Like One person likes this.

ICEweb has nearly 100 Control, Instrumentation, Fire

& Gas, Safety Instrumented Systems core pages and a
total of more than 300 pages - It Really is Cool
Engineering - By Engineers for Engineers it must be
just about the World's first choice for Technical
Information.

Whilst every effort is made to ensure technical accuracy of the information supplied on iceweb.com.au, Keyfleet Pty Ltd
and its employees accept no liability for any loss or damage caused by error or omission from the data supplied. Users
should make and rely on their own independent inquiries. By accessing the site users accept this condition. Should you note
any error/omission or an article offends please do not ignore it, contact the webmaster and we will review, rectify and
remove as necessary.

Get seen by the people who use your products!

THIS SPACE
can be yours

To the ICEWeb user: following is a paper which I produced a number of years ago which is still very
relevant today. I have edited a few references to make it more up to date. If you are undertaking a project
and follow the guidelines contained within it your job will, in my opinion, stand a greater chance of being
a success. Finally I am very interested in your opinion of my site, please feedback so that I can improve it!
Jim Russell

Distributed Control and Programmable Electronic Safety Systems

for a Large Offshore Oil and Gas Platform
Abstract: The Paper Describes the various aspects of the selection, design, standards and problems associated with Process
Control and Electronic Safety systems for a large offshore oil and gas platform.

It has been written essentially in an educational vain and the principles addressed can assist personnel involved in the
specification, design and maintenance of programmable electronic control systems as used in Process or Safety related
Applications.

Included are lists and typical examples of the documents which require to be produced, applicable standards which are of use and
details of a very advanced hierarchical shutdown system.

INTRODUCTION: The design of the Control systems for a large offshore platform is a complex task in that there are many
constraints associated with it. These vary from the equipment density, when figures in the order of $80,000 per square metre of
platform real estate are quoted there is little wonder at this, weight - severe weight restrictions being in place because the modules
must be capable of being lifted, restrictions on the UPS supply available, space and most importantly the hazardous nature of the
product.

The Programmable Electronic Control and Safety Systems must be Specified and designed to exacting standards. This is essential
in that these systems are responsible for the control of the facility and also the safeguarding of platform personnel and a major oil
company strategic asset worth $billions!

Platforms are generally built up of units which are called modules and within these are situated the various items of plant. These
items of plant vary from Reinjection Compressors to Pressure Vessels and are generally purchased as discrete packages.

Whilst the package controls are generally 'stand alone' they do need to interface with the Platform Control System and this is
achieved by Serial Links for loops of a non critical nature and hard wiring for critical circuits. Also it is necessary to interface
these packages with the platform Programmable Electronic Safety System, both these areas are difficult to supervise as there are so
many vendors and subvendors involved.

Once the Control systems have been determined conceptually the associated interfaces with the Onshore base and /or other
platforms need to be finalised. The Control/ Monitoring being made available to these facilities by means of Telemetry.
The Modules although being located within a very small area lend themselves to Distributed Control in that they may well be
fabricated in different locations and by utilising the advantages of a distributed approach can be precommissioned on a 'Standalone
basis'.

Of course if the platform has been designed on the single lift 'integrated deck' basis then the control systems are generally centrally
located. There are however still advantages in the distributed approach since should an 'event' occur the adjacent module controls
continue to report and operate.

There are generally FOUR totally discrete Control systems utilised on Major offshore platforms that should be considered, these
being:-

a. The PROCESS CONTROL SYSTEM (PCS) - Utilised for the process control of the platform.

b. The PROCESS AND EMERGENCY SHUTDOWN SYSTEM (PSD/ESD) - Responsible for the safe shutdown of the
process and utilities in the event of a Process Fault or Fire/Gas detection.

c. The FIRE AND GAS SYSTEM (F&G) - This system with its associated sensors detects fire or gas and initiates
appropriate fire protection systems ie., Deluge, CO2 or Halon release. It alerts personnel to the location of the event and
automatically operates the platform status lights/ audible warning. The appropriate signals to the PSD/ESD system for
controlled shutdown of the plant are also initiated.

d. The DRILLING CONTROL SYSTEM - Provides the Control and Safety Interlocks for the drilling operation. This
system is outside the scope of this paper.

The PSD/ESD and F&G system are sometimes called a COMBINED SAFETY SYSTEM and are generally purchased from the
same supplier even though the systems are functionally totally independent of each other. There are advantages in this approach in
that wherever possible similar hardware is utilised and the interface is clearly defined. Owing to the criticality of the intersystem
signals they are generally hardwired and are backed up by serial communication links.

THE CENTRAL CONTROL ROOM

Control of an offshore Platform revolves around the Central Control Room, this room is the most important in any Offshore
facility since it is the location of the Human Interface.

Operations staff must be capable to effectively and in a well ordered manner control the facility under both normal and 'extreme
stress' conditions. This is why in ALL installations an ERGONOMIC STUDY should be undertaken. A study of this nature
provides the guidelines for the design of the Control Room, detailing such items as console layout, keyboard height, lighting
requirements, functionality, communications, room colours, operator chair type, VDU graphics colours and alarm priority. Of
course consideration should be given to Console noise and the location of printers.

When considering printers it is worthwhile to consider ink jet or laser units in the specifications since one day the DCS suppliers
may wake up to the office technology which is currently available.

The Controls Engineer has to be prepared to spill blood, have fits, ulcers and tear his hair out over this room, Architects will try to
dictate requirements, EVERYONE will say too much space has been allocated and opinionated engineering will rule if one is not
careful. It is essential that Operations are involved, after all they have to work in the room and if IGNORED they will ensure that
even the best CCR does not suit them! What must be stressed is MAINTAIN THE SPACE requirement, too little space will result
in a poor operating environment for operators.

The use of large graphic backwall displays which utilise video projectors is slowly becoming a feature in control rooms, some
regard this as a gimmick' but this is just not so. The displays are a very useful tool for replacing the 'old' mimic and also serve for
demonstration, documentation and training purposes.

A useful reference document associated with ergonomics is ISA RP60.3-1985 'Human Engineering for Control Centres'.

SYSTEM SELECTION

It is essential that the RIGHT SYSTEM is selected. In the selection there are three distinct phases these being:-

a. PREQUALIFICATION

b. SELECTION

c. IMPLEMENTATION

PREQUALIFICATION
The prequalification is best carried out by utilising a technical questionnaire, this really sorts out the best systems and suppliers
with eventual selection being restricted to perhaps three to four bidders from a field of 12 to 15.

The prequalification is a very important document and should for expediency be of a database format, as each supplier answers the
same questions it is then possible to easily compare the answers. From this document it can be determined whether there are
technical, engineering or support problems with the various systems.

The questionnaire highlights any failings with the system, engineering or support and by utilising this method a equitable
prequalification can be made.

SELECTION

Once the prequalification is complete then the initial functional specification and associated invitation to bid has to be prepared.
These documents are then sent out to the suggested MAXIMUM of four bidders and work begins for the poor unfortunates who
have to put it all together.

What must be remembered by the Company requesting bids is that they are not cheap to produce and if it is their intent to go to
sole tender then they should not waste suppliers time or money, they certainly would not like something similar happening to
them!

The bid documents submitted by the vendors should initially be superficially technically reviewed, the idea of this is to
immediately identify a non compliant bid. Generally if there has been a good prequalification all bids will be of a high standard
technically.

Concurrently with the Technical Bid Evaluation there should be a Commercial review by A CONTROLS ENGINEER IN
ASSOCIATION with the purchasing department.

Finally the bid clarification meetings take place, costs are finalised and a supplier is selected.

IMPLEMENTATION

At this stage you have to find out if you have selected the correct supplier, this you do by partitioning the purchase order into two
sections, these being 'IMPLEMENTATION SPECIFICATION' and 'DESIGN AND CONSTRUCT'. The supplier must 'pass the
test' of implementation (sometimes called preliminary design) where hopefully 90% of the problems can be identified at an early
stage.

The Implementation spec also sets down the ground rules and provides a basis on which to engineer and build the system.
Particular emphasis should be placed on planning and ensuring that the supplier is fully conversant with what is required and how
the system is to be configured. The actual configuration being completed at a later stage during detail design. During this period
data which is required by other sections in the platform design team must be supplied, these include layout and footprint, heat
dissipation, weights and availability MTBF.

Suppliers generally under estimate the work to be done in the implementation specification phase, it is hard work involving long
hours but if done correctly can save both money and schedule delays in the long run.

THE SYSTEMS

For normal operation the Process Control system is utilised. This system is DISTRIBUTED with OUTSTATIONS in FIELD
EQUIPMENT ROOMS (FER) in each module. Each outstation is stand alone and in the event of a communication failure (a pretty
remote possibility in that the communication links are duplicated and routed differently) the control actions associated with it still
operate.

Also 'critical signals' are hardwired to provide increased reliability.

RELIABILITY and AVAILABILITY are of course paramount with any failure possibly costing $millions. Reliability and
Availability of a system is enhanced by the use of 'REDUNDANT CONTROL' in the form of DUAL Multifunction Controllers
and automatic transfer of I/O in the event of failure. Availability figures in the order of 97% for the Process Control System and
99.99% for the Combined Safety System are generally required.

CABLES, WIRING AND DUCTING

Fire retardant/ fire resistant cables, wiring and ducting which has low toxic and low smoke emission properties should be included
in the functional design specification. Utilising Materials which have these properties has several advantages including the
elimination of Halon systems along with the associated environmental problems.

FIELD EQUIPMENT
Electrical equipment selected for use on an offshore oil and gas platform is usually protected against igniting any hazardous
atmosphere by some means. This is generally intrinsic safety for the instrumentation and other means for high/medium voltage
electrical equipment ie.,Exd Exe etc. Special care should be taken to ensure that the interfaces to the PCS or CSS are compatible
with the input/ output devices and that 'ohms law' is addressed ie., calculations are done to ensure that there is sufficient available
voltage at the transmitters.

Smart 'Analogue' Transmitters are being used increasingly on platforms. It is very important to ensure that the requirements are
included in the functional design specification since when the 'communication mode' is selected it is possible that the interface at
the PCS or CSS may not be compatible and spurious control or shutdown actions occur.

INTERFACES

It is necessary to have extensive interfaces with the Motor Control System, these are achieved by use of 'System Cables'. System
Cables are preformed and utilise plug and socket arrangements. This method of connection is also used for interconnection
between the Marshalling and System Cabinets. It is a very efficient means of connection in that (a) module yard terminations are
minimised and (b) the system cables can be coiled into the marshalling cabinets for transport.

THE DISTRIBUTED APPROACH

The advantage of the distributed approach is apparent in that every I/O point can be checked in the module yard thus minimising
costly offshore commissioning.

Even if the CCR is in another module simple PC interfaces are used to test that each and every I/O point associated with the
module outstation is operating satisfactory. Thus when the system network is finally connected together one can be confident that
the system is operable.

SERIAL LINKS

Where there are packages then serial links can be used to great effect. On a large platform these may well be numerous, perhaps 15
to 20 and they are very economic in transferring information without hardwiring each I/O point.

Engineers should however be WARY in that many suppliers have a simplistic view of them and the statements 'EASY' 'A PIECE
OF CAKE' 'WE CAN IMPLEMENT ANY SIGNAL YOU REQUIRE' are common place. We all know that this is not true. It is
very easy to state that a serial link is the PANACEA of the Control Signal world but realities do dictate that there is more to it than
that.

It is however quite possible to achieve a fully operational link at an early stage by testing hardware against hardware and protocol
against protocol.

The best method of achieving the desired results is to (a) Purchase an interface to your PCS which can be readily connected with
the serial links to be tested, (b) ensure that the interface is totally portable in that it can be readily transported to your package
supplier's location and finally (c) terminate and test 'EARLY' against the appropriate equipment, producing a serial link
specification as you glean the information from the various suppliers. By taking this approach the majority of surprises can be
avoided.

Of course the dreaded 'MURPHY'S LAW' cannot always be catered for and may ultimately confound even the most rationally
thinking engineer.

It is very important to remember that the signals coming from packages via serial links will have link delays associated with them
and in order to get firstup alarming special programming of the PLC may be necessary. Also link speed is critical for accurate
event recording on the system.

SPECIAL APPLICATIONS

Offshore platforms today are utilising latest technology to the fullest to achieve the implementation of special applications, typical
of these are as follows:-

WELLFLOW: Other than some experimental systems there are at present no proven way for measuring two phase flow from
each well. With this special application flow through the individual wellheads is inferred by comparing three massflow
calculations for gas,oil and water, averaging and correcting them. The first calculation utilises the tubing head pressures and the
test separator results for the well in question and computes the resultant inferred flow.

Using this method it is proven that accuracies of around + or - 2% will be achieved.

MASSFLOW: Some platforms are now utilising the Process Control systems for the calculations of Massflow, however in general
this is not so as 'Flow Computers' of a 'standalone' nature continue to be used in that they are tried and proven, incorporate self
testing features such as pulse integrity and finally use proven algorithms that are readily accepted by the authorities monitoring the
fiscal metering.

CHOKE CONTROL: The choke valves control the flow from each wellhead and the control associated with these devices is
becoming increasingly complex. The chokes must have the capability to be stroked individually and also together with other
chokes, of course this has to be achieved without causing any major process upsets.

The control normally operates in the following way, the operator selects the choke in question and keys in the opening percentage
required. The choke then opens rapidly through what is known as the 'erosion zone' (normally 0 to 25%) which is a zone of
operation where rapid wear occurs on the valve. If the operator has selected less than this value the PCS will not allow the action
to take place and will advise the operator by way of a help message.

When the valve has been manually positioned then the operator will put the choke into 'cascade'. At this point the chokes in
automatic are pulsed sequentially until the desired setpoint is reached. The operator also has the ability to 'bias' any of the chokes
so that 'optimisation' of the various wells is achieved.

Should the platform have a Reinjection Compressor it is important to consider the effects of control and shutdown of that unit.
This is a very complex subject which requires a Dynamic Stability Study to be performed in order to ensure safe and effective
control under these conditions.

RED TAGGING: Modern PCS have the ability to 'redtag' or electronically lockout items of equipment.

Red tagging systems now being implemented ensure that the operator is aware of any item of equipment or plant area which is
subject to a permit by ensuring that the permit system is tied in with the PCS and that the permit is actually issued by the PCS via
the operator responsible.

Of course the maintenance man still has the ultimate responsibility to also physically lock out the unit and complete appropriate
documentation ie., site permits.

ENERGY MANAGEMENT: On an offshore platform Energy Management Systems are used, usually if there are no generation
problems then there is sufficient power for all users however when generation capacity is down or drilling activities are in place it
is essential that priority of users is defined. These systems are with the technology available being incorporated into the platform
PCS system. The system allocates priorities both on startup and shutdown of electrical plant.

ALARM PRIORITY: Process Control Systems have Intelligent alarm systems and these facilities are extensively used on
offshore platforms. All alarms are prioritised into priority (Bright RED), normal (MAGENTA) and information (YELLOW) with
different alarm tones and frequencies for the various priorities.

Operators are very often subjected to INFORMATION OVERLOAD when confronted with poor alarm management. Priority
alarms should direct the operator what to do by effective use of message lists. Also less important alarms should not cloud the
operators decision by causing confusion.

Packages on shutdown should alarm only the first two or three alarms the remaining alarms being suppressed. Of course the
graphics reflect all alarm states.

Considerable time and effort should be devoted to this subject of alarm priorities as it is crucial to effective operation of any
facility.

ELECTRONIC MANUALS: Office technology has started to make inroads into the offshore environment. Instead of the hard
copy manuals which when you really want them are either not available, pages are missing and have scrawlings all over them one
can now call up the manual via a video disc system. It is then possible to look, take a copy if necessary and finally include edit
comments. These edit comments are not immediately included in the text original but are placed into a special comment column.
The process superintendent then has the final choice whether to include the comment in the next manual update.

PCS DESIGN DOCUMENTS

It is worthwhile considering the extensive use of a database system in the production of the design documents which are to be used
as input documentation by the system supplier. Most of the major DCS suppliers use Microsoft Access or Excel programs for the
configuration of their database. For instance I/O schedules and Message Lists can be read straight from the disk into the system
thus saving time and eventually schedule.

The generation of 'base graphics' MUST be configured by the operating company since a supplier just does not have the
experience to produce graphics which accurately reflect the process. It is not simply a job of 'copying' the P&IDs. The most
effective way of configuring these base graphics which the supplier enhances is to use the supplier configuration package, thus
having the ability to transfer the data to the supplier database easily.

It is also a great idea to use a Database for creation of the Instrument Index , Cable data Sheets, I/O schedules, Message Lists and
Motor Schedules as data can then be effectively transferred from one database to another. This does have the added advantage in
that errors are minimised once one database has been checked. Mind you if adequate checking does not occur then the problem
will be multiplied.

The following input documents should be produced for issue to the PCS supplier. Some operators consider that it is more effective
for the PCS suppliers to create some of these documents but that is just not so in that they just CANNOT have adequate experience
to provide a comprehensive enough package.

(1) I/O SCHEDULES - this is the base document around which configuration revolves, information contained within it should
include tag number, whether it is an Intrinsically safe or Non I.S. loop, digital or analogue, range, units, critical or non critical
loop, report input and alarming priority.

Typical PCS I/O schedule fields are detailed in attachment 1.

(2) FUNCTIONAL LOGIC DIAGRAMS - these are the base documents which the supplier uses for motor and sequence
control. They are usually drawn utilising logic blocks around the logic symbols which are identified in AS 1102.9 - 'Graphical
Symbols for Electrotechnology - Part 9 Binary Logic Elements'.

(3) MESSAGE LISTS - these lists are the base document which are used for the generation of reports, alarm and special
messages.

They are usually configured using a database format which the supplier can easily transfer to his own database.

Typical PCS Message List fields are detailed in attachment 2.

(4) BASIC GRAPHICS - the rudimentary graphics which are initially passed to the operating company OPERATIONS GROUP
for comment and then used by the supplier as the base graphic background which the supplier then enhances.

(5) CABLE DATA SHEETS - these sheets are used rather like termination diagrams where normal termination diagrams do not
exist.

(6) MOTOR SCHEDULE - this document details the requirements needed by the energy management system ie priority of
tripping.

(7) TERMINATION DRAWINGS - details of all incoming terminations and cables.

(8) FUNCTIONAL DESIGN SPECIFICATION - This document specifies the functional and technical requirements of the
system. It should be comprehensive and miss nothing. 'Slimline' specifications DO NOT work and leave the customer wide open
for variations.

THE 'TAIL END CHARLIE SYNDROME'

It has always been the case that the Controls/ Instrumentation design could not be finalised until the piping design has been
completed because the instrument locations are unable to be adequately determined. This of course is true if total accuracy is
required, however, if you have a schedule problem there is a method of achieving 90% accuracy at a very early stage, picking up
the remaining 10 % at a later time.

This method utilises the base vessel layout and allocates instrument positions on a 'best guess' basis (usually they are very close to
the final position) and 'driving' package vendor terminations at edge of skid. The suppliers we have found are not adverse to this
approach as it does do a fair bit of design for them.

THE 'LOST' TAGS

It is always a problem as to just where you pick up internal system tags and tags which do not appear on the P&IDs. A convenient
method of picking up these tags is to use a document called a Instrument Line Diagram. The ILD is essentially a point list and can
be in diagrammatic or data format.

This document however must be treated with great care in that it can become a monster if you are not careful. Keep it as simple as
possible, utilise it by all means as a tool for creating 'temporary P&IDs' when package P&IDs are not available but ensure that the
tagging system used does not cause problems later.

CHECKING

It is absolutely essential that all documents produced are cross checked, to not check is false economy as eventually the supplier
will pick up errors and it takes significantly more effort at that time to rectify them. Considerable cost overruns can result from
poor cross checking.

THE COMBINED SAFETY SYSTEM

As mentioned previously the CSS is made up of two very distinct sections these being the Process/ Emergency Shutdown Systems
and the Fire and Gas System.

The individual system and marshalling racks are segregated into PSD/ESD and F&G outstations within the Field Equipment
Rooms.

Typical Combined Safety systems are generally duplex (2 processors) or triplex (3 processors). The reason for this is self
explanatory as it would be impossible to achieve the desired levels of reliability or availability with a single processor. The
difference between Duplex and Triplex processors is a subject which is outside the scope of this paper.

Generally the system is designed in accordance with the requirements of API RP14C "Recommended Practice for Analysis,
Design, Installation and testing of Basic Surface Safety Systems for offshore Production Platforms" and the UK Health and Safety
Executive document "Programmable Electronic Systems in Safety Related Applications" which has a number of check sheets.
These are very useful indeed when adapted to suit your particular application.

These documents should be read extensively to ensure that requirements are met.

Other useful reference documents are "Defences against common mode failures in redundancy systems" which has been published
by the U.K Safety and Reliability Directorate and also the UK Dept of Energy publication "Guidance notes for Emergency
Shutdown Systems".

IEC 61508 Programmable Electronic safety Systems in draft.

Further references can be found in the "Useful References" section at the end of this paper.

Many Applications use standard PLCs for safety related services, these units are not suitable for this role as they do not have
adequate diagnostics and also being very user friendly are too easily reconfigured by unqualified personnel.

DESIGN DOCUMENTS

The CSS utilises several documents to develop the necessary logic these being:-

PLATFORM SHUTDOWN PHILOSOPHY - this is the most important document associated with the Combined safety System
in that it lays down the philosophy applicable to it. In this document are listed the hierarchical shutdowns. One must not lose sight
of the fact that although the system has the ability to implement very critical shutdown features it also implements less critical unit
and process Shutdowns.

In offshore platforms the usual stages of shutdown are as follows:-

a. UNIT SHUTDOWN - this, the lowest level of shutdown, causes the individual units to stop.

b. PROCESS TRAIN SHUTDOWN - an individual Process Train will shutdown on occurrence of any applicable trip.

c. PROCESS SHUTDOWN - on this occurrence the complete process stops but utilities remain running, in effect it is a
process 'stop' with NO BLOWDOWN in order to facilitate a easier startup on rectification of the problem.

d. EMERGENCY SHUTDOWN - This action results generally from fire or Gas being sensed on the platform, obviously a
fire in the Galley or in a room in the accommodation does not cause a ESD but more serious events in the Process,
Wellhead or other critical areas will result in an ESD. An ESD is actually a Process Shutdown with Blowdown and
isolation of the platform trunkline. The blowdown results in flaring of the gas component of the platform inventory whilst
the liquid component is maintained within the various process vessels. When co-incident fire detection in the process or
wellhead areas occurs one of the two strategically placed firepumps start and deluge occurs automatically.

On some platforms main power is shutdown and the emergency generator starts when an ESD occurs whilst on
others main power is maintained by the generators switching to Diesel except when there is fire in a critical area
such as the wellheads. This approach is advocated in that maintaining lighting ensures that at night the firefighting
crew can see what they are doing.

e. TOTAL PLATFORM SHUTDOWN - This shutdown hopefully will never require operation during the life of the platform
since it usually is the result of abandonment. There are generally only two or three TPSD pushbuttons which are under the
control of the Platform Operations Manager. The result of this action is total blackout of the platform including isolation of
batteries except for some navaids which continue to run. The intent of this shutdown is to maintain some battery power for
when the 'black start team' reboard the platform.

Other documents used in the development of the CSS configuration are as follows:-

I/O SCHEDULES - these detail the fundamental configuration such as tag number, IS or NIS, alarm limits, analogue ranges etc.
PSD/ESD CAUSE AND EFFECTS - these documents which are based on the Process Cause and Effects are used by the CSS
supplier as the basis for the logic. The usual appearance of them is to have the cause on the lefthand side with the effect at the top
with a 'X' matrix, however it is becoming more standard to also include logic symbols on the drawing.

A typical cause and effect is detailed in Attachment 3.

FIRE AND GAS CAUSE AND EFFECTS - These documents are similar to the PSD/ESD C&E described above except that
they do not have logic symbols incorporated (matrix only).

The logic is developed by the vendor based on the above documentation on the CSS CONFIGURATION PACKAGE. This
package is deliberately separate from the executive software of the system since it is very important that software previously
developed is not corrupted in any way. After completion the software is tested extensively before being included in the overall
software package. Great emphasis is placed on ensuring that the executive software cannot be accessed by unauthorised personnel
and once the system is operational the configuration package is usually located onshore.

MESSAGE LISTS/CABLE DATA SHEETS/ TERMINATION DRAWINGS - As previously described for PCS.

When designing and specifying a CSS it is important to remember that it does have a fundamental common mode failure point this
being of course the software. It is all very well to have duplicated and triplicated hardware but if there is a common software bug
just what can be done to overcome the problem. Well the answer is that the requirements of API RP14C should be followed in that
there should be a primary and secondary safety system. Usually the primary being the electronic system and the secondary, safety
relief valves.

Where there is no possible alternative to having a single electronic system then it is absolutely imperative that DUAL sets of
software are used which have been written by DIFFERENT personnel. Having to use this route has great disadvantages in that it is
very complex, extremely costly and difficult to maintain. The RULE is therefore - devise some form of secondary system.

PLANNING

Planning is a very critical component of any PCS/CSS design since if the planning is inadequate then schedule and cost overruns
will result. Generally PCS and CSS systems are the longest lead time items and are therefore are on the critical path for platform
design.

It is essential that in the early stages of design that a manufacturing plan is submitted by the Control Systems supplier. This
ensures that the fabrication, fitout and wiring schedule is maintained.

It is recommended therefore that considerable effort is included in the suppliers scope for the provision of bargraphs and
precedence networks, this effort must also be 'mirrored' by the consultant in the checking and verification of adherence to the plan.

FACTORY ACCEPTANCE TESTING

After the supplier has completed his own factory testing the consultant/operator should conduct a very comprehensive test. These
tests should include at a minimum the following:-

a. HEAT SOAK TEST - this test should run over a period of a recommended 200 hours and cycled between ambient and a
upper value applicable to the maximum supplier specification.

b. POWER VARIATION TEST - this test should vary the input power between the lower and upper voltage and frequency
values as specified by the supplier.

c. 100% I/O TEST - Every I/O point should be checked for complete operation I/O card to Controller to Graphics thence onto
alarms etc.

d. SPECIAL APPLICATIONS, GLOBAL AND PROCESS UNIT FUNCTION TESTS-Extensive testing of all special
applications and all process/ global system functions.

e. FULL LOAD STRESS TEST - In order to ensure that the communications are adequate a full load stress test is
recommended. This test involves the switching and manipulation of large amounts of data to load the communications link
to ensure that it will operate under high stress conditions and not 'lock up'.

f. RETEST - Any modifications post FAT should be comprehensively tested.

CONCLUSION

There are many 'traps' to be avoided when involved in the selection, design, manufacture and testing of any Control System.
Hopefully by utilising some of the suggestions, methods and references suggested in this paper some of these may be overcome.
USEFUL REFERENCES AND RELEVANT STANDARDS:

Petroleum Submerged Lands Acts (PSLA) Specific Requirements as to Offshore Petroleum Exploration and Production -1985

API RP14C 'Recommended Practice for Analysis, Design, Installation and Testing of Basic Surface Safety Systems for Offshore
Production Platforms'

API RP14G 'Fire Prevention and Control on Open Type Offshore Production Platforms'.

AS 1211 'Reliability of Electronic Equipment and Components' - Parts 1,2 and 3.

AS 1670 'Automatic Fire Detection and alarm Systems, System Design, Installation and Commissioning'.

AS 3563-1988 'Software Quality Management System'.

IEC SC65A ' Software and Hardware for Computers in the application of Industrial Safety Related Systems'.

ISA RP60.3 - 1985 'Human Engineering for Control Centres'

ISA RP55-1 'Hardware Testing of Digital Process Computers'

MIL-HDBK-217E 'Reliability Prediction of Electronic Equipment'.

UK Health and Safety Executive 'Programmable Electronic Systems in Safety Related Applications'.

UK Safety and Reliability Directorate ' Defences against Common mode Failures in redundancy systems'

UK Safety and Reliability Directorate 'Reduction of Human Error in Process Operation'.

UK Department of Energy "Guidance notes for Emergency Shutdown Systems'

J.A.(Jim) Russell I.ENG MIICA is at present Lead Controls Engineer with Davy McKee McDermott who are contracted by
Woodside Offshore Petroleum to complete the topsides design of the Goodwyn 'A' Platform which is to be installed on the
Northwest Shelf. Jim's design responsibilities include the Platform Process Control and Combined Safety Systems and
Instrumentation and Control associated with packages. He has been associated with Instrumentation and Control for his whole
working life having previously worked with ESSO Fawley UK, Impala Platinum South Africa, British Gas, Worley Engineering
(Design of North Rankin A) and West Australian Petroleum.

[Top]

Manufacturers and Suppliers

Your company could be included in this list - for more information

see ICEWEB charges !!
This site is still under development, the information will be dramatically expanded when the core of the site is constructed. We
welcome contributions from individuals/corporations however it must be highlighted that the technical information is posted on a
non commercial basis and thus commercial references are not permitted. ICEWEB reserves the right to edit any information
submitted. We will publish an acknowledgment eg., "Information courtesy of ACME instruments". A link from this may also be
purchased at a low cost.

Note: Whilst every effort is made to ensure accuracy of the technical information ICEWEB does not take responsibility for any errors contained therein. Should
you notice an error please do not just ignore it, let the webmaster know so that we can rectify the situation.

© copyright ICEWEB 1998

SPONSOR- THIS COULD BE YOUR COMPANY!!

Missing Plug-in