
Engineering Standard

SAES-Z-001

24 October 2009

Process Control Systems


Process Control Standards Committee Members
Khalifah, Abdullah Hussain, Chairman
Assiry, Nasser Yahya, Vice Chairman
Awami, Luay Hussain
Ben Duheash, Adel Omar
Bu Sbait, Abdulaziz Mohammad
Baradie, Mostafa M.
Dunn, Alan Ray
Fadley, Gary Lowell
Genta, Pablo Daniel
Ghamdi, Ahmed Saeed
Green, Charlie M.
Hazelwood, William Priest
Hubail, Hussain Makki
Jansen, Kevin Patrick
Khalifa, Ali Hussain
Khan, Mashkoor Anwar
Mubarak, Ahmad Mohd.
Qaffas, Saleh Abdal Wahab
Shaikh Nasir, Mohammad Abdullah
Trembley, Robert James

Saudi Aramco DeskTop Standards


Table of Contents

1   Scope ............................................................ 2
2   Conflicts and Deviations ............................... 3
3   References .................................................... 3
4   Definitions ..................................................... 4
5   System Selection .......................................... 8
6   Standard Products ........................................ 8
7   Redundancy .................................................. 8
8   Segregation ................................................... 9
9   Spare and Expansion Capabilities ............... 12
10  System Access & Security ........................... 13

Previous Issue: 16 April 2007 Next Planned Update: 15 April 2012


Revised paragraphs are indicated in the right margin
Primary contact: Kinsley, John A. on 966-3-8730952
Copyright Saudi Aramco 2009. All rights reserved.

Page 1 of 41

Document Responsibility: Process Control


Issue Date: 24 October 2009
Next Planned Update: 15 April 2012

SAES-Z-001
Process Control Systems

Table of Contents (Cont'd)

11  Process Control & Equipment Protection ..... 19
12  Consoles, Workstations and Control Networks ............... 22
13  Operator Graphical Displays ........................ 23
14  Alarms and Messages .................................. 27
15  History .......................................................... 33
16  Integration & Interface .................................. 34
17  Units of Measurement .................................. 35
18  Wiring and Power Supply ............................. 35
19  Environmental Conditions ............................ 38
20  Control Rooms ............................................. 40
21  Documentation ............................................. 40

1 Scope
This Standard prescribes the minimum mandatory requirements and guidelines
governing the engineering, design and installation of Process Control Systems (PCS) in
Saudi Aramco plants.
Distributed Control Systems (DCS) and the interface with their subsystems are
considered within the scope of this standard. The regulatory, sequential, advanced
controls and optimization implemented in these systems are also included. The
integrated system shall be referred to as the Process Control System (PCS).
The following systems are excluded from this standard except their interfaces to the
PCS:

a) ESD (Emergency Shutdown) systems (covered by SAES-J-601).
b) Royalty and Custody Transfer Systems (covered by SAES-Y-101 and SAES-Y-103).
c) Package Unit Instrumentation (covered by 34-SAMSS-831), for example, an air
   compressor skid or a Licensor's specific technology package.
d) Automatic Tank Gauging System (covered by 34-SAMSS-318).
e) Supervisory Control and Data Acquisition Systems (SCADA).

This entire standard may be attached to and made a part of purchase orders.

2 Conflicts and Deviations

2.1 Any conflicts between this standard and other applicable Saudi Aramco
Engineering Standards (SAESs), related Materials System Specifications
(SAMSSs), Standard Drawings (SASDs), or industry standards, codes, and
forms shall be resolved in writing by the Company or Buyer Representative
through the Manager, Process & Control Systems Department of Saudi Aramco,
Dhahran.

2.2 Direct all requests to deviate from this standard in writing to the Company or
Buyer Representative, who shall follow internal company procedure SAEP-302
and forward such requests to the Manager, Process & Control Systems
Department of Saudi Aramco, Dhahran.

3 References

Specific sections of the documents listed below are referenced within the body of this
standard. Material or equipment supplied to this standard shall comply with the
referenced section of the latest edition of these specifications. Where specific sections
are not referenced, the equipment or material shall comply with the entire referenced
document.
Saudi Aramco References

Saudi Aramco Engineering Procedures
SAEP-16        Project Execution Requirements for Process Automation Systems
SAEP-302       Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco
               Engineering Requirement

Saudi Aramco Engineering Standards
SAES-J-003     Instrumentation - Basic Design Criteria
SAES-J-601     Emergency Shutdown and Isolation Systems
SAES-J-801     Control Buildings
SAES-J-902     Electrical Systems for Instrumentation
SAES-J-904     FOUNDATION Fieldbus (FF) Systems
SAES-Y-101     Custody Metering of Hydrocarbon Gases
SAES-Y-103     Royalty / Custody Metering of Hydrocarbon Liquids
SAES-Z-010     Process Automation Networks Connectivity
SAES-Z-020     Design and Installation of Fiber Optic Cable Systems for Process
               Control Networks

Saudi Aramco Materials System Specifications
23-SAMSS-010   Distributed Control Systems
34-SAMSS-318   Automatic Tank Gauging Equipment
34-SAMSS-820   Instrument Control Cabinets - Indoors
34-SAMSS-831   Package Unit Instrumentation

Saudi Aramco Engineering Report
SAER-5895      Alarm Management Guidelines for Process Automation Systems

4 Definitions

4.1 Abbreviations

CCS      Compressor Control System
CWAN     Combined Wide Area Network
DCS      Distributed Control System
ESD      Emergency Shutdown Systems
FIFO     First-In, First-Out
HMI      Human Machine Interface
HTML     Hyper Text Markup Language
OPC      OLE for Process Control
PCS      Process Control System
PDF      Portable Document Format
PLC      Programmable Logic Controller
RMPS     Rotating Machinery Protection System
RTPM     Real-Time Performance Management
RTU      Remote Terminal Unit
SAEP     Saudi Aramco Engineering Procedures
SAES     Saudi Aramco Engineering Standards
SAMSS    Saudi Aramco Material System Specifications
SCADA    Supervisory Control and Data Acquisition
TCP/IP   Transmission Control Protocol
TMS      Terminal Management System
UPS      Uninterruptible Power Supply

4.2 Definitions
Advanced Control: Multivariable, constraint and optimizing controls will be
labeled advanced controls. Controls that fall into this category will be those that
are supervisory in nature, i.e., they normally, but not always, output to the set
points of other control loops rather than to the valves directly.
Algorithm: A prescribed set of well-defined rules or processes for the solution
of a problem in a finite number of steps. (See also control algorithm).
Application: Application packages shall be vendor's standard off-the-shelf
offering configurable to meet job-specific requirements. Modification of source
codes unique for Saudi Aramco is not allowed.
Availability: The percent of time a system or component remains on line and
performs as specified.
Cascade (Cascade Control): A control scheme composed of two loops where
the setpoint of one loop (the inner loop) is the output of the controller of the
other loop (the outer loop).
Control Algorithm: A mathematical representation of the control action to be
performed.
Console: A collection of one or more workstations and associated equipment
such as printers and communications devices used by an individual to interact
with the PCS and perform control and monitoring functions.
Critical: A function which if lost would result in either a major process upset
or loss of operation.
Dead Band: The range through which an input signal may be varied without
initiating an action or observable change in output signal.
Distributed Control System (DCS): A process control system that is
composed of distinct modules. These modules may be physically and
functionally distributed over the plant area. The distributed control system
contains all the modules and associated software required to accomplish the
regulatory control and monitoring of a process plant, excluding field
instruments, remote terminal units, auxiliary control systems and Plant
information systems.
Fault-Tolerant: The property of a system which enables it to carry out its
intended function with one or more active hardware or software faults.

Firmware: Firmware is a combination of both hardware and software.
Hardware such as ROMs (Read Only Memory) or EPROMs that have software
programs or data recorded on them is considered firmware.
Functional Specification Document (FSD): Written requirements of the
functionality required for a piece of equipment or a system.
Hardware: Instrumentation and Control System Hardware consists of physical
devices like transmitters, I/O cards, power supplies, control processors, disk
drives, display screens, keyboards, printers, integrated circuit boards, and silicon
chips.
OLE for Process Control (OPC): The objective of the OPC Foundation is to
develop an open, flexible, plug-and-play standard that allows end users to enjoy
a greater choice of solutions, as well as sharply reducing development and
maintenance costs for hardware and software suppliers.
Point: A process variable derived from an input signal or calculated in a
process calculation.
Portable Document Format (PDF): A file format developed by Adobe
Systems. PDF captures formatting information from a variety of desktop
publishing applications, making it possible to send formatted documents and
have them appear on the recipient's monitor or printer as they were intended. To
view a file in PDF format, you need Adobe Reader, a free application distributed
by Adobe Systems.
Process Controller: A microprocessor-based control device used primarily to
perform regulatory control functions. These can be either DCS based
controllers, Compressor Controllers, PLC based controllers or similar.
Process Control System: The integrated system which is used to monitor and
control an operating facility. The PCS consists of operating area Distributed
Control Systems and their related Auxiliary systems which are connected
together at the Process Control Network and Plant-wide Information Network
level to form a single integrated system.
Programmable Logic Controller (PLC): A stand-alone microprocessor-based
control device used primarily to perform discrete or sequential control.
Real-Time Performance Management (RTPM): An integrated set of
computing hardware, system software, networking, communication products,
database management and applications which interfaces with the PCS to provide
process data to a wide variety of users in an off-line office environment.

Redundant: A system and/or subsystem that provides for a standby module
with automatic switchover from the active unit to the standby module, in the
event of a failure, without loss of a system function. Both active and standby
modules utilize diagnostics to assist in identifying and locating failures and to
permit modules to be removed for repair and/or replacement.
Regulatory Control: The functions of process measurement, control algorithm
execution, and final control device manipulation that provide closed loop control
of a plant process.
Remote Terminal Unit (RTU): A device used for interfacing process I/O in a
remote location with a central station. An Intelligent RTU includes discrete and
regulatory control functions.
Risk Area: A grouping of Process equipment and associated Control Systems
equipment which together perform a specific process function.
Software: Software shall be considered programming code, computer
instructions or data that can be stored electronically. The storage devices and
display devices are hardware. Software is often divided into two categories:

Systems Software: Includes the operating system and all the utilities that
enable the computer to function.

Applications Software: Includes programs that do real work for users. For
example, word processors, spreadsheets, and database management systems
fall under the category of applications software.

Supervisory Control and Data Acquisition (SCADA): A system primarily
intended for data acquisition and limited remote control over a wide
geographically distributed area.
Tag: A collection of attributes that specify either a control loop or a process
variable, or a measured input, or a calculated value, or some combination of
these, and all associated control and output algorithms. Each tag is unique.
Terminal Management System (TMS): An integrated product receipt and
distribution control management for terminal operations. Terminal facilities
include bulk plants and air fueling terminals.
Transmission Control Protocol (TCP): One of the main protocols in TCP/IP
networks. Whereas the IP protocol deals only with packets, TCP enables two
hosts to establish a connection and exchange streams of data. TCP guarantees
delivery of data and also guarantees that packets will be delivered in the same
order in which they were sent.
Workstation: A computer and its associated monitor(s), keyboard(s) and other
peripheral devices which is connected to the PCS and is used to provide Human
Machine Interface functions and/or other maintenance and engineering
functions.
5 System Selection

Depending on the particular control objectives to be accomplished within any given
project, decisions need to be made regarding selection of the class of system(s) to be
utilized.
This selection is specified by the Company's purchase orders, contracts or job
specifications, including a project-specific FSD.

6 Standard Products

6.1 The process control system shall be composed of manufacturers' standard
hardware, software, firmware and process control application packages.

6.2 A system's standard operating system software shall not be modified to meet any
of Saudi Aramco's requirements.

6.3 All hardware, firmware, software and application that are supplied shall have
been field proven prior to the hardware freeze date as defined in the contract or
purchase order. Field proven is defined as successful operation at a field
installation for six (6) or more months (excluding beta test period). It shall be
possible for Saudi Aramco to verify the field proven status of the system.

6.4 Application packages shall be vendor's standard off-the-shelf offering
configurable to meet job-specific requirements. Modification of source codes
unique for Saudi Aramco is not allowed.

6.5 Third-party products incorporated as part of the vendor's systems must have
been approved and certified by the specific vendor. Any substitute must be
approved by Saudi Aramco in writing.

7 Redundancy

7.1 The following equipment shall be supplied in redundant or fault-tolerant
configuration unless otherwise specified in the project specific Functional
Specification Document:

a) All Process Controllers.
b) All Power supply modules.
c) All DCS Control Network Communications Equipment.
d) All communications equipment required for communications between
   controllers and I/O modules.
e) All Input and Output modules used for critical regulatory control.
f) All Foundation Fieldbus Host interface modules.
g) All Foundation Fieldbus power supply and conditioning modules.
h) All data storage devices (e.g. hard-drives) used to store system
   configuration information or control strategy configuration information.
i) All auxiliary systems communications interface modules, including
   communications paths, where either the communications channel is used
   to send commands from the DCS to the auxiliary system or data from the
   auxiliary system is used within a regulatory control strategy within the
   DCS.

Commentary Note:
Regulatory control refers to control which is implemented at the DCS layer.
This can be either analog (e.g. 4-20mA to control valves) or discrete (e.g.
24vDc to Motor starters). Critical regulatory control refers to control of
equipment which does not have an installed spare or backup or where failure
of the equipment would result in a significant loss of production or an unsafe
operating condition. Inputs and Outputs used for regulatory control in critical
applications shall be supplied with redundant I/O modules. Requirements for
redundant inputs and outputs will be specified in the project FSD.

7.2 A minimum of two electrically and electronically independent operator
workstations shall be provided for each operator's console.

8 Segregation

Process Control Systems shall be segregated into risk areas to increase system and
process availability. Risk Areas shall be defined in three levels. Separate segregation
requirements apply to each risk level.

8.1 Level 1 Risk Area Segregation

Level 1 (L1) segregation provides the greatest degree of segregation. L1
segregation is used to segregate plant operations based on a 50% production loss
rule:

8.1.1 Where a plant is designed with parallel processing trains, control
systems equipment shall be segregated such that a total loss of process
control equipment contained within a single L1 risk area shall not
result in the loss of more than 50% of the total plant processing
capability.

8.1.2 Equipment located in separate L1 Risk Areas require separate:
- UPS Power Circuits
- Power Supplies, Power Distribution circuits or panels
- Operator workstations and alarm panels
- Process controllers (DCS), Safety Instrumented Systems (ESD),
  Compressor or Turbine Control Systems and associated I/O
  subsystems for each.
- Process Control Network equipment and cabling
- System and marshalling cabinets
- Auxiliary systems interfaces.

8.1.3 Level 1 segregation does not apply to software applications which
require a 'global' system database. The following software applications
are excluded: DCS Configuration Database, System Diagnostics
applications, Analyzer Management Systems, Instrument Asset
Management System (IAMS), Alarm Management system, MVC
software, OSI-PI software, Power Monitoring Systems and Condition
Monitoring Systems. This exception is allowed because failure in any
of these does not adversely affect the ability to operate the plant.

8.1.4 A double failure of any redundant component in one L1 Risk Area
shall not affect the operations of equipment in any other L1 Risk Area.

8.1.5 Where a single operator console is used to monitor two or more L1 risk
areas, each risk area must have a dedicated Operator Workstation.
Requirements for Operator Workstation redundancy (i.e., the backup
operator workstation) can be met using a workstation dedicated to
another risk area as long as that workstation has full monitoring and
control capabilities of both risk areas.

8.1.6 Where a single operator console is used to monitor two or more L1 risk
areas, control network communications equipment and cables shall be
segregated between risk areas. Communications cables may terminate
on a common network switch associated with the console provided the
switch is supplied in redundant configuration and both are dedicated
for the operator console.

8.2 Level 2 Risk Area Segregation

Level 2 segregation is used to segregate parallel processing units within a Level
1 risk area. Level 2 segregation is also used to segregate major process
equipment installed within Utilities plant areas.
Process Control Equipment shall be segregated into separate Level 2 (L2) risk
areas as follows:

8.2.1 Parallel processing trains or parallel processing units within a Level 1
risk area shall be segregated into separate L2 risk areas.

8.2.2 Redundant or parallel processing equipment located within utilities
plant areas shall be segregated into separate L2 risk areas such that a
complete failure in any single L2 risk area will only result in a loss of
no more than 50% throughput of the utilities area.

Commentary Note:
In most instances, it is impractical to segregate equipment located in
the Utilities plant area into separate L1 risk areas. Equipment such as
Boilers, air compressors, nitrogen systems, hot-oil systems, etc., feed a
common header which is used plant-wide and therefore feeds two
separate L1 risk areas. For this reason, Level 2 segregation is applied
for utilities equipment using a similar 50% production loss rule as is
applied for Level 1.

8.2.3 Equipment located in separate Level 2 (L2) Risk Areas require
separate:
- Process Controllers and associated IO modules, IO
  communications equipment and communications cabling.
- Marshalling Cabinets.

8.2.4 Where two or more operator consoles are used to control equipment
within a single L1 risk area, equipment operated by each console shall
be segregated into separate L2 risk areas.

8.2.5 Parallel processing trains within an L1 risk area which have been
segregated into separate Level 2 risk areas require separate Emergency
Shutdown Systems for each L2 risk area.

8.2.6 An exception is allowed for segregation of I/O communications cables
when I/O modules are located remote from the controllers and fiber
optic cables are used for communications. In this case, controllers in
two separate L2 risk areas may share the same fiber optic cable
provided that:
- Dedicated fiber strands are used for each controller.
- No Fiber optic converters are shared between controllers.
- Communications between the controller and I/O is redundant and
  the redundant cables are installed in separate routes.

8.3 Level 3 Risk Area Segregation

Level 3 segregation is used to segregate parallel process equipment or
equipment installed in redundant configuration in order to increase process
availability. Level 3 segregation requires segregation of equipment at the IO
card level.

8.3.1 Level 3 (L3) Risk Area Segregation shall be applied for parallel
process equipment or any equipment installed in redundant
configuration.

8.3.2 Any equipment which serves the same purpose but is provided in
redundant configuration to increase a process system's availability shall
be segregated into separate L3 risk areas.

Commentary Note:
Redundant or parallel processing equipment are equipment such as:
Booster pumps, Shipper Pumps, Sales Gas Compressors, Feed Gas
Compressors, LP, HP and Pipeline compressors in a GOSP, column
bottoms pumps, reboilers, filters/separators, condensate pumps, etc.,
which are installed in redundant configuration.

8.3.3 Equipment located in separate L3 risk areas shall not share the same IO
card. Field cables for equipment located in separate L3 risk areas may
be terminated in a common marshalling cabinet and use a common
(redundant) external field power supply if required.
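As an added illustration (not part of the standard and not a project's own tool), the following Python script encodes three of the section 8 rules as checks over an equipment allocation: the 50% production-loss rule of 8.1.1, the separate controllers and marshalling cabinets required by 8.2.3, and the no-shared-I/O-card rule of 8.3.3. The record fields, the controller, card and cabinet names, and the sample plant are assumptions made for the example; on a real project the same checks would run over the I/O assignment list before the design is frozen.

```python
"""Segregation audit for the risk-area rules of SAES-Z-001 section 8.

Added example, not text of the standard or any vendor's tool. It models a
plant's control equipment as records tagged with L1, L2 and L3 risk areas and
checks an allocation against three of the section's rules:
8.1.1 (loss of one L1 area removes at most 50% of plant capacity),
8.2.3 (separate L2 areas do not share controllers or marshalling cabinets) and
8.3.3 (separate L3 areas do not share an I/O card). The record layout,
the resource names and the sample plant are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Equipment:
    tag: str                   # equipment tag, e.g. a pump or compressor
    l1: str                    # Level 1 risk area (parallel train), 8.1
    l2: str                    # Level 2 risk area (parallel unit within the train), 8.2
    l3: str                    # Level 3 risk area (member of a redundant pair), 8.3
    controller: str            # process controller that controls the equipment
    io_card: str               # I/O card carrying the equipment's field signals
    cabinet: str               # marshalling cabinet terminating the field cables
    capacity_pct: float = 0.0  # share of total plant processing capability


def check_l1_loss(equipment):
    """8.1.1: a total loss of one L1 risk area may remove at most 50% of capacity."""
    capacity = {}
    for e in equipment:
        capacity[e.l1] = capacity.get(e.l1, 0.0) + e.capacity_pct
    return [f"8.1.1: loss of {area} removes {pct:.0f}% of plant capacity"
            for area, pct in sorted(capacity.items()) if pct > 50.0]


def _shared_across(equipment, resource, level, rule):
    """Findings for any `resource` (a field name) used by more than one `level` risk area."""
    users = {}
    for e in equipment:
        users.setdefault(getattr(e, resource), set()).add(getattr(e, level))
    return [f"{rule}: {resource} {name} shared by {', '.join(sorted(areas))}"
            for name, areas in sorted(users.items()) if len(areas) > 1]


def check_l2_separation(equipment):
    """8.2.3: separate L2 areas need their own controllers and marshalling cabinets."""
    return (_shared_across(equipment, "controller", "l2", "8.2.3")
            + _shared_across(equipment, "cabinet", "l2", "8.2.3"))


def check_l3_io_cards(equipment):
    """8.3.3: equipment in separate L3 areas shall not share the same I/O card."""
    return _shared_across(equipment, "io_card", "l3", "8.3.3")


def audit(equipment):
    """All findings for an allocation; an empty list means the rules checked here hold."""
    return check_l1_loss(equipment) + check_l2_separation(equipment) + check_l3_io_cards(equipment)


def sample_plant():
    """Constructed two-train plant with one deliberate violation of each rule."""
    return [
        Equipment("P-101A", "L1-A", "A1", "P-101A", "C1", "AI-01", "MC-1", 15),
        Equipment("P-101B", "L1-A", "A1", "P-101B", "C1", "AI-01", "MC-1", 0),   # spare pump on the same card: 8.3.3
        Equipment("K-201",  "L1-A", "A2", "K-201",  "C2", "AI-02", "MC-2", 15),
        Equipment("K-202",  "L1-A", "A2", "K-202",  "C1", "AI-05", "MC-2", 10),  # unit A2 on A1's controller: 8.2.3
        Equipment("P-301A", "L1-B", "B1", "P-301A", "C3", "AI-03", "MC-3", 30),
        Equipment("P-301B", "L1-B", "B1", "P-301B", "C3", "AI-04", "MC-3", 30),  # train B carries 60%: 8.1.1
    ]


if __name__ == "__main__":
    for finding in audit(sample_plant()):
        print(finding)
```

The checks are deliberately independent: a finding names the rule, the shared resource and the risk areas involved, so each one maps directly to a line in the FSD segregation table. Rules that depend on failure sequencing (8.1.4) or on console assignment (8.1.5, 8.2.4) are not modelled here.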

9 Spare and Expansion Capabilities

9.1 Each system shall be supplied with 5% spare IO points. The spare I/O shall be
licensed, installed, and wired to termination points. Spare IO shall be provided
in approximately the same ratio as that of the installed types and shall be
distributed between risk areas in the approximate ratio as the required IO.

9.2 Where both redundant and simplex IO models are used for a signal type, the
requirement for spare IO shall apply for both types.

9.3 Each system shall be installed with 10% spare slots in IO chassis or baseplates
to accommodate addition of IO modules without requiring additional chassis or
baseplates to be added to the system. Power supplies for IO modules shall be
sized to accommodate the additional 10% expansion requirement.

9.4 Each system shall be capable of expanding the number of controllers by 10%
from that installed in the base system.

Commentary Note:
Requirements for expansion capacity and spare IO do not apply to expansion
projects where control and I/O are being added to an existing system. For
expansion projects, the requirements for spare IO and expansion capability shall
be mutually agreed upon between PMT and Proponent and specified in the
project specific FSD. If none are specified in the FSD, the requirements above
shall apply.

9.5 The average CPU Loading of any controller during normal operating conditions
shall not exceed 65% overall or 75% of the manufacturer's recommended
maximum loading specification, whichever is lower. The spare capacity is
required to accommodate peak loads during upset conditions and to provide
additional capacity required for configuration of spare IO points and associated
control algorithms and to enable the utilization of the spare IO slots.

9.6 Servers and/or Engineering Workstations shall be configured with additional
spare capacity of 40% minimum for hard-drive space, memory, and CPU. CPU
and memory spare requirements shall be verified on the running system during
steady-state conditions with all applicable software running on the system.

10 System Access & Security

10.1 Access Control

10.1.1 Access to Process Control Systems shall be restricted only to person(s)
with legitimate business requirements.

10.1.2 Procedures for control of user registration, de-registration and the
allocation of access rights and privileges for access to process control
systems shall be documented and enforced.

10.1.3 User access to a system shall be restricted by means of User IDs and
Passwords or other suitable technologies for identification and
authentication of users.

10.2 User Roles

10.2.1 User Roles shall be created to facilitate application of individual user
access privileges based on the user role or user group to which they are
assigned.

10.2.2 The following user roles shall be configured as a minimum.
Additional user roles may be created based on the particular needs of
the facility:

10.2.3 Process Operator
This user role shall be configured to provide access privileges for
process operators and control board operators. Access privileges shall
be defined to enable monitoring and control of equipment located
within specific process area(s) to which the role is associated.
Monitoring of other process areas without the ability to control these
areas is permissible. View-only access to function block parameters
such as alarm limits and tuning parameters shall also be granted.

Commentary Note:
It may be necessary to define multiple Process Area Operator User
Roles. Each process area in a plant will typically have a separate user
role. Access to control functions from the PCS will be limited to those
process areas associated with the specific user role.

10.2.4 Process Area Supervisor
This user role shall include all of the privileges assigned to the area
process operator. In addition, any requirements for special authority
commands required for control of the process area shall be granted to
the Process Area Supervisor role.

10.2.5 Maintenance Engineer/Technician
This user role shall provide access to system and instrument diagnostic
and troubleshooting tools. Access to utilities required for backup and
restore of system information shall also be granted. Other privileges
required to enable maintenance functions (such as replacement of
failed components) shall also be granted as required. View-only or
monitoring-only access to process graphics and function block
parameters shall also be granted.

10.2.6 Process Control Engineer
This user role is used to grant access privileges for process engineers
associated with a particular process area. Access privileges required
for monitoring and control of equipment associated with the particular
process area to which the role is associated shall be granted. Access
privileges required to modify function block parameters (such as
alarm limits and tuning constants) shall also be granted. Read-write
privileges for function block parameters shall be limited to those
function blocks associated with the particular plant area to which the
role is associated.

10.2.7 PCS Engineer
This user role shall be used to grant access privileges to persons
responsible for the configuration and maintenance of the PCS system.
Access privileges required to perform functions necessary for the
configuration and support of the system shall be granted. Permission
to modify user role privileges, user accounts and passwords shall not
be granted.

10.2.8 PCS Administrator
This user role shall provide access to the entire system. Assignment of
users to this role shall be restricted to a limited number of highly
trusted and competent employees. This role shall also contain
privileges necessary for configuration of user role privileges and
assignment of users to particular user roles. The role shall contain
privileges necessary to administer individual user IDs and passwords as
well as system and application user IDs and passwords. The role shall
provide access to utilities required for monitoring and auditing of
system access activities.

10.2.9 View Only
This user role shall be used to provide monitoring only access of all
process areas within the plant. Access to graphics which are
specifically required for control operations (such as controller
faceplates) shall be restricted. Access to system diagnostics,
maintenance and configuration utilities shall also be restricted.

10.3 User Accounts

10.3.1 Each User shall be assigned a unique User ID.

10.3.2 All GUEST user accounts shall be disabled on the system.

10.3.3 Users shall be granted access privileges by assigning the user to a User
Role applicable to their particular job function. Access privileges
which have been defined for that User Role shall be inherited by the
User.

10.3.4 The PCS System shall be configured to require an individual User ID
and password for authentication purposes prior to being allowed access
to any station connected to the system, with the exception of the
operator workstations located within operator consoles in the Central
Control Room (CCR) only.

10.3.5 Operator workstations located within operator consoles in the CCR can
be configured with a common 'CONSOLE XX' operator account. This
account can be shared by individuals assigned to the particular console
only. These accounts shall not be valid on any other stations connected
to the PCS.

User Account Passwords


10.4.1  Every User ID shall have an individual password.

10.4.2  The system shall be configured to require a minimum password length
of six characters.

10.4.3  Passwords shall be transmitted and stored in encrypted format.

10.4.4  The system shall be configured to enforce password uniqueness. A
minimum of three unique passwords must be entered before a
password can be re-used.

10.4.5  The system shall be configured to enforce password complexity rules.
As a minimum, the system shall be configured to enforce a minimum
password length and not allow common phrases such as names and the
word 'Password'.

10.4.6  Management of passwords, User IDs and User Role privileges shall be
done via a central server connected to the PCS system.

10.4.7  The system shall be configured to require passwords to be reset for all
User IDs every six months.

10.4.8  Facilities shall be provided to enable user account passwords to be
changed at any workstation connected to the system. A password
changed at one location shall be automatically updated at all stations
where the account is valid.
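The rules of 10.4.2, 10.4.4, 10.4.5 and 10.4.7 are the kind of policy a PCS administrator has to verify rather than assume the vendor enforces. The following is an added example written for this page, not code from SAES-Z-001 or from any PCS vendor. It checks minimum length, rejects common phrases and the user's own name, refuses a password that matches any of the last three, and reports when the six-month reset is due. The standard only says passwords are stored "in encrypted format"; the salted PBKDF2 hashing used for the history, the 182-day reading of "six months", and the phrase list are assumptions of this example.

```python
"""Password policy checks for PCS user accounts.

Added example, not part of SAES-Z-001. Implements 10.4.2 (minimum length),
10.4.4 (three unique passwords before re-use), 10.4.5 (no common phrases or
names) and 10.4.7 (six-month reset). The hashing scheme, the 182-day reading
of "six months" and the phrase list are assumptions of this example.
"""
from datetime import date, timedelta
import hashlib
import hmac
import os

MIN_LENGTH = 6                       # 10.4.2
HISTORY_DEPTH = 3                    # 10.4.4
MAX_AGE = timedelta(days=182)        # 10.4.7, six months read as 182 days (assumed)
COMMON_PHRASES = {"password", "welcome", "admin", "operator", "console"}  # assumed list


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the assumed scheme for the stored history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordPolicy:
    """Per-account state: password history (newest last) and last change date."""

    def __init__(self, user_id, full_name):
        self.user_id = user_id
        self.full_name = full_name
        self.history = []        # list of (salt, digest), newest last
        self.last_set = None

    def check(self, candidate):
        """Return a list of rule violations; an empty list means acceptable."""
        problems = []
        if len(candidate) < MIN_LENGTH:
            problems.append("shorter than %d characters (10.4.2)" % MIN_LENGTH)
        lowered = candidate.lower()
        name_parts = {self.user_id.lower()} | set(self.full_name.lower().split())
        if (any(phrase in lowered for phrase in COMMON_PHRASES)
                or any(len(p) >= 3 and p in lowered for p in name_parts)):
            problems.append("contains a common phrase or the user's name (10.4.5)")
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(_hash(candidate, salt), digest):
                problems.append("re-used within the last %d passwords (10.4.4)" % HISTORY_DEPTH)
                break
        return problems

    def set_password(self, candidate, today):
        """Apply a new password or raise ValueError listing the violated rules."""
        problems = self.check(candidate)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.history.append((salt, _hash(candidate, salt)))
        self.last_set = today

    def expired(self, today):
        """True when the password must be reset under the six-month rule (10.4.7)."""
        return self.last_set is None or today - self.last_set > MAX_AGE
```

The history comparison uses the stored salt to re-derive the candidate's hash, so old passwords never need to be kept in a recoverable form; a password that was in use four changes ago is accepted again, which is exactly what "three unique passwords" permits.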

10.5  Application and System Accounts and Passwords

10.5.1  Application IDs refer to the account name used to run applications as
either a service or a background process. These types of IDs may
require the account name and/or password to be hardcoded into
startup scripts. Passwords used for application IDs shall not be stored
in unencrypted format. Passwords used for application IDs are
excluded from the six-month password aging policy described above.

10.5.2  System IDs refer to account names used by the operating system.
These types of accounts require special consideration and shall be
managed by the PCS Administrator. System ID default passwords shall
be changed prior to commissioning the system. System account
passwords shall not be stored in unencrypted format and shall be
excluded from the six-month password aging policy described above.
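Because 10.5.1 allows application IDs to be hard-coded in startup scripts while forbidding unencrypted passwords, the practical check is a scan of those scripts for literal secrets. The following is an added example for this page, not code from the standard or from any vendor. It flags a credential written literally into a script and accepts a value that is only a reference to be resolved at start-up (a variable or a command substitution). The sample scripts, the patterns and the 'credstore' helper they mention are all constructed for the example.

```python
"""Scan startup scripts for plaintext application-account credentials.

Added example, not part of SAES-Z-001. Flags literal secrets in startup
scripts (forbidden by 10.5.1) and accepts values that are only references
resolved at start-up. Sample scripts, patterns and the 'credstore' helper
named in them are constructed for this example.
"""
import re

# Constructed sample scripts as they might sit on a PCS application server.
SAMPLE_SCRIPTS = {
    "start_historian.bat": "net use H: \\\\HIST01\\data /user:PCS\\svc_hist Summer2009!\r\n"
                           "start histsvc.exe\r\n",
    "start_opc.sh": "export OPC_USER=svc_opc\n"
                    "export OPC_PASSWORD=\"$(credstore get svc_opc)\"\n"
                    "./opcsrv &\n",
    "start_batch.sh": "DB_USER=svc_batch\n"
                      "DB_PASSWORD=batch123\n"
                      "sqlplus $DB_USER/$DB_PASSWORD@PCSDB @load.sql\n",
}

# Each pattern's last group captures the candidate secret.
PATTERNS = [
    re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"']+)"),
    re.compile(r"(?i)/user:\S+\s+(\S+)"),          # net use ... /user:DOMAIN\acct <secret>
]


def is_literal(value):
    """A variable reference or command substitution is not a stored secret;
    anything else written into the script is."""
    return not value.startswith(("$", "%", "`"))


def find_plaintext_credentials(scripts):
    """Return (script name, line number, secret) for every literal credential found."""
    findings = []
    for name, text in scripts.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for pattern in PATTERNS:
                match = pattern.search(line)
                if match and is_literal(match.group(match.lastindex)):
                    findings.append((name, lineno, match.group(match.lastindex)))
                    break
    return findings
```

The two hits in the sample are the `net use` line and the `DB_PASSWORD=` assignment; the OPC script passes because its password is fetched at start-up rather than written down. A scan like this belongs in the commissioning checklist beside the default-password change that 10.5.2 requires.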

10.6  Anti-Virus Protection
10.6.1  Anti-virus software shall be installed and configured on all Windows-based
workstations which are part of the PCS.

10.6.2  Anti-virus software shall be Norton or McAfee anti-virus software.

10.6.3  The vendor's recommended procedures shall be followed for
configuration of anti-virus software.

10.6.4  Anti-virus definition files shall be updated on all stations connected to
the PCS every three months or as per the vendor's recommended
update procedures, whichever is more frequent.

10.7  Operating System Software Patch Management

10.7.1  The vendor's recommended procedures for updating of Operating
System (OS) software and OS patch installation shall be followed.

10.7.2  Access privileges for updating of Operating System software shall be
assigned to the PCS Administrator only.

10.7.3  Operating System software and OS patches shall not be installed unless
they have been tested and certified by the vendor as being compatible
with the PCS System software.

10.8  Communications and Network Security

10.8.1  Process Control Networks shall be physically and logically separated
from the Corporate Network.

10.8.2  A dedicated Firewall shall be used to provide the interface between the
process control network and the corporate network.

10.8.3  Configuration and implementation of the interface between process
control networks and the corporate network shall be as per the
requirements defined in SAES-Z-010, 'Process Automation Networks
Connectivity'.

10.8.4  All unused ports on DCS Process Control Network equipment shall be
deactivated.

10.9  Security Management Practices

10.9.1  All workstations which are connected to the PCS and are not located
on an operator console within the CCR shall be configured to
automatically lock the workstation or switch to a "view-only" user
environment after it has been idle for 30 minutes or longer. If locking
of the workstation is used, password re-authentication by either the
last user or the PCS Administrator shall be required to unlock the
station.

10.9.2  All Workstations, Servers, and networking equipment, such as
switches or hubs, shall be housed in lockable cabinets or consoles to
prevent physical access to the equipment by unauthorized users.

10.9.3  Monitoring
10.9.3.1  All login events shall be monitored and recorded by the
system. Login events shall be recorded with date and time
of login, user account, and location of login. Records of
logins shall be maintained on the system for a minimum
period of six months.

10.9.3.2  The system shall monitor and record all failed login
attempts. If available, functionality shall be provided to
automatically notify the PCS Administrator after a preset
number of consecutive failed login attempts has been
exceeded.

10.9.3.3  Failed login attempts shall not initiate an automatic 'lockout' of the user account.

10.9.3.4  The system shall be configured to monitor 'stale' user
accounts. Stale accounts are user accounts which have not
been used on the system for a period of three months or
longer. The system shall have the capability to produce a
report of stale user accounts. The PCS Administrator shall
be responsible for manually disabling stale user accounts.
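The login records that 10.9.3.1 requires (date and time, user account, location) are enough to drive the three checks in 10.9.3.2 through 10.9.3.4, and also to catch a 'CONSOLE XX' account being used away from its console (10.3.5). The following is an added example for this page, not code from the standard or from any PCS product. It runs over a constructed set of login records, reports accounts whose consecutive failures exceed a preset number without disabling anything (no automatic lockout, 10.9.3.3), lists accounts with no successful login for three months, and lists console-account logins from non-CCR stations. The record layout, the threshold of five, the 90-day reading of "three months", the report date and the station naming convention are assumptions.

```python
"""Login-event monitoring for a PCS.

Added example, not part of SAES-Z-001. Works over constructed login records
(date and time, user account, station, success flag) to implement the checks
of 10.9.3.2 (consecutive failures, notify only), 10.9.3.4 (stale accounts)
and 10.3.5 (console accounts valid only on their console). Threshold, idle
period, report date and station naming are assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5                 # "preset number" of 10.9.3.2, assumed
STALE_AFTER = timedelta(days=90)     # three months, assumed as 90 days
CCR_STATION_PREFIX = "CCR-"          # assumed naming of CCR console workstations
REPORT_DATE = datetime(2009, 10, 24) # assumed date the stale-account report is run

# Constructed sample records: (timestamp, user account, station, success)
SAMPLE_EVENTS = [
    ("2009-06-15 09:00:00", "rjones",    "ENG-WS-03",  True),
    ("2009-10-01 06:58:00", "CONSOLE01", "CCR-OPS-01", True),
    ("2009-10-01 07:05:12", "jsmith",    "ENG-WS-02",  False),
    ("2009-10-01 07:05:40", "jsmith",    "ENG-WS-02",  False),
    ("2009-10-01 07:06:03", "jsmith",    "ENG-WS-02",  False),
    ("2009-10-01 07:06:31", "jsmith",    "ENG-WS-02",  False),
    ("2009-10-01 07:07:02", "jsmith",    "ENG-WS-02",  False),
    ("2009-10-01 07:07:35", "jsmith",    "ENG-WS-02",  False),
    ("2009-10-01 07:08:10", "jsmith",    "ENG-WS-02",  True),
    ("2009-10-01 08:00:00", "aali",      "ENG-WS-01",  False),
    ("2009-10-01 08:00:20", "aali",      "ENG-WS-01",  False),
    ("2009-10-01 08:00:45", "aali",      "ENG-WS-01",  True),
    ("2009-10-02 13:30:00", "CONSOLE01", "ENG-WS-02",  True),
]
ACCOUNTS = ["CONSOLE01", "aali", "jsmith", "mkhan", "rjones"]   # constructed account list


def parse(rows):
    """Turn the raw tuples into (datetime, user, station, success), oldest first."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), u, s, ok) for t, u, s, ok in rows)


def consecutive_failures(events, threshold=FAILED_THRESHOLD):
    """Accounts whose run of failed logins exceeded the threshold, with the run
    length and the station of the last failure. A success resets the run; the
    account itself is never disabled here (10.9.3.3)."""
    run = defaultdict(int)
    exceeded = {}
    for _, user, station, ok in events:
        if ok:
            run[user] = 0
            continue
        run[user] += 1
        if run[user] > threshold:
            exceeded[user] = (run[user], station)
    return exceeded


def stale_accounts(accounts, events, as_of, max_idle=STALE_AFTER):
    """Accounts with no successful login within max_idle before as_of (10.9.3.4).
    Accounts that never logged in at all are reported as stale as well."""
    last_ok = {}
    for ts, user, _, ok in events:          # events are oldest first, so the last write wins
        if ok:
            last_ok[user] = ts
    return sorted(a for a in accounts if a not in last_ok or as_of - last_ok[a] > max_idle)


def console_account_misuse(events, prefix=CCR_STATION_PREFIX):
    """Shared console accounts logging in from stations outside the CCR (10.3.5)."""
    return [(ts, u, s) for ts, u, s, ok in events
            if ok and u.startswith("CONSOLE") and not s.startswith(prefix)]


EVENTS = parse(SAMPLE_EVENTS)
```

Run against the sample, the failure check reports only jsmith (six consecutive failures before a success), the stale report lists mkhan (never logged in) and rjones (last login in June), and the console check flags the CONSOLE01 login from an engineering workstation. The output of `consecutive_failures` is what feeds the administrator notification of 10.9.3.2; the decision to disable an account stays with the administrator, as 10.9.3.4 requires.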
10.9.4  System Recovery Planning

10.9.4.1  Procedures for incremental and complete Backup and
Restore of Process Control systems and data shall be
documented for each system at a particular location.

10.9.4.2  Control Systems shall be configured to automatically
back up the control database, system configuration, and other
vital information to hard drive at a minimum of once per
week.

10.9.4.3  The system shall be configured to maintain a minimum of
two sets of complete backup and recovery data for each
workstation, server and/or controller connected to the PCS
on off-line storage media.

11  Process Control & Equipment Protection

11.1  Regulatory Control Implementation

11.1.1  Execution rates for control algorithms shall be set as per the table
below unless otherwise specified in the project FSD.

    Application or Loop Type      Execution Rate (seconds)   Range (seconds)
    Flow or Pressure (gas)        0.5                        0.1 - 1.0
    Flow or Pressure (liquid)     1.0                        0.25 - 2.0
    Temperature (inline)          2.0                        1.0 - 5.0
    Temperature (vessel)          5.0                        2.0 - 30.0
    Level                         5.0                        2.0 - 30.0
    Discrete Input or Output      1.0                        0.5 - 2.0

11.1.2  Consideration must be taken during design that the I/O scan rate is at
least as fast as the required control algorithm execution rate.

11.1.3  Control loops shall be configured for bumpless transfer between
manual, automatic, cascade and "computer" modes. Bumpless transfer
shall be defined as less than 0.5% deviation when the transfer occurs.

11.1.4  Tracking - Control loops shall be configured to set the output of the
controller equal to the downstream value during the initialization
process. If the downstream value is an output to the field, the initial
output of the controller will equal the position of the field device. For
cascade controllers, the output of the primary controller shall equal the
setpoint of the secondary controller.

11.1.5  Output - Output modules with failsafe functionality shall be configured
to safely shut down affected process equipment.

11.1.6  Composite tag - Where possible, multiple inputs and outputs for a
single device, such as a pump or MOV, shall be combined into a single
tag ID. Operation of the device shall be through this single tag ID.

11.2  FOUNDATION Fieldbus Implementation
For systems based on FOUNDATION Fieldbus (FF), design and
configuration of the Fieldbus portion of the system shall be as per SAES-J-904.

11.3  Advanced Control Implementation

11.3.1  Advanced control shall be implemented in a hardware platform that is
supported as a standard offering by each individual supplier.

11.3.2  Advanced control loops shall be of a supervisory nature and provide
the set-points for regulatory control loops. Direct output to the output
modules shall be by exception and clearly documented.

11.3.3  Startup and shutdown of the advanced control algorithms, whether by
hardware failure or via operator command, shall be bumpless to the
process.

11.3.4  If a critical input to an advanced control strategy or algorithm is out of
service, the strategy shall be automatically 'turned off', control
shall revert automatically to regulatory control, and the operator shall be
notified.

11.3.5  Graphical displays shall be provided for operators to monitor and
manipulate advanced control strategies and/or algorithms. Where
feasible, these displays shall be accessible through the operator's
normal DCS workstation.

11.3.6  Provide the following operator functions:
Operator shall be able to acknowledge the APC alarms from the
DCS station.
Operator shall be able to bypass non-critical APC control variables
from his station.
Where an economic objective function is used, it shall be possible to
change all economic parameters on-line.
11.3.7  Alarms shall be provided from the advanced process controller when it
or its sub-controllers are turned off for any reason.

11.3.8  Graphical displays shall be provided for the operator to allow/disallow
the advanced process controller to write to the DCS, SCADA or PLC
systems.

11.3.9  Graphical displays shall be provided for the operator to change the
limits of any process variables permitted.

11.4  Sequential Control
If a DCS is selected, and the sequence control is process related, it is preferred
to be implemented in a process controller inside the DCS. If a PLC is selected,
it shall be integrated as part of the PCS.

11.5  Equipment Protection
11.5.1  Equipment protection can be implemented either in the DCS, SCADA
or the ESD layer, or other auxiliary systems such as RMPS and CCS as
specified by the FSD in each project.

11.5.2  Saudi Aramco Engineering Standard SAES-J-601, 'Emergency
Shutdown and Isolation Systems', defines requirements for Equipment
protection when implemented in an Emergency Shutdown System.

11.5.3  Input, Output and Startup Bypasses

11.5.3.1  All inputs to shutdown logic shall have an input bypass
switch to facilitate maintenance and testing. Bypass
switches shall be software configured using a mechanism to
restrict access to activation or de-activation of the bypass.

11.5.3.2  Bypass commands sent from the DCS to external shutdown
systems shall be configured as pulsed outputs to the
external system. Active bypass commands shall not be
maintained in a non-zero state across the interface to the
external system. Suitable logic shall be implemented inside
the external system to latch and unlatch the bypass
command.

11.5.3.3  Status indication on the primary operator graphic shall be
visible whenever an input bypass is activated.

11.5.3.4  De-activation of an input bypass shall initiate a momentary
alarm at the primary operator workstation.

11.5.3.5  Activation and de-activation of an input bypass shall be
recorded in an operator event log with time & date, tag ID
and station from which the activation occurred.

11.5.3.6  Startup bypass systems shall be configured for devices
which would prevent the normal startup of plant equipment,
e.g., minimum flow, level, pressure or temperature
interlocks. Startup bypasses shall be reset either by an
operator or a computer program.

11.5.3.7  Logic for ESD input or startup bypass switches, and
associated functionality (e.g., annunciation and event
logging), shall be shown on separate logic or function block
drawings, but not on P&IDs.
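The pulsed interface of 11.5.3.2 is a deliberate design choice: if the DCS, or the link to it, fails or is tampered with, a held-high bypass command could leave a trip defeated, whereas a one-scan pulse leaves the latched state entirely inside the shutdown system. The following is an added example for this page, not code from the standard or from any DCS or ESD vendor. It models both sides of that interface together with the access restriction of 11.5.3.1, the momentary alarm of 11.5.3.4 and the event log of 11.5.3.5. The role names, tag names and event record layout are assumptions.

```python
"""Pulsed bypass interface between a DCS and an external shutdown system.

Added example, not part of SAES-Z-001 or of any vendor's logic. Models
11.5.3.1 (access restriction), 11.5.3.2 (one-scan pulse, latch held in the
external system), 11.5.3.3 (status indication), 11.5.3.4 (momentary alarm on
de-activation) and 11.5.3.5 (event log with time, tag ID and station). Role
names, tag names and the event record layout are assumptions.
"""

AUTHORIZED_ROLES = {"Supervisor", "Engineer", "PCS Administrator"}  # assumed


class ExternalShutdownSystem:
    """The ESD/PLC side. Bypass state lives here and survives loss of the DCS
    link; it never depends on the DCS holding the command high (11.5.3.2)."""

    def __init__(self, tags):
        self.bypassed = {tag: False for tag in tags}
        self.alarms = []                      # momentary alarms raised (11.5.3.4)

    def receive_pulse(self, tag, command):
        """Latch or unlatch on a one-scan pulse; command is 'SET' or 'CLEAR'."""
        if command == "SET":
            self.bypassed[tag] = True
        elif command == "CLEAR":
            if self.bypassed[tag]:
                self.alarms.append(("BYPASS_REMOVED", tag))
            self.bypassed[tag] = False
        else:
            raise ValueError("unknown bypass command: %r" % command)


class DCSBypassInterface:
    """The DCS side: access check, pulsed output, operator event log."""

    def __init__(self, external):
        self.external = external
        self.outputs = {}                     # tag -> current value of the pulsed output
        self.event_log = []                   # (time, tag, event, user, station)

    def end_of_scan(self):
        """Every pulsed output returns to zero at the end of the scan, so no
        active bypass command is ever held non-zero across the interface."""
        for tag in self.outputs:
            self.outputs[tag] = 0

    def request(self, tag, activate, user, role, station, timestamp):
        """Operator request to activate (True) or de-activate (False) a bypass.
        Returns True if the pulse was sent; denied requests are logged as well."""
        if role not in AUTHORIZED_ROLES:             # 11.5.3.1 access restriction
            self.event_log.append((timestamp, tag, "BYPASS_DENIED", user, station))
            return False
        self.outputs[tag] = 1                        # pulse high for this scan only
        self.external.receive_pulse(tag, "SET" if activate else "CLEAR")
        self.event_log.append((timestamp, tag, "BYPASS_ON" if activate else "BYPASS_OFF",
                               user, station))       # 11.5.3.5 event record
        self.end_of_scan()
        return True

    def bypass_indications(self):
        """Tags to flag on the primary operator graphic (11.5.3.3)."""
        return sorted(tag for tag, state in self.external.bypassed.items() if state)
```

After a successful request the DCS output is already back at zero while the external system still reports the tag bypassed; that is the property to test on the real interface, by forcing the DCS output low and confirming the bypass remains latched until an explicit clear pulse arrives. The momentary alarm appears only on de-activation, which is what 11.5.3.4 asks for.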

12  Consoles, Workstations and Control Networks

12.1  General
12.1.1  Consoles, including panel and CRT mounting structures, shall be
equipped with tabletop work surfaces.

12.1.2  Where required, telecommunication equipment (e.g., telephones, plant
paging system, PA system) and emergency shutdown buttons shall be
incorporated in a separate bay within the same console furniture.
Shutdown pull-buttons shall comply with the section titled "Input
Devices" of SAES-J-601.

12.1.3  Each workstation shall have access to a printer, which could be
networked within the PCS network.

12.1.4  Printers shall be free standing, or tables shall be provided. Printers that
utilize fanfold paper shall be equipped with pedestals (noise absorption
enclosures) with paper stackers.

12.2  Operator Consoles
12.2.1  Each station in the operator console shall have access to networked
printer(s) for alarm logging, reporting and graphical printing.

12.2.2  Consoles that are manned on a continuous basis shall have access to a
networked graphics printer for making hard copies of active displays.

12.2.3  Each Operator Console shall be equipped with a minimum of two
workstations. (See Section 7.2)

12.3  Engineering Workstation
12.3.1  Engineering consoles shall consist of a minimum of one workstation.

12.3.2  Each engineering workstation shall have access to a networked printer.

12.3.3  Each engineering workstation shall be capable of performing all
operator workstation functions.

13  Operator Graphical Displays

This section defines graphical displays primarily used by process operators to control
and obtain information via the operator workstation.

13.1  General Operator Graphics Requirements

13.1.1  All graphics shall include the following information in standard
locations:
a)  Title
b)  Date and time
c)  Display name

13.1.2  Colors
The following guidelines on color usage shall be applied unless they
violate the standard conventions designed into the system.

a)  Bright colors shall be used to convey key information such as
process and control information.
b)  Subdued (low intensity) colors shall be used for process vessels,
process lines, and equipment labels.
c)  Data representation of a specific type (alphanumeric, symbolic,
etc.) shall be displayed with the same color sets for specific
conditions on all graphic displays.

13.1.3  Process and Control Lines
a)  Process lines shall be drawn either horizontally or vertically.
b)  Process line crossovers shall be minimized. Line breaks shall be
used to indicate that crossing lines do not join. Main process
lines for each graphic shall be bold, with secondary lines being of
finer width.
13.2  Design Philosophy
13.2.1  Operator displays shall use only standard features provided by the
selected product.

13.2.2  When designing operator displays, a consistent approach shall be used
for the appearance (look-and-feel) and functionality. Avoid using
highly animated objects that may inadvertently divert the operator from
important process information.

13.2.3  The design approach shall include a standardized approach for the entire
process plant:
Layout - line sizes, equipment representation, orientation, fonts,
titles, etc.
Data representation - process values and alarms
Color choices - process lines, control lines, process equipment,
titles, etc.
Display access and navigation
How options are chosen via switches
How control strategies are commissioned and de-commissioned
How status pairs are defined (on/off, open/closed, start/stop, etc.)
Control modes (manual/auto/computer etc.), either by color or by a
small text next to the controller
Data validity (invalid, out-of-range, unknown status), either by
color or by a small text next to the controller

13.2.4  Wherever possible and practical, library elements, e.g., controller
faceplate template, shall be used when assigning elements to a graphic.
The template approach is preferred to ensure consistency between
elements on graphics. Individual elements within a library element
should be configured using agreed conventions. For example, if the
background color of a process value indication in a controller element
is specified to be flashing red for an unacknowledged alarm condition,
solid red for an acknowledged alarm condition, and flashing background
color for unacknowledged return-to-normal alarms, this behavior
should be specified in a display convention file and the element linked
to the display convention. This approach is preferred to ensure
consistency between elements on a graphic and to facilitate graphic
maintenance in the future.

13.3  Display Navigation
13.3.1  Operators shall be able to easily access specific displays and graphics
by pressing dedicated function keys, selecting from a list of displays in
directories and menus, or by typing display or graphic names.

13.3.2  Display navigation shall be configured such that it is possible to move
between related displays and graphics of different detail levels or of the
same detail level with a maximum of two operator actions.

13.3.3  Any graphic display shall be accessible via no more than three operator
actions.

13.3.4  All process graphics shall include a "Previous Display" button or
capability which will call up the previous process graphic when
selected.

13.3.5  When a graphic element has an associated primary control display,
e.g., a PID faceplate for a controller, the graphic shall have a target that
immediately calls up the associated control display when selected.

13.3.6  Graphics shall be designed to facilitate easy call-up of trend displays
for individual tags from the primary process graphic. This may be
accomplished by adding a trend button to the individual control display
which is called up when the element is selected on the process graphic.

13.3.7  When using a windows environment, consideration must be given to
preventing the Operator from opening too many windows and potentially
masking important process information.

13.4  Control Functions
13.4.1  On systems where the dynamic update time of the operator displays
can be configured, they shall be configured for updating at least once
every two seconds.

13.4.2  For remote data acquisition, updating shall be within one second of the
actual event being received at the central station.

13.4.3  The operator shall be able to perform all the basic monitoring and
control functions from graphic displays or control faceplates. These
functions shall include, but not be limited to, changing process
variables, setpoints, switching control modes, manually driving
outputs, or initiating maintenance bypasses for input points.

13.5  Control Strategies
13.5.1  Control strategy information shall be displayed in such a way that the
operator can determine what is being controlled, which control
strategies are in service, which are out of service, and which are
constrained or limited in some way.

13.5.2  Control strategy information shown on process displays shall be
dynamic, reflecting the actual current state of the strategy.

13.5.3  The operator shall be able to manipulate the state of the control
strategy from the control graphics.

13.5.4  Controller modes shall be indicated on the primary operating display.

13.5.5  Where alternate control paths exist for advanced process controls, the
graphical interconnecting line representation shall change to show the
current control path.

13.6  Control Faceplate Displays

13.6.1  Control faceplates shall show dynamic process and status information
about a function block or tag and shall permit an operator to change
required parameter values associated with the function block.

13.6.2  Faceplates shall display the following information as applicable:
Tag ID
Tag Descriptor
Process input, setpoint, and output values displayed numerically
with engineering units.
Process input, setpoint, and output in bar or graphical
representation.
Control Mode (auto/manual) and setpoint status (remote/local).
Visual indication of setpoint and output high and low limits.
Symbolic and alphanumeric indication of discrete states both for
two-state devices and multi-state devices.
For signal selectors, all available process inputs with visual
indication of which input is selected and the selection method (i.e.,
High / Low / Median).
Visual indication of alarm status, acknowledgeable on a point-by-point basis.

13.6.3  The following actions shall be possible from each Faceplate as
applicable:
Change control block mode.
Change setpoint and other operator-settable parameters.
Issue commands to multi-state devices.
Adjust outputs in manual mode.

13.6.4  Faceplates shall be constructed from templates. The layout and
operational characteristics of the individual faceplates shall be
inherited from the template such that each faceplate constructed from
the template will have the same look and operational characteristics as
the template.

14  Alarms and Messages

14.1  General
14.1.1  Configuration of Alarms and Messages shall follow the guidelines
listed in Saudi Aramco Engineering Report SAER-5895 to provide
consistency and avoid configuration of unnecessary alarms. Priority
shall be established by severity of consequence and time to respond for
each process variable, rather than a blanket policy such as setting
alarms on all analog inputs at 80%.

14.1.2  Alarms and messages shall be configured to perform the following:
a)  To draw the operator's attention to abnormal conditions within
his area of responsibility, both in the process (process alarms)
under his control and in the control system equipment (system
alarms).
b)  To provide information to facilitate the operator's rapid
understanding of the abnormal condition.
c)  To provide rapid access to the tools needed by the operator to
perform corrective action.
d)  To provide a comprehensive historical record, accessible to the
operator and other plant personnel, of the information needed to
assess such abnormal conditions.
e)  To prompt the operator or process engineer for feedback when
approval for automated action or selection from among options is
required.
f)  To give operators and other users the ability to enter messages
useful to other operators and users.
14.1.3  Alarms and messages shall be categorized as follows:
a)  Process alarms & messages
b)  System alarms & messages
c)  Operator action messages
d)  Engineer action messages

14.2  Process and System Alarms

Any alarm used shall be informative and demand an operator action. Automatic
alarm suppression shall be used to minimize nuisance alarms based on logic
actions and/or events.

14.2.1  General
14.2.1.1  Process and System alarms shall include both audible and
visual annunciation.

14.2.1.2  PCS modules shall provide identical alarm options.

14.2.2  Alarm Categories and Level Designations

14.2.2.1  Three alarm categories are required as a minimum:
a)  PROCESS: abnormal condition that requires
immediate operator action.
b)  ESD: for notification that an automatic ESD trip
action has taken place.
c)  SAFETY: reserved for safety-related alarms such as
H2S, combustible and fire alarms.

14.2.2.2  Four alarm levels shall be used as a minimum:
HH   high high
H    high
L    low
LL   low low

These levels may be used in association with any category.
However, HH and LL in general indicate an automatic
shutdown response or imminent shutdown condition.
The "pre-alarms" shall be designated H (High) or L (Low).

14.2.2.3  All automatic trip setpoints or limits shall be pre-alarmed in
the PCS, including auxiliary systems, regulatory controls,
and ESD loops.

14.2.3  Visible Alarm Indication

14.2.3.1  Blinking Feature - Blinking shall be reserved for
unacknowledged alarm situations only. Blinking shall
cease when the alarm is acknowledged.

14.2.3.2  Alarms - Alarms shall be invisible on the operator graphics,
appearing only while an alarm is active.

14.2.3.3  All alarms shall be displayed with a small red square or
rectangle with its background flashing. Blinking shall
cease when the alarm is acknowledged. The color-coded
background shall remain while the alarm is active.

14.2.3.4  Alarms shall be visually displayed and annunciated
(blinking when unacknowledged) only on the workstation
configured for those alarms.

14.2.3.5  A "Process Alarm Summary" display showing all active
process alarms assigned to the workstation shall be
provided. Accessing this alarm summary display from any
other display shall require no more than one operator
action. Alarms shall be grouped on this display to allow the
operator to readily identify and respond to alarms and
abnormal conditions in his area of responsibility (e.g.,
sorted by priority, time).

14.2.3.6  A "System Alarm Summary" display showing all active
system alarms shall be provided. Accessing this alarm
summary display from any other display shall require no
more than one operator action.

14.2.3.7  Each alarm indication shall be shown on one of the two
alarm summary displays and on another display which
conveys the significance of that alarm in relation to the
process or to the control system. The alarm indication on
this display shall be positioned and grouped, if necessary, to
clearly identify the exact nature of the abnormal condition
causing the alarm.

14.2.3.8  There shall be an indication of the overall process alarm
status of the operator area assigned to each workstation
regardless of which display is in use.

14.2.4  Audible Alarm Indication

14.2.4.1  Distinct audible tones shall be used to distinguish between
the three required alarm categories, i.e., PROCESS, ESD
and SAFETY.

14.2.4.2  A different audible tone shall be used to indicate system
alarms.

14.2.4.3  Audible tone frequencies shall be between 500 Hz and
3000 Hz to ensure that alarms are heard by operators who
might have relatively poor hearing.

14.2.4.4  Audible tone decibel levels shall be loud enough to be
heard over normal control room background noise, but not
so loud as to cause annoyance or discomfort to personnel.
For these reasons, audible alarms should be approximately
25 to 30 dB above the normal "background" noise level.

14.2.4.5  A variable, "warbling" tone shall be considered to help
recognize priorities, especially for the highest priorities.

14.2.4.6  The audible alarm signal for an operator console shall
continue until either:
a)  a "horn silence" is initiated at the operator console, or
b)  an active alarm is "selected" (on either the alarm
summary or other displays).

14.2.4.7  Silencing the horn shall not constitute alarm
acknowledgment.

14.2.5  Alarm Printing
Printing of alarms at the time of the alarm or event shall be decided on
a per-project basis. Capabilities shall be provided on all systems to
produce a report of alarms and events during user-defined time periods
and to print out the resulting report.

14.2.6  Alarm Acknowledgment
14.2.6.1  Alarms may be acknowledged only at consoles configured
for those alarms.

14.2.6.2  It shall be possible for an operator to acknowledge any
alarm configured at a workstation by no more than two
actions.

14.2.6.3  An alarm shall be acknowledgeable only if it is shown on
an active display.

14.2.7  First-Out
First-out alarms shall be used to pinpoint the origin of an automatic
equipment trip.

14.2.8  Nuisance and Inhibited Alarms

14.2.8.1  Nuisance alarms may be caused by a monitored process
variable continuously going into and out of alarm. This
situation shall be minimized by setting appropriate alarm
limits and alarm dead bands.

14.2.8.2  Nuisance alarms may be caused when a process is in a
shutdown or out-of-service condition for an extended
period. Alarm inhibition on a group basis shall be provided
for use in such situations.

14.2.8.3  A list of inhibited alarms shall be provided and available for
both display and printing. Other system processing
functions, e.g., data acquisition, control and logging, shall
continue for inhibited alarms.
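A dead band (14.2.8.1) only works if the clearing threshold is on the far side of the limit from the setting threshold, and an inhibited alarm (14.2.8.2, 14.2.8.3) must keep being evaluated even though it is not annunciated; both are easy to get wrong in configuration. The following is an added example for this page, not code from the standard or from any PCS product. It evaluates the HH/H/L/LL levels of 14.2.2.2 with a dead band, keeps the blinking state that 14.2.3.1 reserves for unacknowledged alarms, and supports group inhibition with the inhibited-alarm list of 14.2.8.3. Tag names, limits and the dead band value are constructed.

```python
"""Alarm limit evaluation with dead band, inhibition and acknowledgment.

Added example, not part of SAES-Z-001. Evaluates the HH/H/L/LL levels of
14.2.2.2 with a dead band (14.2.8.1), keeps the unacknowledged/blinking
state of 14.2.3.1, and supports group inhibition that suppresses
annunciation while processing continues (14.2.8.2, 14.2.8.3). Tag names,
limits and the dead band value are constructed.
"""


class AnalogAlarm:
    """Four-level alarm on one analog tag."""

    def __init__(self, tag, hh, h, l, ll, deadband):
        self.tag = tag
        self.limits = {"HH": hh, "H": h, "L": l, "LL": ll}
        self.deadband = deadband
        self.active = set()       # levels currently in alarm
        self.unacked = set()      # levels still blinking (14.2.3.1)
        self.inhibited = False    # group inhibit flag (14.2.8.2)

    def update(self, value):
        """Evaluate one sample and return the levels that became active.
        A high-side level sets at value >= limit and clears only below
        limit - deadband; the low side mirrors that, so a value hovering at
        the limit cannot chatter."""
        newly = set()
        for level in ("HH", "H"):
            limit = self.limits[level]
            if level not in self.active and value >= limit:
                self.active.add(level)
                newly.add(level)
            elif level in self.active and value < limit - self.deadband:
                self.active.discard(level)
        for level in ("L", "LL"):
            limit = self.limits[level]
            if level not in self.active and value <= limit:
                self.active.add(level)
                newly.add(level)
            elif level in self.active and value > limit + self.deadband:
                self.active.discard(level)
        if not self.inhibited:        # processing continues; annunciation does not (14.2.8.3)
            self.unacked |= newly
        return newly

    def acknowledge(self):
        """Stop blinking; the alarm stays active until the value clears (14.2.3.3)."""
        self.unacked.clear()

    def blinking(self):
        return bool(self.unacked)


def inhibit_group(alarms, tags, inhibit=True):
    """Inhibit (or re-enable) a group of tags, e.g. a unit that is shut down."""
    for tag in tags:
        alarms[tag].inhibited = inhibit


def inhibited_list(alarms):
    """The list of inhibited alarms that 14.2.8.3 requires for display and printing."""
    return sorted(tag for tag, alarm in alarms.items() if alarm.inhibited)
```

With H at 80 and a dead band of 2, a value of 79 after the alarm has set leaves it active; only a drop below 78 clears it. While the tag is inhibited, `update` still tracks which levels are active, so a group that is re-enabled after a shutdown shows the correct state immediately.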

14.2.9  The following PCS system alarms and messages shall be implemented
as a minimum:
a)  Failed modules,
b)  Communication errors,
c)  Power supply failures,
d)  Cabinet fan failure,
e)  Cabinet high temperature, smoke or incipient fire detection,
f)  Diagnostic error detections and messages.

14.3  Process and System Messages

14.3.1  Process Messages
Process messages consist of normal process events that need not be
brought to the immediate attention of the operator, although they are
significant enough to be logged in history files (e.g., "Dehydrator bed
regeneration cycle completed").

14.3.2  System Messages
System messages consist of normal system events that need not be
brought to the immediate attention of the operator, although they are
significant enough to be logged in history files (e.g., "Self-diagnostics
program XYZ completed. No errors found").

14.4

Logging of Operation and Engineering Actions


14.4.1

A log shall be available for tracking operation and engineering actions


or changes. Actions shall be further divided into "Operation" or
"Engineering". Optionally this log should track user name, time of
change and an abbreviated text of the change.
Items in the following shall be configured at different security levels
depending on the operating organization's established procedures.

14.4.2 Operation actions include normal operator actions that are to be logged in history files, including:
a) Change made to the mode of a controller,
b) Change made to the setpoint of a controller,
c) Change made to the output of a controller,
d) Responses to operator prompts,
e) Toggle of an alarm between inhibit and enable,
f) Change made to alarm limit,
g) Activating a soft-bypass of an ESD point accessed via the PCS.

14.4.3 Engineer actions consist of normal engineer actions that are to be logged in history files, including:
a) Change made to tuning parameters,
b) Download or modification of tag or module configuration,
c) Modification to software used by the PCS,
d) Forcing member of a redundant pair on or off primary status,
e) Placing devices on-line or off-line,
f) Placing a tag on-scan or off-scan,
g) Responses to engineer prompts.
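As an added example (not part of SAES-Z-001 or of any vendor's PCS), the following Python sketch implements the 14.4 log: each 14.4.2 / 14.4.3 action is classified as "Operation" or "Engineering", recorded with user name, time and abbreviated text, and checked against a per-action security level. The level numbers, the high-consequence set, the user names and the tag names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Action -> (category, minimum security level).  Action names follow the
# 14.4.2 and 14.4.3 lists; the level numbers are assumed for illustration.
ACTIONS = {
    "controller_mode":       ("Operation", 1),
    "controller_setpoint":   ("Operation", 1),
    "controller_output":     ("Operation", 1),
    "operator_prompt":       ("Operation", 1),
    "alarm_inhibit_toggle":  ("Operation", 2),
    "alarm_limit":           ("Operation", 2),
    "esd_soft_bypass":       ("Operation", 3),
    "tuning_parameters":     ("Engineering", 3),
    "config_download":       ("Engineering", 3),
    "software_change":       ("Engineering", 4),
    "redundancy_force":      ("Engineering", 3),
    "device_online_offline": ("Engineering", 3),
    "tag_scan_toggle":       ("Engineering", 3),
    "engineer_prompt":       ("Engineering", 3),
}
# Actions a reviewer should always look at (assumed set, not from the standard).
HIGH_CONSEQUENCE = {"esd_soft_bypass", "alarm_inhibit_toggle", "software_change"}


@dataclass(frozen=True)
class LogEntry:
    time: datetime
    user: str
    category: str    # "Operation" or "Engineering"
    action: str
    text: str        # abbreviated text of the change
    accepted: bool   # False when refused for insufficient security level


class ActionLog:
    def __init__(self):
        self.entries = []

    def record(self, user, level, action, text, when=None):
        """Log the attempt and return True if the user's level permits it.
        Refused attempts are logged as well so that they show up in review."""
        category, required = ACTIONS[action]   # unknown action -> KeyError
        accepted = level >= required
        when = when or datetime.now(timezone.utc)
        self.entries.append(LogEntry(when, user, category, action, text[:60], accepted))
        return accepted

    def by_category(self, category):
        return [e for e in self.entries if e.category == category]

    def review(self):
        """Refused attempts plus high-consequence actions, for shift review."""
        return [e for e in self.entries if not e.accepted or e.action in HIGH_CONSEQUENCE]
```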

14.5 Operation and Engineering Prompts


14.5.1 Operator Prompts

14.5.1.1 Operator prompts include operator guidance messages which require a response. These may be provided by smart alarming techniques or be part of a semi-automatic sequence where each step requires operator approval before it is initiated (e.g., "Compressor K101 on minimum recycle. Proceed with compressor loading step?").

14.5.1.2 Audible annunciation shall be provided, typically with the tone of "PROCESS" priority level.

14.5.1.3 The operator prompt message shall also serve as the visual indication.

14.5.1.4 No password or key is required for this message.

14.5.2 Engineer Prompts

14.5.2.1 Engineer prompts include guidance messages which require a response from a user performing control system functions.

14.5.2.2 The prompt message shall also serve as the visual indication.

15 History

15.1 On-line History

15.1.1 All PCS configuration parameters, including tag data, workstation configurations and controller module configurations, shall be stored on redundant on-line media.

15.1.2 On-line historical data shall be stored for access via history trends, displayed listings, and printed listings.

15.1.3 The collection rates, longevity, and scope for historical data are to be specified on a per project basis. The minimum allowable collection rates and longevity are listed in the following table:

Point type     Sampling Rate   Retention Time
Temperature    10 sec          4 days
Analytical     10 sec          4 days
Level          10 sec          4 days
Flow           4 sec           4 days
Pressure       4 sec           4 days
Discrete       4 sec           1 day

Circular files on a FIFO basis shall be implemented such that the latest records are retained when buffer or list overflow occurs.
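An added example, not from the standard, of sizing a FIFO circular history file from the table above and retaining the latest records when it overflows; the in-memory deque and the sample values are constructed for illustration.

```python
from collections import deque

# (sampling interval in seconds, retention in days) per point type, from 15.1.3
HISTORY_MINIMUMS = {
    "Temperature": (10, 4),
    "Analytical":  (10, 4),
    "Level":       (10, 4),
    "Flow":        (4, 4),
    "Pressure":    (4, 4),
    "Discrete":    (4, 1),
}


def required_samples(point_type):
    """Records needed to hold the minimum retention at the minimum sampling rate."""
    interval, days = HISTORY_MINIMUMS[point_type]
    return days * 24 * 3600 // interval


class CircularHistory:
    """FIFO history file for one point.  When the file is full, the oldest
    record is discarded so that the latest records are always retained."""

    def __init__(self, point_type, capacity=None):
        self.interval, _ = HISTORY_MINIMUMS[point_type]
        self.capacity = capacity or required_samples(point_type)
        self._records = deque(maxlen=self.capacity)   # deque drops the oldest itself
        self.dropped = 0                               # count of overflow discards

    def append(self, timestamp, value):
        if len(self._records) == self._records.maxlen:
            self.dropped += 1
        self._records.append((timestamp, value))

    def oldest(self):
        return self._records[0]

    def latest(self, n):
        return list(self._records)[-n:]

    def covers_seconds(self):
        """Time span retained, assuming records arrive at the sampling interval."""
        return (len(self._records) - 1) * self.interval if self._records else 0

    def meets_minimum(self, point_type):
        """True when the configured capacity covers the 15.1.3 minimum retention."""
        return self.capacity >= required_samples(point_type)
```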
15.2 Real-Time Performance Management (RTPM)

15.2.1 Utilities shall be implemented to facilitate gathering, analysis, distribution and visualization of data through RTPM. This implemented capability shall allow the recall of the data to enable the use of all historical data analysis functions.

15.2.2 A method shall be provided to transfer and retrieve historical records from RTPM.

16 Integration & Interface

16.1 General Interface Requirement


16.1.1 Interfaces between the PCS and associated subsystems or auxiliary systems shall use standard hardware and software devices which are compliant with an industry standard protocol, or a proprietary protocol which is offered as a standard product by both the control system vendor and the subsystem vendor.

16.1.2 Redundant communication interfaces shall be supplied for:
a) Emergency Shutdown Systems,
b) Subsystems where loss of communication will result in the significant degradation of control functions.

16.1.3 Where redundant communications are specified, no single component failure shall result in the loss of communication to any subsystem.

16.2 Time Synchronization

16.2.1 Time clocks for all stations which are part of the PCS shall be synchronized to 100 milliseconds or better.

16.2.2 Time synchronization using GPS and a networked time server which supports Simple Network Time Protocol (SNTP) is the preferred method for synchronization of all servers connected to the PCS.

16.2.3 Synchronization shall be performed at a minimum of once every 24 hours.
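An added example (not from the standard or from any time-server product) that computes a station's clock offset from the four timestamps of one SNTP request/response exchange and checks the result against 16.2.1 (100 ms) and 16.2.3 (resync within 24 hours); the station names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_OFFSET_S = 0.100                      # 16.2.1: synchronized to 100 ms or better
MAX_SYNC_INTERVAL = timedelta(hours=24)   # 16.2.3: at least once every 24 hours


def sntp_offset(t1, t2, t3, t4):
    """Offset of the station clock relative to the time server, in seconds.
    t1: station transmit, t2: server receive, t3: server transmit,
    t4: station receive (the standard SNTP/NTP offset formula)."""
    return ((t2 - t1) + (t3 - t4)) / 2


def sntp_delay(t1, t2, t3, t4):
    """Round-trip delay excluding the server's processing time."""
    return (t4 - t1) - (t3 - t2)


def check_station(name, offset_s, last_sync, now):
    """Findings for one station; an empty list means it complies with 16.2."""
    findings = []
    if abs(offset_s) > MAX_OFFSET_S:
        findings.append(f"{name}: clock offset {offset_s * 1000:.0f} ms exceeds 100 ms")
    if now - last_sync > MAX_SYNC_INTERVAL:
        findings.append(f"{name}: last synchronization {now - last_sync} ago exceeds 24 h")
    return findings


def audit(stations, now):
    """stations: iterable of (name, (t1, t2, t3, t4), last_sync datetime).
    Returns the combined findings for all stations."""
    report = []
    for name, ts, last_sync in stations:
        report.extend(check_station(name, sntp_offset(*ts), last_sync, now))
    return report


if __name__ == "__main__":
    now = datetime(2009, 10, 24, 12, 0, tzinfo=timezone.utc)   # constructed
    ok_exchange = (1000.000, 1000.020, 1000.021, 1000.040)       # constructed
    for line in audit([("HIS-01", ok_exchange, now - timedelta(hours=1))], now):
        print(line)
```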

16.3 Interface to ESD Systems

16.3.1 Emergency Shutdown Systems, interfaces, bypasses, shutdown and reset functions shall be engineered per Saudi Aramco Engineering Standard SAES-J-601 requirements. Segregation of the ESD from the PCS is required.

16.3.2 The interface to ESD systems shall meet the following:
a) Communications between DCS and ESD systems for real-time process data and operator commands shall be via dedicated, redundant communications paths. The DCS shall NOT communicate real-time process data or operator commands to more than one ESD system over the same communications path.
b) "First out" ESD event status, if available, shall be passed via the communications link from the ESD logic solver to the PCS.

16.4 Interface to Corporate Networks

All interfaces between Process Control Systems and the Corporate Network shall be through a dedicated firewall which provides both physical and logical separation. Installation and configuration of connectivity between Process Control Systems and Corporate Networks shall be in accordance with Saudi Aramco Engineering Standard SAES-Z-010 (see section 10.8).

17 Units of Measurement

The allowable units of measurement are specified in SAES-J-003 under the section titled "Measurement Units" and shall apply.

18 Wiring and Power Supply


18.1 Electrical Wiring

18.1.1 Electrical and wiring up to but excluding vendors' standard cabinets shall be designed in accordance with Saudi Aramco Engineering Standard SAES-J-902.

18.1.2 Marshaling cabinets shall be designed in accordance with Saudi Aramco specification 34-SAMSS-318.

18.2 Power Supply

18.2.1 Two separate, independent electric circuits shall be supplied to power redundant modules. If a simplex UPS is provided, one of the feeds to the system's redundant power modules shall be supplied from a raw 120V power feed.

18.2.2 Power supply circuits shall be clearly labeled. Branch circuits or power cords to redundant modules shall be clearly labeled, identifying the circuit that they are connected to.

18.2.3 Redundant internal power supply modules shall be provided for the following:
a) Process controllers
b) Input and output modules
c) Communication modules

18.2.4 Redundant power supply modules shall be provided for critical field instruments as specified in the section titled "Redundant UPS Systems" in SAES-J-902.

18.3 Power Distribution within DCS Cabinets


18.3.1 Power supplies which feed multiple chassis or baseplates shall have their outputs wired to a power distribution panel within the cabinet.

Commentary Note
The term "power distribution panel" in the above requirement and subsequent requirements of this section refers to a collection of DIN-rail mounted circuit breakers and/or fused terminal blocks, terminal blocks and wiring used to distribute power to multiple loads from a single source.

18.3.2 Branch circuits from power supplies shall be individually fused or protected by a circuit breaker.

18.3.3 Terminal blocks in the power distribution panel shall be segregated by voltage level.

18.3.4 Power distribution terminal block wiring shall not be daisy-chained using wires or crimp connectors. Jumper bars or preformed jumper combs designed for the specific terminal blocks being used are acceptable methods of distributing power supply wiring.

18.3.5 Wiring, terminal blocks, wire tagging and terminal block coding within the power distribution panel shall be as per the requirements defined in the relevant sections of 34-SAMSS-318.

18.4 Power Supply and Distribution to DCS Consoles and Workstations


18.4.1 DCS workstations shall be fed from UPS power sources. This requirement applies to the processor, monitor, and other peripheral devices associated with the workstation.

18.4.2 For redundant workstations within an operator console, it is acceptable to supply power to the workstations using either of the configurations described below:
a) Each workstation shall be fed from a single UPS power circuit, provided that each workstation is fed from a separate UPS power source.
b) Each workstation shall be fed from two separate power circuits utilizing a power switching device to maintain continuous power on loss of a single circuit. One of these circuits shall be fed from a UPS power source and the other may be fed from utility power.

18.4.3 Workstations which are not supplied in a redundant configuration shall be powered as described above in 18.3.2.b.

18.4.4 Commercially available multiple outlet power strips (e.g., Tripp-Lite model UL24CB-15 or similar) may be used to distribute power to multiple components of a workstation (i.e., processor, monitor, and associated peripheral devices) provided that each power strip feeds equipment associated with a single workstation. The power strip must have an integral circuit breaker and switch and must carry either a UL listing, CSA certification, or CE marking.

18.5 Utility Power

18.5.1 One duplex-type convenience outlet, rated at 120 VAC, 15 amp, shall be provided within each cabinet for utility power. Convenience outlets shall be wired to a separate terminal strip which in turn is sourced from a non-UPS AC distribution panel.

18.5.2 Two duplex-type convenience outlets, rated at 120 VAC, 15 amp, shall be provided within each console for utility power. Convenience outlets shall be wired to a separate terminal strip which in turn is sourced from a non-UPS AC distribution panel. The outlets shall be placed on opposite sides of the console to enhance availability.

18.6 Control Network Cabling

18.6.1 Process Control Network cabling installed indoors shall be placed in ladder, trough or solid bottom cable trays as per SAES-J-902.

18.6.2 Redundant network cables installed indoors shall not be installed in the same cable tray.

18.6.3 Installation of fiber optic process control network cabling shall be in accordance with Saudi Aramco Engineering Standard SAES-Z-020, Design and Installation of Fiber Optic Cable-Systems for Process Control Networks.

18.7 Grounding

18.7.1 Grounding design shall be per vendor standard recommendations and per the applicable sections of SAES-J-902, whichever is more stringent.

18.7.2 Any conflicts in grounding design shall be resolved per the provisions of section 2.2.

19 Environmental Conditions

19.1 Air-Conditioned Buildings

19.1.1 Equipment installed in air-conditioned buildings shall be designed for:
a) Ambient temperature range: 10°C to 35°C
b) Ambient relative humidity: 20% to 80%.

19.1.2 Heat dissipation calculations shall be submitted for any cabinet that houses power supplies, PCs or other heat generating components. The calculations shall show that the components installed inside the cabinet will not be exposed to a temperature above their temperature rating. An ambient temperature outside the cabinet of 25°C shall be used for the calculations.

19.1.3 Cabinets requiring heat dissipation shall comply with the requirements of 34-SAMSS-318 section 6.3.

19.2 Outdoor Environment

19.2.1 All equipment specified for outdoor installation shall be designed to meet the following outdoor environmental conditions:
a) Ambient temperature range:
   Outdoor Sheltered   = 0°C to 55°C (1)(2)
   Outdoor Unsheltered = 0°C to 65°C (2)(3)
b) Ambient relative humidity: 5% to 95% non-condensing.

Commentary Notes:
1) "Sheltered" refers to permanent, ventilated enclosures or buildings, or permanently fixed sunshades with a top and three sides.
2) For equipment which dissipates internal heat and is installed in custom engineered enclosures (e.g., enclosures not included in the original manufacturer's temperature certification), an additional 15°C shall be added to the above maximum temperatures. For example, in the "outdoor unsheltered" case, the equipment shall be designed for a maximum operating temperature of 65 + 15 = 80°C.
3) For outdoor installations only, the designer can take credit for forced or passive cooling to eliminate or reduce the 15°C heat rise. For example, if vortex coolers are used, the heat removal capacity of the coolers may be subtracted from the generated heat. No more than a 15°C reduction in temperature will be given as credit. The designer shall substantiate the claim by providing the supporting data and calculations.

19.2.2 All equipment specified for outdoor installation shall be compliant with the following contaminant levels:
19.2.2.1 Dust Concentration
Usual airborne dust concentration is 1 mg/m³. During sandstorms, dust concentrations may reach 500 mg/m³. Particle sizes are as follows:
95% of all particles are less than 20 micrometers.
50% of all particles are less than 1.5 micrometers.

19.2.2.2 Elements present in dust include compounds of calcium, silicon, magnesium, aluminum, potassium, chlorides and sodium. When wetted (high humidity conditions) these compounds function as electrolytes and can result in severe corrosion.

19.2.2.3 Other pollutants present in the atmosphere under the most extreme conditions are:

H2S           20 ppm (vol/vol)
Hydrocarbon   150 ppm (vol/vol)
SO2           10 ppm (vol/vol)
CO            100 ppm (vol/vol)
NOx           5 ppm (vol/vol)
O3            1 ppm (vol/vol)

19.2.3 Equipment which is not enclosed or hermetically sealed, but is situated outdoors offshore or outdoors near-shore, shall be protected against corrosion and operational failure due to wind-borne sea water spray and the accumulation of wetted salt (sodium chloride).
Near-shore is defined as within one kilometer from the shoreline of the Arabian Gulf, all of the Ras Tanura refinery and terminal, or within three kilometers from the shoreline of the Red Sea.

20 Control Rooms

Control room design shall be per SAES-J-801.

21 Documentation

Comprehensive documentation shall be provided as listed below to ensure that the PCS is engineered and configured in a consistent manner. It also ensures that a PCS project is executed properly, that operating personnel are provided with accurate drawings and manuals, and that maintenance personnel will be able to troubleshoot and repair the PCS post installation.
SAEP-16 identifies the minimum documentation requirements and guidelines for PCS systems; for other systems not covered by SAEP-16, the following are required:
21.1 Standard vendor manuals and catalogs shall be provided on CD-ROM or other electronic media. Formats are to be PDF or Microsoft Word.

21.2 Instrument and configuration databases in Microsoft Excel, Access or Intools.

21.3 Three complete copies of all final project documentation shall be submitted in electronic format on CD-ROM or DVD.

Revision Summary
16 April 2007      Major revision.
24 October 2009    Editorial revision to replace Standards Committee Chairman.