8/9/2019 Norsok Safety and Automation System
1/21
NORSOK STANDARD
COMMON REQUIREMENTS
SAFETY AND AUTOMATION SYSTEMS (SAS)
I-CR-002 Rev. 1, December 1994
Safety and Automation Systems (SAS) I-CR-002 Rev. 1, December 1994
NORSOK Standard 1 of 20
CONTENTS
1. FOREWORD 2
2. SCOPE 2
3. NORMATIVE REFERENCES 2
4. DEFINITIONS AND ABBREVIATIONS 2
4.1 Definitions 2
4.2 Abbreviations 4
5. FUNCTIONAL REQUIREMENTS 5
5.1 Control levels, distribution 5
5.2 SAS functions 6
5.3 Package integration and categorising 9
5.4 Man machine interface 10
5.5 Process and system alarms, events 12
5.6 Programming 13
6. SYSTEM REQUIREMENTS 14
6.1 Hardware 14
6.2 Software 15
ANNEX A GUIDELINE FOR TESTING 16
ANNEX B GUIDELINES FOR TIME RESPONSE 18
1 FOREWORD
This standard has been developed by the NORSOK Standardisation Work Group.
2 SCOPE
This standard covers functional and technical requirements and establishes a basis for engineering related to Instrument Control and Safety System Design. This standard shall be used together with I-CR-001, Field Instruments, and I-CR-003, Installation of electrical, instrument & telecommunication. It is the companies' aim to utilise system vendors' standards in order to achieve the most cost-effective solution, also considering LCC.
3 NORMATIVE REFERENCES
ISO 10418 Recommended practice for analysis, design, installation and testing of basic surface safety systems on offshore production platforms.
EN 50081-2 Electromagnetic compatibility generic emission standard.
EN 50082-2 Electromagnetic compatibility generic immunity standard.
4 DEFINITIONS AND ABBREVIATIONS
4.1 Definitions
SAS SAS is defined as the overall Safety and Automation System. SAS performs monitoring, logic control and safeguarding of a plant. SAS comprises all control equipment as a total, integral concept, either from one vendor or acquired from several sources. Subsystems made as stand-alone units communicating through custom made serial links are also considered as part of SAS. System Topology Principles as shown in figure 1 are applicable independent of the SAS size and complexity.
Figure 1 Typical SAS Topology
SAS unit A SAS unit consists of a CPU with associated equipment such as I/O racks and cards, bus communication, power supplies, signal conditioning units and termination facilities for field cables. Operator stations and gateways are also considered as SAS units.
Inhibit The inhibit function disables the action of the input signal; however, the alarm will still be displayed.
Override The override function sets the output signal to a predefined position, independent of changes in logic status.
Suppression of alarm A suppression function disables the alarm while the signal action is maintained.
Alarm filtering Alarm filtering is a suppression of secondary alarms.
PDS PDS is a reliability/availability calculation procedure available from SINTEF.
4.2 Abbreviations
ANSI American National Standard Institute
API American Petroleum Institute
CCR Central Control Room
CPU Central Processing Unit
DnV Det norske Veritas
ESD Emergency Shut-Down (System), including Process Depressurisation
F&G Fire and Gas
FAT Factory Acceptance Test
FB Function Block
FWP Fire Water Pump
HVAC Heating Ventilation and Air Conditioning
IEC International Electrotechnical Commission
IFEA Industriens Forening for Elektroteknikk og Automasjon (The Association for Electrotechnic and Automation in Industry)
IMS Information Management System
ISA Instrument Society of America
ISO International Standard Organisation
LED Light Emitting Diode
LER Local Equipment Room
MCC Motor Control Centre
MMI Man-Machine Interface
NDE Normally de-energised
NE Normally Energised
NPD Norwegian Petroleum Directorate
OLF Oljeindustriens Landsforbund
OS Operator Station
PCS Process Control System
PDCS Power Distribution Control System
PDS Pålitelighet av datamaskinbaserte sikkerhetssystemer (reliability of computer based safety systems)
PSD Process Shut-Down (System)
RIO Remote Inputs/Outputs
RTD Resistance Temperature Device
SINTEF Stiftelsen for Industriell og Teknisk Forskning ved Norges Tekniske Høyskole (The Foundation for Scientific and Industrial Research at the Norwegian Institute of Technology)
T/C Thermo Couple
SAS Safety and Automation System
UPS Uninterrupted Power Supply
VDU Visual Display Unit
LCC Life Cycle Cost
5 FUNCTIONAL REQUIREMENTS
5.1 Control levels, distribution
The main high speed communication bus shall always be redundant. Each SAS unit shall be connected to both buses.
5.1.1 Area related distribution
The area related distribution as described below is considered as a guideline and shall not exclude alternative solutions and combinations.
ESD
I. Shall be located in room safe by location.
II. Shall be centralised, in vicinity of CCR.
III. RIOs may be used.
F&G
I. Shall be located in rooms safe by location.
II. May be distributed and/or centralised.
III. Addressable detectors (field bus) and RIOs may be used.
PCS
I. Should be located in rooms safe by location.
II. May be distributed and/or centralised.
III. Instrument field bus and RIOs may be utilized.
IV. Field bus units (multiplexers) may be utilized.
PSD
I. Should be located in rooms safe by location.
II. May be distributed or centralised.
III. Instrument field bus and RIOs may be utilized.
IV. Field bus units (multiplexers) may be utilized.
PDCS
I. Should be located in rooms safe by location.
II. May be distributed and/or centralised.
III. Intelligent MCC bus and/or RIOs may be utilized.
5.1.2 Functional Distribution
The process systems shall be logically distributed into separate SAS units and/or SAS programs in order to optimise mechanical completion, commissioning and maintenance.
5.2 SAS functions
5.2.1 ESD
The ESD system shall have the following features:
I. It shall be possible to test the ESD logic without degrading the platform safety and reducing the production rate.
II. The platform shall be protected even in case of loss of power or single failure of electronic parts.
III. A common ESD reset function shall be provided in the CCR, in addition to local resets.
IV. Status of the ESD system, ESD valve status, inhibit and override facilities shall be available in the CCR.
V. It shall be possible to initiate any ESD level from the CCR.
VI. PDS or an equal calculation method shall determine the ESD system configuration, aiming for a simple solution.
VII. The ESD information and operation shall be easily accessible to the CCR operator without unnecessary time delay.
VIII. The operator interface may be a VDU based solution or a combination of LED/switch operated matrix and VDU(s).
IX. The ESD output signals to field devices shall be hardwired.
X. ESD dedicated field bus may be used for ESD inputs.
XI. Communication between ESD and F&G can be by means of a dedicated safety bus, serial links or hardwired.
5.2.2 F&G
The F&G system shall have the following features:
I. The F&G system should be non-redundant provided successful verification based on PDS or an equal calculation method.
II. It shall be possible to override PA alarms and FWP start due to the on-line test requirements.
III. Delay of audible PA alarms to LQ and possibility for inhibition of the audible alarms shall be provided in the CCR.
IV. Facility for manual start of FWPs shall be provided in the CCR.
V. Addressable detectors (field bus) may be used.
VI. Fire fighting release from the F&G system shall be hardwired.
VII. Communication between F&G and ESD can be by means of a dedicated safety bus, serial links or hardwired.
VIII. Information about geographical arrangements of detectors and fire areas shall be available in the CCR.
IX. Fire alarms and gas alarms shall be visually distinguished from each other.
X. Hot work status per safety area should be available in the CCR.
XI. Status of F&G alarms, inhibits, override and release of protection facilities shall be provided in the CCR.
XII. Selection of FWP priorities, running/available status of FWPs, ring main pressure and FWP fault indication shall be available in the CCR.
XIII. The F&G information shall be easily accessible to the CCR operator without unnecessary delay.
XIV. The information on an integrated F&G mimic/matrix shall be kept to a minimum and the F&G mimic/matrix shall typically contain:
XV. Common gas alarm per safety area.
XVI. Common fire alarm per safety area.
XVII. Common indication of any inhibit per safety area.
XVIII. Override and release facilities of protection skids and electrical isolation.
XIX. The mimic/matrix interface will normally be a LED/switch operated solution; however, other techniques can be utilised.
5.2.3 HVAC
The HVAC safety related functions should be integrated in the F&G system. No separate SAS unit for HVAC functions should be implemented.
5.2.4 PCS
LED/switch operated process mimics should be avoided. PCS statuses and operation commands should be available on VDU only.
5.2.5 PSD
PSD functions shall be implemented in separate SAS unit(s). Machinery protection is not considered as a PSD level.
5.2.6 PDCS
The purpose of the PDCS is to control and monitor the electric power generation and distribution network.
5.2.7 MCC
The MCC may be controlled from any SAS unit and the following principles are acceptable:
I. Distributed concept based on the supplier's standard intelligent MCC bus concept.
II. RIO with potential free contacts rated for the voltage used in MCC control circuitry.
III. Hardwired signals.
The MCC shall proceed into a pre-defined selectable state (on/off/steady) in the event of loss of data communication.
The PDCS status shall be available in the CCR. Separate LED/switch operated electrical mimic panels should be avoided. PDCS status should be available on VDU screen pictures.
5.2.8 IMS (when required)
On line communication to shore shall be possible.
IMS shall typically receive and process data from the following external systems:
I. Fiscal Metering
II. Mooring and Positioning System
III. Ballast system
IV. Environmental and Platform Monitoring System
V. Corrosion Monitoring System
VI. Condition Monitoring System
VII. Fuel & flare gas metering
VIII. Oil Storage and Off-loading System
Typical IMS functionality is:
I. Long term storage of alarms and events.
II. Trend data storage.
III. Long term storage of selected measurements values.
IV. Alarm analysis.
5.3 Package integration and categorising
This section gives guidelines on how process and utility equipment supplier packages can be integrated into the SAS, and how operation and control accordingly will be carried out. The individual package units can have different operation and control philosophies within a plant, depending on operational requirements. Start-up of equipment packages may be performed from the CCR, while other packages may have a requirement for local start.
5.3.1 Category of packages
I. Category A, SAS integrated packages.
Packages fully integrated in SAS standard hardware/software. Control and monitoring are programmed/configured in the SAS system by the project according to Package Vendor specifications.
II. Category B, SAS partly integrated packages.
Package with control functions programmed/configured by Package Vendor in standard SAS hardware/software. Non standard hardware may be used for special functions like turbine governor.
III. Category C, SAS stand-alone packages.
Packages with only serial link or hardwired signal communication interface to other
SAS units. Vendor supplies separate logic for machinery protection, control and monitoring.
IV. Category D, Stand-alone locally controlled packages.
Packages with local control only. Vendor supplies separate logic unit for control. These control units are not considered as SAS units and no external communication is required.
5.4 Man machine interface
The general design basis for the MMI shall be the SAS Vendor standard.
5.4.1 Operator station
The CCR Operator Stations shall as a minimum meet the following functional requirements:
I. The SAS shall give the possibility to monitor all process and safety signals from any Operator Station. Silent type alarm/event printers shall be located in the CCR or in an area adjacent to the CCR.
II. The operator shall be able to request a colour hard copy of any VDU picture.
III. The number of printers shall be kept at a minimum. Failure of one OS or one printer shall not stop printing possibilities. The printout shall be available on request.
Local operator stations may be used in local panels.
Temporary Operator Stations should be available for test and commissioning purposes.
5.4.2 Display system arrangement
The display system shall allow for a minimum of three levels: overview, system and sub-system displays. Additionally the system shall allow for object displays. Direct jump between pictures shall be possible.
The following display types should be available to the operator:
I. Process / utility mimic display.
II. Cause and effect shutdown display.
III. Object display.
IV. Trend display.
V. Alarm list.
VI. Event list.
VII. Sequence display.
VIII. Control display.
5.4.3 Use of colour
The colour coding as shown in the tables below shall be used for process and service lines and equipment. Further definition may call for lines consisting of dashes of different colours if lines or equipment are designed for multiple fluids.
Table 1 Colours of process and utility medium
Process/utility medium                                                                    Colour selection
Oil, including diesel, crude, lubrication, seal, hydraulic oil and drilling mud           Brown
Gas, including fuel, HP, LP, injection, relief, flare gas                                 Yellow
Water, including potable, ballast, drill, produced, cooling, injection water and steam    Green
Air, including instrument and plant air                                                   Blue
Fire fighting, including fire water and foam                                              Orange
Chemicals, including glycol, scavenger, chemicals, cooling and heating medium,            Violet
drilling and other chemical additives
Table 2 Colours of electrical systems
Electrical systems    Colour selection
11 kV                 Blue
690 V                 Orange
400/230 V             Yellow
230 V UPS             Brown
Table 3 Colours of alarms
Alarm status           Colour selection
Active alarm           Red
Warning                Yellow
Fault alarm status     Violet
Suppressed/blocked     Blue
System related functions should follow the SAS supplier's standard.
5.4.4 Use of symbols
SAS vendor standard VDU symbols shall be used.
5.4.5 Trend facilities
The SAS shall have capabilities for short and long term trending of any analogue signal. On line structuring of trends should be available.
5.5 Process and system alarms, events
5.5.1 Definitions
Alarms arise when an abnormal situation occurs.
Example: HH level in separator, motor overload.
An event is a change of process status or an operator's interaction with the process.
Example: Change of controller's setpoint.
A system alarm is activated if SAS functions fail or exceed pre-defined limits.
Example: Digital input card failure or analogue input less than 3 mA.
5.5.2 Time tagging
Events, process and system alarms must be time tagged with the highest resolution, but not less than the scan rate, and related to the central Real Time Clock.
No events or alarms shall be lost in the SAS.
Alarms shall be time tagged where they are first detected.
-
8/9/2019 Norsok Safety and Automation System
14/21
Safety and Automation Systems (SAS) I-CR-002Rev. 1, December 1994
_______________________________________________________________________________ NORSOK Standard 13 of 20
5.5.3 Alarm suppression and filtering
Alarm suppression and/or filtering shall be possible for individual alarms, pre-defined groups of tags (e.g. process system or safety area), or initiated by logic (e.g. suppression of the low flow alarm from a pump that has stopped).
The SAS shall on request provide lists of all suppressed alarms.
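The definitions in 4.1 (inhibit, override, suppression, alarm filtering) and the requirements of 5.5.3 can be checked against a small model. The following Python is an added example, not code from the standard or from any SAS vendor; the tag names (P-101-RUN, FT-101, LT-201, GD-301, TT-401), groups, limits and the single filter rule are constructed. It evaluates one scan and keeps the three states apart: an inhibited input still shows its alarm but drives no action, a suppressed or filtered alarm is hidden but its action is maintained, and an override forces the output regardless of logic. suppressed_alarms() is the on-request list that 5.5.3 asks for.

```python
"""Alarm-state handling per NORSOK I-CR-002 clauses 4.1 and 5.5.3.

Added illustration, not code from the standard or any SAS vendor.
Tag names, groups, limits and values below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Signal:
    tag: str
    group: str                                   # process system or safety area
    value: float
    alarm_when: Optional[Callable[[float], bool]] = None  # None: status signal, never alarms
    inhibited: bool = False      # 4.1 Inhibit: action disabled, alarm still displayed
    suppressed: bool = False     # 4.1 Suppression: alarm hidden, action maintained
    override: Optional[bool] = None   # 4.1 Override: output forced, logic status ignored

    @property
    def in_alarm(self) -> bool:
        return bool(self.alarm_when is not None and self.alarm_when(self.value))


# A filter rule: (reason, condition over all signals, secondary alarms it suppresses).
FilterRule = Tuple[str, Callable[[Dict[str, Signal]], bool], List[str]]


class AlarmManager:
    """One scan of alarm evaluation with individual, group and logic-initiated suppression."""

    def __init__(self, signals: List[Signal], filter_rules: List[FilterRule]):
        self.signals: Dict[str, Signal] = {s.tag: s for s in signals}
        self.filter_rules = filter_rules
        self.suppressed_groups: Set[str] = set()

    def set_group_suppression(self, group: str, on: bool) -> None:
        if on:
            self.suppressed_groups.add(group)
        else:
            self.suppressed_groups.discard(group)

    def suppressed_alarms(self) -> Dict[str, str]:
        """5.5.3: the list of all suppressed alarms the SAS must give on request, with reason."""
        out: Dict[str, str] = {}
        for reason, condition, secondary_tags in self.filter_rules:
            if condition(self.signals):
                for tag in secondary_tags:
                    out.setdefault(tag, "logic: " + reason)
        for s in self.signals.values():
            if s.group in self.suppressed_groups:
                out.setdefault(s.tag, "group: " + s.group)
            if s.suppressed:
                out.setdefault(s.tag, "individual")
        return out

    def scan(self) -> Tuple[List[str], Dict[str, bool]]:
        """Returns (alarm tags to display, {tag: action output asserted})."""
        hidden = self.suppressed_alarms()
        displayed: List[str] = []
        actions: Dict[str, bool] = {}
        for s in self.signals.values():
            if s.alarm_when is None:
                continue                         # status only, nothing to alarm or act on
            if s.override is not None:
                actions[s.tag] = s.override      # override wins over the logic result
            else:
                actions[s.tag] = s.in_alarm and not s.inhibited
            if s.in_alarm and s.tag not in hidden:
                displayed.append(s.tag)          # suppression hides, inhibit does not
        return displayed, actions


def demo() -> Tuple[List[str], Dict[str, bool], Dict[str, str]]:
    """Constructed scan: a stopped pump filters its low-flow alarm, a detector under test is inhibited."""
    signals = [
        Signal("P-101-RUN", "separation", 0.0),                                    # pump stopped
        Signal("FT-101", "separation", 2.0, alarm_when=lambda v: v < 5.0),         # low flow
        Signal("LT-201", "separation", 98.0, alarm_when=lambda v: v > 95.0),       # HH level
        Signal("GD-301", "area-3", 35.0, alarm_when=lambda v: v > 20.0, inhibited=True),
        Signal("TT-401", "utilities", 80.0, alarm_when=lambda v: v > 70.0, suppressed=True),
    ]
    rules: List[FilterRule] = [
        ("pump P-101 stopped", lambda sig: sig["P-101-RUN"].value == 0.0, ["FT-101"]),
    ]
    mgr = AlarmManager(signals, rules)
    displayed, actions = mgr.scan()
    return displayed, actions, mgr.suppressed_alarms()


if __name__ == "__main__":
    shown, acts, supp = demo()
    print("displayed:", shown)
    print("actions:", acts)
    print("suppressed (5.5.3 list):", supp)
```

The point worth checking on a real system is the one the constructed FT-101 row shows: a logic-filtered alarm still acts and still appears in the suppressed list. If either is lost, suppression silently degrades into an inhibit that no operator can see.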
5.5.4 Alarm and event presentation
The system shall offer means for alarm annunciation as follows:
I. Acoustically
II. Visually on VDU in process displays, alarm overviews and on alarm lists.
Event information is displayed chronologically in an event list available on VDU and printed on the operator's request.
The system must include a historic alarm and event file able to store lists on hard disc.
5.6 Programming
5.6.1 Programming tools (Engineering work station)
The programming tool should have the following features:
I. Change parameters on line without disturbing process control.
II. On line programming.
III. Load and unload application programs including database structure via common bus.
IV. Graphical MMI is preferred.
V. It shall be possible to monitor on line any dynamic variable in any relevant SAS unit via bus for debugging purposes.
VI. Override/inhibit of signals and/or data base elements.
VII. Start/stop of application programs.
5.6.2 Function blocks
To the extent possible, the SAS vendor's or Company standard existing function blocks shall be applied. Function block oriented programming should be used.
6 SYSTEM REQUIREMENTS
6.1 Hardware
Equipment shall meet the requirements of EN 50081-2 and EN 50082-2 regarding electromagnetic compatibility.
6.1.1 Remote I/O
In order to minimise cabling and hook-up offshore, RIO should be used where applicable.
6.1.2 Input/output cards requirements
Field devices shall always be powered from the SAS. In cases where active galvanically isolated barriers are not used, I/O cards should have galvanic isolation between the field and CPU side. The number of different I/O card types shall be kept to a minimum.
I/O cards shall be powered in a way that damage to one card does not have any influence on other cards. A short-circuit in the field shall not damage I/O cards.
6.1.3 Power supplies, power distribution
Availability calculations shall define whether single or redundant power supplies are required.
CPU and I/O-field instruments shall be powered from different galvanically isolated power supplies.
Power supplies shall be designed for 150% of normal consumption or based upon a modular system which can be expanded without rewiring.
6.1.4 SAS termination
Any cross wiring shall be included in the SAS unit's termination part. Signal conditioning units shall be rack or rail mounted.
It shall be possible to isolate field signals from the SAS unit(s) without disconnecting the cable cores from the terminals.
All I/O channels, including spares, shall be pre-wired.
The SAS shall be designed in such a way that the termination part can be delivered to site at an early stage while testing of application programs continues at the SAS vendor's workshop. Reconnection facilities shall be pluggable.
6.1.5 Instrument field bus/field bus units
Instrument field bus/field bus unit (multiplexer) solutions shall be considered if the concept clearly demonstrates economical savings and the requirements to time response are satisfied.
6.1.6 Hardware expandability
Spare capacity shall be measured per SAS unit and per card type at time of plant start-up.
For a well defined mechanical package, a lower quantity of spare/expandability can be accepted.
Table 4 Hardware expandability table
Task             Spare capacity
I/O cards        10 % installed spare; 25 % possible extension
Disk capacity    40 % spare installed; 100 % possible extension
6.2 Software
6.2.1 CPU performance
CPU load of SAS unit(s) at the time of plant start-up shall not exceed 75%. CPU load means the percentage of time available for the application program (internal CPU handling tasks excluded).
Memory
It shall be possible to expand memory without any change of application programs, and there shall be 75% spare capacity at the time of plant start-up of the SAS.
6.2.2 Bus load
Bus load at the time of plant start-up shall not exceed 75% of the bus load recommended by the vendor.
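An added start-up audit, not code from the standard, for the figures in Table 4, 6.2.1 and 6.2.2: each constructed unit (PCS-1, ESD-1, with constructed channel counts and load percentages) carries per-card-type channel counts, CPU, memory, disk and bus load, and audit_unit() returns the criteria it fails. The relaxed I/O spare that 6.1.6 allows for a well defined mechanical package is a parameter, since the standard gives no figure for it.

```python
"""Start-up spare capacity and load audit per NORSOK I-CR-002 Table 4, 6.2.1 and 6.2.2.

Added illustration, not code from the standard. Unit names, channel counts
and load figures are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IO_INSTALLED_SPARE_MIN_PCT = 10.0        # Table 4, per SAS unit and per card type
IO_EXTENSION_MIN_PCT = 25.0              # Table 4
DISK_INSTALLED_SPARE_MIN_PCT = 40.0      # Table 4
DISK_EXTENSION_MIN_PCT = 100.0           # Table 4
CPU_LOAD_MAX_PCT = 75.0                  # 6.2.1
MEMORY_SPARE_MIN_PCT = 75.0              # 6.2.1
BUS_LOAD_MAX_FRACTION_OF_VENDOR = 0.75   # 6.2.2: 75% of the vendor recommended bus load

Finding = Tuple[str, str, float]         # (check, item, measured value)


@dataclass
class CardType:
    name: str
    installed_channels: int
    used_channels: int
    max_channels: int        # with every free slot of this type populated


@dataclass
class SasUnit:
    name: str
    cards: List[CardType]
    cpu_load_pct: float      # application share of CPU time, internal tasks excluded
    memory_used_pct: float
    disk_installed_gb: float
    disk_used_gb: float
    disk_max_gb: float
    bus_load_pct: float
    vendor_recommended_bus_load_pct: float


def spare_pct(installed: float, used: float) -> float:
    return 100.0 * (installed - used) / installed


def extension_pct(installed: float, maximum: float) -> float:
    return 100.0 * (maximum - installed) / installed


def audit_unit(u: SasUnit, io_spare_min_pct: float = IO_INSTALLED_SPARE_MIN_PCT) -> List[Finding]:
    """io_spare_min_pct may be lowered by agreement for a well defined mechanical package (6.1.6)."""
    f: List[Finding] = []
    for c in u.cards:
        s = spare_pct(c.installed_channels, c.used_channels)
        if s < io_spare_min_pct:
            f.append(("io_spare", c.name, s))
        x = extension_pct(c.installed_channels, c.max_channels)
        if x < IO_EXTENSION_MIN_PCT:
            f.append(("io_extension", c.name, x))
    ds = spare_pct(u.disk_installed_gb, u.disk_used_gb)
    if ds < DISK_INSTALLED_SPARE_MIN_PCT:
        f.append(("disk_spare", "", ds))
    dx = extension_pct(u.disk_installed_gb, u.disk_max_gb)
    if dx < DISK_EXTENSION_MIN_PCT:
        f.append(("disk_extension", "", dx))
    if u.cpu_load_pct > CPU_LOAD_MAX_PCT:
        f.append(("cpu_load", "", u.cpu_load_pct))
    ms = 100.0 - u.memory_used_pct
    if ms < MEMORY_SPARE_MIN_PCT:
        f.append(("memory_spare", "", ms))
    bus_limit = BUS_LOAD_MAX_FRACTION_OF_VENDOR * u.vendor_recommended_bus_load_pct
    if u.bus_load_pct > bus_limit:
        f.append(("bus_load", "", u.bus_load_pct))
    return f


def audit(units: List[SasUnit], **kw) -> Dict[str, List[Finding]]:
    return {u.name: audit_unit(u, **kw) for u in units}


def demo() -> Dict[str, List[Finding]]:
    units = [   # constructed start-up figures
        SasUnit("PCS-1", [CardType("AI", 64, 60, 128), CardType("DI", 128, 100, 128)],
                cpu_load_pct=60.0, memory_used_pct=30.0,
                disk_installed_gb=10.0, disk_used_gb=5.0, disk_max_gb=20.0,
                bus_load_pct=40.0, vendor_recommended_bus_load_pct=60.0),
        SasUnit("ESD-1", [CardType("AI", 32, 24, 64), CardType("DO", 64, 48, 128)],
                cpu_load_pct=80.0, memory_used_pct=20.0,
                disk_installed_gb=4.0, disk_used_gb=2.0, disk_max_gb=8.0,
                bus_load_pct=30.0, vendor_recommended_bus_load_pct=60.0),
    ]
    return audit(units)


if __name__ == "__main__":
    for unit, findings in demo().items():
        print(unit, findings or "ok")
```

The audit is per unit and per card type, as 6.1.6 requires; a plant-wide average would hide the PCS-1 analogue input cards that are already 94% used.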
6.2.3 Time synchronisation
Time synchronisation means that the internal time between different units shall not deviate more than 50 msec. The SAS system shall get its time vector from the platform clock.
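As an added example covering 5.5.2 (time tagging at first detection, no lost events) and 6.2.3 (50 msec clock deviation), and not code from the standard: the Python below takes constructed clock reports and event records from three constructed units (ESD-1, F&G-1, PCS-1) and flags a drifted clock, a tag resolution coarser than the scan rate, and a gap in a unit's sequence numbers; it then builds the chronological event list of 5.5.4 on the platform clock.

```python
"""Time-tag and clock-deviation checks per NORSOK I-CR-002 5.5.2 and 6.2.3.

Added illustration, not code from the standard. Unit names, scan rates,
clock offsets and event records are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_CLOCK_DEVIATION_MS = 50      # 6.2.3: internal time between units within 50 msec


@dataclass
class UnitClockReport:
    unit: str
    scan_ms: int              # scan rate of the unit
    offset_ms: int            # unit clock minus platform clock, as measured
    tag_resolution_ms: int    # resolution of the time tags the unit produces


@dataclass
class Event:
    unit: str
    seq: int                  # per-unit sequence number assigned at first detection
    tag_ms: int               # time tag on the unit's own clock
    text: str


def check_time_tagging(units: List[UnitClockReport], events: List[Event]) -> List[str]:
    """Findings against 5.5.2 (resolution, no loss) and 6.2.3 (clock deviation)."""
    findings: List[str] = []
    for u in units:
        if abs(u.offset_ms) > MAX_CLOCK_DEVIATION_MS:
            findings.append(f"{u.unit}: clock deviates {u.offset_ms} ms from platform clock "
                            f"(limit {MAX_CLOCK_DEVIATION_MS} ms)")
        if u.tag_resolution_ms > u.scan_ms:
            findings.append(f"{u.unit}: tag resolution {u.tag_resolution_ms} ms coarser than "
                            f"scan rate {u.scan_ms} ms")
    for u in units:
        # No events or alarms shall be lost: per-unit sequence numbers must be contiguous.
        seqs = sorted(e.seq for e in events if e.unit == u.unit)
        if seqs:
            missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
            if missing:
                findings.append(f"{u.unit}: events lost, missing sequence numbers {missing}")
    return findings


def central_event_list(units: List[UnitClockReport],
                       events: List[Event]) -> List[Tuple[int, str, int, str]]:
    """5.5.4 chronological list on the central clock: local tags corrected by measured offset."""
    offset = {u.unit: u.offset_ms for u in units}
    return sorted((e.tag_ms - offset[e.unit], e.unit, e.seq, e.text) for e in events)


def demo() -> Tuple[List[str], List[Tuple[int, str, int, str]]]:
    units = [   # constructed clock reports
        UnitClockReport("ESD-1", scan_ms=50, offset_ms=10, tag_resolution_ms=10),
        UnitClockReport("F&G-1", scan_ms=100, offset_ms=-70, tag_resolution_ms=100),  # drifted
        UnitClockReport("PCS-1", scan_ms=250, offset_ms=20, tag_resolution_ms=500),   # too coarse
    ]
    events = [  # constructed event records, tags on each unit's own clock
        Event("ESD-1", 1, 1000, "ESD level 2 initiated"),
        Event("ESD-1", 2, 1050, "XV-201 closed"),
        Event("F&G-1", 7, 930, "gas alarm GD-301"),
        Event("F&G-1", 9, 1100, "fire area 3 inhibit set"),   # seq 8 never arrived
        Event("PCS-1", 3, 1500, "LIC-201 setpoint changed"),
    ]
    return check_time_tagging(units, events), central_event_list(units, events)


if __name__ == "__main__":
    findings, order = demo()
    print("\n".join(findings))
    for row in order:
        print(row)
```

On the raw local tags the gas alarm (930 ms) would appear before the ESD action (1000 ms); corrected for the measured offsets the ESD action (990 ms) comes first. A unit drifting beyond the 50 msec limit therefore does more than fail a check: it makes the central event list tell the wrong story about cause and effect.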
ANNEX A GUIDELINE FOR TESTING
The SAS vendor shall have available test equipment for all I/O configured in the SAS.
Facilities for measuring dynamic loads for SAS units, the communication system and OS shall be made available by the vendor of the SAS.
The tests shall be performed hierarchically, starting with SAS unit tests, then system tests and finally the integration test.
All tests shall be documented. All I/Os shall be tested from the field side of the SAS unit(s).
SAS unit test
Complete test of hardware and software applications of all SAS units, including applications on OS. The tests shall be performed in accordance with approved test procedures. Signals/telegrams to other SAS/systems will be tested during the system test.
System test
Several SAS units forming a system shall be tested together. Example: F&G SAS units, OS and F&G mimic/matrix tested together. All I/O shall be simulated. The system test shall include all inter-unit signals.
Integration test
The test shall cover the complete SAS including simulation of Partly Integrated Packages (category B). In addition to functional tests of all systems, dynamic bus and CPU load shall be measured. The SAS should be alarm and failure free for at least 24 hours.
ANNEX B GUIDELINES FOR TIME RESPONSE
This chapter establishes a common definition of system response time including guidelines for accept criteria.
Alarm response time/resolution
Alarm response is the period of time from when the process conditions exceed a pre-defined limit until the alarm is tagged (defined as A+B in figure A2). Recommended time response is as follows:
Table 5 Process/PSD/ESD alarm response time
Process/PSD/ESD alarms                                                          Time response
In general dependent on process criticality. For long time constant             1 sec
process variables a substantially slower time response may be accepted
(4 - 16 sec), for example temperature changes.
Table 6 Fire & Gas alarm response time
Fire & Gas alarms                                                               Time response
Gas in air intake. Calculation to be provided dependent on the length of        Max. 2 sec
the air duct and the response time of the activated device (damper).
Gas detectors generally                                                         2 sec
Fire, smoke, heat detectors                                                     4 sec
Addressable detectors                                                           15 sec
Table 7 Electrical alarm response time
Electrical alarms                                                               Time response
Switch gear alarms                                                              2 0 msec
VDU picture update times
Table 8 Guidelines for VDU time response requirements
Task                                                                            Time response
Call up of a new picture with 100 analogue values and 100 digital points.       5 sec
Values are picked up from 5 different units. The time is measured from the
operator's request until the picture is on screen and all dynamic values
are updated.
Updating dynamic values only for a VDU picture as defined above.                3 sec
Operator command request. Time from operator command until the execution        2 sec
starts in the SAS unit. For critical actions the time should be close to
1 sec.
Alarm display time. The time from generation of an alarm in the SAS unit        2 sec
until the alarm is displayed on the VDU.
Figure 2 Principles of time response. (The figure itself is not reproduced. Its stages are labelled A, B, C and D along the alarm path, with the labels reading, in order: sensor response time; I/O and program scan, ending at alarm tagging; communication time; OS scan/display time. The figure also marks the CPU, digital clock synchronisation, analogue clock synchronisation and field actuator response time.)
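Added example for Annex B, not code from the standard: taking the stages of Figure 2 as A (sensor response), B (I/O and program scan, ending at alarm tagging), C (communication) and D (OS scan/display), evaluate() checks the alarm response A+B against Tables 5 and 6 and the alarm display time C+D against Table 8 for constructed measurements on constructed tags. air_intake_limit_s() is an assumed transport-time model for the "gas in air intake" row, where the standard only says that a calculation depending on duct length and damper response must be provided; the electrical row of Table 7 is left out.

```python
"""Alarm-path time budget per NORSOK I-CR-002 Annex B (Tables 5, 6, 8 and Figure 2).

Added illustration, not code from the standard. Measured stage times and tag
names are constructed; the air-intake duct model is an assumption, the standard
only says such a calculation must be provided.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ALARM_RESPONSE_LIMIT_S: Dict[str, float] = {
    "process": 1.0,           # Table 5: process/PSD/ESD alarms
    "process_slow": 16.0,     # Table 5: long time constant variables, 4-16 sec acceptable
    "gas": 2.0,               # Table 6: gas detectors generally
    "gas_air_intake": 2.0,    # Table 6: upper bound; the duct calculation may demand less
    "fire": 4.0,              # Table 6: fire, smoke, heat detectors
    "addressable": 15.0,      # Table 6: addressable detectors
}
ALARM_DISPLAY_LIMIT_S = 2.0   # Table 8: generation in SAS unit until shown on VDU


@dataclass
class AlarmPathMeasurement:
    tag: str
    alarm_class: str
    sensor_s: float     # A: sensor response time
    scan_s: float       # B: I/O and program scan, ends at alarm tagging
    comm_s: float       # C: communication time to the OS
    display_s: float    # D: OS scan / display time


def air_intake_limit_s(duct_length_m: float, air_speed_m_s: float, damper_close_s: float) -> float:
    """Assumed transport-time budget (not a formula from the standard): detection plus
    damper closure must beat the gas travelling the duct, and never exceed Table 6's 2 sec."""
    travel_s = duct_length_m / air_speed_m_s
    return round(min(ALARM_RESPONSE_LIMIT_S["gas_air_intake"], travel_s - damper_close_s), 3)


def evaluate(m: AlarmPathMeasurement, response_limit_s: Optional[float] = None) -> Dict[str, object]:
    """Compare one measured alarm path with the Annex B accept criteria."""
    limit = response_limit_s if response_limit_s is not None else ALARM_RESPONSE_LIMIT_S[m.alarm_class]
    response = m.sensor_s + m.scan_s        # A + B: alarm response time (Annex B definition)
    display = m.comm_s + m.display_s        # C + D: alarm display time (Table 8)
    return {
        "tag": m.tag,
        "alarm_response_s": round(response, 3),
        "response_ok": response <= limit,
        "alarm_display_s": round(display, 3),
        "display_ok": display <= ALARM_DISPLAY_LIMIT_S,
        "operator_sees_after_s": round(response + display, 3),
    }


def demo() -> List[Dict[str, object]]:
    measurements = [   # constructed stage times in seconds (A, B, C, D)
        AlarmPathMeasurement("LT-201 HH", "process", 0.2, 0.5, 0.3, 1.0),
        AlarmPathMeasurement("GD-301", "gas", 1.5, 0.6, 0.5, 1.6),         # slow detector, busy OS
        AlarmPathMeasurement("TT-401 H", "process_slow", 6.0, 1.0, 0.3, 1.0),
        AlarmPathMeasurement("FD-501", "fire", 3.0, 0.5, 0.4, 1.2),
    ]
    return [evaluate(m) for m in measurements]


if __name__ == "__main__":
    for row in demo():
        print(row)
    print("air intake limit, 10 m duct at 5 m/s, 0.8 s damper:", air_intake_limit_s(10.0, 5.0, 0.8))
```

Keeping the two budgets separate matters in practice: the constructed GD-301 path fails both, but the fix for A+B is a faster detector or scan while the fix for C+D is in the bus or the operator station, and only the measured split tells which.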