuration of the IMS as specified in TR2258:

- Automatic configuration of tags shall be implemented when possible. This will involve the detection of a new tag being created in a related system, transfer of configuration data, and automatic initiation of data communication.
- New data shall only need to be defined once, with one single engineering tool.

The interface between SAS gateway and IMS shall be one of the following protocols:

- OPC UA
- OPC A&E, OPC DA and OPC HDA

OPC UA is the preferred solution.


Plant data export shall not have a negative influence on SAS primary functions, i.e. safety functions, control and monitoring. The SAS gateway shall have the buffer capacity to store all SAS real time data and selected parameters for 7 days. Status information of the interface shall be available in SAS. Refer to TR2258 for requirements to IMS basic configuration, functionality and performance.

4.8.6.3 Interface to Field Device Management

Data which are collected from the field devices connected to SAS to be utilized in the centralized Field Device Management application shall be tunnelled via SAS. Dedicated field network shall not be used.

4.8.7 Interface to CCTV

Upon occurrence of a F&G alarm or other pre-defined alarm in SAS, the relevant CCTV picture should automatically be displayed in CCR at a CCTV screen, LSD or predefined Operator Station.

4.8.8 Interface to PA

ESD and F&G system shall activate PA alarms via hardwired signals.

5 SAS Human Machine Interface (HMI)

5.1 General

The HMI shall be common for the SIS and PCS functions.

5.2 SAS operator station

The SAS operator station represents the main HMI between the operator and the production facilities i.e. the "process window". This shall include a full set of configured dynamic VDU pictures sufficient to ensure safe and convenient communication between the operators and the production facilities. It shall be possible to connect SAS operator stations in locations other than the CCR, i.e. CER and LERs. SAS operator station HMI shall be available from remote locations. Refer to TR1658 for requirements related to security and access control for SAS. It shall be possible to configure the operator stations with the different access levels described in section 8. Control class 2 systems shall be operated via SAS operator station HMI. An overview VDU picture shall present the topology of SAS, showing the status of the system, serial links and communication interfaces.


Refer to section 10.5 for hardware requirements for SAS servers and operator stations. Refer to TR1212 for SAS HMI requirements.

5.3 Large Screen Display (LSD)

The need for large screen display for overview information in large format in CCR shall be evaluated. SAS shall support use of a LSD. LSD should not be used for operator interaction, only for information. Refer to TR3039 for general LSD requirements.

5.4 Critical Action Panel (CAP)

A CAP (simplified safety matrix panel) shall be located in the CCR, allowing manual activation of predefined safety-critical functions, including related status and alarm presentation. Refer to TR1055/TR2237 for general requirements for CAP.

5.5 Printing facilities

The number of printers shall be kept to a minimum. Printers on the office network should be utilized via the Access@Plant print spooling queue if not important for operation. Failure of one operator station shall not prevent printer access. Silent type colour printers shall be used. Printouts shall be generated only on demand. The operator shall be able to generate a hardcopy print of any display screen. It shall be possible to generate printouts from the SAS engineering station. It shall be possible to generate a printout of all types of lists without using the screen-dump facility, refer to TR1494.

5.6 Alarm and event handling

Refer to TR1494 for requirements to SAS related alarm and event handling requirements.

5.7 Trend

SAS shall provide a facility for real time and historical trending of all binary and analogue variables, independent of the IMS. Refer to TR1212 for requirements related to trend presentation in SAS. Real time trending shall be with the same time resolution as the cycle time of the application in the logic solver. Historical trending shall have user selectable sampling time, normally 1 second. Sampling time for selected values shall be possible from 100 ms. SAS shall store relevant values for a minimum of 35 days for trending purposes.


5.8 User interfaces for SAS testing

SAS shall include minimum one operator workplace to be used for SAS testing.

5.9 User interfaces for SAS maintenance

SAS shall include minimum one operator workplace to be used for SAS maintenance.

5.10 User interfaces for software engineering

SAS shall include minimum one workplace to be used for software engineering. It shall be technically straightforward to connect a number of additional SAS engineering stations later. If several engineering stations are used, then the SAS shall have a means of preventing online configuration conflicts. A master software revision handling system shall be included. The SAS engineering workplace shall have access to operator station facilities.

6 Safety Instrumented System (SIS)

6.1 General

The safety instrumented systems are systems used to implement one or more safety instrumented functions. Functional requirements to SIS are stated in TR1055 or TR2237 as applicable. The practicable systematic approach and the minimum premises which shall govern instrument-based protective measures, and in particular SIF/SIS, are presented in TR2041. SIS control class 1 includes the ESD-, PSD- and F&G system (refer to 15.1.1 for the definition of “system” as used here). The applicable safety system or affected parts of it should go to a predefined safe state in the event of detectable malfunction, and system design should be made with the intent to avoid single defects / failures that may prohibit safety actions being executed. If not fail-to-safe, the equivalent level of safety shall be achieved by redundancy, diagnostics and/or alarm to control room. The probability of single defects / failures causing inadvertent trip actions shall be as low as reasonably possible, e.g., provide fault tolerance by means of automatic diagnostic features and redundancy according to cost-benefit assessment. All equipment being part of barriers shall be protected against environmental conditions that may compromise their safety function. This may be accumulation of or influence by ice, snow, sand, water, etc. All output signals shall be normally energized, unless otherwise stated in safety specifications based upon assessment and verification of functions’ performance, e.g.:

- Output signals from the F&G system to fixed fire protection systems can be passive, i.e. energise on fire fighting.
- Output signals from the F&G system to the ESD system can be passive, i.e. energise on alarm. Use of passive output signals shall however fulfil the same integrity level requirements as NE outputs (by redundancy, diagnostics and/or alarm to control room).


SIS shall have the following facilities to allow for testing and maintenance without interrupting production or operation:

- Blocking (inhibit) of input signals
- Blocking (override) of output signals (effects)

Override possibilities for all outputs should be evaluated based on operational requirements to availability. This function may be required to replace output cards without interrupting production, or for SIS testing after modifications. TR3138 describes requirements for regular testing and inspection of SIS. SIS shall be designed according to IEC 61508/61511/ANSI/ISA 84.00.01.

6.1.1 Logic solver

The logic solver, including I/O, logic and communication interfaces, shall comply with prevailing regulations and practices for normal operation, test and emergency situations. The logic solver’s compliance with the intended use and safety integrity requirements shall be demonstrated by compliance with IEC 61508 and IEC 61511, i.e.:

- Logic solver (firmware, as standard manufacturer provision) compliance with IEC 61508/IEC 61511 shall be documented and certified / type approved (note: also valid for system software revisions).
- Logic solver (hardware and software, according to user requirements) arrangement and application configuration shall be subject to acceptance based on independent verifications.
- System safety manual shall provide guidance to prerequisites and operation of the safety related functions.
- Software by means of utility software, embedded software and application software.

The logic solver shall be capable of handling at least SIL3 functions. Each plant shall have an overview of installed hardware and software versions. The logic solver shall, by hardware and software means, permit adequate testing of the safety critical functions within specified limitations regarding degradation of safety and reduction of production rate. This shall also include trip signals between SAS units. The logic solver shall include measures that prohibit unauthorised and avoid unintentional changes of system parameters, i.e. key-lock, password or software configuration. Software configuration should be required for entries of trip level settings, timers, forced outputs and selection of NE/NDE inputs and outputs. Features for comparison of two versions of application logic, indicating where variations have taken place, should be provided. SIS system units (logic solvers) shall not be used for non-safety related systems.


6.2 Emergency shutdown (ESD) system

The purpose of the emergency shutdown system (ESD) is to prevent escalation of abnormal conditions into a major hazardous event and to limit the extent and duration of any such events that do occur. Emergency depressurisation (EDP) and ignition source isolation shall be handled by the ESD system. All ESD logic (SIL classified) shall reside in the SAS ESD logic solvers. For an EDP system which requires sequential actions to avoid mechanical breakdown due to limited flare capacity, the output delay timers shall be realized outside the SAS ESD logic solvers utilising electrical/mechanical devices. The external devices are required to function irrespective of the availability of the ESD system. Timers shall be of a high integrity design. After activation of APS (Abandon Platform Shutdown, for offshore facilities), indication of remaining time (simulated) until isolation of instrument UPS shall be available in the CCR. ESD inputs shall be line monitored, detecting short circuit and open circuit. The ESD system may include a manually operated ESD "master switch" in order to de-energize the required outputs to bring the facility to a safe state. In some regions, this is an authority requirement. Refer to TR1055/TR2237 PS4 for requirements regarding shutdown hierarchy for ESD and TR1055 PS4 figure 3 for typical shutdown hierarchy for ESD. The initiated ESD level shall latch in the tripped state until manually reset in the CCR. Reset of ESD levels shall be available from SAS OS. ESD sensor loop including accessories (e.g. process tapping, impulse lines, air supply branch-off and power fuses) shall be separate from other functions, directly connected to ESD system unit. Signals (SIL classified) exchanged between different ESD units including communication with other safety units such as PSD should be hard wired. If shared data communication network is used, this shall fulfil the same integrity level requirements as relevant for the signals being exchanged. 
A common SAS data network and operator stations may be used allowing ESD operator interface functions/ activities to be executed such as inhibit and override, status / alarm handling, annunciation, logging and printing. For further requirements to ESD system, see TR1055/TR2237, with emphasis on PS4, PS6 and PS8.

6.3 Process shutdown (PSD) system

The PSD system shall detect and evaluate an abnormal process condition and initiate required equipment shutdown and/or process sectionalisation, in order to minimize the effects and protect the process equipment. If a PCS and PSD transmitter measure the same process variable, the warning alarm limits (H and L) shall be allocated to the PCS transmitter and the action alarm limits (HH and LL) shall be allocated to the PSD transmitter. For requirements regarding PSD application, refer to TR3035.


For requirements to PSD system on offshore facilities, refer to TR3001, section 6 "Requirements for PSD functions for offshore installations". For requirements to PSD system on onshore facilities, refer to TR3001, section 7 "Requirements for process protection functions on onshore installations". For further requirements to PSD system, refer to TR3001, section 11 "Instrumentation for shut down functions" and TR1055/TR2237, with emphasis on PS12.

6.4 Fire & gas (F&G) detection system

The F&G system shall continuously monitor the fire and gas status and execute safety related functions upon fire or gas detection. The safety related parts of HVAC, such as closing of fire dampers and trip of fans and heaters, shall be part of the F&G or ESD system. The F&G system shall have the capability to handle addressable detectors. If F&G detector interface centrals are used, these shall be supplied as part of SAS. No logic should be implemented in the F&G detector interface centrals. All data communication between the F&G interface central and the F&G node shall be redundant. Possible failure modes shall be identified through systematic analysis. The safety integrity of the communication shall be documented. Silent testing shall be possible, i.e. for the functions being tested it shall be possible to disable audible alarm annunciation. All safety critical loops for F&G shall be line monitored, enabling detection of abnormalities (e.g. earth fault detection, short circuit detection, open circuit detection in the entire circuits, etc.). When powered up after being powered down, the total F&G system shall automatically restart itself, including all internal system communication mechanisms, without manual intervention. This also includes F&G detector interface centrals. Power-up shall not cause spurious activation of outputs. Refer to section 4.8.7 regarding interface to CCTV. For further requirements to F&G system, see TR1055/TR2237, with emphasis on PS3, PS7 and PS9.

6.5 Boiler/Fired-equipment Protection System and Burner Management System

Boiler/Fired-equipment Protection System and Burner Management System shall be designed in accordance with EN12952/EN12953 or NFPA85/NFPA86. The safety functions shall be implemented in the plant BMS/PSD logic solver. Refer to national codes and standards for additional requirements for boilers, steam generators and fired-equipment.

6.6 Flare ignition

If flare ignition is realised as a ballistic spark ignition system, ref TR3002, the safety function shall be designed in accordance with IEC61508/61511/ANSI/ISA 84.00.01 and the function shall be implemented in a PSD logic solver.


6.7 Subsea shutdown functions

Refer to TR3037 for subsea shutdown functions requirements.

7 Process Control System (PCS)

7.1 General

The PCS controls and monitors the production process, the mechanical and electrical equipment and the utility systems part of the facility. PCS control class 1 includes the basic process control system, power distribution control system (PDCS), subsea control system and the marine control systems described in section 7.5 (refer to 15.1.1 for the definition of “system” as used here).

7.2 Basic process control system

The objective of the basic process control system is to control and monitor the production processes and the utility systems. SAS shutdown functions not defined as safety control or safety shutdown functions, i.e. shutdown functions not residing in the ESD, F&G or PSD systems, shall be implemented in PCS. Refer to 6.3 for requirements regarding alarm limits allocation for PCS and PSD transmitters measuring the same process variable. For PCS and PSD transmitters measuring the same process variable, condition monitoring shall be implemented in PCS. The process value measured by the PSD transmitter shall be transferred to PCS, compared to the PCS transmitter value, and an alarm shall be generated if deviation is greater than a predefined value (e.g. 4% of range).
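As an added example (not code from TR3034 or any Company system), the alarm-limit allocation of section 6.3 and the PCS/PSD deviation check above, modelled as functions: H/L limits land on the PCS transmitter, HH/LL on the PSD transmitter, and a deviation alarm is raised when the two disagree by more than 4 % of range. Tag names, ranges, limits and the quality-flag handling are this example's own assumptions.

```python
"""Alarm-limit allocation and PCS/PSD deviation monitoring.

Added example, not code from TR3034. It applies two rules from sections 6.3
and 7.2: warning limits (H, L) belong on the PCS transmitter and action
limits (HH, LL) on the PSD transmitter, and PCS raises a deviation alarm
when two transmitters measuring the same variable differ by more than a
predefined fraction of range (the text names 4 % as an example).
Tag names, ranges and limits are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transmitter:
    tag: str            # constructed tag name, e.g. "PT-1001A"
    system: str         # "PCS" or "PSD"
    range_low: float    # calibrated range, engineering units
    range_high: float

    @property
    def span(self) -> float:
        return self.range_high - self.range_low


@dataclass(frozen=True)
class AlarmLimits:
    h: Optional[float] = None
    l: Optional[float] = None
    hh: Optional[float] = None
    ll: Optional[float] = None


def allocate_limits(pcs: Transmitter, psd: Transmitter,
                    h: float, l: float, hh: float, ll: float) -> dict:
    """Assign warning limits to the PCS transmitter and action limits to the
    PSD transmitter. Returns a mapping tag -> AlarmLimits."""
    if pcs.system != "PCS" or psd.system != "PSD":
        raise ValueError("expected one PCS and one PSD transmitter")
    if not (ll < l < h < hh):
        raise ValueError("limits must satisfy LL < L < H < HH")
    return {pcs.tag: AlarmLimits(h=h, l=l), psd.tag: AlarmLimits(hh=hh, ll=ll)}


def active_alarms(value: float, limits: AlarmLimits) -> list:
    """Alarm states active for a measured value, most severe first."""
    active = []
    if limits.hh is not None and value >= limits.hh:
        active.append("HH")
    if limits.h is not None and value >= limits.h:
        active.append("H")
    if limits.ll is not None and value <= limits.ll:
        active.append("LL")
    if limits.l is not None and value <= limits.l:
        active.append("L")
    return active


def deviation_alarm(pcs: Transmitter, pcs_value: float, pcs_good: bool,
                    psd: Transmitter, psd_value: float, psd_good: bool,
                    limit_fraction: float = 0.04) -> Optional[str]:
    """Condition monitoring in PCS: compare the PSD transmitter value with the
    PCS transmitter value. Returns None when consistent, "DEVIATION" when the
    difference exceeds limit_fraction of range, or "BAD_QUALITY" when either
    value carries bad quality (quality handling is this example's assumption:
    a bad value must not be silently compared as if it were good)."""
    if pcs.range_low != psd.range_low or pcs.range_high != psd.range_high:
        raise ValueError("transmitters must share the same calibrated range")
    if not (pcs_good and psd_good):
        return "BAD_QUALITY"
    if abs(pcs_value - psd_value) > limit_fraction * pcs.span:
        return "DEVIATION"
    return None


if __name__ == "__main__":
    pcs = Transmitter("PT-1001A", "PCS", 0.0, 100.0)   # constructed
    psd = Transmitter("PT-1001B", "PSD", 0.0, 100.0)   # constructed
    limits = allocate_limits(pcs, psd, h=80.0, l=20.0, hh=90.0, ll=10.0)
    print(active_alarms(85.0, limits[pcs.tag]))   # warning H comes from PCS
    print(active_alarms(85.0, limits[psd.tag]))   # PSD stays silent below HH
    print(deviation_alarm(pcs, 50.0, True, psd, 55.0, True))  # 5 % of range
```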

7.3 Power distribution control system

The objective of the power distribution control system is to control and monitor the electric power generation and distribution network. The PDCS shall be implemented in dedicated SAS logic solvers. Refer to TR3021/TR3022 for functional requirements to PDCS. Refer to TR3031 for split of functions between PDCS and Basic PCS. PDCS logic solvers may be physically mounted inside electrical switch boards. Load shedding, if required, shall be implemented in the PDCS. The operator interface to PDCS shall be via dedicated VDU pictures. These VDU pictures shall be accessible from any SAS operator station. Control access to these pictures shall be limited to a group of specially instructed personnel by password protection.


7.4 Subsea control system

The subsea control and monitoring functions shall be implemented in dedicated SAS logic solvers called Subsea Control Units (SCUs). Refer to TR3037 for requirements to the Subsea Control Unit.

7.5 Marine systems in SAS

The following marine systems shall be integrated in SAS as control class 1:

- Ballast and bilge control system
- Watertight doors/hatches monitoring and control
- Anchor winch monitoring and control

The ballast and bilge control systems and watertight doors/hatches monitoring and control shall be implemented in dedicated SAS logic solvers for marine systems for safety/integrity of the facility. The anchor winch monitoring and control shall be implemented in dedicated SAS logic solvers for other marine systems, ref. 4.4. Safety critical functions shall be implemented in SIS. For the ballast and bilge systems, normal control and monitoring shall be performed from a SAS operator station in CCR. Control and monitoring shall also be possible from local operator stations. Watertight doors/hatches remote control and monitoring shall be performed from a SAS operator station in CCR. For further requirements to the ballast and bilge systems and watertight doors/hatches, refer to TR1055, PS 18.4.1. Anchor winch monitoring shall be performed, and control of anchor winch operations shall be possible, from a SAS operator station in CCR. The system shall be designed to meet the fast response requirements of the anchor winch monitoring and control functions.

7.6 Compressor control

The objective of the compressor control system is to monitor and control anti-surge and performance of the compressor. Compressor control, anti-surge control and load sharing should be implemented in Basic PCS logic solvers. The system shall be designed to meet requirements for fast response time on anti-surge control.

7.7 Other drives control systems

Process control functions for other drives, e.g. steam turbines and variable speed drives, shall be implemented in Basic PCS logic solvers.


7.8 Boiler/Fired-equipment Control

Boiler/fired-equipment control shall be implemented in Basic PCS logic solvers. Refer to national codes and recognized standards for further control related requirements for boilers, steam generators and fired-equipment, e.g. EN12952/EN12953 or NFPA85/86.

7.9 PCS control class 2

The control class 2 systems are defined in table 2, section 4.5; hence only the interface to these systems is covered by TR3034, as described in section 4.7.

8 Access rights

SAS shall support different levels of access rights, preventing unauthorised manipulation of specific systems or system attributes (e.g. logic solver parameters, alarm limits, etc.). A proper authorisation method shall be provided to allow for definition of roles and assign users/user groups to roles. Refer to TR1658 for requirements. The system shall support View only client licenses for open remote use. As a minimum, the following roles shall be supported and differentiated by user passwords:

- Operator
- Maintenance
- Engineer PCS
- Engineer SIS
- Electrician
- System Administrator

It shall be possible to configure the roles for access to limited parts of SAS.
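As an added example (not code from TR3034 or any Company system), a role-based access check built on the six roles listed above: a role can be confined to limited parts of SAS, remote sessions are treated as view-only clients, and PDCS operation is reserved for the Electrician role in the spirit of section 7.3. The operation-to-role mapping, the part names and the remote rule are this example's assumptions, not a policy the document defines.

```python
"""Role-based access check for SAS operations.

Added example, not code from TR3034. It uses the six roles section 8 lists,
lets a role be confined to limited parts of SAS, and treats remote sessions
as view-only clients. Which role may perform which operation on which part
of SAS is an assumed example policy (a project defines its own, ref. TR1658).
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


class Role(str, Enum):
    OPERATOR = "Operator"
    MAINTENANCE = "Maintenance"
    ENGINEER_PCS = "Engineer PCS"
    ENGINEER_SIS = "Engineer SIS"
    ELECTRICIAN = "Electrician"
    SYSTEM_ADMINISTRATOR = "System Administrator"


ALL = "*"  # wildcard meaning "every part of SAS"

# Assumed example policy: role -> operation -> parts of SAS it applies to.
# Parts used here: "PCS", "SIS", "PDCS" (electrical, restricted to specially
# instructed personnel) and "SYSTEM" (servers, stations, system software).
POLICY = {
    Role.OPERATOR: {
        "view": {ALL}, "acknowledge_alarm": {ALL}, "operate": {"PCS", "SIS"},
    },
    Role.MAINTENANCE: {
        "view": {ALL}, "inhibit": {"SIS"}, "override": {"SIS"},
    },
    Role.ENGINEER_PCS: {
        "view": {ALL}, "modify_application": {"PCS"}, "change_parameter": {"PCS"},
    },
    Role.ENGINEER_SIS: {
        "view": {ALL}, "modify_application": {"SIS"}, "change_parameter": {"SIS"},
    },
    Role.ELECTRICIAN: {
        "view": {ALL}, "operate": {"PDCS"},
    },
    Role.SYSTEM_ADMINISTRATOR: {
        "view": {ALL}, "manage_users": {"SYSTEM"}, "patch": {"SYSTEM"},
    },
}

# Operations a view-only (remote) client may still perform
VIEW_ONLY_OPERATIONS = {"view"}


@dataclass(frozen=True)
class Assignment:
    """A role granted to a user, optionally confined to listed parts of SAS."""
    role: Role
    parts: FrozenSet[str] = frozenset({ALL})


@dataclass(frozen=True)
class Session:
    user: str
    assignments: FrozenSet[Assignment]
    remote: bool = False   # remote clients are view-only in this example


def _covers(granted, part: str) -> bool:
    return ALL in granted or part in granted


def is_permitted(session: Session, operation: str, part: str) -> bool:
    """True if any of the session's role assignments allows `operation` on
    `part`, after applying the role's confinement and the remote rule.
    Unknown operations and parts are denied by default."""
    if session.remote and operation not in VIEW_ONLY_OPERATIONS:
        return False
    for a in session.assignments:
        allowed = POLICY.get(a.role, {}).get(operation, set())
        if _covers(allowed, part) and _covers(a.parts, part):
            return True
    return False


if __name__ == "__main__":
    operator = Session("ola", frozenset({Assignment(Role.OPERATOR)}))  # constructed
    print(is_permitted(operator, "operate", "PCS"))          # allowed
    print(is_permitted(operator, "change_parameter", "SIS"))  # denied
```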

9 SAS software

9.1 General

SIS software shall be capable of handling at least SIL3 functions according to IEC 61508. SAS programming shall comply with IEC 61131-3 Function Block Diagram (FBD), Sequential Function Chart (SFC) and Structured Text (ST). Structured Text shall be used for function block coding only.

9.2 System software

When powered up after being powered down, the total SAS shall automatically restart itself, including all internal system communication mechanisms, without manual intervention. Power-up shall not cause spurious activation of outputs. Restart of SAS shall take less than 30 minutes. There shall be a facility for read-out of current versions of all system software and firmware, including logic solvers, I/O’s, servers and operator stations.


All system software changes shall be recorded in an auditable and unalterable log. The SAS logic solver shall be based on a true real-time operating system to achieve the necessary degree of security, reliability and reduced maintenance, i.e. operating systems like Microsoft Windows are not allowed for logic solvers. Process values shall be in engineering units throughout the system (engineering tools and run-time system).
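As an added example (not code from TR3034 or any Company system), one way to make a change log auditable and unalterable: each record embeds the hash of the previous one, so a later edit, deletion or reordering is detected on verification, and the same records yield the read-out of current software and firmware versions asked for above. Unit names, component names and versions are constructed samples.

```python
"""Auditable, unalterable log of system software changes.

Added example, not code from TR3034. Each record embeds the SHA-256 of the
previous record, so editing or deleting an entry afterwards breaks the chain
on verification; the same records give the read-out of current versions that
section 9.2 asks for. Unit names and version strings are constructed samples.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64


def _digest(record: dict) -> str:
    """Canonical JSON hash of a record, excluding its own 'hash' field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class SoftwareChangeLog:
    def __init__(self) -> None:
        self._records: List[dict] = []

    def record(self, unit: str, component: str, old_version: Optional[str],
               new_version: str, changed_by: str,
               when: Optional[datetime] = None) -> dict:
        """Append one change. `unit` is the SAS unit (logic solver, server,
        operator station), `component` the firmware or software item."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self._records),
            "time": when.isoformat(),
            "unit": unit,
            "component": component,
            "old_version": old_version,
            "new_version": new_version,
            "changed_by": changed_by,
            "prev_hash": self._records[-1]["hash"] if self._records else GENESIS_HASH,
        }
        entry["hash"] = _digest(entry)
        self._records.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; False on any edit, deletion in the
        middle, or reordering. Removal of the newest record can only be
        caught by comparing head_hash() with a copy kept outside the log."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self._records):
            if rec["seq"] != i or rec["prev_hash"] != prev or _digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def head_hash(self) -> str:
        """Hash of the newest record, to be anchored externally (e.g. printed
        or stored with the backup) so that truncation is detectable."""
        return self._records[-1]["hash"] if self._records else GENESIS_HASH

    def current_versions(self) -> Dict[str, Dict[str, str]]:
        """Read-out of the latest recorded version per unit and component."""
        versions: Dict[str, Dict[str, str]] = {}
        for rec in self._records:
            versions.setdefault(rec["unit"], {})[rec["component"]] = rec["new_version"]
        return versions

    def records(self) -> List[dict]:
        """Copies of all records, in order."""
        return [dict(r) for r in self._records]


if __name__ == "__main__":
    log = SoftwareChangeLog()
    log.record("ESD-LS-01", "firmware", "1.0", "1.1", "kari")   # constructed
    log.record("OS-03", "antivirus", None, "2012.07", "ola")    # constructed
    print(log.verify(), log.current_versions())
```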

9.3 Engineering and maintenance tools

The software tools shall be available from the engineering-/maintenance workplace. Additionally, these tools shall be available through the Secure Access Solution according to TR1658. The software tools shall provide the necessary functions for interaction for all phases of a project (programming and testing, as well as commissioning). The software tools included in the system shall as a minimum have the following features:

- Configuration tool for VDU and logic solver library functions, ref. 9.5
- Off-line programming and configuration of application software
- Upload of application software to engineering station from any SAS unit
- Off-line modification of application software
- Loading of off-line modified application software via SAS network to any SAS unit without disturbing other applications
- Automatic loading of off-line modified HMI graphic displays to all applicable client stations
- Start/stop of application software
- On-line modification of application software without stopping the SAS unit or affecting control modes and output signals
- Possibilities of monitoring on-line any dynamic variable in any SAS unit
- Possibility to view details of the logical structures and all interconnections within SAS
- It shall be possible to do online monitoring of application software in a SAS unit even if the offline version has been modified
- System diagnostic tool including system load, available capacity
- Estimating tool for controller loading (to enable checking of offline changes prior to implementation)
- Diagnostic of SAS units, communication buses, networks and RIO units
- Methods allowing for off-line simulation and testing of new or modified applications
- Tools for configuration and monitoring of Microsoft security patches to the Windows servers/clients implemented in the system
- Tools for configuration and monitoring of antivirus to the Windows servers/clients implemented in the system
- Tools for monitoring / reporting of backup status from all components in the system

SAS applications and system performance shall not be influenced by utilization of engineering tools. The system shall be self-documenting, including both suppliers’ standard application blocks and project specified application blocks. The documentation shall be "as programmed" in the executing SAS unit. The system shall be self-documenting with respect to system hardware set-up, showing configuration of logic solver and I/O cards.


It shall be possible to document the application program directly from the system and make it available as a graphical report. In special cases, program listings can be accepted based on approval by Company. An automatic cross reference between drawing interconnections shall be provided.

There shall be a tool for read-back of the current parameters and update of configuration files. This tool shall provide a report showing the parameter differences. The software tools shall include provisions for application software revision control and traceability. There shall be a facility for comparing two revisions of a defined part of the application software and reporting all changes in a high level readable format, to evaluate the result of changes and identify the extent of required testing. Verification of application software in the software tool and of application software running in the logic solver shall be possible on-line.

All manual configuration shall be via intuitive graphical user interfaces. No further manual database entries shall be required in order to complete an application for a logic solver. It shall be easy for the user to trace the flow of information through the system. It shall be possible to include comments in the application code. These comments shall be included in the application graphical reports or program listings.

There shall be a function for easy and secure deployment of new versions of function blocks from the function block library. The graphical level shall be automatically updated when a function block has been modified. It shall be possible to bulk import lists of tagged application blocks with associated data and interconnections for inclusion in the SAS control logic configuration. It shall also be possible to export a user defined portion of the application software as lists of tagged application blocks with associated parameters and interconnections.

SAS should support programming of the application level through cause & effect tables, and it should be possible to generate C&E tables automatically from the application. HART functionality shall be available in configuration and maintenance tools.

The backup mechanisms shall be optimized for fast recovery and integrated with a backup infrastructure provided by Company. Backup mechanisms for application data and complete SAS units shall be provided. The backup and restore mechanisms shall be documented. The backups for SAS units shall be automated:

- It shall be sufficient to give the system a simple command in order to trigger a manual backup
- It shall be possible to configure clock- and event-driven automatic backups
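The revision comparison and parameter difference report called for above, as an added example (not part of TR3034 or of any vendor's engineering tool): two exported lists of tagged application blocks are compared, every change is reported in readable form, and the blocks downstream of a change are collected as the extent of required testing. The semicolon-separated export format, tag numbers, block types and parameter names are constructed for illustration.

```python
"""Revision comparison for exported SAS application block lists. Added example, not a
tool from TR3034 or any SAS vendor: the semicolon-separated export format, tag numbers,
block types and parameters below are constructed for illustration."""
from collections import deque
from dataclasses import dataclass


@dataclass
class AppBlock:
    tag: str          # tag number (constructed)
    block_type: str   # application block type from the typicals library
    version: str      # library block version, visible in the application
    descriptor: str   # service descriptor
    params: dict      # parameter name -> value, as exported text
    connections: set  # interconnections written as SOURCETAG.OUTPUT>INPUT


def parse_export(text: str) -> dict:
    """Parse the constructed export, one block per line:
    tag;type;version;descriptor;param=value ...;source.output>input ..."""
    blocks = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 6:
            raise ValueError(f"malformed export line: {raw!r}")
        tag, btype, version, desc, params, conns = fields
        pdict = dict(p.split("=", 1) for p in params.split())
        blocks[tag] = AppBlock(tag, btype, version, desc, pdict, set(conns.split()))
    return blocks


def compare_revisions(old: dict, new: dict) -> list:
    """List every difference between two revisions as (tag, readable change)."""
    changes = []
    for tag in sorted(set(old) - set(new)):
        changes.append((tag, f"REMOVED block {old[tag].block_type}"))
    for tag in sorted(set(new) - set(old)):
        changes.append((tag, f"ADDED block {new[tag].block_type} v{new[tag].version}"))
    for tag in sorted(set(old) & set(new)):
        a, b = old[tag], new[tag]
        if a.version != b.version:  # library block redeployed under this tag
            changes.append((tag, f"VERSION {a.version} -> {b.version}"))
        if a.descriptor != b.descriptor:
            changes.append((tag, f"DESCRIPTOR '{a.descriptor}' -> '{b.descriptor}'"))
        for p in sorted(set(a.params) | set(b.params)):
            if a.params.get(p) != b.params.get(p):
                changes.append((tag, f"PARAM {p}: {a.params.get(p, '<none>')} -> {b.params.get(p, '<none>')}"))
        for c in sorted(a.connections - b.connections):
            changes.append((tag, f"DISCONNECTED {c}"))
        for c in sorted(b.connections - a.connections):
            changes.append((tag, f"CONNECTED {c}"))
    return changes


def blocks_to_retest(new: dict, changes: list) -> set:
    """Extent of required testing: changed blocks plus every block downstream of them
    in the new revision, since a changed output propagates through the interconnections."""
    consumers = {}
    for blk in new.values():
        for conn in blk.connections:
            consumers.setdefault(conn.split(".", 1)[0], set()).add(blk.tag)
    affected = {tag for tag, _ in changes}
    queue = deque(affected)
    while queue:
        for downstream in consumers.get(queue.popleft(), ()):
            if downstream not in affected:
                affected.add(downstream)
                queue.append(downstream)
    return affected


def format_report(changes: list, retest: set) -> str:
    """Render the comparison in a readable form for review and test scoping."""
    lines = [f"{tag:<12} {change}" for tag, change in changes] or ["no differences"]
    lines.append("blocks to retest: " + ", ".join(sorted(retest)))
    return "\n".join(lines)


# Constructed samples: revision A as read back from the logic solver, revision B the updated file.
REVISION_A = """
20PT0101;AI;1.2;SEPARATOR INLET PRESSURE;HH=85.0 H=80.0 L=20.0;
20TT0103;AI;1.2;SEPARATOR TEMPERATURE;H=90.0;
20PIC0101;PID;2.0;SEPARATOR PRESSURE CONTROL;KP=1.5 TI=30;20PT0101.PV>PV
20ESV0101;ESDV;1.0;SEPARATOR INLET ESDV;TRAVEL=60;20PIC0101.TRIP>TRIP
"""
REVISION_B = """
20PT0101;AI;1.3;SEPARATOR INLET PRESSURE;HH=85.0 H=78.0 L=20.0;
20TT0103;AI;1.2;SEPARATOR TEMPERATURE;H=90.0;
20PIC0101;PID;2.0;SEPARATOR PRESSURE CONTROL;KP=1.5 TI=30 TD=0;20PT0101.PV>PV
20ESV0101;ESDV;1.0;SEPARATOR INLET ESDV;TRAVEL=60;20PIC0101.TRIP>TRIP
20XV0102;XV;1.0;SEPARATOR DRAIN VALVE;TRAVEL=20;20PIC0101.OUT>CMD
"""

if __name__ == "__main__":
    diff = compare_revisions(parse_export(REVISION_A), parse_export(REVISION_B))
    print(format_report(diff, blocks_to_retest(parse_export(REVISION_B), diff)))
```

Note that the unchanged temperature block stays out of the retest set, while the ESDV is pulled in because its trip input comes from a block whose parameters changed.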

9.4 Application configuration

It shall be possible to configure SAS applications semi automatically, as well as manually, utilising different configuration levels and libraries of function blocks and templates (ref. 9.5) to maintain the consistent use and quality throughout the configuration.


SAS functionality shall support application configuration on the following levels:

- Function blocks
- Templates

Function blocks are divided in two categories: application blocks and elementary function blocks, as defined in IEC61804 Annex A. Application configuration shall be based upon the application blocks defined in TR3035 as well as elementary function blocks like AND, OR, logical inversion, RS latches, pulses, timers, etc. The application blocks shall be coded with version control, and the application block version shall be visible in the application. Function block cycle times shall be documented. The order of execution of the function blocks shall be editable and visible.

It shall be possible to collect the function blocks and their interconnections in a typical control structure and define it as a “template”. When an object is deleted or altered in a template, a warning shall be given. All function blocks shall be shown at the instance of the template. All application blocks shall have a tag number and a service descriptor. SAS shall support tag numbers of minimum 15 characters and service descriptors of minimum 40 characters. Tag numbers shall be according to TR0052 and service descriptors according to GL1494.

9.5 Typicals library

The following typicals shall be established and maintained:

- application blocks according to TR3035
- templates according to TR3035/GL3035
- dynamic HMI elements according to TR1212
- communication interface typicals for the interfaces described in section 4.7
- hardware typicals as specified in section 10.1 of this document

These library objects shall be tested prior to use and subject to version control. The application blocks and templates, dynamic HMI elements, communication interface typicals and hardware typicals shall be kept in a master typicals library. This master typicals library shall be the only place where modifications to the typicals are implemented. There shall be one common master typicals library for all facilities with Safety and Automation Systems of the same make. This shall be documented and included in the SAS Engineering Handbook and in Company technical documentation system. Development and modifications of control applications and VDU pictures shall be based on the latest versions of the standards in the library. Specialized versions of the standards shall be kept to a minimum. If specialized versions of the standards are developed, they shall be defined with a new name and incorporated in the master typicals library. Each project shall define which library objects shall be applied in the project, and this shall be made known to all relevant project members.


9.6 Life-cycle simulator interface and SAS functionality required for simulator

SAS shall meet requirements to life-cycle simulator interface and functionality to support life-cycle simulator as stated in TR3133, section 5. For general requirements related to lifecycle simulator, refer to TR3133.

10 SAS hardware

10.1 General

SAS hardware shall be unified, i.e. a limited number of hardware types shall be used to ease maintenance and spare part handling. A set of hardware typicals shall be defined covering all necessary SAS hardwired signals and serial links. This shall include:

- A description of the hardware typical with a unique name
- Detailed electrical drawings including termination and powering
- Typical loop drawing
- Testing and verification of the hardware typical utilising actual field device and cabling

HART functionality shall be integrated in the SAS hardware. A physically separate HART network shall be avoided. It shall be possible to replace redundant components in SAS during normal operation of the system, without any loss of functionality or production. Any SAS unit shall be able to survive loss of power for an indefinite period of time without irrecoverable loss of application programs, configuration or parameters which have been set by the user/operator. Recovery with data fetched via the SAS network is acceptable, but shall be in accordance with the response time specified in section 9.1. The approximate recovery time for each SAS unit shall be documented and verified. The system shall be capable of automatic restart after a power failure, without manual intervention. Equipment shall fulfil the requirements of IEC 61000 and IEC 61010 and shall be certified for the relevant hazardous zone. Refer to TR1055/2237 PS6 for requirements to equipment located in hazardous areas.

10.2 Manufacturing requirements

All SAS hardware modules shall have been tested in accordance with recognised industrial standards with regard to susceptibility to environmental conditions such as:

- Variations in signal and supply voltages
- Electrostatic and electromagnetic noise
- Temperature and humidity
- Vibration and mechanical stress

Test certificates specifying the tests conducted and the results obtained shall be available.


For components which are critical or particularly susceptible to the conditions encountered on the specific site of installation, more comprehensive tests may be required.

10.3 Availability and redundancy requirements

10.3.1 Availability

Number of production losses caused by a fault in SAS (this includes all components in SAS) shall not be more than one per year. In addition, MTBF figures shall be documented and calculations of overall SAS availability shall be performed.

10.3.2 SIS (ESD, PSD, F&G) logic solvers redundancy

The system shall have redundant CPU and allow for online replacement of a CPU.

10.3.3 Logic solvers redundancy, marine systems for safety/integrity of the facility

The system shall have redundant CPU and allow for online replacement of a CPU.

10.3.4 Other SAS units redundancy

Logic solver redundancy shall be selected based on the following:

- production availability requirements
- consequence classification
- process section criticality
- modification requirements, like online configuration

All SAS HMI servers shall be redundant, i.e. if a client/server architecture is used for operator stations, no VDU screen shall lose its functionality as a result of failure of a single server. If the operator stations are realised in a non-client/server architecture, the SAS operator station’s network interface and power supply shall be redundant.

10.4 SAS network

All SAS units shall be connected to a redundant SAS network, which can comprise of several network segments. The following requirements shall apply for the SAS network:

All segments of the SAS network shall be redundant (A and B network cables) and include all required switch functions to ensure that the failure of one of the networks does not disturb, interrupt or degrade operation.

The SAS network shall be state-of-the-art and high-speed.

Optical fibres shall be used to connect the SAS network between LIRs (Local Instrument Rooms)/LERs (Local Equipment Rooms). Single mode fibres shall be used.

One common multicore fibre cable may be used for several systems, but separate fibres shall be allocated to the different systems and segregated in patch panels, clearly marked. Redundant cables should be routed separately. Provisions shall be made to prevent unintended influence between systems during maintenance.

If the SAS network is realised in a star topology, the A and B network cable shall have different cable routings. If the SAS network is realised in a bidirectional ring topology, the A and B network can be in the same cable, but the different segments of the ring shall be physically separated with different cable routings (i.e. the “return” segment of the ring shall have a different, physically separate cable routing).

The SAS network shall be built by the use of fully managed network switches, all of the same brand and compatible.

Error detection on the SAS network shall be fast (within the application cycle time) and reliable.

The system response to network faults shall be deterministic.

The consequences of any failure shall be limited, determinate, failsafe, and shall not cause process problems outside of the process area directly affected by the failure. A network failure shall raise an understandable alarm.

It shall not be possible for the failure of one unit on the field network to interfere with the proper functioning of other units on the same field network.

Configuration of network components should be stored in a removable non-volatile memory for easy restoration after replacement of a network component.

IP addresses on the SAS network shall be issued by Company and be within Company private address range.

Network equipment shall be of industry standard and preferably rail or rack mounted.

10.5 SAS servers and operator stations

SAS operator stations may be built in a client/server architecture. If a client/server architecture is used, the following requirements apply:

- SAS servers shall be of the same hardware product family, i.e. software and hardware compatible
- SAS servers shall be fit for industrial use, preferably of rack or rail mounted type
- SAS operator station clients shall be of the same hardware family, i.e. software and hardware compatible
- SAS operator station clients shall be fit for industrial use, preferably of rack or rail mounted type
- SAS server disk storage shall be fault tolerant and with automatic online recovery when replacing a disk
- SAS servers shall be rack mounted with one common maintenance terminal (VDU, keyboard, mouse) per cabinet
- Clients shall be connected to different network switches to obtain robustness with respect to switch failure
- SAS servers shall be connected to both of the redundant SAS networks and shall handle automatic switchover between the networks
- SAS servers and operator stations shall be suited for continuous operation

If the operator stations are realised in a non-client/server architecture, the following requirements apply:

- SAS operator stations shall be of the same hardware family
- SAS operator station disk storage shall be fault tolerant and with automatic online recovery when replacing a disk
- SAS operator stations shall be rack mounted
- SAS operator stations shall be connected to both of the redundant SAS networks and shall handle automatic switchover between the networks
- SAS operator stations shall be suited for continuous operation

Computers for CCR operator stations located outside the CCR shall be rack or rail mounted. Connections to VDUs/keyboards/mice in the CCR shall be by individually wired connections, e.g. KVM extenders. Desktop stations outside of the CCR may be connected via Ethernet.


Operator stations and servers shall fulfil requirements to limitation of noise in the rooms where they are located, refer to TR0926.

10.6 Logic solvers

All logic solvers within a system (e.g. PCS, ESD, F&G, PSD) shall be of the same product family/type. The logic solvers shall be able to handle at least 800 I/O including associated application software based on required library functions.

10.7 Remote I/O

Refer to TR3032 for requirements related to instrumentation design. Use of field located RIO units is the preferred architectural principle to reduce cost, weight, installation and test time. Considerations must be taken to meet requirements to Ex certification, maintainability and environmental conditions (rain shield etc.). For use of RIO with SIS, special considerations must be taken to meet requirements to SIL and survivability, ref. TR1055/TR2237.

Field mounted RIO cabinets including RIO units shall be certified for Zone 2 as a minimum. RIO cabinets may contain several RIO units. RIO units for ESD, F&G, PSD and PCS can be segregated into separate RIO cabinets, or segregated within shared RIO cabinets. The segregation shall maintain the individual system independency. Field mounted RIO cabinets including RIO units shall be designed to handle both Ex i and Ex m for digital outputs (solenoids) and Ex i for AI, AO and DI signals. No RIO cabinet shall be located inside rooms containing batteries which can release hydrogen. The requirements in TR3032 related to weather protection of instruments installed in exposed areas also apply to field mounted RIO cabinets in exposed areas. RIO cabinets shall be installed in accordance with TR3023 (offshore) or TR3024 (onshore).

10.8 Wireless network

SAS shall support wireless network for field devices based on recognized international standard. Each pair of redundant wireless gateways shall be connected to one logic solver. The segregation principle described in section 4.3.1 shall be followed, i.e. separate wireless gateways shall be provided for F&G, ESD, PSD and PCS.

10.9 Input/output cards requirements

Each I/O module shall be fed from one MCB. One CB for each I/O card. Field devices should be powered from SAS. I/O cards shall have galvanic isolation between field and CPU side. No single defect or failure in any I/O card shall affect any other I/O card.


Failure (e.g. short-circuit) in the field shall not affect any other I/O channel. All I/O cards shall be replaceable under full operating conditions without requiring SAS unit shutdown. Other I/O modules shall not be affected. This also applies to RIOs. Installation of additional I/O cards shall be possible under full operating conditions without shutdown of the SAS unit. I/O cards for the following signal types are required:

Table 4 Required I/O cards

- Analogue input: 4 – 20 mA with HART protocol
- Analogue input Ex i: 4 – 20 mA with HART protocol
- Analogue output: 4 – 20 mA with HART protocol
- Analogue output Ex i: 4 – 20 mA with HART protocol
- Digital input: potential free contact; proximity switches with line monitoring (Note 3)
- Digital input Ex i: potential free contact; proximity switches with line monitoring (Note 3)
- Digital output: 24 VDC normal power, minimum 0,5 A; 24 VDC high power, minimum 3 A
- Digital output Ex i: typically 17 VDC, 20-50 mA

Notes:
3. For Europe, this will be NAMUR. In other parts of the world, other standards may be used.

I/O cards for SIS shall comply as a minimum with the same SIL level as the SIS function they are included in. Instrument loop monitoring, e.g. short circuit, open circuit, out-of-range etc., shall be performed by SAS. The monitoring limits shall be configurable. Signal quality information (for both I/O and communicated signals) shall be supported throughout the complete system. The last measured value shall be transferred to the application. Ground fault shall be automatically detected and reported per individual I/O card or per individual I/O channel.

It shall be possible to manually set and freeze the value of any input, overriding any value or error associated with the corresponding field device. Such manually set values shall be accepted as valid quality by the software using them, with distinct indication on HMI. The manual setting of values shall only be available with Maintenance access rights. Manually set values shall be reported in a separate list.


The system should have features for individually adjustable low pass filtering and dead band for analogue input signals. It shall be possible to define the following states for outputs:

- fail state
- initial state at power-up

10.10 Cabinets

The requirements in this section shall apply in a general manner to all SAS cabinets, such as server cabinets, logic solver cabinets, Field Termination Cabinets (FTCs) and RIO cabinets. Cabinet layout, sizes and material shall be standardized. The requirements in TR3032 related to degree of protection provided by enclosures also apply to SAS cabinets. Equipment inside cabinets shall be easily accessible with door(s) open. Swing frames or logic solvers mounted in the cabinet door should be avoided, but if used, special consideration should be given to robustness of cable connections and resistance to vibration and physical contact when opening the swing frame/door.

All cabinets shall be equipped with lifting eyes and door locks. All cabinets shall have lights. These may be turned on automatically when the cabinet door is opened or be turned on manually. All cabinets, except server cabinets, should be designed to avoid the need for cooling fans. Special considerations, such as perforation of cabinet/doors and forced cooling, shall be taken for server cabinets. On floating facilities, cabinet doors shall self-lock in the fully opened position. Openings for cable entry should be in the bottom of the cabinets. The material used for field RIO cabinets shall be AISI 316 SS. Field RIO cabinets shall be equipped with drain nipples. Electrical anti-condensation heaters shall be evaluated for RIO cabinets which are mounted outdoors.

10.11 Power supplies, power distribution

SAS shall be powered from two independent AC UPS sources (national voltage and frequency levels). ESD, PSD, F&G and PCS components shall be powered from different redundant AC/DC (24V DC) converters. CPU and I/O (field instruments) shall be powered from galvanically isolated power supplies to avoid interference from field to CPU via the power supply.


Internal power supplies in SAS servers, SAS network equipment, logic solvers and RIO units shall be redundant and shall be replaceable under full operating conditions. Power supply to operator stations, VDUs and KVM extenders shall be fault tolerant, e.g. redundant internal power supplies or sufficiently robust automatic switchover upon loss of either UPS A or B.

Figure 4 Principle for power supply from the UPS (figure not reproduced; it shows UPS A and UPS B, each at 230 V, feeding separate A and B power supplies through AC/DC converters to the SAS server(s), network equipment, field RIO, and the ESD, F&G, PCS and PSD logic solvers and I/O)

Each of the redundant power supplies shall be designed for 150% of normal consumption. The extra capacity is to prepare for usage of the spare I/O specified in section 12. Modular power systems shall be possible to expand by 50% without rewiring. The supply voltage and tolerances shall be provided with adequate margins ensuring proper operations of all safety critical outputs, in particular if normally de-energised outputs are used. Alarm for power supply failures, fuses, earth fault detectors, fans etc. shall be available in the CCR for all SAS units.

10.12 Earthing

Refer to TR3023/TR3024 for requirements to equipment earthing. The SAS cabinets shall have separate earth bars for Protective Ground (PE), Instrument Ground (IE) and for IS Ground if applicable. The Ground bars shall be easy accessible and visible for check also after termination of cables.


Ground bars shall be fabricated from copper and be provided with a suitable number and size of connections for all terminations (including installed and future spare I/O). Instrument Ground bars shall be isolated from the enclosure, and Protective Ground bars shall not be isolated from the enclosure. Refer to section 10.9 regarding ground fault detection.

10.13 Cables

Refer to TR3023/TR3024 for requirements to cables.

10.14 SAS termination

Refer to TR3023/TR3024 for requirements to cable termination. It shall be possible to isolate field signals from the SAS units without disconnecting the cable cores from the terminals. This applies to all field signal terminations, including those in RIO units. Field termination blocks shall be spring-loaded. It shall be possible to disconnect the termination part of the logic solvers without affecting the possibilities for application program testing. Reconnection facilities shall be pluggable.

10.15 SAS monitoring

All units on the SAS network shall be monitored, and any detected fault or malfunction shall be alarmed. SAS unit, fault type and card (if relevant) shall as a minimum be referenced in the alarm text. As a minimum, the following shall be monitored:

- SAS servers (running processes, disk capacity etc.)
- CPU redundancy
- CPU performance/memory
- I/O cards
- All internal and external bus communication
- Status of field networks
- Status of SAS network
- Condition of SAS network components (e.g. switches)
- Power supply to the individual SAS units

This information shall be presented in an overview topology VDU picture as described in 5.2, with details in separate graphics.


11 SAS performance

11.1 Logic solver cycle time

The maximum cycle time for the SAS logic solver shall be 1 second. Individual applications may require shorter cycle times. Where required, selected logic solvers shall be able to handle applications with cycle times down to 10 ms.

11.2 Time synchronisation

All SAS units and subsystems which are connected to SAS shall be time synchronized. Defined SAS units shall receive NTP (Network Time Protocol) Coordinated Universal Time (UTC) from the technical network and distribute accurate time to other SAS units and subsystems, e.g. MCCs. SAS must be able to receive UTC time, set the correct time according to the local time zone and handle daylight saving time. The time synchronisation mechanism shall incorporate a proven method of handling summer time and winter time, including all consequential actions for databases and relevant external systems. The time synchronisation requirement is +/-10 ms between any two SAS units. Other instrumented systems connected to the technical network should receive similar NTP time directly from the technical network.

11.3 Response times

HMI response time is how fast the system responds to user interaction, that is how fast the response is after the user gives information to the system or demands information from the system. The speed of computer response to user entries should be appropriate to the transaction involved. In general, the response should be faster for those transactions perceived by a user to be simple. The following are requirements for some key interactions and shall be satisfied for pages containing typically up to around 1000 dynamic data points (see Note 5, below Table 4):

Table 5 HMI interaction response times (required max. response time / target response time, seconds)

- Call-up time for new picture (Note 6): 1.0 (Note 7) / 0.25
- Dynamic elements update (measured from change in input signal value on I/O card terminals until dynamic element shows same state/value): 2.0 (Note 8) / 1.0
- Operator control activation (mouse click, keyboard entry, cursor controller movement): 0.25 (Note 7) / 0.10
- Request for a dialogue window: 0.25 (Note 7) / target not specified
- Operator command (measured from operator command until output card/channel has reached new state): 2.0 (Note 8) / target not specified
- Operator alarm acknowledge (measured from operator action until acknowledgement is observed on the operator VDU): 2.0 (Note 8) / target not specified
- Alarm announcement (measured from alarm limit is reached until alarm text is displayed): 2.0 (Note 8) / target not specified
- When no response from the application occurs (system “freeze”), an “abort” dialogue window shall appear: 10.0 / target not specified

Notes:
4. The different SAS vendors define data points in different ways. The requirement is related to a window with a similar amount of data points as the process window in Figure 9 in TR1212.
5. An exception is made for drawing the trend line in minitrends, where the requirement is maximum 2.0 seconds for all trends up to 10 minitrends on a page. (Showing the rest of the symbol shall satisfy the demand of 1.0 second.)
6. Based on recommendations given in NUREG-0700, 2002.
7. This requirement is related to 1 second cycle time in the logic solver.

SAS shall be designed to meet the following performance requirements for the logic solver:

Table 6 Logic solver response times (required max. response time, seconds; no target response times are given)

- Closed loop control, i.e. from input signal/I/O module to output signal/I/O module (measured at I/O card terminals). For special control functions a shorter cycle time may be necessary in order to fulfil function requirements: 2.0
- ESD activation, e.g. from initiator to activation of output signal: 2.0
- ESD initiation from F&G, i.e. from confirmed F&G detection to activation of ESD outputs (measured from F&G input signal is in alarm state until ESD outputs are activated): 4.0
- Response time requirements for Fire and Gas functions:
  - Upon exposure, the time from individually connected fire detector alarm limit is exceeded until alarm is presented/tagged on operator station: 4.0
  - Upon exposure, the time from addressable fire detector alarm limit is exceeded until alarm is presented/tagged on operator station: 15.0
  - Upon gas exposure, the time from gas detector alarm limit is exceeded until alarm is presented/tagged on operator station: 2.0

The logic solver response requirements apply also when the information is transferred via serial communication to/from control class 2 systems.


11.4 Time stamping

All SAS events, process and system alarms shall be time stamped in order to identify the correct sequence of events. Time stamping should be performed by the SAS logic solver, and the accuracy of the time stamping shall be according to the defined cycle time. Manual data entry to SAS logic solvers shall be treated as events. Special requirements apply to the accuracy of protection alarms in PDCS. Independent of configuration and number of MCCs and SAS units, the protection alarms in PDCS shall be time stamped with an accuracy of 10 ms, or better, relative to when they physically appear.
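An added example (not from TR3034 or any SAS vendor) covering the time synchronisation requirements of 11.2 and the time stamping of 11.4 together: events are stamped in UTC, local time with summer/winter time is derived only for display, and the +/-10 ms requirement is checked between every pair of units rather than per unit. It assumes the EU daylight-saving rule on a UTC+1 standard offset; the unit names, clock offsets and events are constructed.

```python
"""UTC time base, EU summer/winter time and synchronisation check for SAS units.

Added example, not from TR3034 or any SAS vendor. Assumes the EU daylight-saving
rule (last Sunday of March to last Sunday of October, switching at 01:00 UTC) on a
UTC+1 standard offset; unit names, offsets and events below are constructed.
"""
from datetime import datetime, timedelta, timezone
from itertools import combinations

STANDARD_OFFSET = timedelta(hours=1)  # assumption: CET, UTC+1
SYNC_TOLERANCE_MS = 10.0              # 11.2: +/-10 ms between any two SAS units


def last_sunday_utc(year: int, month: int) -> datetime:
    """00:00 UTC on the last Sunday of the given month."""
    first_of_next = datetime(year + (month == 12), month % 12 + 1, 1, tzinfo=timezone.utc)
    last_day = first_of_next - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def is_summer_time(utc: datetime) -> bool:
    """EU rule: summer time runs from the last Sunday of March 01:00 UTC
    until the last Sunday of October 01:00 UTC."""
    start = last_sunday_utc(utc.year, 3) + timedelta(hours=1)
    end = last_sunday_utc(utc.year, 10) + timedelta(hours=1)
    return start <= utc < end


def to_local(utc: datetime) -> tuple:
    """Local wall-clock time (naive) and zone label for a UTC-stamped event."""
    if utc.tzinfo is None:
        raise ValueError("event time stamps must be UTC-aware; naive local times are ambiguous")
    utc = utc.astimezone(timezone.utc)
    summer = is_summer_time(utc)
    offset = STANDARD_OFFSET + (timedelta(hours=1) if summer else timedelta(0))
    return (utc + offset).replace(tzinfo=None), ("CEST" if summer else "CET")


def sequence_of_events(events: list) -> list:
    """Order (unit, utc_stamp, text) events by UTC and render local time for display.
    Sorting on the UTC stamp keeps the true sequence even across the repeated local
    hour when summer time ends; a sort on local wall-clock time would invert it."""
    ordered = []
    for unit, utc, text in sorted(events, key=lambda e: e[1]):
        local, zone = to_local(utc)
        ordered.append(f"{utc:%Y-%m-%d %H:%M:%S}Z  {local:%H:%M:%S} {zone}  {unit}  {text}")
    return ordered


def sync_violations(offsets_ms: dict, tolerance_ms: float = SYNC_TOLERANCE_MS) -> list:
    """Each unit reports its clock offset from the NTP reference in ms. The +/-10 ms
    requirement is between any two units, so every pair is checked, not each unit alone.
    Returns (unit_a, unit_b, difference_ms) for the pairs outside tolerance."""
    bad = []
    for a, b in combinations(sorted(offsets_ms), 2):
        diff = abs(offsets_ms[a] - offsets_ms[b])
        if diff > tolerance_ms:
            bad.append((a, b, round(diff, 3)))
    return bad


# Constructed data: two events either side of the 2012 autumn change (01:00 UTC on
# 28 October 2012), listed out of order, and per-unit clock offsets in ms.
SAMPLE_EVENTS = [
    ("ESD-LS-01", datetime(2012, 10, 28, 1, 10, tzinfo=timezone.utc), "ESD output activated"),
    ("PCS-LS-01", datetime(2012, 10, 28, 0, 40, tzinfo=timezone.utc), "20PT0101 HH alarm"),
]
SAMPLE_OFFSETS_MS = {"ESD-LS-01": 1.5, "F&G-LS-01": 8.5, "PCS-LS-01": -3.0, "SAS-SRV-01": -2.0}

if __name__ == "__main__":
    print("\n".join(sequence_of_events(SAMPLE_EVENTS)))
    print("out of tolerance:", sync_violations(SAMPLE_OFFSETS_MS))
```

Each unit in the sample is individually within 10 ms of the reference, yet two pairs are more than 10 ms apart, which is what the requirement actually constrains.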

11.5 SAS lifetime

SAS lifetime shall be understood as the time from site acceptance test to necessary major change out of hardware and software to maintain the original functionality due to unavailability of spare parts, lack of system competence/support/capacity or high fault frequency. Minor replacement of individual parts (cards, hard disks etc.) does not influence the overall SAS lifetime as long as the spare parts are available from the SAS supplier.

The typical lifetime of a facility is in the range of 20 to 100 years. During the lifetime of the facility, it is required to maintain the SAS function. It may be necessary to replace the originally installed SAS with a newer SAS generation during the lifetime of the facility. A SAS generation is defined as a system based on constant interfaces in the SAS topology (i.e. SAS network, interface between logic solver and I/O, interface between logic solver and HMI, applications, application environment/tools). Newer releases (hardware and software) within a SAS generation shall be compatible with older releases. In the transition between SAS generations, it is required that the new SAS generation supports the old interfaces. Figure 5 is a graphical representation of the typical interfaces within the SAS.

Figure 5 SAS interface through plant lifetime (figure not reproduced; it shows the chain HMI - Network - Logic Solver (LS) with its Application - I/O - Field Device, with a second logic solver, application and I/O alongside, and marks the following compatible/persistent interfaces: 1. HMI - LS Application; 2. LS Application - LS HW/SW; 3. LS App/HW - I/O; 4. LS App - LS App; 5. I/O - Field)


It is expected that the SAS lifetime, i.e. the time until upgrade to a new SAS generation is required, on a facility is a minimum of 20 years from site acceptance test. Figure 6 is a graphical representation of the typical SAS lifecycle on a facility, including several HMI upgrades and typically one overall SAS upgrade during the lifetime of the facility.

Figure 6 SAS lifetime

The minimum required lifetime of the different SAS components is:

Table 3 SAS components lifetime requirements

SAS component type            Lifetime requirement (years)   Lifetime target (years)
SAS servers                   8                              10
SAS operator stations         8                              10
Logic solvers                 20                             30
I/O cards                     30                             40
Logic solver power supply     20                             30
SAS network components        10                             15
SAS applications and tools    Facility lifetime              Facility lifetime

11.6 Operational requirements

Equipment shall be certified for operation under the following conditions:

Equipment in the CCR:

Ambient temperature: +10 to +35 °C (+50 to +95 °F)


Temperature gradient: 10 °C/hour (18 °F/hour)

Relative humidity: 20 - 80 %, non-condensing

Equipment in LERs and local control rooms:

Ambient temperature: +5 to +35 °C (+41 to +95 °F)

Temperature gradient: 10 °C/hour (18 °F/hour)

Relative humidity: 10 - 90 %, non-condensing

RIO cabinets including RIO units and field equipment in general:

Ambient temperature: -20 to +40 °C (-4 to +104 °F)

Equipment shall be certified for non-operation under the following conditions:

Ambient temperature: -25 to +50 °C (-13 to +122 °F)

Temperature gradient: 20 °C/hour (36 °F/hour)

Relative humidity: 5 - 95 %, non-condensing

For offshore facilities, systems and equipment dedicated for use in emergency situations shall be able to operate at a maximum platform inclination of 17° in any direction, plus a dynamic angle to be specified during Detail Engineering, typically 5° in the same direction. The requirement is thus 22° in any direction. In addition, an Accidental Limit State check shall be performed for all SAS equipment, based on an inclination of 30° in any direction. This check shall demonstrate sufficient structural capacity to avoid collapse of supports/equipment.

12 Spare capacity and expandability

The following spare capacity shall be provided at the time of plant start-up or after a major upgrade of SAS. For larger modifications the need for future spare capacity shall be evaluated. For minor modifications and evaluation of the operational situation, spare CPU capacity shall be according to the requirements in the addendum to TR3034 for the actual plant and technology.

Table 4 Spare capacity requirements

Spare requirement in relation to installed capacity: Requirement at contractual handover

Equipment room I/O - installed spare per type of I/O including corresponding number of field cable terminals (per logic solver): 25%

Field RIO - installed spare per type of I/O including corresponding number of field cable terminals (per logic solver and per RIO location): 20% (Note 10)

Spare slots for additional I/O cards in installed I/O racks in equipment rooms (per logic solver, not per I/O rack): 10%

Free space inside individual SAS cabinets: 20%

Logic solver free CPU capacity (Note 9): 50%

Logic solver free memory - installed spare: 50%

SAS server and operator station free capacity (Note 9, 10): 50%

SAS network free capacity (Note 9): 90%

Notes:


8. Average value, which shall be taken over a period of twice the slowest cyclic update interval.

9. This requirement applies to free CPU capacity, number of dynamic elements/trend curves/pictures and licence coverage.

10. For small RIO units mounted on package skids, the requirement for installed spare capacity may be reduced to 5%.

To obtain the above spare requirements, experience shows that the spare capacity at FAT should be higher than the spare requirement at plant start-up, e.g. 10% above the numbers listed in the table above. A procedure for measuring spare capacity shall be established and verified. Requirements regarding spare capacity for communication buses shall be as for hardwired I/O. There shall be a minimum of 20% spare ports on each network switch.

13 LCI requirements

Refer to TR2381 for LCI requirements and to GL3034 for guidelines on which LCI requirements are relevant for SAS.

14 Testing of SAS

Test equipment for simulating all types of connected I/O signals shall be provided by the system supplier at the time of testing. Test programs simulating values on all I/O channels shall be supplied, with an appropriate operator interface. The capacity of the test equipment shall match the I/O handling capacity of the I/O cards supplied. Facilities for measuring the dynamic loads of SAS units, the communication system and operator stations shall also be supplied. Refer to GL3034 for guidelines on which acceptance tests should be performed for a SAS delivery.


15 Additional information

15.1 Definitions and abbreviations

15.1.1 Definitions

The terms defined in this section are written in italic the first time they are used in the text.

Definition Description

Application block A complex logic-mathematical application which is defined and validated by Company

Application software The applications implemented in a SAS unit, typically control structures and control sequences in a logic solver or VDU pictures

Blocking Blocking is the prevention of actions by disabling the signal to/from the logic, but allowing the alarm annunciation to the operator

Centralised logic solver

Logic solver in cabinets located in Central Equipment Room (in vicinity of CCR)

Company

Statoil

Control class 1

All control and monitoring functions are fully integrated in SAS, utilising a uniform system with standard software and hardware.

Control class 2

Control and monitoring functions are integrated in a non-SAS logic solver, with interface to SAS to obtain complete operational control from SAS HMI, utilising standard hardware and/or software interface.

Control class 3

Stand-alone control and monitoring units with no communication interface to SAS, i.e. only hardwired signals.

Consequence classification

Classification of equipment as critical, important or general with respect to HES (Health, Environment and Safety), production or other maintenance control. The purpose is to form a basis for control and prioritisation of maintenance activities, decide preventive maintenance, maintenance frequency and spare parts control.

Control structure Group of application blocks, simple logic elements and logic connections between these

Distributed logic solvers

Logic solvers in cabinets distributed in LIR/LER

Elementary function block

A simple logic-mathematical operation usable in different types of process control applications, such as AND, OR, logical inversion, RS latches, pulses, timers, etc.

Facility Offshore installation or onshore plant

Function block

Generic term covering application blocks and elementary function blocks

Grounding Analogous to Earthing

Hardwired signal Signal individually wired, e.g. to/from an I/O card.


IMS

Information Management System as defined by TR2258

Logic solver That portion of either PCS or SIS that performs one or more logic function(s). Examples are: electrical systems, electronic systems, programmable electronic systems, pneumatic systems, hydraulic systems. Sensors and final elements are NOT part of the logic solver

Operator Workplace All the equipment that the operator has at his disposal for the monitoring and control of his facility area. Consists of one or more operator stations.

Override

Hardware function to set the output signal to a defined state, independent of changes in logic states

Process Equipment Singular piece of process equipment (e.g. pump, compressor, vessel, etc.)

Process Unit Group of process equipment functioning as a unit or system

RIO cabinet Cabinet which contains RIO (remote I/O) equipment and field cable terminals, but no logic solver

RIO unit

Cluster of remote I/O connected to one logic solver including communication device and power supplies

Safety Integrity Level Discrete level (one out of four) for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented systems. Safety integrity level 4 has the highest level of safety integrity; safety integrity level 1 has the lowest

Sample interval Time between samples

SAS unit A CPU with associated equipment such as I/O racks and cards, bus communication with RIO or control class 2 systems, network components, power supplies and termination facilities for field cables. Operator stations, engineering work stations, SAS servers, SAS gateways and large screen displays are also considered as SAS units.

System The "system" term is in this context used to describe the SAS unit part of SIS and PCS, excluding the field part of the instrument loops from the field termination facilities for the field cables. The "system" term, as used in this document, differs from the "system" term used when denoting the different process systems into which the facility is divided

Update interval Time between updates

View Only Client

Client made for viewing process or system without permission to operate or manipulate. E.g. viewing operator HMI including alarm list and trend facilities.

15.1.2 Abbreviations

Abbreviation Description

A&E Alarm & Event

AI Analogue Input

AO Analogue Output

APC Advanced Process Control

APS Abandon Platform Shutdown (for offshore facilities, ref. TR1055)

BMS Burner Management System

CAP Critical Action Panel

CB Circuit Breaker


CCR Central Control Room

CCTV Closed Circuit Television

CER Central Equipment Room

CIP Common Industrial Protocol

CPU Central Processing Unit

DA Data Access

DI Digital Input

DO Digital Output

EDP Emergency Depressurisation

ESD Emergency Shut Down (system)

FAT Factory Acceptance Test

FB Function Block

F&G Fire and Gas

FTC Field Termination Cabinet

HART Highway Addressable Remote Transducer

HDA Historical Data Access

HIPS High Integrity Protection System

HMI Human Machine Interface

HVAC Heating, Ventilation and Air Conditioning

I/O Input/Output

IMS Information Management System

KVM Keyboard, Video, Mouse

LCI Life Cycle Information

LER Local Equipment Room

LIR Local Instrument Room

MCC Motor Control Centre

MCB Miniature Circuit Breaker

NAMUR NormenArbeitsgemeinschaft für Mess- Und Regeltechnik in der chemischen Industrie (A proximity switch technology; loop resistance-based state detection)

OLE Object Linking and Embedding

OPC OLE for Process Control

OS Operator Station

PA Public Address

PCS Process Control System

PDCS Power Distribution Control System

PSD Process Shut Down (system)

RIO Remote Input/Output

RS Reset Set


SAS Safety and Automation System

SCU Subsea Control Unit

SIL Safety Integrity Level (Ref. IEC 61508)

SIS Safety Instrumented System

UA Unified Architecture

TCP/IP Transmission Control Protocol/Internet Protocol

UTC Coordinated Universal Time

VLAN Virtual LAN (Local Area Network)

VDU Video Display Unit

15.2 Changes from previous version

Editorial changes throughout the document.

Sect 1.1. Revised the definition of the validity for modification projects.

Sect 2. New figure 1.

Sect 4.2. Added requirements regarding segregation of F&G detectors and I/O allocation.

Table 1. Revised the table and its notes.

Table 2. Revised table 2.

Sect 4.7. Deleted CIP (communication interface) and added "quality information" for all interfaces.

Sect 5.5. Added requirements for printing facilities.

Sect 6.1. Revised (safety instrumented system) and added requirements from TR1055.

Sect 6.1. Added a new section 6.1.1 Logic solver. Introduced new requirements and added requirements from TR1055.

Sect 6.2. Reorganised and added new requirements from TR1055.

Sect 6.4. Revised and added requirements for data communication between logic solver and fire central.

Sect 6.5. Revised, added new requirements and deleted old requirements.

Sect 7.8. Revised, added new requirements and deleted old requirements.

Sect 8. Added "system administrator" under access rights.

Sect 9.3. Added two more bullets, Engineering and maintenance tool.

Sect 10.3.2. Removed requirements regarding maintaining SIL upon loss of power.

Sect 10.3.2/3/4/5. Removed requirement regarding maintaining SIL upon failure of one CPU. Added requirements for segregation of redundant cables in section 10.4 SAS network, and one more bullet.

Sect 10.5. Added requirements for "industrial use" and revised the requirement for OS outside CCR.

Sect 10.6. Revised system description.

Sect 10.7. Added requirement for segregation.

Sect 10.9. Added new requirements.

Sect 10.11. Revised and added an illustration of power supply from UPS. Also added new requirements from TR1055.

Sect 10.12. Revised.

Sect 11.3. Added new requirement from TR1055.

Sect 11.5. New figure for illustration of SAS interface. Also replaced SAS lifetime figure.

Sect 11.6. Changed operational requirements.

Sect 12. Changed requirements for spare capacity and expandability.


15.3 References

Company documents

GL1494 Alarm system guideline
GL1658 Technical Network Architecture
GL3034 Safety and Automation System
GL3137 Safety Instrumented System, the follow up in operation phase
GL3138 Compressor - Anti-surge (not issued)
TR0052 Statoil engineering numbering system oil and gas production facilities
TR1055 Performance standards for safety systems and barriers - Offshore
TR1212 SAS Operator Station HMI
TR1494 Alarm System
TR1658 Security and Accessibility
TR2237 Safety Design for Onshore Plants
TR2041 Safety Instrumented System (SIS) - Management of Lifecycle Requirement
TR2258 Requirement to IMS basic configuration
TR2381 LCI Requirements
TR3001 Process Safety
TR3002 Flare, vent and drain systems
TR3021 Electrical system design, offshore units
TR3022 Electrical system design, onshore plants
TR3023 Electrical installations, offshore units
TR3024 Electrical installations, onshore plants
TR3030 Automation, technical requirements and standards
TR3031 Automation
TR3032 Field Instrumentation
TR3035 SAS application functions and structures
TR3036 Turbine Control System
TR3037 SAS integration of subsea control
TR3038 IMS Applications (not issued)
TR3132 Vibration Protection System
TR3133 Life-Cycle Simulator
TR3134 Advanced Process Control
TR3138 Testing and inspection of safety instrumented system
TR3139 Large Screen Display (not issued)

International standards

IEC 60079-14 Explosive atmospheres, Part 14: Electrical installations design, selection and erection
IEC 61000, all parts Electromagnetic compatibility (EMC)
IEC 61010 Safety requirements for electrical equipment for measurement, control, and laboratory use
IEC 61131 Programmable controllers
IEC 61158 Industrial communication networks, Fieldbus specifications
IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511 Functional safety, Safety instrumented systems for the process industry sector
IEC 61804 Function Blocks (FB) for process control
IEC 61892-7 Mobile and fixed offshore units, Electrical installations, Part 7: Hazardous areas
EN 12952 Water-tube boilers and auxiliary installations
EN 12953 Shell boilers
NFPA 85 Boiler and Combustion Systems Hazards Code
NUREG-0700 Rev. 2 (2002) Human-System Interface Design Review Guidelines, US Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, available from Internet via http://www.nrc.gov/