27607E03 ICSS Guidelines

The document is a guideline for the Integrated Control and Safety System (ICSS) by eni spa, detailing functional requirements, architectures, and integration aspects. It includes a revision history, distribution lists, and references to industry codes and company standards. The document serves as a framework for design criteria in control systems, emphasizing compliance and responsibilities of suppliers.

eni spa 27607.DOC.STA.SDS
Rev 03 – October 2016
Sh 3 of 63

Consulted Distribution List

Date          Name Surname / Unit        Society/Unit
July 2016     V. Trimarco / TESA         eni/ITEM
July 2016     D. Ditadi / TESA           eni/ITEM
July 2016     C. Patanè / STAU           Tecnomare
July 2016     M. Skelton                 Eni Eng E&P Ltd
July 2016     C. Bottani                 eni/DAOP
July 2016     G. Mirtelli                eni/CYSE/A-3
July 2016     D. Capuano                 eni/CYSE/A-3

Informed Distribution List

Date          Name Surname / Unit        Society/Unit
October 2016  F. Vailati                 Tecnomare
October 2016  M. Skelton                 Eni Eng E&P Ltd
October 2016  A. Marceglia / MECC        eni / ITEM
October 2016  T. Cheldi / TEMC           eni / ITEM
October 2016  F. Guglielmi / SATE        eni / ITEM
October 2016  M. Gorlini / TEEL          eni / ITEM
October 2016  G. Cognigni / COETA        eni / ITEM
October 2016  A. Fortunato / COETA       eni / ITEM
October 2016  G. Bona / COETA            eni / ITEM

REVISION TRACKING

• Rev 00: issued in July 2006.
• Rev 01: issued in October 2014.
  The title has been changed from DESIGN GUIDELINE FOR INTEGRATED AUTOMATION SYSTEMS to
  DESIGN GUIDELINE FOR INTEGRATED CONTROL AND SAFETY SYSTEMS.
  Modification of the ICSS concept to be compliant with the “Frame Work Agreement on ICSS”
  concept.
  General modifications in several parts of the document.
  The current revision is 63 pages including the Appendix.
• Rev 02: issued in November 2014.
  This revision includes all collected comments on Rev 01.
• Rev 03: issued in October 2016.
  This revision includes all collected comments on Rev 02.

ENGINEERING COMPANY STANDARD

This document is property of eni spa. It shall neither be shown to third parties nor used for purposes other than those for which it has been sent.

INDEX
1. GENERAL .......... 7
1.1 SCOPE .......... 7
1.2 REFERENCE CODES AND STANDARDS .......... 7
1.2.1 Industry Codes and Standards .......... 7
1.2.2 Company Standards .......... 8
1.3 COMPANY DEPARTMENTS REFERENCES .......... 8
1.4 RESPONSIBILITY .......... 9
1.5 DEFINITIONS .......... 9
1.6 ACRONYMS .......... 10
2. INTEGRATED CONTROL & SAFETY SYSTEM (ICSS) .......... 11
2.1 ICSS OVERVIEW .......... 11
2.2 ICSS INTEGRATION .......... 12
2.3 ICSS INTERNAL COMMUNICATIONS FEATURES .......... 13
2.4 ICSS HIERARCHY LEVELS .......... 13
2.4.1 ICSS connection to external Networks .......... 14
2.5 ICSS I/O MODULES .......... 15
2.5.1 Standard I/O Modules .......... 15
2.5.2 Remote I/O Modules .......... 15
2.6 ICSS ELECTRICAL POWER SUPPLIES .......... 15
2.7 ICSS REDUNDANCY REQUIREMENTS .......... 16
2.8 ICSS PERFORMANCES .......... 16
2.8.1 ICSS AVAILABILITY and Reliability .......... 17
2.8.2 Time Synchronization .......... 17
2.9 ICSS ENGINEERING WORKSTATION .......... 17
2.10 ICSS INTERFACES .......... 18
2.11 ALARM MANAGEMENT SYSTEM .......... 18
2.12 INFORMATION MANAGEMENT SYSTEM (IMS) .......... 18
2.13 DATA STORAGE AND RETRIEVAL SYSTEM .......... 19
2.14 ICSS SPARE PHILOSOPHY .......... 19
2.14.1 Human Machine Interface (HMI) .......... 19
2.14.2 Internal and External Communications .......... 19
2.14.3 Controllers and I/O Cards .......... 19
2.14.4 Marshalling Cabinets .......... 20
2.14.5 Future Expansions .......... 20


3. PROCESS CONTROL SYSTEM (PCS) .......... 21
3.1 PROCESS CONTROL SYSTEM (PCS) FUNCTIONS .......... 21
3.2 PROCESS CONTROL SYSTEMS (PCS) DESCRIPTION .......... 21
3.3 PROCESS CONTROL SYSTEM (PCS) CONTROLLERS .......... 22
3.4 ADVANCED PROCESS CONTROL (APC) SYSTEM .......... 22
3.5 INPUT/OUTPUT MODULES .......... 22
3.5.1 Configurable Input/Output modules .......... 23
3.6 PROCESS CONTROL SYSTEM REDUNDANCY REQUIREMENTS .......... 23
3.7 PROCESS CONTROL SYSTEM SEGREGATION REQUIREMENTS .......... 23
3.8 PCS INTERNAL COMMUNICATIONS .......... 24
3.9 PCS EXTERNAL COMMUNICATIONS .......... 24
4. SAFETY INSTRUMENTED SYSTEM (SIS) .......... 25
4.1 SIS FUNCTIONS .......... 25
4.2 SAFETY INSTRUMENTED SYSTEM (SIS) DESCRIPTION .......... 26
4.3 FAIL SAFE PHILOSOPHY .......... 27
4.4 SIS CONTROLLERS .......... 27
4.5 INPUT/OUTPUT MODULES .......... 28
4.5.1 Configurable Input/Output modules .......... 28
4.6 FIRE ALARM CONTROL PANEL (FACP) .......... 29
4.7 FIRE & GAS DETECTORS .......... 29
4.8 SIS CERTIFICATION .......... 30
4.9 SAFETY INSTRUMENTED SYSTEM REDUNDANCY REQUIREMENTS .......... 30
4.10 SAFETY INSTRUMENTED SYSTEM SEGREGATION REQUIREMENTS .......... 31
4.11 SIS ALARMS .......... 32
4.12 SAFETY INTERNAL COMMUNICATION .......... 32
4.13 SAFETY EXTERNAL COMMUNICATIONS .......... 32
4.14 SAFETY INSTRUMENTED SYSTEM DOCUMENTATION .......... 32
5. HUMAN MACHINE INTERFACE (HMI) .......... 33
5.1 HUMAN MACHINE INTERFACE OVERVIEW .......... 33
5.2 OPERATOR WORK STATIONS (OWS) FUNCTIONS .......... 33
5.3 AUXILIARY PANELS .......... 33
5.3.1 ESD Panel .......... 34
5.3.2 F&G Panels .......... 34
5.3.3 Fire & Gas Mimic Panel .......... 34
5.3.4 Fire Fighting Panel .......... 34
5.3.5 By-pass Panel for Process Override Switches (POS) .......... 34
5.3.6 By-pass Panel for Maintenance Override Switches (MOS) .......... 35
5.4 THIRD PARTS OPERATOR INTERFACES .......... 35
6. SUPERVISORY CONTROL AND DATA ACQUISITION .......... 36
6.1 SCADA FUNCTIONS .......... 36
6.2 SCADA DESCRIPTION .......... 36
6.3 SCADA SYSTEM ARCHITECTURE .......... 37
6.4 REDUNDANCY REQUIREMENTS .......... 37
6.5 SEGREGATION CRITERIA .......... 37

6.6 SYSTEMS INTEGRATION .......... 37
6.7 INTERNAL COMMUNICATIONS .......... 38
6.8 EXTERNAL COMMUNICATIONS .......... 38
7. OPC INTERFACE AND REAL TIME DATA ACQUISITION .......... 39
7.1 OPC/ICSS INTERFACE REQUIREMENTS .......... 39
8. PLC FOR PACKAGE UNIT .......... 40
8.1 PACKAGE TYPE .......... 40
8.2 TECHNICAL CHARACTERISTICS .......... 40
8.3 OPERATIONAL GUIDELINES .......... 40
8.4 INTERFACES WITH THE ICSS .......... 41
APPENDIX A EXISTING SIS REPLACEMENT .......... 44
A.1 GENERAL .......... 44
A.2 SIS SAFETY LIFE-CYCLE PHASES .......... 44
APPENDIX B ARCHITECTURE EXAMPLES .......... 47
APPENDIX C - OPERATOR TRAINING SIMULATOR .......... 59
ATTACHMENT 1 “Cyber Security Baseline for Industrial Control Systems v2.0”
ATTACHMENT 2 “EDOF- PI ARCHITECTURE BLUE PRINT”


1. GENERAL

1.1 SCOPE
This document concerns the “Integrated Control and Safety System (ICSS)” and is to be set
within the documents that will constitute the “Design Criteria of Control Systems”.
The purpose of this specification is to provide minimum functional requirements, showing both
the typical architectures and some specific integration aspects related to them. Instructions
and definitions are also highlighted so that they can be used inside the functional design
specification.
This document has to be considered more as a Guideline than a Standard. The intention of this
document is not to give very specific constraints or features, but to provide general data and
design rules.

1.2 REFERENCE CODES AND STANDARDS


All equipment and materials shall be in accordance with regulations in force within the country
where they will be installed.
The applicable Company standards shall be defined for the scope of each specific project.

1.2.1 Industry Codes and Standards

Listed below are the major families of international codes and standards that may be
considered. Some specific standards are mentioned in this document; other applicable
standards shall be defined by the project.
• American Gas Association (AGA)
• American National Standards Institute (ANSI)
• American Petroleum Institute (API)
• Atmosphères Explosibles (ATEX)
• National Fire Protection Association (NFPA)
• International Electrotechnical Commission (IEC)
• International Society of Automation (ISA)
• European Norm (EN)
• International Organisation For Standardisation (ISO)
• Institute of Electrical and Electronic Engineers (IEEE)
CONTRACTOR / SUPPLIER shall verify the validity and applicability of each rule and standard,
checking at least the latest edition available and also the issuance of new pertinent regulations.


1.2.2 Company Standards

DOCUMENT KEY MAP

Here below is an identification table with a short description of the four typologies of the
Instrumentation COMPANY standards.

LEVEL 1
Documents that describe the key fundamental COMPANY requirements and principles for the
design, selection and operation of oil & gas plants.
The documents included in this level are:
• 28045.VAR.STA.SDS "Design Guidelines for Instrumentation and Control Systems"

LEVEL 2
Documents that describe the General Philosophies to be followed in the design, selection and
operation of oil & gas plants. These documents explain different types of solutions,
architectures and specific aspects in order to give a tool to be used during the design and
selection of the plant main items.
The documents included in this level are:
• 20048.VAR.STA.SDS "Instrumentation Philosophy"
• 27607.DOC.STA.SDS "Design Guidelines for Integrated Control and Safety Systems"
• 28037.CMP.STA.SDS "Instrumentation and Automation included in Package Plants"

LEVEL 3
Documents that technically describe the COMPANY requirements to be followed for specific
items and parts of plants. These documents usually provide in attachment the forms and
drawings to be used to prepare documentation during the different phases of projects, such as
installation detail drawings, hook-up details, technical, inspection and required Datasheets.
The documents included in this level are:
• 20047.VAR.STA.SDS "Requirements for the installation of instrumentation"
• All the other Instrumentation COMPANY Standards

LEVEL 4
These documents shall be used during the different phases of engineering and are usually
attached to the LEVEL 3 documents described above.
The documents included in this level are:
• Datasheets (TDS, IDS, DDS)
• Instrument Installation Standard Details
• Typical Installation Hook Ups
• All the other COMPANY standard forms

This document, “27607.DOC.STA.SDS”, belongs to LEVEL 2 (highlighted in grey in the table).

1.3 COMPANY DEPARTMENTS REFERENCES


For any further information about the content of this company standard, refer to the following
mailboxes:
[email protected] for Automation issues
[email protected] for Cybersecurity issues
[email protected] for EDOF (Real Time Data Acquisition services) issues


1.4 RESPONSIBILITY
SUPPLIER is responsible for compliance with the requirements set in this specification and
with applicable laws and regulations.
Nothing in this specification shall relieve the SUPPLIER of the responsibility for performing
additional analyses, tests, standard inspections and other activities necessary to ensure that
the product, the equipment and the workmanship are suitable for the intended service, even
where these are not considered in this specification.
Proposals of alternative solutions with respect to the technical requirements of this
specification will be taken into consideration if they are adequately supported with
documentation proving that their functional characteristics and performance levels are not
lower than the ones required herein. Written consent from COMPANY is required to deviate
from the guidelines in this document.

1.5 DEFINITIONS
For the purpose of this specification, the following definitions shall be applied:

COMPANY Eni spa or affiliated COMPANY as stated in the Contract.
CONTRACTOR / CONSTRUCTION COMPANY COMPANY (or companies) able to provide goods
and/or services as stated in the Contract.
PURCHASER The party that buys the equipment and its auxiliaries for its own use or as an
agent for the owner. The PURCHASER may either be the COMPANY or the CONTRACTOR.
SUPPLIER Person or organization able to supply goods as stated in the Contract. The terms
VENDOR or MANUFACTURER shall be considered synonymous with the term SUPPLIER as
defined above.
SHALL Indicates a requirement.
SHOULD Indicates a recommendation.

Furthermore, the following technical definitions shall be applied:

ASD Abandon Shut Down. It is a hierarchic safety level.
AMS Alarm Management System.
APC Advanced Process Control.
ESD Emergency Shutdown. It is a function of SIS. It is also a hierarchic safety level.
F&G Fire & Gas system. It is used to monitor the equipment and environment of the plant.
FACP Fire Alarm Control Panel. It is a Panel suitable to monitor the Fire Detection of each
building or specific indoor area.
HMI Human Machine Interface. It is the operator interface that allows the interaction between
the Operator and the plant to be controlled / supervised.
ICSS Integrated Control and Safety System.
IMS Information Management System. A system that provides predictive asset health
information derived from data embedded in smart field devices, control systems, and sensors
to predict problems before they can escalate.
LSD Local Shut Down. It is a hierarchic safety level.
MMS Machine Monitoring System. Generally dedicated to the supervision of vital parameters of
rotating machines.

MTU Master Terminal Unit. It is part of the SCADA system. It will be used to interface the
RTUs.
OTS Operator Training Simulator (system). A dedicated station with a virtual software plant,
used for training operators and field engineers by simulating the specific plant where the ICSS
is installed.
PCS Process Control System. It is used to control the process of a plant. (It is also called
DCS in other Company documents.)
PLC Programmable Logic Controller. It is used to handle a specific package (e.g. a Gas
Compressor unit).
PMS Power Management System. System dedicated to the control and safety intervention of
electrical apparatus and switches.
PSD Process Shut Down. It is a hierarchic safety level.
RTU Remote Terminal Unit. It is used to interface the field devices and equipment with the
main control system (i.e. SCADA). It will be able to process logic if necessary.
SCADA Supervisory Control And Data Acquisition System. It is used to acquire data and send
commands, if any, from/to remote sites, allowing a general supervision.
SIS Safety Instrumented System. It is used to handle the safety of the plant (it is also called
ESD/F&G in other Company documents).
UCP Unit Control Panel. It is a control system dedicated to a single entire unit/package and it
is generally composed of one or more PLCs.
USD Unit Shut Down. It is a hierarchic safety level. It is a sub-level of PSD.

1.6 ACRONYMS
Listed below are the commonly used acronyms. Other technical definitions, terminology
references, symbols and abbreviations may be mentioned where necessary in this specification.

CPU Central Processing Unit
CRC Cyclic Redundancy Check
dBA Decibels using the "A-weighted" scale for measuring acoustic sound level
DMZ Demilitarized Zone
EDOF Eni Digital Oil Field
EWS Engineering Work Station
FAT Factory Acceptance Test
GPS Global Positioning System
HIFT Hardware Implemented Fault Tolerance
HVAC Heating Ventilation and Air Conditioning
I/O Inputs/Outputs
IS Intrinsic Safety
mA MilliAmpere
MCC Motor Control Centre
MCP Manual Call Point
MOS Maintenance Override Switch
MTBF Mean Time Between Failures
MTTF Mean Time to Failure
MTTR Mean Time to Repair
OWS Operator Work Station
PDP Power Distribution Panel
PID Proportional/Integral/Derivative
POS Process Override Switch
RBE Report by Exception
RTD Resistance Temperature Detector
SAT Site Acceptance Test
SER Sequence of Event Recorder
SIF Safety Instrumented Function
SIFT Software Implemented Fault Tolerance
SIL Safety Integrity Level
SOE Sequence of Event System
SOW Scope of Work
SP Set-point
SW Software
SI International System of Units
UPS Uninterruptible Power Supply System
UV/IR Ultra-Violet/Infra-Red
VDC Volts Direct Current
VAC Volts Alternating Current


2. INTEGRATED CONTROL & SAFETY SYSTEM (ICSS)

Generally, the plant is controlled, monitored and protected by an Integrated Control & Safety
System (ICSS) consisting of PCS, SIS (ESD/F&G) and SCADA system (if necessary). These
systems are described below.

2.1 ICSS OVERVIEW


The ICSS shall perform supervision, control and safety functions and shall provide the operator
with fully continuous and easy operation of the plant’s units.
The system shall guarantee the following features:
• Open and flexible design
• Expandability
• Integrated Operation.
The ICSS design topology shall consist of distributed I/O modules, process controllers and data
processing equipment.
System components shall be minimized and standardized in order to reduce engineering,
procurement, commissioning, maintenance, training and operations costs. Standardization shall
be applied to all the components, hardware and software, of the systems.
The ICSS shall be composed, as a minimum, of the following subsystems:
• PCS - Process Control System
• SIS (ESD and F&G function) - Safety Instrumented System
• ICSS HMI - Human Machine Interface
• EWS - Engineering Work Stations
• Printers
• Servers
• Firewalls
• SCADA (if necessary)
and other auxiliary equipment such as Alarm Management System (AMS), Historian, Operator
Training Simulator (OTS), Information Management System (IMS), Servers for Machine
Monitoring Systems (if not implemented inside the IMS), Override panels, etc.
All systems shall conform to the intent of IEC 61000.
All systems shall be compliant with IEC 61131-3.
The ICSS Supplier shall guarantee that all the hardware and software components of the system
shall be available and fully supported over a period after the SAT, defined by the project
documentation.
The ICSS Supplier shall also provide maintenance and engineering services to support the ICSS
during the plant lifetime.
The ICSS sub-systems are organized according to the functional block diagram hereafter:


All ICSS nodes shall be interconnected via redundant ICSS networks. Two different levels of
Redundant Communication Bus shall be provided: one for Process data exchange (Process Bus)
and one for Safety data exchange (Safety Bus).
The SIS shall be designed to ensure that the safety functions are separate and independent from
the PCS; however, the SIS could be linked to the Process Bus to exchange monitoring data (or
signals for action by the PCS) with the upper level of control and monitoring. The Safety Bus
shall be used to link the Safety processors and other components of the SIS only.
The Safety Bus shall not be linked to a DMZ zone; only the Process Bus could be linked to the
DMZ zone, with the use of appropriate safe link devices.
The HMI of the ICSS shall operate in a self-contained mode, minimizing the potential impact of
any inter-nodal communications loss.
To ensure system integrity, all controllers shall be capable of stand-alone operation or
communication without the need of a console, of the ICSS network, or of other support
hardware, except for power. The system shall be designed to achieve fail-safe control of the
process operation. Fully transparent data transmission (commands, signals, alarms,
measurements, etc.) for communication between PCS and SIS (ESD/F&G) will be required.
The ICSS shall be able to be interfaced to other third party systems.
All information required by Operators, whether for monitoring, alarming, display, archiving,
control, or plant safeguarding, shall be capable of presentation by way of the ICSS Human
Machine Interface (HMI) [see sec. 5].
Any PC such as Human Machine Interface components, EWS, Maintenance PC, Server, etc., shall
be an industrial-type PC.

2.2 ICSS INTEGRATION


The term ‘integration’ means the sharing of information between the systems, not the
integration of functionality. Every system (PCS, SIS) shall be designed to perform a given
function.


Control functions and Safety functions shall never be integrated (IEC 61511, ISA 84); the SIS
never receives safety commands via bus from the PCS, but communication in the opposite
direction is permitted where useful.
To perform the full integration of information, these systems shall be of the same technology
(same manufacturer) or at least belong to the same technological platform. Furthermore, this
solution ensures full uniformity in terms of management, operation, responsibility, spare parts
and training.
The use of different technologies for PCS and SIS could be accepted in specific cases (such as
existing plants or plants with reduced size/complexity) but it shall always be subject to
COMPANY APPROVAL.

2.3 ICSS INTERNAL COMMUNICATIONS FEATURES


The system communication network shall be a digital communication bus providing high-speed
and reliable data transfer (with integrity checks such as CRC – Cyclic Redundancy Check –,
parity error, overrun error, etc.) between all System modules (operator console, I/O cards,
etc.). Communication networks shall be dual redundant, consisting of two separate buses and
separate communication interfaces for each connected device.
The digital communication link shall preferably utilize fiber optic or Cat 5 or Cat 6A cable. The
overall system performance shall not be degraded whether the communication subsystem is
loaded at 10% or 100%.
Any back-up communication device (cables, interfaces) must be automatically and permanently
tested to ensure that it is not out of service. An alarm shall be generated in case of failure.
Transfer to a back-up communication channel shall be automatic, without disrupting the System
operation, but alarmed to the operator and stored in a system alarm historical file.
No single point of failure shall disable the communication network. Extensive error checking
shall be provided. Self-diagnostics shall provide the Operator with system status, alarms and
any fault, and take appropriate protective action.
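As an added example (not part of the eni standard), the following Python script models a candidate ICSS topology and checks it against the rules stated in sections 2.1 to 2.3: the Safety Bus links SIS components only and never reaches the DMZ, only the Process Bus may reach the DMZ and only through a safe link device, every Process/Safety Bus attachment has two separate interfaces, and the SIS never receives safety commands via bus from the PCS. Node names, the subsystem labels and the SAFE_LINK type are assumptions; both designs are constructed for the example.

```python
"""Design-rule checker for ICSS bus segregation, DMZ linkage and redundancy.

Constructed example: node names and the subsystem labels are assumptions,
not identifiers from the eni standard.
"""
from dataclasses import dataclass

PROCESS_BUS = "Process Bus"
SAFETY_BUS = "Safety Bus"
DMZ = "DMZ"


@dataclass(frozen=True)
class Node:
    name: str
    subsystem: str      # "PCS", "SIS", "HMI", "EWS", "HISTORIAN" or "SAFE_LINK"
    interfaces: dict    # bus name -> number of separate communication interfaces


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    bus: str
    kind: str           # "monitoring" or "safety_command"


def check_icss_design(nodes, flows):
    """Return the list of rule violations; an empty list means the design passes."""
    findings = []
    by_name = {n.name: n for n in nodes}
    for n in nodes:
        buses = set(n.interfaces)
        # 2.1: the Safety Bus links the safety processors and other SIS components only
        if SAFETY_BUS in buses and n.subsystem != "SIS":
            findings.append(f"{n.name}: Safety Bus may link SIS components only")
        # 2.1: the Safety Bus is never linked to the DMZ
        if SAFETY_BUS in buses and DMZ in buses:
            findings.append(f"{n.name}: Safety Bus must not be linked to the DMZ")
        # 2.1: only the Process Bus reaches the DMZ, and only through a safe link device
        bridged = buses - {DMZ}
        if DMZ in buses and bridged and n.subsystem != "SAFE_LINK":
            joined = ", ".join(sorted(bridged))
            findings.append(f"{n.name}: only a safe link device may bridge {joined} to the DMZ")
        # 2.3: dual redundant network with separate interfaces for each connected device
        for bus in (PROCESS_BUS, SAFETY_BUS):
            if bus in buses and n.interfaces[bus] < 2:
                findings.append(f"{n.name}: {bus} attachment needs two separate interfaces")
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        if f.bus not in src.interfaces or f.bus not in dst.interfaces:
            findings.append(f"{f.src} -> {f.dst}: {f.bus} is not attached to both endpoints")
            continue
        # 2.2: the SIS never receives safety commands via bus from the PCS;
        # SIS -> PCS monitoring data over the Process Bus is permitted
        if f.kind == "safety_command" and src.subsystem == "PCS" and dst.subsystem == "SIS":
            findings.append(f"{f.src} -> {f.dst}: SIS must not receive safety commands via bus from PCS")
    return findings


def compliant_design():
    """Constructed topology that respects every rule above."""
    nodes = [
        Node("PCS-CTRL-01", "PCS", {PROCESS_BUS: 2}),
        Node("SIS-ESD-01", "SIS", {SAFETY_BUS: 2, PROCESS_BUS: 2}),  # monitoring link to PCS
        Node("SIS-FG-01", "SIS", {SAFETY_BUS: 2}),
        Node("OWS-01", "HMI", {PROCESS_BUS: 2}),
        Node("FW-01", "SAFE_LINK", {PROCESS_BUS: 2, DMZ: 1}),        # safe link device to DMZ
        Node("HIST-DMZ", "HISTORIAN", {DMZ: 1}),
    ]
    flows = [
        Flow("SIS-ESD-01", "PCS-CTRL-01", PROCESS_BUS, "monitoring"),
        Flow("SIS-ESD-01", "SIS-FG-01", SAFETY_BUS, "safety_command"),
        Flow("PCS-CTRL-01", "OWS-01", PROCESS_BUS, "monitoring"),
    ]
    return nodes, flows


def noncompliant_design():
    """Constructed topology with one violation of each rule family."""
    nodes = [
        Node("PCS-CTRL-01", "PCS", {PROCESS_BUS: 1}),                 # single interface
        Node("SIS-ESD-01", "SIS", {SAFETY_BUS: 2, PROCESS_BUS: 2}),
        Node("EWS-01", "EWS", {SAFETY_BUS: 2, PROCESS_BUS: 2}),       # EWS on the Safety Bus
        Node("HIST-01", "HISTORIAN", {PROCESS_BUS: 2, DMZ: 1}),        # bridges to DMZ directly
    ]
    flows = [
        Flow("PCS-CTRL-01", "SIS-ESD-01", PROCESS_BUS, "safety_command"),  # PCS commanding SIS
    ]
    return nodes, flows


if __name__ == "__main__":
    for label, design in (("compliant", compliant_design()),
                          ("non-compliant", noncompliant_design())):
        print(label + ":", check_icss_design(*design) or "OK")
```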

2.4 ICSS HIERARCHY LEVELS


The Purdue logical framework identifies three zones and five levels of operations (according to
IEC 62443-2-1) as shown in figure below:

With reference to the Control zone, the ICSS architecture will be based on four control/safety
levels as defined below.

ENGINEERING COMPANY STANDARD


This document is property of eni spa. It shall neither be shown to third parties nor used for purposes other than those for which it has been sent.
eni spa 27607.DOC.STA.SDS
Rev 03 – October 2016
Sh 14 of 63

Level 0 (Process I/O devices)


Level 0 includes the control and safety sensors and instrumentation elements that are directly
connected to the control or safety systems. These devices are driven by the systems of Level 1.

Level 1 (data acquisition and processing)
Level 1 includes the control and safety equipment/systems that receive input from the sensors,
process the data using control algorithms and send the resulting outputs to the final elements.
The main functions included in this level are:
• The Process Control (PCS) functions: control of flow, pressure, temperature, level,
automatic sequences, etc.
• The ESD functions: shutdown of part or all of the facilities in the event of a process upset
or of a specified fire and gas alarm (ESD or ASD action). PSD or LSD action carries out a
low-level shutdown of process or utility equipment in case of a minor process upset or
abnormal condition.
• The F&G functions: detection of fire and gas presence and protection of the facilities by
activation of extinguishing devices and electrical isolation through the ESD functions.
Personnel are alerted by audible and visual alarms in case of fire or gas detection.
The F&G node(s) should be segregated from the ESD ones; nevertheless, the shutdown
actions on the facilities following F&G detection are carried out by the ESD function
(building F&G detection is out of the scope of this function and is addressed in paragraph 4.6).

Level 2 (Operation interface)
Level 2 consists of the following:
• The Human-Machine Interface (HMI), based on an ergonomic and secured display
philosophy, including all the components described in Section 5.

Level 3 (Gathered data treatment)
Level 3 consists of the following:
• Engineering Workstations;
• The Information Management System (IMS), i.e. the instrumentation device maintenance
tool;
• The Sequence of Events (SOE) recorder, which gathers all safety alarms and actions
chronologically. These signals come from Level 1 (SIS and building F&G);
• The Historian, i.e. the database which collects all process data and makes them available
for processing and trends;
• The Operator Training System (OTS), i.e. the hardware and software architecture used to
virtually reproduce the plant and its behaviour in order to train the operators to control
the plant;
• Remote Access services for connection to external networks.

ICSS connection to external Networks

In accordance with the Cyber Security guideline “Cyber Security Baseline for Industrial Control
Systems v1.0” attached to this document, in order to reduce the risks related to external
connections into the Control Zone, a Demilitarized Zone (DMZ) will be created by using a pair of
firewalls.
The first firewall, between the DMZ and the Enterprise zone, blocks inbound traffic destined for
systems in the Control Zone network and inspects traffic into and out of the DMZ. The second
firewall, between the DMZ and the Control Zone, controls traffic into and out of the ICSS area
and contains attacks originating inside the ICSS network. External systems therefore never
communicate directly with Control Zone hosts, but only with servers placed in the DMZ. For
further details, refer to Cyber Security Baseline for Industrial Control Systems v1.0.
The ICSS shall be supplied with remote access management tools allowing the control and
management of user identifiers (IDs) and passwords.
The ICSS network should be monitored by dedicated network monitoring tools (e.g. a packet
sniffer).
The firewall brand shall be specified by the SUPPLIER and approved by the COMPANY. The
firewall configuration is confidential and shall be disclosed only to an agreed, restricted list of
persons.
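The two-firewall arrangement described above, modelled as an added example; this is not code from the standard or from the Cyber Security Baseline it references. Zone names, the services assumed to sit in the DMZ (a historian replica and a remote-access jump host), the port numbers and the rules themselves are assumptions chosen to match the text. What it shows is the property the text asks for: with a default-deny rule set on each firewall, an Enterprise host can reach a DMZ server but never a Control Zone host, even for a port the second firewall would pass from the DMZ, and a Control Zone host cannot open a connection out to the Enterprise zone.

```python
"""Two-firewall DMZ policy model for the ICSS Control Zone boundary.

Added example, not part of the eni standard or of the Cyber Security Baseline
it references. Zones, DMZ services, ports and rules are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTERPRISE, DMZ, CONTROL = "enterprise", "dmz", "control"
ANY = "any"


@dataclass(frozen=True)
class Flow:
    src: str      # originating zone
    dst: str      # destination zone
    proto: str    # "tcp" or "udp"
    port: int     # destination port


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or ANY
    port: Optional[int]    # None = any port
    action: str            # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.src in (f.src, ANY) and self.dst in (f.dst, ANY)
                and self.proto in (f.proto, ANY) and self.port in (f.port, None))


def decide(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation; an implicit deny closes every rule set."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


# FW1: Enterprise <-> DMZ. Only the DMZ servers are reachable from the
# Enterprise zone; nothing addressed to the Control Zone is allowed through.
FW1: List[Rule] = [
    Rule(ENTERPRISE, DMZ, "tcp", 443, "allow"),   # read-only historian replica (assumed)
    Rule(ENTERPRISE, DMZ, "tcp", 22, "allow"),    # remote-access jump host (assumed)
    Rule(DMZ, ENTERPRISE, "tcp", 443, "allow"),   # DMZ pulls patches/AV updates (assumed)
]

# FW2: DMZ <-> Control. Only the ICSS historian may push to its replica and
# only the jump host may reach the engineering workstations; anything else
# originating inside the ICSS network stops here.
FW2: List[Rule] = [
    Rule(CONTROL, DMZ, "tcp", 5432, "allow"),     # historian -> DMZ replica (assumed port)
    Rule(DMZ, CONTROL, "tcp", 3389, "allow"),     # jump host -> EWS remote desktop (assumed)
]

ZONE_ORDER = {ENTERPRISE: 0, DMZ: 1, CONTROL: 2}


def firewalls_on_path(src: str, dst: str) -> List[List[Rule]]:
    """Firewalls a flow crosses: Enterprise<->Control crosses both of them.
    A flow that stays inside one zone crosses none."""
    lo, hi = sorted((ZONE_ORDER[src], ZONE_ORDER[dst]))
    return [fw for fw, idx in ((FW1, 0), (FW2, 1)) if lo <= idx < hi]


def is_permitted(flow: Flow) -> bool:
    """A flow passes only if every firewall on its path allows it."""
    return all(decide(fw, flow) == "allow"
               for fw in firewalls_on_path(flow.src, flow.dst))


def direct_paths(ports=range(1, 65536), protos=("tcp", "udp")) -> List[Tuple[str, str, str, int]]:
    """Audit check: every (src, dst, proto, port) that could travel end to end
    between Enterprise and Control. For a correct DMZ it must be empty."""
    found = []
    for proto in protos:
        for port in ports:
            for src, dst in ((ENTERPRISE, CONTROL), (CONTROL, ENTERPRISE)):
                if is_permitted(Flow(src, dst, proto, port)):
                    found.append((src, dst, proto, port))
    return found


if __name__ == "__main__":
    print("enterprise -> dmz/443      ", is_permitted(Flow(ENTERPRISE, DMZ, "tcp", 443)))
    print("enterprise -> control/502  ", is_permitted(Flow(ENTERPRISE, CONTROL, "tcp", 502)))
    print("enterprise -> control/3389 ", is_permitted(Flow(ENTERPRISE, CONTROL, "tcp", 3389)))
    print("control -> enterprise/443  ", is_permitted(Flow(CONTROL, ENTERPRISE, "tcp", 443)))
    print("direct paths:", direct_paths())
```

The audit function is the check worth keeping from this: run it against the real rule sets whenever a firewall change is approved, and treat any non-empty result as a segmentation failure. The hosts that do get reached (jump host, replica) are the ones an attacker must compromise first, which is why the text keeps them in the DMZ and not in the Control Zone.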


2.5 ICSS I/O MODULES

Standard I/O Modules


The ICSS shall manage and process both analogue and digital signals. I/O modules shall be able
to handle a wide variety of signals (the number of signals per module will be the VENDOR's
standard).
I/O cards shall be electrically isolated from the field components/equipment. Each I/O channel
shall provide electrical isolation “signal to ground” and “signal to signal”.
Diagnostic data and parameters of the modules shall always be available in the ICSS HMI.

Remote I/O Modules


The use of Remote I/O modules shall be decided by the project and minimised as much as
possible, owing to availability and reliability concerns that could strongly affect production,
maintenance and safety.
Remote I/O shall be certified for Zone 1 if installed in hazardous areas. Each I/O card and each
power supply module shall always be replaceable under power (hot swap). The design of the
remote I/O racks shall be such that the loss or de-energisation of one remote I/O rack never
affects the other remote I/O racks. As for the standard I/O modules, each I/O channel shall
provide electrical isolation “signal to ground” and “signal to signal”. All diagnostic data and
parameters (e.g. HART functions) shall always be available, as for the standard I/O modules.
Furthermore, the use of remote I/O technology for safety functions shall be selected and
evaluated by the project and shall meet the following requirements:
a) Where redundancy is requested (e.g. I/O module, power supply module,
communication card, etc.), each RIO shall provide the relevant facility.
b) The use of remote I/O for safety functions shall meet the following requirements:
- loop component redundancy;
- project segregation criteria;
- SIL compliance (SIL 3 certification).
In any case, the use of remote I/O for safety purposes shall always be subject to COMPANY
APPROVAL.

2.6 ICSS ELECTRICAL POWER SUPPLIES


The ICSS power distribution philosophy should be developed as follows:
a) The plant UPS shall provide redundant power supply lines at 240 VAC 50 Hz (or 60 Hz
according to project requirements) through the relevant automatic main feeders. The
number of power lines (floating type) is generally 3 pairs:
• one redundant power line for the PCS Power Distribution Panel(s);
• one redundant power line for the SIS Power Distribution Panel(s);
• one redundant power line for the F&G/FACP Power Distribution Panel(s), if not
included in the SIS PDP.
Each redundant power line will be switched off with the proper time delay within the UPS
system.
b) Two Power Distribution Panel groups shall be derived from the UPS, the former
dedicated to the control systems and the latter to the safety systems.
Each PDP shall be functionally divided into three sections in order to provide redundant
(using two sections) and single (using one section) power supplies to feed all ICSS parts
and each package UCP/PLC with the relevant feeders at 240 VAC, floating type.
c) Generally, each ICSS subsystem shall be provided with its own power supply distribution
system in order to generate the other voltage levels (e.g. 24 VDC, 5 VDC, etc.).
d) All users not requiring a UPS (e.g. cabinet electrical sockets, cabinet internal lights, etc.)
shall be fed by other Power Distribution Panel(s) through the normal power supply system.
See APPENDIX B for more details.

2.7 ICSS REDUNDANCY REQUIREMENTS


The following general requirements shall apply to those parts of the ICSS supplied in a
redundant configuration (e.g. external communication bus, power supply modules):
• Imposed switchovers shall have no effect on system operation;
• Redundant equipment shall be continuously monitored for error diagnostics;
• Automatic switchover to the back-up equipment shall take place on detection of a failure
of the primary equipment; the switchover shall have no effect on system operation;
• Any failure of the back-up equipment shall be handled by the system alarm;
• Current operating parameters shall be continuously updated and synchronised on the
back-up equipment;
• Switchback to repaired equipment shall be by manual command.
For the further redundancy requirements of each ICSS sub-system refer to paragraphs 3.6,
4.9 and 6.4.

2.8 ICSS PERFORMANCES


The ICSS shall be designed to meet the best performance available and shall be based on
standard products of field-proven design.
The typical values of sub-system performance are shown below (as indications only). The
following requirements should be checked during the FAT and verified after the SAT.
The minimum performance for the PCS shall be as follows:

PCS SYSTEM PERFORMANCE
Cycle time of each PCS node: 500 ms max
Interlocks cycle time: ≤ 200 ms
Recalling and refreshing cycle of the graphical pages: ≤ 1 s
Availability (MTTR 8 h): greater than 99.95%
Acquisition cycle for signals from serial and Ethernet lines (whatever the number and type
of information to be acquired): ≤ 1 s

The minimum performance for the SIS shall be as follows:

SIS PERFORMANCE
Cycle time of each SIS node: 250 ms max
Data exchange communication time between PCS and SIS (for read and write) where PCS and
SIS are fully integrated: 500 ms max
Data exchange communication time between PCS and SIS (for read and write) where PCS and
SIS are NOT fully integrated, measured from the starting event to the receipt of the signal:
3 s max
Availability (MTTR 8 h): greater than 99.99%

The minimum performance for the SCADA shall be as follows:

SCADA SYSTEM PERFORMANCE
Cycle time of each RTU node: 500 ms max
Interlocks cycle time: ≤ 200 ms
Recalling and refreshing cycle of the graphical pages: ≤ 1 s
Availability (MTTR 8 h): greater than 99.9%
Acquisition cycle for signals from serial and Ethernet lines (whatever the number and type
of information to be acquired): ≤ 1 s

ICSS AVAILABILITY and Reliability

Availability is defined as the percentage of time that a system is available to perform its
required function(s). It is measured in different ways, but it is principally a function of downtime.

Inherent availability is the appropriate design and performance criterion; it is based only on
the inherent failure characteristics of the system, without considering unavailability for
scheduled maintenance.
Inherent availability is defined as:

$$A_i = \frac{MTBF}{MTBF + MTTR} \times 100\%$$

where MTBF is the Mean Time Between Failures and MTTR is the Mean Time To Repair.
MTBF is commonly used as a measure of reliability.
The overall plant facility shall be designed to provide high production availability; therefore,
the process control and safety systems shall be of high integrity. The number of production
shutdowns caused by control/safety system failures shall be kept to a minimum, and the effect
of any system failure shall be selective, so as to minimise the economic impact without
impairing safety.
Vendors shall make clear at the time of tender the spares required to be held locally in order to
achieve the desired MTTR.
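A worked availability check, added here as an example and not taken from the standard: it applies the A_i formula to the three availability targets of section 2.8 (PCS 99.95%, SIS 99.99%, SCADA 99.9%, each at the 8 h MTTR), inverts it to give the MTBF a vendor must demonstrate, and shows how the required MTBF grows if spares are not held locally and the MTTR stretches. The MTBF figures in the sample run are constructed inputs, not vendor data.

```python
"""Inherent availability check against the ICSS targets.

Added example, not from the standard. The formula A_i = MTBF/(MTBF+MTTR) x 100%
and the targets (PCS 99.95%, SIS 99.99%, SCADA 99.9%, each at MTTR 8 h) are
the standard's; the MTBF figures used in the sample run are constructed.
"""
HOURS_PER_YEAR = 8760.0
TARGET_PCT = {"PCS": 99.95, "SIS": 99.99, "SCADA": 99.9}   # section 2.8 tables
DESIGN_MTTR_H = 8.0


def inherent_availability(mtbf_h: float, mttr_h: float) -> float:
    """A_i in percent, from inherent failure characteristics only."""
    if mtbf_h <= 0 or mttr_h < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_h / (mtbf_h + mttr_h) * 100.0


def required_mtbf(target_pct: float, mttr_h: float) -> float:
    """Smallest MTBF (hours) meeting target_pct at the given MTTR (A_i inverted)."""
    a = target_pct / 100.0
    if not 0.0 < a < 1.0:
        raise ValueError("target must lie strictly between 0% and 100%")
    return mttr_h * a / (1.0 - a)


def downtime_hours_per_year(availability_pct: float) -> float:
    """Expected unavailability per year implied by an availability figure."""
    return (1.0 - availability_pct / 100.0) * HOURS_PER_YEAR


def check_subsystems(mtbf_h: dict, mttr_h: float = DESIGN_MTTR_H) -> dict:
    """Per sub-system: achieved A_i, target, pass/fail and the MTBF shortfall."""
    report = {}
    for name, target in TARGET_PCT.items():
        achieved = inherent_availability(mtbf_h[name], mttr_h)
        need = required_mtbf(target, mttr_h)
        report[name] = {
            "achieved_pct": achieved,
            "target_pct": target,
            "meets_target": achieved >= target,
            "mtbf_shortfall_h": max(0.0, need - mtbf_h[name]),
        }
    return report


def mttr_sensitivity(target_pct: float, mttr_options_h) -> dict:
    """Required MTBF for each MTTR: why the spares held locally matter."""
    return {mttr: required_mtbf(target_pct, mttr) for mttr in mttr_options_h}


if __name__ == "__main__":
    sample_mtbf = {"PCS": 20_000.0, "SIS": 60_000.0, "SCADA": 10_000.0}  # constructed
    for name, r in check_subsystems(sample_mtbf).items():
        print(f"{name}: A_i={r['achieved_pct']:.4f}% target={r['target_pct']}% "
              f"ok={r['meets_target']} MTBF shortfall={r['mtbf_shortfall_h']:.0f} h")
    # same SIS target with spares on site (8 h) versus shipped from the vendor
    for mttr, mtbf in mttr_sensitivity(99.99, (8.0, 24.0, 72.0)).items():
        print(f"MTTR {mttr:>4.0f} h -> MTBF >= {mtbf:,.0f} h ({mtbf / HOURS_PER_YEAR:.1f} years)")
```

With the 8 h MTTR the SIS target of 99.99% needs an MTBF of roughly 80,000 h (about 9 years); if a failed module has to be shipped in and the MTTR becomes 72 h, the required MTBF grows nine-fold, which is the reason the standard asks vendors to state the local spares at tender time.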

Time Synchronization

All ICSS systems (PCS, ESD and F&G) and other third-party electronic devices shall be time
synchronised, so that events are time stamped with a common system time from a single
external source: a GPS receiver that distributes the time synchronisation messages to the
systems. Network Time Protocol (NTP) over an Ethernet connection (or Modbus), referenced by
an IP address (or a specific register), may be used.
The synchronisation signal shall be transmitted to all sub-systems via the interface links.
The preferred solution for package synchronisation is via software link. If a package is not able
to accept software synchronisation messages from the ICSS, or for packages without a software
link, a hardwired synchronisation signal will be connected to the package Unit Control Panel.
The clock synchronisation requirement should be 50 ms or better. The system checks at a
predefined interval that the sub-systems have the correct time. If it detects a time deviation,
it corrects the time gradually (slewing), to prevent time "leaps" in the system.
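The NTP exchange behind the paragraph above, as an added example that is not part of the standard: a client request and a server reply are built offline (no network), the offset and round-trip delay are computed from the four timestamps as in RFC 5905, the result is compared with the 50 ms requirement, and the correction is planned as a slew rather than a step. The 500 ppm slew limit and all timestamps are assumptions; the reply is constructed to represent a GPS-disciplined stratum-1 server, as in the text. The originate-timestamp check is the one a practitioner should not skip: a reply that does not echo the client's own transmit time is stale or forged and must be discarded rather than used to steer the plant clock.

```python
"""NTP offset measurement and gradual (slew) correction for ICSS sub-systems.

Added example, not from the standard. Builds an NTP client request and a
constructed server reply offline, computes clock offset and round-trip delay
as in RFC 5905, checks the 50 ms requirement and plans a slew, not a step.
The 500 ppm slew limit and the sample timestamps are assumptions.
"""
import struct

NTP_EPOCH_DELTA = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01
HEADER = "!BBbbIIIQQQQ"            # 48-byte NTP header, timestamps as 64-bit ints
SYNC_BUDGET_S = 0.050              # text requirement: 50 ms or better
MAX_SLEW_PPM = 500.0               # assumed maximum slew rate (ntpd-like)


def to_ntp(unix_s: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point since 1900)."""
    whole = int(unix_s)
    frac = int(round((unix_s - whole) * 2**32))
    return ((whole + NTP_EPOCH_DELTA) << 32) | frac


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / 2**32


def build_request(t1_unix: float) -> bytes:
    """Client packet: LI=0, VN=4, Mode=3; the transmit timestamp carries T1."""
    return struct.pack(HEADER, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1_unix))


def build_reply(request: bytes, t2_unix: float, t3_unix: float) -> bytes:
    """Server side, used here only to construct the sample reply offline.
    Echoes the client's transmit time as 'originate', stamps receive (T2) and
    transmit (T3); stratum 1 with reference id 'GPS ' as in the text."""
    originate = struct.unpack(HEADER, request)[10]
    return struct.pack(HEADER, 0x24, 1, 0, -20, 0, 0, 0x47505320,
                       to_ntp(t2_unix), originate, to_ntp(t2_unix), to_ntp(t3_unix))


def parse_reply(reply: bytes, t1_unix: float, t4_unix: float):
    """Return (offset, delay) in seconds. Offset > 0 means the server is ahead."""
    f = struct.unpack(HEADER, reply)
    if f[0] & 0x07 != 4:
        raise ValueError("not a server-mode packet")
    if f[8] != to_ntp(t1_unix):
        # originate must echo our own T1; otherwise it is not a reply to us
        raise ValueError("originate timestamp mismatch (stale or spoofed reply)")
    if f[1] == 0 or f[10] == 0:
        raise ValueError("kiss-o'-death or unsynchronised server")
    t2, t3 = from_ntp(f[9]), from_ntp(f[10])
    offset = ((t2 - t1_unix) + (t3 - t4_unix)) / 2.0
    delay = (t4_unix - t1_unix) - (t3 - t2)
    return offset, delay


def within_budget(offset_s: float) -> bool:
    return abs(offset_s) <= SYNC_BUDGET_S


def slew_duration_s(offset_s: float, max_ppm: float = MAX_SLEW_PPM) -> float:
    """Seconds needed to remove the offset by slewing at max_ppm (no time leap)."""
    return abs(offset_s) / (max_ppm * 1e-6)


if __name__ == "__main__":
    t1 = 1_700_000_000.0                                 # constructed client send time
    req = build_request(t1)
    rep = build_reply(req, t1 + 0.3125, t1 + 0.4375)    # server 0.25 s ahead, 1/16 s one way
    off, dly = parse_reply(rep, t1, t1 + 0.25)
    print(f"offset={off:+.4f} s delay={dly:.4f} s in_budget={within_budget(off)} "
          f"slew={slew_duration_s(off):.0f} s")
```

The delay value bounds the measurement error (the true offset lies within ±delay/2 of the computed one), so a 50 ms budget needs the GPS source on a low-latency path inside the Control Zone rather than across the DMZ firewalls.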

2.9 ICSS ENGINEERING WORKSTATION


At least one Engineering Workstation (EWS) shall be provided for each of the ICSS systems
(i.e. PCS, ESD, F&G, SCADA, etc.). The Engineering Workstation(s) can be placed locally at
the control cabinets or in dedicated zones, preferably separated from the HMI operator stations
located in the Control Room. A suitably authorised person shall be able to view the active
software and hardware configurations and implement approved user modifications. Security
facilities shall be provided to prevent unauthorised access to the programs. The ESD system
EWS may be combined with the F&G EWS if supplied by the same manufacturer.

2.10 ICSS INTERFACES


The ICSS should provide the following interface protocols:
• Profibus
• Modbus RTU / TCP/IP, RS-232/485
• HART, WirelessHART (where necessary); HART data shall preferably be retrieved directly
into the control system through the I/O card
• EtherNet/IP
• Foundation Fieldbus
• OPC
• IEC 61850
• IEC 60870
• DNP3
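A worked Modbus RTU frame check, added as an example and not code from the standard or from any vendor: it serves both the error-detection requirement of section 2.3 (a CRC on every frame) and the Modbus RTU entry in the list above. The CRC-16/MODBUS algorithm and the sample frame (read one holding register from unit 1, a frame whose CRC bytes are widely published) are real; the flipped-bit and forged frames are constructed. The point for a security reviewer is the last case: the CRC catches corruption in transit, but a forged write command built by anyone on the bus carries a perfectly valid CRC, so none of the protocols in this list provide message authentication by themselves and their exposure must be confined to the Control Zone.

```python
"""Modbus RTU frame integrity check with CRC-16 (polynomial 0xA001, reflected).

Added example, not from the standard. It shows the per-frame error detection
the communication-bus requirement asks for and why a CRC is not a security
control: a forged frame carries a valid CRC. Frame bytes are constructed.
"""


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(unit: int, function: int, payload: bytes) -> bytes:
    """ADU = unit id + function code + data + CRC (low byte first on the wire)."""
    body = bytes([unit, function]) + payload
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def verify_frame(frame: bytes) -> bool:
    """True if the trailing CRC matches the rest of the frame."""
    if len(frame) < 4:
        return False
    crc = crc16_modbus(frame[:-2])
    return frame[-2:] == bytes([crc & 0xFF, crc >> 8])


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error by inverting one bit of the frame."""
    out = bytearray(frame)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def classify(frame: bytes) -> str:
    """What the CRC tells a receiver, and what it does not."""
    if not verify_frame(frame):
        return "rejected: CRC mismatch (corrupted in transit)"
    return "accepted: CRC valid (says nothing about who sent it)"


if __name__ == "__main__":
    # Read 1 holding register at address 0 from unit 1: 01 03 00 00 00 01 + CRC 84 0A
    good = build_frame(1, 3, bytes.fromhex("00000001"))
    print(good.hex(), classify(good))
    damaged = flip_bit(good, 21)
    print(damaged.hex(), classify(damaged))
    # Force single coil 0 ON (function 05, value FF00): anyone on the bus can
    # build this with a correct CRC and the receiver cannot tell it apart.
    forged = build_frame(1, 5, bytes.fromhex("0000FF00"))
    print(forged.hex(), classify(forged))
```

The generator polynomial used by Modbus detects every single-bit error and every burst of up to 16 bits, which is what the bus requirement is after; authentication of the sender has to come from elsewhere (segmentation, access control on the serial gateway, or a protocol that carries it).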

2.11 ALARM MANAGEMENT SYSTEM


The Alarm Management System shall comply with IEC 62682, considering an alarm system
lifecycle model.
The color philosophy to represent alarms and events shall be defined project by project and
approved by COMPANY. As an example the following colors may be used for alarms and events:
Critical: White
High: Red
Medium and Low: Yellow
Events: Cyan

2.12 INFORMATION MANAGEMENT SYSTEM (IMS)


The Information Management System (IMS) includes the tools and practices needed to keep all
assets performing at their best.
The IMS shall be capable of managing HART data from the ICSS, data using communication
protocols other than HART, and other information from all third-party PLCs, through a serial
connection with them.
With the IMS function it is possible to perform intelligent operations, such as remote access,
device parameter management, device diagnostics and tuning.
The IMS shall provide at least the following features for all ICSS (DCS/ESD/FGS) HART-related
instrumentation, whenever applicable:
• Monitoring of the status, events and operating conditions of all connected field devices;
• Online connection to and configuration of instruments and valves;
• Valve diagnostic tests (including Partial Stroke Test);
• Execution of device diagnostics, with the results documented in the IMS;
• Automatic recording of all instrument parameter changes and maintenance activities;
• Configuration data;
• Calibration check of HART transmitters;
• Configuration audit trail;
• Checking of loop performance.


2.13 DATA STORAGE AND RETRIEVAL SYSTEM


It shall be possible to store data in the ICSS servers' bulk memory as a rolling file, such that
when the total file storage capacity is reached the most recent data is saved and the oldest is
deleted.
A historian server shall be supplied to allow data archiving and data enquiry for all the data
(both hardwired and serial) relevant to the ICSS servers, using RAID (Redundant Array of
Independent Disks; RAID 1 as a minimum requirement) technology or equivalent.
Archiving shall be done automatically at pre-defined periods. It shall also be possible to store
and retrieve this data on removable mass storage media such as DVD/CD-ROM, etc.
The historian archive memory shall be sized for a minimum of 3 years of rolling data, assuming
all plant I/O, with time-stamped values (analogue) and statuses (digital) taken every 5 s for
digital signals and at a configurable interval between 5 s and 1 minute for analogue signals.

2.14 ICSS SPARE PHILOSOPHY


The spare capacity/expandability indicated hereafter is the spare capacity at the end of SAT, for
each system (PCS, SIS and SCADA). The term future expansion, as used hereinafter, means any
expansion of the system beyond the requirements of the project.

Human Machine Interface (HMI)

The Human Machine Interface (HMI) is the operator interface allowing the interaction between
the operator and the plant to be controlled/supervised.
HMI performance and memory shall be adequate to allow an increase of 50% in the size of the
configured database, without requiring any hardware modification, while still complying with
the stated performance criteria. The communication system shall be capable of handling the
above-specified expansion.
Each hardwired auxiliary panel shall be designed to allow an increase in components of 20% for
future expansion.

Internal and External Communications

The main internal communication network of the system shall be adequate to allow an increase
of 50% in the number of nodes with no noticeable degradation of system performance and
access time. System communication bus usage shall not be higher than 70% of capacity.
The installed external communication system shall be capable of handling an increase of 30%
for future expansion without any noticeable degradation of system access time.
All other internal communication networks of the system shall be adequate to allow an increase
of 30% in the size of the configured database with no noticeable degradation of system
performance and access time.

Controllers and I/O Cards

The supplied controllers and the associated I/O sub-system shall be sized to provide for a
future 20% increase in capacity.
That is to say, there shall be sufficient reserve capacity to add a further 20% of I/O cards
without adding components or equipment of any kind (CPU cards, power supplies, racks) other
than I/O cards, terminations and their accessories and cabling. A minimum of 20% reserve
capacity of I/O cards, for each type of I/O signal, shall be installed and wired at system
shipping.
The average software load, for the entire system as a whole, shall be no more than 60%;
however, the ICSS Supplier shall consider that an initial average software load of 50%, based
on the preliminary I/O count, is required. The ICSS Supplier shall clearly demonstrate in the
bid that the system sizing meets this initial requirement.
The load shall be calculated using the equations below.
U, the processor loading, is the percentage of time not spent in the idle task, i.e. the
percentage of time used by the application program, also called cyclic load, as shown in the
equation below:


$$U = 100\% - B$$

where B, the percentage of time spent in the idle task (the task with the absolute lowest
priority in a multitasking system), is:

$$B = \frac{\text{average period of background task with no load}}{\text{average period of background task with some load}} \times 100\%$$
The load is strongly affected by some parameters:
• scan time
• number of signals connected in the controller logic.
A load calculator shall be used to estimate the controller load by entering different parameters
into a set of predefined formulas based on the load ICSS library.
Finally, memory usage (after all programs are loaded) shall be not higher than 70% of the
system memory.
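The load equations and the sizing limits of this section, worked through as an added example; this is not the ICSS library load calculator the text refers to, and the controller names, background-task periods and I/O counts are constructed inputs. It computes U = 100% − B from the background-task period measured with and without load, averages U over the controllers, and reports every limit exceeded: average load 50% at bid and 60% in design, memory at most 70%, bus usage at most 70%, and 20% installed spare I/O per signal type on top of the cabled signals.

```python
"""Controller load and spare-capacity check for ICSS sizing.

Added example; it is not the ICSS library load calculator the standard refers
to. It implements U = 100% - B, with B the idle-task share derived from the
background-task period measured with no load and with load, and checks the
limits of the spare philosophy. Controller names, periods and I/O counts are
constructed.
"""
from typing import Dict, List, Tuple

AVERAGE_LOAD_LIMIT_PCT = {"bid": 50.0, "design": 60.0}
MEMORY_LIMIT_PCT = 70.0
BUS_LIMIT_PCT = 70.0
SPARE_IO_PERCENT = 20


def idle_percent(period_no_load_ms: float, period_loaded_ms: float) -> float:
    """B: share of time spent in the idle (lowest-priority) task.
    The background task is stretched by everything that pre-empts it, so the
    ratio of its unloaded period to its loaded period is the idle share."""
    if period_no_load_ms <= 0 or period_loaded_ms < period_no_load_ms:
        raise ValueError("loaded period must be >= unloaded period > 0")
    return period_no_load_ms * 100.0 / period_loaded_ms


def processor_load(period_no_load_ms: float, period_loaded_ms: float) -> float:
    """U = 100% - B, the cyclic load of one controller."""
    return 100.0 - idle_percent(period_no_load_ms, period_loaded_ms)


def controller_loads(controllers: Dict[str, Tuple[float, float]]) -> Dict[str, float]:
    """name -> U, from (period with no load, period with load) in ms."""
    return {name: processor_load(*periods) for name, periods in controllers.items()}


def required_installed(cabled: int, spare_percent: int = SPARE_IO_PERCENT) -> int:
    """Channels that must be installed and wired: cabled + spare, rounded up."""
    return (cabled * (100 + spare_percent) + 99) // 100


def check_sizing(controllers: Dict[str, Tuple[float, float]],
                 memory_pct: float, bus_pct: float,
                 io: Dict[str, Tuple[int, int]],
                 stage: str = "design") -> List[Tuple[str, float, float]]:
    """Return (check, value, limit) for every limit that is exceeded; empty = OK.

    io maps signal type -> (installed channels, cabled channels).
    """
    violations: List[Tuple[str, float, float]] = []
    loads = controller_loads(controllers)
    average = sum(loads.values()) / len(loads)
    limit = AVERAGE_LOAD_LIMIT_PCT[stage]
    if average > limit:
        violations.append(("average_load", round(average, 1), limit))
    if memory_pct > MEMORY_LIMIT_PCT:
        violations.append(("memory", memory_pct, MEMORY_LIMIT_PCT))
    if bus_pct > BUS_LIMIT_PCT:
        violations.append(("bus", bus_pct, BUS_LIMIT_PCT))
    for signal_type, (installed, cabled) in io.items():
        needed = required_installed(cabled)
        if installed < needed:
            violations.append((f"spare_io:{signal_type}", installed, needed))
    return violations


if __name__ == "__main__":
    sample_controllers = {"PCS-01": (10.0, 25.0), "PCS-02": (10.0, 20.0), "PCS-03": (10.0, 40.0)}
    sample_io = {"AI": (100, 90), "DI": (240, 200)}
    for name, u in controller_loads(sample_controllers).items():
        print(f"{name}: U = {u:.1f}%")
    for check, value, limit in check_sizing(sample_controllers, memory_pct=72.0,
                                            bus_pct=65.0, io=sample_io):
        print(f"VIOLATION {check}: {value} exceeds limit {limit}")
```

Run with the sample inputs the check flags the 61.7% average load, the 72% memory usage and the AI signal type (100 channels installed against the 108 that 90 cabled signals plus 20% spare require), which is the kind of evidence the bid has to carry.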

Marshalling Cabinets
A minimum of 20% fully equipped and wired, ready-to-use spare I/O cards SHALL be provided.
This shall be calculated on 100% of the actually cabled signals.
Furthermore, all spare pairs/cores of the field cables shall be terminated.
A minimum of 20% spare space to allow expansion of devices (wires, barriers, terminations,
terminals, etc.) shall be provided in each cabinet. According to project requirements, it is
acceptable to meet the spare space requirement by providing one or more free cabinets.

Future Expansions
A design is required that will allow planned and orderly expansion to meet projected data
acquisition and equipment needs. The design shall allow modular expansion such that the ICSS
design does not have to be replaced or shutdown where possible. The system shall have
expansion capability. This includes routine addition of data points, displays and reports, data file
expansion and long term expansion by addition of CPUs and disk drives.


3. PROCESS CONTROL SYSTEM (PCS)

The PCS shall perform the process control, and shall monitor the plant equipment. The PCS shall
be based on “open” system architecture and protocols. The PCS system network shall provide
real time performance in order to integrate and exchange information with other brand system
devices through specific communications supports and protocols.

3.1 PROCESS CONTROL SYSTEM (PCS) FUNCTIONS


The PCS shall provide, as a minimum, the following functions:
• Signal conditioning and transmission;
• Continuous control of analogue process loops;
• Monitoring of analogue and digital process variables;
• Mathematical functions (e.g. multiplication, division, square root, addition,
subtraction, etc.);
• PID control, ratio control, feed-forward functions, functional logic and sequencing;
• Equipment monitoring;
• Alarming and reporting;
• Data acquisition and archiving;
• Sequence of Events recording;
• Time synchronisation of sub-systems;
• Self-diagnostic facilities with alarm indications;
• Data processing with report printouts, for both technical and management purposes;
• Flexibility to configure and expand in case of future plant needs;
• Capability to be interfaced with other systems equipped with dedicated Programmable
Logic Controllers (PLC);
• Lead selection of the duty units via simple operator commands;
• Automatic start-up of the stand-by equipment when desired, or in case of fault or
stoppage of the running duty unit.
Bumpless transfer between all control modes (e.g. manual, automatic, cascade) shall be
provided without manual balancing adjustments.

3.2 PROCESS CONTROL SYSTEMS (PCS) DESCRIPTION


The system shall be composed of the manufacturer's standard hardware, system software and
firmware, configured to meet the stated requirements. The vendor's standard system operating
software shall not be modified to meet any of the User's requirements.
The PCS shall permit data acquisition and control functions to be performed at multiple
(distributed) locations, while providing the capability to monitor and control the process from a
central control room.
The system shall be sufficiently scalable and flexible that it can be configured for a wide range
of process requirements at loop and component level without changes to the hardware.
Data communication will be from the various sub-systems to the PCS and not vice versa.
Commands from the PCS to the other sub-systems should be limited as much as possible (i.e.
commands to packages).
The PCS architecture consists of the following main physical parts:
• Operating and Engineering Workstations;
• Communication system;
• Power supply system and protections;
• Process controllers;
• Data acquisition and storage equipment;
• Interconnection cables among cabinets.
The system shall provide facilities for scheduling and automatically performing particular tests,
such as valve stroke tests, and shall keep the database continuously updated.

3.3 PROCESS CONTROL SYSTEM (PCS) CONTROLLERS


The PCS controllers shall use digital techniques and shall be capable of combining data
acquisition, sequential/batch, continuous and discrete functions, and basic regulatory and
advanced control. Any value (calculated or measured) within any PCS controller shall be directly
accessible by any other device in the system without the need for hardwiring.
System multi-loop controllers shall be able to perform their control functions without access to
the operator/engineering workstations or to the communication bus. A console and/or
communication bus failure shall neither disrupt the process-to-controller interface nor prevent
blind operation of the plant.
The control of the process and utility units is performed through the operating consoles of the
Process Control System (PCS), included in the HMI operator station, where all the information
required by the operators, whether for monitoring, alarming, display, archiving, control or plant
safeguarding, shall be presented.
One of the main duties of the PCS is to reduce the number of demands on the SIS. A demand
on the SIS implies that the control system has failed to keep the process within the safe range,
and the process is now relying on the SIS to protect against the hazard.

3.4 ADVANCED PROCESS CONTROL (APC) SYSTEM


The Advanced Process Control (APC), when requested, is fully embedded in the ICSS
architecture; it will be installed in the ICSS cabinets and the APC operator interface will be the
same as the PCS one.
Based on the process variables gathered by the PCS and on additional information entered by
the operator, the APC will calculate the set points of the plant controllers in order to maintain
selected process parameters at their specified values or within the specified limits, without
violating either physical or process plant constraints.
Benefits obtained by the use of APC can be:
• more stable operation of the plant,
• lower energy consumption,
• higher plant throughput,
• product quality improvements,
• pollution minimisation.
The APC will be switched off by the operator or automatically during plant start-up or shutdown.
The APC will be based on a multivariable software package; however, where necessary, some
simple control strategies can be configured in the PCS (e.g. inferential correlations, neural
networks, genetic algorithms, fuzzy logic, etc.).
The system delivered on site (after FAT) will be pre-tuned and ready for step testing, in order
to minimise on-site activities.

3.5 INPUT/OUTPUT MODULES


Unless otherwise specified, all analogue inputs/outputs and digital inputs shall be powered by
the System.
External isolation barriers (to be installed in the marshalling panel, between the field signals
and the I/O cards) shall be provided where electrical isolation “signal to ground” and “signal to
signal” cannot be guaranteed by the I/O cards themselves.
All I/O circuits shall be isolated from logic or processor circuitry. Transient voltage isolation for
discrete I/O shall be around 1000 Volts RMS, common- mode.
All I/O circuits shall be protected for reverse polarity.
Input signal monitoring shall be used to generate invalid or out-of-range value status alarms.
I/O processors shall be configurable to either allow or inhibit propagation of invalid or out-of
range values.


Analogue input and output signals will be monitored to generate out-of limit alarms when
selected signal parameters exceed configurable limits.
Discrete input and output signals will be monitored to generate alarms when selected signal
parameters exceed configurable limits.
The HART signals shall be electrically compatible with the standard 4 to 20 mA signal.
Configurable Input/Output modules

One possible application is where the plant design status does not allow the quantity of each
signal type (e.g. AI, AO, DI, DO, etc.) to be properly defined, for each plant Facility Functional
Unit and for the partial/overall plant, and waiting for these data until the latest project stage
would delay project execution.
The use of cards with configurable input/output signals is permitted without relaxing the
requirements of Section 3.5 above. In this case, each signal can be configured as input or
output and as analogue or digital.
This kind of technology shall provide the capability to accept a suitable range of standard
signals (analogue input and output, digital input and output, pulse, etc.) that are user
selectable and changeable, in order to define the tag assignment of the card.

3.6 PROCESS CONTROL SYSTEM REDUNDANCY REQUIREMENTS


PCS redundancy shall be provided in order to ensure reliable and efficient control and
monitoring of the plant.
Thus all critical system components (such as system buses, CPUs and relevant software, I/O
cards, network communication interface cards, Ethernet switches (if any), power supply
modules and main feeders) shall be redundant.
The following minimum requirements related to redundancy features shall be guaranteed:
• Analogue I/O for critical control loops shall be redundant, in hot back-up configuration;
• Any I/O involved in critical sequences shall be redundant, in hot back-up
configuration;
• Processor CPUs shall be 1:1 redundant, in hot back-up configuration;
• Communication cards (including switches) shall be 1:1 redundant;
• Communication networks between the redundant controllers shall be dual redundant;
• Operator stations shall be duplicated so as to split plant control among the stations, but
each station shall be able to take full plant control;
• Power feeders and power supply units shall be redundant. The power supply units shall
be redundant in hot back-up or in “n+2” configuration.
The redundant I/O cards shall be installed in different racks in order to avoid common power
failures.
In case of processor malfunction, the back-up controller shall automatically take over all the
card functions and control strategies of the primary controller, in bumpless mode and in less
than one second. Continued automatic control shall be achieved without process disturbance or
control upset.
Failure of any processor controller shall cause an alarm to be generated on the operator console.
The loss of both the active and the back-up controller shall cause the system outputs to freeze
at their last position or to drive to pre-defined fail-safe conditions.

3.7 PROCESS CONTROL SYSTEM SEGREGATION REQUIREMENTS


Field I/Os shall be grouped and assigned to CPUs using the following guidelines as good engineering practice and not as sizing criteria:
• Inputs and/or outputs for multiple equipment (e.g. pumps, compressors, etc.) shall utilise separate modules in order to minimise the impact of a single module failure.
• CPU assignment should be designed in accordance with the process area segregation; as a general guideline, the major segregation criterion to be followed shall be based on functional aspects (e.g. CPUs for process units, CPUs for utility units, CPUs for serial links, etc.).
• The peer-to-peer communication between CPUs across the PCS communication network shall be minimised.
• In case of multiple equipment/trains, each I/O card shall not include more than one equipment/train. If the I/O quantities are large enough, the segregation will be extended also to racks.
• Where independent sensors/devices are dedicated to the monitoring of the same process variable or to the same action (in order to have redundancy of the measurement/action), the inputs/outputs shall be connected to different I/O modules in order to achieve maximum reliability. As a minimum, where multiple sensors are used, a failure of one field input shall not disable any other input, and repair must be possible on-line without impacting other inputs.

3.8 PCS INTERNAL COMMUNICATIONS


Communication networks shall be dual redundant, consisting of two separate buses and separate communication interfaces for each connected device, providing high-speed and reliable data transfer.
Any back-up communication device (cables, interfaces) must be automatically and permanently tested to ensure that it is not out of service. An alarm shall be generated in case of failure.
The digital communication link shall preferably utilize fibre optic or Cat 5 or Cat 6A cable, providing a high-speed communication path between all control devices, interface modules and multiple operator interfaces.
The overall system performance shall not be degraded whether the communication subsystem is loaded at 10% or at 100%.
Peer-to-peer communication capability shall be provided.
Transfer to a back-up communication channel shall be automatic, so that any device can be connected to or disconnected from the communication subsystem without disrupting normal operation, and a failure of any connected module should not affect the communication between the other modules.
A manual switchover of the communication channel must be possible. The system shall be designed for quick and easy connection and disconnection of devices.

3.9 PCS EXTERNAL COMMUNICATIONS


Specific parts of the plant can be controlled by dedicated systems based on programmable logic controllers (PLC), which need to communicate with the PCS to acquire signals, alarms and measurements, and to receive/send commands if any, for an efficient interchange of information. This information will be available on the graphic pages used to handle the relevant process units. Further information on the ICSS – UCP interface is given in Section 8.
The PCS shall be provided with redundant networks via serial ports of type RS 232, RS 422 or RS 485, or Ethernet TCP/IP or equivalent; each of these ports shall have redundant cables and connectors, so that if a serial communication failure appears, a switchover to the back-up serial line occurs. In addition, the PCS shall provide dedicated software for the exchange of data from/to other systems, allowing data compatibility between the PCS and the subsystems and guaranteeing remote management.
The ICSS SUPPLIER and the selected suppliers for the PLC-based systems must co-ordinate their respective actions for the implementation of the communication protocol between them. These co-ordination activities shall be in the scope of supply of both the PCS SUPPLIER and the PLC system suppliers.
The preferred communication protocol is Modbus TCP/IP over Ethernet or Modbus RTU.
The data to be exchanged shall be packed by type and function code, in order to minimise the number of read/write calls. This applies to the data that shall be read or written by the PCS, and not to a generic memory map, which could contain internal flags or intermediate data. The master PCS will read/write on one serial link and, in case of failure of the active link, the communication will be switched to the other port. The slave PLC will follow the same philosophy.
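The packing and link switchover described above, as an added example (not code from eni or from any ICSS or PLC supplier): the Python below groups a constructed PCS tag map into the fewest Modbus read calls per function code, frames each call as a Modbus TCP request, and fails over to the second link when the active one raises an error. The tag names, addresses, link names and the simulated slave are assumptions made for the example.

```python
"""Added example (not from the eni guideline or any supplier): packing PCS tag
reads into the fewest Modbus read calls, framing them as Modbus TCP requests,
and switching to the backup link when the active one fails. Tag names,
addresses and link names are constructed assumptions."""
import struct

MAX_REGS_PER_READ = 125    # Modbus limit for FC03/FC04 per request
MAX_COILS_PER_READ = 2000  # Modbus limit for FC01/FC02 per request

# Constructed PCS tag map: tag -> (function code, address)
TAG_MAP = {
    "PT-1001": (3, 100), "TT-1002": (3, 101), "FT-1003": (3, 102),
    "LT-2001": (3, 300), "PT-2002": (3, 301),
    "XS-1010": (1, 10), "XS-1011": (1, 11), "XS-1012": (1, 12),
}


def pack_reads(tag_map):
    """Group addresses by function code and merge contiguous runs into
    (fc, start, count) blocks, so that one call serves several tags."""
    by_fc = {}
    for fc, addr in tag_map.values():
        by_fc.setdefault(fc, set()).add(addr)
    blocks = []
    for fc in sorted(by_fc):
        limit = MAX_COILS_PER_READ if fc in (1, 2) else MAX_REGS_PER_READ
        start = prev = None
        for addr in sorted(by_fc[fc]):
            # extend the current run while it stays contiguous and within limit
            if start is not None and addr == prev + 1 and addr - start < limit:
                prev = addr
                continue
            if start is not None:
                blocks.append((fc, start, prev - start + 1))
            start = prev = addr
        blocks.append((fc, start, prev - start + 1))
    return blocks


def modbus_tcp_request(tid, unit_id, fc, start, count):
    """Modbus TCP ADU: MBAP header (transaction id, protocol 0, length, unit id)
    followed by the read PDU (fc, start, count); all fields big-endian."""
    pdu = struct.pack(">BHH", fc, start, count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def simulated_slave(adu):
    """Constructed stand-in for the PLC: answers any read with zero data."""
    tid, _, _, unit, fc, _, count = struct.unpack(">HHHBBHH", adu)
    data_len = (count + 7) // 8 if fc in (1, 2) else 2 * count
    payload = bytes([fc, data_len]) + bytes(data_len)
    return struct.pack(">HHHB", tid, 0, len(payload) + 1, unit) + payload


class RedundantMaster:
    """Issues reads on the active link; a failed call raises an alarm and
    switches to the other link, as the text requires for the serial ports."""

    def __init__(self, links):
        self.links = list(links.items())  # [(name, send(adu) -> response)]
        self.active = 0
        self.alarms = []
        self.tid = 0

    def read(self, unit_id, fc, start, count):
        for _ in self.links:
            name, send = self.links[self.active]
            self.tid = (self.tid + 1) & 0xFFFF
            try:
                return send(modbus_tcp_request(self.tid, unit_id, fc, start, count))
            except OSError as exc:
                self.alarms.append(f"link {name} failed: {exc}")
                self.active = (self.active + 1) % len(self.links)
        raise ConnectionError("all communication links failed")

    def poll(self, unit_id, tag_map):
        """Read every packed block once; returns the number of calls issued."""
        blocks = pack_reads(tag_map)
        for fc, start, count in blocks:
            self.read(unit_id, fc, start, count)
        return len(blocks)


def failing_link(adu):
    """Constructed link that never answers (cable or port failure)."""
    raise OSError("no response on link A")


if __name__ == "__main__":
    master = RedundantMaster({"A": failing_link, "B": simulated_slave})
    print("calls:", master.poll(1, TAG_MAP), "alarms:", master.alarms)
```

Eight tags become three read calls (one coil block and two register blocks); the first call fails on link A, is alarmed, and is retried on link B, which then stays active for the remaining calls.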

4. SAFETY INSTRUMENTED SYSTEM (SIS)

A Safety Instrumented System (SIS) is the control system that takes the process to a safe state with respect to conditions that may be hazardous or could eventually give rise to a hazard if no action is taken. It performs the Safety Instrumented Functions (SIF) by acting to prevent the hazard or to mitigate its consequences. It is composed of inputs (sensors), logic solvers and outputs (actuators).
As per the definition given, the SIS shall be functionally divided into two major parts: one dedicated to the process/utility plant behaviour (ESD – Emergency Shut Down function) and the other dedicated to the monitoring and prevention of fire or gas conditions (F&G – Fire and Gas function). Functionally, the two parts should be implemented in separate nodes of the SIS.
The F&G system for building/indoor applications is usually managed by a system panel called Fire Alarm Control Panel (FACP). The FACP is a dedicated system interfaced to the SIS. However, the FACP could be part of the ICSS according to the project needs. In this case, the FACP shall be of the same technology as the SIS to fit with the concept of Integrated System.

4.1 SIS FUNCTIONS


Unless specific requirements are stated in the project documents (i.e. Cause/Effect matrix, logic diagrams, narratives, etc.), the functions performed by the ESD system are, as a minimum:
• Monitor analogue and digital variables relevant to the safety of operation of the plant or of individual equipment/packages;
• Detect any abnormal operational or equipment condition;
• React to this condition automatically by shutdown and/or isolation of sections of the plant and bring the plant to a safe state;
• Blow down sections of the plant with the objective of preventing any consequential effect of the abnormal condition and bring the plant to a safe state;
• Provide a complete control and status overview to the operator on the HMI operator station;
• Provide annunciation and sequence of events logging of shutdowns, and transfer the information to the Alarm Management server for display on a dedicated workstation;
• Run automatic self-checking routines and provide system fault alarms and fault diagnostics.
This shall be achieved in a controlled, sequenced manner. The ESD system will initiate pre-programmed actions automatically, on detection of abnormal process conditions and hazardous conditions, or by manual activation through pushbuttons located on the ESD auxiliary console in the control room, or pushbuttons located in strategic areas of the plant, according to project documentation.
The Emergency Shutdown function of the SIS is generally structured with the following hierarchic main safety shutdown levels:
• ASD Level: Abandon Shut Down is the highest priority level for each plant. It is associated with the whole plant and is triggered manually from a manual station, for an emergency or a hazardous situation that can no longer be controlled;
• ESD Level: Emergency Shut Down is mainly related to fire and gas detection and to some critical situations;
• PSD Level: Process Shut Down is triggered on detection of abnormal conditions that present a risk of developing into an accidental situation;
  - USD Level: Unit Shut Down is a sub-level of PSD or a separate level for individual packages/equipment;
• LSD Level: Local Shut Down is triggered on detection of abnormal conditions and will operate on specific equipment.
The SIS shall not shut down those items or equipment required for the essential safety functions used in emergency.

The ESD, PSD and LSD safety levels must be designed, whenever practicable, so that the ASD has priority over the ESD, the ESD has priority over the PSD and the LSD, and the PSD has priority over the LSD.
The ESD system shall execute outputs in accordance with the project cause and effect matrix and the project ESD/PSD Block Diagram. Typically, each plant Facility Functional Unit may have instruments (e.g. transmitters, valves, etc.) handled by a specific safety level and other field instruments handled by another safety level.
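The shutdown hierarchy and cause and effect execution described above, as an added example that is not part of the guideline: a constructed cause and effect matrix is evaluated so that a higher level reached on a unit implies every lower level on that unit, and outputs are de-energised to trip except for equipment reserved for the essential safety functions. All unit, cause and final element tags are assumptions made for the example.

```python
"""Added example (not from the eni guideline): evaluating the hierarchical
shutdown levels ASD > ESD > PSD > USD > LSD against a constructed cause and
effect matrix. Units, causes, final elements and the essential-equipment set
are assumptions for illustration only."""
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    LSD = 1   # Local Shut Down
    USD = 2   # Unit Shut Down (sub-level of PSD)
    PSD = 3   # Process Shut Down
    ESD = 4   # Emergency Shut Down
    ASD = 5   # Abandon Shut Down (manual, whole plant)


ALL_UNITS = {"U100", "U200", "U300", "UTIL"}

# Constructed cause & effect matrix: cause tag -> (level, units it acts on)
CAUSE_EFFECT = {
    "PAHH-1001": (Level.PSD, {"U100"}),
    "LALL-2001": (Level.USD, {"U200"}),
    "TAHH-2105": (Level.LSD, {"U200"}),
    "GD-0301-confirmed": (Level.ESD, ALL_UNITS),
    "HS-ASD": (Level.ASD, ALL_UNITS),
}

# Constructed final elements: tag -> (unit, lowest level that trips it)
FINAL_ELEMENTS = {
    "XV-1001": ("U100", Level.PSD),
    "XV-1002": ("U100", Level.ESD),
    "P-201-STOP": ("U200", Level.USD),
    "E-2105-STOP": ("U200", Level.LSD),
    "XV-3001": ("U300", Level.ESD),
    "FW-PUMP-STOP": ("UTIL", Level.ASD),
}

# Equipment needed for essential safety functions: never shut down by the SIS
ESSENTIAL_SAFETY = {"FW-PUMP-STOP"}


def effective_levels(active_causes):
    """Highest level demanded on each unit by the active causes."""
    levels = {unit: Level.NONE for unit in ALL_UNITS}
    for cause in active_causes:
        level, units = CAUSE_EFFECT[cause]
        for unit in units:
            levels[unit] = max(levels[unit], level)
    return levels


def executed_levels(active_causes):
    """Every shutdown level executed per unit: the effective level and all
    lower ones, since a higher level has priority over and implies them."""
    return {unit: [lv for lv in Level if Level.NONE < lv <= top]
            for unit, top in effective_levels(active_causes).items()}


def output_states(active_causes):
    """De-energise-to-trip outputs: True = energised (running/open), False =
    tripped. An element trips when its unit reaches its level, unless it
    belongs to the essential safety equipment."""
    levels = effective_levels(active_causes)
    states = {}
    for tag, (unit, trip_level) in FINAL_ELEMENTS.items():
        tripped = levels[unit] >= trip_level and tag not in ESSENTIAL_SAFETY
        states[tag] = not tripped
    return states


if __name__ == "__main__":
    for causes in ({"PAHH-1001"}, {"GD-0301-confirmed"}, {"HS-ASD"}):
        print(sorted(causes), effective_levels(causes), output_states(causes))
```

A PSD on U100 trips XV-1001 but leaves the ESD valve XV-1002 open; a confirmed gas detection (ESD on all units) trips everything down to LSD level, yet the firewater pump stays energised because it is listed as essential safety equipment.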
Unless project specific requirements state differently, the major functions involved in the fire and gas and ESD function are:
• Monitor all designated areas for fire;
• Monitor all areas where flammable/toxic gases/vapours might be present in normal operation;
• Monitor all air locks/HVAC air intakes to technical rooms/accommodation/enclosures for toxic and flammable gas;
• Provide a facility for raising an alarm;
• Alert personnel of any fire or gas (toxic or flammable) emergency situation;
• Activate the automatic fire-fighting system and ESD functions;
• Close fire dampers of facilities where gas is detected;
• Alert personnel in the Control Room of any fault detected by self-test facilities;
• Activate audible and visual alarm devices;
• Evaluate signals from F&G detection, using voting techniques if necessary;
• Monitor the state and availability of the fire-fighting systems;
• Present a complete control and status overview to the operator on the HMI operator station;
• Provide annunciation and sequence of events logging of detectors, and transfer the information to the Alarm Management server for display on a dedicated workstation;
• Run automatic self-checking routines, provide system fault alarms and fault diagnostics.

4.2 SAFETY INSTRUMENTED SYSTEM (SIS) DESCRIPTION


The SIS shall be composed of the manufacturer's standard hardware, system software and firmware that can be configured to meet the stated requirements. The vendor's standard system operating software shall not be modified to meet any of the User's requirements. The system shall be of proven type.
The SIS is based on a redundant, fail-safe and fault-tolerant architecture, and will consist of the following parts:
• Engineering Workstations;
• Communication System;
• Power Supply system and protections;
• Process Interface;
• Sequence of Event Recording (SER);
• Interconnection cables among cabinets.
Functionally, the ESD and F&G parts of the SIS should be implemented in separate nodes of the SIS, but where the plant size and complexity are sufficiently small/simple, the Logic Solvers of the ESD and F&G parts of the SIS may be integrated in one node. In this case dedicated I/O cards shall be considered for the ESD and F&G functions.
The F&G system shall also interface with the Public Address and General Alarm System by means of hardwired signals.
The SIS shall be initiated automatically, via process safety devices, and/or manually via pushbuttons.
Key functions necessary to bring the installation to a safe level shall remain active for a defined time delay. This generally includes the SIS, fire-fighting systems and some other specific equipment. Emergency Response Equipment shall remain functionally live for the time necessary to perform an evacuation (protection of personnel) and to put the plant in the safe state.
The plant UPS, or the Power Distribution Panel, will manage the mentioned time delay and the consequent power supply switch-off upon the alarm arising from the plant upset.

In case of emergency, the SIS will automatically activate an alarm system able to alert all personnel throughout the plant; different alarm tones will be activated depending on the cause.
The SIS shall be self-contained in lockable cabinets that house only the SIS equipment. On-line logic changes (including trip set points and timer setting parameters) and system software upgrades shall not be performed unless full functional tests (inputs, outputs and logic) can be performed with the process unit in operation. All changes to the SIS shall be documented.

4.3 FAIL SAFE PHILOSOPHY


The fail-safe philosophy requires that shutdown circuits and logic elements be designed to be energized during normal operation and de-energized to trip for the ESD function, and de-energized during normal operation and energized to trip for the F&G function. In either case, the main equipment will be shut down keeping the plant in a safe condition, according to the project cause/effect matrix. In the occurrence of multiple or simultaneous faults that cause the SIS to go out of service, all outputs shall go to a safe state. It is understood that the safe state can only be the one with zero output signal.
The SIS shall be fault tolerant, able to protect the controlled process and monitored areas from intermittent, transient and permanent system faults, in order to achieve high reliability and integrity and to avoid both spurious shutdowns and failure to shut down when necessary; it shall also be able to perform its commands and functions in the presence of any single hardware, firmware or software fault or component failure without causing a system shutdown or a degradation in system performance.
Fault tolerance also includes software routines which ensure continuous diagnosis of the system in order to detect malfunction, fault or error conditions (either temporary or stable), and take appropriate on-line action, in real time, while the process is under control.
In the event of a single fault the SIS shall guarantee the full functionality of the system concerning equipment protection and the integrity of the process.
System diagnostics shall identify all possible faults through testing. Testing shall be either within each scan by Software Implemented Fault Tolerance (SIFT) or by Hardware Implemented Fault Tolerance (HIFT), or a combination of these.
It shall be possible to replace (“hot replacement” feature) any module without interrupting the normal operation of the process or requiring any part of the system to be powered down.

4.4 SIS CONTROLLERS


The SIS CPUs shall be fault tolerant and self-testing, composed of multiple processors (Dual, Triple or Quad Modular architecture) with suitable components and functions adequate to achieve high reliability and high integrity.
The failure of one CPU shall not result in a degraded availability or fail-safe mode of operation, and the maximum system safety performance shall be maintained provided the Mean Time To Repair (MTTR) for the CPU is met.
Redundant CPUs and inter-processor communications shall be provided.
CPU redundancy shall be designed to ensure continued automatic control in the event of CPU failure.
The backup CPU shall automatically take over all card functions and control strategies of the primary controller in less than one second without loss of automatic control, process disturbance or control upset (bumpless transfer). Failure of any CPU shall cause an alarm to be generated on the PCS and be logged. Loss of both the active and redundant CPUs shall cause system outputs to drive to pre-defined fail-safe conditions.
The SIS supplier shall fully describe the proposed ESD/F&G system architecture, including the Central Processing Unit (CPU) architecture and I/O architecture as well as the degraded mode of operation if a processor fault occurs. The description shall include:
• Processor type;
• Amount of user memory available for each CPU;
• Maximum number of I/O racks for each CPU;
• Maximum amount and type of I/O for each CPU.
The CPUs shall include discrete control functions to implement industry standard binary-logic functionality. Moreover, CPUs shall be capable of combining continuous and sequential functions.
The CPU shall continuously monitor its own status and indicate both normal operation and error via LED status indicators on each CPU faceplate. The monitoring watchdog for the CPU processors should be a separate part of the system, dedicated to this function only. The Supplier shall provide a description and reliability data for the watchdog, as well as details of how malfunction due to common mode failure is avoided.
All control unit configurations (application program) shall reside at control unit level in non-volatile memory, so that the configuration does not require reloading from an Engineering Workstation or disk in the event of a failed card or upon power-up.
The proposed non-volatile memory shall be specified in the offer, providing a sufficient description of the methodology required to update the memory for application software modifications and the relevant on-line download.
On loss of power, the SIS shall shut down in an orderly manner and all I/O shall fail to their predictable state.
If the application program is kept in battery-backed memory, system memories and clocks shall be protected against power loss by batteries able to maintain these items for at least 6 months. In addition, it shall be possible to replace the battery while the system is running without losing the contents of the memory.
Any single SIS fault shall not affect operation of the controlled process and shall not degrade system safety or functionality. Any fault resulting in a system failure shall be such that all failure modes are fail-safe to the OFF or OPEN state. This includes all module removals and cable faults.

4.5 INPUT/OUTPUT MODULES


I/O cards shall have electrical isolation between the field equipment and the SIS; each channel shall be individually protected.
The vendor shall make clear in their tender if there are special compatibility requirements for connected devices, so that when line monitoring is taking place it does not have an adverse effect on any loop devices.
Input signals shall be filtered in order to avoid undesired detection of a shutdown condition due to a temporary fluctuation of a process variable.
All inputs shall be configured to alarm on a “Fail to trip” condition, in order to prevent an analogue input fault from going unnoticed.
The health of each I/O module shall be continuously monitored by diagnostic routines. Their health status shall also be displayed by LEDs on the module front panel. In case of fault of an I/O module, the relevant CPU shall automatically take proper action in order to put the module off-line and the system in a fault-tolerant condition.
If Intrinsically Safe protection is required, it shall generally be provided through active barriers on the card; otherwise these IS barriers shall be provided externally to the cards and mounted in the marshalling cabinets. In any case, the Intrinsically Safe barriers shall also be SIL 3 certified for the safety applications.
Adjustment of configurable transmitter parameters shall be write-protected to prevent inadvertent modification of program parameters.
The SIS digital I/O shall be line monitored. The design shall be such that the whole loop is line monitored.
All F&G loops shall be monitored in order to detect any interruption of the loop.
I/O modules shall meet the requirements indicated in the next paragraphs.
The HART signals shall be electrically compatible with the standard 4 to 20 mA signal.
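Line monitoring and input filtering from this section, as an added example (not from the guideline or any SIS vendor): a loop current is classified as open circuit, healthy, active or short circuit against constructed current bands, line faults are alarmed on the first scan, and an active state must persist for a configurable number of scans before a trip is declared, which filters out a temporary fluctuation. The bands, the end-of-line resistor arrangement they imply, the scan counts and the tags are assumptions made for the example.

```python
"""Added example (not from the eni guideline or any SIS vendor): classifying
a line-monitored digital input from its loop current and filtering transient
activations before a trip is declared. Current bands, scan counts and tag
names are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed current bands (mA) for a 24 V loop with an end-of-line resistor:
# below OPEN_MAX the loop is cut, at or above SHORT_MIN it is shorted; between
# them the quiescent band means "healthy/inactive" and the higher band "active".
OPEN_MAX = 0.5
ACTIVE_MIN = 4.0
SHORT_MIN = 15.0

OPEN, HEALTHY, ACTIVE, SHORT = "open circuit", "healthy", "active", "short circuit"


def classify_loop(current_ma):
    """Map a measured loop current to one of the four monitored states."""
    if current_ma < OPEN_MAX:
        return OPEN
    if current_ma >= SHORT_MIN:
        return SHORT
    if current_ma >= ACTIVE_MIN:
        return ACTIVE
    return HEALTHY


@dataclass
class MonitoredInput:
    """One line-monitored SIS digital input. `persist` is the number of
    consecutive ACTIVE scans required before the input is declared tripped;
    line faults are alarmed on the first scan and never count as a trip."""
    tag: str
    persist: int = 3
    active_scans: int = 0
    tripped: bool = False          # latched until reset() with a healthy loop
    fault: Optional[str] = None
    alarms: List[str] = field(default_factory=list)

    def update(self, current_ma):
        state = classify_loop(current_ma)
        if state in (OPEN, SHORT):
            if self.fault != state:          # alarm once per fault type
                self.fault = state
                self.alarms.append(f"{self.tag}: line fault - {state}")
            self.active_scans = 0
            return state
        if self.fault is not None:
            self.alarms.append(f"{self.tag}: line fault cleared")
            self.fault = None
        if state == ACTIVE:
            self.active_scans += 1
            if self.active_scans >= self.persist and not self.tripped:
                self.tripped = True
                self.alarms.append(f"{self.tag}: trip confirmed")
        else:
            self.active_scans = 0            # fluctuation ended: restart the count
        return state

    def reset(self):
        """Operator reset: only clears the trip when the loop is healthy."""
        if self.fault is None and self.active_scans == 0:
            self.tripped = False
        return self.tripped

    def run(self, samples_ma):
        """Feed a constructed sequence of scans; returns the final loop state."""
        state = HEALTHY
        for value in samples_ma:
            state = self.update(value)
        return state


if __name__ == "__main__":
    di = MonitoredInput("PSLL-1001", persist=3)
    print(di.run([2.4, 8.0, 2.4, 8.0, 8.0, 8.0, 0.1, 2.4]), di.tripped, di.alarms)
```

A single active scan between healthy ones is ignored, three in a row confirm the trip, and a drop to near-zero current is reported as an open circuit rather than as a further trip, which is what distinguishes a monitored loop from a plain contact input.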

Configurable Input/Output modules


One possible application is where the plant design status does not yet allow the quantity of each signal type (e.g. AI, AO, DI, DO, etc.) to be properly defined, both for each plant Facility Functional Unit and for the partial/overall plant, and these data would otherwise only become available at a late project stage, causing a delay in the project execution.
The use of cards with configurable Input/Output signals is permitted without relaxing the above requirements of section 4.5. In this case each signal can be configured as input or output and as analogue or digital.
This kind of technology shall provide the capability to accept a suitable range of standard signals (analogue input and output, digital input and output, pulse, etc.) that are user selectable and changeable in order to define the card loading and tag assignment.

4.6 FIRE ALARM CONTROL PANEL (FACP)


The Fire Alarm Control Panel (FACP) for buildings will be integrated or interfaced with the ICSS according to project needs, market availability and/or procurement strategies.
This system shall be of addressable type. In addition, this system has to use, as much as possible, the same hardware platform as the Fire & Gas system for the plant areas.
A proper segregation criterion will be defined in order to provide a functional and safe architecture; a cycle time of at most 250 ms per CPU/node shall be ensured.
Redundancy shall be applied at each level (I/O card, CPU, bus, power supply module, Ethernet switch, serial communication links, etc.) in order to avoid a single point of failure.
All I/O cards, circuits and the external wiring to detectors or other field devices having safety related functions shall always be monitored and automatically alarmed when a failure occurs.
The FACP system design shall meet the requirements of the NFPA 72 or EN 54 code and, where integrated in the ICSS and/or taking executive action, shall be compliant with IEC 61508 / 61511, according to the plant location and/or applicable codes.
If the FACP system is not provided with a Safety Integrity Level (SIL) compliance rating, it shall perform only detection functions, without performing any safety logic (i.e. fire damper closure), which shall be performed by the SIS. Therefore, whenever the FACP has to perform any safety logic, it shall also be at least SIL 2 certified.
A specific Safety Integrity Level (SIL) compliance rating shall be required for the instruments (i.e. transmitters, solenoid valves, detectors, etc.) to be used in F&G or safety loop applications, which shall have been awarded a SIL rating.
Generally, the FACP will be composed of:
• F&G detectors/devices to be installed within each building;
• Marshalling cabinets, system cabinets, mimic panels, consoles, etc., properly located;
• Relevant interconnection wiring/cables between F&G detectors/devices and cabinets/panels and other systems.

4.7 FIRE & GAS DETECTORS


This section provides a possible list of the inputs coming from F&G detectors, and of the outputs in terms of audible/visual device activation, respectively for FACPs and for FGSs.
Fire Alarm Control Panels (buildings)
Fire detectors/devices:
• Smoke point-type detectors (addressable type);
• Aspirating smoke detectors;
• UV/IR detectors;
• Heat detectors, point type (addressable type);
• Heat detectors, point type, for transformer protection outside substations (addressable type);
• RTDs;
• MCPs (addressable type);
• Clean agent extinguishing system, if any;
• Visual and audible alarm devices (possibly addressable type);
• Field instruments (i.e. pressure transmitters, pressure switches, solenoid valves, limit switches, etc.).
Gas detectors/devices:
• Hydrocarbon gas detectors;
• Hydrogen gas detectors;
• Oxygen depletion detectors;
• Visual and audible alarm devices (if necessary).
Fire & Gas Systems for plant areas
F&G detectors/devices:
• Thermo-sensitive cables;
• Flame detectors (UV/IR type);
• MCPs (not addressable);
• Hydrocarbon gas detectors;
• CO2 gas detectors;
• Field instruments (i.e. pressure transmitters, pressure switches, solenoid valves, limit switches, etc.) that could be installed on the fixed fire-fighting system lines in plant units, if any.
After receiving these inputs, the F&G cabinets will activate the relevant outputs to visual and audible alarm devices where necessary; if the inputs originate in an FACP, the signals shall also be sent to the SIS.

4.8 SIS CERTIFICATION


The SIS shall be SIL 3 certified according to the IEC 61508 and IEC 61511 codes, and to the NFPA 72 / EN 54 code for F&G (indoor applications), unless defined differently in the project documentation.
IEC 61508 SIL 3 certification shall include, but not be limited to:
• The SIS hardware, such as analogue and digital I/O cards, termination units, barriers, relays, etc.;
• Manual switches, such as configuration and force enable switches;
• CPUs / logic solvers;
• Power supply units;
• SIS-to-SIS communication over the Safety Bus;
• Application software;
• Interface cards or Ethernet switches (if present).
If a node of the Safety Instrumented System (SIS) is dedicated to a Burner Management System (BMS), the SIS shall also be certified according to NFPA 85 (or NFPA 86), EN 50156-1, EN 298 and other pertinent standards according to the specific application.
All F&G detectors/devices (including push buttons) and final elements (e.g. relays, solenoid valves, etc.) connected to the F&G system shall be at least SIL 2 certified.

4.9 SAFETY INSTRUMENTED SYSTEM REDUNDANCY REQUIREMENTS


The SIS configuration shall employ Hardware Fault Tolerance to perform the fault detection and redundancy management functions.
HIFT configurations shall primarily utilise hardware-based voting and fault detection circuits with minimal software overhead, to verify all instructions, data, control clocks and synchronisation signals. These circuits shall automatically identify, isolate and contain faults without compromising Safety System performance.
Fault tolerance is the ability of a system to detect transient or steady-state error/fault conditions and take appropriate corrective actions on-line, while the process is being controlled. This means that the SIS shall continue to be available and functioning even if one or more of its components (hardware, firmware or software) should fail. True fault tolerance also provides fully automatic recovery without disrupting operations.
Fault tolerance implies a defined level of functional redundancy, such that no single fault or component failure will cause a system shutdown or a degradation in the performance or operation of its redundant counterparts.
If a fault-tolerant component fails, the others shall continue to operate and an alarm shall be activated, indicating the type and location of the fault.

To provide a high level of integrity, the Safety Instrumented System (SIS) shall be implemented
on a redundant basis.
Each processor with associated I/O, power supplies, card cages, bus structure and software,
shall work tightly synchronized and running in parallel. Each processor shall execute the
application program simultaneously and independently, verifying instructions, data, controls,
clock and synchronization signals.
Full system redundancy capability shall be provided and no additional identification character
shall be needed to identify primary/secondary cards. No additional external wiring shall be
necessary for such a purpose. The redundant Safety System should have as a minimum the
following requirements:
• Analogue I/O shall be in fault tolerant configuration;
• Digital I/O shall be in fault tolerant configuration;
• Processor shall be redundant with fault tolerant configuration;
• Data communication buses and devices shall be redundant in fault tolerant
configuration;
• Power feeders and power supply units shall be redundant. The power supply units
will be redundant with hot back up or with “n+2” configuration.
• Redundancy is not required for signals not involved in sequences such as MOS and
POS.
• The Engineering Workstations will not be duplicated.
In order to avoid power common failures, the redundant I/O cards in dual configuration shall be
installed in different racks unless the systems get around this by having dual power supplies in
the same rack; so redundant I/O cards for the same function could be installed in the same rack.
An on-line Fault tolerance configuration shall maintain full control in the event of a failure.
Transfer to the standby shall be automatic, shall be alarmed and shall have no effect on the
operation of the safety system.
In case of Safety Instrumented System (SIS) based on dual technology, the redundancy of the
I/O signals shall be performed providing the additional cards and each signal to be redundant
shall be addressed to both cards.
For a Safety Instrumented System (SIS) based on Triple Modular Redundant (TMR) technology,
the redundancy intrinsically embedded within the same TMR Input/Output card is technically
acceptable. Therefore no additional card is required to achieve the requested level of
availability and reliability, but hot replacement of any TMR I/O card shall be ensured by
providing a free slot beside each card.
The system shall allow a faulty module to be removed for maintenance while the system is
powered, without interrupting normal operation and processing of functions.
To prevent a situation where the SIS is unable to initiate a shutdown, provisions shall be made
to detect and disable circuits that “fail on” (short circuit).

4.10 SAFETY INSTRUMENTED SYSTEM SEGREGATION REQUIREMENTS


Even though the ESD functions may be fully integrated with the F&G functions (generally for
outdoor applications), the F&G input and output signals shall be segregated from the ESD ones
by using different I/O cards.
Generally, SIS inputs and/or outputs for multiple equipment (e.g.: pumps, compressors, etc.)
shall utilise separate modules in order to minimise the impact of single module failure.
SIS Inputs and Outputs modules shall be grouped in racks of I/Os and assigned to CPUs using
the following guidelines as good engineering practice:
• CPU assignment should follow the criteria below:
a) One group of controllers for each of the following SIS levels:
- e.g.: ASD and ESD,
- e.g.: PSD and LSD,
- and for a specific location (e.g.: Technical rooms and Living quarter).
In this way the same controller(s) manage the relevant I/O and logic. This
approach is strongly suggested to minimize the data exchanged between controllers/nodes.
b) One group of controllers for the F&G logics.
• The internal Communication between CPUs across the SIS communication network
shall be minimised.
• In case of multiple equipment/trains, each I/O card shall not serve more than one
equipment/train. If the I/O quantities are large enough, the segregation shall be
extended to rack level as well.
• Sensors and final elements (e.g.: transmitters, solenoid valves and F&G
detectors/devices) used in voting logic (e.g. 2oo2, 2oo3 or 2ooN) shall be wired to
separate hardware fault tolerant sets of I/O cards. As a minimum, where multiple
sensors are used, a failure of one field input shall not disable any other input, and
repair shall be possible on-line without impacting other inputs.
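The segregation rules above can be checked mechanically against an I/O allocation list. The following Python script is an added example, not part of the standard; the Signal model, tag names, card names and trains are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed example, not part of the standard: a minimal model of SIS I/O
# allocation used to check the segregation rules of section 4.10. Tag names,
# card names and trains are invented.


@dataclass(frozen=True)
class Signal:
    tag: str              # instrument tag
    function: str         # "ESD", "PSD" or "F&G"
    train: str            # equipment/train the signal belongs to
    card: str             # I/O card the signal is wired to
    voting_group: str = ""   # non-empty for sensors of a voted group (2oo2, 2oo3, ...)


def check_segregation(signals: List[Signal]) -> List[str]:
    """Return one message per violation of the segregation rules."""
    violations: List[str] = []
    by_card: Dict[str, List[Signal]] = defaultdict(list)
    for s in signals:
        by_card[s.card].append(s)

    for card, members in sorted(by_card.items()):
        # F&G I/O shall be on different cards from the ESD (or other SIS) I/O.
        functions = {s.function for s in members}
        if "F&G" in functions and len(functions) > 1:
            others = sorted(functions - {"F&G"})
            violations.append(f"{card}: F&G signals share the card with {others}")
        # An I/O card shall not serve more than one equipment/train.
        trains = sorted({s.train for s in members})
        if len(trains) > 1:
            violations.append(f"{card}: serves more than one train {trains}")
        # Sensors of one voting group shall be wired to separate cards.
        groups: Dict[str, List[str]] = defaultdict(list)
        for s in members:
            if s.voting_group:
                groups[s.voting_group].append(s.tag)
        for group, tags in sorted(groups.items()):
            if len(tags) > 1:
                violations.append(f"{card}: voted sensors {tags} of group {group} on one card")
    return violations


# Constructed allocation containing one violation of each rule.
SAMPLE_ALLOCATION = [
    Signal("PT-101A", "ESD", "Train 1", "AI-01", "PT-101"),
    Signal("PT-101B", "ESD", "Train 1", "AI-02", "PT-101"),
    Signal("PT-101C", "ESD", "Train 1", "AI-02", "PT-101"),   # two voted sensors on AI-02
    Signal("PT-201A", "ESD", "Train 2", "AI-01", "PT-201"),   # AI-01 now serves two trains
    Signal("GD-301", "F&G", "Train 1", "DI-05"),
    Signal("ZSL-120", "ESD", "Train 1", "DI-05"),             # F&G and ESD on the same card
]

if __name__ == "__main__":
    for line in check_segregation(SAMPLE_ALLOCATION):
        print(line)
```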

4.11 SIS ALARMS


All alarms will be sent to the PCS operator interface and, for the main shutdown causes, to
the annunciator panel on the ESD/PSD console. Time stamping of the SIS alarms shall be
performed at card level and these alarms will be routed to a dedicated printer; the capability
to transfer these data to the PCS in real time is preferred.

4.12 SAFETY INTERNAL COMMUNICATION


The SIS Communication Bus (Safety Bus) shall be separated from the Process Communication
Bus (Process or ICSS Bus) and shall be SIL certified within the entire Safety System.
Failures of communication links within the safety system’s apparatus shall bring any safety
related signals to a safe state.

4.13 SAFETY EXTERNAL COMMUNICATIONS


The SIS will be interfaced with the PCS through a dedicated redundant communication bus using
a proprietary or open (but certified) communication protocol. This means that the SIS could be
a node of the Control Bus. Fully transparent data transmission (commands, signals, alarms,
measurements, etc.) between PCS and SIS is preferred.
No serial communication with subsystem PLCs is allowed for managing the safety actions of
packages/skids or parts of the Plant; any safety command or acquisition of data relevant to
safety logic shall use hardwired connections.

4.14 SAFETY INSTRUMENTED SYSTEM DOCUMENTATION


The documentation regarding the SIS shall comply with IEC 61508, IEC 61511 and project
requirements.
Where a node of the Safety Instrumented System (SIS) is dedicated to a Burner Management
System (BMS), the SIS documentation shall also comply with API 556.


5. HUMAN MACHINE INTERFACE (HMI)

5.1 HUMAN MACHINE INTERFACE OVERVIEW


All information required by Operators, whether for monitoring, alarming, display, archiving,
control or plant safeguarding, shall be presented by way of the ICSS Human Machine Interface
(HMI). The design of the HMI station shall be based on an ergonomic approach and a secure
display philosophy, considering the layout of the Control Room, the number of operators, and
acoustic and lighting requirements. The HMI design shall comply with ISO 11064 and ISO 6385.
The HMI consists of the Operator workstations and printers for event logging (alarms, F&G,
etc.). Auxiliary panels will be placed in the control room to provide a general overview of the
plant and the possibility to carry out emergency functions in case of critical conditions. These
are described in the section dedicated to the auxiliary panels.
The HMI station shall be composed, as a minimum, of:
• Operator Work Stations (OWS), to interface with the ICSS.
• Printers for event logging (alarms, F&G, SER, events etc.).
• F&G & Fire-fighting panel, to visualize a summary of the alarms related to F&G
(mimic panel based on the F&G Layouts) and activate the necessary actions.
• ESD Matrix panel based on hardwired signals, alarms and emergency shutdown
actions, to activate the ESD levels by pushbuttons.
• POS (Process Override Switches) panel, for the bypass of critical safety signals.
• MOS (Manual Override Switches) panel to be used for maintenance purposes.
Each operator workstation shall be identical in presentation, operation, performance and
capabilities, in order to ensure system reliability and complete interchangeability for process
operation. The failure of the electronics in one workstation shall only cause the loss of that
workstation, and all operator interface facilities shall continue to be available on the
remaining operator workstations. Each operator workstation shall be capable of plant-wide
operation. Therefore SUPPLIER shall provide hardware and software tools allowing the
operator to switch, at any time, any workstation in the Control Room to a different operating
area, regardless of its size in terms of I/Os (application licenses). Each operator station shall
also be configurable to operate on a restricted control area basis.
The HMI station shall not include the Engineering Work Stations. The Engineering workstations
shall be located near the panels, or in dedicated zones preferably separated from the HMI
operator station.

5.2 OPERATOR WORK STATIONS (OWS) FUNCTIONS


Each operator workstation shall be able to provide the following functions, as a minimum:
• Operating Displays (Overview, Process control of each unit, SIS & F&G, etc.)
• Group Displays (Control loops, Trends, Events, Alarms, MOS & POS for ESD, etc.)
• Alarm and Event Management
• Trend Displays and Plotting
• Reports / Logs
• Self Diagnostic Displays
• Print-out Capabilities
• Custom Keys
SUPPLIER shall state the maximum number of these functions that can be implemented and any
limitations to their access on the operator consoles.

5.3 AUXILIARY PANELS


The ESD and F&G & Fire-fighting panels (integrated in HMI) shall be used to monitor and control
the plant ESD and F&G systems in the event of ICSS failure.


ESD Panel

A hardwired panel will be equipped with lamps, LEDs and pushbuttons. The function of this panel
is to manually activate critical safety levels of shutdown (i.e.: ASD, ESD, PSD) for the plant or
a major part of the plant (i.e.: Train 1, Train 2), all in accordance with the plant Cause & Effects.

F&G Panels

The F&G Panels are as shown below.

Fire & Gas Mimic Panel

The Fire & Gas Panel is a Hardwired matrix/mimic panel and shall illustrate simplified
geographical layouts of the plant, which is to be monitored. The indications on the hardwired
panel shall be driven via hard-wired signals from the Fire & Gas I/O modules.
The Fire & Gas panel shall group together all types of inputs for a single zone. If any input is in
the alarm state, a zone (unit) alarm LED on the hardwired panel shall operate. Separate “zoned”
indications shall be provided for fire, flammable gas, toxic gas, and system alarms. Each alarm
shall be presented by means of a coloured lamp and the corresponding text, as appropriate.
This panel will provide the following indications per each fire zone:
• MCP Activated;
• Fire;
• Flammable Gas;
• Toxic Gas;
• Fault/Inhibited Device.

Fire Fighting Panel

The Fire Fighting Panel shall allow the operator to handle the major active protection of the
plant with a minimal interface. For the Fire/Foam Pumps and Fire Extinguishing devices it shall
provide indications and controls, including inhibit / override enable key switch facilities if any,
as follows:
• Fire Pump Duty/Standby configuration indications;
• Fire Pump Duty Select;
• Fire Pump Running Indications;
• Fire Pump Failed to Start Indications (Diesel pumps only);
• Fire Pump Un-Available;
• Fire Pump Fault;
• Fire Pump Manual Start;
• Foam Pump Duty/Standby configuration indications;
• Foam Pump Duty Select;
• Foam Pump Running Indications;
• Foam Pump Manual Start.
The Fire Fighting Panel shall provide remote manual release pushbuttons and the relevant
inhibit selector, for operator intervention, for each area protected by fire extinguishing
system(s). These pushbuttons shall be provided with protective flaps to prevent accidental
operation and shall illuminate when operated.

By-pass Panel for Process Override Switches (POS)

The process override function is limited to those inputs (or logic blocks) that are not in safe
conditions during particular operating phases (e.g.: start-up) and would cause shutdown if not
properly managed.
The POS shall be hardwired only and implemented on inputs to logic functions, without
activating the involved shutdown actions.
Overrides on outputs to final actuators shall not be allowed.

The POS By-pass panel must be suitable for process requirements and will be composed of key
switches (momentary type, spring return), LED lamps and pushbuttons; these components shall
be hardwired to the SIS. The POSs will be organized in a matrix panel complete with function
descriptions.
The automatic reset shall be allowed only after the process has achieved normal operating
conditions, plus a delay time to be defined case by case.
If the POS timeout expires before the input has become healthy, the system shall generate the
relevant alarm/action according to project requirements.
Activation/deactivations of any POS shall be recorded by the SER and on PCS printer log.
The PCS through dedicated dynamic graphic pages shall also represent the actual status of each
single POS including the actual status of the inputs.

By-pass Panel for Maintenance Override Switches (MOS)

A hardwired Master MOS enable key-switch (or more than one, organized by macro area or
functional unit depending on plant size/complexity) shall be provided for ESD and F&G
overrides.
This key-switch must be enabled before any software MOS can be activated. On disabling the
Master MOS, all enabled MOS will be removed immediately. In any case the software MOS
development/application shall never jeopardize the safety of the plant.
The maintenance override function is limited to those inputs (or logic blocks) related to field
instruments that may require maintenance (to test, repair or calibrate primary elements) and
would cause shutdown if not properly managed. The MOS shall be manually activated and
implemented on inputs to logic functions without activating the associated shutdown action.
Overrides on outputs to final actuators shall not be allowed.
The PCS, through dedicated dynamic graphic pages, shall also represent the actual status of
each single MOS, including the actual status of the inputs.
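The POS and MOS rules of this section (overrides on inputs only, Master MOS key-switch gating every software MOS, POS timeout alarm, delayed automatic reset, SER recording) can be modelled as a small state machine. The following Python code is an added example, not part of the standard; tag names, times and the choice to drop a timed-out POS are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example, not part of the standard: a minimal model of the POS/MOS
# override rules of section 5.3. Tag names and simulation times are invented.


@dataclass
class Override:
    kind: str                              # "POS" or "MOS"
    expires_at: float                      # POS timeout (simulation time); inf for MOS
    healthy_since: Optional[float] = None  # when the bypassed input became healthy


class OverrideManager:
    def __init__(self, input_tags, output_tags, reset_delay: float):
        self.inputs = set(input_tags)
        self.outputs = set(output_tags)
        self.reset_delay = reset_delay        # project-defined delay before POS auto-reset
        self.master_mos_enabled = False       # hardwired Master MOS key-switch state
        self.active: Dict[str, Override] = {}
        self.ser: List[str] = []              # sequence-of-events record
        self.alarms: List[str] = []

    def _check_input(self, tag: str) -> None:
        if tag in self.outputs:
            raise ValueError(f"{tag}: overrides on outputs to final actuators are not allowed")
        if tag not in self.inputs:
            raise KeyError(f"{tag}: unknown tag")

    def set_master_mos(self, enabled: bool, now: float) -> None:
        self.master_mos_enabled = enabled
        self.ser.append(f"t={now:g} MASTER_MOS {'ENABLED' if enabled else 'DISABLED'}")
        if not enabled:
            # disabling the key-switch removes every software MOS immediately
            for tag in [t for t, o in self.active.items() if o.kind == "MOS"]:
                self._remove(tag, now, "master MOS disabled")

    def activate_mos(self, tag: str, now: float) -> None:
        self._check_input(tag)
        if not self.master_mos_enabled:
            raise PermissionError("Master MOS key-switch must be enabled first")
        self.active[tag] = Override("MOS", float("inf"))
        self.ser.append(f"t={now:g} MOS ON {tag}")

    def activate_pos(self, tag: str, now: float, timeout: float) -> None:
        self._check_input(tag)
        self.active[tag] = Override("POS", now + timeout)
        self.ser.append(f"t={now:g} POS ON {tag}")

    def _remove(self, tag: str, now: float, reason: str) -> None:
        kind = self.active.pop(tag).kind
        self.ser.append(f"t={now:g} {kind} OFF {tag} ({reason})")

    def trip_effective(self, tag: str, input_tripped: bool) -> bool:
        """A bypassed input cannot initiate the shutdown action."""
        return input_tripped and tag not in self.active

    def scan(self, now: float, healthy: Dict[str, bool]) -> None:
        """Periodic scan: auto-reset a POS once its input has been healthy for
        reset_delay; if the timeout expires first, raise the alarm (and, as this
        model's assumed project action, drop the override)."""
        for tag in [t for t, o in self.active.items() if o.kind == "POS"]:
            o = self.active[tag]
            if healthy.get(tag, False):
                if o.healthy_since is None:
                    o.healthy_since = now
                elif now - o.healthy_since >= self.reset_delay:
                    self._remove(tag, now, "automatic reset")
            else:
                o.healthy_since = None
                if now >= o.expires_at:
                    self.alarms.append(f"t={now:g} POS TIMEOUT {tag}: input still unhealthy")
                    self._remove(tag, now, "timeout expired")


def run_demo() -> OverrideManager:
    """Walk through the rules with constructed tags; returns the manager state."""
    mgr = OverrideManager({"PSLL-101", "LSLL-202"}, {"XV-101"}, reset_delay=5)
    try:
        mgr.activate_pos("XV-101", now=0, timeout=30)   # rejected: output to a final element
    except ValueError:
        pass
    try:
        mgr.activate_mos("PSLL-101", now=0)             # rejected: master key not enabled
    except PermissionError:
        pass
    mgr.set_master_mos(True, now=1)
    mgr.activate_mos("PSLL-101", now=2)                 # trip of PSLL-101 now bypassed
    mgr.set_master_mos(False, now=3)                    # MOS removed immediately
    mgr.activate_pos("LSLL-202", now=10, timeout=30)
    mgr.scan(20, {"LSLL-202": False})
    mgr.scan(45, {"LSLL-202": False})                   # timeout before healthy: alarm
    mgr.activate_pos("LSLL-202", now=50, timeout=30)
    for t in (55, 58, 61):
        mgr.scan(t, {"LSLL-202": True})                 # healthy since 55: reset at 61
    return mgr


if __name__ == "__main__":
    for event in run_demo().ser:
        print(event)
```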

5.4 THIRD PARTY OPERATOR INTERFACES


The project control philosophy shall be to maximize integration of the operator interfaces for all
instrumentation and control systems on the facility into the ICSS HMI. Information required by
the Operators from sub-systems such as:
• Subsea Control System
• Electrical Distribution and Generation Equipment
• Machinery Unit Control Panels
• Machinery Condition Monitoring Equipment
• Dedicated Compressor Control Systems (such as anti-surge systems)
• Other control systems, including UCPs supplied with packaged equipment
• Metering Supervisory Computer
• Platform Structural and Corrosion Monitoring Systems
• Building F&G panels
These shall be presented in a uniform manner on the ICSS Workstations through the graphic
displays. This requirement does not preclude the use of vendor-supplied control systems; the
requirement is only that the operator interface shall be integrated via the ICSS. The VENDOR
shall assume that all information available from these sub-systems, package equipment and field
instrumentation, including alarms, shall be available at the PCS.
The packages themselves may include their own control systems (subject to the requirements
of Section 8 "PLC for Package Units” in this document). In this case, vendor-supplied control
systems may include dedicated HMIs, which shall typically be able to provide operators,
maintenance, operations supervisory/management or engineering personnel with additional
information over and above that which is presented on the ICSS.


6. SUPERVISORY CONTROL AND DATA ACQUISITION

SCADA is a combination of telemetry and data acquisition. A SCADA system is generally designed
to collect information, transfer it back to the central site, carry out any necessary analysis
and control, and then display that information on a number of operator screens or displays. The
required control actions are then conveyed back to the process.
The SCADA System can be used to control remote areas such as wellhead areas, manifold areas
or Line Valve Stations along a pipeline. This may involve integration between the SCADA
system and RTUs installed at each remote area via the communication media (e.g.: radio link or
optical fiber cable).
The SCADA system can also be used to supervise different remote plants already equipped with
their own independent control and safety systems. In this application it acts as an interface
between the SCADA system and the other plants' control systems (e.g.: pipeline gas distribution
control and monitoring system).

6.1 SCADA FUNCTIONS


Main functions performed by the Master Terminal Unit (MTU) are the following:
• Monitoring and continuous control of the entire SCADA communication through
communication links such as LAN/WAN, based on the available communication media (such
as radio signals, telephone line, cable connection, optical fibre cable, satellite and
microwave media);
• Displaying the data/information related to SCADA communication in the form of text
and graphics using HMI hardware and software;
• Sending/receiving request data/messages/information to/from RTUs, such as the current
status of RTUs and checks of the communication link, and performing data acquisition
upon receiving information/data from RTUs;
• Data processing with report printouts for both technical and management purposes.

The following functions should be implemented inside the RTU/PLC at remote sites:
• Flexibility to configure and expand in case of future plant needs;
• Continuous control of analogue process loop;
• Monitoring of analogue and digital process variables;
• Control of all duty units via simple operator commands;
• Automatic Start-up of stand-by equipment.

6.2 SCADA DESCRIPTION


The SCADA shall represent the control system of the remote sites as well as the collecting
point of data from which authorized personnel can obtain the required information.
Each remote site shall be equipped with a Remote Terminal Unit (RTU) that shall be able to
accumulate data and, if required, perform logical functions and flow calculations. The RTU shall
be able to communicate by Store and Forward protocol. The data shall be transmitted onward
as required to the SCADA master stations (Master Terminal Unit), which shall collect data from
each RTU on a polling basis and/or on a Store and Forward basis, while point to point
communication should be applicable where an optical fiber cable is connected.
The RTUs shall be able to receive commands from the SCADA for specific purposes.
The RTU topology shall be chosen on the basis of the functions it will perform and of the
communication media to be used.
The wellhead areas, valve stations, etc. shall be designed to be standardized as much as
possible.


A SCADA system shall provide the monitoring, control, computing and communication between
the Central Control Room and the remote sites (i.e.: wells/manifold/Line Valve Stations). Any
safety action is NOT allowed if the communication medium is radio based and if the remote RTUs
are not SIL 3 certified. The safety device shall be SIL 3 certified according to IEC 61508 and
IEC 61511 and shall handle all safety tasks related to process and F&G emergency shutdown.

6.3 SCADA SYSTEM ARCHITECTURE


Usually the SCADA System architecture comprises the following parts:
• Consoles (HMI and Engineering Workstations);
• Communication System (MTU/Server, etc.);
• Power Supply system;
• RTU / Process Interface;
• Auxiliary Panels (MOS, F&G, Firefighting) if necessary;
• Interconnection cables among cabinets.
The structure of the system and relevant marshalling cabinets shall be designed in accordance
with the following main requirements. For all technical aspects and characteristics not clearly
discussed in the following paragraphs, it is necessary to refer to the section related to PCS or
SIS.
The Master Terminal Unit, also called SCADA server, is connected directly or indirectly with the
main server through communication links such as Local Area Network (LAN) and/or Wide Area
Network (WAN).
The Human Machine Interface (HMI) is typically installed at the Master Terminal Unit (MTU) or
control centre and provides the facility to visualize the information coming from the Remote
Terminal Units.
The processing system (redundant server, industrial type, to be provided) and Front-end shall be
composed of communication interfaces to the communication Network, and of logic capable of
performing the data exchange functions with the RTUs, the communications diagnostics and the
data processing.
The on-line unit shall keep the back-up unit updated, to allow intervention in case of failure
without loss of instantaneous and/or historical data.

6.4 REDUNDANCY REQUIREMENTS


The system redundancy capability shall be provided. Where redundancy is required, no additional
identification character shall be needed to identify primary/secondary cards.
The failure of one card shall be reported with clear alarm identification.
No additional external wiring shall be necessary for such a purpose.
CPU, communication bus, communication card, Ethernet switch, etc. shall be redundant.
Also, any server, or PC, shall have redundant CPU, power supply card, Hard Disk and
Communication card.

6.5 SEGREGATION CRITERIA


Output signals for multiple devices (i.e.: solenoid valves) shall utilise separate modules in order
to minimise the impact of single module failure.
The following guidelines shall be applied as good engineering practice and not as sizing criteria:
• CPU assignment shall be designed in accordance with the process area segregation;
• The internal Communication between CPUs across the SCADA communication network
shall be minimised.
Hardware layout within the I/O racks is subject to specific COMPANY/CONTRACTOR approval.

6.6 SYSTEMS INTEGRATION


The SCADA system shall provide total integration of controls.
Current technology provides an open architecture for SCADA communication across LANs/WANs
using several types of open standard protocols. These open standards minimize the limitations
suffered by older SCADA communication systems and open new ways to connect several types
of input/output devices or other systems to the SCADA network.


6.7 INTERNAL COMMUNICATIONS


The communication subsystem protocol shall include codes such as CRC (Cyclic Redundancy
Check), parity error, overrun error, etc., in order to detect errors and take protective action to
assure a high degree of transmission reliability. Diagnostics shall be continuous and failure
alarms shall take priority.
No single control node failure shall disable the communication network.

6.8 EXTERNAL COMMUNICATIONS


SCADA system communication between the Master Terminal Unit (MTU) and the Remote Terminal
Units (RTUs) is implemented by means of SCADA protocols. Each SCADA protocol provides the rules
and procedures for communication between field devices and other functions, including MTU/RTU
commands, MTU/RTU status information, data/information storage, data presentation and
conversion, assignment of MTU/RTU addresses, and system monitoring and control.
The SCADA shall provide two independent and redundant networks via serial ports (RS 232,
RS 422 or RS 485), Ethernet or equivalent; each of these ports shall have redundant cable
and connectors, so that if a serial communication failure appears, a switch-over to the backup
serial line will occur. In addition, the SCADA shall provide dedicated software for the exchange
of data from/to other systems, allowing data compatibility between the SCADA and the RTUs.
The main external communication is between the SCADA server(s) and the RTUs.
SCADA and RTUs shall be synchronised by a common time signal. All data between SCADA
server(s) and RTUs shall be time stamped.
The RTU database should be used to store data (for a project-specified time period) in case of
communication failure, such that no data is lost and RTU data can be communicated to the MTU
when communication is restored.
In order to reduce the data traffic for a SCADA system communicating over modem and radio
networks, each RTU will have the Report By Exception (RBE) function for maximizing
communication efficiency. When RBE is enabled, a node will respond to a poll by transmitting
only the values that have changed since the last poll, plus any alarms. RBE communication will
be selectable on an individual signal basis.
It will be possible to mix communication modes within the same system and even in the same
node. For example, commands from the SCADA will be sent down the network to the destination
node (RTU) by Remote Data Base, historical data may be passed up the network to the data
concentrator using peer to peer, and display data may be gathered on a Report By Exception
basis.
The Remote Radio Station and the RTU shall be interconnected with a serial interface cable.
The data to be exchanged shall be packed by type and function code, in order to minimise the
number of read/write calls. This applies to the data that shall be read or written by the SCADA,
and not to a generic memory map, which could contain internal flags or intermediate data. The
master SCADA will read/write on one serial link and, in case of failure of the active link, the
communication will be switched to the other port. The slave RTU will follow the same philosophy.
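The Report By Exception and store-and-forward behaviour described above, as an added example that is not part of the standard: a simulated RTU answering MTU polls, reporting only changed values on RBE-enabled tags plus pending alarms, and buffering time-stamped records while the link is down. Tags, values and time stamps are constructed.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Set

# Constructed example, not part of the standard: RTU model for section 6.8.
# Tag names, values and time stamps are invented.


class RtuModel:
    """Simulated RTU: Report By Exception on selected tags, store-and-forward
    buffering of time-stamped records while the link to the MTU is down."""

    def __init__(self, rbe_tags: Set[str], buffer_limit: int = 1000):
        self.rbe_tags = set(rbe_tags)             # RBE is selectable per signal
        self.values: Dict[str, float] = {}        # current process values
        self.last_reported: Dict[str, float] = {}  # last value sent to the MTU per tag
        self.alarms: List[dict] = []              # alarms not yet delivered
        self.backlog: Deque[dict] = deque(maxlen=buffer_limit)  # records kept during outage
        self.link_up = True

    def update(self, tag: str, value: float, ts: int, alarm: Optional[str] = None) -> None:
        """Local data acquisition; every record carries the RTU time stamp."""
        self.values[tag] = value
        if alarm:
            self.alarms.append({"ts": ts, "tag": tag, "text": alarm})
        if not self.link_up:
            # the RTU database keeps data during a communication failure
            self.backlog.append({"ts": ts, "tag": tag, "value": value, "alarm": alarm})

    def poll(self, ts: int) -> Optional[dict]:
        """Answer an MTU poll; None models a failed exchange on a dead link."""
        if not self.link_up:
            return None
        reported: Dict[str, float] = {}
        for tag, value in self.values.items():
            changed = self.last_reported.get(tag) != value
            # non-RBE tags go on every poll; RBE tags only when changed
            if tag not in self.rbe_tags or changed:
                reported[tag] = value
                self.last_reported[tag] = value
        response = {"ts": ts, "values": reported, "alarms": self.alarms,
                    "backlog": list(self.backlog)}
        self.alarms = []          # delivered with this response
        self.backlog.clear()      # forwarded once communication is restored
        return response


def run_demo() -> List[Optional[dict]]:
    """Constructed poll sequence; returns the list of RTU responses."""
    rtu = RtuModel(rbe_tags={"PT-1", "FT-1"})   # ZS-1 is reported on every poll
    out: List[Optional[dict]] = []
    rtu.update("PT-1", 10.0, ts=0)
    rtu.update("FT-1", 5.0, ts=0)
    rtu.update("ZS-1", 1, ts=0)
    out.append(rtu.poll(1))      # first poll: every value counts as changed
    out.append(rtu.poll(2))      # nothing changed: only the non-RBE tag is sent
    rtu.update("PT-1", 11.0, ts=3)
    out.append(rtu.poll(4))      # PT-1 changed, FT-1 suppressed
    rtu.link_up = False          # radio link lost
    rtu.update("PT-1", 12.0, ts=5)
    rtu.update("PT-1", 13.0, ts=6, alarm="PT-1 HIGH")
    out.append(rtu.poll(7))      # None: the MTU records a communication failure
    rtu.link_up = True
    out.append(rtu.poll(8))      # current values, pending alarm and buffered backlog
    return out


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```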


7. OPC INTERFACE AND REAL TIME DATA ACQUISITION

A COMPANY objective is to implement a Real Time Data Acquisition System (RTDA). All the plant
critical measurement data such as production profiles and downhole data, critical information on
rotary or particular machines or packages, other subsea parameters and any other information
useful to maintenance, production and any other superior level of the asset management, shall
be available to the RTDA system. The system shall be structured on the commercial OSI-soft PI
Blueprint software architecture, and shall be based on OPC communication protocol. The list of
the data to be acquired and made available into the system shall be defined during project design
phase.

7.1 OPC/ICSS INTERFACE REQUIREMENTS


In order to implement the real time data acquisition architecture, the following components
need to be in place in the ICSS:
OPC Servers: provide a standard way to access real time data from the plant. They shall be
provided as part of the ICSS. Vendor-specific protocols will not be accepted unless explicitly
approved. The OPC protocol shall be DA, HDA or UA, depending on the PI OPC Interface release.
OPC servers collect real-time tags provided by different sources and make them available to any
connecting client. The OPC server should be configured to provide READ-ONLY access to the
values of the tags (no WRITE operations allowed).
A firewall is to be configured between OPC server and client; it is suggested to use OPC
Tunneling technology to force all data traffic onto a single user-defined port.
Suggested Hardware Configuration and Architecture
For any information, refer to Attachment 2 “EDOF- PI ARCHITECTURE BLUE PRINT”.


8. PLC FOR PACKAGE UNIT

8.1 PACKAGE TYPE


A package is a set of different equipment/devices and services that is generally bought as a
whole from a single SUPPLIER. It is possible to classify packages depending on their complexity.
The following package naming (P1, P2, P3) is indicative.
PACKAGE TYPE “P1”
This Package is equipped with its instruments, without junction boxes, cables and cable trays.
This package type is restricted to a unit with only a few instruments connected to ICSS via plant
junction boxes.
Package unit is fully controlled by ICSS.
PACKAGE TYPE “P2”
The Package is equipped with its instruments, wired by means of appropriate cables and cable
trays. The cables are connected to the junction boxes located at the skid battery limits.
Package unit is fully controlled by ICSS.
PACKAGE TYPE “P3”
The Package is equipped with its instruments, wired by means of appropriate cables and cable
trays. The cables are connected to the junction boxes located at the skid battery limits.
The package unit shall be totally controlled and monitored by a dedicated UCP (PLC system based).
Generally each package unit has control and safety functions/instruments, and the UCP shall be
organized in two main sections, usually called UCP_C and UCP_S, to handle them; both will be
interfaced with the plant ICSS.
All signals between SIS and Package PLC (UCP_S) shall be hardwired, while the signals between
PCS and Package PLC (UCP_C) could be exchanged via serial link connection.
For any further information about packages characteristics refer to company standard
28037.CMP.STA.SDS- Instrumentation and Automation included in package plants.

8.2 TECHNICAL CHARACTERISTICS


For all technical aspects related to the PLC and its sub-items, refer to the sections related to
PCS, SIS or SCADA.

8.3 OPERATIONAL GUIDELINES


In some applications the Packaged Unit shall be capable of standalone operation fully
independent from the plant ICSS and therefore shall be supplied with its own operator interface,
the design of which is detailed below.
The PLC for a package shall exchange all the necessary information with the plant ICSS
(PCS/SIS) allowing an operation mode where the operator is normally not required to operate
the packaged unit.
The method for data exchange between the PLC and the plant ICSS will depend upon the quantity
of necessary data, their type and the specific application, according to the following:
• All information between Shutdown Safety systems (SIS) and packages shall be
hardwired; this means that all safety commands from ICSS and any Unit Control Panel
shall be hardwired; serial connection is not allowed;
• All critical commands between PCS and PLCs shall be hardwired as well;
• All SIS commands (ESD/any trip action) shall be voltage commands (0 or 24 VDC);
therefore, within the UCP, interposing relays shall be provided whose coils will be
energized/de-energized by the SIS commands (ensure the interposing relays are
compatible with any ‘line monitoring’);
• A redundant serial link is considered the standard choice for data exchange, with
the PCS as master of the communication; see section 3.9.
• If the amount of exchanged data is reasonably small (typically less than 16 analogue
variables and less than 32 binary signals), hardwired data exchange is allowed.


Unless otherwise specified, the communication between the plant PCS and each UCP (mainly for
the rotary machines) shall include:
• a redundant server where all data (any signal, alarm, measure, diagnostic failure,
maintenance data, HART information, etc.) will be stored and addressed to the plant
Information Management System (IMS) of the ICSS;
• a redundant communication link through which the UCP will make available to the plant PCS
the I/O signals necessary to the PCS operator;
• a further communication link UCP-PCS, to be foreseen if the HART information cannot be
routed on the IMS link;
• another communication link UCP-PCS (towards the Condition Monitoring System), to be
foreseen for the Machine Monitoring System of each rotary machine package if the
Machine Monitoring System information cannot be routed on the IMS link.
The critical information (any signal, parameter, alarm, measure, diagnostic failure,
maintenance data, HART information, etc.) of each package shall be made available and
accessible to the COMPANY through the OPC server provided with the ICSS, in order to be
acquired by the Real Time Data Acquisition System.

8.4 INTERFACES WITH THE ICSS


The common equipment/systems that may be interfaced with the plant ICSS are described below.
Other features are specified in the company standards 28037.CMP.STA.SDS
(Instrumentation and Automation included in Package Plants) and 20150.PKG.STA.FUN
(Instrumentation & Automation plants included in Rotary Machine Package).
Each PLC linked to the PCS via serial link will be able to receive synchronization messages
(year, month, day, hour, minute, second) from the PCS. In case of GPS fault, each system (ICSS
and each PLC) will work with its internal clock independently of the other systems.
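Added example, not part of this standard: a PLC-side clock that applies the PCS synchronization message described above and free-runs on the PLC's own clock when no valid message arrives (the GPS-fault case). The six-field tuple layout of the message, the 60 s synchronization interval and the range checks are assumptions.

```python
"""PLC-side handling of PCS time synchronization (added example).

A PCS sync message is modelled as a 6-tuple (year, month, day, hour, minute,
second). The PLC keeps its own free-running clock and applies the correction
learnt from the last accepted message; if the PCS stops sending (e.g. GPS
fault upstream) the PLC keeps running on its internal clock, as the text
requires, and reports that it is no longer synchronized.
"""
from datetime import datetime, timedelta
from typing import Optional, Tuple

SyncMsg = Tuple[int, int, int, int, int, int]   # year, month, day, h, m, s
MAX_SYNC_AGE = timedelta(seconds=60)            # assumption: PCS syncs once a minute


class PlcClock:
    """Plant time as seen by one PLC: internal clock + last learnt offset."""

    def __init__(self) -> None:
        self._offset = timedelta(0)                   # plant time - internal time
        self._last_sync: Optional[datetime] = None    # internal time of last accepted sync
        self.rejected = 0                             # garbled messages seen

    @staticmethod
    def parse(msg: SyncMsg) -> Optional[datetime]:
        """Range-check all six fields; a PLC must never apply a garbled message."""
        if not isinstance(msg, tuple) or len(msg) != 6:
            return None
        try:
            return datetime(*msg)   # datetime rejects month 13, hour 25, etc.
        except (TypeError, ValueError):
            return None

    def apply_sync(self, msg: SyncMsg, internal_now: datetime) -> bool:
        """Accept a PCS message; returns False (and changes nothing) if invalid."""
        t = self.parse(msg)
        if t is None:
            self.rejected += 1
            return False
        self._offset = t - internal_now
        self._last_sync = internal_now
        return True

    def now(self, internal_now: datetime) -> datetime:
        """Plant time, derived from the internal clock even with no PCS link."""
        return internal_now + self._offset

    def synchronized(self, internal_now: datetime) -> bool:
        """True while the last accepted sync is younger than MAX_SYNC_AGE."""
        return (self._last_sync is not None
                and internal_now - self._last_sync <= MAX_SYNC_AGE)


def run_scenario() -> dict:
    """Constructed scenario: the PLC internal clock is 30 s fast; the PCS syncs
    once, then sends one garbled message, then goes silent for 5 minutes."""
    internal = datetime(2016, 10, 1, 12, 0, 30)       # internal clock reads 12:00:30
    clock = PlcClock()
    accepted = clock.apply_sync((2016, 10, 1, 12, 0, 0), internal)   # plant time 12:00:00
    t_plus_10 = internal + timedelta(seconds=10)
    bad = clock.apply_sync((2016, 13, 1, 12, 0, 0), t_plus_10)       # month 13: rejected
    later = internal + timedelta(minutes=5)                           # no sync since
    return {
        "accepted": accepted,
        "bad_rejected": not bad,
        "t1": clock.now(t_plus_10).isoformat(),         # 2016-10-01T12:00:10
        "synced_early": clock.synchronized(t_plus_10),  # True
        "synced_later": clock.synchronized(later),      # False: free-running
        "t_later": clock.now(later).isoformat(),        # 2016-10-01T12:05:00
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:13s} {v}")
```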

ICSS - Motor Control Centre


Motor starters will be located in MCCs in the Electrical Room(s). Status indication and control will
be interfaced to the PCS in the Instrument Equipment Room (IER) or Local Equipment Room (LER)
via serial link or via hardwired connections depending on the MCC type, Standard MCC or Smart
MCC, as detailed by the specific project requirements. The PCS signals will not overrule electrical
interlocks or test arrangements.
A trip from the SIS will be interfaced with MCCs and Power Centres by means of an individual
hardwired connection (shutdown command). The trip relay on the MCC and Power Centre will be fed
at 24 VDC from the SIS. The relay will be maintained "energized" for normal operation and
"de-energized" for trip. This is valid both for standard and smart MCCs.
The plant SIS will overrule all other signals.
Package unit motor auxiliaries will be controlled via hardwired circuitry (where required) from the
package unit control panel.
The PCS will be connected to the Electrical Systems with a serial link.

Conventional type MCC


According to the type of equipment and the specific project requirements, a motor start may be
possible from a remote location, or may only be possible when the operator is in the field, viewing
the equipment. For this reason, the PCS will feed a relay for local start permits (Local/Remote)
that will be de-energized for local start enabled and energized for local start disabled.
A start/stop relay, fed at 24 VDC from the PCS, will be fitted for all motors. The relay shall be
maintained "energized" for run and "de-energized" for stop.
Each motor stop/start signal will be repeated to the event-logging system of the PCS,
while the shutdown command will be reported in the SER and repeated on the PCS printers.
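Added illustration, not part of this standard: a Python model of the hardwired MCC interface rules given in the two sections above (SIS trip relay energized for normal, PCS start/stop relay energized for run, PCS local/remote relay de-energized for local start enabled), useful for checking fail-safe precedence before a project cause and effect is signed off. The input names and the starter model itself are assumptions.

```python
"""Fail-safe precedence of the hardwired MCC interface (added example).

Relay conventions from the text:
  - SIS trip relay: fed at 24 VDC from SIS, energized = normal, de-energized = trip
  - PCS start/stop relay: fed at 24 VDC from PCS, energized = run, de-energized = stop
  - PCS local/remote relay: de-energized = local start enabled,
    energized = local start disabled
Precedence from the text: the plant SIS overrules all other signals, and PCS
signals never overrule electrical interlocks or test arrangements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StarterInputs:
    sis_trip_relay_energized: bool     # 24 VDC from SIS present on the trip relay coil
    pcs_run_relay_energized: bool      # PCS remote start/stop relay
    pcs_local_permit_energized: bool   # PCS local/remote permit relay
    local_start_pressed: bool          # field push button at the motor (assumed)
    electrical_interlock_ok: bool      # MCC-internal interlocks / test position


def contactor_closed(i: StarterInputs) -> bool:
    """True if the motor contactor may be (or stay) closed.

    Loss of the SIS 24 VDC has the same effect as a trip command, because the
    trip relay is energized for normal and de-energized for trip: the circuit
    fails to the safe state on a broken wire or a dead SIS output card.
    """
    if not i.sis_trip_relay_energized:      # de-energize-to-trip: SIS always wins
        return False
    if not i.electrical_interlock_ok:       # PCS cannot overrule interlocks
        return False
    remote_run = i.pcs_run_relay_energized
    local_run = i.local_start_pressed and not i.pcs_local_permit_energized
    return remote_run or local_run


def trip_reason(i: StarterInputs) -> str:
    """Text for the PCS event log / SER explaining why the contactor is open."""
    if not i.sis_trip_relay_energized:
        return "SIS shutdown command (trip relay de-energized)"
    if not i.electrical_interlock_ok:
        return "electrical interlock / test arrangement"
    if contactor_closed(i):
        return "none, running"
    return "no run command"


if __name__ == "__main__":
    # Constructed cases: normal remote run, SIS trip (or loss of SIS 24 VDC),
    # local start enabled by PCS, local start blocked by PCS permit relay.
    cases = {
        "normal":        StarterInputs(True, True, True, False, True),
        "sis_trip":      StarterInputs(False, True, True, False, True),
        "local_ok":      StarterInputs(True, False, False, True, True),
        "local_blocked": StarterInputs(True, False, True, True, True),
    }
    for name, case in cases.items():
        print(f"{name:14s} closed={contactor_closed(case)!s:5s} reason={trip_reason(case)}")
```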

Smart type MCC


The MCC will comprise an intelligent microprocessor-based multi-function contactor control unit
in each motor starter, which communicates via a serial link to an MCC PLC, which in turn provides
the control and monitoring functions.
The MCC PLC will communicate via a redundant serial data link to the PCS, generally using a
communications protocol to be defined at project level. The serial data link between the MCC PLC and
the PCS will be duplicated using dual redundant PCS serial interface hardware, redundant MCC
PLC serial hardware and cables, with a PCS alarm upon failure of any link. SIS signals for the
shutdown of electrical equipment will be hardwired in the normal fail-safe manner.

ICSS – Subsea equipment


According to ISO 13628-6, clause 6.4.1.2, the Master Control System (MCS) can be configured
in three possible ways:
- fully integrated with the host DCS;
- as a stand-alone terminal being the primary interface for control of the subsea system;
- as a stand-alone terminal with interface to both the DCS and subsea equipment. The host
DCS is the primary operator's interface for control of the subsea system. The MCS is
secondary, but able to perform subsea control should the DCS or the link to the DCS fail.
In the first case dedicated PCS node(s) will be foreseen.
Whenever the subsea wells production is controlled by a dedicated control system (Master
Control System - MCS), reference 18006.SSE.STA.FUN, the plant PCS will be interfaced with the
MCS via a 'standard' interface which allows the signals/data to be exchanged.
In any case the isolation of subsea well(s) is performed by the topside ESD functions according
to ISO 13628-6, clause 7.4.9.2, and the MCS will interface with the plant SIS and perform
certain subsea shutdown sequences.

Wellhead Control Panel (WHCP)


The wellheads are controlled through dedicated panels. They will be of
electrical/pneumatic/hydraulic type and will be interfaced with the SIS and with the PCS.
The WHCP system will consist of:
• A wellhead control panel containing general controls and individual controls for each
well;
• A hydraulic power generation unit.
The wellhead control system will be used to perform manual and automatic control and
sequencing of the wellhead surface and sub-surface safety valves.
Automatic closing sequences will be initiated by:
• Abnormal pressure conditions of flow lines;
• Remote commands from the SIS and/or PCS.
The wellhead control panel will be designed to control the surface safety valves (master and wing)
and the surface-controlled sub-surface safety valves (SSSV), ensuring the correct opening/closing
sequencing of the wells.
All valves for each well will generally be hydraulically actuated.

ICSS - Marine Systems


The Hull part of an FPSO will be monitored and controlled by the Control and Safety System.
Control hardware should be standardized with that used for the Topsides facilities wherever
possible. The component parts of this system will vary in accordance with ship design.
The marine systems will typically comprise a tank and ballast control system, tanker loading
facilities, and SIS/F&G systems for the Hull areas.
The general requirements will be dependent on the Vessel design and associated Classification,
and hence will be determined by the Vessel Builder.

Tank gauge and Ballast Systems


This control and monitoring package will provide a facility to accurately measure product and
ballast tank levels, compute the various distributed loads and consequent ship stresses, and
control associated fluid movement.
The tank level measurement will be based on the radar principle, with additional parameters
(e.g. temperature) used to ensure accurate load measurement throughout the product and ballast
tank gauging. Ship design and stress estimating data are used in a dedicated software package. This
software will be used to compute and display all operational information related to product
handling and ballast control on the FPSO.

Marine SIS and F&G Systems


In order to achieve uniformity and full integration, and to improve safety, the Marine SIS and the
Topside SIS/F&G system should use the same hardware and software. Otherwise the SIS and
F&G detection for the Marine facilities will be properly interfaced with the plant SIS/F&G system.
The full Marine SIS status will be displayed on the plant Operator Stations and the relevant alarms
will be treated as per the topside SIS.
For F&G detection and protection of FPSO facilities, such as accommodation and ship machinery
spaces, addressable smoke and heat detection systems will be employed. The facilities will be
strictly in accordance with the Codes and Standards relevant to the Ship Classification or National
Regulations, whichever is the most stringent.

Marine Offloading Control System (OCS)


The Offloading Control System manages all loading arms. Where the OCS is interfaced with the
plant PCS through a software interface (Modbus TCP/IP) and with the plant SIS through hardwired
signals, the offloading facilities of the FPSO are monitored via a dedicated workstation in the
OCR, located in front of the loading arms, and the safety shutdown of the offloading
system is handled by its own safety system or by the main vessel SIS itself. Where the OCS
is fully integrated with the plant ICSS, it will be handled as per the other facilities and,
in any case, a PCS monitor will be located in the OCR room.

APPENDIX A EXISTING SIS REPLACEMENT


A.1 GENERAL
With increasing global demand for oil and gas driving prices higher and higher, the focus of oil
and gas producers is to maintain and maximise production from every available facility. Older
unreliable facilities are being upgraded and this often includes the replacement of Safety
Instrumented Systems (SIS) and Fire and Gas (F&G) systems due to obsolescence or reliability
issues.
Traditionally, the replacement of such safety critical systems is undertaken during a plant
shutdown opportunity, to ensure that process integrity is maintained and the replacement
systems can be fully commissioned and validated without the presence of the process hazards.
However, in this era of high oil and gas demand we are now seeing more and more SIS
replacement projects being undertaken whilst the process is still fully operational, and this can
lead to potential compromises during commissioning and validation of functionality.

The live replacement of SIS creates two main issues:
- maintaining process integrity during the SIS replacement;
- avoiding the significant potential for spurious trips whilst transferring safety functions to the
replacement system.

The decision to maintain production during the SIS change out process is driven by avoidance
of production losses sustained when the process is shut down. Thus the focus of project
management is also, unfortunately, too often on the avoidance of spurious trips during
installation at the expense of maintaining integrity. In some cases little or no attempt is made
to undertake a hazard analysis to identify the project related hazards created by a live change
over.

A SIS change out, whilst the process remains operational, will always be more costly in terms of
project time and manpower compared to doing it whilst the process is shut down. This additional
cost is easily offset by avoiding production shut down.
Often the argument used is that a SIS change out is ‘simply a like-for-like modification’ and, as
a consequence, projects may not budget for any validation testing following change over. This
is often without any consideration that:
- completely replacing the logic solver has an impact on every safety instrumented
function (SIF);
- the cause and effect logic configuration is usually rationalised;
- the I/O interface architecture may also be significantly different;
- there is the opportunity to upgrade field-fitted devices as well.

So the argument of like-for-like may have little foundation.

The life-cycle phases of IEC 61508 and IEC 61511 require commissioning and validation to be
completed before hazards are introduced; they were not developed or structured for SIS
related projects to be implemented on a live process plant whilst hazards are present. Thus it is
always going to be difficult, if not impossible, to fully comply with the life-cycle framework.

A.2 SIS SAFETY LIFE-CYCLE PHASES


Upgrading and changing out the logic solver is of far more significance than making a
‘modification’ to the functionality. It will be necessary to progress the project by following the
SIS safety life-cycle phases but certain phases need to be further developed to embrace projects
contemplating SIS replacements on live process plant. Many of the objectives remain the same
but the approach taken, with a live change out, will be somewhat different from that of a new
build SIS.
The following Figure is the standard overview of the IEC 61511 life-cycle phases, and the main
phases concerning a SIS replacement project, that has a shutdown opportunity for the change
over, are 1 through to 6.

[Figure: abstract from IEC 61511-1, Figure 8 – SIS safety life-cycle phases and functional safety
assessment stages. The flowchart itself is not reproduced; its boxes are listed below.]

Life-cycle phases (box number, title, IEC 61511-1 clauses):
1 Hazard and risk assessment (Clause 8)
2 Allocation of safety functions to protection layers (Clause 9)
3 Safety requirements specification for the safety instrumented system (Clauses 10 and 12)
4 Design and engineering of safety instrumented system (Clauses 11 and 12), in parallel with
design and development of other means of risk reduction (Clause 9)
5 Installation, commissioning and validation (Clauses 14 and 15)
6 Operation and maintenance (Clause 16)
7 Modification (Clause 17)
8 Decommissioning (Clause 18)

Activities spanning all phases:
9 Verification (Clauses 7, 12.4 and 12.7)
10 Management of functional safety and functional safety assessment and auditing (Clause 5)
11 Safety life-cycle structure and planning (Clause 6.2)

Functional safety assessment Stage 1 follows phase 3, Stage 2 follows phase 4, Stage 3 follows
phase 5, Stage 4 follows phase 6 and Stage 5 follows phase 7. The figure carries the annotation
"SIS replacement is more than a modification" next to phases 6 and 7.

Key: typical direction of information flow; requirements given in this standard; no detailed
requirements given in this standard.

NOTE 1 Stages 1 through 5 inclusive are defined in 5.2.6.1.3.
NOTE 2 All references are Part 1 unless otherwise noted.

There are many additional considerations that need to be applied when the process is running.

The main gated progression phases still follow the IEC 61511 life-cycle as follows:
- Hazard identification and risk assessment (IEC 61511 phases 1-3);
- Design, engineering and FAT (IEC 61511 phase 4);
- Training;
- Installation of replacement SIS (IEC 61511 phase 5);
- Commence cut over to new SIS (IEC 61511 phase 5);
- Plant daily meetings (IEC 61511 phase 5);
- Permit to work (IEC 61511 phase 5);
- Control Room Operator interfaces (IEC 61511 phase 5);
- The cut over work (IEC 61511 phase 5);
- Testing and sign off (IEC 61511 phase 5);
- Ongoing operations and maintenance (IEC 61511 phase 6).

Even where SIL studies may have been previously implemented, experience has revealed that
few SIS change out projects are prepared to review the PFD or hardware fault tolerance
calculations for the new systems, even though the whole logic solver will change, field elements
may be changed and very often the I/O interfaces are modified as well.

Rationalisation of SIS functionality within the replacement SIS also impacts greatly on the
application software configuration, making it difficult, if not impossible, to check functionality of
the old and replacement SIS configurations on a like-for-like basis. The whole configuration must
therefore be checked by comprehensive factory acceptance testing (FAT).

It will be checked that secure power supplies and HVAC are capable of supporting both the old
and the replacement system for the changeover period. In addition there has to be sufficient
space to install the replacement SIS before the old system is dismantled.

Another fundamental item that is often overlooked is whether the actual terminals associated
with the SIS outputs for all normally powered field elements can support the connection of a 24
Volt temporary supply to hold the field element in the powered state whilst the wires are
physically moved (i.e. cut over) to the new system.
The replacement SIS is therefore initially installed alongside the old system, but without any I/O
connections to the field elements. This will probably require special software programs to be
installed to transfer data between the two systems.
Wherever possible, offline or spared equipment should be transferred first, to minimise the risks,
and then swapped over to become online so that their partners can be transferred without risk.
The purpose of validation for each field input and output is to ensure that they are connected to
the correct I/O termination and that they remain functional. Replacing a SIS is always going to
be safer and less risky when the process is shut down. This removes most of the associated
integrity and production issues, as well as the additional stress related to working on integrity
systems on a live process. The time taken and the project costs will also be considerably less.
Full commissioning and validation will also be possible before the process starts up again.
Project design must ensure that safety is fully guaranteed and that the risks are fully identified and
evaluated; projects should not shortcut the IEC 61508 and IEC 61511 standards by arguing
like-for-like, since this is so often far from the mark.

APPENDIX B ARCHITECTURE EXAMPLES

The architecture drawings are not reproduced here; their titles follow.

Refer to section 2.6

Refer to section 2.6

PCS Architecture - Refer to section 3.2

PCS Architecture with MCS - Refer to section 3.2

PCS Architecture without MCS and MMS - Refer to section 3.2

SIS Architecture - Refer to section 4.2

SIS Architecture with F&G sections - Refer to section 4.2

SIS Architecture with Technical Building Fire Zones Indoor - Refer to section 4.2

F&G Architecture - Refer to section 4.2

FACP Network Architecture - Refer to section 4.2

HMI Interface - Refer to section 5.1

SCADA Architecture - Refer to section 6.2
APPENDIX C - OPERATOR TRAINING SIMULATOR


The following sections have to be considered as examples.

SCOPE

The scope of this specification defines the requirements for design, implementation,
development, maintenance, supply, testing, services and Vendor’s warranty of the necessary
equipment, licences, application software and documentation for one Operator Training
Simulator (OTS) System to be provided for the plant.
The Simulator will be installed in an appropriate space located close to the Central Control
Room, or where requested by the project.
The “High Fidelity” OTS will be stimulated, and real Operator Workstations shall be provided as the
Operator Interface; all the hardware required for OTS operability must be included in the
supply.
This specification sets out the minimum requirements for the supply and does not relieve the
Vendor of his full responsibility for the design and the reliable operation of the elements
supplied. Therefore, the Vendor shall be liable for the correct operation of all elements involved.

SYSTEM DESCRIPTION

The principal use of Operator Training Simulator is the training of operators under normal start-
up, normal operations, normal shutdown, emergency shutdown, process upsets and load
changes. The specific process units to be simulated are in paragraph PROCESS MODELS. All
control and safety functions in these areas will be simulated.
It is envisaged that after plant start-up, the OTS will be used for refresher courses for
experienced operators, for training of new recruits and also shall be used to evaluate operator
performance during the various training exercises.
The System will be based on dynamic process simulator software running on a computer,
interfaced with 3 Operator Workstations with double screens fully acting as operator consoles
and emulating real operation. A terminal (called “Field Operator device”) will emulate field push
button panels.
One of the trainee consoles will have also engineering functionalities.
OTS design shall include equipment, instrumentation, controls, process models, and application
software that will enable an operator to act in all modes of plant operations, the instructor to
perform required training sessions, and the engineer to maintain the OTS.
A Plant Model will rigorously simulate the dynamic response of the process units to external
changes, control system and operator actions. The Plant Model shall include emulation of the SIS, PCS
and all other PCS subsystems, Compressor Control, etc.
OTS shall utilize the post FAT version of the actual PCS databases and all its subsystems.
Vendor shall define a procedure for OTS Data Base and Graphic upgrading considering and
matching the real Plant PCS changes. The procedure shall be included in OTS manuals.
It shall be possible to transfer future PCS Graphics modifications to OTS operator workstation
without difficulties.

PROCESS MODELS

The simulator will use a high-fidelity integrated process model of the Plant and procedures
for warm start, cold start, normal operations and the handling of upsets and/or emergencies.
Critical to such operations is the emulation of panel and field duties.
The OTS shall include dynamic process models for simulating the process and utilities areas.
However, the following parameters and/or functions will not be modelled explicitly:
• Rotating equipment bearing temperature or vibration;
• Fire and gas alarms;
• Lube oil;
• Metering system.

OPERATING CONDITIONS

The simulations shall be based on the real-time solution of realistic mathematical models and
the real PCS database.
OTS shall allow for maximum capacity of the individual units and total plant under various
process conditions:
- Hot start-up
- Cold start-up
- Normal operation
- Normal shutdown
- Emergency shutdown / depressurization
- Process upsets
- Load change
The following initial conditions will be supplied as default starting cases in the OTS:
- Normal steady state – to represent the normal operating state of the plant. It is
envisaged that operators will initialize from this state to perform training on the
pre-programmed exercises, arbitrary instructor initiated malfunctions and plant shut down
procedures;
- Warm Start – designates the condition of the plant just after the shutdown of the plant;
- Cold Start – designates a condition where a new plant (or a plant after extended
shutdown) is ready for general start-up activities. In this state all equipment is at near
atmospheric pressure.

MODEL FIDELITY

The steady state accuracy of the model will be ±5% of the reference PFD’s values for
temperatures, pressures and flows of the major streams.
Dynamic accuracy will be such that model responses will appear to be realistic to an expert
operator. Dynamic accuracy will be ensured by the use of actual volumes of vessels and piping,
vendor quoted valve stroke times and sufficiently tuned controls to achieve stable operation of
the OTS.
Static accuracy will be a key acceptance parameter and it shall be checked at the model steady
state starting conditions with reference to the values shown in the Heat and Material Balance
specifications.
It is defined as:
SA = ((A - B) × 100) / B
where:
SA = Static accuracy
A = Vendor steady state model result
B = Contractor Material Balance value

The list of the major streams to be checked, with the corresponding expected values and static
and dynamic acceptance accuracy, will be made available by the Vendor in the FDS submission.
Vendor thermodynamic library packages shall match the model accuracy. Vendor limitations (if
any) in thermodynamic package availability (e.g. for amine or sulphur recovery units) shall
be highlighted during the bidding phase.
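Added example, not part of this specification: the static accuracy definition SA = ((A - B) × 100) / B applied, with the ±5% acceptance band, to every variable of each major stream in a constructed Heat and Material Balance table, as a Model Acceptance Test check would do. Stream names, variables and values are constructed, and the treatment of a zero reference value is an assumption.

```python
"""Static accuracy check of an OTS steady-state model (added example).

A = Vendor steady-state model result, B = Contractor Material Balance value,
SA = ((A - B) x 100) / B in percent; the specification accepts |SA| <= 5%.
"""
from typing import Dict, List, Tuple

STATIC_TOLERANCE_PCT = 5.0   # from the specification: +/-5% of the reference values

# Constructed Contractor Material Balance values (B) for two major streams.
HMB_REFERENCE: Dict[str, Dict[str, float]] = {
    "S-101": {"temp_degC": 35.0, "press_barg": 70.0, "flow_kg_h": 1200.0},
    "S-205": {"temp_degC": 40.0, "press_barg": 65.0, "flow_kg_h": 1150.0},
}
# Constructed Vendor steady-state model results (A) for the same streams.
MODEL_RESULTS: Dict[str, Dict[str, float]] = {
    "S-101": {"temp_degC": 36.5, "press_barg": 68.0, "flow_kg_h": 1275.0},
    "S-205": {"temp_degC": 40.5, "press_barg": 65.0, "flow_kg_h": 1140.0},
}

Result = Tuple[str, str, float, bool]   # stream, variable, SA (%), within tolerance


def static_accuracy(a: float, b: float) -> float:
    """SA in percent as defined in the text. A zero reference (e.g. a closed
    valve with 0 flow) cannot be compared on a percentage basis, so it is
    reported as an error rather than silently accepted (assumed handling)."""
    if b == 0:
        raise ZeroDivisionError("reference value B is zero; compare on an absolute basis")
    return (a - b) * 100.0 / b


def check_streams(model: Dict[str, Dict[str, float]],
                  hmb: Dict[str, Dict[str, float]],
                  tol_pct: float = STATIC_TOLERANCE_PCT) -> List[Result]:
    """Compare every variable of every reference stream; a variable missing
    from the model is a KeyError, i.e. an incomplete submission, not a pass."""
    results: List[Result] = []
    for stream, ref_vars in hmb.items():
        for var, b in ref_vars.items():
            sa = static_accuracy(model[stream][var], b)
            results.append((stream, var, round(sa, 2), abs(sa) <= tol_pct))
    return results


def acceptance_report(results: List[Result]) -> dict:
    """Summary for the Model Acceptance Test record."""
    failures = [r for r in results if not r[3]]
    return {
        "checked": len(results),
        "failed": len(failures),
        "accepted": not failures,
        "failures": failures,
    }


if __name__ == "__main__":
    report = acceptance_report(check_streams(MODEL_RESULTS, HMB_REFERENCE))
    print(f"checked={report['checked']} failed={report['failed']} accepted={report['accepted']}")
    for stream, var, sa, ok in report["failures"]:
        print(f"  {stream} {var}: SA = {sa:+.2f}% (outside +/-{STATIC_TOLERANCE_PCT}%)")
```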

APC PRE-TUNING
OTS Dynamic model (after Model Acceptance Test Phase) will be used by the Vendor for
Advanced Process Control System (APC) pre-tuning activity.
Vendor shall coordinate internally its APC and OTS teams; additional licences, hardware and/or
software tools shall be fully included in the scope.

INSTRUCTOR WORKSTATION FUNCTIONALITIES


The Instructor Station shall be a graphical user interface (GUI).
The Instructor shall be able to monitor the status of the simulated process and directly control
selected malfunctions, remote function, and scenarios from easy-to-use displays. These
displays are described hereinafter.
The OTS Instructor interface will have the following minimum functionalities:
- PFD style process displays and ability to navigate through process displays
- Save new initial conditions at any time or load any previously saved initial conditions
- Ability to stop/start and speed up & slow down the simulator
- Ability to initiate arbitrary malfunctions
- Ability to initiate pre-programmed scenarios
- Ability to load different models
- Ability to perform duties and panel functions
- Ability to create new malfunctions or pre-programmed scenarios (as customized
malfunctions)
- Ability to make minor parameter changes (as customized malfunctions)
The Instructor Station display shall have a header giving, as a minimum:
- Display Name
- Date
- Time (real clock time)
- Engineering/Instructor mode
- Simulation time
- Freeze/Unfreeze status
- Simulation time scale (Time Factor)
The Instructor Station functionalities will be as a minimum:
- Snapshot functionalities, Manual Snapshot, Snapshot Reload, etc.
- Freeze/Unfreeze Functions
- Slow down function
- Fast time function
- Alarm and event logging
- Model selection function


FIELD OPERATOR DEVICE FUNCTIONALITIES

A dedicated Personal Computer will be used for Field Operator Device (FOD) emulation. The FODs
to be emulated are the SIS functionality (including Reset, MOS and POS) and the Local Panel
commands (including hand valves and rotating equipment panels).
The OTS shall have a minimum of 300 Remote Functions configured for each model; the lists of remote functions
will be provided during detail design.

OPERATOR WORKSTATION FUNCTIONALITIES

OTS trainee stations shall have the same functionalities as the actual PCS operator station
(operator keyboard, trackball, touch screen, colour graphic displays, trend displays, etc.).
The OTS will provide the following minimum training functionality:
- Ability to perform PCS actions
- Ability to perform all critical functions required to execute normal operations, plant
start-up such as cold start, respond to emergencies and restart from tripped conditions
- Ability to measure trainee performance and record, retrieve, manage the trainee actions

Each Trainee operator station shall be able to provide the following functions, as a minimum:
- Operating displays
- Custom graphic pages
- Alarm and Event management
- Trends
- Custom keys
- Any other functions as per PCS Standard functionalities
Vendor shall state the maximum number of these functions that can be implemented and any
limitation to their access on the Trainee operator consoles.

Operating displays
Each Trainee operator station shall have the following displays and functions:
- Group display
- Point detail display
- Alarm display
- Trend display
- Other displays as per the DCS Vendor's standard

HARDWARE REQUIREMENTS AND ARCHITECTURE

The Hardware will not include any interface to the real PCS or to other external computer
systems.
Terminals, computers, monitors and printers shall be of sufficient quality and have the features
and resolutions needed to perform the functions for which they are intended.
All hardware shall be new and previously unused.
Basically, there are two main component parts: the PCS component and the simulation
component. The two component parts are linked through an Ethernet switch.


The OTS shall use its own local network linking the OTS model server(s) and peripherals. The
connection shall use a standard communication protocol, with a minimum speed
of 1 Gbit/s. In any case, the Vendor shall provide the network speed necessary to ensure
training feasibility.
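The two requirements above, no interface to the real PCS and a dedicated OTS local network, are the kind of thing a commissioning or security review verifies on the delivered hosts rather than takes from the architecture drawing. As an added example (not from the eni standard or any Vendor's tooling), the script below reads routing-table text in the style of `ip -4 route` from an OTS model server and reports any path into the production PCS address range. The sample route lines and the PCS subnet `10.20.0.0/16` are constructed assumptions; a real check would use the site's own address plan.

```python
"""OTS isolation check (added example, not from the eni standard).

Parses Linux-style `ip -4 route` output captured on an OTS host and flags
any route that could carry traffic into the real PCS network.  A default
route is flagged as well, because it makes every address reachable.
"""
import ipaddress

# Constructed sample, in the style of `ip -4 route` on an OTS model server.
# The third line deliberately violates the isolation requirement.
SAMPLE_ROUTES = """\
default via 192.168.50.1 dev eth0
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.10
10.20.0.0/16 via 192.168.50.254 dev eth0
"""

# Assumed address plan (not from the document): production PCS control subnet(s).
PCS_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_routes(text):
    """Return (destination network, next hop or None, device or None) per route line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dest, strict=False), via, dev))
    return routes


def find_pcs_paths(routes, pcs_networks):
    """List human-readable findings for routes that reach a PCS range."""
    findings = []
    for dest, via, dev in routes:
        if dest.prefixlen == 0:
            findings.append(
                "default route via %s on %s: OTS host can reach any address" % (via, dev))
            continue
        for pcs in pcs_networks:
            if dest.version == pcs.version and dest.overlaps(pcs):
                findings.append(
                    "route to PCS range %s (%s via %s on %s)" % (pcs, dest, via, dev))
    return findings


def is_isolated(route_text, pcs_networks=PCS_NETWORKS):
    """True when the host has no route (and no default route) toward the PCS ranges."""
    return not find_pcs_paths(parse_routes(route_text), pcs_networks)


if __name__ == "__main__":
    for finding in find_pcs_paths(parse_routes(SAMPLE_ROUTES), PCS_NETWORKS):
        print("FINDING:", finding)
    print("isolated:", is_isolated(SAMPLE_ROUTES))
```

On the constructed sample the check reports two findings (the default route and the explicit route into the assumed PCS range); a host carrying only its link-local OTS route passes. The same pattern can be applied to interface addresses or switch port/VLAN assignments to confirm that the Ethernet switch linking the PCS component and the simulation component has no uplink into the plant control network.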

SOFTWARE REQUIREMENTS AND ARCHITECTURE


The software required shall include all software necessary for operation of the OTS, for
development and maintenance of process models, and for development and maintenance of
the PCS configuration.
Only standard proven software shall be used.
Simulator operations and model development software shall contain the following:
- A library of all standard process algorithms such as flow, pump, heat exchanger, flash,
etc.
- A library of any custom process algorithms used to develop the plant models.
- Custom displays and trends to monitor all process variables.
- The capability to save, load and unload the model database and simulated variables.
Software shall enable COMPANY to build tabular, graphic or trend displays on the Instructor
Station and to make the displays interact with any simulated variables of the model.
COMPANY will have the capability to modify the plant models to keep them up to date with
plant changes.
All process models shall provide diagnostic error messages that identify the source of any run-time
errors that occur during model execution.
Diagnostic programs and/or utilities, required to monitor system performance and aid troubleshooting,
shall be provided.

A preliminary OTS functional architecture shall be developed by the Vendor showing all
interconnection components, including PCs, PCS workstations, printers, servers, switches,
modems, etc.
