
  • Corporate Engineering Standards Project Document No.: ES45000 - SJF 51 001 - A2

    Document Title: INSTRUMENT ICSS FUNCTIONAL STANDARD SPECIFICATION

    Rev. | Issue Date (DD-MMM-YY) | Description | EPM | Technical Authority Monaco | Technical Authority Schiedam | Technical Authority Houston | Technical Authority Kuala Lumpur | Technical Authority SBM PC

    C1  25-Sep-03  For Comments and/or Approval  FMA WYL BBE
    C2  16-Aug-04  For Comments and/or Approval  FMA WYL BBE
    V1  30-May-05  Valid for Construction        FMA WYL BBE ODE WHS
    A1  21-Dec-05  Approved for Construction     FMA WYL BBE STS WHS
    A2  23-May-08  Approved for Construction     TLO OLJ BBE PAL JLI MCJ

    SBM Offshore N.V. CORPORATE ENGINEERING STANDARDS APPROVAL FRONT SHEET

    EDMS0 OFFICIAL COPY - PDF Generated on 29-Jul-2008 5:16PM

  • CLIENT: SBM PRODUCTION CONTRACTORS

    PROJECT: CORPORATE ENGINEERING STANDARDS

    Head Office: 5, Route de Fribourg, PO Box 152, CH-1723 Marly, Switzerland. Tel. +41 26 439 99 20, Fax: +41 26 439 99 39, www.singlebuoy.com

    Engineering Office: 24, Ave de Fontvieille, PO Box 199, MC 98007 Monaco Cedex. Tel. +377 92 05 15 00, Fax: +377 92 05 44 94

    Document No.: ES45000 SJ F 51 001 A 2

    DOCUMENT DESCRIPTION: INSTRUMENT ICSS FUNCTIONAL STANDARD SPECIFICATION

    Status/Revision | Date (DD-MMM-YYYY) | No of Pages | Written by | Checked by | Technical Authority | EPM Approval for Issue

    P1  04-Dec-2002  33  M. Ringlever   J. Soetjahjo  B. Bernhard
    C1  26-Sep-2003  35  M. Ringlever   J. Soetjahjo  B. Bernhard  F. Marchais
    C2  16-Aug-2004  71  J. Van Dartel  J. Soetjahjo  B. Bernhard  F. Marchais
    V1  30-May-2005  43  N. Wakeling    P. Hesnard    M. Wyllie    F. Marchais
    A1  21-Dec-2005  42  N. Wakeling    P. Hesnard    M. Wyllie    F. Marchais
    A2  23-May-2008  44  N. Wakeling    P. Hesnard    O. Jeannin   T. Lorin

    INFORMATION ON STATUS:

    P: Preliminary for Information
    I: Internal Discipline Checking
    C: For Comments and Approval
    V: Valid for Construction
    A: Approved For Construction
    X: As Built
    EPM: Engineering Project Manager or Assigned Substitute

    Copyright Single Buoy Moorings Inc 2008


  • INSTRUMENT ICSS FUNCTIONAL STANDARD SPECIFICATION

    ES45000 SJ F 51 001 A 2 PAGE 3

    REVISION STATUS / SUMMARY OF CHANGES

    Revision | Revised Chapters | Revision Description | Reason for Revision

    P1: Preliminary for Information
    C1: For Comments / Approval
    C2: For Comments / Approval
    V1: Valid for Construction
    A1: Minor changes including ABS approval, all marked with a bar on the left side of the page. Approved for Construction; ABS Approval.
    A2: Updates to several sections; new sections added. Approved for Construction.

    A2 revision notes:

    * Update of Definitions
    * Deletion of non-relevant Codes and Standards
    * Update of relevant Corporate Engineering Standards
    * Throughout this document, the term SIS is reserved for all safety systems. The terms PSS and FGS/ESD are used for clarity.
    * The terms Manifold/Riser Area and Hull Area are used instead of Turret and Marine for generic applications.
    * Wherever possible, the names of FPSO-specific equipment rooms are removed for generic applications.
    * Plant area description simplified
    * ICSS architecture requirements, including redundancy, are moved to SJF92028
    * Typical environmental conditions simplified
    * Updated panel requirements
    * Power supply requirements updated
    * Wiring sizes updated
    * Internal wire colour and identification updated
    * Graphics section simplified; now covered by SJF51004
    * Alarms section updated
    * Historian section updated
    * Security login privileges updated
    * Detail added to HMI client requirements
    * Processor requirements updated
    * I/O Module requirements updated
    * Section added on EMC
    * Software and graphics development requirements updated
    * System security requirements moved to SJF92028
    * System testing section updated to include FAT, SFAT and SAT
    * I/O spare requirement updated
    * Requirement added for offline check of application software C&E implementation


    TABLE OF CONTENTS

    1. INTRODUCTION ... 7
      1.1 SCOPE ... 7
      1.2 TERMS USED TO DESCRIBE REQUIREMENTS ... 7
      1.3 DEFINITIONS ... 7
      1.4 ABBREVIATIONS ... 14
      1.5 STANDARDS, SPECIFICATIONS AND REFERENCES ... 15
        1.5.1 Codes and Standards ... 15
        1.5.2 Corporate Engineering Standards ... 15

    2. SYSTEM OVERVIEW ... 17
      2.1 ICSS SYSTEM DESCRIPTION BY PLANT AREA ... 17
        2.1.1 Topsides Area ... 17
        2.1.2 Manifold / Riser Area ... 17
        2.1.3 Hull Area ... 17
      2.2 ICSS SYSTEM ARCHITECTURE ... 18

    3. ICSS MECHANICAL DETAILS SPECIFICATIONS ... 18
      3.1 ICSS SYSTEM PANELS ... 18
        3.1.1 Environmental Conditions ... 19
        3.1.2 Indoor Panels ... 19
          3.1.2.1 Multiple bayed Indoor Panels ... 20
        3.1.3 Outdoor Panels ... 20

    4. ICSS ELECTRICAL SPECIFICATIONS ... 22
      4.1 POWER SUPPLY AND DISTRIBUTION ... 22
        4.1.1 Internal Panel 24Vdc Distribution: Redundancy ... 22
        4.1.2 AC and Other Power Distribution ... 22
      4.2 EARTHING ... 23
        4.2.1 Panel Earth (PE) ... 23
        4.2.2 Instrument Earth (IE) ... 23
      4.3 WIRING CODES AND STANDARDS ... 23
        4.3.1 Wiring Sizes ... 23
        4.3.2 Wire Colour Coding ... 24
        4.3.3 Wire Identification ... 24
        4.3.4 Terminations ... 24
      4.4 INTRINSICALLY SAFE ISOLATION ... 24

    5. ICSS USER INTERFACE FUNCTIONAL REQUIREMENTS ... 25
      5.1 GRAPHICS ... 25
        5.1.1 Group Overviews ... 25
        5.1.2 Process Systems Operation ... 25
        5.1.3 Detail Displays ... 25
        5.1.4 Faceplates ... 26
      5.2 ALARMS ... 26
        5.2.1 Alarm Occurrence ... 26
        5.2.2 Alarm Acknowledgement ... 26
        5.2.3 Alarm Types ... 26
        5.2.4 Alarm Groups ... 26
        5.2.5 Alarm Summary Display ... 27
        5.2.6 Alarm Prioritisation ... 27
        5.2.7 Alarm Shelving ... 27
      5.3 REAL TIME AND HISTORICAL TRENDS ... 28
        5.3.1 Real Time Trends ... 28
        5.3.2 Historical Trends ... 28
      5.4 SECURITY AND INTEGRITY ... 28

    6. ICSS HARDWARE REQUIREMENTS ... 31
      6.1 HUMAN MACHINE INTERFACE ... 31
        6.1.1 Operator Workstation (HMI Clients) ... 31
        6.1.2 Engineers Station ... 31
        6.1.3 PC Specification: Servers and Clients ... 31
        6.1.4 FGS Display ... 31
        6.1.5 Tag Servers: Interfaces HMI/Control ... 32
        6.1.6 Networks ... 32
      6.2 CONTROL AND SAFETY HARDWARE ... 32
        6.2.1 Processors ... 32
        6.2.2 Processor Loading ... 32
        6.2.3 I/O Modules Requirements ... 33
        6.2.4 I/O Module Types ... 33
        6.2.5 Capabilities For Other Interfaces ... 34
        6.2.6 Future Expansion Capability ... 34
        6.2.7 Electromagnetic Compatibility (EMC) ... 34

    7. ICSS APPLICATION SOFTWARE REQUIREMENTS ... 35
      7.1 APPLICATION SOFTWARE DEVELOPMENT ... 35
      7.2 GRAPHICS DEVELOPMENT ... 35
      7.3 SOFTWARE QUALITY ... 35
      7.4 SOFTWARE CONFIGURATION REQUIREMENTS ... 36
        7.4.1.1 Processor Task Scheduling ... 36
      7.5 PEER TO PEER COMMUNICATIONS ... 36
      7.6 FORCED VARIABLES ... 38
      7.7 SYSTEM DIAGNOSTICS ... 38

    8. SYSTEM TESTING ... 39
      8.1 SUPPLIER PRE-FAT TESTING AND PREPARATION ... 39
        8.1.1 Hardware and Staging Completion ... 39
        8.1.2 Electrical Tests ... 39
        8.1.3 System Hardware Pre-tests ... 39
        8.1.4 Application Software Pre-tests ... 40
      8.2 FACTORY HARDWARE AND SAFETY LOGIC ACCEPTANCE TEST (FAT) ... 40
        8.2.1 Hardware Inspection ... 40
        8.2.2 System Performance and Integrity Tests ... 41
        8.2.3 Safety Cause and Effects Implementation Test ... 41
        8.2.4 Class Approval of Safety Cause and Effects Implementation ... 41
        8.2.5 System Configuration and Application Software Inspections ... 41
        8.2.6 Process Control Logic Testing ... 42
      8.3 SOFTWARE FACTORY ACCEPTANCE TEST (SFAT) ... 42
        8.3.1 Test Platform ... 43
      8.4 SITE ACCEPTANCE TEST (SAT) ... 43
        8.4.1 Cause and Effects Testing ... 43
        8.4.2 Independent Cause and Effect implementation review ... 44


    FOREWORD

    This document forms part of the suite of Single Buoy Moorings Inc (SBM) Corporate Engineering Standards (CES). These documents are intended for use on SBM leased Production Unit projects, or on projects for other Clients where SBM standards have been accepted. As such, all Companies within the SBM Offshore Group, and their nominated subcontractors, shall use them. The objective of these SBM Corporate Engineering Standards is to provide a fit-for-purpose set of minimum design standards, which incorporate project execution feedback from recent SBM projects as well as operational experience from the SBM Production Contractors fleet of vessels.

    The Corporate Engineering Standards are intended to be general, not project specific, and will have a lower order of precedence than Client Specifications, Class Rules, Flag State Regulations and Local Legislation. It is therefore intended that for use within a project, each Corporate Engineering Standard is supplemented by a Project Specification, which will identify changes required due to the above higher precedence items.

    This Corporate Engineering Standard has been reviewed and found satisfactory as per the requirements of the applicable ABS Rules, Guides, IMO MODU Code and other standards listed below:

    * ABS Guide for Building and Classing Floating Production Installations (FPI), 2004
    * ABS Guide for Building and Classing Facilities on Offshore Installations (Facilities Guide), 2000
    * ABS Rules for Building and Classing Steel Vessel (SV Rules), 2005
    * ABS Rules for Building and Classing Mobile Offshore Drilling Units (MODU Rules), 2001
    * 1989 IMO MODU Code, including Amendments (Consolidated Edition 2001)

    ABS Approval letter ref. no. 144818_R2 dated 23 May 2006.


    1. INTRODUCTION

    1.1 SCOPE

    This document specifies the functional requirements for the design, engineering, fabrication, testing, delivery and commissioning of the ICSS hardware and software. This document should be read in conjunction with SJF 92028 (Instrument, Control, Safeguarding and Override Design Philosophy) which defines the ICSS philosophy and performance requirements. Throughout this document the term Production Unit is used to refer to FPSOs, FSOs, Jackups and other production and/or storage units.

    1.2 TERMS USED TO DESCRIBE REQUIREMENTS

    In this specification the following definitions shall apply:

    shall: Defines a mandatory requirement
    should: Defines a preferred requirement
    will: Defines a future or standard requirement
    may: Defines an optional requirement
    Supplier: Refers to the supplier of the ICSS
    Purchaser: Refers to the Purchaser of the ICSS
    Plant: Refers to the FPSO on which the ICSS is to be installed

    1.3 DEFINITIONS

    Alarm filtering Preventing an alarm signal so that it is not available for the operator in any part of the system. That is the alarm is eliminated and is not available in the system.

    Alarm suppression Preventing an alarm from being presented in main alarm displays, e.g. overview displays, but the alarm is still available in the system at a more detailed level. Note: this is the Norsok YA711 definition; the EEMUA 191 definition of suppression is less specific and is not used herein.

    Alarm shelving Facility for manually removing a nuisance alarm from the main list and placing it on a shelve list, temporarily preventing the alarm from re-occurring on the main list until it is removed from the shelf. Availability The availability of a system (or group of systems) is the system up time and may be expressed as a percentage of time for which the system is able to correctly perform its functions. The availability of a system may be improved by adding redundancy or utilising higher quality components. Application software The Application Software running in a PES/PLC is the software specific to the user application. In general, it contains logic sequences, permissives, limits and expressions

    EDMS6 OFFICIAL COPY - PDF Generated on 29-Jul-2008 5:16PM

  • INSTRUMENT ICSS FUNCTIONAL STANDARD SPECIFICATION

    ES45000 SJ F 51 001 A 2 PAGE 8

    that control the appropriate input, output, calculations, decisions necessary to meet the functional requirements. Bad Quality Bad Quality is indication that a signal from a field device is unavailable, in-error, out of the calibrated range, or not in communication with the PES/PLC. Central Control Room (CCR) The CCR is located in the Unit/Vessel accommodation area and is a permanently manned area. The Unit/Vessel Control and Safety System is operated and monitored from within the CCR. Centralised I/O / Local I/O The opposite of remote I/O: the location of PES/PLC I/O modules in the same location as the processor. Closed Network Versus Open Network A Closed Network shall carry data traffic associated with the control, HMI, and data acquisition functions pertinent to the process being controlled only. Any network that carries any additional data other than these data types is defined as an Open Network. Common Cause Failure A failure, which is the result of one or more events, causing failures of two or more separate channels in a multiple channel system, leading to system failure. Control Control refers to automatic control executed by a PES/PLC system, including the ICSS Control system A system which responds to input signals from the process and/or from an operator and generates output signals causing the process to operate in the desired manner. The control system includes input devices and final elements and may be either a process control or safety system. Convenience Trip A logical signal used to bring a secondary device to a state that is consistent with a shutdown state of the primary device. Failure of these signals will not affect the safety function and will not have safety or business-interruption implications. The purpose of this convenience trip is to aid the operator by aligning the plant for restart. 
Examples include closing control valves in the same process line as shutdown valves, or tripping units which would subsequently shutdown as a consequence of the primary shutdown function.. Degraded State A condition where a protective instrumented system may be able to perform its intended functions correctly, but may have major components or channels in a failed condition. Systems with a high degree of redundancy are capable of safe operation in some degraded states. Deterministic Ability to measure the maximum worst-case delay in delivery of a message between any two nodes in a network. Any network protocol that depends on random delays for message delivery is non-deterministic. Diagnostic coverage

    EDMS7 OFFICIAL COPY - PDF Generated on 29-Jul-2008 5:16PM

  • INSTRUMENT ICSS FUNCTIONAL STANDARD SPECIFICATION

    ES45000 SJ F 51 001 A 2 PAGE 9

    The ratio of the detected failure rate to the total failure rate of the component or subsystem as detected by diagnostic tests. Diagnostic coverage does not include any faults detected by proof tests. Distributed Control System (DCS) A Distributed Control System is a system which executes process control but not safety functionality. As such this term is not used within this document since an Integrated Control and Safety System (ICSS) is utilised. Embedded software Software that is part of the PES/PLC system supplied by the manufacturer and is not accessible for modification by the end-user. Embedded software is also referred to as firmware or system software. Emergency Shutdown System (ESD) The ESD System effects process, production and non-essential utility shutdown in response to a detected hazard, typically from the FGS system or a manual initiation. As such the ESD system is a hazard mitigation system which executes ESD and PESD levels of shutdowns. ESD level shutdown An ESD is the second highest level of shutdown, and usually encompasses the blowdown of the process plant. Engineering Work Station (EWS) Necessary hardware and utility software designed to perform Programmable Electronic System configuration; typically is a based on a PC platform. Fail-safe The capability to go to a predetermined safe state in the event of a specific malfunction. Fail-reliable The opposite of fail-safe: the capability to ensure that the plant continues to run despite a component of the ICSS or a system variable failing. Fault tolerant The ability to continuously correct execution of the assigned function in presence of a limited number of hardware and software faults. A redundant system is fault tolerant such that if unit A fails, unit B takes over. Factory Acceptance Test (FAT) A set of predefined procedures typically conducted at the ICSS supplier's facility after the system has been assembled, and before the system ships to site. 
A FAT may include both the hardware / system checkout and the application software and HMI checkout. Field Powered The loop powering of 4-20mA instruments from the instrument; i.e. where the instrument is current sourcing. Final Element: That part of a protective instrumented function that implements the physical action necessary to achieve a safe state. Examples include valves, switchgear, motors, etc. Fire and Gas (FGS) System

    EDMS8 OFFICIAL COPY - PDF Generated on 29-Jul-2008 5:16PM

  • INSTRUMENT ICSS FUNCTIONAL STANDARD SPECIFICATION

    ES45000 SJ F 51 001 A 2 PAGE 10

    The Fire and Gas system encompasses the fire and gas detection equipment, signal processing, monitoring, alarming and voting. The FGS systems function is to generate confirmed fire initiators for ESD functions and to execute fire fighting functions such as firewater/foam/CO2 deployment. Function block diagram (FBD) language A graphical programming language (for application software) using function block diagrams for representing the application programme for a PLC-system. Hazard Chemical or physical condition that has the potential for causing casualty (injury, death, contamination) to the people or the environment.

    Hazardous Area Area in which an explosive gas atmosphere is present, or may be expected to be present, in quantities such as to require special precautions for the construction, installation and use of apparatus.

    Hazard Prevention Action of safety devices of a system to prevent the occurrence of a hazardous event, for example via the execution of a unit shutdown (USD) or process shutdown (PSD). The Process Safety System executes hazard prevention functions. Hazard Mitigation Action of safety devices of a system to reduce the consequences of a hazardous event, e.g. ESD shutdown initiation, extinguishing release, electrical isolation, firewater controls etc. The FGS/ESD system executes hazard mitigation functions. Historical trend A graphical display on the HMI which allows the operator to view historical data from before the display was opened, along with real-time data. Human Machine Interface (HMI) The means by which information is communicated between human operator(s) and the Process Control and Safety system (for example, monitors, indicating lights, push-buttons, horns, alarms). The HMI is also known as the operator interface. Integrated Control & Safety System (ICSS) The combined safety and process control systems which incorporates a HMI. Inputs and Outputs: I/O Inputs and Outputs to a PES / PLC / ICSS. Some typical I/O types include 420 mA analogue input/output, 24 Vdc discrete input/output and are to/from field instrumentation or other systems. I/O Bus The communications highway between the PES/PLC processor and its associated I/O modules. This may be a local bus (within a panel) for centralised / local I/O or an extended bus for remote I/O. I/O Driver That portion of application software which forms the interface between the I/O card and the application software.

    EDMS9 OFFICIAL COPY - PDF Generated on 29-Jul-2008 5:16PM

  • INSTRUMENT ICSS FUNCTIONAL STANDARD SPECIFICATION

    ES45000 SJ F 51 001 A 2 PAGE 11

    Ladder diagram (LD) language A graphical programming language using ladder diagrams for representing the application program for a PLC-system Line monitoring device A device to monitor/alarm a faulty state of input of output safety device; which is required to be attached for a fault tolerant safety device; e.g. end of line resistor, inline resistor, power supply failure relay. Logic Solver That portion of either a PCS or SIS that performs one or more logic function(s). This includes electrical, electronic and Programmable Electronic systems. Lower Explosive Limit (LEL) The concentration of gas in air, below which the gas atmosphere is not explosive.

    MooN Voting function of safety instrumented system made up of N independent channels/inputs, which are so connected, that M channels/inputs are sufficient to perform the safety instrumented function, i.e. initiating a trip/shutdown signal. Non-Emergency Electrical Equipment Any items of electrical equipment not required to have a role in an emergency. Nuisance Alarm Alarms which do not generate a specific action or response from the operator. For example, a repeating alarm. OPC The OPC Specification is a non-proprietary technical specification that defines a set of standard interfaces based upon Microsofts OLE/COM technology. The application of the OPC standard interface makes possible interoperability between automation/control applications, field systems/devices and business/office applications. Typically an OPC client application running in the ICSS is provided with data from OPC Servers running in other PES/PLC systems. Operator Interface See HMI. Operation Operation refers to the human operator making commands to start/stop motors or open/close valves, or change automatic control setpoints or other parameters. Override function Temporary deactivation of some part of a shutdown loop. There are two types of overrides: maintenance overrides and operational overrides. Maintenance overrides involve the override of field instruments forming part of safety functions for maintenance reasons. Operational overrides involve the override of the trip action for operational reasons, such as overriding low flow trips on a pump for start up. Package Unit Control Systems Package units include gas compression, power generation and boilers supplied with their own PES/PLC control system. Subsea systems which execute control logic in a PES/PLC or other control system are also classified herein as package units. Peer to peer communications

    EDMS10 OFFICIAL COPY - PDF Generated on 29-Jul-2008 5:16PM

  • INSTRUMENT ICSS FUNCTIONAL STANDARD SPECIFICATION

    ES45000 SJ F 51 001 A 2 PAGE 12

    Communications between two PES/PLC processors via the systems networks or another communications link. Post Emergency Shutdown (PESD) The PESD is the highest level of shutdown, which may be initiated following an ESD. The PESD constitutes a platform abandon.

    Process Safety System (PSS)
    The Process Safety System executes hazard prevention functions: process shutdowns (PSD) or unit shutdowns (USD). The PSS responds to excursions of process conditions outside the prescribed limits by initiating shutdowns to prevent equipment damage, or further development of process hazards to the personnel.

    Process Shutdown (PSD)
    A process shutdown results in the shutdown of the production process, without affecting the utilities. As such, a PSD is the third highest level of shutdown.

    Processor
    The component of the ICSS which executes application control or safety software, otherwise known as the controller, CPU, logic solver or PLC.

    Production Unit
    The FPSO, FSO, Jack-up or other production and / or storage unit.

    Programmable Electronic System (PES)
    A system for control, protection or monitoring based on one or more programmable electronic devices (usually microprocessor based), including all elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, actuators and other output devices.

    Programmable Logic Controller (PLC)
    Digitally operating electronic system, designed for use in an industrial environment, which uses a programmable memory for the internal storage of user-oriented instructions for implementing specific functions such as logic, sequencing, timing, counting and arithmetic, to control, through digital or analogue inputs and outputs, various types of machines or processes. Both the PLC and its associated peripherals are designed so that they can be easily integrated into an industrial control system and easily used in all their intended functions. A PLC is a Programmable Electronic System excluding the sensors and actuators.

    Process Control System
    Otherwise known as Basic Process Control System, a system that responds to input signals from equipment under control and/or from an operator and generates output signals, causing the equipment under control to operate in the desired manner, i.e. within its operating envelope.

    Real time trend
    A graphical display on the HMI which allows the operator to view real-time data commencing from when the display was opened.

    Redundancy
    Use of multiple elements or systems to perform the same function; redundancy can be implemented by identical elements (identical redundancy) or by diverse elements (diverse redundancy).

    Reliability
    Reliability is the probability that an operational component or system will perform its required functions when called upon to do so. This applies to functions required to be performed occasionally (e.g. trip functions) or continuously (e.g. motor running). The reliability of a system may be improved by using higher quality components or adding redundancy.

    Reset Action
    A manual operator action to unlatch a trip condition, normally on the tripped device (e.g. motor or shutdown valve).

    Remote I/O
    The opposite of centralised I/O: a system where the I/O modules are located remotely to the processor, usually in the field close to the process elements being controlled / monitored.

    Risk
    Combination of the frequency of occurrence of harm and the severity of that harm.

    Safety Integrity
    Average probability of a safety instrumented system to satisfactorily perform the required safety function under all stated design conditions within a stated period of time.

    Safety Integrity Level (SIL)
    Discrete level (one out of four), defined in IEC 61508, for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented systems. Safety integrity level 4 has the highest level of safety integrity; safety integrity level 1 has the lowest. Safety integrity is the average probability of a safety instrumented system satisfactorily performing the required safety instrumented functions under all the stated conditions within a stated period of time.

    Safety Critical
    A safety critical loop is one required to be executed in the SIS, not the PCS. In projects where a SIL analysis is executed, this means a safety function assigned a SIL of 1, 2 or 3. Safety Critical data refers to parameters directly used as part of a Safety Instrumented Function, e.g. a process measurement.

    Safety Instrumented System (SIS)
    System composed of initiating devices, logic solvers, and output devices designed to prevent or mitigate hazard conditions. The SIS is broken down into two parts: the Process Safety System, which executes hazard prevention functions (USD and PSD), and the FGS/ESD system, which executes hazard mitigation functions (fire fighting, ESD and PESD). As such the term SIS refers to all safety systems in the ICSS.

    Simplex I/O
    The use of single (as opposed to redundant) I/O modules in a PES/PLC.

    Site Acceptance Test (SAT)
    A set of predefined procedures conducted at a job site after the system has been reassembled, and usually following some modifications to the software tested at FAT.

    System Powered
    The loop powering of 4-20mA instruments from the ICSS; i.e. where the instrument is current sinking.

    Topsides
    In this document, the term refers to the production/processing facility, not including the turret (if applicable). On FPSOs and FSOs the Topsides facility is physically located on the topsides of the vessel.

    Upper Explosive Limit (UEL)
    The concentration of gas in air above which the gas atmosphere is not explosive.

    Unit Shutdown (USD)
    Unit Shutdowns are the fourth and lowest level of shutdown function. USDs shut down specific units of the process plant in response to excursions of process conditions outside the prescribed limits, in order to prevent equipment damage or further development of process hazards to the personnel.

    Utility software
    Software tools for the creation, modification, and documentation of application software running in the PES/PLC.

    1.4 ABBREVIATIONS

    AER Aft Equipment Room (part of the accommodation block on FPSOs)
    BAC Boiler Automation and Control
    BMS Burner Management System
    ECR Engine Control Room
    EWS Engineering Workstation
    CCR Central Control Room
    DTU Dry Tree Unit
    ESD Emergency Shutdown
    FGS Fire and Gas System
    F&G Fire and Gas
    FPSO Floating Production, Storage and Offloading
    FSO Floating Storage and Offloading
    FMEA Failure Mode Effect Analysis
    HAZID Hazard Identification
    HAZOP Hazard & Operability
    HIPPS High Integrity Pressure Protection System
    HFO Heavy Fuel Oil
    HLG High Limit Gas
    HMI Human Machine Interface
    HPU Hydraulic Power Unit
    HVAC Heating, Ventilation, and Air Conditioning
    ICSS Integrated Control & Safety System
    I/O Input/Output
    LCP Local Control Panel
    LEL Lower Explosion Limit
    LER Local Equipment Room (topsides module on FPSOs)
    MAC Manual Alarm Call point
    MCB Miniature Circuit Breaker
    MDO Marine Diesel Oil
    MOS Maintenance Override Switch
    OLE Object Link Embedded
    OOS Operational Override Switch
    OPC OLE for Process Control
    PA/GA Public Address/General Alarm
    PCS Process Control System
    PESD Post Emergency Shutdown
    PSD Process Shutdown
    UPS Uninterruptible Power Supply
    USD Unit Shutdown
    SER Sequence of Events Recorder
    SIF Safety Instrumented Function
    SIL Safety Integrity Level
    SIS Safety Instrumented System

    1.5 STANDARDS, SPECIFICATIONS AND REFERENCES

    In addition to the requirements of the Classification Society rules and regulations, the latest editions of the following codes and standards shall be used as guidelines for design.

    1.5.1 Codes and Standards

    The following codes and standards are listed as reference documents:

    ANSI / ISA 84.01 Application of Safety Instrumented Systems for the Process Industries
    API 14C American Petroleum Institute Basic Surface Safety Systems for Offshore Production Platforms
    API RP 554 Process instrumentation and control
    IEC 60079 Electrical Apparatus For Explosive Gas Atmospheres
    IEC 61131 Programmable controllers
    IEC 60529 Degrees of protection provided by enclosures (Ingress Protection code)
    IEC 61508 Functional safety of electrical/electronic/programmable electronic safety related systems
    IEC 61511 Functional safety - safety instrumented systems for the process industry sector

    1.5.2 Corporate Engineering Standards

    ES45000 SJF 51001 Instrument ICSS Functional Standard Specification
    ES45000 SJF 51002 Instrument ICSS HMI Standard Specification
    ES45000 SJF 51003 Instrument ICSS Software Function Block Standard Specification
    ES45000 SJF 51004 Instrument ICSS Graphics and Application Software Standard Specification
    ES45000 SJF 53001 Instrument Fire and Gas Detection Design Philosophy
    ES45000 SJF 92028 Instrument Control, Safeguarding and Override Design Philosophy
    ES45000 SJF 92034 Instrument & Electrical Package Standard Specification
    ES45000 SJF 92048 Instrument Protection System Design Specification
    ES45000 SJT 55001 Telecom System Design Philosophy
    ES45000 SJT 55002 Telecom Subsystems Design Standard

    Note: the design procedure according to SJF92048 shall be applied if IEC61511 is to be applied on the project.

    2. SYSTEM OVERVIEW

    2.1 ICSS SYSTEM DESCRIPTION BY PLANT AREA

    The plant consists of the following parts:
    Topsides Area
    Manifold / Riser Area
    Hull Area

    2.1.1 Topsides Area

    The Topsides Area of Production Units incorporates oil and gas processing and utilities, and typically consists of the following sections.

    Oil Section:
    High pressure separation
    Intermediate pressure separation (if applicable)
    Test separation
    Low pressure separation
    Electrostatic treater

    Gas Section:
    Gas compression
    Gas treatment and dehydration system
    Vapour recovery unit compressor
    Flare system and knock out drums

    Utility Section:
    Cooling and heating medium
    Water treatment and injection
    Chemical injection package, methanol injection package, etc.

    2.1.2 Manifold / Riser Area

    The Manifold / Riser area forms the interface between the Production Unit and the subsea systems, Well Head Platforms or other permanent units. For Production Units provided with a turret, the risers and manifolds will be located on the fixed section. The fixed and rotating parts are connected via the swivel. The swivel has sections for the transmission of production fluids, electrical power and instrumentation, and may include a fibre-optic communications swivel for transmission of the ICSS networks. The Turret will normally incorporate a chain tension monitoring system.

    2.1.3 Hull Area

    The Hull Area comprises the accommodation block, cargo storage, transfer and offloading facilities, and Services Systems for the whole Production Unit. The Hull Area facilities typically consist of the following systems:

    Cargo
    Cargo handling system, which includes:
    cargo and ballast pump control
    Inert Gas / gas blanketing system
    Produced/slop water system

    Service systems typically include:
    Boilers and steam systems
    Steam turbine generators
    Service air system
    Instrument air system
    MDO and HFO service and transfer system
    Seawater service system
    Potable water
    Sewerage
    HVAC
    Bilge system
    Fire water pumps
    Emergency and Essential Generators

    Several Hull Service Systems will be black box package systems provided with local controllers (see ES45000 SJF92028 section 3.4.2). For the existing systems on vessel conversions, the extent of integration into the ICSS will be decided in the detailed engineering phase.

    2.2 ICSS SYSTEM ARCHITECTURE

    The Integrated Control and Safety System (ICSS) consists of:
    1. Human Machine Interface System
    2. Process Control System
    3. Process Safety System
    4. Fire and Gas / Emergency Shutdown System
    5. Interfaces with Package Unit Control Systems

    The ICSS system architecture, including redundancy requirements, is described in ES45000 SJF92028.

    3. ICSS MECHANICAL DETAILS SPECIFICATIONS

    The following sections contain the mechanical details on the panels which comprise the overall ICSS system.

    3.1 ICSS SYSTEM PANELS

    The system panels can be divided into indoor and outdoor panels. The panels shall be free from distortions and blemishes; the structure shall be such that they can be lifted into position with eye bolts without causing resultant distortion. Each panel shall be supplied with fixing holes to allow for secure fixing of the panel to the floor. Incoming and outgoing cables and all wiring in the panel shall be supported and run through grey plastic ducts with covers. In case of intrinsically safe field wiring, the cables must run through blue plastic ducts with protective cover.

    Panels shall be designed to protect internal electronics from Radio Frequency Interference.

    3.1.1 Environmental Conditions

    Requirements for environmental conditions for ICSS panels will be detailed in project-specific General Data and Conditions specifications.

    3.1.2 Indoor Panels

    The indoor panels shall be fitted with double doors at both front and rear. A mounting plate is fitted in the middle to separate the ICSS processor and I/O cards from the field terminations. The right-hand door of each panel is fitted with a key-lockable swing handle. A panel shall be fitted with removable eye bolts, for lifting the panel. The ingress protection shall be IP42, with the internals of the panel meeting IP20 (finger proof). Equipotential bonding (earth straps) shall be provided for all non-fixed surfaces, e.g. doors.

    Ventilation fans and grills shall be mounted on panel doors and provided per bay on the powered side of the panel. Installation on the side walls of panels is prohibited. All indoor panels shall be supplied with thermostats, wired into the ICSS to alarm high panel temperature. The panels shall also be supplied with adequate identification labelling internally and externally. All indoor panels shall be fitted with low profile lighting with an on/off switch fitted on the light itself. The panels and plinth are to be finished to the paint specification quoted in project documentation.

    Panels located in the indoor equipment rooms may have top or bottom entry for cables; this is to be specified in the project documentation. Panels with top entry shall be supplied with MCT cable transits for top entry, mounted on a 200 mm extension to the top of the panel to aid with the installation of cables. In the front of the panel shall be the ICSS processor and I/O cards and in the back shall be the marshalling.

    The supplier is responsible for the following:
    Complete panel design
    Stress calculation for lifting
    Heat dissipation calculation (maximum allowable internal temperature 30 degrees C)
    Certification as required on the project

    All cable trunking shall be sized so as not to be more than 60% full even if all spare I/O channels are used. All components within the panel shall be labelled both on the component and adjacent to the component, so that when replaced, the identification remains. A drawing pocket shall be located on the inside of all rear doors (termination side).

    All indoor panels, including server panels, shall be fitted with key-lockable door handles.

    3.1.2.1 Multiple-bayed Indoor Panels

    Where multi-bayed indoor panels require shipping breaks, all internal wiring through the shipping break (except for Profibus cables) shall be wired via terminals. This may include panel temperature measurements and commoned-up power supply fail contacts. 24V DC power supplies should be installed in all bays such that intra-panel 24V distributions are minimised.

    3.1.3 Outdoor Panels

    The outdoor panels are normally placed in a hazardous area classed as Zone 2. The material shall be ASTM 316L stainless steel, 2.5mm thick plate as a minimum, fitted with lockable double doors on the back and a key-lockable single door on the front. A mounting plate is fitted in the middle to separate the ICSS processor and I/O cards from the field terminations. The doors shall be fitted with key-lockable swing handles and door stoppers preventing the doors from opening past their intended design. The panel must be fitted with removable eye bolts, for lifting the panel. The ingress protection shall be IP56, with the internals of the panel meeting IP20 (finger proof). Equipotential bonding (earth straps) shall be provided for all non-fixed surfaces, e.g. doors. All fixtures, including nuts, bolts and washers, shall be A4-70 or A4-80 grade stainless steel. It is the responsibility of the Supplier to achieve the required class approval of the outdoor panels for use in the hazardous area zone as specified in the project documentation.

    Removable gland plates must be fitted for cable entry. Gland plates shall be strong enough to support the necessary glands and cables. The panels shall have mounting legs of 200 mm height to accommodate installation and glanding of cables. Panels shall be supplied with the required anti-vibration mats to be mounted between the panel and the deck. All panels shall be supplied complete with a cable mounting bar, located underneath the trunking, installed with sufficient clearance for cables to enter the trunking.

    Where pressurisation is relied upon to comply with hazardous area requirements, the panels shall be fitted with a purge control unit which shall be pre-certified to the international standard required by the project. The panel shall be fitted with an instruction label describing the operating procedure of the purging unit for safe operation. All required labels to identify the panel shall be supplied suitable for outside use.

    A Vortex cooler shall be provided; the supplier shall be responsible for a heat dissipation calculation ensuring that the panels are maintained at a maximum temperature of 35 degrees C. The cooler outlet into the panel shall be mounted in such a manner as to prevent any condensation or moisture that may come from the air system from coming into contact with the physical components of the control system. Ex-certified limit switches on the doors and a pressure switch for pressure loss shall be fitted and terminated to the ICSS, to be alarmed to the operator at the ICSS HMI.

    All outdoor panels shall be supplied with temperature transmitters, wired into the ICSS to alarm high panel temperature. The panels are finished to paint specification RAL 9003. In the front of the panel shall be the ICSS processor and I/O cards and in the back shall be the field I/O marshalling. All cable trunking shall be sized so as not to be more than 60% full even if all spare I/O channels are used. All components within the panel shall be labelled both on and adjacent to the components, so that when replaced, the identification remains. A drawing pocket shall be located on the inside of all rear doors (termination side).

    4. ICSS ELECTRICAL SPECIFICATIONS

    4.1 POWER SUPPLY AND DISTRIBUTION

    The incoming power supplies to the ICSS are two 220Vac, single phase, 60 Hz, floating feeders from the UPS system. The two incoming supplies must be converted to 24Vdc, which is connected to the 24Vdc distribution in the panel via O-diodes or redundancy modules. 24Vdc power supplies shall be adjustable up to at least 26V to allow for voltage drop across diodes, termination assemblies and field wiring. The 24Vdc shall be distributed via fuses. Power supplies shall be sized assuming all modules, including all spare I/O channels, are ICSS system-powered, and including a further 30% spare capacity. Power supply (220V AC) wiring shall run in a separate duct from the marshalling termination wiring, low voltage wiring and communication wiring. The 220 V AC terminals shall be covered with protective plastic covers with warning signs.

    4.1.1 Internal Panel 24Vdc Distribution: Redundancy

    Within each ICSS panel, independent redundant power supplies shall be provided for the PSS, FGS/ESD and the PCS system power (i.e. power for processor and I/O modules). For ICSS systems that require a field power supply to be applied to digital output circuits (usually to drive outputs greater than a certain power), independent redundant field power supplies shall be provided for PCS, PSS and FGS/ESD systems. These supplies shall be independent from the system power supplies. Thus a remote I/O panel containing PCS and PSS I/O racks, which require system and field power, will be fitted with a minimum of 8 power supply units: 2 PCS system, 2 PCS field, 2 PSS system and 2 PSS field. 24V DC field supplies to I/O modules shall be individually fused. 24V power to the field in 3 or 4 wire arrangements shall be fused per channel. All 24V power supplies (PCS system, PSS system, PCS field and PSS field) shall be monitored, and failure of any supply shall be alarmed at the ICSS HMI.

    4.1.2 AC and Other Power Distribution

    All ICSS equipment not supplied from the redundant 24Vdc supply shall be provided with redundant power, sourced from the UPS A and B systems. All such equipment, including PCs, monitors and Ethernet switches, shall be supplied with either:

    Dual internal power supplies, or
    A fast AC switch (e.g. APC type) which is fed from both UPS supplies.

    Where fast AC switches are used, for example to power computers, a minimum of 2 shall be installed such that a failure of the switch will not result in the loss of all loads.

    AC Power wiring shall be segregated from DC power and signal I/O wiring.

    4.2 EARTHING

    4.2.1 Panel Earth (PE)

    The panel earth is an earth connection for the electrical safety of the panel body and is required for all panels. Two 8mm stainless steel earthing bolts must be fitted on each panel. All earthing points on power supplies, racks, chassis, etc. shall be connected to the Panel Earth. The PE is also provided for the connection of the armouring of incoming field cables.

    4.2.2 Instrument Earth (IE)

    This is the instrument shield earth and shall be isolated from the panel earth. The panel shall be provided with an earthing bar adjacent to the field terminals with sufficient screws (including spares) for termination of the wires; with only one wire per connection.

    4.3 WIRING CODES AND STANDARDS

    The specifications for the internal wiring of the system are detailed below. System cable and internal wiring shall, where possible, be constructed using reduced flame propagation, non-toxic, low smoke type cable, which has an EMA or equivalent outer sheath. System cables and internal wiring must comply with IEC 60332-3 class A. The type of cable used shall be halogen free and have an outer sheath constructed from HFI 120 material.

    4.3.1 Wiring Sizes

    All wiring shall be terminated on terminals including screens and spare wires of cables. In general the following core sizes from power, earth and field cables are terminated in the ICSS panels. Space should be allowed accordingly:

    Cable function                 Core size
    220 VAC Power (phases)         6-16 mm2
    220 VAC Power (ground)         6-16 mm2
    Safety protection ground       6 mm2
    Instrument earthing            6 mm2
    IS earthing                    6 mm2
    Analogue input signals         0.75-1.5 mm2
    Analogue output signals        0.75-1.5 mm2
    Discrete input signals         0.75-1.5 mm2
    Discrete output signals        1.5-2.5 mm2

    Internal panel wiring for field I/O shall be no less than 0.5mm2, though system cables may be of smaller cross-section. Electrical power distribution shall be via appropriately sized cabling.

    4.3.2 Wire Colour Coding

    The wire colour code for internal wiring is detailed below:

    Wire function               Colour
    220Vac phase 1              Brown
    220Vac phase 2              Blue
    24Vdc                       Red
    5Vdc                        Orange
    0Vdc                        Black
    Field input                 Grey
    Field output                Grey
    Panel (dirty) earth         Green/Yellow
    Instrument (clean) earth    Green/Yellow
    Intrinsically safe earth    Green
    Intrinsically safe          Light blue

    4.3.3 Wire Identification

    All wires, including panel internal wiring (220V AC, 24Vdc, signal wiring and Ethernet cables/fibres), shall be fitted with wire identification at both ends. The identifier consists of a number of black characters on a non-shrinking type sleeve; it shall be possible to replace identifiers without removing wires.

    4.3.4 Terminations

    Terminals shall be Weidmuller types WTR (disconnect), WSI (fuse), WDU (feed through) or equivalent. It shall be possible to isolate all field terminations (fuse or disconnects) in order to allow point to point testing of field wiring. All fused terminals shall be provided with LED fuse failure indication. Stranded wires shall be terminated on terminals with crimped pins. Only one crimped wire pin per terminal, though a bridge/jumper between terminals is acceptable. Intrinsically safe terminals shall be segregated from other terminals and shall be coloured blue.

    4.4 INTRINSICALLY SAFE ISOLATION

    Intrinsically safe isolators shall be used for IS isolation; the use of barriers is prohibited.

    5. ICSS USER INTERFACE FUNCTIONAL REQUIREMENTS

    5.1 GRAPHICS

    The HMI monitors shall provide graphic displays with live process information. The ICSS shall have as a minimum the types of displays listed in this section. The graphic system shall incorporate facilities for the Purchaser to reconfigure these displays to meet changing operational requirements and to create and configure additional displays. In addition to any standard facilities, a hierarchical system is required which will allow fast access to any Process System graphic. Several means of navigation between graphics shall be provided. Refer to Instrument ICSS Graphics and Application Software Standard Specification, ES45000 SJF51004 for detailed graphic standards and conventions.

    5.1.1 Group Overviews

    Group overviews consist of the following types:
    Process overviews based on block diagrams or Process Flow Diagrams
    Fire and gas overview depicting the whole Production Unit
    Cause and effects overview: graphics block diagram providing navigation down to relevant cause and effect displays

    The primary purpose of this display is to provide the operator with an overview of the hierarchy of graphics and navigation.

    5.1.2 Process Systems Operation

    These are the main level of graphics the operator will be using day to day, and consist of:

    Process graphics based on simplified P&IDs, combined to depict sufficient detail for operation. The operator can select plant items such as motors and valves and operate these devices via faceplates.
    Package Unit monitoring graphics: repeat of key performance indicators from Package Unit control systems
    Fire and gas layout graphics depicting the physical layout of fire zones and positions of detectors
    Fire and gas process graphics depicting fire pumps, water and foam systems, dampers and isolations
    Electrical one line diagrams
    Cause and effects diagrams based on C&E sheets
    Special graphics: override summaries, ICSS panel displays, shutdown valve summaries, etc.
    System Status displays, displaying the status of all ICSS components from servers to processors and I/O cards

    In addition to the above list of process system graphics, an alarm summary is provided to the operator (see section 5.2.5 below).

    5.1.3 Detail Displays

    All Process system graphics shall have associated operator trend displays displaying historical data associated with the plant.

    5.1.4 Faceplates

    All standard symbols on graphics depicting devices such as transmitters, motors and valves have associated operation faceplates. These faceplates pop up when selected via the trackball. Faceplates provide the operator with the capability of operating the device, and changing parameters associated with it, depending on the operator's login privileges. Refer to section 5.4. Refer to ES45000 SJF51002 for documentation of all standard symbols and faceplates.

    5.2 ALARMS

    5.2.1 Alarm Occurrence

    Alarms shall be initiated in accordance with conditions and limits as specified in the Alarm and Trip summaries. Every alarm initiated by the application software or system shall be displayed on operator alarm summaries, unless shelved, see section 5.2.7 below. When an alarm is detected the following shall occur:

    An audible alarm shall be initiated in the appropriate control room.
    Associated graphical elements on a display will flash for active alarms that are not yet acknowledged.
    An alarm status change shall be recorded in the system alarm log file.
    The alarm will appear on the allocated operator station alarm page(s).
    The alarm will appear on the operator station alarm banner.

    5.2.2 Alarm Acknowledgement

    The operator shall be required to accept alarms individually via the associated process display or individually and globally on the alarm summary.

    5.2.3 Alarm Types

    In addition to process alarms specified in the project P&IDs and Alarm and Trip summaries, the following alarms shall be included. System alarms, alerting the operator to the failure of an ICSS component as detected by system diagnostics, shall include:

    Failure of any module of ICSS hardware (processors, communications modules and I/O modules)
    Failure of the ICSS network hardware, tag servers (if applicable), power supplies
    Input or output bad quality / out of range

    5.2.4 Alarm Groups

    The ICSS alarms shall be structured by plant hierarchy, enabling the operator to filter alarms by plant area.

    5.2.5 Alarm Summary Display

    Alarms shall be displayed on the alarm summaries as follows:

    Alarms shall be listed in chronological order, the most recent at the top.
    Alarms shall be listed with date and time, source tag, description, plant area (group).
    Each alarm page shall display up to 50 alarms at one time, with a maximum total of 1000 alarms which may be viewed by simply paging down through the alarm list.
    It shall be possible to display alarms associated with one group; for example to display only system alarms.

    The ICSS alarm management system shall allow the operator to view alarms in the following formats:

    Incoming alarm list - all un-acknowledged incoming alarms
    Acknowledged alarm list - all acknowledged active alarms
    Outgoing alarm list - alarms which have returned to normal

    5.2.6 Alarm Prioritisation

    Alarms shall be prioritised in order to assist the operator in recognising the severity or speed of response required for each alarm condition. Process alarms are grouped into the following three priorities:

    High: Emergency or critical alarm requiring an immediate response. E.g. high level gas detected

    Medium: Hazard preventive or warning alarm, requiring a quick response. Typically a medium priority alarm, if not acted upon, can subsequently result in a high priority alarm.

    Low: Process message alarm requiring attention. Typically equipment failure alarms.

    Two additional alarm priorities are incorporated, for maintenance and system alarms:

    Maintenance alarm: MOS or OOS activated
    System alarm: malfunction or failure of an ICSS system component (as detected by system diagnostics)

    The graphical representation of alarms is described in ES45000 SJF 51002 Instrument ICSS HMI Standard Specification.

    5.2.7 Alarm Shelving

    There shall be a facility provided on the ICSS to allow nuisance alarms to be temporarily removed from the main alarm summary and diverted to a separate alarm summary.
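    The alarm handling behaviour required across sections 5.2.1 to 5.2.7 (status-change logging, individual and global acknowledgement, plant-area filtering, the incoming/acknowledged/outgoing lists in chronological order, 50-row pages with a 1000-alarm ceiling, the five priorities and shelving to a separate summary) can be exercised as one small model. The Python below is an added example written for this page; it is not code from the standard or from any ICSS vendor. Tag names, plant-area names and the integer timestamps are constructed sample values, and the in-memory `log` list stands in for the system alarm log file.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional

PAGE_SIZE = 50       # alarms shown per summary page (section 5.2.5)
MAX_SUMMARY = 1000   # maximum alarms retained in a summary (section 5.2.5)


class Priority(Enum):
    HIGH = "High"                # emergency/critical, immediate response
    MEDIUM = "Medium"            # hazard preventive/warning, quick response
    LOW = "Low"                  # process message, typically equipment failure
    MAINTENANCE = "Maintenance"  # MOS or OOS activated
    SYSTEM = "System"            # ICSS component failure reported by diagnostics


@dataclass
class Alarm:
    time: int              # constructed timestamp (seconds) used only for ordering
    tag: str               # source tag (constructed sample values below)
    description: str
    group: str             # plant area, the filter key of section 5.2.4
    priority: Priority
    acknowledged: bool = False
    active: bool = True    # False once the condition has returned to normal
    shelved: bool = False  # diverted to the separate shelved summary (section 5.2.7)


class AlarmSummary:
    """Alarm lists, acknowledgement, shelving and paging per sections 5.2.1 to 5.2.7."""

    def __init__(self) -> None:
        self._alarms: List[Alarm] = []
        self.log: List[str] = []  # every alarm status change is recorded here (5.2.1)

    def _record(self, alarm: Alarm, event: str) -> None:
        self.log.append(f"{alarm.time} {alarm.tag} {alarm.priority.value} {event}")

    def raise_alarm(self, time: int, tag: str, description: str, group: str,
                    priority: Priority) -> Alarm:
        alarm = Alarm(time, tag, description, group, priority)
        self._alarms.append(alarm)
        self._record(alarm, "ALARM")
        if len(self._alarms) > MAX_SUMMARY:      # keep only the 1000 most recent
            self._record(self._alarms.pop(0), "DROPPED")
        return alarm

    def _active(self, tag: str) -> Alarm:
        for alarm in reversed(self._alarms):
            if alarm.tag == tag and alarm.active:
                return alarm
        raise KeyError(f"no active alarm for {tag}")

    def acknowledge(self, tag: str) -> None:
        """Individual acknowledgement from the process display or summary (5.2.2)."""
        alarm = self._active(tag)
        alarm.acknowledged = True
        self._record(alarm, "ACK")

    def acknowledge_all(self, group: Optional[str] = None) -> int:
        """Global acknowledgement from the alarm summary, optionally for one group."""
        count = 0
        for alarm in self._alarms:
            if alarm.active and not alarm.acknowledged and (group is None or alarm.group == group):
                alarm.acknowledged = True
                self._record(alarm, "ACK")
                count += 1
        return count

    def return_to_normal(self, tag: str) -> None:
        alarm = self._active(tag)
        alarm.active = False
        self._record(alarm, "RTN")

    def shelve(self, tag: str, shelved: bool = True) -> None:
        """Move a nuisance alarm to (or back from) the separate shelved summary."""
        alarm = self._active(tag)
        alarm.shelved = shelved
        self._record(alarm, "SHELVED" if shelved else "UNSHELVED")

    def _select(self, keep: Callable[[Alarm], bool], group: Optional[str],
                shelved: bool) -> List[Alarm]:
        rows = [a for a in self._alarms
                if keep(a) and a.shelved == shelved and (group is None or a.group == group)]
        return sorted(rows, key=lambda a: a.time, reverse=True)  # most recent at the top

    def incoming(self, group=None, shelved=False) -> List[Alarm]:
        return self._select(lambda a: a.active and not a.acknowledged, group, shelved)

    def acknowledged(self, group=None, shelved=False) -> List[Alarm]:
        return self._select(lambda a: a.active and a.acknowledged, group, shelved)

    def outgoing(self, group=None, shelved=False) -> List[Alarm]:
        return self._select(lambda a: not a.active, group, shelved)

    def page(self, number: int, group=None, shelved=False) -> List[Alarm]:
        """One 50-row page of the chronological summary, page 1 being the newest."""
        rows = self._select(lambda a: True, group, shelved)
        start = (number - 1) * PAGE_SIZE
        return rows[start:start + PAGE_SIZE]

    def audible_required(self) -> bool:
        """True while an unacknowledged, unshelved alarm is outstanding (control room horn)."""
        return any(a.active and not a.acknowledged and not a.shelved for a in self._alarms)
```

    Shelving is deliberately a separate flag rather than deletion: a shelved alarm still changes state, is still logged, and is still visible in the shelved summary, so a standing nuisance alarm cannot silently hide a real one. The `log` list gives the reviewer the full ordered history of ACK, RTN and shelving actions that the system alarm log file is required to hold.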

    5.3 REAL TIME AND HISTORICAL TRENDS

    5.3.1 Real Time Trends

    Real time trending of up to 100 configurable trends per operator station is required with a selectable sampling frequency down to 1 second. Real-time trends shall be included in operator faceplates, and operator-configurable trend displays.

    5.3.2 Historical Trends

    Historical data shall be stored on-line for a minimum of 3 months, at sampling intervals of between 5 seconds and 10 seconds, as specified in the project documentation. The historian shall be sized to store all of the following I/O for the above duration:

- All PID controller set points
- All hardwired analogue inputs
- All analogue signals from Package Control systems interfaced with the ICSS

    Exception is made for the (free-issued) Subsea system which is expected to be equipped with historian capability.

40% spare capacity shall be included in the licensing and hardware design. The facility shall be provided to make back-ups of the data, typically to DVD or tape. It shall be possible to view historical trends from any HMI operator workstation.

    5.4 SECURITY AND INTEGRITY

    To prevent unauthorised use of the ICSS it shall be configured for the access levels as specified below. Access shall be controlled via user login / password. Activities for which only supervisor and engineer have authorisation are typically accessed via graphical faceplates. Engineer only authorisation is typically for system parameter changes, or changes to application software from the Engineering Workstation.

Function                                             L1   L2   L3   L4
Designated level title (Notes 1,2)                   Gu   Op   Su   En
Graphics
  - Access and view                                  Yes  Yes  Yes  Yes
  - Modify or create                                 No   No   No   Yes
Valve operation
  - Open / close                                     No   Yes  Yes  Yes
  - Change travel alarm time                         No   No   Yes  Yes
Motor operation
  - Start / stop                                     No   Yes  Yes  Yes
  - Change feedback alarm time                       No   No   Yes  Yes
PID Controller
  - Mode change                                      No   Yes  Yes  Yes
  - Set point change                                 No   Yes  Yes  Yes
  - Tuning parameters                                No   No   Yes  Yes
  - Alarm level change (incl. PV/SP deviation
    or rate of change if configured)                 No   No   Yes  Yes
Sequences
  - Start / stop                                     No   Yes  Yes  Yes
  - Change parameters such as timers                 No   No   No   Yes
Alarms
  - Acknowledge                                      No   Yes  Yes  Yes
  - Change alarm setpoints                           No   No   Yes  Yes
Shutdown logic
  - Apply / remove MOS (Note 3)                      No   Yes  Yes  Yes
  - Apply / remove OOS                               No   Yes  Yes  Yes
  - Change OOS timer                                 No   Yes  Yes  Yes
  - Change trip level                                No   No   No   Yes
Trends (real time)
  - Add / delete                                     No   Yes  Yes  Yes
  - Add / delete variables to trend                  No   Yes  Yes  Yes
  - Change vertical scale or time scale              No   Yes  Yes  Yes
Fixed Trend displays (historical)
  - Add / delete                                     No   No   No   Yes
  - Add / delete variables to trend                  No   No   No   Yes
  - Change vertical scale or time scale              No   Yes  Yes  Yes
Reports
  - Print reports                                    No   Yes  Yes  Yes
  - Change reports                                   No   No   No   Yes
Input / output
  - I/O force to value                               No   No   No   Yes
Calculations
  - Add new                                          No   No   No   Yes
  - Change parameters                                No   No   No   Yes
System configuration
  - Access to Windows environment on HMI clients     No   No   No   Yes
  - Download software to controllers                 No   No   No   Yes

Notes
1. Gu = Guest, Op = Operator, Su = Shift Supervisor, En = Engineer.
2. Access level L1 is the lowest level, L4 is the highest level.
3. MOS application subject to keyswitch, refer to SJF92028 section 4.5.1.

Operator logins should be provided, as a minimum, for the following operator groups:

- Topsides
- FGS/ESD
- Hull service systems (Marine ECR for FPSOs)
- Cargo handling and storage
- Supervisor
- Engineer / administrator

    Each operator group will only have access to the graphics relevant to its plant area. The alarm banner shall be filtered to only display alarms relevant to the plant area.
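The access control model of section 5.4 (hierarchical levels L1 to L4, default deny, the MOS keyswitch interlock of Note 3, and operator groups restricted to their plant area) as an added Python example; this is illustrative code, not the ICSS's own authorisation mechanism. The function names in MIN_LEVEL are a constructed subset of the table above, and the audit record is an assumed addition.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Designated access levels; L1 is the lowest and L4 the highest (Note 2)."""
    GUEST = 1        # Gu
    OPERATOR = 2     # Op
    SUPERVISOR = 3   # Su
    ENGINEER = 4     # En


# Lowest level at which each function is permitted, taken from the table above.
# Anything not listed is denied (default deny). Names are illustrative, not ICSS identifiers.
MIN_LEVEL = {
    "graphics.view": Level.GUEST,
    "graphics.modify": Level.ENGINEER,
    "valve.open_close": Level.OPERATOR,
    "pid.setpoint": Level.OPERATOR,
    "pid.tuning": Level.SUPERVISOR,
    "alarm.acknowledge": Level.OPERATOR,
    "alarm.setpoint": Level.SUPERVISOR,
    "shutdown.mos": Level.OPERATOR,        # Note 3: additionally subject to keyswitch
    "shutdown.trip_level": Level.ENGINEER,
    "io.force": Level.ENGINEER,
    "system.download": Level.ENGINEER,
}
KEYSWITCH_REQUIRED = {"shutdown.mos"}


@dataclass
class Session:
    user: str
    level: Level
    plant_areas: frozenset      # areas this operator group may see; empty = all areas
    audit: list = field(default_factory=list)   # every decision, for later review (assumed)


def authorise(session, function, plant_area=None, keyswitch_on=False):
    """Return True if the logged-in user may perform `function` on `plant_area`."""
    required = MIN_LEVEL.get(function)
    if required is None:
        verdict, reason = False, "unknown function (default deny)"
    elif session.level < required:
        verdict, reason = False, f"requires L{int(required)}, user has L{int(session.level)}"
    elif function in KEYSWITCH_REQUIRED and not keyswitch_on:
        verdict, reason = False, "MOS keyswitch not enabled (Note 3)"
    elif session.plant_areas and plant_area not in session.plant_areas:
        verdict, reason = False, f"{plant_area} is outside the operator group's plant area"
    else:
        verdict, reason = True, "permitted"
    session.audit.append((session.user, function, plant_area, verdict, reason))
    return verdict


def visible_alarms(session, alarms):
    """Filter the alarm banner to the plant areas relevant to the operator group.
    `alarms` is a list of (tag, plant_area) pairs."""
    return [a for a in alarms if not session.plant_areas or a[1] in session.plant_areas]
```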


    6. ICSS HARDWARE REQUIREMENTS

    The minimum mechanical details and electrical specifications are described in sections 3 and 4 of this document.

    6.1 HUMAN MACHINE INTERFACE

    6.1.1 Operator Workstation (HMI Clients)

The operator interface shall be by standard supplier designed operator stations with full colour graphics and access to all aspects of the process and control system required as per the applicable levels of security. Pointing devices (trackball) shall be provided. Failed operator stations shall be isolated from the communications highway for repair or replacement to take place. This shall be done on-line without affecting the use of any of the other operator stations, or interruption to the communication highway. Operator Workstations shall be furnished with 24" widescreen monitors, with 1920x1200 resolution minimum.

    6.1.2 Engineers Station

The functions of the Engineers (maintenance) Workstation (EWS) are as follows:

- Access the I/O database for additions / modifications
- Access to the application software for modifications
- Back-up the application software, and I/O database (if applicable) to a back-up facility such as a tape streamer or DVD
- Run diagnostics routines
- Load new version of the application software
- Copy and merge files
- Maintenance on clients, servers and networks

    6.1.3 PC Specification: Servers and Clients

    The engineering workstation, tag servers and historian are as a minimum to be supplied with RAID 1 mirrored hard disks. All PCs are to be supplied with sufficient RAM to run all system software. Hard disks shall be sized adequately to store system data (such as log files). Historian hard disks shall be sized for the quantity of historical data required by SJF 92028. All PCs (clients, servers, EWS) are to be located in server panels.

    6.1.4 FGS Display

For incident control there shall be a large monitor, minimum 30" widescreen (1920x1200 pixels), dedicated to the FGS overview.


    6.1.5 Tag Servers: Interfaces HMI/Control

    Tag servers (or equivalent interface between the processors and the HMI) shall be sized for the I/O count specified plus a minimum of 30% capacity for future expansion.

    6.1.6 Networks

    All networks shall have sufficient capacity to ensure that even during plant upsets, there is no significant reduction in communication rates.

    6.2 CONTROL AND SAFETY HARDWARE

    All ICSS safety system hardware shall be certified for use in SIL3 applications (certain configurations may apply for SIL3). Given the application of outdoor remote I/O or processor panels, all control and safety hardware, including necessary communications modules, shall be certified for use in zone 2 applications as per IEC60079.

    6.2.1 Processors

Where processor redundancy is included, a failed standby processor may be exchanged on-line without affecting the running (duty) processor. On loss of system power to the processors, the following requirements shall be met:

- Processors shall be provided with the capability (such as battery back up) to store volatile data during power loss. This capacity should be sufficient to maintain that data for a minimum of ninety days.
- All other control modules, such as ethernet switches, shall retain system configuration, and shall not require manual intervention to initialise.
- System software and licences shall be retained within the ICSS.
- All processor source application software shall be retained within the ICSS.
- The ICSS shall restart its normal functioning automatically.

On processor start-up following a loss of system power:

- Any normal start-up diagnostic shall run.
- Manual intervention to initialise processors or I/O modules should not be required.
- All auto / manual switching elements and other key functions shall adopt a predefined mode (normally manual) as required for the application.
- All sequences etc. shall move to a predefined hold state as required by the application.

Software changes should be possible on-line, under controlled security, without requiring a shutdown of the process. It is recognised that some changes, in particular to safety software, are not permitted on-line.

    6.2.2 Processor Loading

The Processor application software size shall be such that 30% spare memory is available for future program expansion. In addition, there shall be sufficient memory to allow the program to run (without affecting I/O scanning, communications or diagnostics) even when 30% more I/O and associated application software is added. If the manufacturer recommends greater spare memory requirements, these shall apply. Processor cycle times shall be set to ensure that when higher priority activities such as scanning I/O and executing application software are complete, there is sufficient free time for the processor to execute system diagnostics, communications (to other processors and HMI) and other activities such as intercommunications from the running duty processor to the standby processor.

    6.2.3 I/O Modules Requirements

    I/O modules of the system shall meet the following requirements:

- Accuracy: 1% of full scale across entire temperature range
- Resolution: 12 bits minimum
- Linearity: 0.1% (with reference to input range)
- Repeatability: 0.05% (in steady state condition at 25 °C with reference to input range)
- Electrical isolation: as a minimum between the I/O channels and the backplane bus
- Temperature operating range: 0-60 °C

    Failed I/O modules shall be exchanged with healthy modules on-line with only the loss of those channels allocated to that card. No other module in that rack, any other rack or enclosure shall be affected.

    6.2.4 I/O Module Types

    The I/O cards communicate with the Processor to execute control and logic functions via the I/O bus. I/O signal types are as follows:

Signal Type       Requirements                                            Comments
Analogue input    4-20mA system powered, 2 wire                           Typically field transmitter (including temperature transmitter)
Analogue input    0-20mA field powered, 3 wire (24V, common and signal)   Flame, gas and smoke detectors; signal range 1-4mA used for diagnostics
Analogue Output   4-20mA system powered                                   Typically I/P converters
Digital Input     Volt-free contacts, system powered                      Typically switches or relay contacts; also inductive proximity switches
Digital Output    24V dc, system powered, 5W minimum                      Low power solenoids: typically < 5W
Digital Output    24V dc, system powered, 10W minimum                     High power solenoids

    In general the field equipment is flame proof (Ex-d), though there will be some intrinsically safe instrumentation.


    Features to detect open and short circuit in I/O circuits shall be provided for Fire and Gas (energise to trip) outputs. All cards shall be capable of being applied in redundant I/O card architectures.

    6.2.5 Capabilities For Other Interfaces

The ICSS shall be capable as a minimum of interfacing with other PES/PLC systems via:

- Modbus RTU (RS485 or TCP/IP)
- OPC-DA

    6.2.6 Future Expansion Capability

    10% installed spare of each I/O type shall be provided per panel at the time of handover to the operating company. All channels, whether used or spare, shall be wired to terminals. 10% spare I/O slots should be included per system.

    6.2.7 Electromagnetic Compatibility (EMC)

    All control and safety hardware shall have undergone supplier EMC testing to confirm its immunity to electromagnetic interference. All hardware shall have certification to EU directive 2004/108/CE (previously 89/336/EEC) or equivalent.


    7. ICSS APPLICATION SOFTWARE REQUIREMENTS

    The ICSS user interface functional requirements are described in section 5.

    7.1 APPLICATION SOFTWARE DEVELOPMENT

    The application software is developed during the detailed design phase of the project and consists of:

- I/O implementation
- Process control logic: PID control, motor control, on/off valve control, monitoring
- Safety logic: cause and effects logic

The application software shall utilise the Purchaser's standard function blocks to provide the required logic functions, in accordance with the Purchaser's requirements. The function blocks shall not be modified or customised as part of the project without written permission from the Purchaser. This is both for reasons of consistency throughout the project and to facilitate future library upgrades if required. The Purchaser's standard function block library is documented in detail in document reference ES45000 SJF51003 Instrument ICSS Software Function Block Standard Specification.

Application software shall be primarily developed using function block language (as defined by IEC 61131 part 3). Function block is preferred because of the ease of understanding, both by other software engineers during the project design and commissioning, and by the ICSS technician during the Production Unit's operation. Ladder logic is allowed, but Instruction List, Structured Text and Sequential Function Chart shall only be used for specific applications where function block is not appropriate.

    7.2 GRAPHICS DEVELOPMENT

Graphics shall be developed as specified by the Purchaser in the design documentation. The Purchaser's library of standard symbols and faceplates shall be utilised. These symbols and faceplates shall not be modified or customised without the permission of the Purchaser. This is both for reasons of consistency throughout the project and to facilitate future library upgrades if required. The Purchaser's library of standard symbols and faceplates is documented in detail in document reference ES45000 SJF51002 Instrument ICSS HMI Standard Specification. Refer to Instrument ICSS Graphics and Application Software Standard Specification, ES45000 SJF51004, for detailed graphic standards and conventions.

    7.3 SOFTWARE QUALITY

    The software integrator shall demonstrate rigorous software management of change procedures. These shall encompass logging of each revision of design documentation received, cross referenced with revision control of source files for application software, graphics or databases updated. These are particularly important to trace work done post FAT.


    Application software, graphics and other system configuration files shall be backed up daily. Daily backups shall be stored on a machine other than the Engineering Station. Weekly backups shall be kept either in a diverse location (not the same building) or in a secure safe. All backups shall be logged, with recorded revisions which cross-reference with the management of change system. Weekly backups shall be retained until the end of the project, i.e. final system handover after first oil production.

    7.4 SOFTWARE CONFIGURATION REQUIREMENTS

The application software shall be clearly structured by plant area. Software shall be clearly annotated with notes where possible to allow other software engineers to interpret and understand the software's function. Clear, simple, uncomplicated application software shall be considered best practice. Fully or partially unused logic shall be removed, and overcomplicated or difficult to interpret logic shall be avoided. Unnecessary one (or more) cycle delays due to the incorrect execution order of software shall be avoided. Software shall be structured such that the execution order is self-evident. Software shall be consistently configured from one processor to another; identical control logic shall be implemented to achieve the same functionality wherever possible. All trip logic shall be written such that within the processor, 0 = trip, 1 = healthy. All unused software blocks, including unused communications blocks, shall be deleted.

    7.4.1.1 Processor Task Scheduling

    The processor should be structured such that all code is executed in one cycle wherever possible; that is I/O scanned, and logic executed in the same cycle. Where tasks can be scheduled to run at different processor cycle rates, the following guidelines shall apply to processor cycle times:

- Fast control loops (typically pressure and flow): 1 second
- Slow control loops (typically temperature and level): 2 seconds
- Motor start/stop: 1 second
- Monitoring and alarming: 2 seconds
- Sequences: 2 seconds

    The task scheduling of safety functions shall be as per the response time specified in C&E and other project design documentation. Note: the mandatory speed of response requirements for the ICSS are documented in ES45000 SJF92028 section 5.3.5.

    7.5 PEER TO PEER COMMUNICATIONS

    In designing any control system, every effort should be made to minimise the amount of information that has to be communicated between processors. Every effort should be made to hard wire any I/O signals that are required to accomplish the specific control function directly from the logic solver executing the process control logic to the corresponding field device.


When using a communications link for transfer of data between two processors, such communication configuration logic shall be configured in a separately identifiable program area in the processors. This will assist with diagnosis of any communication problems, if and when they occur.

Peer to peer communications shall be direct from the source processor to the destination; one signal shall not pass via an intermediate processor as this results in a further point of failure. Variables may only be read from one processor; they may not be written, as this provides the possibility of blocks writing to the same memory location, overwriting one another. All peer to peer communications blocks shall be clearly annotated with the source/destination of the communications.

Processor to processor communication must take place in a closed networked system. The requirement to keep the network closed provides the best mechanism for minimising system degradation over time. When using a communications link for process control signal data transfer, the responsible control engineer must understand the communications link speed of response.

The following table indicates whether peer to peer data should be configured to be fail-safe or fail-reliable. See notes 1 and 2 below for the requirements of fail-safe and fail-reliable communications.

Signal Type / Data Transmission Basis / Comments

- Secondary Variables including Pressure and Temperature for Flow Compensation: Fail-Reliable (Note 2). Loss of these signals should allow the process to continue in a stable mode.
- Keylock Permissive or authorisation (security switches), e.g. MOS authorisation: Fail-Safe (Note 1). In the event of a loss of communications, the authorisation can no longer be confirmed.
- Equipment Permissive (usually a start permissive): Fail-Safe (Note 1). To avoid starting a device when its permissive is lost. The intent is to discover and resolve communication problems before starting a device.
- Primary Control Variable (e.g. for PID controller): Shall be hardwired. The delay imposed by peer to peer communication of a PV will adversely affect the control loop.
- Digital shutdowns / interlocks: Fail-Safe. All digital shutdown initiators and actions shall be fail safe. This can mean either hardwiring, or the use of fail-safe communications.
- Analogue trip initiators: Shall be hardwired. Analogue variables, representing safety transmitters, shall be hardwired to the processor executing the safety logic.

Notes
1. Fail-Safe communication configuration shall imply that on Loss of Communication Status, a fail-safe value (zero) shall be substituted for the signal being communicated. Loss of Communication Status shall be generated on the loss of communication or a data read error for a predetermined time period between two communicating logic solvers. Refer to ES45000 SJF92028 section 4.8.1 for the required time-out period. An alarm shall also be generated to indicate Loss of Communication Status.
2. Fail-Reliable communication configuration shall imply that on Loss of Communication Status, the signal will hold its last good value and an alarm shall be generated to indicate Loss of Communication Status. A Loss of Communication Status shall be generated on the loss of communication, or a data read error for a predetermined time period (typically 5 seconds), between two communicating logic solvers.
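The receiving side of a peer to peer signal under Notes 1 and 2, as an added Python model (illustrative code, not the logic solver's own communications blocks): read errors are timed, Loss of Communication Status is raised once the predetermined period expires, a fail-safe signal is then substituted with zero (0 = trip, consistent with 7.4) while a fail-reliable signal holds its last good value, and an alarm is generated. The 2 second fail-safe time-out used in the test is a constructed placeholder (the real value comes from SJF92028 section 4.8.1); clearing the status when good data returns is an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum


class Basis(Enum):
    FAIL_SAFE = "Fail-Safe"          # Note 1: substitute zero on Loss of Communication Status
    FAIL_RELIABLE = "Fail-Reliable"  # Note 2: hold last good value on Loss of Communication Status


@dataclass
class PeerSignal:
    """Receiving end of one peer to peer signal in the destination logic solver."""
    source: str                 # annotation of the source processor / tag (7.5)
    basis: Basis
    timeout_s: float            # predetermined period before Loss of Communication Status
    value: float = 0.0          # value presented to the application logic
    last_good: float = 0.0
    error_time_s: float = 0.0   # duration of the current run of read errors
    loss_of_comm: bool = False
    alarms: list = field(default_factory=list)

    def scan(self, dt_s, reading):
        """One processor cycle: `dt_s` is the cycle time, `reading` the value read
        from the source processor, or None on a read error / no response."""
        if reading is not None:
            self.error_time_s = 0.0
            self.last_good = reading
            self.loss_of_comm = False       # status clears when good data returns (assumption)
            self.value = reading
            return self.value
        self.error_time_s += dt_s
        if self.error_time_s >= self.timeout_s and not self.loss_of_comm:
            self.loss_of_comm = True
            self.alarms.append(f"{self.source}: Loss of Communication Status")
        if self.loss_of_comm and self.basis is Basis.FAIL_SAFE:
            self.value = 0.0                # 0 = trip / permissive no longer confirmed
        else:
            self.value = self.last_good     # fail-reliable, or a transient error still inside the time-out
        return self.value


def run(signal, dt_s, readings):
    """Feed a sequence of per-cycle readings and return the values seen by the logic."""
    return [signal.scan(dt_s, r) for r in readings]
```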

    7.6 FORCED VARIABLES

    The facility to force variables, inputs or outputs may be available to the ICSS maintenance engineer and shall be controlled by security access. All forced variables shall be revealed in a clear operator display. The forcing of variables should normally be avoided in operation.

    7.7 SYSTEM DIAGNOSTICS

    The ICSS shall incorporate comprehensive self-diagnostics so that permanent and transient faults are identified, located and reported to operator. All diagnostics shall be performed automatically on-line, without disturbing the process or affecting the performance of the processors. The system diagnostics shall cover as a minimum:

- SIS I/O module and channel failure alarms
- PCS I/O module failure alarms
- I/O Bus and communication failure alarms
- Redundancy failure alarms: failure of redundancy of servers, processors, I/O modules, etc.
- Processor power supply failure, or back-up battery failure
- Processor loss of communications with other processors or servers


    8. SYSTEM TESTING

    ICSS testing