INSTRUMENT
ICSS FUNCTIONAL
STANDARD SPECIFICATION
Rev. Issue Date(DD-MMM-YY) Description EPM Technical Authority Monaco Technical Authority Schiedam Technical Authority Houston Technical Authority Kuala Lumpur Technical Authority SBM PC
C1 25-Sep-03 For Comments and/or Approval FMA WYL BBE
C2 16-Aug-04 For Comments and/or Approval FMA WYL BBE
V1 30-May-05 Valid for Construction FMA WYL BBE ODE WHS
A1 21-Dec-05 Approved for Construction FMA WYL BBE STS WHS
A2 23-May-08 Approved for Construction TLO OLJ BBE PAL JLI MCJ
SBM Offshore N.V.
CORPORATE ENGINEERING STANDARDS
APPROVAL FRONT SHEET
PROJECT:
CORPORATE ENGINEERING STANDARDS
Head Office: 5, Route de Fribourg, PO Box 152, CH-1723 Marly, Switzerland. Tel. +41 26 439 99 20, Fax: +41 26 439 99 39, www.singlebuoy.com
Engineering Office: 24, Ave de Fontvieille, PO Box 199, MC 98007 Monaco Cedex. Tel. +377 92 05 15 00, Fax: +377 92 05 44 94
ES45000 SJF 51001 A2
DOCUMENT DESCRIPTION: INSTRUMENT ICSS FUNCTIONAL STANDARD SPECIFICATION
Status/Revision, Date (DD-MMM-YYYY), No of Pages, Written by, Checked by, Technical Authority, EPM Approval for Issue
P1 04-Dec-2002 33 M. Ringlever J. Soetjahjo B. Bernhard
C1 26-Sep-2003 35 M. Ringlever J. Soetjahjo B. Bernhard F. Marchais
C2 16-Aug-2004 71 J. Van Dartel J. Soetjahjo B. Bernhard F. Marchais
V1 30-May-2005 43 N. Wakeling P. Hesnard M. Wyllie F. Marchais
A1 21-Dec-2005 42 N. Wakeling P. Hesnard M. Wyllie F. Marchais
A2 23-May-2008 44 N. Wakeling P. Hesnard O. Jeannin T. Lorin
INFORMATION ON STATUS:
P Preliminary for Information
I Internal Discipline Checking
C For Comments and Approval
V Valid for Construction
A Approved For Construction
X “As Built”
EPM Engineering Project Manager or Assigned Substitute
Copyright Single Buoy Moorings Inc 2008
REVISION STATUS / SUMMARY OF CHANGES
REVISION, REVISED CHAPTERS, REVISION DESCRIPTION, REASON FOR REVISION
P1 Preliminary for Information
C1 For Comments / Approval
C2 For Comments / Approval
V1 Valid for Construction
A1 Minor changes including ABS approval, all marked with bar on left side of page. Approved for Construction. ABS Approval
A2 Updates to several sections; new sections added. Approved for Construction
A2 revision notes:
• Update of Definitions
• Deletion of non-relevant Codes and Standards
• Update of relevant Corporate Engineering Standards
• Throughout this document, the term SIS is reserved for all safety systems. The terms PSS and FGS/ESD are used for clarity.
• The terms Manifold/Riser Area and Hull area are used instead of Turret and Marine for generic applications.
• Wherever possible, the names of FPSO-specific equipment rooms are removed for generic applications.
• Plant area description simplified
• ICSS architecture requirements, including redundancy, are moved to SJF92028
• Typical environmental conditions simplified
• Updated panel requirements
• Power supply requirements updated
• Wiring sizes updated
• Internal wire colour and identification updated
• Graphics section simplified – now covered by SJF51004
• Alarms section updated
• Historian section updated
• Security login privileges updated
• Detail added to HMI client requirements
• Processor requirements updated
• I/O Module requirements updated
• Section added on EMC
• Software and graphics development requirements updated
• System security requirements moved to SJF92028
• System testing section updated to include FAT, SFAT and SAT.
• I/O spare requirement updated
TABLE OF CONTENTS
1. INTRODUCTION... 7
1.1 SCOPE... 7
1.2 TERMS USED TO DESCRIBE REQUIREMENTS ... 7
1.3 DEFINITIONS ... 7
1.4 ABBREVIATIONS ... 14
1.5 STANDARDS, SPECIFICATIONS AND REFERENCES... 15
1.5.1 Codes and Standards ... 15
1.5.2 Corporate Engineering Standards... 15
2. SYSTEM OVERVIEW ... 17
2.1 ICSS SYSTEM DESCRIPTION BY PLANT AREA ... 17
2.1.1 Topsides Area ... 17
2.1.2 Manifold / Riser Area... 17
2.1.3 Hull Area ... 17
2.2 ICSS SYSTEM ARCHITECTURE... 18
3. ICSS MECHANICAL DETAILS SPECIFICATIONS ... 18
3.1 ICSS SYSTEM PANELS... 18
3.1.1 Environmental Conditions ... 19
3.1.2 Indoor Panels ... 19
3.1.2.1 Multiple bayed Indoor Panels... 20
3.1.3 Outdoor Panels ... 20
4. ICSS ELECTRICAL SPECIFICATIONS... 22
4.1 POWER SUPPLY AND DISTRIBUTION ... 22
4.1.1 Internal Panel 24Vdc Distribution: Redundancy... 22
4.1.2 AC and Other Power Distribution ... 22
4.2 EARTHING... 23
4.2.1 Panel Earth (PE) ... 23
4.2.2 Instrument Earth (IE)... 23
4.3 WIRING CODES AND STANDARDS ... 23
4.3.1 Wiring Sizes ... 23
4.3.2 Wire Colour Coding... 24
4.3.3 Wire Identification... 24
4.3.4 Terminations ... 24
4.4 INTRINSICALLY SAFE ISOLATION... 24
5. ICSS USER INTERFACE FUNCTIONAL REQUIREMENTS... 25
5.1 GRAPHICS ... 25
5.1.1 Group Overviews ... 25
5.1.2 Process Systems Operation... 25
5.1.3 Detail Displays ... 25
5.1.4 Faceplates ... 26
5.2 ALARMS ... 26
5.2.1 Alarm Occurrence ... 26
5.2.2 Alarm Acknowledgement ... 26
5.2.3 Alarm Types ... 26
5.2.4 Alarm Groups ... 26
5.2.5 Alarm Summary Display... 27
5.2.6 Alarm Prioritisation ... 27
5.2.7 Alarm Shelving ... 27
5.3.1 Real Time Trends... 28
5.3.2 Historical Trends ... 28
5.4 SECURITY AND INTEGRITY ... 28
6. ICSS HARDWARE REQUIREMENTS ... 31
6.1 HUMAN MACHINE INTERFACE ... 31
6.1.1 Operator Workstation (HMI Clients) ... 31
6.1.2 Engineer’s Station ... 31
6.1.3 PC Specification: Servers and Clients ... 31
6.1.4 FGS Display ... 31
6.1.5 Tag Servers: Interfaces HMI/Control... 32
6.1.6 Networks ... 32
6.2 CONTROL AND SAFETY HARDWARE ... 32
6.2.1 Processors ... 32
6.2.2 Processor Loading ... 32
6.2.3 I/O Modules Requirements ... 33
6.2.4 I/O Module Types... 33
6.2.5 Capabilities For Other Interfaces ... 34
6.2.6 Future Expansion Capability ... 34
6.2.7 Electromagnetic Compatibility (EMC) ... 34
7. ICSS APPLICATION SOFTWARE REQUIREMENTS... 35
7.1 APPLICATION SOFTWARE DEVELOPMENT... 35
7.2 GRAPHICS DEVELOPMENT ... 35
7.3 SOFTWARE QUALITY ... 35
7.4 SOFTWARE CONFIGURATION REQUIREMENTS... 36
7.4.1.1 Processor Task Scheduling ... 36
7.5 PEER TO PEER COMMUNICATIONS ... 36
7.6 FORCED VARIABLES ... 38
7.7 SYSTEM DIAGNOSTICS... 38
8. SYSTEM TESTING... 39
8.1 SUPPLIER PRE-FAT TESTING AND PREPARATION ... 39
8.1.1 Hardware and Staging Completion ... 39
8.1.2 Electrical Tests... 39
8.1.3 System Hardware Pre-tests ... 39
8.1.4 Application Software Pre-tests ... 40
8.2 FACTORY HARDWARE AND SAFETY LOGIC ACCEPTANCE TEST (FAT) ... 40
8.2.1 Hardware Inspection ... 40
8.2.2 System Performance and Integrity Tests ... 41
8.2.3 Safety Cause and Effects Implementation Test ... 41
8.2.4 Class Approval of Safety Cause and Effects Implementation... 41
8.2.5 System Configuration and Application Software Inspections... 41
8.2.6 Process Control Logic Testing ... 42
8.3 SOFTWARE FACTORY ACCEPTANCE TEST (SFAT) ... 42
8.3.1 Test Platform... 43
8.4 SITE ACCEPTANCE TEST (SAT) ... 43
8.4.1 Cause and Effects Testing ... 43
FOREWORD
This document forms part of the suite of Single Buoy Moorings Inc (SBM) Corporate
Engineering Standards (CES).
These documents are intended for use on SBM leased Production Unit projects, or on
projects for other Clients where SBM standards have been accepted. As such, all
Companies within the SBM Offshore Group, and their nominated subcontractors, shall use
them.
The objective of these SBM Corporate Engineering Standards is to provide a fit-for-purpose
set of minimum design standards, which incorporate project execution feedback from recent
SBM projects as well as operational experience from the SBM Production Contractor’s fleet
of vessels.
The Corporate Engineering Standards are intended to be general, not project specific, and
will have a lower order of precedence than Client Specifications, Class Rules, Flag State
Regulations and Local Legislation. It is therefore intended that for use within a project, each
Corporate Engineering Standard is supplemented by a Project Specification, which will
identify changes required due to the above higher precedence items.
This Corporate Engineering Standard has been reviewed and found satisfactory as per the
requirements of the applicable ABS Rules, Guides, IMO MODU Code and other standards
listed below:
* ABS Guide for Building and Classing Floating Production Installations, (FPI) 2004
* ABS Guide for Building and Classing Facilities on Offshore Installations, (Facilities Guide) 2000
* ABS Rules for Building and Classing Steel Vessels, (SV Rules) 2005
* ABS Rules for Building and Classing Mobile Offshore Drilling Units (MODU Rules) 2001
* 1989 IMO MODU Code, including Amendments (Consolidated Edition 2001)
1. INTRODUCTION
1.1 SCOPE
This document specifies the functional requirements for the design, engineering, fabrication, testing, delivery and commissioning of the ICSS hardware and software.
This document should be read in conjunction with SJF 92028 (‘Instrument, Control, Safeguarding and Override Design Philosophy’), which defines the ICSS philosophy and performance requirements.
Throughout this document the term “Production Unit” is used to refer to FPSOs, FSOs, Jack-ups and other production and/or storage units.
1.2 TERMS USED TO DESCRIBE REQUIREMENTS
In this specification the following definitions shall apply:
“shall” Defines a mandatory requirement
“should” Defines a preferred requirement
“will” Defines a future or standard requirement
“may” Defines an optional requirement
“Supplier” Refers to the supplier of the ICSS
“Purchaser” Refers to the Purchaser of the ICSS
“Plant” Refers to the FPSO on which the ICSS is to be installed
1.3 DEFINITIONS
Alarm filtering
Preventing an alarm signal so that it is not available to the operator in any part of the system. That is, the alarm is eliminated and is not available anywhere in the system.
Alarm suppression
Preventing an alarm from being presented in main alarm displays, e.g. overview displays, but the alarm is still available in the system at a more detailed level. Note: this is the Norsok YA711 definition; the EEMUA 191 definition of suppression is less specific and is not used herein.
Alarm shelving
Facility for manually removing a nuisance alarm from the main list and placing it on a shelf list, temporarily preventing the alarm from re-occurring on the main list until it is removed from the shelf.
Availability
The availability of a system (or group of systems) is the system ‘up time’ and may be expressed as a percentage of time for which the system is able to correctly perform its functions. The availability of a system may be improved by adding redundancy or utilising higher quality components.
Application software
The Application Software running in a PES/PLC is the software specific to the user application. In general, it contains logic sequences, permissives, limits and expressions that control the appropriate input, output, calculations and decisions necessary to meet the functional requirements.
Bad Quality
Bad Quality is an indication that a signal from a field device is unavailable, in error, out of the calibrated range, or not in communication with the PES/PLC.
Central Control Room (CCR)
The CCR is located in the Unit/Vessel accommodation area and is a permanently manned area. The Unit/Vessel Control and Safety System is operated and monitored from within the CCR.
Centralised I/O / Local I/O
The opposite of remote I/O: the location of PES/PLC I/O modules in the same location as the processor.
Closed Network Versus Open Network
A Closed Network shall carry data traffic associated with the control, HMI, and data acquisition functions pertinent to the process being controlled only. Any network that carries any additional data other than these data types is defined as an Open Network.
Common Cause Failure
A failure, which is the result of one or more events, causing failures of two or more separate channels in a multiple channel system, leading to system failure.
Control
Control refers to automatic control executed by a PES/PLC system, including the ICSS.
Control system
A system which responds to input signals from the process and/or from an operator and generates output signals causing the process to operate in the desired manner. The control system includes input devices and final elements and may be either a process control or safety system.
Convenience Trip
A logical signal used to bring a secondary device to a state that is consistent with a shutdown state of the primary device. Failure of these signals will not affect the safety function and will not have safety or business-interruption implications. The purpose of a convenience trip is to aid the operator by aligning the plant for restart. Examples include closing control valves in the same process line as shutdown valves, or tripping units which would subsequently shut down as a consequence of the primary shutdown function.
Degraded State
A condition where a protective instrumented system may be able to perform its intended functions correctly, but may have major components or channels in a failed condition. Systems with a high degree of redundancy are capable of safe operation in some degraded states.
Deterministic
Ability to measure the maximum worst-case delay in delivery of a message between any two nodes in a network. Any network protocol that depends on random delays for message delivery is non-deterministic.
Diagnostic Coverage
The ratio of the detected failure rate to the total failure rate of the component or subsystem, as detected by diagnostic tests. Diagnostic coverage does not include any faults detected by proof tests.
Distributed Control System (DCS)
A Distributed Control System is a system which executes process control but not safety functionality. As such this term is not used within this document since an Integrated Control and Safety System (ICSS) is utilised.
Embedded software
Software that is part of the PES/PLC system supplied by the manufacturer and is not accessible for modification by the end-user. Embedded software is also referred to as firmware or system software.
Emergency Shutdown System (ESD)
The ESD System effects process, production and non-essential utility shutdown in response to a detected hazard, typically from the FGS system or a manual initiation. As such the ESD system is a hazard mitigation system which executes ESD and PESD levels of shutdowns.
ESD level shutdown
An ESD is the second highest level of shutdown, and usually encompasses the blowdown of the process plant.
Engineering Work Station (EWS)
The hardware and utility software needed to perform Programmable Electronic System configuration; typically based on a PC platform.
Fail-safe
The capability to go to a predetermined safe state in the event of a specific malfunction.
Fail-reliable
The opposite of fail-safe: the capability to ensure that the plant continues to run despite a component of the ICSS or a system variable failing.
Fault tolerant
The ability to continue correct execution of the assigned function in the presence of a limited number of hardware and software faults. A redundant system is fault tolerant such that if unit A fails, unit B takes over.
Factory Acceptance Test (FAT)
A set of predefined procedures typically conducted at the ICSS supplier's facility after the system has been assembled, and before the system ships to site. A FAT may include both the hardware / system checkout and the application software and HMI checkout.
Field Powered
The loop powering of 4-20mA instruments from the instrument side, i.e. where the instrument is current sourcing.
Final Element
That part of a protective instrumented function that implements the physical action necessary to achieve a safe state. Examples include valves, switchgear, motors, etc.
Fire and Gas System (FGS)
The Fire and Gas system encompasses the fire and gas detection equipment, signal processing, monitoring, alarming and voting. The FGS system’s function is to generate confirmed fire initiators for ESD functions and to execute fire fighting functions such as firewater/foam/CO2 deployment.
Function block diagram (FBD) language
A graphical programming language (for application software) using function block diagrams for representing the application programme for a PLC-system.
Hazard
Chemical or physical condition that has the potential for causing casualty (injury, death, contamination) to the people or the environment.
Hazardous Area
Area in which an explosive gas atmosphere is present, or may be expected to be present, in quantities such as to require special precautions for the construction, installation and use of apparatus.
Hazard Prevention
Action of safety devices of a system to prevent the occurrence of a hazardous event, for example via the execution of a unit shutdown (USD) or process shutdown (PSD). The Process Safety System executes hazard prevention functions.
Hazard Mitigation
Action of safety devices of a system to reduce the consequences of a hazardous event, e.g. ESD shutdown initiation, extinguishing release, electrical isolation, firewater controls etc. The FGS/ESD system executes hazard mitigation functions.
Historical trend
A graphical display on the HMI which allows the operator to view historical data from before the display was opened, along with real-time data.
Human Machine Interface (HMI)
The means by which information is communicated between human operator(s) and the Process Control and Safety system (for example, monitors, indicating lights, push-buttons, horns, alarms). The HMI is also known as the operator interface.
Integrated Control & Safety System (ICSS)
The combined safety and process control systems which incorporates a HMI.
Inputs and Outputs: I/O
Inputs and Outputs to a PES / PLC / ICSS. Some typical I/O types include 4–20 mA analogue input/output, 24 Vdc discrete input/output and are to/from field instrumentation or other systems.
I/O Bus
The communications highway between the PES/PLC processor and its associated I/O modules. This may be a local bus (within a panel) for centralised / local I/O or an extended bus for remote I/O.
I/O Driver
That portion of application software which forms the interface between the I/O card and the application software.
Ladder diagram (LD) language
A graphical programming language using ladder diagrams for representing the application program for a PLC-system.
Line monitoring device
A device to monitor and alarm a faulty state of an input or output safety device, which is required to be attached to a fault tolerant safety device; e.g. end-of-line resistor, in-line resistor, power supply failure relay.
Logic Solver
That portion of either a PCS or SIS that performs one or more logic function(s). This includes electrical, electronic and Programmable Electronic systems.
Lower Explosive Limit (LEL)
The concentration of gas in air, below which the gas atmosphere is not explosive.
MooN
Voting function of a safety instrumented system made up of “N” independent channels/inputs, which are so connected that “M” channels/inputs are sufficient to perform the safety instrumented function, i.e. initiating a trip/shutdown signal.
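To make the MooN, Bad Quality and Degraded State definitions concrete, the following Python is an added example (not part of this SBM standard or any supplier's logic solver code). It votes M-out-of-N over constructed transmitter channels; the policy for Bad Quality channels (drop them from the vote and run degraded, fail safe when fewer than M good channels remain) is an assumption that a project would fix in its own design philosophy.

```python
from dataclasses import dataclass
from enum import Enum


class Quality(Enum):
    """Signal quality as seen by the logic solver (see 'Bad Quality')."""
    GOOD = "good"
    BAD = "bad"       # unavailable, in error, out of range or lost comms


@dataclass(frozen=True)
class Channel:
    tag: str          # constructed tag name, e.g. "PT-101A"
    tripped: bool     # True when the channel's trip limit is exceeded
    quality: Quality


@dataclass(frozen=True)
class VoteResult:
    trip: bool        # demand placed on the final element
    state: str        # "HEALTHY", "DEGRADED" or "FAIL_SAFE"
    trip_votes: int   # good-quality channels currently voting to trip
    available: int    # good-quality channels taking part in the vote


def vote_moon(channels: list[Channel], m: int) -> VoteResult:
    """MooN vote over N channels with Bad Quality handling.

    Assumed policy (project specific, not mandated by the specification):
      * Bad Quality channels are removed from the vote; the function keeps
        running in a Degraded State with the remaining good channels.
      * If fewer than M good channels remain, an M-out-of-N decision can no
        longer be reached, so the function fails safe and trips.
    """
    n = len(channels)
    if not 1 <= m <= n:
        raise ValueError(f"M must be between 1 and N={n}, got {m}")
    good = [c for c in channels if c.quality is Quality.GOOD]
    votes = sum(1 for c in good if c.tripped)
    if len(good) < m:
        return VoteResult(trip=True, state="FAIL_SAFE",
                          trip_votes=votes, available=len(good))
    state = "HEALTHY" if len(good) == n else "DEGRADED"
    return VoteResult(trip=votes >= m, state=state,
                      trip_votes=votes, available=len(good))


if __name__ == "__main__":
    # Constructed 2oo3 high-pressure trip: one transmitter has lost comms.
    pts = [
        Channel("PT-101A", tripped=True, quality=Quality.GOOD),
        Channel("PT-101B", tripped=False, quality=Quality.GOOD),
        Channel("PT-101C", tripped=True, quality=Quality.BAD),
    ]
    print(vote_moon(pts, m=2))   # degraded, 1 of 2 available votes: no trip
```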
Non-Emergency Electrical Equipment
Any items of electrical equipment not required to have a role in an emergency.
Nuisance Alarm
Alarms which do not generate a specific action or response from the operator. For example, a repeating alarm.
OPC
The OPC Specification is a non-proprietary technical specification that defines a set of standard interfaces based upon Microsoft’s OLE/COM technology. The application of the OPC standard interface makes possible interoperability between automation/control applications, field systems/devices and business/office applications. Typically an OPC client application running in the ICSS is provided with data from OPC Servers running in other PES/PLC systems.
Operator Interface
See HMI.
Operation
Operation refers to the human operator making commands to start/stop motors or open/close valves, or change automatic control setpoints or other parameters.
Override function
Temporary deactivation of some part of a shutdown loop. There are two types of overrides: maintenance overrides and operational overrides. Maintenance overrides involve the override of field instruments forming part of safety functions for maintenance reasons. Operational overrides involve the override of the trip action for operational reasons, such as overriding low flow trips on a pump for start up.
Package Unit Control Systems
Package units include gas compression, power generation and boilers supplied with their own PES/PLC control system. Subsea systems which execute control logic in a PES/PLC or other control system are also classified herein as package units.
Peer to Peer Communications
Communications between two PES/PLC processors via the system’s networks or another communications link.
Post Emergency Shutdown (PESD)
The PESD is the highest level of shutdown, which may be initiated following an ESD. The PESD constitutes a platform abandon.
Process Safety System (PSS)
The Process Safety System executes hazard prevention functions: process shutdowns (PSD) or unit shutdowns (USD). The PSS responds to excursions of process conditions outside the prescribed limits by initiating shutdowns to prevent equipment damage, or further development of process hazards to the personnel.
Process Shutdown (PSD)
A process shutdown results in the shutdown of the production process, without affecting the utilities. As such a PSD is the third highest level of shutdown.
Processor
The component of the ICSS which executes application control or safety software, otherwise known as the controller, CPU, logic solver or PLC.
Production Unit
The FPSO, FSO, Jack-up or other production and / or storage unit.
Programmable Electronic System (PES)
A system for control, protection or monitoring based on one or more programmable electronic devices (usually microprocessor based), including all elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, actuators and other output devices.
Programmable Logic Controller (PLC)
Digitally operating electronic system, designed for use in an industrial environment, which uses a programmable memory for the internal storage of user-oriented instructions for implementing specific functions such as logic, sequencing, timing, counting and arithmetic, to control, through digital or analogue inputs and outputs, various types of machines or processes. Both the PLC and its associated peripherals are designed so that they can be easily integrated into an industrial control system and easily used in all their intended functions. A PLC is a Programmable Electronic System excluding the sensors and actuators.
Process Control System
Otherwise known as Basic Process Control System, a system that responds to input signals from equipment under control and/or from an operator and generates output signals, causing the equipment under control to operate in the desired manner, i.e. within its operating envelope.
Real time trend
A graphical display on the HMI which allows the operator to view real-time data commencing from when the display was opened.
Redundancy
Use of multiple elements or systems to perform the same function; redundancy can be implemented by identical elements (identical redundancy) or by diverse elements (diverse redundancy).
Reliability
Reliability is the probability that an operational component or system will perform its required functions when called upon to do so. This applies to functions required to be performed occasionally (e.g. trip functions) or continuously (e.g. motor running). The reliability of a system may be improved by using higher quality components or adding redundancy.
Reset Action
A manual operator action to unlatch a trip condition, normally the tripped device (e.g. motor or shutdown valve).
Remote I/O
The opposite of centralised I/O: a system where the I/O modules are located remotely to the processor, usually in the field close to the process elements being controlled / monitored.
Risk
Combination of the frequency of occurrence of harm and the severity of that harm.
Safety Integrity
Average probability of a safety instrumented system satisfactorily performing the required safety function under all stated design conditions within a stated period of time.
Safety Integrity Level (SIL)
Discrete level (one out of four), defined in IEC 61508, for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented systems. Safety integrity level 4 has the highest level of safety integrity; safety integrity level 1 has the lowest. Safety integrity is the average probability of a safety instrumented system satisfactorily performing the required safety instrumented functions under all the stated conditions within a stated period of time.
Safety Critical
A safety critical loop is one required to be executed in the SIS, not the PCS. In projects where a SIL analysis is executed, this means a safety function assigned a SIL of 1, 2 or 3. Safety Critical data refers to parameters directly used as part of a Safety Instrumented Function, e.g. a process measurement.
Safety Instrumented System (SIS)
System composed of initiating devices, logic solvers, and output devices designed to prevent or mitigate hazard conditions. As such the SIS is broken down into two parts – the Process Safety System which executes hazard prevention functions (USD and PSD) and the FGS/ESD system which executes hazard mitigation functions (fire fighting, ESD and PESD). As such the term SIS refers to all safety systems in the ICSS.
Simplex I/O
The use of single (as opposed to redundant) I/O modules in a PES/PLC.
Site Acceptance Test (SAT)
A set of predefined procedures conducted at a job site after the system has been reassembled, and usually following some modifications to the software tested at FAT.
System Powered
The loop powering of 4-20mA instruments from the ICSS side, i.e. where the instrument is current sinking.
Topsides
In this document, the term refers to the production/processing facility, not including the turret (if applicable). On FPSOs and FSOs the Topsides facility is physically located on the topsides of the vessel.
Upper Explosive Limit (UEL)
The concentration of gas in air, above which the gas atmosphere is not explosive.
Unit Shutdown (USD)
Unit Shutdowns are the fourth and lowest level of shutdown function. USDs shut down specific units of the process plant in response to excursions of process conditions outside the prescribed limits, in order to prevent equipment damage or further development of process hazards to the personnel.
Utility software
Software tools for the creation, modification, and documentation of application software running in the PES/PLC.
1.4 ABBREVIATIONS
AER Aft Equipment Room (part of the accommodation block on FPSOs)
BAC Boiler Automation and Control
BMS Burner Management System
ECR Engine Control Room
EWS Engineering Work Station
CCR Central Control Room
DTU Dry Tree Unit
ESD Emergency Shutdown
FGS Fire and Gas System
F&G Fire and Gas
FPSO Floating Production, Storage and Offloading
FSO Floating Storage and Offloading
FMEA Failure Mode Effect Analysis
HAZID Hazard Identification
HAZOP Hazard & Operability
HIPPS High Integrity Pressure Protection System
HFO Heavy Fuel Oil
HLG High Limit Gas
HMI Human Machine Interface
HPU Hydraulic Power Unit
HVAC Heating, Ventilation, and Air Conditioning
ICSS Integrated Control & Safety System
I/O Input/Output
LCP Local Control Panel
LEL Lower Explosion Limit
LER Local Equipment Room (topsides module on FPSOs)
MAC Manual Alarm Call point
MCB Miniature Circuit Breaker
MDO Marine Diesel Oil
MOS Maintenance Override Switch
OOS Operational Override Switch
OPC OLE for Process Control
PA/GA Public Address/General Alarm
PCS Process Control System
PESD Post Emergency Shutdown
PSD Process Shutdown
UPS Uninterruptible Power Supply
USD Unit Shutdown
SER Sequence of Events Recorder
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
1.5 STANDARDS, SPECIFICATIONS AND REFERENCES
In addition to requirements of the Classification Society, rules and regulations, the latest editions of the following codes and standards shall be used as guidelines for design.
1.5.1 Codes and Standards
The following codes and standards are listed as reference documents:
ANSI / ISA 84.01 Application of Safety Instrumented Systems for the Process Industries
API 14C American Petroleum Institute Basic Surface Safety Systems for Offshore Production Platforms
API RP 554 Process instrumentation and control
IEC 60079 Electrical Apparatus For Explosive Gas Atmospheres
IEC 61131 Programmable controllers
IEC 60529 Degrees of protection provided by enclosures (Ingress Protection code)
IEC 61508 Functional safety of electrical/electronic/programmable electronic safety related systems
IEC 61511 Functional safety – safety instrumented system for the process industry sector
1.5.2 Corporate Engineering Standards
ES45000 SJF 51001 Instrument ICSS Functional Standard Specification
ES45000 SJF 51002 Instrument ICSS HMI Standard Specification
ES45000 SJF 51003 Instrument ICSS Software Function Block Standard Specification
ES45000 SJF 51004 Instrument ICSS Graphics and Application Software Standard Specification
ES45000 SJF 53001 Instrument Fire and Gas Detection Design Philosophy
ES45000 SJF 92028 Instrument Control, Safeguarding and Override Design Philosophy
ES45000 SJF 92034 Instrument & Electrical Package Standard Specification
ES45000 SJF 92048 Instrument Protection System Design Specification
ES45000 SJT 55001 Telecom System Design Philosophy
ES45000 SJT 55002 Telecom Subsystems Design Standard
Note: the design procedure according to SJF92048 shall be applied if IEC61511 is to be applied on the project.
2. SYSTEM OVERVIEW
2.1 ICSS SYSTEM DESCRIPTION BY PLANT AREA
The plant consists of the following parts:
• Topsides Area
• Manifold / Riser Area
• Hull Area
2.1.1 Topsides Area
The Topsides Area of Production Units incorporates oil and gas processing and utilities, and typically consists of the following sections.
Oil Section:
• High pressure separation, Intermediate pressure separation (if applicable), Test separation
• Low pressure separation, Electrostatic treater
Gas Section:
• Gas compression
• Gas treatment and dehydration system
• Vapour recovery unit compressor
• Flare system and knock out drums
Utility Section:
• Cooling and heating medium
• Water treatment and injection
• Chemical injection package, methanol injection package, etc.
2.1.2 Manifold / Riser Area
The Manifold / Riser area forms the interface between the Production Unit and the subsea systems, Well Head Platforms or other permanent units.
For Production Units provided with a turret, the risers and manifolds will be located on the fixed section. The fixed and rotating parts are connected via the swivel. The swivel has sections for the transmission of production fluids, electrical power and instrumentation, and may include a fibre-optic communications swivel for transmission of ICSS networks. The Turret will normally incorporate a chain tension monitoring system.
2.1.3 Hull Area
The Hull Area comprises the accommodation block, cargo storage, transfer and offloading facilities, and Service Systems for the whole Production Unit.
The Hull Area facilities typically consist of the following systems:
Cargo
• Cargo handling system, which includes cargo and ballast pump control
• Inert Gas / gas blanketing system
• Produced/slop water system
Service systems typically include:
• Boilers and steam systems
• Steam turbine generators
• Service air system
• Instrument air system
• MDO and HFO service and transfer system
• Seawater service system
• Potable water
• Sewerage
• HVAC
• Bilge system
• Fire water pumps
• Emergency and Essential Generators
Several Hull Service Systems will be “black box” package systems provided with local controllers – see ES45000 SJF92028 section 3.4.2. For the existing systems on vessel conversions, the extent of integration into the ICSS will be decided in the detailed engineering phase.
2.2 ICSS SYSTEM ARCHITECTURE
The Integrated Control and Safety System (ICSS) consists of:
1. Human Machine Interface System
2. Process Control System
3. Process Safety System
4. Fire and Gas / Emergency Shutdown System
5. Interfaces with Package Unit Control Systems
The ICSS system architecture, including redundancy requirements is described in ES45000 SJF92028.
3.
ICSS MECHANICAL DETAILS SPECIFICATIONS
The following sections contain the mechanical details on the panels which comprise the overall ICSS system.
3.1
ICSS SYSTEM PANELS
The system panels can be divided into indoor and outdoor panels.
The panels shall be free from distortions and blemishes; the structure shall be such that they can be lifted into position with eye bolts without causing resultant distortion.
Each panel shall be supplied with fixing holes to allow for secure fixing of the panel to the floor. Incoming and outgoing cables and all wiring in the panel shall be supported and run through grey plastic ducts with covers. In the case of intrinsically safe field wiring, the cables must run through blue plastic ducts with protective cover.
Panels shall be designed to protect internal electronics from Radio Frequency Interference.
3.1.1
Environmental Conditions
Requirements for environmental conditions for ICSS panels will be detailed in the project-specific General Data and Conditions specifications.
3.1.2
Indoor Panels
The indoor panels shall be fitted with double doors at both front and rear. A mounting plate is fitted in the middle to separate the ICSS processor and I/O cards from the field terminations. The right-hand door of each panel is fitted with a key-lockable swing handle. A panel shall be fitted with removable eye bolts, for lifting the panel. The ingress protection shall be IP42, with the internals of the panel meeting IP20 (finger proof). Equipotential bonding (earth straps) shall be provided for all non-fixed surfaces, e.g. doors.
Ventilation fans and grills shall be mounted on panel doors and provided per bay on the powered side of the panel. Installation on the side walls of panels is prohibited.
All indoor panels shall be supplied with thermostats, wired into the ICSS to alarm high panel temperature. The panels shall also be supplied with adequate identification labelling internally and externally.
All indoor panels shall be fitted with low profile lighting with an on/off switch fitted on the light itself.
The panels and plinth are to be finished to the paint specification quoted in project documentation.
Panels located in the indoor equipment rooms may have top or bottom entry for cables; this is to be specified in the project documentation. Panels with top entry shall be supplied with MCT cable transits for top entry mounted on a 200 mm extension to top of panel to aid with the installation of cables.
In the front of the panel shall be the ICSS processor and I/O cards and in the back shall be the marshalling.
The supplier is responsible for the following:
• Complete panel design
• Stress calculation for lifting
• Heat dissipation calculation (maximum allowable internal temperature 30 degrees C)
• Certification as required on the project
All cable trunking shall be sized so as not to be more than 60% full even if all spare I/O channels are used.
All components within the panel shall be labelled both on the component and adjacent to the components, so that when replaced, the identification remains.
All indoor panels, including server panels, shall be fitted with key-lockable door handles.
3.1.2.1
Multiple bayed Indoor Panels.
Where multi-bayed indoor panels require shipping breaks, all internal wiring through the shipping break (except for Profibus cables) shall be wired via terminals. This may include panel temperature measurements and commoned-up power supply fail contacts.
24V DC power supplies should be installed in all bays such that intra-panel 24V distributions are minimised.
3.1.3
Outdoor Panels
The outdoor panels are normally placed in a hazardous area classed as Zone 2; the material shall be ASTM 316L stainless steel, 2.5mm thick plate as a minimum, fitted with lockable double doors on the back and a key-lockable single door on the front. A mounting plate is fitted in the middle to separate the ICSS processor and I/O cards from the field terminations. The doors shall be fitted with key-lockable swing handles and door stoppers preventing the doors from opening past their intended design. The panel must be fitted with removable eye bolts, for lifting the panel. The ingress protection shall be IP56, with the internals of the panel meeting IP20 (finger proof). Equipotential bonding (earth straps) shall be provided for all non-fixed surfaces, e.g. doors.
All fixtures, including nuts, bolts, washers shall be A4-70 or A4-80 grade stainless steel. It is the responsibility of the Supplier to achieve the required class approval of the outdoor panels for use in the hazardous area zone as specified in the project documentation. Removable gland plates must be fitted for cable entry. Gland plates shall be strong enough to support the necessary glands and cables. The panels shall have mounting legs of 200 mm height to accommodate installation and glanding of cables. Panels shall be supplied with the required anti-vibration mats to be mounted between panel and the deck.
All panels shall be supplied complete with a cable mounting bar, located underneath the trunking, installed with sufficient clearance for cables to enter trunking.
Where pressurisation is relied upon to comply with hazardous area requirements, the panels shall be fitted with a purge control unit which shall be pre-certified to the international standard required by the project. The panel shall be fitted with an instruction label describing the operating procedure of the purging unit for safe operation. All required labels to identify the panel shall be supplied suitable for outside use.
A Vortex cooler shall be provided; the supplier shall be responsible for a heat dissipation calculation ensuring that the panels are maintained at a maximum temperature of 35 degrees C. The cooler outlet into the panel shall be mounted in such a manner as to prevent any condensation or moisture that may come from the air system from coming into contact with the physical components of the control system.
Ex-certified limit switches on the doors and a pressure switch for pressure loss shall be fitted and terminated to the ICSS, so that both conditions are alarmed to the operator at the ICSS HMI.
All outdoor panels shall be supplied with temperature transmitters, wired into the ICSS to alarm high panel temperature.
The panels are finished to paint specification RAL 9003.
In the front of the panel shall be the ICSS processor and I/O cards and in the back shall be the field I/O marshalling.
All cable trunking shall be sized so as not to be more than 60% full even if all spare I/O channels are used.
All components within the panel shall be labelled both on and adjacent to the components, so that when replaced, the identification remains.
4.
ICSS ELECTRICAL SPECIFICATIONS
4.1
POWER SUPPLY AND DISTRIBUTION
The incoming power supplies to the ICSS are two 220Vac, single phase, 60 Hz, floating feeders from the UPS system.
The two incoming supplies must be converted to 24Vdc, which is connected to the 24Vdc distribution in the panel via OR-ing diodes or redundancy modules. 24Vdc power supplies shall be adjustable up to at least 26V to allow for voltage drop across diodes, termination assemblies and field wiring. The 24Vdc shall be distributed via fuses.
Power supplies shall be sized assuming all modules including all spare I/O channels are ICSS system-powered, and including a further 30% spare capacity.
Power supply (220V AC) wiring shall run in separate duct from the marshalling termination wiring, low voltage wiring and communication wiring.
The 220 V AC terminals shall be covered with protective plastic covers with warning signs.
4.1.1
Internal Panel 24Vdc Distribution: Redundancy
Within each ICSS panel, independent redundant power supplies shall be provided for the PSS, FGS/ESD and the PCS system power (i.e. power for processor and I/O modules). For ICSS systems that require a field power supply to be applied to digital output circuits (usually to drive outputs greater than a certain power), independent redundant field power supplies shall be provided for PCS, PSS and FGS/ESD systems. These supplies shall be independent from the system power supplies.
Thus a remote I/O panel containing PCS and PSS I/O racks, which require system and field power, will be fitted with a minimum of 8 power supply units: 2 PCS system, 2 PCS field, 2 PSS system and 2 PSS field.
24V DC field supplies to I/O modules shall be individually fused. 24V power to the field in 3 or 4 wire arrangements shall be fused per channel.
All 24V power supplies (PCS system, PSS system, PCS field and PSS field) shall be monitored, and failure of any supply shall be alarmed at the ICSS HMI.
4.1.2
AC and Other Power Distribution
All ICSS equipment not supplied from the redundant 24Vdc supply shall be provided with redundant power, sourced from the UPS A and B systems. All such equipment including PCs, monitors and Ethernet switches, shall be supplied with either:
• Dual internal power supplies, or
• A fast AC transfer switch (e.g. APC type) fed from both UPS supplies. Where fast AC switches are used, for example to power computers, a minimum of 2 shall be installed such that a failure of one switch will not result in the loss of all loads.
4.2
EARTHING
4.2.1
Panel Earth (PE)
The panel earth is an earth connection for the electrical safety of the panel body and is required for all panels. Two 8mm stainless steel earthing bolts must be fitted on each panel. All earthing points on power supplies, racks, chassis, etc. shall be connected to the Panel Earth. The PE is also provided for the connection of armouring from incoming field cables.
4.2.2
Instrument Earth (IE)
This is the instrument shield earth and shall be isolated from the panel earth. The panel shall be provided with an earthing bar adjacent to the field terminals with sufficient screws (including spares) for termination of the wires; with only one wire per connection.
4.3
WIRING CODES AND STANDARDS
The specifications for the internal wiring of the system are detailed below.
System cables and internal wiring shall, where possible, be constructed using reduced flame propagation, non-toxic, low smoke type cable with an EMA or equivalent outer sheath. System cables and internal wiring must comply with IEC 60332-3 class A. The cable used shall be halogen free and have an outer sheath constructed from HFI 120 material.
4.3.1
Wiring Sizes
All wiring shall be terminated on terminals including screens and spare wires of cables. In general the following core sizes from power, earth and field cables are terminated in the ICSS panels. Space should be allowed accordingly:
220 VAC Power (phases): 6 – 16 mm²
220 VAC Power (ground): 6 – 16 mm²
Safety protection ground: 6 mm²
Instrument earthing: 6 mm²
IS earthing: 6 mm²
Analogue input signals: 0.75 – 1.5 mm²
Analogue output signals: 0.75 – 1.5 mm²
Discrete input signals: 0.75 – 1.5 mm²
Discrete output signals: 1.5 – 2.5 mm²
Internal panel wiring for field I/O shall be no less than 0.5 mm², though system cables may be of smaller cross-section. Electrical power distribution shall be via appropriately sized cabling.
4.3.2
Wire Colour Coding
The wire colour code for internal wiring is detailed below:
Wire function               Colour
220Vac phase 1              Brown
220Vac phase 2              Blue
24Vdc                       Red
5Vdc                        Orange
0Vdc                        Black
Field input                 Grey
Field output                Grey
Panel (dirty) earth         Green/Yellow
Instrument (clean) earth    Green/Yellow
Intrinsically safe earth    Green
Intrinsically safe          Light blue
4.3.3
Wire Identification
All wires, including panel internal wiring (220V AC, 24Vdc and signal wiring) and Ethernet cables/fibres, shall be fitted with wire identification at both ends. The identifier consists of a number of black characters on a non-shrinking type sleeve; it shall be possible to replace identifiers without removing wires.
4.3.4
Terminations
Terminals shall be Weidmuller types WTR (disconnect), WSI (fuse), WDU (feed through) or equivalent. It shall be possible to isolate all field terminations (fuse or disconnects) in order to allow point to point testing of field wiring.
All fused terminals shall be provided with LED fuse failure indication.
Stranded wires shall be terminated on terminals with crimped pins. Only one crimped wire pin per terminal, though a bridge/jumper between terminals is acceptable.
Intrinsically safe terminals shall be segregated from other terminals and shall be coloured blue.
4.4
INTRINSICALLY SAFE ISOLATION
5.
ICSS USER INTERFACE FUNCTIONAL REQUIREMENTS
5.1
GRAPHICS
The HMI monitors shall provide graphic displays with live process information. The ICSS shall have as a minimum the types of displays listed in this section. The graphic system shall incorporate facilities for the Purchaser to reconfigure these displays to meet changing operational requirements and to create and configure additional displays. In addition to any standard facilities, a hierarchical system is required which will allow fast access to any Process System graphic. Several means of navigation between graphics shall be provided.
Refer to Instrument ICSS Graphics and Application Software Standard Specification, ES45000 SJF51004 for detailed graphic standards and conventions.
5.1.1
Group Overviews
Group overviews consist of the following types:
• Process overviews – based on block diagrams or Process Flow Diagrams
• Fire and gas overview – depicting the whole Production Unit
• Cause and effects overview graphics – block diagram providing navigation down to relevant cause and effect displays
The primary purpose of these displays is to provide the operator with an overview of the hierarchy of graphics and navigation.
5.1.2
Process Systems Operation
These are the main level of graphics the operator will be using day to day, and consist of:
• Process graphics – based on simplified P&IDs, combined to depict sufficient detail for operation. The operator can select plant items such as motors, valves and operate these devices via faceplates.
• Package Unit monitoring graphics – repeat of key performance indicators from Package Unit control systems
• Fire and gas layout graphics – depicting the physical layout of fire zones and positions of detectors
• Fire and gas process graphics – depicting fire pumps, water, foam systems, dampers, isolations
• Electrical one line diagrams
• Cause and effects diagrams – based on C&E sheets.
• Special graphics – override summaries, ICSS panel displays, shutdown valve summaries, etc.
• System Status displays – displaying the status of all ICSS components from servers to processors and I/O cards.
In addition to the above list of process system graphics, an alarm summary is provided to the operator; see section 5.2.5 below.
5.1.3
Detail Displays
All Process system graphics shall have associated operator trend displays displaying historical data associated with the plant.
5.1.4
Faceplates
All standard symbols on graphics depicting devices such as transmitters, motors, valves have associated operation faceplates. These faceplates “pop-up” when selected via the trackball. Faceplates provide the operator with the capability of operating the device, and changing parameters associated with it, depending on the operator’s login privileges. Refer to section 5.4.
Refer to ES45000 SJF51002 for documentation of all standard symbols and faceplates.
5.2
ALARMS
5.2.1
Alarm Occurrence
Alarms shall be initiated in accordance with conditions and limits as specified in the Alarm and Trip summaries. Every alarm initiated by the application software or system shall be displayed on operator alarm summaries, unless “shelved”, see section 5.2.7 below. When an alarm is detected the following shall occur:
• An audible alarm shall be initiated in the appropriate control room
• Associated graphical elements on a display will flash for active alarms that are not yet acknowledged.
• An alarm status change shall be recorded in the system alarm log file.
• The alarm will appear on the allocated operator station alarm page(s).
• The alarm will appear on the operator station alarm banner.
5.2.2
Alarm Acknowledgement
The operator shall be required to accept alarms individually via the associated process display or individually and globally on the alarm summary.
5.2.3
Alarm Types
In addition to process alarms specified in the project P&IDs and Alarm and Trip summaries, the following alarms shall be included.
System alarms alert the operator to the failure of an ICSS component as detected by system diagnostics, and shall include:
• Failure of any module of ICSS hardware (processors, communications modules and I/O modules)
• Failure of the ICSS network hardware, tag servers (if applicable), power supplies
• Input or output bad quality / out of range.
5.2.4
Alarm Groups
The ICSS alarms shall be structured by plant hierarchy, enabling the operator to filter alarms by plant area.
5.2.5
Alarm Summary Display
Alarms shall be displayed on the alarm summaries as follows:
• Alarms shall be listed in chronological order, the most recent at the top.
• Alarms shall be listed with date and time, source tag, description, plant area (group)
• Each alarm page shall display up to 50 alarms at one time with a maximum total of 1000 alarms which may be viewed by simply paging down through the alarm list. It shall be possible to display alarms associated with one group; for example to display only system alarms.
The ICSS alarm management system shall allow the operator to view alarms in the following formats:
• Incoming alarm list – all un-acknowledged incoming alarms.
• Acknowledged alarm list – all acknowledged active alarms
• Outgoing alarm list – alarms which have returned to normal.
5.2.6
Alarm Prioritisation
Alarms shall be prioritised in order to assist the operator in recognising the severity or speed of response required for each alarm condition. Process alarms are grouped into the following three priorities:
• High: Emergency or critical alarm requiring an immediate response. E.g. high level gas detected
• Medium: Hazard preventive or warning alarm, requiring a quick response. Typically a medium priority alarm, if not acted upon, can subsequently result in a high priority alarm.
• Low: Process message alarm requiring attention. Typically equipment failure alarms.
Two additional alarm priorities are incorporated, for maintenance and system alarms:
• Maintenance alarm: MOS or OOS activated
• System alarm: malfunction or failure of an ICSS system component (as detected by system diagnostics)
The graphical representation of alarms is described in ES45000 SJF 51002 Instrument ICSS HMI Standard Specification.
5.2.7
Alarm Shelving
There shall be a facility provided on the ICSS to allow nuisance alarms to be temporarily removed from the main alarm summary and diverted to a separate alarm summary.
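The alarm handling behaviour of sections 5.2.1 to 5.2.7 (occurrence, individual and global acknowledgement, plant-area groups, the three summary lists with 50 alarms per page and a 1000-alarm total, the five priorities and shelving) can be modelled in a few dozen lines. The Python model below is an added example, not part of this specification or of any supplier's product; the tags, plant areas and times used in build_sample are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, Dict, List, Optional

class Priority(Enum):
    HIGH = "High"                # emergency / critical, immediate response
    MEDIUM = "Medium"            # hazard preventive or warning, quick response
    LOW = "Low"                  # process message, typically equipment failure
    MAINTENANCE = "Maintenance"  # MOS or OOS activated
    SYSTEM = "System"            # ICSS component failure found by diagnostics

@dataclass
class Alarm:
    tag: str
    description: str
    group: str             # plant area, used for operator filtering
    priority: Priority
    raised: datetime
    acknowledged: bool = False
    active: bool = True    # False once the condition has returned to normal
    shelved: bool = False  # diverted from the main summary to the shelved summary

    def flashing(self) -> bool:
        # Graphic elements flash while the alarm is active and not yet acknowledged.
        return self.active and not self.acknowledged

class AlarmSummary:
    PAGE_SIZE = 50      # alarms shown per page
    MAX_ALARMS = 1000   # total retained for paging through
    VIEWS: Dict[str, Callable[[Alarm], bool]] = {   # the three operator lists
        "incoming": lambda a: a.active and not a.acknowledged,
        "acknowledged": lambda a: a.active and a.acknowledged,
        "outgoing": lambda a: not a.active,
    }
    def __init__(self) -> None:
        self.alarms: List[Alarm] = []
        self.log: List[tuple] = []   # (time, tag, status change): the alarm log file
    def _latest(self, tag: str) -> Optional[Alarm]:
        return next((a for a in reversed(self.alarms) if a.tag == tag), None)
    def raise_alarm(self, tag, description, group, priority, now) -> Alarm:
        current = self._latest(tag)
        if current is not None and current.active:
            return current               # condition already in alarm: no duplicate entry
        alarm = Alarm(tag, description, group, priority, now)
        self.alarms.append(alarm)
        self.log.append((now, tag, "ALARM"))
        while len(self.alarms) > self.MAX_ALARMS:  # discard oldest, returned-to-normal first
            self.alarms.remove(next((a for a in self.alarms if not a.active), self.alarms[0]))
        return alarm
    def acknowledge(self, tag, now) -> bool:   # individual acknowledge (display or summary)
        alarm = self._latest(tag)
        if alarm is None or alarm.acknowledged:
            return False
        alarm.acknowledged = True
        self.log.append((now, tag, "ACK"))
        return True
    def acknowledge_all(self, now) -> int:      # global acknowledge from the summary
        pending = [a for a in self.alarms if not a.acknowledged and not a.shelved]
        for a in pending:
            a.acknowledged = True
            self.log.append((now, a.tag, "ACK"))
        return len(pending)
    def return_to_normal(self, tag, now) -> bool:
        alarm = self._latest(tag)
        if alarm is None or not alarm.active:
            return False
        alarm.active = False
        self.log.append((now, tag, "NORMAL"))
        return True
    def shelve(self, tag, shelved: bool = True) -> bool:
        alarm = self._latest(tag)
        if alarm is not None:
            alarm.shelved = shelved
        return alarm is not None
    def page(self, view="incoming", number=1, group=None, shelved=False) -> List[Alarm]:
        # One page of the chosen list, most recent first; group filters to one plant area.
        keep = self.VIEWS[view]
        rows = [a for a in self.alarms
                if a.shelved == shelved and keep(a) and (group is None or a.group == group)]
        rows.sort(key=lambda a: a.raised, reverse=True)
        start = (number - 1) * self.PAGE_SIZE
        return rows[start:start + self.PAGE_SIZE]
    def audible(self) -> bool:
        # The control room audible alarm sounds while any unshelved active alarm is unacknowledged.
        return any(a.active and not a.acknowledged and not a.shelved for a in self.alarms)

def ts(seconds: int) -> datetime:   # constructed reference time plus an offset
    return datetime(2008, 5, 23, 8, 0, 0) + timedelta(seconds=seconds)

def build_sample() -> AlarmSummary:
    # Constructed sequence of events; tags and texts are not from the specification.
    s = AlarmSummary()
    s.raise_alarm("PT-1001", "HP separator pressure high", "Topsides", Priority.HIGH, ts(0))
    s.raise_alarm("GD-2003", "High level gas detected", "FGS/ESD", Priority.HIGH, ts(1))
    s.raise_alarm("PSU-A-PCS", "PCS system 24Vdc supply A failed", "System", Priority.SYSTEM, ts(2))
    s.raise_alarm("LT-3005", "Slop tank level high", "Cargo", Priority.LOW, ts(3))
    s.shelve("LT-3005")                  # nuisance alarm diverted to the shelved summary
    s.acknowledge("PT-1001", ts(10))
    s.return_to_normal("GD-2003", ts(20))
    return s
```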
5.3
REAL TIME AND HISTORICAL TRENDS
5.3.1
Real Time Trends
Real time trending of up to 100 configurable trends per operator station is required with a selectable sampling frequency down to 1 second. Real-time trends shall be included in operator faceplates, and operator-configurable trend displays.
5.3.2
Historical Trends
Historical data shall be stored on-line for a minimum of 3 months, at sampling intervals of between 5 seconds and 10 seconds, as specified in the project documentation. The historian shall be sized to store all of the following I/O for the above duration:
• All PID controller set points
• All hardwired analogue inputs
• All analogue signals from Package Control systems interfaced with the ICSS. Exception is made for the (free-issued) Subsea system which is expected to be equipped with historian capability.
• 40% spare capacity shall be included in the licensing and hardware design
The facility shall be provided to make back-ups of the data, typically to DVD or tape. It shall be possible to view historical trends from any HMI operator workstation.
5.4
SECURITY AND INTEGRITY
To prevent unauthorised use of the ICSS it shall be configured for the access levels as specified below. Access shall be controlled via user login / password. Activities for which only supervisor and engineer have authorisation are typically accessed via graphical faceplates. Engineer only authorisation is typically for system parameter changes, or changes to application software from the Engineering Workstation.
Function                                                 L1   L2   L3   L4
Designated level title (Notes 1, 2)                      Gu   Op   Su   En
Graphics
  - Access and view                                      Yes  Yes  Yes  Yes
  - Modify or create                                     No   No   No   Yes
Valve operation
  - Open / close                                         No   Yes  Yes  Yes
  - Change travel alarm time                             No   No   Yes  Yes
Motor operation
  - Start / stop                                         No   Yes  Yes  Yes
  - Change feedback alarm time                           No   No   Yes  Yes
PID Controller
  - Mode change                                          No   Yes  Yes  Yes
  - Set point change                                     No   Yes  Yes  Yes
  - Tuning parameters                                    No   No   Yes  Yes
  - Alarm level change (incl PV/SP deviation or rate of change if configured)
Sequences
  - Start / stop                                         No   Yes  Yes  Yes
  - Change parameters such as timers                     No   No   No   Yes
Alarms
  - Acknowledge                                          No   Yes  Yes  Yes
  - Change alarm setpoints                               No   No   Yes  Yes
Shutdown logic
  - Apply / remove MOS (Note 3)                          No   Yes  Yes  Yes
  - Apply / remove OOS                                   No   Yes  Yes  Yes
  - Change OOS timer                                     No   Yes  Yes  Yes
  - Change trip level                                    No   No   No   Yes
Trends (real time)
  - Add / delete                                         No   Yes  Yes  Yes
  - Add / delete variables to trend                      No   Yes  Yes  Yes
  - Change vertical scale or time scale                  No   Yes  Yes  Yes
Fixed Trend displays (historical)
  - Add / delete                                         No   No   No   Yes
  - Add / delete variables to trend                      No   No   No   Yes
  - Change vertical scale or time scale                  No   Yes  Yes  Yes
Reports
  - Print reports                                        No   Yes  Yes  Yes
  - Change reports                                       No   No   No   Yes
Input / output
  - I/O force to value                                   No   No   No   Yes
Calculations
  - Add new                                              No   No   No   Yes
  - Change parameters                                    No   No   No   Yes
System configuration
  - Access to Windows environment on HMI clients         No   No   No   Yes
  - Download software to controllers                     No   No   No   Yes
Notes
1. Gu = Guest, Op = Operator, Su = Shift Supervisor, En = Engineer.
2. Access level L1 is the lowest level, L4 is the highest level.
3. MOS application subject to keyswitch, refer to SJF92028 section 4.5.1.
Operator logins should be provided, as a minimum, for the following operator groups:
• Topsides
• FGS/ESD
• Hull service systems (Marine ECR for FPSOs)
• Cargo handling and storage
• Supervisor
• Engineer / administrator
Each operator group will only have access to the graphics relevant to its plant area. The alarm banner shall be filtered to only display alarms relevant to the plant area.
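Every row of the access matrix above reads No..No Yes..Yes, so it can be enforced as one minimum level per action, with the MOS keyswitch (Note 3) and the operator group's plant-area restriction layered on top. The Python check below is an added example, not this specification's or any supplier's implementation; it assumes that the Supervisor and Engineer / administrator groups are not limited to one plant area, and that the PID alarm level change row, whose entries are not given in the table, is refused by default.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = {"Gu": 1, "Op": 2, "Su": 3, "En": 4}   # L1 lowest ... L4 highest (Notes 1, 2)

# Minimum access level per (function, action), transcribed from the table above.
# Every row of the table reads No..No Yes..Yes, so one threshold per row is exact.
# An action absent from this dictionary is refused (default deny).
MIN_LEVEL: Dict[Tuple[str, str], int] = {
    ("Graphics", "access and view"): 1,
    ("Graphics", "modify or create"): 4,
    ("Valve operation", "open / close"): 2,
    ("Valve operation", "change travel alarm time"): 3,
    ("Motor operation", "start / stop"): 2,
    ("Motor operation", "change feedback alarm time"): 3,
    ("PID controller", "mode change"): 2,
    ("PID controller", "set point change"): 2,
    ("PID controller", "tuning parameters"): 3,
    ("Sequences", "start / stop"): 2,
    ("Sequences", "change parameters"): 4,
    ("Alarms", "acknowledge"): 2,
    ("Alarms", "change alarm setpoints"): 3,
    ("Shutdown logic", "apply / remove MOS"): 2,   # plus keyswitch, Note 3
    ("Shutdown logic", "apply / remove OOS"): 2,
    ("Shutdown logic", "change OOS timer"): 2,
    ("Shutdown logic", "change trip level"): 4,
    ("Trends (real time)", "add / delete"): 2,
    ("Trends (real time)", "add / delete variables"): 2,
    ("Trends (real time)", "change scale"): 2,
    ("Fixed trend displays", "add / delete"): 4,
    ("Fixed trend displays", "add / delete variables"): 4,
    ("Fixed trend displays", "change scale"): 2,
    ("Reports", "print reports"): 2,
    ("Reports", "change reports"): 4,
    ("Input / output", "I/O force to value"): 4,
    ("Calculations", "add new"): 4,
    ("Calculations", "change parameters"): 4,
    ("System configuration", "access to Windows environment"): 4,
    ("System configuration", "download software to controllers"): 4,
}
KEYSWITCH_ACTIONS = {("Shutdown logic", "apply / remove MOS")}
# Assumption: the Supervisor and Engineer / administrator groups see every plant area;
# the other operator groups are tied to their own area.
ALL_AREA_GROUPS = {"Supervisor", "Engineer / administrator"}

@dataclass(frozen=True)
class Session:
    user: str
    level: str            # Gu, Op, Su or En
    operator_group: str   # e.g. "Topsides", "FGS/ESD", "Cargo handling and storage"

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def can_see_area(session: Session, plant_area: str) -> bool:
    return session.operator_group in ALL_AREA_GROUPS or session.operator_group == plant_area

def authorise(session: Session, function: str, action: str, plant_area: Optional[str] = None,
              mos_keyswitch: bool = False, audit: Optional[List[tuple]] = None) -> Decision:
    """Check one operator action against the matrix; every decision can be appended to an audit list."""
    key = (function, action)
    level = LEVELS[session.level]
    if key not in MIN_LEVEL:
        decision = Decision(False, "action not in access matrix (default deny)")
    elif level < MIN_LEVEL[key]:
        decision = Decision(False, "requires L%d, session is L%d" % (MIN_LEVEL[key], level))
    elif key in KEYSWITCH_ACTIONS and not mos_keyswitch:
        decision = Decision(False, "MOS keyswitch not enabled (Note 3)")
    elif plant_area is not None and not can_see_area(session, plant_area):
        decision = Decision(False, "plant area outside the operator group's scope")
    else:
        decision = Decision(True, "permitted")
    if audit is not None:
        audit.append((session.user, function, action, plant_area, decision.allowed, decision.reason))
    return decision

def yes_no_row(function: str, action: str) -> List[str]:
    """Reproduce the table row (L1..L4) from the threshold, to check the transcription."""
    need = MIN_LEVEL.get((function, action))
    return ["Yes" if need is not None and lvl >= need else "No" for lvl in (1, 2, 3, 4)]

def filter_banner(session: Session, alarms: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Alarm banner shows only (tag, plant_area) pairs relevant to the session's operator group."""
    return [(tag, area) for tag, area in alarms if can_see_area(session, area)]
```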
6.
ICSS HARDWARE REQUIREMENTS
The minimum mechanical details and electrical specifications are described in sections 3 and 4 of this document.
6.1
HUMAN MACHINE INTERFACE
6.1.1
Operator Workstation (HMI Clients)
The operator interface shall be by standard supplier-designed operator stations with full colour graphics and access to all aspects of the process and control system required as per the applicable levels of security. Pointing devices (trackball) shall be provided. Failed operator stations shall be isolated from the communications highway for repair or replacement to take place. This shall be done on-line without affecting the use of any of the other operator stations, or interruption to the communication highway.
Operator Workstations shall be furnished with 24” widescreen monitors, with 1920x1200 resolution minimum.
6.1.2
Engineer’s Station
The functions of the Engineer’s (maintenance) Workstation (EWS) are as follows:
• Access the I/O database for additions / modifications
• Access to the application software for modifications
• Back-up the application software, and I/O database (if applicable) to a back-up facility such as a tape streamer or DVD
• Run diagnostics routines
• Load new version of the application software
• Copy and merge files
• Maintenance on clients, servers and networks
6.1.3
PC Specification: Servers and Clients
The engineering workstation, tag servers and historian are as a minimum to be supplied with RAID 1 mirrored hard disks.
All PCs are to be supplied with sufficient RAM to run all system software. Hard disks shall be sized adequately to store system data (such as log files). Historian hard disks shall be sized for the quantity of historical data required by SJF 92028.
All PCs (clients, servers, EWS) are to be located in server panels.
6.1.4
FGS Display
For incident control there shall be a large monitor, minimum 30” widescreen (1920x1200 pixels), dedicated to the FGS overview.
6.1.5
Tag Servers: Interfaces HMI/Control
Tag servers (or equivalent interface between the processors and the HMI) shall be sized for the I/O count specified plus a minimum of 30% capacity for future expansion.
6.1.6
Networks
All networks shall have sufficient capacity to ensure that even during plant upsets, there is no significant reduction in communication rates.
6.2
CONTROL AND SAFETY HARDWARE
All ICSS safety system hardware shall be certified for use in SIL3 applications (certain configurations may apply for SIL3). Given the application of outdoor remote I/O or processor panels, all control and safety hardware, including necessary communications modules, shall be certified for use in zone 2 applications as per IEC60079.
6.2.1
Processors
Where processor redundancy is included, a failed standby processor may be exchanged on-line without affecting the running (duty) processor.
On loss of system power to the processors, the following requirements shall be met:
• Processors shall be provided with the capability (such as battery back up) to store volatile data during power loss. This capacity should be sufficient to maintain that data for a minimum of ninety days.
• All other control modules, such as ethernet switches, shall retain system configuration, and shall not require manual intervention to initialise.
• System software and licences shall be retained within ICSS
• All processor source application software shall be retained within the ICSS
• The ICSS shall restart its normal functioning automatically
On processor start-up following a loss of system power:
• Any normal start-up diagnostic shall run
• Manual intervention to initialise processors or I/O modules should not be required
• All auto / manual switching elements and other key functions shall adopt a predefined mode (normally manual) as required for the application.
• All sequences etc shall move to a predefined hold state as required by the application
Software changes should be possible on-line, under controlled security without requiring a shutdown of the process. It is recognised that some changes, in particular to safety software, are not permitted on-line.
6.2.2
Processor Loading
The Processor application software size shall be such that 30% spare memory is available for future program expansion. In addition, there shall be sufficient memory to allow the program to run (without affecting I/O scanning, communications or diagnostics) even when 30% more I/O and associated application software is added. If the manufacturer recommends greater spare memory requirements, these shall apply.
Processors’ cycle times shall be set to ensure that when higher priority activities such as scanning I/O and executing application software are complete, there is sufficient free-time for the processor to execute system diagnostics, communications (to other processors and HMI) and other activities such as intercommunications from the running duty processor to the standby processor.
6.2.3
I/O Modules Requirements
I/O modules of the system shall meet the following requirements:
Accuracy: ± 1% of full scale across entire temperature range
Resolution: 12 bits minimum
Linearity: ± 0.1% (with reference to input range)
Repeatability: 0.05% (in steady state condition at 25°C with reference to input range)
Electrical isolation: as a minimum between the I/O channels and the backplane bus
Temperature operating range: 0-60 °C
Failed I/O modules shall be exchanged with healthy modules on-line with only the loss of those channels allocated to that card. No other module in that rack, any other rack or enclosure shall be affected.
6.2.4
I/O Module Types
The I/O cards communicate with the Processor to execute control and logic functions via the I/O bus.
I/O signal types are as follows:
Signal Type       Requirements                                             Comments
Analogue input    4-20mA system powered, 2 wire                            Typically field transmitter (including temperature transmitter)
Analogue input    0-20mA field powered, 3 wire (24V, common and signal)    Flame, gas and smoke detectors – signal range 1-4mA used for diagnostics
Analogue Output   4-20mA system powered                                    Typically I/P converters
Digital Input     Volt-free contacts, system powered                       Typically switches or relay contacts; also inductive proximity switches
Digital Output    24V dc, system powered, 5W minimum                       Low power solenoids: typically < 5W
Digital Output    24V dc, system powered, 10W minimum                      High power solenoids
In general the field equipment is flame proof (Ex-d), though there will be some intrinsically safe instrumentation.
Features to detect open and short circuit in I/O circuits shall be provided for Fire and Gas (energise to trip) outputs.
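The two analogue input rows of the table above, together with the 12-bit resolution of section 6.2.3 and the "input bad quality / out of range" system alarm of section 5.2.3, can be turned into a loop-current quality check. The Python below is an added example, not this specification's or any supplier's module firmware; it assumes the 12-bit count span covers 0-24 mA so that over-range remains detectable, and treats a current below the 1-4 mA diagnostic band as an open circuit.

```python
from dataclasses import dataclass
from enum import Enum

ADC_COUNTS = 4096     # 12-bit resolution minimum (section 6.2.3)
ADC_SPAN_MA = 24.0    # assumption: full count span covers 0-24 mA so over-range is measurable

class Quality(Enum):
    GOOD = "good"
    DIAGNOSTIC = "detector diagnostic (1-4 mA)"   # detector signalling an internal fault
    OPEN_CIRCUIT = "open circuit / no signal"     # assumption: below the diagnostic band
    UNDER_RANGE = "under range (bad quality)"
    OVER_RANGE = "over range (bad quality)"

@dataclass(frozen=True)
class Reading:
    milliamps: float
    value: float      # engineering value; only meaningful when quality is GOOD
    quality: Quality

def counts_to_ma(counts: int) -> float:
    """Convert a raw 12-bit count to loop current."""
    if not 0 <= counts < ADC_COUNTS:
        raise ValueError("counts outside 12-bit range")
    return counts * ADC_SPAN_MA / (ADC_COUNTS - 1)

def scale(ma: float, lo: float, hi: float) -> float:
    """Linear scaling of 4-20 mA onto the engineering range lo..hi."""
    return lo + (ma - 4.0) * (hi - lo) / 16.0

def classify(ma: float, detector: bool) -> Quality:
    """Quality of a loop current for a 4-20 mA transmitter or a 0-20 mA detector."""
    if ma < 1.0:
        return Quality.OPEN_CIRCUIT           # assumption: (near) zero current means a broken loop
    if ma < 4.0:                              # 1-4 mA: detector diagnostic band, else under range
        return Quality.DIAGNOSTIC if detector else Quality.UNDER_RANGE
    if ma > 20.0:
        return Quality.OVER_RANGE
    return Quality.GOOD

def read_input(counts: int, lo: float, hi: float, detector: bool = False) -> Reading:
    """detector=False: 4-20 mA 2-wire transmitter; detector=True: 0-20 mA 3-wire F&G detector."""
    ma = counts_to_ma(counts)
    return Reading(round(ma, 3), round(scale(ma, lo, hi), 3), classify(ma, detector))

def system_alarm_required(reading: Reading) -> bool:
    """Any non-GOOD quality raises the bad quality / out of range system alarm of section 5.2.3."""
    return reading.quality is not Quality.GOOD
```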
All cards shall be capable of being applied in redundant I/O card architectures.
6.2.5
Capabilities For Other Interfaces
The ICSS shall be capable as a minimum of interfacing with other PES/PLC systems via:
• Modbus RTU (RS485 or TCP/IP)
• OPC-DA
6.2.6
Future Expansion Capability
10% installed spare of each I/O type shall be provided per panel at the time of handover to the operating company.
All channels, whether used or spare, shall be wired to terminals. 10% spare I/O slots should be included per system.
6.2.7
Electromagnetic Compatibility (EMC)
All control and safety hardware shall have undergone supplier EMC testing to confirm its immunity to electromagnetic interference. All hardware shall have certification to EU directive 2004/108/CE (previously 89/336/EEC) or equivalent.
7.
ICSS APPLICATION SOFTWARE REQUIREMENTS
The ICSS user interface functional requirements are described in section 5.
7.1
APPLICATION SOFTWARE DEVELOPMENT
The application software is developed during the detailed design phase of the project and consists of:
• I/O implementation
• Process control logic – PID control, motor control, on/off valve control, monitoring
• Safety logic – cause and effects logic
The application software shall utilise the Purchaser’s standard function blocks to provide the required logic functions, in accordance with the Purchaser’s requirements. The function blocks shall not be modified or customised as part of the project without written permission from the Purchaser. This is both for reasons of consistency throughout the project and to facilitate future library upgrades if required.
The purchaser’s standard function block library is documented in detail in document reference ES45000 SJF51003 Instrument ICSS Software Function Block Standard Specification.
Application software shall be primarily developed using function block language (as defined by IEC 61131 part 3). Function block is preferred because of the ease of understanding, both by other software engineers during the project design and commissioning, and by the ICSS technician during the Production Unit’s operation. Ladder logic is allowed, but Instruction List, Structured Text and Sequential Function Chart shall only be used for specific applications where function block is not appropriate.
7.2
GRAPHICS DEVELOPMENT
Graphics shall be developed as specified by the purchaser in the design documentation. The Purchaser’s library of standard symbols and faceplates shall be utilised. These symbols and faceplates shall not be modified or customised without the permission of the Purchaser. This is both for reasons of consistency throughout the project and to facilitate future library upgrades if required.
The purchaser’s library of standard symbols and faceplates is documented in detail in document reference ES45000 SJF51002 Instrument ICSS HMI Standard Specification. Refer to Instrument ICSS Graphics and Application Software Standard Specification, ES45000 SJF51004 for detailed graphic standards and conventions.
7.3
SOFTWARE QUALITY
The software integrator shall demonstrate rigorous software management of change procedures. These shall encompass logging of each revision of design documentation received, cross referenced with revision control of source files for application software, graphics or databases updated. These are particularly important to trace work done post FAT.