
Materials System Specification

34-SAMSS-623 Programmable Controller Based ESD Systems

Instrumentation Standards Committee Members
Al-Juaib, Mohammed Khalifah, Chairman
Tuin, Rienk, Vice Chairman
Al-Dakhil, Tareq Khalil
Al-Faer Al Sharif, Hisham Mohammed
Al-Harbi, Ahmed Saad
Al-Jumah, Yousif Ahmed
Al-Khalifa, Ali Hussain
Al-Qaffas, Saleh Abdal Wahab
Al-Sahan, Fawaz Adnan
Al-Saleem, Hesham Salem
Chetia, Manoj
Ell, Steven Tal
Fadley, Gary Lowell
Falkenberg, Anton Raymond
Grainger, John Francis
Mahmood, Balal
Mathew, Vinod
Qarni, Mahdi Ali
Trembley, Robert James

27 December 2008

Saudi Aramco DeskTop Standards


Table of Contents
1 Scope ............................................... 2
2 Conflicts and Deviations ............................ 2
3 References ........................................... 3
4 Definitions .......................................... 5
5 General .............................................. 6
6 General Design Requirements .......................... 8
7 Acceptable ESD System Architectures ................. 11
8 ESD Hardware Configuration .......................... 11
9 ESD Panel Construction .............................. 21

Previous Issue: 16 January 2008 Next Planned Update: 27 December 2013 Page 1 of 32 Primary contact: Qaffas, Saleh Abdal Wahab on 966-3-8746410
Copyright Saudi Aramco 2008. All rights reserved.

Document Responsibility: Instrumentation Issue Date: 27 December 2008 Next Planned Update: 27 December 2013

34-SAMSS-623 Programmable Controller Based ESD Systems

Table of Contents (contd)
10 ESD System Safety Availability (PFDavg) ............ 24
11 Fault-Tolerant Considerations ...................... 25
12 Reliability ........................................ 25
13 Noise and Fault Protection ......................... 25
14 Programming and Configuration ...................... 26
15 On-Line Diagnostics ................................ 28
16 Documentation ...................................... 29
17 Quality Control .................................... 30
18 ESD System Inspection and Testing .................. 31

1 Scope
1.1 This specification defines the minimum mandatory requirements for fail-safe, fault-tolerant, programmable controller based Emergency Shutdown (ESD) systems.
1.2 This specification is applicable for any redundant programmable controller based ESD system, i.e., dual-modular-redundant (DMR) 1-out-of-2D, triple-modular-redundant (TMR), 2-out-of-3 systems.
1.3 This specification together with a project ESD system Functional Specification Document (FSD), Specification Sheet(s) ISS 8020-623-ENG Sheets 1 and 2, and associated logic diagrams prescribes the minimum mandatory design, fabrication and testing requirements for the project.
1.4 Where a project Functional Specification Document (FSD) calls for more than one ESD system, this specification shall apply to each ESD system individually.

2 Conflicts and Deviations
2.1 Any conflicts between this specification and other applicable Saudi Aramco Materials System Specifications (SAMSSs), Engineering Standards (SAESs), Standard Drawings (SASDs), or industry standards, codes, and forms shall be resolved in writing by the Company or Buyer Representative through the Manager, Process & Control Systems Department, Engineering Services of Saudi Aramco, Dhahran.
2.2 Direct all requests to deviate from this specification in writing to the Company or Buyer Representative, who shall follow internal company procedure SAEP-302 and forward such requests to the Manager, Process & Control Systems Department, Engineering Services of Saudi Aramco, Dhahran.


3 References
Material or equipment supplied to this specification shall comply with the latest edition of the following references as of the date of the Purchase Order, unless stated otherwise:

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedure
SAEP-302    Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco Engineering Requirement

Saudi Aramco Materials System Specifications
34-SAMSS-820    Instrument Control Cabinets Indoor
34-SAMSS-821    Instrument Control Cabinets Outdoor

Saudi Aramco Forms and Data Sheets
Form 8020-623-ENG    Instrument Specification Sheet (ISS) for Programmable Controller Based ESD System, Sheets 1 and 2
Form 175-344400    Inspection & Testing Requirements

3.2 Industry Codes and Standards

American National Standards Institute/National Fire Protection Association
ANSI/NFPA 70    National Electric Code (NEC)

American National Standards Institute/Institute of Electrical & Electronics Engineers
ANSI/IEEE 802.3    Supplement to ISO/IEC 8802-3, Local and Metropolitan Area Networks Section 13 & 14

Canadian Standards
CSA C22.2 No. 0    CSA General Requirements (Electrical)

Electronic Industries Association
EIA/RS-232    Interface between Data Terminal Equipment and Data Communication Equipment Employing Serial Binary Data Interchange
EIA/RS-422    Electrical Characteristics of Balanced Voltage Digital Interface Circuits
EIA/RS-485    Electrical Characteristics of Generators and Receivers for Use in Balanced Digital Multipoint Systems

The Instrumentation, Systems, and Automation Society (ISA)
ANSI/ISA-84.00.01-2004    Application of Safety Instrumented Systems for the Process Industries
ISA TR84.00.02    Safety Instrumented Functions (SIF) Safety Integrity Level (SIL) Evaluation Techniques

International Electro-technical Commission (IEC)
IEC 61131-2    Part 2: Programmable Controllers Equipment Requirement and Tests
IEC 61131-3    Part 3: Programmable Controllers Programming Languages
IEC 61000-6-2    Generic Standards Immunity for Industrial Environments
IEC 61000-4-3    Testing and Measurement Techniques Radiated, Radio Frequency, Electromagnetic Field Immunity Tests
IEC 61508    Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems
IEC 61511    Functional Safety - Safety Instrumented Systems for the Process Industry Sector

International Organization for Standardization
ISO 9001    Quality Systems - Model for Quality Assurance in Design/Development, Production, Installation and Servicing

Other Industry References
Bellcore TR-332    Reliability Prediction Procedure for Electronic Equipment - Telcordia Technologies
MIL-HDBK-217    Military Handbook Reliability Prediction of Electronic Equipment


4 Definitions

Availability (Safety): The fraction of time that a safety system is able to perform its designated safety service when the process is operating. It is calculated as in Equation (1). Note that the average Probability of Failure on Demand (PFDavg) equals 1 minus the Safety Availability:

A = \frac{MTTF}{MTBF} = \frac{MTTF}{MTTF + MTTR}    (1)

Diagnostic Coverage Factor: The ratio of detectable faults to the total number of faults or failures which might occur in ESD components, modules, external wiring, internal wiring, cables, interconnections, and logic elements.

Dual Modular Redundant (1oo2D Configuration): An ESD system which uses two separate processors, each with its own separate I/O modules, bus structure, chassis, software and power supplies, to vote input signals in a 1oo2 arrangement. Sensor signals are separated into two isolated paths to two separate input modules where signals are conditioned and communicated by separate busses to separate processors. A valid input signal on either leg of the system will initiate the desired logic response via two separate, fail-safe output modules.

Failure: An error in ESD system hardware, firmware or software whereby a module is not capable of performing its specified function. Modules may fail safely, in which case the process is brought to the safe state, or dangerously, in which case the ESD system is unable to bring the process to the safe state.

Fail-Safe: An ESD system is fail-safe if the failure of a component, signal, or utility initiates action that returns the system to a safe state.

Fault-Tolerance: The built-in capability of the system to provide continued correct execution of ESD commands and functions in the presence of a limited number of hardware and software errors/faults. Fault-tolerance includes the ability to detect and log transient or steady-state error conditions via diagnostic circuits or comparative logic, and to take appropriate corrective action, while remaining on-line and performing its specified safety function.

Field Proven: A system shall be considered to be field proven when it has been installed, commissioned, and operational in a customer facility for a period of six months or longer (excluding beta test periods) after receiving TUV certification for the programmable controller's hardware, firmware, and software.

First Out Alarm: ESD logic that discriminates, from a group of inputs, the input that tripped first to cause a shutdown.


MTTF: Mean Time To Failure is the expected time to failure of a system in a population of identical systems.

MTBF: Mean Time Between Failure is a statistical value equal to the mean or average time expected between failures of a given device, which is used in the determination of system reliability. MTBF figures can be predicted or observed. Observed MTBF for a given component is calculated using actual failure rate data collected for the population of the component while in service. Predicted MTBF is a figure which is calculated based on failure rate models of the individual sub-components of the component. Two widely accepted methods for calculation of predicted MTBF are MIL-HDBK-217 and Bellcore TR-332. It is derived in its simplest form as:

MTBF = MTTF + MTTR    (2)

MTTR: Mean Time To Repair is the statistical average of time taken to identify and repair a fault (including diagnosis), in a population of identical systems.

PFDavg: The average probability of a system failing to respond to a demand in a specified time interval is referred to as PFDavg. PFDavg = 1 - Safety Availability.

Reliability: The probability that when operating under stated environmental conditions, the system will perform continuously, as specified, over a specific time interval.

Scan Time: ESD system scan time is the composite of input modules scan, program execution and all output modules state transition time.

Triple Modular Redundant ESD (TMR, 2oo3 Configuration): TMR configured ESD systems employ 3 processors running in parallel with triplicated I/O, bus structure, chassis, and software. Each processor executes its individual application program simultaneously and independently; verifying data, executing logic instructions, control calculations, clock and voter/synchronization signals and performing comprehensive system diagnostics and discrepancy monitoring. Process outputs are sent via triplicated paths to output modules where they are voted (2oo3) to ensure logic and output integrity.

5 General

5.1 Use of Standard Products
5.1.1 The system shall be composed of manufacturer's standard hardware, systems software, and firmware that can be configured to meet the stated requirements.
5.1.2 A vendor's standard system operating software shall not be modified to meet any of Saudi Aramco's requirements.


5.1.3 Application software shall be designed in a manner that requires no modification to the system operating software.

5.2 Revision Level
All ESD system hardware, firmware and software shall be the latest field proven revision level at the time of the hardware freeze date as defined in the contract purchase order or the Preliminary Design Review (PDR), whichever is later.

5.3 System Support
5.3.1 ESD vendor shall guarantee support of all hardware, firmware, and software associated with the controller, I/O subsystems, power supplies and any proprietary communications equipment for a period of ten (10) years from the hardware freeze date. Support shall include spare parts and technical support. This support shall not be contingent on the customer upgrading to later releases of software or hardware.
5.3.2 Withdrawal of product support for ESD vendor manufactured products shall be notified in writing 12 months in advance to the Manager, Process & Control Systems Department, Engineering Services of Saudi Aramco.
5.3.3 ESD vendor shall provide factory trained technical support services locally (In Kingdom).

5.4 Engineering Units
Unless otherwise specified, all dimensions and measurements shall be in the International System of Units (SI), and may be followed by the equivalent value in conventional units between brackets.

5.5 Environmental Conditions
5.5.1 Indoor Installations
All ESD Equipment installed in air-conditioned buildings shall be designed for:
a) Ambient temperature range: 10°C to 35°C (1)
b) Ambient relative humidity: 20% to 80%.

Note (1): For equipment which dissipates internal heat, an additional 15°C shall be added to the above maximum temperatures. As an example, for an "indoor air conditioned" installation, the equipment must perform at 35 + 15 = 50°C. The designer can substantiate a temperature rise of less than 15°C by providing the support data and heat calculations.

5.5.2 Outdoor Installations
All ESD equipment specified for outdoor installation shall be designed to operate continuously at the environmental conditions specified in 34-SAMSS-821 and without using cabinet cooling fans.

5.6 Electrical Requirements and Certifications
5.6.1 Unless otherwise specified, ESD equipment shall be powered from separate Saudi Aramco supplied Uninterruptible Power Supply (UPS) branch feeders at 120 VAC (tolerance of 110 to 126 VAC), 60 Hz (±2 Hz), which are over-current protected.
5.6.2 Unless otherwise specified, ESD system components shall be installed within a general purpose, non-classified electrical area per ANSI/NFPA 70, National Electrical Code (NEC) Article 505.
5.6.3 ESD systems operating in outdoor cabinets shall be certified for use in Class I, Zone 2 hazardous areas.
5.6.4 ESD system components shall be listed, labeled, and conform to UL, FM, or CSA standards or guidelines.
5.6.5 Unless otherwise specified, field power supplies that are used to power field I/O shall use nominal 24 VDC (tolerance of 21 to 28.2 VDC).
5.6.6 The Vendor's manufactured ESD equipment comprised of modules, operating system software and firmware shall be certified to meet SIL 3 requirements of International Electro-technical Commission (IEC) IEC 61508 by Factory Mutual or TUV Product Services, Rheinland, SD or NORD.

5.7 Electromagnetic Compatibility
5.7.1 ESD equipment shall comply with immunity levels stated in IEC 61000-6-2.
5.7.2 Alternatively, the vendor shall provide testing results to confirm that the equipment will operate without disturbance when energized and subjected to an electromagnetic field from a radiating source equivalent to a level 3 disturbance as detailed in IEC 61000-4-3. In particular, RF sources such as hand-held radio transceivers operating at 5 Watts within the frequency ranges 50-174 MHz, 406-470 MHz, and 800-870 MHz and held at a distance of 1.0 meters from the equipment with cabinet doors open shall not cause any malfunction, data corruption, or damage to the equipment.

6 General Design Requirements
The ESD system shall incorporate a redundant architecture which is fault tolerant and fail-safe.

6.1 Fault Tolerance
The ESD system shall be fault tolerant as per the definition in Section 4.

6.2 Fail-Safe Operation
ESD systems shall fail to the safe state position upon loss of the ESD signal or electric power supplies. The safe state shall be the de-energized mode unless otherwise specified in the ISS, logic drawings or Purchase Order.

6.3 Input Bypass Switches
6.3.1 The ESD system shall incorporate an input bypass switch for each field sensor, except where sensors are used in 2oo2 or 2oo3 voting schemes. The input bypass switch is required to perform on-line testing or maintenance. Input bypass switch implementation shall be software configured.
6.3.2 Input bypass switches shall not bypass nor disable the 'trip' signal from an ESD input which drives associated annunciator logic, a CRT's alarm display, event logger or data archiving devices, either directly or via an alias point address.
6.3.3 Input bypass switches shall have restricted access by way of a common key-lock and/or password protection scheme with a confirmation/acknowledge step. Actuation of an input bypass switch shall enable a feedback signal, communicated via the data highway, which confirms the bypass switch action to the operator and the event logger.

6.4 Input Point Replication
6.4.1 If discrete ESD input signals must be replicated for annunciators, local panel or data logger, prior to being input to an ESD input module, individual rail-mounted optical isolators shall be installed within ESD cabinets and powered from the ESD system. Opto-isolator wiring and circuitry shall be passive and shall under no circumstances compromise ESD signal integrity.


6.4.2 Relays shall be used for replication of ESD system inputs when solid-state isolation devices are incapable of meeting signal isolation specifications. Electric relays shall be dust-tight when installed indoors and hermetically sealed when installed outdoors.

6.5 Output Point Isolation
6.5.1 ESD output points that directly interface with motor control circuits shall be individually isolated (non-commoned) from other outputs. ESD outputs shall be rated for, and capable of switching, the maximum load and in-rush current of the designated final device (e.g., motor control relay circuitry). Non-isolated outputs may be used provided that output loads or devices permit common power supply source and returns ('common grounding').
6.5.2 Output isolation relays shall not be used for the multiplication or replication of ESD system outputs, unless they are absolutely essential for:
a) Isolating different input or output signal voltages/currents.
b) Preventing the mixing of circuit voltages/currents which are out of phase, or involve separate grounding systems.
c) Interrupting large loads or substantial inrush currents such as motor control circuits.
6.5.3 If absolutely required, isolation relays shall be rail or card mounted and configured in such a manner as to meet the requirements of Section 6 (General Design Requirements) and 34-SAMSS-820 (wiring segregation), with loop back circuitry and logic (to ESD inputs via, e.g., simplex inputs) to verify the health and functionality of the isolation relays or the intended state of the final control element/field device. Electric relays shall be dust-tight when installed indoors and hermetically sealed when installed outdoors.
Commentary Note: For example, if isolation/interposing relays are used to communicate ESD output commands to motor control circuits, the state of the final device (the motor) can be verified by looping back an auxiliary contact from the motor controller into a simplex ESD input, thereby enabling the input status to be compared against the desired output command.

6.6 Output Point Verification
The intended state of the final control element/field device shall be verified against the ESD command, to alarm the operator when the final device does not reach the intended ESD state within an acceptable time. Final device verification may be achieved using soft logic within the DCS or a soft link between the DCS and a sub-system (i.e., machine monitoring system, power monitoring system, etc.).

7 Acceptable ESD System Architectures
7.1 ESD systems shall be configured using redundant architecture, i.e., Dual Modular Redundant (DMR), 1-out-of-2D (1oo2D) or Triple Modular Redundant (TMR), 2-out-of-3 (2oo3) voting architecture.

7.2 CPU Self-Test and System Diagnostic Routines
Separate watchdog circuitry and/or diagnostic algorithms shall run in background mode, each scan cycle, to monitor the health of all system components, including system software and external/internal communications.
7.2.1 Internal logic within each CPU shall execute automatic self-test, diagnostic routines, I/O change-of-status/loop-back verification and data table fault detection to determine the health of each module or subassembly within the ESD system.
7.2.2 Comprehensive diagnostic coverage (>99%) and fault detection shall be performed using comparative or deterministic voting and fault detection circuits in both firmware and software. These circuits shall automatically identify, alarm, isolate and contain both safe and dangerous faults within system components without compromising ESD system performance. If any processor fails to agree with its other parallel or triplicated counterpart(s), the failed processor shall be automatically diagnosed and alarmed as having failed in either a safe or dangerous manner.
7.2.3 System degradation for DMR-ESD (1oo2D) systems and TMR-ESD (2oo3) systems shall follow the TUV Report and the system Safety Considerations Guidelines and apply any restrictions required for safe operation.
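The 2oo3 and 1oo2D voting with discrepancy diagnosis that 7.1 and 7.2 require, as an added Python illustration; this is not part of the specification or any vendor's certified firmware. The degradation policy it applies (2oo3 to 1oo2, then fail-safe trip) is an assumption, since the specification defers that to the TUV report of the product.

```python
"""2oo3 (TMR) and 1oo2D (DMR) input voting with discrepancy diagnosis.

Added illustration, not vendor firmware. Signal convention follows the
specification: True = energized (healthy process), False = tripped, and
the safe state is de-energized. The degradation policy (2oo3 -> 1oo2 ->
fail-safe trip) is an assumption; the specification defers it to the
TUV report for the certified product.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Channel:
    """One leg of a redundant input: the sampled value plus the verdict of
    that leg's own module diagnostics (the 'D' in 1oo2D)."""
    name: str
    value: bool            # True = energized, False = trip
    diag_ok: bool = True   # False = module diagnostics flag this leg as faulted


@dataclass
class VoteResult:
    output: bool                                     # True = stay energized, False = trip
    alarms: List[str] = field(default_factory=list)  # to be logged and annunciated
    degraded: bool = False                           # running below full redundancy


def _isolate_faulted(chs: List[Channel], res: VoteResult) -> List[Channel]:
    """Alarm and drop every leg whose self-diagnostics failed."""
    for c in chs:
        if not c.diag_ok:
            res.alarms.append(f"{c.name}: diagnostic fault, leg isolated")
    return [c for c in chs if c.diag_ok]


def vote_2oo3(chs: List[Channel]) -> VoteResult:
    """TMR majority vote over three legs. A healthy leg that disagrees with
    the majority is alarmed as failed 'safe' (it called trip alone) or
    'dangerous' (it stayed energized while the majority tripped)."""
    assert len(chs) == 3, "2oo3 needs exactly three legs"
    res = VoteResult(output=True)
    healthy = _isolate_faulted(chs, res)
    if len(healthy) == 3:
        res.output = sum(c.value for c in healthy) >= 2
        for c in healthy:
            if c.value != res.output:
                kind = "dangerous" if c.value else "safe"
                res.alarms.append(f"{c.name}: discrepancy, failed {kind}")
    elif len(healthy) == 2:
        # One leg isolated: degrade to 1oo2, so either remaining leg can trip.
        res.degraded = True
        res.output = healthy[0].value and healthy[1].value
        if healthy[0].value != healthy[1].value:
            res.alarms.append("discrepancy between remaining legs, tripped")
    else:
        # Fewer than two trusted legs: the only safe answer is to trip.
        res.degraded = True
        res.output = False
        res.alarms.append("insufficient healthy legs, fail-safe trip")
    return res


def vote_1oo2d(a: Channel, b: Channel) -> VoteResult:
    """DMR 1oo2D: with both legs trusted, a trip on either leg trips the
    output; when one leg's diagnostics fail, the other leg alone decides;
    when both fail, go to the safe state."""
    res = VoteResult(output=True)
    healthy = _isolate_faulted([a, b], res)
    if len(healthy) == 2:
        res.output = a.value and b.value
        if a.value != b.value:
            res.alarms.append("discrepancy between legs, tripped on the tripping leg")
    elif len(healthy) == 1:
        res.degraded = True
        res.output = healthy[0].value
    else:
        res.degraded = True
        res.output = False
        res.alarms.append("both legs faulted, fail-safe trip")
    return res


if __name__ == "__main__":
    # Constructed sample: leg C reads trip while A and B are energized.
    r = vote_2oo3([Channel("A", True), Channel("B", True), Channel("C", False)])
    print(r)   # output=True (no trip), alarms=['C: discrepancy, failed safe']
```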

8 ESD Hardware Configuration
The ESD chassis or modular assembly shall be of rigid, metal construction. ESD assemblies, module densities and cabinet configurations shall be based solely on convection ventilation requirements (see Section 9). ESD chassis or modular configurations shall be capable of accepting all components necessary to configure a DMR or TMR architecture, e.g., multiple processors (CPUs), I/O modules, communications interfaces, power supplies, bus assemblies, external termination panels, etc. The chassis back-plane shall be capable of handling the electrical current requirements of all applicable module configurations. ESD hardware and system configuration shall be designed to minimize common mode or common cause failures.

8.1 CPU/Processor Memory, Education, Synchronization and Scan Time
a) The Central Processing Units shall contain the program memory, either in nonvolatile EPROM/EEPROM, Flash memory or battery backed RAM, with a minimum 6 month battery backup for RAM based memory. Batteries shall be capable of being replaced without degrading ESD system functionality.
b) In addition to normal application programs, 50% spare application logic memory shall be available within each CPU for future program modification or revisions.
c) Hot replacement, re-education, or modification of a CPU's running application program shall not require process interruption or system reinitialization.
d) Redundant or triplicated CPUs shall not require individual memory re-education or manual resynchronization. CPUs shall be self-educating and self-synchronizing.
e) The CPU shall continuously execute the control program(s) that are stored and enabled in processor memory. Based on the status of configured inputs, the control program shall execute specified output commands. ESD scan time shall not exceed 300 milliseconds.

8.2 CPU Event Logging and Status Indication
The ESD system shall be configured to perform both event logging and first-out reporting, i.e., the time-tagged discrimination of trip events as well as first out event capture, that will allow the determination of the first event which caused individual or collective process equipment to trip.
8.2.1 Time tagging and discrimination of sequential ESD inputs/events shall be performed within a minimum resolution of 300 milliseconds. In order to accomplish this resolution, the Vendor shall provide standard function blocks or utilities to support first out event capture, event logging, buffering, reporting and printing.
8.2.2 The event logging utility shall allow for flexible address grouping and include both internal, nonvolatile event storage as well as an option to communicate event status or event log files to an external computer, storage device or workstation so as to remotely log, print or monitor ESD events.


8.2.3 The event log utility shall incorporate security features which prevent data from being corrupted, destroyed or over-written in the event that data communications devices or ports are malfunctioning or that power is removed from the ESD system. At least 1000 events shall be capable of being stored in internal, non-volatile memory. This feature would be required to maintain the last I/O status for not less than 100 log points.

8.2.4 CPU Operating Modes
A locking mechanism (hardware or software configured switch) for each CPU shall prevent memory modification from an outside source. The switch shall allow optional operating modes, including PROGRAM, REMOTE, RUN or other equivalent functions.

8.2.5 CPU, I/O and Communication Module Status Indicators
Each system module CPU shall continuously monitor its own status and indicate either normal operation or error conditions via LED status indicators or equal on each module. Fault conditions shall be annunciated remotely at the Operators' Workstation and be archived. Status indication at either the module or Operator Workstation shall be provided for the following conditions or their equivalents:
a) MAIN PROCESSOR STATUS (Pass/Fault/Active)
b) COMMUNICATION MODULE STATUS (Pass/Fault/Active)
c) CHASSIS POWER SUPPLY (Pass, Fault)
d) RAM BATTERY STATUS
e) I/O MODULE STATUS (Fault/Active)
f) I/O CHANNEL FORCE (On)
g) FIELD POWER SUPPLY (Pass, Fault)
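The event logging and first-out discrimination of 8.2 through 8.2.3 (300 ms time-tag resolution, a non-volatile buffer of at least 1000 events, and a log that survives a power loss without corrupting earlier records), as an added Python illustration that is not part of the specification or of any vendor's utilities. The tag names are constructed, and the journal record format (length plus CRC32 per record) is an assumption made to show how a truncated write is detected.

```python
"""Sequence-of-events buffer with first-out discrimination.

Added illustration, not vendor code. Events are time-tagged in
milliseconds and quantised to the 300 ms discrimination resolution; the
buffer is sized for the 1000-event minimum; and the journal format
(length + CRC32 per record) is an assumption chosen so that a record cut
short by power loss is detected and discarded instead of corrupting the
records written before it.
"""
from collections import deque
from dataclasses import dataclass
import struct
import zlib
from typing import Deque, Dict, List, Optional, Tuple

RESOLUTION_MS = 300   # spec: minimum time-tag resolution of 300 ms
MIN_EVENTS = 1000     # spec: at least 1000 events in non-volatile memory


@dataclass(frozen=True)
class Event:
    t_ms: int      # time tag, quantised to RESOLUTION_MS
    tag: str       # ESD input address (constructed values in the usage below)
    state: str     # "TRIP", "NORMAL", "BYPASS_ON" or "BYPASS_OFF"


def quantise(t_ms: int) -> int:
    return (t_ms // RESOLUTION_MS) * RESOLUTION_MS


class EventLog:
    def __init__(self, capacity: int = MIN_EVENTS):
        self.buf: Deque[Event] = deque(maxlen=capacity)   # oldest dropped first

    def record(self, t_ms: int, tag: str, state: str) -> Event:
        ev = Event(quantise(t_ms), tag, state)
        self.buf.append(ev)
        return ev

    def first_out(self, group: List[str], shutdown_t_ms: int) -> Optional[str]:
        """Return the input in `group` whose current TRIP has the earliest
        time tag at or before the shutdown. An input that tripped and then
        returned to NORMAL before the shutdown is not a candidate. Bypass
        events are logged but take no part. Two trips in the same 300 ms
        bucket cannot be ordered by time and fall back to record order."""
        last: Dict[str, Tuple[int, int, str]] = {}   # tag -> (t_ms, seq, state)
        for seq, ev in enumerate(self.buf):
            if ev.tag in group and ev.t_ms <= shutdown_t_ms and ev.state in ("TRIP", "NORMAL"):
                last[ev.tag] = (ev.t_ms, seq, ev.state)
        trips = [(t, seq, tag) for tag, (t, seq, st) in last.items() if st == "TRIP"]
        return min(trips)[2] if trips else None


def encode(ev: Event) -> bytes:
    """One journal record: big-endian body length and CRC32, then the body."""
    body = struct.pack(">Q", ev.t_ms) + f"{ev.tag}|{ev.state}".encode()
    return struct.pack(">HI", len(body), zlib.crc32(body)) + body


def decode_journal(data: bytes) -> List[Event]:
    """Replay a journal, stopping at the first record whose length or CRC
    does not check: that is what a write interrupted by power loss looks like."""
    out: List[Event] = []
    pos = 0
    while pos + 6 <= len(data):
        n, crc = struct.unpack_from(">HI", data, pos)
        body = data[pos + 6:pos + 6 + n]
        if len(body) != n or zlib.crc32(body) != crc:
            break
        tag, state = body[8:].decode().split("|", 1)
        out.append(Event(struct.unpack_from(">Q", body)[0], tag, state))
        pos += 6 + n
    return out


if __name__ == "__main__":
    # Constructed sample: three inputs of one shutdown group trip in turn.
    log = EventLog()
    log.record(1000, "PSLL-101", "TRIP")
    log.record(1150, "TSHH-102", "TRIP")   # same 300 ms bucket as PSLL-101
    log.record(1600, "FSLL-103", "TRIP")
    print(log.first_out(["PSLL-101", "TSHH-102", "FSLL-103"], 2000))   # PSLL-101
```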

8.3 Time Synchronization
Time synchronization between ESD and DCS systems shall be within 100 milliseconds and performed once daily.
Commentary Note: The recommended method of time synchronization is to synchronize both the DCS and ESD to a Global Positioning System (GPS) clock / Network Time Protocol (NTP) server over a network using Simple Network Time Protocol (SNTP).


8.4 Input/Output Modules
8.4.1 The input section of the ESD system shall be designed to receive input signals from analog field devices or process activated switch contacts that are closed (i.e., normally energized) during healthy process conditions and will open when process variables exceed predetermined limits. Outputs are designed to be normally energized (when healthy) and de-energize upon the loss of appropriate input signals.
Commentary Note: Certain ESD outputs, e.g., 1500 HP or larger motor switch-gear trip coils, may be preconfigured as energize to trip rather than de-energize to trip. The Vendor must exercise caution when designing a fail-safe ESD interlock for these motor control circuits to ensure that respective output circuits are properly monitored.

8.4.2 All ESD input and output points shall be individually fused, or employ current limiting circuitry, e.g., in the case of module self powered I/O. Fuses shall be located on an external termination panel, fused terminal strip, or in a location readily accessible for maintenance. If fused terminal strips are used they shall be hinged, quick-disconnect, cap, or an equivalent type of terminal, with a blown fuse indicator (e.g., LED - light emitting diode). Removal of I/O modules shall not be necessary to accomplish fuse replacement.
Commentary Note: Requirements for individual input fusing or installation of knife-switch terminals do not apply to direct-connected RTD or thermocouple inputs. Fuse application, location, and ampacity ratings must be properly sized and coordinated, taking into account the maximum expected load at the maximum ambient temperature of the ESD system.

8.4.3 I/O module types, quantities, and respective signal levels shall be as indicated on ISS sheets or the purchase order.
8.4.4 I/O modules shall be solidly constructed and shall be capable of being inserted into or removed from their chassis or mounting rail assemblies online, and shall not require movement of system cables or wiring, either external or internal. Field I/O wiring shall be connected to remote or extension termination panels via integral screw or compression type terminals.
8.4.5 The I/O section shall be designed such that all I/O modules are oriented vertically within the I/O chassis. I/O modules shall be capable of being arranged in any location within a chassis, irrespective of their voltage levels.
8.4.6 Proper chassis and component arrangement and spacing shall be used to minimize the potential for cabinet overheating. Cabinet heat generation/ventilation calculations shall assume that I/O housings have the maximum number of I/O modules inserted with all I/O modules carrying their maximum connected load (load specifications to be supplied by Saudi Aramco). The heat calculation shall only consider provision for installed spares and future expansion capability.
8.4.7 All discrete I/O modules or their associated termination modules shall include local status indicators to monitor the status of each input and output and any communication and I/O faults. Spare I/O points which are pre-configured within the ESD system shall be shorted or terminated according to the manufacturer's recommendations to avoid nuisance faults or diagnostic alarms.
8.4.8 All inputs and all outputs shall incorporate internal diagnostic features which permit them to be automatically tested on-line. Faults which are detected in I/O modules shall be capable of being logged and annunciated. Provision shall be made to detect, alarm, disable and back up I/O circuits that fail on (short circuit), thereby preventing a situation where the ESD system can fail in a dangerous manner, being unable to initiate a shutdown upon demand.
Commentary Note: It may be necessary to mask certain diagnostics for supervised output circuits which are used for both ESD and normal equipment start/stop functions, or that are opened as part of an output circuit test. For example, solid-state ESD outputs which are directly wired into motor controller stop/start circuits as run permissives, and which supervise the voltage/current in the control circuit, will require logic which masks these diagnostics to avoid functionality conflicts between ESD and normal stop/start logic. This is also true for solenoid valve circuits which are momentarily opened in order to verify proper failure mode response.

8.5

Remote I/Os and Communications Cables 8.5.1 ESD system remote I/O modules, if so specified on the ISS, shall be capable of being remotely located from their CPUs. Actual cable length/distance requirements will be specified in the ISS. Remote I/O modules shall have either two or three separate and independent communication links, communications interface modules, and drivers as required by the specific ESD system architecture.


8.5.2 Communications links/cables shall comply with Vendor recommended cabling using physically lockable, stress-relieving cable connectors. The ESD system Vendor shall confirm in writing that the selected communication cable(s) meet communications driver specifications. Communication cable electrical interfaces shall incorporate ground isolation circuitry to avoid ground loops between equipment referenced to different ground nodes.

8.5.3 Communications driver software/firmware shall continuously monitor and check the status of communication links and associated I/O. Status indication shall be provided on the faceplate of each associated module. Loss of any single link or communications driver shall be logged by the system and annunciated externally, but shall not disable either local or remote I/O processing functions.

8.6 Communication

8.6.1 ESD External Communications

External bi-directional communication of ESD input/output status to an external computer (DCS) shall be accomplished as follows:

a) Via a dedicated, electrically isolated communications interface, operating continuously, with physically and functionally redundant communications ports and paths.

Exception: Integration of the safety network, alarm & events, Control System and ESD System Engineering workstations is acceptable.

Commentary Note: Port and path redundancy is not required for application program configuration, testing or simulation via a workstation, or for a read-only type interface with external computers.

b) Communication interfaces shall be off-the-shelf, using existing, industry standard media and communications protocols such as OPC, Modbus or Ethernet as identified on the ISS.

c) Error checking schemes such as Cyclical Redundancy Checking (CRC), Longitudinal Redundancy Checking (LRC) or Check Sums, in conjunction with bit parity checks, fail-safe transmission time-out, message fault words, and loss of communication path alarms.

d) Write Protected, by either key-lock or password security techniques, or a combination of both, such that the ESD operating system, ESD application program and memory contents are protected from unauthorized alteration.

e) Source password or key lock protection, in conjunction with a separate confirmation acknowledge step, is required to accept bypass commands.
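As an added illustration of the error checking called for in 8.6.1 c) (not part of 34-SAMSS-623 and not any vendor's code), the following Python computes the CRC-16 used by Modbus RTU and the LRC used by Modbus ASCII, validates a received frame against its trailing CRC, and keeps a message fault word together with a loss-of-communication-path alarm driven by a fail-safe receive time-out. The frame bytes, the 2-second time-out and the fault-word bit assignments are constructed for the example; the CRC and LRC definitions are those of the public Modbus serial line specification.

```python
def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def lrc_modbus(data: bytes) -> int:
    """LRC as used by Modbus ASCII: two's complement of the byte sum, modulo 256."""
    return (-sum(data)) & 0xFF


def check_rtu_frame(frame: bytes) -> bool:
    """True if the frame's trailing CRC (low byte first, per Modbus RTU) matches its body."""
    if len(frame) < 4:
        return False
    body, crc_lo, crc_hi = frame[:-2], frame[-2], frame[-1]
    return crc16_modbus(body) == ((crc_hi << 8) | crc_lo)


class LinkMonitor:
    """Receive-side supervision of one communications path: a message fault word plus a
    loss-of-communication-path alarm raised when no valid frame arrives within the time-out.
    Bit assignments and the time-out value are constructed for this example."""
    FAULT_SHORT = 0x01    # frame too short to carry a CRC
    FAULT_CRC = 0x02      # CRC mismatch (latched until the fault word is read/reset)
    FAULT_TIMEOUT = 0x04  # no valid frame within the time-out (cleared by the next good frame)

    def __init__(self, timeout_s: float, now: float):
        self.timeout_s = timeout_s
        self.last_good = now
        self.fault_word = 0
        self.path_alarm = False

    def on_frame(self, frame: bytes, now: float) -> bool:
        """Validate one received frame; returns True if it may be passed to the application."""
        if len(frame) < 4:
            self.fault_word |= self.FAULT_SHORT
            return False
        if not check_rtu_frame(frame):
            self.fault_word |= self.FAULT_CRC
            return False
        self.last_good = now
        self.fault_word &= ~self.FAULT_TIMEOUT
        self.path_alarm = False
        return True

    def poll(self, now: float) -> bool:
        """Call periodically; returns True while the loss-of-path alarm is active."""
        if now - self.last_good > self.timeout_s:
            self.fault_word |= self.FAULT_TIMEOUT
            self.path_alarm = True
        return self.path_alarm


# Constructed frames: a Modbus RTU "read 10 holding registers from address 0" request to
# unit 1 with its correct CRC, and the same frame with one byte corrupted in transit.
GOOD_FRAME = bytes.fromhex("01 03 00 00 00 0A C5 CD")
CORRUPT_FRAME = bytes.fromhex("01 03 00 00 00 0B C5 CD")
```

The fault word is deliberately latched for CRC errors and self-clearing for the time-out bit, so that an intermittent path shows both a history (the latched bits) and a live state (the alarm); either can be mapped to the externally annunciated alarm required in 8.5.3.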

8.6.2 Communications Interface

8.6.2.1 The controller shall, as a minimum, support multiple EIA/RS-232, EIA/RS-422, EIA/RS-485, or ANSI/IEEE 802.3 ports for communicating with external devices such as a DCS, host computer, local area network gateway, program development station, or printer. Acceptable data communications protocols include Modbus/RTU, TCP/IP, and OPC (Object Linking and Embedding for Process Control). Specific porting requirements will be identified on the ISS.

Commentary Note: When OPC is used, it shall comply with the Data Access (DA) and Alarm & Event (A&E) specifications as a minimum.

8.6.2.2 All communications ports shall permit connection or disconnection of cabling without interrupting or jeopardizing ESD system operation.

8.6.2.3 Communications ports used for communicating (external) software input bypasses shall be configured to operate redundantly, i.e., if one port fails, there shall be a mechanism to detect this fault and automatically switch to an alternate port.

8.6.2.4 Communications ports shall be capable of supporting the following functions:

a) Downloading of programs and event log configuration via a password protected and/or key-locked protection mechanism;
b) Uploading real-time event log records;
c) Reading/writing program data and I/O registers;
d) Monitoring fault status;
e) Forcing inputs (where permitted);
f) Printer interface for "event logging" or internal program alarms;
g) Each Ethernet based port shall provide access control for individual IP addresses of clients, or other security methods.
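As an added illustration of the write protection in 8.6.1 d) and the per-client IP access control in 8.6.2.4 g) (not from the specification or from any vendor), the following Python shows a policy check that a communications port, or a gateway in front of it, could apply to each Modbus/TCP request: read function codes are accepted only from allow-listed hosts, and write function codes only from the designated engineering station while a key-switch/password write-enable is released. The addresses, the allow-list, the write-enable callable and the two request frames are constructed; the MBAP header layout and function code numbers are those of the public Modbus/TCP protocol.

```python
import ipaddress
from dataclasses import dataclass

# Public Modbus function codes: reads leave memory unchanged, writes alter coils/registers.
READ_FUNCTIONS = {1, 2, 3, 4}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PortAccessPolicy:
    """Per-port policy: IP allow-list for reads; writes only from the engineering station and
    only while the write-enable (key-switch or password release) is asserted."""

    def __init__(self, read_clients, engineering_station, write_enabled):
        self.read_clients = [ipaddress.ip_network(n, strict=False) for n in read_clients]
        self.engineering_station = ipaddress.ip_address(engineering_station)
        self.write_enabled = write_enabled  # zero-argument callable returning the key-switch state

    @staticmethod
    def function_code(frame: bytes):
        """Parse the MBAP header (transaction id, protocol id, length, unit id) and return the
        function code that follows it, or None if the frame is malformed."""
        if len(frame) < 8:
            return None
        if frame[2:4] != b"\x00\x00":          # protocol identifier is always 0 for Modbus
            return None
        length = int.from_bytes(frame[4:6], "big")
        if length < 2 or length != len(frame) - 6:   # length counts unit id + PDU
            return None
        return frame[7]

    def evaluate(self, client_ip: str, frame: bytes) -> Decision:
        ip = ipaddress.ip_address(client_ip)
        fc = self.function_code(frame)
        if fc is None:
            return Decision(False, f"malformed MBAP frame from {ip}")
        if fc in WRITE_FUNCTIONS:
            if ip != self.engineering_station:
                return Decision(False, f"write FC {fc} from {ip}: not the engineering station")
            if not self.write_enabled():
                return Decision(False, f"write FC {fc} from {ip}: write protection active")
            return Decision(True, f"write FC {fc} from engineering station, write enable released")
        if fc in READ_FUNCTIONS:
            if ip == self.engineering_station or any(ip in net for net in self.read_clients):
                return Decision(True, f"read FC {fc} from listed host {ip}")
            return Decision(False, f"read FC {fc} from unlisted host {ip}")
        return Decision(False, f"function code {fc} not permitted on this port")


# Constructed request frames (MBAP header + PDU), transaction ids 1 and 2, unit id 1:
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")   # FC 3: read 10 registers from 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0001 0003")   # FC 6: write value 3 to register 1
```

Every denied request returns a reason string so the port can log it to the event log required by 8.6.2.4 b); the decision is made before the PDU is handed to the application, so a malformed length field is rejected rather than parsed.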

8.6.3 ESD Peer to Peer Communications

8.6.3.1 ESD to ESD (Peer-to-Peer) Communication, if so specified on the ISS, shall be TUV certified for SIL 3 peer-to-peer communications.

NOTE: Manager, Process & Control Systems Department approval must be granted for the number and type of ESD signals communicated via the ESD peer-to-peer communication link.

8.6.3.2 System peer-to-peer communication paths and devices shall comply with the requirements of section 8.6.1.

8.6.3.3 Communication media (i.e., fiber optic cable) shall be physically and logically dedicated, shall not be used for non-ESD purposes, and shall not include bridges, routers or switches to other non-ESD networks unless approved as part of the TUV certification for SIL-3 safety communication.

8.6.3.4 Redundant communication cable or media outside buildings shall take alternate routes.

8.6.3.5 Time-out of signals between peers or loss of communication shall initiate a communications failure/discrepancy alarm to notify the operator that manual intervention, maintenance or remedial action is required, but shall not cause the slave or remote ESD systems to trip their respective facilities.

Exception: ESD systems installed in unmanned facilities shall trip their respective facilities upon the total loss of communication signals with the master peer.

8.6.3.6 The ESD systems shall be designed and configured in accordance with ESD vendor guidelines and specifications, to ensure proper system and application program design for interfaces between the various systems.

8.6.3.7 Signs shall be provided on all ESD cabinet doors with a warning that the system utilizes peer-to-peer communication with other ESD systems and that the central/master ESD system shall not be interrupted unless system maintenance is required to all systems. The sign shall clearly identify the location and name of the other peer-to-peer ESD nodes and devices.

8.7 Power Supplies

8.7.1 Distribution of branch circuits shall be designed such that the loss of a single incoming power feeder will not compromise the integrity of the ESD system nor cause it to fail. Failure of a single power feeder shall be alarmed to the operator.

8.7.2 Branch feeders distributing power from the 120 VAC ESD bus shall incorporate over-current protection for connected loads (rated at 125% of maximum possible connected loads). Tandem type (dual) circuit breakers contained in a single molded case breaker are not acceptable. A transient power interruption of one-half cycle shall not have an effect on the ESD equipment or system performance. The Vendor shall incorporate all necessary filters, surge suppressors, or similar circuitry required to protect ESD equipment from voltage spikes and/or surges as defined in Section 13.

8.7.3 ESD Chassis Power Supplies

Fully redundant or N+1 chassis power supplies shall be used to supply power to internal ESD system modules. The power supply system must be separate, connected via robust cabling or an internal bus structure. The power supply system shall be sized to provide 100% of the ampacity requirements while one power supply unit is removed (at rated voltage, connected load, and maximum ambient temperature) for the specified configuration of I/O cards, CPUs, etc., including provision for expansion capability (see paragraph 8.8). Calculations shall be based on all modules and outputs energized and carrying their maximum connected load.

8.7.4 Field I/O Power Supplies

8.7.4.1 Field I/O power supplies shall be separate from and totally independent of ESD system chassis power supplies.

8.7.4.2 Switch mode or linear (non-switching) types shall be used to power the I/O portion of the ESD system. Branch circuits shall be protected from unnecessary shorts or grounds by proper fuse coordination and by physically shielding or protecting distribution buses.

8.7.4.3 The field power supply system shall be fully redundant or N+1 and sized to continuously supply 125% of its connected load while one power supply unit is removed (at rated voltage, ampacity, and maximum ambient temperature). It shall be possible to configure power supplies in either a master-slave or load sharing arrangement. Power supply loads shall be calculated with all points energized and all outputs carrying their maximum connected load. The load calculation shall include provision for installed spares and future expansion capability.

8.7.5 Power Supply Protection - General

Each power supply shall be protected by a properly sized circuit breaker or fuse. Output protection shall be provided via a combination of strategies (i.e., diode auctioneering/isolation, where diodes are rated at not less than 300% of the maximum power supply current delivery, and over-voltage/over-current protection).

8.7.6 ESD Chassis Power Supply Diagnostics

8.7.6.1 ESD system diagnostics shall detect events which may compromise internal (ESD chassis) power supply health or integrity, e.g., overvoltage, overcurrent, or high temperature conditions detected within the power supply or at the DC output(s) of the power supply.

8.7.6.2 Power supply (health/fault) status shall be indicated on its faceplate and be externally communicated via alarm contacts (or software logic) to an alarm display and event log.

8.7.7 ESD Reaction to Cycling of ESD System Power

8.7.7.1 The ESD system shall be designed such that output modules de-energize when primary UPS power is cycled to the ESD system (i.e., applied, removed, or restored to the CPU or I/O modules).

8.7.7.2 Individual output channels shall not be re-energized until the power to inputs and the logic is established, CPU and module diagnostic/startup routines have been re-initialized, and all application logic permissives have been reset, compared and re-voted.

8.7.7.3 Input bypasses which have been enabled as a result of an external data command (i.e., soft-commands) shall be automatically reset to a non-enabled state in the event that power to an ESD system is cycled.

8.8 ESD System Spare Capacity and Future Expansion Capability

8.8.1 ESD System Spare I/O Capacity

The Vendor shall provide a minimum of 5% spare I/O points of each type specified (including associated termination modules) to allow for future system expansion. Spare rack, chassis, terminal strip, and panel space shall be provided for these spare I/O points. Spare I/O points shall be physically wired into the ESD system (e.g., between a termination panel/strip and an I/O module), shunted or terminated as necessary to avoid nuisance input diagnostics, and given pre-configured spare tags/definitions within the ESD operating system software.
Commentary Note: A minimum of one spare module for each different type of cards used shall be provided and installed in the operating system.

8.8.2 ESD System Expansion Capability

The total expansion capability for ESD systems involving new plant facilities (excluding existing ESD replacements or upgrades) shall be 10%. This includes spare rack, chassis, terminal strip, and panel space for the installed 5% spare I/O points specified in 8.8.1 plus an additional 5% unused I/O point expansion capability (total spare rack and cabinet space permits a composite expansion capability of 10% of I/O points).

8.9 Component Selection Criteria

8.9.1 Electronic components shall be high quality, industrial grade and rated for the environmental conditions specified.

8.9.2 Printed circuit board (PCB) and module/card construction shall be rigid and robust. Each PCB/module shall be identified by type/revision number and serial number.

8.9.3 Edge connectors on ESD modules or PCBs shall be gold plated. All modules or PCBs shall incorporate a keying system to prevent improper board or module placement or orientation.

8.9.4 Front panel LEDs or visual indicators that permit module health, communications or I/O channels to be monitored must be identified and mechanically protected.


9 ESD Panel Construction

9.1 Indoor Installations

34-SAMSS-820 Instrumentation Control Cabinets Indoor shall be used for the design of ESD cabinets located indoors except where superseded by this specification.

9.2 Outdoor Installations

9.2.1 34-SAMSS-821 Instrumentation Control Cabinets Outdoor shall be used for the design of ESD cabinets located outdoors except where superseded by this specification.

9.2.2 The cabinets shall be 316L stainless steel, minimum 12 GA. (for corrosion resistance), and weather tight (NEMA 4X or IP 66).

9.2.3 All hardware including hinges, latches, fittings, mounting hardware, etc., shall be 316L stainless steel for the cabinet. There shall be no penetrations on the top of the cabinet.

9.3 Additional Requirements for ESD Cabinets

9.3.1 ESD cabinets shall be rigid and self-supporting. Cabinets shall be braced for shock and vibration normally encountered during transport and construction.

Commentary Note: System modules may be shipped separately from system cabinets to avoid weight impact on system chassis.

9.3.2 All doors shall be provided with integral lockable door handles with the same lock and key combination, unless otherwise specified on the ISS. Each door panel shall be electrically bonded to the main cabinet by a braided ground strap (wire size #8 AWG or equivalent).

9.3.3 Cabinet Ventilation

9.3.3.1 ESD cabinets shall be designed to be convection ventilated. However, fans may be used within indoor cabinets and ESD power supplies to assist in heat removal and lower ambient cabinet temperatures provided that:

a) No credit is given to their operational status in reducing internal cabinet temperatures so as to meet the continuous ambient-operational requirements of paragraph 5.5.
b) The net reduction in ventilation area is factored into ventilation inlet area and filter mesh calculations.

9.3.3.2 Calculation programs or procedures shall be used to properly size cabinets, ventilation requirements, inlet/outlet areas and filter screen sizing. These calculations must be available for Buyer's review. Careful attention should be given to module population density, component spacing and cabinet arrangement to ensure that hot spots or thermal gradients do not occur within the cabinet.
Commentary Note: It is recommended to install baffles between system chassis to divert hot air away from electronic equipment.

9.3.3.3 Where fans are required for heat dissipation, each cabinet shall be equipped with two continuously running fans. Each cabinet with fans shall be fitted with replaceable or washable filter screens inserted behind slotted louver inlets for cabinet air supply.

9.3.4 Assembly and Mounting

ESD system modules or components shall be mounted such that they can be quickly replaced in the event of their failure. Module or component mounts, bracing and/or supports shall be designed so that they damp out the effects of external vibration. ESD modules that plug into a backplane, motherboard or rail must utilize a restraining bar or anchoring device to prevent accidental removal or release due to shock or vibration. Components that are not mounted on printed circuit boards or installed individually within modules, motherboards or chassis must be securely fastened to a cabinet support member, rail, or bus assembly.

9.3.5 Power/Signal/Communications Wiring, Routing and Terminations

9.3.5.1 Communications cabling between processors and transceivers/communications drivers shall utilize the Vendor's standard cable and pre-assembled terminators. The Vendor's maximum specified communications cable lengths shall not be exceeded. All cabling shall be provided with sufficient slack to allow for the maximum allowable bend radius into a cable termination plug or connector. Individual communications cables for each of the redundant (A, B) or triplicated (A, B, and C) communications paths must be of the same nominal length and identical cable specification to prevent communication timing and synchronization problems. Cable connectors shall have strain relief cable boots and be lockable to prevent inadvertent separation or disconnection.

9.3.5.2 Discrete inputs and outputs to field devices (which are not line-monitored, in a current loop arrangement) shall be wired so that they switch the hot side of the line. Isolated commons shall be used when passing signals between devices which utilize different grounding systems.

9.3.6 Each cabinet which contains system components, such as controllers, I/O and communications modules, or which houses power supply modules shall contain a temperature sensing device. This device shall be interfaced to the DCS to provide temperature indication and high temperature alarming to the operators.

10 ESD System Safety Availability (PFDavg)

10.1 The PFDavg for the composite ESD system (all modules and subsystems considered) shall be a maximum of 0.0001 (10^-4).

10.2 The Vendor's ESD system proposal shall include detailed calculations for the PFDavg of the system that they are proposing and the mean time to a safe (spurious) and dangerous failure. Markov models (or an equivalent PFDavg calculation methodology) shall be used to calculate the PFDavg for the system. All assumptions must be clearly stated.

10.3 Markov modeling (or equivalent) shall split all ESD component failures into dangerous and safe failures. A dangerous failure is one that puts the ESD system in a fail-to-function state, unavailable to shut down the process if a demand is placed on it. A safe failure is one that causes the ESD system to prematurely shut down the process when no hazard exists (e.g., a false or spurious trip).

10.4 The Vendor's ESD system proposal shall include detailed calculations for the maximum allowable spurious failure rate for the composite ESD system (all modules and subsystems considered). The Vendor's Markov model (or equivalent) must include diagnostic coverage factors for all Vendor supplied ESD system components and show on-line repair rates when redundancy allows repair on-line. On-line field repair times of eight (8) hours are to be used in calculations. Failures which are undetected on-line will be subject to a system proof test interval of 10 years (e.g., off-line functional testing of field I/O devices).
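As an added worked example for Section 10 (not from the specification and not from any vendor's proposal), the following Python integrates a small continuous-time Markov model of dangerous failures for a 1oo1 and a 1oo2 channel arrangement and reports the time-averaged PFD over the 10-year proof test interval and with the 8-hour on-line repair time stated in 10.4. The dangerous failure rate, the diagnostic coverage and the common-cause factors are assumed values chosen for the illustration; the model counts only dangerous failures (the safe/spurious failures of 10.3 would need their own states), and it treats detected failures as repaired on-line and undetected failures as found only at the proof test, which is the split 10.4 requires.

```python
HOURS_PER_YEAR = 8760.0
PFD_AVG_TARGET = 1.0e-4                        # 10.1: composite PFDavg shall not exceed 10^-4
PROOF_TEST_INTERVAL_H = 10 * HOURS_PER_YEAR    # 10.4: undetected failures found at the 10-year proof test
ONLINE_REPAIR_H = 8.0                          # 10.4: on-line field repair time


def simulate_pfd_avg(states, transitions, failed, t_end, dt=2.0):
    """Forward-Euler integration of the Markov chain starting in states[0] (all healthy).
    transitions: list of (from_state, to_state, rate_per_hour); failed: states in which the
    ESD cannot respond to a demand. Returns the time average of P(failed) over [0, t_end]."""
    idx = {s: i for i, s in enumerate(states)}
    p = [0.0] * len(states)
    p[0] = 1.0
    steps = int(round(t_end / dt))
    acc = 0.0
    for _ in range(steps):
        acc += sum(p[idx[s]] for s in failed) * dt
        dp = [0.0] * len(states)
        for src, dst, rate in transitions:
            flow = p[idx[src]] * rate * dt
            dp[idx[src]] -= flow
            dp[idx[dst]] += flow
        p = [a + b for a, b in zip(p, dp)]
    return acc / t_end


def model_1oo1(lam_d, dc, mttr):
    """Single channel. DD = dangerous detected (repaired on-line at rate 1/mttr);
    DU = dangerous undetected (stays failed until the proof test ends the interval)."""
    lam_dd, lam_du = lam_d * dc, lam_d * (1.0 - dc)
    states = ["OK", "DD", "DU"]
    transitions = [("OK", "DD", lam_dd), ("OK", "DU", lam_du), ("DD", "OK", 1.0 / mttr)]
    return states, transitions, {"DD", "DU"}


def model_1oo2(lam_d, dc, mttr, beta, beta_d):
    """Two channels, either healthy channel can trip. beta / beta_d are the common-cause
    fractions of undetected / detected dangerous failures (assumed values)."""
    lam_dd, l_du = lam_d * dc, lam_d * (1.0 - dc)
    mu = 1.0 / mttr
    states = ["OK_OK", "DD_OK", "DU_OK", "DD_DD", "DD_DU", "DU_DU"]
    transitions = [
        ("OK_OK", "DD_OK", 2 * (1 - beta_d) * lam_dd),   # one channel fails detected
        ("OK_OK", "DU_OK", 2 * (1 - beta) * l_du),       # one channel fails undetected
        ("OK_OK", "DD_DD", beta_d * lam_dd),             # common-cause detected failure
        ("OK_OK", "DU_DU", beta * l_du),                 # common-cause undetected failure
        ("DD_OK", "OK_OK", mu),                          # on-line repair of the detected channel
        ("DD_OK", "DD_DD", lam_dd),
        ("DD_OK", "DD_DU", l_du),
        ("DU_OK", "DD_DU", lam_dd),
        ("DU_OK", "DU_DU", l_du),                        # second undetected failure: latent until proof test
        ("DD_DD", "DD_OK", 2 * mu),
        ("DD_DU", "DU_OK", mu),
    ]
    return states, transitions, {"DD_DD", "DD_DU", "DU_DU"}


def pfd_avg(model, **params):
    states, transitions, failed = model(**params)
    return simulate_pfd_avg(states, transitions, failed, PROOF_TEST_INTERVAL_H)


def compare(lam_d=1.0e-6, dc=0.90, beta=0.02, beta_d=0.01):
    """Assumed illustration values: 1e-6/h dangerous failure rate per channel, 90% diagnostic
    coverage, 2% / 1% common-cause factors. Returns PFDavg for both arrangements."""
    p1 = pfd_avg(model_1oo1, lam_d=lam_d, dc=dc, mttr=ONLINE_REPAIR_H)
    p2 = pfd_avg(model_1oo2, lam_d=lam_d, dc=dc, mttr=ONLINE_REPAIR_H, beta=beta, beta_d=beta_d)
    return {"1oo1": p1, "1oo2": p2,
            "1oo1_meets_10.1": p1 <= PFD_AVG_TARGET, "1oo2_meets_10.1": p2 <= PFD_AVG_TARGET}
```

With these assumed rates the single channel is dominated by the undetected term (roughly lambda_DU multiplied by half the proof test interval) and misses the 10^-4 target by more than an order of magnitude, while the redundant arrangement is dominated by the common-cause term, which is why 10.4 asks for diagnostic coverage and repair rates to be stated explicitly: both numbers move the result far more than the raw failure rate does.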


11 Fault-Tolerant Considerations

The Vendor's ESD system shall be designed to tolerate faults, not eliminate them. ESD hardware and system configuration shall be designed to minimize common mode or common cause failure mechanisms. The ESD system must have the ability to recognize and detect either a safe or dangerous fault. It must be able to locate the source of that fault, contain and isolate the fault to a specific module or modules of the system, and be able to recover, or maintain operational status, in the presence of a fault. Both transient and permanent module or system faults shall be capable of being stored in and retrieved from non-volatile processor memory.

12 Reliability

ESD system components shall meet or exceed the MTBF data specified in the table below at the equipment's design temperature over the life of the system. MTBF figures shall be predicted using data and calculation methods provided by the Bellcore Reliability Prediction Procedure.

Module                         MTBF
Process Controller module      15 Years
Input/Output Modules           25 Years
Communication Module           25 Years
System Power Supply module     50 Years
Field Power Supply             50 Years

Commentary Note: The above MTBF figures are assumed for each individual module or leg in its simplex form. The Vendor must calculate the overall MTBF for each module with the required redundancy (dual or triplicated) to meet the SIL 3 fault tolerant system requirement and provide it as part of the system proposal.

13 Noise and Fault Protection

I/O Protection

13.1 All discrete I/O circuits shall be isolated from logic or processor circuitry via optical coupling or other equivalent means. Steady-state voltage isolation shall be a minimum of 1000 Volts RMS, or 1500 VDC common-mode.

13.2 All discrete I/O circuits shall be designed such that accidental normal-mode connection of 1000 VAC/DC to its external terminals for one second shall not cause any other system damage other than to the discrete circuit to which it is applied.

13.3 Analog input circuits shall be designed with integral over-range protection such that accidental connection of a nominal 120 VAC or 125 VDC for one second will not functionally disable or degrade the long-term performance of the input point or module.

13.4 Output circuits and final elements shall be provided with protection against reverse EMF and voltage transients caused by the switching of inductive DC loads (i.e., R-C circuits, solenoid valve coils), and protection against current overloads.

Commentary Note: A suggested protection/suppression technique is to install a 1N4007 diode across an inductive DC load.

14 Programming and Configuration

Program development software tools shall be provided by the Vendor, enabling the user to develop, edit and debug application programs. Software shall be IEC 61131-3 based, incorporating on-screen tutorials and help functions to assist the user. Software shall be compatible with a current Windows operating system supported by Microsoft Corp. The program development workstation shall be capable of monitoring the status of application programs in real time. The ESD system shall be capable of separating application logic into multiple programs. A minimum of 2 programs shall be capable of being executed simultaneously within the ESD system.

14.1 Program Development Workstation

Minimum PC/Workstation requirements are specified within the requisition or ISS.

14.2 On-Line and Off-Line Programming Capability and Support

The program development software shall be capable of supporting both on-line and off-line programming. On-line programming, or making on-line application program changes while an ESD system is operating (e.g., configuring new I/O points, tags and addresses, revising or adding logic and changing dynamic element parameters), shall be possible without having to reset or re-initialize application programs currently running within the CPU. Off-line program emulation shall be provided unless specified otherwise. Program editing functions shall incorporate automatic time-dated and revision-level file saving routines which store all file revisions.


14.3 Program Utilities

The following programming utilities or their equivalent functions shall be provided by the Vendor:

a) Function Block Logic Elements and Sequential Function Charts/Tables
b) First-out Event Discrimination (first ESD event out of a group of events)
c) Event Log Configuration
d) System diagnostics
e) Program documentation and cross-reference
f) On-line application program changes
g) Input and output forcing
h) Hardware configuration
i) Comprehensive program revision and control that allows source code comparisons between different revision levels of ESD application programs
j) Configurable multi-level password control to allow definition of user access rights
k) Help utilities that describe the proper sequence for defining new points, building or revising logic, verifying logic, debugging logic, simulating application program logic, and downloading new logic

14.4 Program Development Elements and Function Block Libraries

The Vendor shall provide standard development program elements and function block libraries that are capable of performing the required program logic.

14.5 Application Program and Software Development and Testing

14.5.1 If specified in the purchase order or ISS, the Vendor shall be required to develop an application program(s) which performs the logic sequence and functionality as indicated on the referenced logic diagrams.

14.5.2 The application program shall be designed in such a manner as to promote user friendliness (for operations & maintenance personnel). This means that detailed comments and descriptions shall be included throughout all function block networks (or relational elements) which identify elements by tag numbers, and communicate network description and intended functionality.

14.5.3 Function block logic networks shall be arranged in such a manner as to group all logic dealing with a specific piece of equipment, function, or task. Logic for individual pumps, turbines, compressors, or process interlocks must be differentiated by separate networks or function blocks. Identical logic structures and elements (except for tag names and addresses) should be used for the ESD logic of equipment operating in parallel trains, or which is controlled in a similar manner.

14.5.4 When assigning input and output addresses for field devices pertaining to a group of equipment or trains (e.g., a group of pumps, turbines, compressors, etc.) or redundant signals, it is recommended to assign these signals to different I/O modules, so that a potential failure of one module or card will not adversely affect more than one piece of equipment of the group or shut down multiple process trains.

14.5.5 Software configured I/O bypass switches shall use a secure data transmission mechanism to implement bypass initiation or bypass reset action. The data transmission may be either retentive or non-retentive provided that confirmation feedback of bypass logic initiation and status is also implemented.

14.5.6 ESD input alarms shall be combined into first-out groups, per equipment within each ESD system, to distinguish between initial and subsequent alarms.
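As an added example covering the bypass command handling required by 8.6.1 e), 14.5.5 and 8.7.7.3 (not from the specification and not from any vendor's product), the following Python accepts a bypass request only when it carries a valid authenticator, holds it pending until a separate confirmation acknowledge arrives within a time window, reports the state the ESD actually holds as confirmation feedback, and clears every soft bypass on a power cycle. The HMAC-SHA256 authenticator, the shared key, the 30-second window, the action names and the tag names are constructed assumptions standing in for the vendor's password or key-lock mechanism.

```python
import hashlib
import hmac
import secrets


class SoftBypassManager:
    """Two-step (request, then separate acknowledge) handling of software I/O bypasses.
    Bypass state is held only in memory, so it is non-retentive across a power cycle."""
    CONFIRM_WINDOW_S = 30.0   # constructed: acknowledge must follow the request within 30 s

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = {}      # tag -> (action, one-time token, time issued)
        self._active = set()    # tags whose input bypass is currently enabled
        self.event_log = []     # (time, tag, action, result) for the event log

    def _authenticator(self, tag: str, action: str) -> bytes:
        return hmac.new(self._key, f"{tag}:{action}".encode(), hashlib.sha256).digest()

    def request(self, tag: str, action: str, authenticator: bytes, now: float):
        """Step 1: an authenticated ENABLE or RESET request. Nothing changes yet; the caller
        receives a one-time token that must be presented in the acknowledge step."""
        if action not in ("ENABLE", "RESET"):
            self.event_log.append((now, tag, action, "REJECTED: unknown action"))
            return None
        if not hmac.compare_digest(self._authenticator(tag, action), authenticator):
            self.event_log.append((now, tag, action, "REJECTED: authentication failed"))
            return None
        token = secrets.token_hex(8)
        self._pending[tag] = (action, token, now)
        self.event_log.append((now, tag, action, "PENDING: confirmation required"))
        return token

    def confirm(self, tag: str, token: str, now: float) -> bool:
        """Step 2: the separate acknowledge. Any outcome clears the pending request, so a
        wrong or late acknowledge forces the operator to start the sequence again."""
        entry = self._pending.pop(tag, None)
        if entry is None:
            self.event_log.append((now, tag, "-", "REJECTED: nothing pending"))
            return False
        action, expected, issued = entry
        if not hmac.compare_digest(expected, token) or now - issued > self.CONFIRM_WINDOW_S:
            self.event_log.append((now, tag, action, "REJECTED: stale or mismatched confirmation"))
            return False
        if action == "ENABLE":
            self._active.add(tag)
        else:
            self._active.discard(tag)
        self.event_log.append((now, tag, action, "APPLIED"))
        return True

    def status(self, tag: str) -> str:
        """Confirmation feedback: the state the ESD holds, not the state that was requested."""
        if tag in self._active:
            return "BYPASSED"
        if tag in self._pending:
            return "PENDING"
        return "NORMAL"

    def power_cycle(self, now: float):
        """8.7.7.3 behaviour: soft bypasses return to the non-enabled state after a power cycle."""
        cleared = sorted(self._active)
        self._active.clear()
        self._pending.clear()
        self.event_log.append((now, "*", "POWER_CYCLE", f"soft bypasses reset: {cleared}"))
        return cleared


def sign_request(shared_key: bytes, tag: str, action: str) -> bytes:
    """Client side (e.g. the DCS bypass display): produce the authenticator the ESD expects."""
    return hmac.new(shared_key, f"{tag}:{action}".encode(), hashlib.sha256).digest()
```

The feedback in status() is what the DCS display should show; a request that was sent but never acknowledged, or acknowledged too late, reads NORMAL, which is the discrepancy an operator needs to see rather than an optimistic echo of the command.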
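As an added example of the first-out grouping in 14.5.6 and the first-out utility of 14.3 b) (not from the specification or from any vendor), the following Python classifies constructed sequence-of-events records per equipment group: the earliest trip in a group is latched as the first-out, later trips in that group are reported as subsequent, and the latch is released only by an operator reset taken with every input in the group back to normal. Tag names, group names, timestamps and the record layout are constructed.

```python
from collections import defaultdict

# Constructed sequence-of-events records: (timestamp_ms, tag, equipment_group, state).
# Deliberately listed out of order to show that classification must follow the timestamps.
SOE_RECORDS = [
    (1000, "PSLL-201", "P-201", "TRIP"),
    (1015, "PSLL-301", "P-301", "TRIP"),
    (1012, "TSHH-202", "P-201", "TRIP"),
    (1040, "LSHH-203", "P-201", "TRIP"),
    (2500, "PSLL-201", "P-201", "NORMAL"),
    (3000, "PSLL-201", "P-201", "TRIP"),
]


class FirstOutDiscriminator:
    """Per-equipment first-out discrimination over a stream of input alarm events."""

    def __init__(self):
        self.first_out = {}                # group -> tag latched as the first-out
        self.tripped = defaultdict(set)    # group -> tags currently in the TRIP state

    def process(self, ts, tag, group, state):
        """Classify one event and return its annunciation class."""
        if state == "TRIP":
            self.tripped[group].add(tag)
            if group not in self.first_out:
                self.first_out[group] = tag      # latch: stays even if this input returns to normal
                return "FIRST-OUT"
            return "SUBSEQUENT"
        self.tripped[group].discard(tag)
        return "RETURN-TO-NORMAL"

    def reset(self, group):
        """Operator reset of the first-out latch; refused while any input in the group is tripped,
        so the initiating cause stays visible until the group is actually healthy."""
        if self.tripped[group]:
            return False
        self.first_out.pop(group, None)
        return True

    def classify(self, records):
        """Process records in timestamp order and return (ts, tag, group, class) for each."""
        return [(ts, tag, group, self.process(ts, tag, group, state))
                for ts, tag, group, state in sorted(records)]
```

Sorting by timestamp before classifying matters because SOE records from remote I/O can arrive out of order; the first-out decision must be made on the event time stamped at the input, not on arrival order.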

15 On-Line Diagnostics

15.1 Processor/CPU modules shall run diagnostics in conjunction with the execution of application programs in such a manner as to avoid interfering with the basic cycle time of any application. Should a fault occur, the controller shall provide local indication of the fault on the controller module and remote annunciation on the Operator Workstation.

15.2 Module or board failures shall be displayed by means of a Fault indicator on the failed module or controller. Preconfigured diagnostic displays shall also be available via programming tool set displays or via memory mapped interfaces to external DCS computers and Operator Workstations. Diagnostic messages, displays and/or alarms shall be capable of identifying any system fault to a particular cabinet, rack, module, channel and slice.

15.3 ESD Module Failure Indication and Action

15.3.1 Failures or faults within I/O circuits or system modules shall be automatically detected by routine diagnostics. System faults or failures shall initiate a system status alarm and be captured in non-volatile internal memory. Faults or failures which prevent individual system components or modules from functioning normally shall initiate an automatic switch-over to a redundant module or cause the particular circuit or module to be removed from service.

15.3.2 On-line removal/replacement of any ESD system module (assuming the system is not running in a degraded mode) shall be possible without having to reconfigure system software, alter system wiring or cabling, de-energize system or module power, re-initialize the ESD system or compromise any ESD safety function.

16 Documentation

Required Vendor's Documentation - Prior to commencement of a factory acceptance test (FAT), the Vendor shall provide the following Non-Material Requirements (NMRs) to designated Company representatives, in electronic format:

a) A listing of the ESD system configuration identifying each module type, location, and tag name;
b) Annotated application program files in function block logic format including all pertinent embedded comments describing logic functionality in accordance with the project Logic Diagrams. Descriptors for logic elements/blocks shall include completed I/O addresses and tag numbers, set points, logic element parameter identification, and logic execution sequence so as to facilitate ESD system troubleshooting;
c) An index of the system's database including tag name(s), descriptors, and alias addresses;
d) I/O and internal element, and alias variable cross reference;
e) A narrative describing the operation and sequence of the logic system (embedded ladder or function block comments are acceptable providing they are comprehensive);
f) Vendor standard documentation for fault finding/troubleshooting guide for the ESD cabinet and all components;
g) Vendor standard Installation and Maintenance/Troubleshooting Manuals containing: module circuit schematics/diagrams (where repair and fault-finding can realistically be performed), parts lists, assembly and interconnecting wiring diagrams, field device/input-output termination/wire number/I/O module indexes, cabinet construction details, assembly and interconnecting wiring diagrams, and cabinet arrangement drawings showing front and rear views of the enclosure with a hidden view of installed equipment;
h) Vendor standard Operations/Programming Manual, describing operating modes, program editing elements, parameters, guidelines and instructions;
i) Vendor Safety Consideration Guidelines and standard Product Guide;
j) Vendor's calculation of overall ESD system safety availability (1 - PFDavg) and spurious failure rates, including the MTBF for all system components;
k) Vendor's calculation of each system cabinet heat rise and ventilation requirements;
l) TUV Certificate and Report.

Quality Control 17.1 Quality Control Procedures 17.1.1 17.1.2 A total Quality Assurance (QA) program covering the span from ESD system design conception through user satisfaction shall be active. Vendor's QA program shall conform to the guidelines of ISO 9001, quality systems - Model for quality assurance in design/development, production, installation, and servicing. Sampling techniques shall be applied where practical, but never used for final acceptance and burn-in of system components. Where statistical inspections are applied, the plan shall conform to the guidelines of ISO 9001.

17.1.3

17.2

Qualification Testing The Vendor's manufactured ESD equipment comprised of modules, operating system software and firmware shall be certified to meet SIL 3 requirements of International Electro-technical Commission (IEC) IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems by Factory Mutual or TUV Product Services, Rheinland, SD or NORD, Vendor's manufactured equipment shall be capable of meeting the following parameters as documented by third party certification agency such as TUV, UL, FM, CSA or IEC 61131-2: a) b) Vibration - Per axis sinusoidal (Sinusoidal Sweep) 8.4 to 150 Hz 1.0 G Shock Non-Operating: 15 G for 11 msec Operating: 6 G for 11 msec c) Temperature Operating: 0 to 50C (temperature external to ESD cabinet)
d) Thermal Stress: 70°C (represents storage temperature)

e) Humidity: 5 - 95% relative, non-condensing

f) Electromagnetic Compatibility: per Section 5.7 of this specification

g) Hipot & Ground Continuity: per CSA C22.2 No. 0 (or equal)

h) Burn-In Testing: The Vendor's production testing of all ESD system active component parts, inclusive of all component modules, shall include a dynamic burn-in test period of a minimum of 40 hours. This testing shall be conducted in a controlled environment where the temperature is varied from 0 to 60°C, and where 60°C is held for at least 24 hours.

18 ESD System Inspection and Testing

A Conditions Diagram, Logic Function Chart/Table, logic diagrams or ESD system functional narrative, along with inspection and testing form 175-344400, attached to the Purchase Order, shall be used as the basis for a Factory Acceptance Test of all Vendor-supplied ESD equipment.

18.1 Factory Acceptance Test (FAT)

18.1.1 During the FAT the complete ESD system, including all composite modules, interconnecting wiring, and associated circuitry, shall be subject to both hardware and software functional tests. These tests shall demonstrate the functionality of each individual component module within the integrated ESD system, including individual I/O point tests.

18.1.2 Cabinet heat generation shall be tested on the most heavily loaded ESD system cabinet during the FAT, with all configured and installed spares energized. ESD system cabinets that have the same arrangement as an ESD cabinet that has already passed a heat generation test do not require to be tested again.

18.1.3 Wire tagging and terminations shall be checked and tug tested. (A tug test involves physically stressing a wire termination to determine whether it has been crimped and/or terminated properly. The intent is not to break wiring or stress insulation but to test the integrity of the termination.)

18.1.4 All ESD system software logic/application programs shall be checked against logic drawings and dynamically tested and verified for proper ESD sequence and functionality:
a) The dynamic test will involve physically simulating all inputs and outputs in their proper operational sequence, and verifying that the specified ESD application program logic is executed properly.

b) The ability to make and save on-line application program changes and to configure new I/O points, without having to reinitialize the operating system, shall also be tested at this time.

c) Fail-safe output states will be tested in response to simulated input/output module and CPU failures and loss of ESD module power.

d) All diagnostic routines shall be tested by simulating CPU, I/O module/individual point failures, power supply failures, communications interface failures, and card-replacement-induced failures.

e) Fault histories/summaries shall be logged and annunciated both on an external printer and on the Operator's Workstation.

18.2 Integrated Factory Acceptance Test (IFAT)

When the ESD system(s) is part of an integrated Process Automation System, such as a DCS, SCADA or RTU, an IFAT shall:

a) Functionally test a minimum of one of each type of communication interface using the actual system and equipment.

b) Functionally test each I/O point interfaced between the ESD and DCS. This test may use an I/O software simulator when the ESD I/Os are not available at the IFAT location.

c) Test all shutdown, reset, bypass and alarm signals.

18.3 All discrepancies noted in the FAT and/or IFAT shall be resolved to the satisfaction of the Buyer. Results of the FAT and/or IFAT shall be documented in a written report, supported by the FAT and/or IFAT procedures used.
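The dynamic FAT steps in 18.1.4 (simulate every input in sequence, check the application logic against the logic diagram, confirm fail-safe output states under simulated module, CPU and power failures, and confirm that faults are logged) can be expressed as an automated test harness against a model of the logic solver. The following is an added illustration, not the specification's own procedure or any vendor's test software: the two-input trip logic, the tag names PSH-101, LSL-101, XV-101 and P-101, and the set of injected fault types are all constructed assumptions chosen to show the method.

```python
"""Added example: FAT-style dynamic test of a constructed ESD logic model.

The solver is a de-energize-to-trip model: an output is True only while it is
energized, so the safe state (False) is reached both by a genuine trip and by
any detected failure of the solver itself. Tags, logic and fault types are
hypothetical and exist only to exercise the test steps."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Fault(Enum):
    NONE = "none"
    INPUT_MODULE = "input module failure"
    OUTPUT_MODULE = "output module failure"
    CPU = "CPU failure"
    POWER = "loss of ESD module power"


@dataclass
class EsdLogicSolver:
    inputs: Dict[str, bool] = field(default_factory=dict)
    fault: Fault = Fault.NONE
    fault_history: List[str] = field(default_factory=list)  # 18.1.4 e)

    def set_input(self, tag: str, value: bool) -> None:
        self.inputs[tag] = value

    def inject_fault(self, fault: Fault) -> None:
        # A simulated failure is both applied and recorded, as a real solver
        # would annunciate it to the printer and operator workstation.
        self.fault = fault
        self.fault_history.append(fault.value)

    def clear_fault(self) -> None:
        self.fault = Fault.NONE

    def outputs(self) -> Dict[str, bool]:
        # Assumed application logic (hypothetical logic diagram): close the
        # ESD valve (XV-101 de-energized) on high pressure or low level; stop
        # the pump (P-101 de-energized) on low level only. Any solver fault
        # de-energizes everything regardless of the process inputs.
        if self.fault is not Fault.NONE:
            return {"XV-101": False, "P-101": False}
        high_pressure = self.inputs.get("PSH-101", False)
        low_level = self.inputs.get("LSL-101", False)
        return {"XV-101": not (high_pressure or low_level),
                "P-101": not low_level}


def run_dynamic_fat(solver: EsdLogicSolver) -> bool:
    """18.1.4 a): drive every input combination in sequence and compare the
    outputs with the expected states taken from the (assumed) logic diagram."""
    expected = {
        (False, False): {"XV-101": True, "P-101": True},
        (True, False): {"XV-101": False, "P-101": True},
        (False, True): {"XV-101": False, "P-101": False},
        (True, True): {"XV-101": False, "P-101": False},
    }
    passed = True
    for (psh, lsl), want in expected.items():
        solver.set_input("PSH-101", psh)
        solver.set_input("LSL-101", lsl)
        passed = passed and solver.outputs() == want
    return passed


def run_failsafe_fat(solver: EsdLogicSolver) -> bool:
    """18.1.4 c) and d): with the process healthy, inject each simulated
    failure and confirm every output drops to its fail-safe state and the
    failure appears in the fault history (e)); then confirm recovery."""
    solver.set_input("PSH-101", False)
    solver.set_input("LSL-101", False)
    passed = True
    for fault in (Fault.INPUT_MODULE, Fault.OUTPUT_MODULE, Fault.CPU, Fault.POWER):
        solver.inject_fault(fault)
        passed = passed and not any(solver.outputs().values())
        passed = passed and solver.fault_history[-1] == fault.value
        solver.clear_fault()
    # Once the fault is cleared and inputs are healthy, outputs re-energize.
    return passed and all(solver.outputs().values())


if __name__ == "__main__":
    s = EsdLogicSolver()
    print("dynamic logic test:", "PASS" if run_dynamic_fat(s) else "FAIL")
    print("fail-safe test:", "PASS" if run_failsafe_fat(s) else "FAIL")
    print("fault history:", s.fault_history)
```

The point of the model is the ordering of checks in `outputs()`: the fault branch is evaluated before any process logic, so a failed module, CPU or power supply can never leave an output energized. A real FAT replaces `inject_fault` with physically pulling the module or dropping power, and the expected-state table with the project's Logic Diagrams, but the pass criterion is the same.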

Revision Summary

27 December 2008 Major revision.