RUWAIS LNG PROJECT
Specification For Integrated Control & Safety System
COMPANY DOCUMENT REF. RLNG-000-IC-SP-0101
CONTRACTOR DOC. REF.
215122C-000-JSS-1510-0001
REVISION: 1A
PAGE 1 OF 228
ADNOC GAS
COMPANY Contract No.: 4700022871
JV TJN RUWAIS Contract No.: 215122C
Document Class: Class 2
Document Category (for Class 1): NA
OPERATING CENTER Contract No. OPERATING CENTER Doc Ref.
Revision history (Rev., Revision Purpose, Date, Prepared by, Checked by, Approved by):
Rev. 1A: IFC - Issued for Construction, 09-Apr-2025. Prepared by A.Jatiningasih; checked by K. Michineau, M. Joshi, R. Ikeya, R. Biju; approved by S. Deilles, F. Kiyoshi.
Rev. 1: IFC - Issued for Construction, 30-Oct-2024. Prepared by A.Jatiningasih; checked by K. Michineau, M. Joshi, R. Ikeya, R. Biju; approved by S. Deilles, F. Kiyoshi.
Rev. 0: ICR - Issued for Client Review, 28-Jun-2024. Prepared by A.Jatiningasih; checked by K. Michineau, M. Joshi, R. Ikeya, R. Biju; approved by S. Deilles, F. Kiyoshi.
The terms of Contract / Agreement No: CON22-146 shall apply for any disclosure of this document to any third party.
Table of Contents
Contents … Page
1.0 INTRODUCTION … 4
1.1 Scope of the Document … 4
1.2 Scope … 5
1.2.1 Scope of Supply … 5
1.2.2 Scope of Services … 6
1.3 Holds List … 7
1.4 References … 7
1.4.1 Project Specifications … 7
1.4.2 COMPANY Standards … 8
1.4.3 International Code(s) and Standards … 8
1.4.4 Order of Precedence … 8
1.5 Definitions and Abbreviations … 9
2.0 AMENDMENTS TO ADNOC GENERAL ENGINEERING SPECIFICATION AGES-SP-04-001 … 10
3.0 AMENDMENTS TO ADNOC GENERAL ENGINEERING SPECIFICATION AGES-SP-04-004 … 53
4.0 AMENDMENTS TO ADNOC GENERAL ENGINEERING SPECIFICATION AGES-SP-04-003 … 62
5.0 Appendix 1 (AGES-SP-04-001 – PROCESS CONTROL SYSTEM SPECIFICATION) … 71
6.0 Appendix 2 (AGES-SP-04-004 – EMERGENCY SHUTDOWN (SIS) SYSTEM SPECIFICATION) … 119
7.0 Appendix 3 (AGES-SP-04-003 – FIRE & GAS SYSTEM SPECIFICATION) … 179
Table of Changes compared to previous revision (for Procedures and Job Specifications only)
Paragraph | Modification description | Remarks / Origin
All | Updated as per Company Comments on Rev.1
Section 1.3 | Update on HOLD List
Section 2.0 Para 12.11 | Deletion of Ergonomic Study from ICSS Vendor Scope of Work. It will be part of Others scope of work
Section 3.0 Para.15.6 | SIS Interposing Relay Cabinet deleted from ICSS Scope of supply following COMPANY response on ICSS TQ: RLNG-TQ-IC-0005_Remote IOs in Electrical substations
1.0 INTRODUCTION
The ADNOC Ruwais LNG Project is a two train, near net-zero electrically driven LNG facility, targeting international markets. The feed gas for the project is supplied from the Habshan Gas Processing Plant via a new export gas pipeline. The plant will have two 4.8 MTPA (nominal capacity) electric driven LNG Trains with associated LNG storage/marine export facilities and utilities.
Figure 1 – Project Context
The ADNOC Ruwais LNG Project foresees the following main components at the facility:
• Onshore LNG Liquefaction facilities for 2 x 4.8 MTPA electrically driven LNG Trains (9.6 MTPA total)
• Common facilities including inlet receiving facilities, LNG storage, BOG handling, flare, refrigerant storage and support buildings.
• Utilities to support the facilities including import power from the national grid.
• Marine facilities for LNG export and bunkering.
1.1 Scope of the Document
This document defines the minimum technical requirements for the design, engineering, and supply of the Integrated Control and Safety System (ICSS) for the ADNOC Ruwais LNG Project. The document also covers the scope of services for the ICSS.
This specification amends the below listed ADNOC General Engineering Specifications which are attached hereto in Appendix 1, 2 and 3.
a. AGES-SP-04-001 Process Control System Specification
b. AGES-SP-04-004 Emergency Shutdown (SIS) System Specification
c. AGES-SP-04-003 Fire & Gas System Specification
Sections 2, 3 and 4 of this document identify the amendments to the ADNOC General Engineering Specifications included in Appendix 1, 2 and 3 respectively.
Unless otherwise amended, AGES-SP-04-001, AGES-SP-04-004 and AGES-SP-04-003 shall be applied.
ICSS VENDOR shall supply hardware and software with licenses to meet the requirements of this specification.
The ICSS shall be comprised of the following subsystems:
a. Distributed Control System (DCS)
b. Safety Instrumented System (SIS)
c. Fire & Gas System (FGS)
Additional systems which shall be provided as part of the ICSS include:
a. Human Machine Interface (HMI),
HMI requirements are also described in RLNG-000-IC-SP-0005 Specification for HMI Graphics
b. Instrument Asset Management System (IAMS),
c. Alarm Management System (AMS),
AMS requirements are also described in RLNG-000-IC-SP-0102 Specification for Alarm Management System
d. Process Historian,
ICSS process historical data (short term) requirements are described in this specification and in RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design, while Process Historian (long term) requirements are described in RLNG-000-IC-SP-0182 Specification for Process Historian
e. Sequence Of Events (SOE),
f. Operator Training Simulator (OTS)
OTS will be described in other specifications (RLNG-000-IC-SP-0007 Specification for Operator Training Simulator)
1.2 Scope
1.2.1 Scope of Supply
ICSS VENDOR shall provide the following items for all ICSS (but not limited to):
a. ICSS signal acquisition devices controllers and inputs/outputs digital converters (IS and NIS) and associated equipment;
b. ICSS equipment: OWS, EWS, LSDs, KVM, Thin clients;
c. System and Application Software applicable to all user requirements;
d. Interfaces to other packages and systems (including firewalls, Converters (FO/Ethernet/RS485…), OPC Servers/Clients, Process CCTV interface server, etc);
e. ESD and FGS Console Panels (Push Buttons, key Switches for input Overrides, and Visual and Audible Annunciator of critical alarms);
f. ICSS Cabinets including Network, System, I/O acquisition (Marshalling), Servers/computers cabinets in various Instrument Rooms in CCB and JCB and IESs;
g. ICSS interconnecting cables within the rooms and all indoor communication cables between the ICSS equipment (systems and subsystems) and between the ICSS equipment and packages/3rd party systems;
h. ICSS Networks devices including FO converters, ICSS network switches and routers, FO patch cords, FO patch panels inside ICSS Network Cabinet (FO backbone cable and main FO patch panels will be provided by others);
i. Servers;
j. Printers;
k. Software and licenses;
l. Cybersecurity system including firewalls;
m. Dual redundant Network Time Protocol (NTP) time servers (with reference to Telecom NTP servers GPS based clock);
n. Test kits and equipment to facilitate Typical Acceptance Test (TAT), Internal Test/Pre-FAT, FAT, IFAT, Communications Interface Testing (CIT). 4ea test kits are to be provided for CIT (refer to Section 2 Amendments AGES-SP-04-001 Section 16.7);
o. Temporary equipment for Pre-Commissioning & Commissioning activities (temporary servers, network switch, network cables, …), 4ea are to be provided (refer to Section 2 Amendments AGES-SP-04-001 Section 12.12);
p. Special tools required for installation, operation and maintenance of the equipment;
q. Spares (commissioning and 2 years);
r. Documentation;
s. Ergonomic Console desks, chairs furniture;
t. Above L3.5 Cyber security devices (Firewalls with Data diodes) (to be quoted as OPTIONAL);
u. Surge protection for 10% of SIS and FGS IOs (to be quoted as OPTIONAL);
v. Temporary workstation (DCS/SIS/FGS) for Pre-Commissioning & Commissioning activities (to be quoted as OPTIONAL), refer to Section 2 Amendments AGES-SP-04-001 Section 12.12.
1.2.2 Scope of Services
ICSS VENDOR shall provide the following services (but not limited to):
a) ICSS Project management, controls, and reporting;
b) ICSS Interface Management and Coordination with COMPANY, CONTRACTOR, VENDORS (packages and 3rd party systems);
c) ICSS detailed design and engineering services including system engineering reviews such as:
• Participation in the cyber security workshop as required
• Participation in the HMI workshop as required
• etc
d) SmartPlant Instrumentation (SI) support services;
e) Verification and certification of the supply;
f) ICSS procurement & expediting (including Sub-Vendors);
g) ICSS (DCS, SIS, FGS) System Assembly;
h) ICSS systems and network configuration and programming development including interface with packages and other 3rd party systems;
i) Testing for hardware and software (includes Typical Acceptance Test (TAT), Internal Test/Pre-FAT, FAT, IFAT, Communications Interface Testing (CIT)) including transportation/travel;
j) ICSS marking, packing, and preservation;
k) Site activities (Installation, SAT, Pre-commissioning/commissioning, Start-Up support services, warranty support for a period of two years);
l) Trainings;
m) Resident Engineers in CONTRACTOR office (refer to Section 2 Amendments AGES-SP-04-001 Section 16.1);
n) Communication Interface Testing (CIT) at Package Type C/3rd party system premises (refer to Section 2 Amendments AGES-SP-04-001 Section 16.7);
o) 3rd party equipment packing in case CONTRACTOR sends the field device (sample of field instruments/valves/HART Multiplexers) for the test at ICSS Vendor staging facility, refer to Section 2 Amendments AGES-SP-04-001 Section 16.3;
The scope of ICSS VENDOR services covers the full duration of project execution, including tasks and services that are part of project execution, site services, additional services and options.
1.3 Holds List
HOLD | DESCRIPTION
1 | DELETED
2 | DELETED
3 | DELETED
4 | DELETED
5 | DELETED
6 | DELETED
7 | DELETED
1.4 References
1.4.1 Project Specifications
[1] RLNG-000-PM-BOD-2002 Project design basis
[2] RLNG-000-IC-SP-0002 Philosophy for Automation & Instrumentation Design
[3] RLNG-000-IC-SP-0005 Specification for HMI Graphics
[4] RLNG-000-IC-SP-0102 Specification for Alarm Management System
[5] RLNG-000-IC-SP-0007 Specification for Operator Training Simulator
[6] RLNG-000-IC-SP-0182 Specification for Process Historian
[7] RLNG-000-PM-SP-0001 Cyber Security Requirements for Vendors
[8] RLNG-000-IC-SP-0691 Specification for AMADAS
[9] RLNG-000-IC-SP-0143 Specification for Machine Monitoring System
[10] RLNG-000-IC-SP-6600 Specification for Flow Metering Station
[11] RLNG-000-IC-SP-0741 Specification for Instrument Cables
[12] RLNG-000-IC-SP-0001 Specification for Compressor Control System
[13] RLNG-000-TE-SP-0010 Telecommunication Systems Specification
[14] RLNG-000-IC-SP-Y140 Typical Interface between ICSS and PLC Packages
[15] RLNG-111-IC-SP-1151 Safety Requirement Specification
[16] RLNG-000-PR-PP-0004 Emergency Shutdown and Safeguarding Philosophy
[17] RLNG-000-IC-SP-0004 Instrumentation – Electrical Interface Philosophy
[18] RLNG-000-IC-SP-0121 Data Exchanged Rules and Guideline
[19] RLNG-000-TE-SP-0101 Specification for Process CCTV
[20] RLNG-000-IC-PP-0101 Inspection Test Plan for Integrated Control and Safety System (DCS, SIS, FGS)
[21] RLNG-000-IC-SP-0801 Specification For Packaged Unit Instrumentation
1.4.2 COMPANY Standards
[1] AGES-SP-04-001 Process Control System Specification
[2] AGES-SP-04-003 Fire and Gas System Specification
[3] AGES-SP-04-004 Emergency Shutdown (SIS) System Specification
[4] AGES-PH-03-001 Emergency Shutdown and Depressurisation System Philosophy
[5] AGES-PH-03-002 Fire & Gas Detection and Fire Protection System Philosophy
[6] DGS 11511-023 Rev.01 DCS Guidelines for Control Loop Redundancy
[7] AGES-SP-04-013 OT Cyber Security Specification
[8] AGES-SP-13-002 Procurement Inspection and Certification Requirement In Projects
1.4.3 International Code(s) and Standards
[1] RLNG-000-PM-PP-2000 Applicable Codes and Standards
The reference above complements the normative references listed in AGES-SP-04-001, AGES-SP-04-003 and AGES-SP-04-004 (e.g. for the version).
1.4.4 Order of Precedence
The order of precedence with respect to codes and regulations that shall be followed for the design of the terminal is as follows in terms of priority:
- UAE Statutory Legislation and Regulations
- ADNOC HSE Regulations, Standards and Codes of practice
- Project Specifications and Standards
- ADNOC Engineering Specifications, Standards and Procedures
- ADNOC Guidelines, Procedures & Codes of Practice
- International Codes & Standards
The latest versions (at the time of contract effective date) of all applicable Codes, Specifications & Standards shall be used as detailed in Section 1.4.3 Ref [1].
1.5 Definitions and Abbreviations
COMPANY: ABU DHABI NATIONAL OIL COMPANY (ADNOC) P.J.S.C.
CONTRACTOR: TJN Ruwais, Joint Venture of Technip Energies France-Abu Dhabi, JGC Corporation and National Marines Dredging Company (NMDC)
EPC: Engineering Procurement Construction
ADOC: Abu Dhabi Operating center - National Marines Dredging Company
POC: Paris Operating Center - Technip Energies
YOC: Yokohama Operating center - JGC Corporation
VENDOR: Supplier of goods and services
2.0 AMENDMENTS TO ADNOC GENERAL ENGINEERING SPECIFICATION AGES-SP-04-001
Instructions contained below such as “Add”, “Substitute”, “Revised”, or “New” shall be interpreted as follows:
- Add: Requirements shall be a continuation of the paragraph in the referenced specification.
- Substitute: The requirement of the referenced specification shall be replaced in its entirety by the requirements below.
- Revised: The requirement of the referenced specification shall be revised by the specific wording below.
- New: A new requirement as described below.
GENERAL
- PURPOSE – Add to paragraph:
‘When reading this specification, Process Control System (PCS) shall be read as Distributed Control System (DCS).
This is to align with the terminology used on the Reference Project.’
- DEFINED TERMS / ABBREVIATIONS / REFERENCES – Add below definitions:
AMADAS: Analyser Management and Data Acquisition System
BOG: Boil Off Gas
CCB: Central Control Building
CCS: Compressor Control System
CMS: Condition Monitoring System
DCS: Distributed Control System
ECMS: Electrical Control and Monitoring System
FACP: Fire Alarm Control Panel
IES: Instrument Equipment Shelter
JCB: Jetty Control Building
JCR: Jetty Control Room
KVM: Keyboard, Video, Mouse
MCC: Motor Control Centres
MMS: Machine Monitoring System
NAS: Network Attached Storage
NRU: Nitrogen Rejection Unit
NTP: Network Time Protocol
OTS: Operator Training Simulator
PAN: Process Automation Network
PCN: Process Control network
PTZ: Pan, Tilt and Zoom
SIEM: Security Information and Event Management
SN: Safety Network
SS: Electrical Substation
TGS: Tank Gauging System
SECTION A
- NORMATIVE REFERENCES
5.1 International Code(s) and Standards – Add the below reference standard:
IEEE 1588-2008: IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems
IEC 61850 Series: Communication networks and systems for power utility automation
5.2 COMPANY Specifications
The following AGES references are substituted with Project documents as detailed below:
AGES Reference | Project Document No. | Project Document Title
AGES-SP-04-004 | RLNG-000-IC-SP-0101 (This document) | Specification for Integrated Control & Safety System
AGES-SP-04-003 | RLNG-000-IC-SP-0101 (This document) | Specification for Integrated Control & Safety System
- DESIGN CONSIDERATIONS / MINIMUM DESIGN REQUIREMENTS
10.3 Electric Utility Data
Substitute the second paragraph with below:
‘The Electrical power supply details are as follows:
(a) Nominal voltage: 240V AC, UPS and non-UPS
(b) Single Phase, 50 Hz, earthed
(c) Steady state Voltage variation ± 5% nominal voltage
(d) Steady state Frequency variation ± 2 %’
10.7 Engineering Units – Substitute entire paragraph for below:
‘Units of Measure shall be as defined in RLNG-000-PM-BOD-2002, Project design basis’.
Add Sub-Section below:
’10.8 Language
Documentation, displays, alarms, messages, screens, and engraved tags / description shall be English language. System programming language and tools shall also be in English.’
SECTION B
- TECHNICAL REQUIREMENTS
11.1 General Design – Add to paragraph:
‘The DCS shall be the primary integration point for operational control and monitoring of several subsystems including, but not limited to the SIS, FGS, and third-party equipment packages and systems.’
11.4 Architecture – Add after first paragraph:
‘The Process Control Network (PCN) shall allow information to be transferred between the various components of the DCS. The PCN shall comprise a fully deterministic, redundant Ethernet communications network. Failure of the redundant communication paths shall not result in the loss of the control functions of any device on the system. The Ethernet network shall employ TCP/IP communications to all network resident devices with a minimum bandwidth of 100 Mbit/s.
The Process Automation Network (PAN) is a plant wide network interconnecting all ICSS sub-systems, that provides an interface with the plant DMZ to communicate with the COMPANY Corporate Network or third-party external networks. The network design shall provide physical and logical separation between the PAN and all other networks. The PAN backbone shall be based on Layer 3 multi-protocol switches or routers.’
11.4.2 Cybersecurity – Add after paragraph three:
‘Firewalls shall be provided by ICSS Vendor for all third-party package interfaces.
Communication between the DMZ and Enterprise network shall be through a high availability unidirectional gateway. Safety Zone shall be configured with dedicated next generation layer 7 inspection or latest firewalls for cyber security solutions.
All ICSS nodes, especially Windows based nodes, shall be configured with Windows hardening settings. All networking elements shall be configured with the hardening features. COMPANY shall provide the hardening checklist for implementation.
All Windows based ICSS nodes shall be configured with Host based security, such as:
a. Application whitelisting
b. Intrusion Host detection system
c. Antivirus software controlled using centralised Antivirus server
d. Network Monitoring Software
e. Patch Management system
The ICSS shall have a dedicated Security Information and Event Management (SIEM) system to collect real-time monitoring and analysis of events as well as tracking and logging of security data for compliance or auditing purposes. The SIEM system shall be able to collect, rationalise and correlate the logs and detect potential vulnerabilities.
A backup and recovery agent shall be installed on each ICSS node and centralised backup management software shall be configurable for scheduled routine backup of all ICSS nodes. Backups shall be stored on the dedicated Network Attached Storage (NAS). Other File/Backup server shall be provided by ICSS dedicated to 3rd party equipment. Back up shall be performed through the PAN network.’
Add after the last paragraph:
‘Patch Antivirus and Windows update shall be managed by ICSS server.
Provision for cybersecurity (e.g. by providing Firewalls) shall be foreseen where the ICSS network extends outside the Process area for the FGS displays in the fire station. The risk assessment shall be covered by the Cyber security workshop.
Above L3.5 Cyber security devices (Firewalls with Data diodes) shall be quoted by ICSS Vendor as OPTIONAL.
The cyber security requirements shall also refer to Cybersecurity Requirements for Vendors Doc.No. RLNG-000-PM-SP-0001 and ADNOC Group projects and engineering OT Cyber Security Specification AGES-SP-04-013.’
11.5 Functional Specification (FS) and Functional Design Specification (FDS)
Revised
(3) Number and type of I/O (Analogue, Digital, SOV, Fieldbus, ‘Soft’ serial, IS, Non-IS) and allocation to IES;
with:
(3) Number and type of I/O (Analogue, Digital, SOV, ‘Soft’ serial, IS, Non-IS) and allocation to IES;
11.6 Hardware
11.6.1 General
Revised the second paragraph: ‘(6) Dedicated marshalling cabinets shall be used for each system (PCS, ESD, F&G etc.), if an ICSS system is required, with segregation of IS and Non-IS.’
With:
‘(6) Dedicated marshalling cabinets shall be used for each system (DCS, SIS, FGS) with segregation of IS and Non-IS as required by IEC 60079 within the same cabinet per system’
11.6.2 Functional Requirements
Revised the third paragraph: ‘Dual redundant Simple Network Time Protocol (SNTP) time servers each with their own Global Positioning System (GPS) aerial in the Central Control Building signal shall be provided by VENDOR for time synchronization of all servers, workstations, controllers and other device clocks connected to the Process Control Network, third party systems and the Plant-Wide Network.’
With:
‘Dual redundant Network Time Protocol (NTP) time servers shall be provided by ICSS VENDOR in the Rack Room CCB for time synchronization of all ICSS servers, workstations, controllers and other device clocks connected to the Process Control Network, third party systems and the Plant-Wide Network.
ICSS shall also manage the time synchronization with Package type C and 3rd party systems which support NTP.
For the package type C and other 3rd party systems which don’t support NTP, time synchronization will be done by hardwired DO by the ICSS.
The ICSS dual redundant NTP servers above will be time synchronized by dual redundant Telecom NTP time servers. The Telecom NTP servers will each be provided with their own Global Positioning System (GPS) aerial, on the Main Building roof and the Telecom Tower. The Master Telecom NTP server shall be installed in the Main Building Telecom Equipment Room. The Master GPS antenna shall be installed on the Main Building roof. The Slave Telecom NTP server shall be installed in the Central Control Building Telecom Equipment Room. The Slave GPS antenna shall be installed on the Telecom Tower.
ICSS VENDOR shall provide the interface equipment necessary and liaise with Telecom VENDOR to time synchronize its systems with ICSS NTP servers (GPS antennas provided by Telecom). Refer to RLNG-000-TE-SP-0010 Telecommunication Systems Specification for Real Time Clock specification.
ICSS VENDOR shall provide the interface equipment necessary and liaise with Package type C and 3rd party systems VENDOR to time synchronize their systems with the ICSS NTP servers above. Refer to RLNG-000-IC-SP-0801 Specification for Packaged Unit Instrumentation.
NTP Time Synchronization Schematic (simplified)’
[Figure labels: Outdoor GPS Antenna (Telecom), two off; Master NTP Server (Telecom), Telecom Equipment Room in Main Building (OB-01); Slave NTP Server (Telecom), Telecom Equipment Room in Central Control Building (CCB-01); ICSS NTP Server (ICSS), two off, Rack Room in Central Control Building (CCB-01); NTP links, including to Package type C and 3rd Party Systems.]
Add after paragraph three:
‘Nodes on the control network shall be synchronized across the entire network to within +/- one millisecond via the ICSS redundant NTP servers (with reference to Telecom NTP servers GPS based clock). IEEE 1588 standard shall be followed and time stamps shall be synchronized to the Master Clock with GPS.’
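A measurement-side check for the ±1 ms requirement above, as an added example that is not part of the specification or of any vendor tooling: it computes offset and round-trip delay from the standard NTP four-timestamp exchange and passes a node only when the worst-case error (offset plus half the delay) stays inside the limit against both redundant servers. Node names, server names and all timestamps are constructed.

```python
"""Added example: judge node clock offsets against the +/- 1 ms requirement."""
from dataclasses import dataclass

LIMIT_US = 1000  # +/- one millisecond, in microseconds
SERVERS = ("ICSS-NTP-A", "ICSS-NTP-B")  # hypothetical names for the redundant pair
SEVERITY = {"PASS": 0, "INCONCLUSIVE": 1, "INVALID": 2, "FAIL": 3}


@dataclass(frozen=True)
class Exchange:
    """One NTP request/response, timestamps in integer microseconds."""
    node: str
    server: str
    t1: int  # request sent      (node clock)
    t2: int  # request received  (server clock)
    t3: int  # response sent     (server clock)
    t4: int  # response received (node clock)


def offset_and_delay(x):
    """Return (offset, round-trip delay); offset = server clock minus node clock."""
    offset = ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2
    delay = (x.t4 - x.t1) - (x.t3 - x.t2)
    return offset, delay


def classify(x, limit_us=LIMIT_US):
    """The true offset lies within offset +/- delay/2 (path asymmetry is unknown)."""
    offset, delay = offset_and_delay(x)
    if delay < 0:
        return "INVALID"            # timestamps are inconsistent
    bound = delay / 2
    if abs(offset) + bound <= limit_us:
        return "PASS"               # even the worst case is inside the limit
    if abs(offset) - bound > limit_us:
        return "FAIL"               # even the best case is outside the limit
    return "INCONCLUSIVE"           # path too slow to prove compliance


def node_verdicts(exchanges, servers=SERVERS):
    """Worst verdict per node; a missing server measurement is INCONCLUSIVE."""
    per_node = {}
    for x in exchanges:
        per_node.setdefault(x.node, {})[x.server] = classify(x)
    verdicts = {}
    for node, seen in per_node.items():
        results = [seen.get(s, "INCONCLUSIVE") for s in servers]
        verdicts[node] = max(results, key=SEVERITY.__getitem__)
    return verdicts


# Constructed sample exchanges (microseconds from an arbitrary epoch).
SAMPLES = [
    Exchange("OWS-01", "ICSS-NTP-A", 1_000_000, 1_000_350, 1_000_400, 1_000_650),
    Exchange("OWS-01", "ICSS-NTP-B", 2_000_000, 2_000_300, 2_000_340, 2_000_700),
    Exchange("CTRL-11", "ICSS-NTP-A", 3_000_000, 3_002_700, 3_002_750, 3_000_450),
    Exchange("CTRL-11", "ICSS-NTP-B", 4_000_000, 4_002_650, 4_002_700, 4_000_400),
    Exchange("EWS-SIS", "ICSS-NTP-A", 5_000_000, 5_002_100, 5_002_150, 5_004_050),
    Exchange("EWS-SIS", "ICSS-NTP-B", 6_000_000, 6_000_280, 6_000_320, 6_000_560),
]

if __name__ == "__main__":
    for node, verdict in node_verdicts(SAMPLES).items():
        print(f"{node}: {verdict}")
```

EWS-SIS shows the case a plain offset threshold misses: its measured offset is only 100 µs, but a 4 ms round trip leaves ±2 ms of uncertainty, so the sample cannot demonstrate compliance.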
Add to paragraph:
‘DCS functionality for the Project shall include the following specific requirements:
a. Operator stations shall be used to display all the operator interfaces for control, operation, and monitoring of the plant.
b. Provision for displays of all process and system alarms generated both by the DCS and all subsystems interfaced to the DCS.
c. Provision for real time and historical trend displays for all measured and calculated variables and system events.
d. Sequence of Events (SOE) recording of all SIS and FGS events.
e. Base level regulatory control and monitoring of the plant.
f. Sequential, timed, and logic control functions.
g. Plant performance logging and calculations.
h. Alarm management and analysis shall follow the guidelines from the Alarm Management Handbook.
i. Asset management of plant resources.
j. Controller self-tuning software.
k. Facility to add plant-optimization functionality.
l. The integration of HART signals from field devices and support communication and control with handheld operator stations.
m. Interfaces to third-party equipment and systems.
n. Remote performance management system’
11.6.3 EWS/OWS – Add the following after the second paragraph:
‘The operator console shall provide all the normal plant interface control and monitoring facilities required by the operators in the execution of their normal duties. It shall be possible, from any single OWS, to call up displays, accept alarms or invoke controls as part of normal operating procedures. Each OWS shall consist of high-resolution color screen VDUs (video display units) that permit the combined display of graphical information and alphanumeric characters through an operator keyboard and mouse.
Each OWS shall be capable of displaying and controlling any and all areas of all facilities without necessity of reconfiguration. However, it shall be possible to assign specific control views and actions to a particular OWS. The invocation time shall be one second or less. The same requirements shall apply to custom graphic displays (built within ICSS VENDOR guidelines) and dynamic update times when a process variable changes.’
Add after the last paragraph:
‘Two Engineering Workstations (EWS) each with two 24” monitors, or larger shall be provided: one for DCS EWS, one for SIS/FGS common EWS in below Technical Buildings:
• Engineering Room (ER) CCB,
• Instrument Rack (IR) JCB,
• IES-04 Inlet Facilities IES,
• IES-01 Chilled Water, Dry Flare & Refrigerant IES,
• IES-11 LNG Liquefaction & NRU Train 1 IES,
• IES-21 LNG Liquefaction & NRU Train 2 IES,
• IES-02 Utilities IES,
• IES-03 LNG Storage and BOG Compression IES’
Add after the last paragraph:
‘The ICSS VENDOR shall provide all the software and hardware engineering tools necessary to build and to modify the configuration of operator stations, controller units, servers, top level applications (IAMS, historian, etc.), third party software (anti-virus, etc.) as well as network communication interfaces. The tools shall be clearly identified and supplied in sufficient quantity.
The engineering tools (software) shall include facilities for:
• I/O software configuration;
• Control & Logic configuration;
• HMI development;
• Network configuration;
• Offline, Online modification for site activities;
• Manual for all software tools.
All engineering tools shall be implemented within the engineering workstation.
All engineering tools must be self-documenting.
Modifications and download shall be possible online. ICSS VENDOR shall detail the limitation of their system.
ICSS system shall allow import/export data to facilitate the ICSS activities like data comparison for the SW FAT, late modification of data, alarm management.
The EWS/OWS shall be able to access the controllers data directly.’
11.6.5 I/O Modules
Add before first paragraph:
‘I/O modules should preferably be Universal, software configurable type, i.e. each I/O module can be configured as Analogue or Digital inputs/outputs as per Project requirement. For Universal I/O, the I/O modules provide the communication interface between I/O channels and the controllers.’
Add to the second paragraph: ‘Distribution of I/O shall also be governed by Unit segregation and reduction of common-mode failure risk. Unless otherwise approved by COMPANY, control loops from different units shall be processed by different controllers and I/O channels shall be segregated so that failure of a single card/module only affects one unit. I/O modules for primary and standby equipment items shall also be segregated.’
With below addition:
‘Taking into consideration the capacity of controllers and the redundancy of all CPUs and networks, the below additional guidelines for distribution of I/Os shall be considered:
- Definition
Type C package is excluded from the additional guidelines, assuming that packages are connected to different PLCs but can be connected to the same ICSS controller (Logic/sequence are managed in PLCs).
With the assumption that universal I/Os will be used, an I/O module is defined as the card that connects a number of universal I/Os to the controller. All the I/O modules shall be considered redundant.
Equipment/Unit is identified as critical when a failure leads immediately, or within a short time, to a high-level shutdown (train shutdown).
Equipment/Unit is identified as non-critical when a failure does not lead to a train shutdown (or leads to one only after a delay in which the operator has time to react and prevent it).
- Critical and Non-Critical Equipment
All critical units/equipment will be merged in the same controller. If the controller is lost, the train will be tripped. Merging will also be applied for all the dependent units (example: Unit 111 & 112 for the train).
All units/equipment merged in the same controller will be subject to COMPANY approval.
• Special case of Parallel Process/Utility Equipment
Redundant equipment is defined as a set of identical equipment items working with backup logic (2*100%). If one item fails, another one replaces it.
Parallel equipment (2*50%) is defined as a set of identical equipment items working together in operation (without backup).
a/ Non critical equipment
I/Os associated with parallel or redundant equipment shall be connected to different I/O modules.
b/ Critical equipment
For redundant equipment, a segregated controller for each equipment item shall be implemented.
For parallel equipment, a segregated controller for each equipment item should be implemented only if, when one equipment item has failed, it is possible to operate in degraded mode for a significant time (the maintenance time for the failed item).
- Duty Standby pumps
Duty/standby pumps will use common controllers (with COMPANY approval).
Peer-to-peer signals should be minimized, as interface logic between controllers makes the system more complex, with more risk of mistakes, reaction delays, etc.
I/Os from duty/standby pumps shall be segregated by I/O module and, if only one I/O module is available, in a different I/O baseplate (generally split by 16 I/Os).
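The segregation rules of this section (one unit per I/O module, different I/O modules for redundant, parallel and duty/standby items, separate controllers for critical redundant equipment) can be checked mechanically against an I/O allocation list. The following is an added example, not part of the specification or of any vendor tool; the record layout, rule names and all tags are constructed, and the conditional rule for critical parallel equipment is left to engineering review.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class IOPoint:
    tag: str          # instrument tag (constructed sample values below)
    unit: str         # process unit the loop belongs to
    equipment: str    # equipment item served by the signal
    controller: str   # ICSS controller processing the loop
    io_module: str    # I/O module id, assumed unique plant-wide


@dataclass(frozen=True)
class EquipmentGroup:
    members: tuple    # equipment items that back each other up or run together
    relation: str     # "redundant" (2*100%), "parallel" (2*50%) or "duty_standby"
    critical: bool    # True when a failure leads to a train shutdown


def check_allocation(points, groups):
    """Return sorted (severity, rule, subject) findings for an I/O allocation."""
    units_on_module = defaultdict(set)
    units_on_controller = defaultdict(set)
    modules_of = defaultdict(set)
    controllers_of = defaultdict(set)
    for p in points:
        units_on_module[p.io_module].add(p.unit)
        units_on_controller[p.controller].add(p.unit)
        modules_of[p.equipment].add(p.io_module)
        controllers_of[p.equipment].add(p.controller)

    findings = []
    # Failure of a single card/module shall only affect one unit.
    for module, units in units_on_module.items():
        if len(units) > 1:
            findings.append(("VIOLATION", "module-spans-units", module))
    # Units merged in one controller are subject to COMPANY approval.
    for controller, units in units_on_controller.items():
        if len(units) > 1:
            findings.append(("APPROVAL", "controller-merges-units", controller))
    for group in groups:
        for a, b in combinations(group.members, 2):
            pair = f"{a}/{b}"
            # Redundant, parallel and duty/standby items need different I/O modules.
            if modules_of[a] & modules_of[b]:
                findings.append(("VIOLATION", "partners-share-module", pair))
            if not controllers_of[a] & controllers_of[b]:
                continue
            if group.critical and group.relation == "redundant":
                # Critical 2*100% equipment: one segregated controller per item.
                findings.append(
                    ("VIOLATION", "critical-redundant-share-controller", pair))
            elif group.relation == "duty_standby":
                # A common controller is allowed for duty/standby, with approval.
                findings.append(
                    ("APPROVAL", "duty-standby-common-controller", pair))
    return sorted(findings)


# Constructed allocation list with three deliberate rule breaches.
SAMPLE_POINTS = [
    IOPoint("111-PT-001", "111", "P-111A", "C01", "C01-M01"),
    IOPoint("111-PT-002", "111", "P-111B", "C01", "C01-M01"),  # same module as P-111A
    IOPoint("112-TT-010", "112", "K-112A", "C02", "C02-M01"),
    IOPoint("112-TT-020", "112", "K-112B", "C02", "C02-M02"),  # same controller as K-112A
    IOPoint("141-FT-005", "141", "E-141", "C03", "C03-M01"),
    IOPoint("142-FT-007", "142", "E-142", "C03", "C03-M01"),   # module shared by two units
]
SAMPLE_GROUPS = [
    EquipmentGroup(("P-111A", "P-111B"), "duty_standby", critical=False),
    EquipmentGroup(("K-112A", "K-112B"), "redundant", critical=True),
]

if __name__ == "__main__":
    for severity, rule, subject in check_allocation(SAMPLE_POINTS, SAMPLE_GROUPS):
        print(f"{severity:9} {rule:36} {subject}")
```

Findings marked APPROVAL are the cases the text allows only with COMPANY approval, so they are reported separately from outright violations.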
Add after seventh paragraph:
‘As optional, Smart Junction Box (SJB) with Remote I/O (RIO) may be used when specified in the material requisition. SJB enclosures and electrical components shall be designed, furnished and certified flameproof Ex db as per IEC 60079-1, Intrinsically Safe (Ex ia or Ex ib) as per IEC-60079-11 or Increased Safety Ex eb as per IEC-60079-7 suitable for installation within a Zone 2 hazardous area.
SJB enclosures shall be 316L stainless steel, rated as a minimum IP66 for ingress protection. VENDOR shall advise if additional features are required to protect electronics from excessive heat dissipation.’
11.6.6 I/O Signals
Add after the last paragraph ‘Wireless instrumentation is currently not considered for any applications on the Project.’
11.6.8 Cabinets
Add after the third paragraph:
‘If separate Network cabinets are used, equipment shall be installed in decreasing order of heat dissipation from top to bottom.
ICSS VENDOR shall propose standard arrangement of cabinets to be validated by CONTRACTOR.
ICSS VENDOR shall consider:
• Un-armoured duplex fibre optic patch cord between two cabinets laid on covered cable trays installed inside false floor.
The part of the cable between the cable tray and the cabinet will be protected by a PVC corrugated sheath. LC patch cords shall be used.
• Un-armoured fibre optic cables between two cabinets laid on covered cable trays installed inside false floor. The part of the cable between the cable tray and the cabinet will be protected by a PVC corrugated sheath.
The cable heads and connectors shall be supplied and installed by qualified staff.
• Armoured fibre optic cables between two cabinets for outdoor connection or within different rooms.
A 100% reflectometry test with report shall be carried out after cable pulling (and fitting of connectors where applicable).’
Revised the sixth paragraph ’The dimensions of the cabinets shall be 2000 mm (H) (excluding plinth) x 800mm (W) x 800 mm (D) (front access). If cabinets are permanently bolted to form sections, the length of these sections shall not exceed 2400 mm.’
with:
‘The dimensions of the cabinets shall be 2000 mm (H) (excluding plinth) x 800mm (W) x 800 mm (D) (front and rear access) for System, Marshalling Cabinet and 2000 mm (H) (excluding plinth) x 800mm (W) x 1000 mm (D) for server, network cabinet. If cabinets are permanently bolted to form sections, the length of these sections shall not exceed 2400 mm. Cabinets shall be double doors opening. Refer to Instrument Rooms Layouts.’
Add after the last paragraph:
‘Cabinet shall be vertically ventilated (bottom to top) and a hole shall be provided at the top of the cabinet to connect the sampling tube from the High Sensitivity Smoke Detection (HSSD) System. Tube connection hole size will be defined by CONTRACTOR during detailed design stage.’
Add after the last paragraph:
‘Cabinets shall be tagged as per the document Instrumentation & Control System Numbering Procedure Doc.No. RLNG-000-IC-PP-0001.
Cabinets requirements shall also refer to RLNG-000-IC-SP-0701 Specification for Instrument Installation & Design.’
11.6.10 Wiring
Add before the last paragraph:
‘Signal wiring shall be installed in a manner that shall minimise unwanted and unnecessary distortion of the signal.
IS and non-IS signals shall be segregated as required by IEC 60079. Wiring for IS/NIS systems shall be segregated and installed in dedicated cable trays.’
Add after the last paragraph:
‘If separate network cabinets are used, ICSS VENDOR shall consider un-armoured duplex fibre optic patch cords between two cabinets (within the same room). LC patch cords shall be used.
This requirement is applicable in all ICSS cabinets if used.
Armoured fibre optic cables shall be used for outdoor connection or long distance within the same room/building.
The ICSS VENDOR is in charge of the internal cable networks. External cables (in between the different buildings) are specified by ICSS VENDOR, purchased and installed by CONTRACTOR. These cables shall be left inside the ICSS cabinet, and it is the ICSS VENDOR that shall connect them. ICSS VENDOR shall state the length limitation for each type of link.
Wiring requirements shall also refer to RLNG-000-IC-SP-0701 Specification for Instrument Installation & Design and RLNG-000-IC-SP-0741 Specification for Instrument Cables.’
11.6.11 Availability/Redundancy/Reliability
Revised the second paragraph ‘…(3) I/O modules for loops which provide a ‘critical’ control function, where a ‘critical’ Function is defined as a function that, if lost due to a fault, would adversely affect asset safety or cause a significant loss of production.’ with:
‘(3) For Universal I/O: Universal I/O modules shall be redundant. I/O modules provide the communication interface between I/O channels and the controllers. In addition to redundant I/O modules, I/O channels shall be redundant for all I/Os associated with DCS closed-loop control functions.
(4) For conventional I/O: I/O channels shall be redundant for all I/Os associated with DCS closed-loop control functions’
11.7 Software
Add following paragraph: ‘The ICSS VENDOR shall provide to CONTRACTOR the software licenses for all parts of ICSS Vendor’s and sub-Vendor’s equipment, such as:
• Operator and Engineering Workstation;
• Servers systems;
• Controllers, logic solvers;
• Etc.
The ICSS software and equipment shall be provided with the latest available software versions at the time of FAT including firmware, patch, hotfixes, updates for hardware and software for the supplied versions.
In case version upgrade happens during project execution, ICSS VENDOR shall inform CONTRACTOR with impact of each software release.
COMPANY shall then decide to proceed, or not, to software release upgrade and when upgrade shall happen.
ICSS Vendor shall supply ICSS Software & license for all office application and report generation, latest and proven professional Windows operating system, etc.
Note: All software licenses shall be issued in the name of COMPANY. This includes all embedded licenses and Microsoft licenses in addition to all ICSS supplier licenses.’
11.7.2 Alarm Management
Substitute seventh paragraph ‘Refer to ADNOC Group Company AMS specification for further details.’ With:
‘Refer to RLNG-000-IC-SP-0102 Specification for Alarm Management System for further details and RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design.’
11.8 Maintainability – Add to paragraph:
‘On-line and off-line diagnostics shall be provided to assist in system maintenance and troubleshooting. Diagnostics shall be provided for every major system component and peripheral, including Fiber Optic converters and network switches. This shall include device diagnostics and firmware diagnostics in the devices. If diagnostics do not exist for particular peripheral devices (for example printers and terminals) the system shall detect and provide an error indication for the failure of these devices.
Continuous communications diagnostics shall alarm a failure in minimum time and switch to the redundant communications automatically. Any communication errors shall be available to be logged to any console in the system. Communication system status/performance shall be made available to any console in the system.’
11.9 Reports
Substitute last paragraph ‘Printers shall be provided as part of the ICSS for log and report printing. Colour printers shall be supplied for Graphic printing.’
with:
‘Printers shall be provided as part of the ICSS for log and report printing. Colour laser printers, network type, standing printers shall be supplied for Graphic printing. Printers can be accessed from each ICSS Workstation and are not dedicated to a specific function.’
Add after the last paragraph: ‘ICSS VENDOR shall supply two (2) printers in CCR CCB (1 for ICSS, 1 for Business Printer (loose item to COMPANY)); One (1) printer in JCR JCB.
In addition to ICSS printers, required printer for OTS shall refer to RLNG-000-IC-SP-0007 Specification for Operator Training Simulator.’
11.10 Instrument Asset Management System (IAMS)
Add after the last paragraph:
‘Refer also to RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design for IAMS requirements’
Add below sub section:
’11.10.1 HART Protocol
ICSS shall be able to communicate with smart transmitter type. This functionality should be implemented directly in HART pass-through IO modules.
All HART devices shall have identification for ICSS configuration in order to have interoperability with ICSS.
In case a test is required by ICSS VENDOR, the instrument supplier (via CONTRACTOR) shall send a specimen of the corresponding devices to the ICSS test platform.
The ICSS VENDOR shall ensure proper performance and distribution of the instruments and respective branches connected to the IAMS.
The ICSS VENDOR is responsible for building the library of all the instruments connected to the ICSS via HART pass-through and from packages via HART multiplexers.
Therefore, based on the CONTRACTOR instrument list, ICSS VENDOR (via CONTRACTOR) shall collect all the files and drivers from the instrument vendors.
The ICSS VENDOR is responsible for the hardware and network coordination for the HART multiplexers from packages.
11.10.2 IAMS Architecture
Refer to RLNG-000-IC-DWG-0101 Overall Control & Safety System Architectural Diagram for IAMS architecture.
All HART devices (transmitters, control valves, ..), which are wired to ICSS through HART pass through IOs, will be available in Instrument Asset Management System.
IAMS system uses a standard look and feel. It uses the industry standard device description (DD) technology. Manufacturers of HART devices already have a DD registered with the HART Communication Foundation.
With Server/Client architecture, IAMS shall allow users to set up client stations to remotely access its application to monitor and change full device configuration, run device methods, or perform advanced diagnostic procedures for field devices located across the plant.
The IAMS clients (located in Engineering Room CCB, each IESs, and Instrument Rack Room JCB) are the user interface, which can access that data from the IAMS server’s database in Rack Room CCB, and can view the field devices through a dedicated network. This will enable the maintenance technicians to maintain the plant instruments.
The IAMS servers shall be capable of communicating with a handheld terminal to import manually backed-up data.
The IAMS servers shall be provided in Rack Room CCB. In addition, IAMS Workstation shall be provided in each IES (IES-04, IES-01, IES-11, IES-21, IES-02, IES-03) and Instrument Rack Room JCB.
The IAMS shall be able to calculate KPIs, provide reporting of various status from complete database and export data under spread sheet format or equivalent.
11.10.3 IAMS Communication
11.10.3.1 PCN Network
IAMS communicates to the Devices through the modules on the PCN network, monitoring devices such as HART.
11.10.3.2 HART Multiplexers
HART Multiplexers connection to IAMS schematic
IAMS device manager can be connected to devices via HART multiplexer.
Multiplexers are based on RS485 communication. Multiplexers are connected to the IAMS device manager through an RS485 to Ethernet converter. Fiber optic will be used when in different buildings or within the same building with distance more than 100 meters.
The HART field devices will be connected to IAMS system using HART multiplexers, which will reside in the package type C cabinets of respective vendor in the technical buildings or field.
[Figure: HART Multiplexers connection to IAMS schematic. Labels shown: HART Multiplexers** (by Package Vendor); RS485; Ethernet; Converter (by ICSS Vendor*); IAMS network; Engineering Room CCB; Rack Room CCB; IES-01, IES-02, IES-03, IES-04, IES-11, IES-21; Instrument Rack JCB; IAMS Workstation (including IAMS Client); Maintenance Workstation (including IAMS Client); IAMS server & database.]
* Converter shall be provided by ICSS Vendor for the package located in IESs, CCB, or JCB. Converter shall be provided by package Vendor for the package located in other location than IESs, CCB, or JCB.
** HART Multiplexers (including HART Multiplexers Master) shall be provided by package Vendor.
HART Multiplexers (including HART Multiplexers Master) will be supplied by package Vendor. RS485 to ethernet converter shall be supplied by ICSS Vendor for the package type C cabinets located in IESs, CCB, and JCB. For the package type C cabinets located outside of IESs, JCB, CCB, RS485 to ethernet converter shall be supplied by package Vendor.’
11.11 Controllers – Add to paragraph:
‘DCS Controllers shall be redundant with microprocessor-based devices capable of receiving and transmitting analog, digital and smart transmitter signals. They shall also be capable of executing calculation algorithms for the purpose of control including sequential control; be configurable from the engineering station; have a configurable scan (execution) time; be unaffected by the failure of other devices connected to the DCS communication system.
Values available in one controller should be available for use by other controllers connected via the DCS redundant communication system.
Fault tolerant centralised controllers with redundant communications to remote I/O shall be provided to achieve better availability, easier long-term maintenance and enhanced ability to provide advanced control functions.
Fifty (50) hours of battery backup shall be provided for volatile memory in each controller in the event of primary and secondary UPS feeder failure.
The additional requirements for controllers shall apply:
a. Each module shall have on-board diagnostics, with on-board LED indicators, indicating controller status.
b. Main programs shall be held in non-volatile Read Only Memory (ROM).
c. Back-up battery alarm status shall be displayed on the Maintenance Workstation.
d. Changing a battery should be possible on-line without power down or loss of module operational functionality.
e. Controllers shall communicate with the servers via secured firewalls.
f. Variable and assignable scan times for each loop and peer to peer communication shall be available.
Third paragraph:
Delete: ‘The controllers shall be capable of scan rates of 100ms or faster. For logical processing of digital signals, the processing rate for each controller shall not be more than 0.2 second.’
Add: ‘The controllers shall be capable of scan rates of 100ms or faster. The processing rate for each controller shall not be more than 1 second. For 10% of DCS loops, the processing rate for each controller shall not be more than 500ms.’
Revised the sixth paragraph ‘Controller loading shall not exceed 50% during peak load (Alarm flooding condition). Loading measurement shall include I/O addressing capability and processor CPU loading.’
With:
‘Controller loading shall not exceed 60% during peak load (Alarm flooding condition). Loading measurement shall include I/O addressing capability and processor CPU loading.’
Add after the last paragraph:
‘Loss of redundant CPUs shall cause system outputs to freeze at their last position or to drive to the pre-defined fail-safe conditions.’
11.12 HMI
Add:
‘HMI requirements shall also refer to RLNG-000-IC-SP-0005 Specification for HMI Graphics.’
11.12.1 General
Delete:
‘Requirement for Large Screen Displays (LSDs) used for incident control and general overviews for operator and non-operator personnel shall be Project defined.’
Add:
‘Five (5) Operator Consoles Groups shall be provided in CCR (CCB). One (1) Operator Console Group shall be provided in JCR (JCB). Each Operator Console Group shall have two Operator Stations, each with a dedicated operator keyboard and mouse, four 24”, or larger, LCD screens (with the option for touch screen), and one central 42”, or larger, LCD screen. In addition, one sound bar shall be provided per station.
Large Screen Display LEDs or backlit LCDs shall be provided for common wall-mounted displays in Control Rooms, Emergency Control Centre, and Fire Station as per Philosophy for Automation & Instrumentation Design Doc.No. RLNG-000-IC-PP-0002.
Large Screen Displays (LSDs) and workstations used for Emergency Control Centre and general overviews for operator and non-operator personnel shall be provided as specified in the RLNG-000-IC-R-0101 MR for Integrated Control and Safety System (DCS, SIS, FGS, OTS). Two (2) workstations, each with four 24” screens, or larger, and two (2) wall-mounted Large Screen Displays (42”, or larger, LCD screens similar to those supplied for the Operator Consoles) will allow monitoring of the complete Process and Utilities plant in the event of an emergency. These workstations will be used for monitoring only and will not be used for control or configuration.
In the Fire Station, Two (2) dedicated wall mounted Large screens 42”, or larger, LCD screen shall be provided to display F&G HMI’s configured with all plant related F&G data to alert the safety personnel of the location and type of hazard.
Refer to RLNG-000-IC-DWG-0101 Overall Control & Safety System Architectural Diagram and RLNG-000-IC-SP-0005 Specification for HMI Graphics. ’
Add below sub section:
‘11.12.3 HMI Performance Times
HMI performance times requirements refer to RLNG-000-IC-SP-0005 Specification for HMI Graphics.’
- ADDITIONAL SPECIFIC REQUIREMENTS
Add below requirement:
‘12.1 Electromagnetic Compatibility
The design and installation of all electrical / electronic instruments shall meet the radio frequency interference (RFI) and electromagnetic interference (EMI) (IEC 61000) emission (IEC 61000 6-4) and immunity (IEC 61000 6-2) requirements for an industrial environment.
12.2 Servers/PC
Server and PC shall be rack mounted with associated cable management arm.
Each Server/PC cabinet shall be provided with KVM (Keyboard, Video, Mouse) and screen to access each server/PC for maintenance.
12.3 DELETED
12.4 Data Communication
Any ICSS back-up communication devices shall be automatically and permanently self-tested and/or controlled by watchdog to ensure that it is not out of service.
A system alarm shall be generated in the case of failure.
Transfer to a back-up communication channel shall be automatic without disrupting the system operation, but alarmed to the operator and recorded in the system alarm historical file.
Each device shall be electrically or optically isolated from the data communication system.
Network performance shall be continuously monitored and if reduced capacity occurs alarm shall be given.
The DCS, SIS, and FGS although distributed are also capable of stand-alone operation at the controllers’ level functions.
ICSS VENDOR shall provide manageable Switches for all application.
Data Communication requirements shall also refer to RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design.
12.4.1 PCN Network
The PCN network shall be fully redundant.
The physical exclusion or insertion of a CPU shall not compromise the traffic of signals on the same line, which shall maintain the required characteristics.
The interface modules in the communication and data exchange system shall be provided with back-up units.
The physical supports (cables) for the communication bus shall be backed-up, with automatic commutation from one line to the other for any failure or malfunction.
The network shall allow very high availability by providing redundant data paths and eliminating single points of failure.
Refer also to Section 11.4.
12.4.2 Safety Network
Refer to AGES-SP-04-004 and AGES-SP-04-003.
12.4.3 IAMS network
For the IAMS network, refer to Section 11.10.
12.4.4 PAN Network
Refer to Section 11.4.
12.4.5 Other Network
ICSS may have interface to PLC network with secured firewalls for some packages for time synchronization, antivirus and patch management, network management and back-up & restore. Refer to RLNG-000-IC-SP-0801 Specification for Packaged Unit Instrumentation (AGES-SP-04-018) for further details of ICSS interface to PLC network.
12.5 Interface with other systems
For the typical interface with packages refer to RLNG-000-IC-SP-Y140 Typical Interface between ICSS and PLC Packages.
For the standardized Modbus data exchange table and OPC data exchange table refer to RLNG-000-IC-SP-0121 Data Exchanged Rules and Guideline.
List of packages having interface with ICSS are shown in RLNG-000-IC-SP-0801, Specification for Packaged Unit Instrumentation.
List of 3rd party systems having interface with ICSS are mentioned in RLNG-000-IC-PP-0002, Philosophy for Automation & Instrumentation Design such as ECMS, Process CCTV, Ship to shore communication, LNG loading arm, feed gas pipeline, tank gauging system.
ICSS will have interface also with:
• MCC
• HVAC system
• FACP
• MMS and CMS
• Telecom system (PAGA, ACS, Process CCTV, Tetra UHF Plant Radio System,..)
• Fire fighting system
12.5.1 ICSS interface with Process CCTV
As per RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design, the Process CCTV System shall be designed to interface and operate seamlessly with the DCS/ICSS in compliance with IEC 62443 requirements via redundant firewalls. Control Room Operators shall be able to view and control Process CCTV cameras and wash/wipe units on designated Operator Workstations.
Upon receipt of a Fire and Gas alert or alarm condition, the Process CCTV System shall automatically adjust and focus the nearest PTZ camera(s) towards the area of interest and provide live imagery, correlated to GIS maps, to Operator Workstations for assessment. Activation of a Fire and Gas alert or alarm shall trigger full frame rate/high quality pre-, live and post alarm video recording from all cameras covering the area where the alarm was triggered.
Process CCTV system will be supplied by Telecom Vendor. ICSS Vendor shall supply interface equipment (communication module, network equipment, firewalls, …) to enable the display of Process CCTV in case fire/gas is detected by FGS in the concerned fire zone and to control Process CCTV cameras (Pan-Tilt-Zoom) and wash/wipe command. The FGS signal is sent to the Process CCTV system for the camera to show the plant area where the signal is detected.
ICSS-Process CCTV interface schematic (simplified)
(1) Fire and Gas system (FGS) via DCS has a direct Modbus TCP/IP link to the PCCTV server in TER CCB and in TER JCB to send F&G detection status via secured firewalls.
(2) Upon F&G detection, PCCTV system will control its cameras to display the corresponding F&G zones. The Modbus/TCP adaptor to PCCTV is integrated to the PCCTV video server.
(3) Operator is able to control Process CCTV cameras (Pan-Tilt-Zoom) and to send wash/wipe command from PCCTV Workstation.
[Figure not reproduced: ICSS-Process CCTV interface schematic (simplified). Labels shown, for the Central Control Building (CCB-01) and the Jetty Control Building (JCB-01): Telecom Equipment Room; Rack Room / Instrument Rack Room; CCR / JCR; PCCTV Main cabinet A / B (by TELECOM) with servers, recording and KVM; PCN; FGS; DCS; FW; MODBUS TCP/IP; PCCTV Workstation (by TELECOM); PCCTV Large Format Displays (by TELECOM); PCCTV(s) (by TELECOM); markers (1), (2), (3).]
Refer to RLNG-000-TE-SP-0101 Specification for Process CCTV, RLNG-000-TE-DWG-0101 Telecommunication Process CCTV System Block Diagram, and RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design.
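The FGS to PCCTV link described in this section is a single-purpose Modbus TCP conduit through secured firewalls, so the traffic it should carry can be described narrowly. The following is an added example, not part of the specification or of any vendor product, of the frame checks a Modbus-aware firewall rule applies to such a conduit; it assumes the DCS is the Modbus client and pushes zone status with Write Multiple Coils, and the unit id, coil block and sample frames are hypothetical.

```python
import struct

# Hypothetical conduit policy for the FGS -> PCCTV Modbus TCP link.
ALLOWED_UNIT_ID = 1             # assumed unit id of the PCCTV Modbus adaptor
WRITE_MULTIPLE_COILS = 0x0F     # assumed: one coil per fire zone status
STATUS_COILS = range(0, 256)    # assumed coil block reserved for F&G status
MBAP_LEN = 7                    # transaction id, protocol id, length, unit id
MAX_ADU = 260                   # Modbus TCP upper bound for one frame


def build_write_coils(transaction_id, unit_id, start, bits):
    """Build a Write Multiple Coils request (used here to make sample frames)."""
    packed = bytearray((len(bits) + 7) // 8)
    for i, bit in enumerate(bits):
        if bit:
            packed[i // 8] |= 1 << (i % 8)
    pdu = struct.pack(">BHHB", WRITE_MULTIPLE_COILS, start, len(bits), len(packed))
    pdu += bytes(packed)
    # The MBAP length field counts the unit id plus the PDU.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def inspect_request(frame):
    """Return (allowed, reason) for one client-to-server Modbus TCP frame."""
    if len(frame) < MBAP_LEN + 1:
        return False, "truncated frame"
    if len(frame) > MAX_ADU:
        return False, "oversized frame"
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        return False, "protocol id is not Modbus"
    if length != len(frame) - 6:
        return False, "MBAP length mismatch"
    if unit_id != ALLOWED_UNIT_ID:
        return False, "unit id not allowed"
    function = frame[MBAP_LEN]
    if function != WRITE_MULTIPLE_COILS:
        return False, f"function 0x{function:02X} not allowed"
    if len(frame) < MBAP_LEN + 6:
        return False, "truncated request"
    start, quantity, byte_count = struct.unpack(">HHB", frame[8:13])
    if not 1 <= quantity <= 0x07B0:
        return False, "coil quantity out of range"
    if byte_count != (quantity + 7) // 8 or len(frame) != 13 + byte_count:
        return False, "byte count mismatch"
    if start not in STATUS_COILS or start + quantity - 1 not in STATUS_COILS:
        return False, "address outside F&G status block"
    return True, "ok"


# Constructed sample frames, not captured traffic.
STATUS_UPDATE = build_write_coils(1, 1, 16, [1, 0, 0, 1])
SAMPLES = {
    "status update": STATUS_UPDATE,
    "register read": struct.pack(">HHHBBHH", 2, 0, 6, 1, 0x03, 0, 10),
    "write past block": build_write_coils(3, 1, 250, [1] * 16),
    "trailing byte": STATUS_UPDATE + b"\x00",
}


def run_samples():
    """Inspect every sample frame and return {name: (allowed, reason)}."""
    return {name: inspect_request(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} {verdict}")
```

Rejected frames are worth logging to the system alarm file, since anything other than the expected status write on this link indicates misconfiguration or tampering.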
12.6 Maintenance Workstation
One (1) Maintenance Workstation including IAMS Client (double screens, with two (2) 24” monitors, or larger) shall be provided in Engineering Room CCB.
Refer to RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design for the functionality requirements of this workstation.
12.7 IAMS Workstation
IAMS Clients Workstations shall be provided in the following areas:
• One (1) Maintenance Workstation including IAMS Client (double screens, with two 24” monitors, or larger) in Engineering Room in CCB (same item as in section 12.6)
• One (1) IAMS Client Workstation (single screen, with 24” monitors, or larger) in IES-04 (Inlet Facilities IES)
• One (1) IAMS Client Workstation (single screen, with 24” monitors, or larger) in IES-01 (Chilled Water, Dry Flare & Refrigerant IES)
• One (1) IAMS Client Workstation (single screen, with 24” monitors, or larger) in IES-11 (LNG Liquefaction & NRU Train 1 IES)
• One (1) IAMS Client Workstation (single screen, with 24” monitors, or larger) in IES-21 (LNG Liquefaction & NRU Train 2 IES)
• One (1) IAMS Client Workstation (single screen, with 24” monitors, or larger) in IES-02 (Utilities IES)
• One (1) IAMS Client Workstation (single screen, with 24” monitors, or larger) in IES-03 (LNG Storage and BOG Compression IES)
• One (1) IAMS Client Workstation (single screen, with 24” monitors, or larger) in Instrument Rack JCB
Refer to Section 11.10 and RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design for the functionality requirements of this workstation.
12.8 I/O Card
Input and output cards shall have a galvanic isolation between field equipment and the system.
Each Input/output channel shall be fully isolated and shall operate in parallel. Input/output channel shall be individually protected by fuse.
Input/output cards shall be designed such that a short-circuit or a high voltage on one I/O shall not induce a fault on any other I/O of the card.
System components shall be modular in design with rack mounting and plug-in type assemblies. Each system module shall be equipped with light indicators for fault and status display.
The system shall have self-diagnostic programs that run independently from the application programs on a continuous basis with fault detection capability down to the I/O module individual channel.
The analogue Input/Output shall follow the norm NAMUR 43.
Externally-powered instrumentation (3-wire, 4-wire), active or passive on the 4-20mA loop shall be configurable when required.
ICSS VENDOR shall provide electrical isolation (galvanic) of I/O points (individual, grouped or common for the entire modules).
I/O card of the system shall meet the following requirement:
• Accuracy: ± 0.1% of full scale
• Linearity: ± 0.05% of full scale
The fail-safe states for I/O shall be configurable on an individual basis as follows:
• Analogue Inputs: 0%, 100% or last good value
• Analogue Output: 0%, 100% or last good value
• Digital Input: 0, 1 or last good value
• Digital Output: 0, 1 or last good value
12.8.1 Intrinsic Safety
Where intrinsic safety (IS) barriers for specific inputs/outputs are connected to equipment located in a hazardous area, they shall be of the galvanic isolation type.
The intrinsic safety barriers shall be provided by ICSS VENDOR and installed in the electronic marshalling cabinets if required.
12.8.2 Analogue Inputs
Analogue inputs can be:
• 4-20 mA in general, system powered, 2 wire field transmitter (including temperature transmitter)
• 4-20 mA external powered supply
• 0-22 mA, system powered, 3 wire (24 V, common and signal) – Signal range 0-4 mA/20-22 mA used for diagnostics
• Range of Thermocouple and RTD inputs (Note: Temperature transmitters with HART 4-20 mA output shall be used for RTD and Thermocouple sensors unless specified otherwise)
HART interface (HART pass through) shall be supplied, for IAMS (Instrument Asset Management System) gathering and treatment.
Powering considerations:
• Common and differential mode input surge protection can be requested on a case by case basis. Accidental application of mains supply voltage or test voltages shall not damage the modules.
• The internal voltage drop of a 4-20 mA analogue input shall not exceed 8 V, including the 250 Ohm adaptive resistor.
• The analogue input circuit shall have transmitter out of range detection and open/short-circuit detection (NAMUR).
• The maximum load on the analogue input card shall not cause the power supply to decrease below 17 VDC.
• The ICSS shall be able to distinguish the transmitter failure mode alarm from saturation output values, for both standard and NAMUR compliant transmitters. Therefore, the values shall be programmable on the ICSS.
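The failure versus saturation discrimination with programmable values, combined with the per-channel fail-safe states listed in Section 12.8, can be illustrated as follows. This is an added example, not part of the specification or of any vendor implementation; the default limits are the NAMUR NE 43 values (failure information at or below 3.6 mA or at or above 21.0 mA, measurement range 3.8 to 20.5 mA), and the class names, the tag and the alternative threshold set in the usage are assumptions.

```python
import math
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Status(Enum):
    NORMAL = "normal"
    SATURATED_LOW = "saturated low"
    SATURATED_HIGH = "saturated high"
    FAILURE_LOW = "failure low"
    FAILURE_HIGH = "failure high"


class FailSafe(Enum):
    # The three configurable analogue-input fail-safe states from Section 12.8.
    ZERO = "0%"
    FULL = "100%"
    LAST_GOOD = "last good value"


@dataclass(frozen=True)
class Thresholds:
    """Programmable limits in mA; the defaults are the NAMUR NE 43 values."""
    fail_low: float = 3.6
    sat_low: float = 3.8
    sat_high: float = 20.5
    fail_high: float = 21.0

    def __post_init__(self) -> None:
        ordered = (self.fail_low < self.sat_low <= 4.0
                   and 20.0 <= self.sat_high < self.fail_high)
        if not ordered:
            raise ValueError("need fail_low < sat_low <= 4.0 and "
                             "20.0 <= sat_high < fail_high")


NE43 = Thresholds()
FAILURES = (Status.FAILURE_LOW, Status.FAILURE_HIGH)


def classify(ma: float, th: Thresholds = NE43) -> Status:
    """Map a loop current in mA to a signal status.

    An open circuit reads close to 0 mA and lands in FAILURE_LOW; a shorted
    loop drives the current above fail_high and lands in FAILURE_HIGH.
    Currents between a saturation limit and the matching failure limit are
    reported as saturation (a choice made for this example).
    """
    if math.isnan(ma) or ma <= th.fail_low:
        return Status.FAILURE_LOW
    if ma >= th.fail_high:
        return Status.FAILURE_HIGH
    if ma < 4.0:
        return Status.SATURATED_LOW
    if ma > 20.0:
        return Status.SATURATED_HIGH
    return Status.NORMAL


@dataclass
class AnalogInput:
    tag: str                        # hypothetical tag name
    failsafe: FailSafe
    thresholds: Thresholds = NE43
    last_good: Optional[float] = None

    def read(self, ma: float) -> Tuple[Status, Optional[float]]:
        """Return (status, PV in % of span) for one sample.

        On a failure the configured fail-safe value replaces the PV. With
        LAST_GOOD and no earlier valid sample the PV is None.
        """
        status = classify(ma, self.thresholds)
        if status in FAILURES:
            if self.failsafe is FailSafe.ZERO:
                return status, 0.0
            if self.failsafe is FailSafe.FULL:
                return status, 100.0
            return status, self.last_good
        # Saturated readings still carry measurement information: clamp them
        # to the saturation limits and keep them as the last good value.
        clamped = min(max(ma, self.thresholds.sat_low), self.thresholds.sat_high)
        pv = (clamped - 4.0) / 16.0 * 100.0
        self.last_good = pv
        return status, pv


if __name__ == "__main__":
    ai = AnalogInput("PT-EXAMPLE", FailSafe.LAST_GOOD)   # constructed tag
    for sample in (12.0, 20.4, 0.0, 21.5):               # constructed samples
        print(sample, ai.read(sample))
```
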
12.8.3 Analogue Outputs
Maintained analogue output shall be standard 4-20 mA DC signal, free of ground.
Powering: analogue output shall be powered by system using internal 24 VDC supply. The output interfaces shall be able to drive up to 750 Ohms.
HART interface (HART pass through) shall be supplied, for IAMS (Instrument Asset Management System) gathering and treatment.
12.8.4 Digital Inputs
The system shall accommodate both normally open and normally closed contacts. The interface shall include circuitry to ensure that any “chatter” or “bounce” encountered during contact closure does not initiate an erroneous alarm. To avoid these states, the input shall be electronically filtered on the board.
Powering: volt free contact inputs, shall be powered by the system.
Channel to channel isolation shall be provided for signals from devices that are externally powered or which may be subject to high voltage (e.g. AC power for motor status input).
The system shall handle inputs from NAMUR type switches, and accordingly recognize the line fault detection.
12.8.5 Digital Outputs
Digital outputs are solid state or preferably relay for hardware system communication, isolated per channel, free of voltage and ground.
The contact outputs shall be configurable by output to allow for latched contact, pulse contact.
Powering: the 24VDC relay output shall be powered by the ICSS.
Solenoids shall be powered at 24VDC by ICSS (no relay).
Each output channel shall be able to handle a 250mA load at 24 VDC. If solid-state outputs are used, the leakage in open position shall be negligible.
When auxiliary relays are used, they shall be plug-in type with socket, sealed with heavy gold contact according to the voltage. Mercury switches are not permitted.
12.9 ICSS Servers
The ICSS shall house as a minimum the following functions in servers:
• IAMS (redundant server);
• Historian (redundant server);
• SOE (redundant server);
• Network management (redundant server);
• File / Backup server (redundant server);
• 3rd Party Communication server (OPC UA) (redundant server);
• Patch antivirus / Windows update (WSUS) (simplex server);
• Process Historian Long Term (refer to Specification for Process Historian Doc.No. RLNG-000-IC-SP-0182)
12.9.1 IAMS Servers
Refer to AGES-SP-04-001 Section 11.10 and RLNG-000-IC-PP-0002 for Philosophy for Automation & Instrumentation Design Section for IAMS servers requirements.
12.9.2 Historian Servers
Refer to AGES-SP-04-001 Section 11.7.1 and RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design for Historian servers requirements.
12.9.3 SOE Servers
Refer to AGES-SP-04-004 Section 10.11; AGES-SP-04-003 Section 10.11; and RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design for SOE servers requirements.
12.9.4 Network Management Servers
This server shall host configuration tools for all manageable switches, routers, firewalls, including the ones connected to PLC network.
The servers shall not be a single point of failure for cyber security aspects.
12.9.5 File/Backup Servers
File servers are attached to the PCN networks with the primary purpose of providing a location for shared disk access.
ICSS VENDOR shall provide servers for the back-up storage of database, application programs, network equipment configuration, image of each ICSS server or computer, including back-ups connected to PLC network.
Backup Server shall be configured with the necessary software to manage the full automated image backup of all OWSs, EWSs, Servers, computers of the system.
The hardware shall be adequate to provide enough capacity to store a full system image, applications and historical data.
System image and applications shall be backed up every 5 days, and a copy of the last day shall be kept for one month.
It shall also be possible to transfer data from Backup Servers to removable media for long term storage and/or archiving. Refer also to Section 11.4.2 for the back-up requirements.
12.9.6 3rd Party Communication server (OPC UA)
This server shall be provided for OPC UA data exchange with third party systems (ECMS, CMS, PI, etc…).
A secure connection is established through a firewall between third parties and the OPC UA server.
OPC UA data can be read or written from third party systems into PCS database and historian.
Server shall be able to handle full flow of data.
12.9.7 Patch Antivirus/ Windows Update Servers
Refer to AGES-SP-04-001 Section 11.4.2 Cybersecurity.
12.9.8 Process Historian Long Term Servers
Refer to Specification for Process Historian Doc.No. RLNG-000-IC-SP-0182.
12.10 Keyboard
Operator keyboard with operation functionalities shall be provided for all OWSs. Alphanumeric keyboard QWERTY with Latin character shall be provided for non-OWS workstation.
12.11 Furniture (Ergonomic Control Desk and Chair)
The furniture (ergonomic control desk and chair) shall be supplied by the ICSS Vendor and shall be in accordance with the Room Layouts. The operation desk equipment shall provide user friendly operations and easy maintenance.
ICSS Vendor will provide control desks and chairs in control/technical rooms below:
• Central Control Room (CCR) CCB
• Engineering Room (ER) CCB
• Emergency Control Centre (ECC) CCB
• Jetty Control Room (JCR) JCB
• Instrument Rack (IR) JCB
• IES-04 Inlet Facilities IES
• IES-01 Chilled Water, Dry Flare & Refrigerant IES
• IES-11 LNG Liquefaction & NRU Train 1 IES
• IES-21 LNG Liquefaction & NRU Train 2 IES
• IES-02 Utilities IES
• IES-03 LNG Storage and BOG Compression
• OTS Room CCB
for ICSS equipment and Third party equipment.
The CCR/JCR/OTS Room furniture shall comply with the operator interface design requirements and the Ergonomic studies:
• Desk wedge units for arc-shape arrangement,
• Flat to desk units to provide space for documents,
• Suitable consoles identical in size and appearance to OWS to be used for the installation of equipment such as F&G Console Panel (Matrix Panel), ESD Console Panel (Matrix Panel), communication equipment, etc…,
• Chairs.
ICSS Vendor shall develop the design of CCR/JCR/Technical Rooms control desk in order to allow a good and efficient integration of all equipment and ancillary, including the 3rd party’s equipment as shown in Control Rooms/Instrument Rooms/Buildings layout:
• Central Control Room Arrangement Layout Doc.No. RLNG-F30-IC-DWG-1007 for CCR, Rack Room, Engineering Room
• CCB-01 Central Control Building Architectural & Structural Layout drawing Ground Floor Plan Doc.No. RLNG-F30-CV-DWG-0001 for Emergency Control Center (ECC) and OTS Room
• Instrumentation Technical Room Jetty Control Room Arrangement Layout-JCR Doc.No. RLNG-E32-IC-DWG-8006 for JCR JCB
• Instrumentation Technical Room Arrangement Layout- JCB-01 IRR Doc.No. RLNG-E32-IC-DWG-8001 for Instrument Rack Room JCB
• Instrumentation Technical Room Arrangement Layout- IES-04 Doc.No. RLNG-B14-IC-DWG-5231 for IES-04
• Instrumentation Technical Room Arrangement Layout - IES-01 Doc.No. RLNG-C54-IC-DWG-5231 for IES-01
• Instrumentation Technical Room Arrangement Layout - IES-11 Doc.No. RLNG-A15-IC-DWG-1231 for IES-11
• Instrumentation Technical Room Arrangement Layout - IES-21 Doc.No. RLNG-A25-IC-DWG-1231 for IES-21
• Instrumentation Technical Room Arrangement Layout - IES-02 Doc.No. RLNG-C12-IC-DWG-5231 for IES-02
• Instrumentation Technical Room Arrangement Layout - IES-03 Doc.No. RLNG-D24-IC-DWG-8101 for IES-03
ICSS Vendor shall quote Furniture (Ergonomic Control Desk and Chair) in his base offer.
12.12 Temporary equipment
ICSS VENDOR shall include in his offer four (4ea) of the temporary equipment for Pre-Commissioning & Commissioning activities such as:
• temporary servers/database for all ICSS application,
• network switches,
• network cables,
• etc.
This is to avoid dependence on CCB readiness and to align with Pre-Commissioning and Commissioning strategies. Refer to CONTRACTOR project planning.
Above temporary equipment shall be quoted as base offer.
In addition, temporary workstation (DCS/SIS/FGS) shall be quoted per unit as OPTIONAL.
12.13 Remote Performance Management
Minimum requirements: refer to RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design, AGES-PH-04-001 Section 16.1.2, Section 21, and Section 24.
12.14 Network Cabinet
ICSS Vendor shall provide ICSS Network Cabinet with below configuration:
• Network Cabinet A common for DCS/SIS/FGS
• Network Cabinet B common for DCS/SIS/FGS
The configuration shall take into account the different UPS autonomy times for DCS/SIS and for FGS. Refer to Philosophy for Automation & Instrumentation Design Doc.No. RLNG-000-IC-PP-0002.
Those network cabinets shall be provided in each Technical Room and IES as below:
• Rack Room (RR) CCB
• Instrument Rack (IR) JCB
• IES-04 Inlet Facilities IES
• IES-01 Chilled Water, Dry Flare & Refrigerant IES
• IES-11 LNG Liquefaction & NRU Train 1 IES
• IES-21 LNG Liquefaction & NRU Train 2 IES
• IES-02 Utilities IES
• IES-03 LNG Storage and BOG Compression
The ICSS Vendor shall provide FO Converters (including package and third party interface) inside ICSS network cabinets. Refer to Overall Control & Safety System Architectural Diagram Doc.No. RLNG-000-IC-DWG-0101.
12.15 ICSS Cabinet Alarms
ICSS Cabinet alarms are included in Systems Inputs / Output Sizing Data Doc.No. RLNG-000-IC-NM-0101.
ICSS Vendor shall manage ICSS cabinet alarms IO List based on the proposed quantity of cabinets and the following guidelines.
ICSS cabinet alarms shall be considered for:
• ICSS system cabinets (DCS/SIS/FGS)
• ICSS IO Cabinets (DCS/SIS/FGS)
• ICSS network cabinets (Refer to Section 12.14)
• ICSS server cabinets
Each cabinet alarm shall be wired to the respective system (DCS/SIS/FGS). For the common cabinets such as DCS/SIS network and ICSS server, cabinet alarms shall be wired to DCS.
The following signals per cabinet shall be foreseen at minimum:
• One (1) cabinet alarm related to power supplies:
-Common Fault Alarm (including MCB fault, individual fuses)
-Alarm of Incoming Power Feed A
-Alarm of Incoming Power Feed B
• One (1) cabinet alarm related to cabinet:
-High Temperature Alarm
-Fan Failure Alarm
-Door Open
SECTION C
- QUALITY CONTROL AND ASSURANCE
Add after the last paragraph:
‘Quality Program Plan shall be issued by the ICSS VENDOR and shall include:
• The Quality Personnel Qualification;
• The Management Responsibility;
• The Quality System;
• The Contract Review;
• The Design Control;
• The Purchasing;
• The Customer Supplied Product;
• The Products Identification and Traceability;
• The Inspection and Testing;
• Measuring and Test Equipment;
• The Inspection and Test Status;
• The Control of Non-conforming Product;
• The Corrective Action;
• The Handling Storage Packaging and Delivery;
• The Quality Records, the Quality Audits;
• The Training;
• The Servicing;
• The Inspection Schedule Report;
• The Quality Assurance Audit.
The ICSS VENDOR shall assign QA/QC coordinators responsible for this project. The QA/QC coordinators shall conduct the project Pre-inspection and Quality Meetings and shall be assigned to this project throughout design, manufacturing, staging, installation, commissioning and start-up of the package equipment.
ICSS VENDOR shall have a valid, in date, approval to ISO 9001.
The ICSS VENDOR shall have a suitable Quality organization and procedures to ensure that the design process is suitably documented.’
- INSPECTION & TESTING REQUIREMENTS
Add following paragraph ‘Inspection & Testing requirements shall refer also to Philosophy for Automation & Instrumentation Design Doc.No. RLNG-000-IC-PP-0002.
Refer to RLNG-000-IC-PP-0101 Inspection Test Plan for Integrated Control and Safety System (DCS, SIS, FGS) for minimum Inspection and Testing Plan requirements.’
16.1 General
Substitute the second paragraph ‘Inspection and Testing will be carried out by VENDOR and it will be witnessed by the CONTRACTOR and COMPANY representatives at various stages and locations as follows:
(1)Pre-Factory Acceptance - conducted at the system assembly/manufacturer location.
(2)Factory Acceptance Test - may be conducted at the system assembly location as a standalone PCS
(3)Integrated Factory Acceptance Test – conducted following FAT at the PCS location.
(4)Site Installation Test- conducted at the job site once system is installed and powered up.
(5)Site Acceptance Test - conducted at the job site as a system operating test after commissioning. ‘
With:
‘Inspection and Testing will be carried out by VENDOR:
(1) Internal Test and Pre-Factory Acceptance - conducted at the VENDOR system assembly/manufacturer location/VENDOR premises. COMPANY or CONTRACTOR witnessing is not mandatory; however, COMPANY or CONTRACTOR shall have the right to inspect the work in progress at any stage.
Inspection and Testing will be carried out by VENDOR and it will be witnessed by the CONTRACTOR and COMPANY representatives at various stages and locations as follows:
(1) Typical Acceptance Test (TAT)- conducted at VENDOR premises. Typical Acceptance Test with 100% attendance for hardware and software
(2) Factory Acceptance Test (FAT) - conducted at system assembly location/VENDOR premises. FAT Hardware inspection with 100% attendance; FAT Software with 100% attendance for complex loops, remote attendance for simplex loops and parameters test (IO check, parameters such as alarm set points,etc), 100% attendance for ESD/FGS Cause and Effect Logics
(3) Integrated Factory Acceptance Test (IFAT) – conducted following FAT at system assembly location/VENDOR premises. IFAT with 100% attendance (including network, load performance time response, ICSS applications (historian, AMS, IAMS) etc..) in parallel with cyber security
(4) Communications Interface Testing (CIT) – conducted at ICSS VENDOR premises or Package type C/ 3rd party system premises. Hardware and software interface testing with 100% attendance.
(5) Site Installation Test- conducted at the job site once system is installed and powered up.
(6) Site Acceptance Test - conducted at the job site as a system operating test after commissioning.
Add after second paragraph:
‘The tests shall be organized in such manner that errors or minor modifications shall be tracked through a dedicated software database (punch manager) provided by ICSS VENDOR.
The punch management software shall be presented to CONTRACTOR prior to the first testing activity. It is subject to CONTRACTOR approval.
This tool shall be used from the first test till the responsibility handover to CONTRACTOR and COMPANY. It shall enable a proper follow-up of punches, from creation to closure.
All modification managements shall be described in Test procedures.’
Add after third paragraph:
‘The procedure shall be approved before the effective starting date. The procedure shall define the testing architecture, means considered for testing, testing objective, testing schedule, progress metric.
At the beginning of Typical Acceptance Test (TAT), FAT, IFAT, Communications Interface Testing (CIT), ICSS VENDOR shall make available on the staging area a testing dossier to CONTRACTOR providing all needed evidence related to the task that shall be validated during the testing:
• Input documents considered for the job;
• Internal test & Pre-FAT procedures;
• Internal test & Pre-FAT reports;
• Evidence of the clearance of punches raised during internal testing & Pre-FAT.
In case of major noncompliance discovery, or evidence that internal test & Pre-FAT were not performed, CONTRACTOR could interrupt and postpone the testing.
For Testing held at ICSS VENDOR premises, ICSS VENDOR shall provide all the necessary facilities (desk, internet access, telephone access, print facilities and catering facilities) to CONTRACTOR and COMPANY representatives.
ICSS Vendor shall provide all the test equipment (tools and consumables) necessary to perform the tests. This includes all necessary measurement, control and simulation equipment such as:
• I/O simulation tools (switches, LEDs, 4-20mA generator, Ampere meter…)
• Communication network load and serial link analysers…
• Measurement Tools
• Testing Tools
• Hand Tools
• Others special tools
• Consumables required for the performance of tests
ICSS VENDOR shall foresee a resident engineer (specialist involved fully on Ruwais project) who will reside in CONTRACTOR office for the period of three (3) months prior to TAT (Typical Acceptance Test). ‘
Add sub section below:
‘16.3 Design Validation Test (DVT)
16.3.1 Hardware Typical Acceptance Test (TAT)
Prototype validation for cabinet is to be performed at ICSS VENDOR premises. The validation of prototype enables to check and approve all typicals before manufacturing.
The prototype shall be done with the materials used for the project or similar.
There shall be one (1) prototype cabinet per type of cabinet and of system. In case of similar layout, common typical can be foreseen based on CONTRACTOR approval.
Dedicated test of field equipment is to be performed at ICSS VENDOR premises.
The test shall validate that the hardware is correctly wired and that the field equipment software typicals function correctly.
CONTRACTOR shall provide the field device (sample of field instruments/valves/HART Multiplexers) for the test. ICSS VENDOR shall provide all necessary equipment and wires for the test.
The ICSS VENDOR is responsible for the test.
The field equipment (field instruments/valves/HART Multiplexers) VENDOR shall participate in the test, if necessary, to support the installation and interface.
The following shall be tested during the test as a minimum:
• DCS/SIS/FGS interface;
• HART functionality;
• IAMS;
• HMI;
• Networks capabilities.
16.3.2 Software Typical Acceptance Test (TAT)
The ICSS VENDOR shall validate with CONTRACTOR all Typical functions.
For this test the real IO shall be used to demonstrate the functionality of the Control Modules and graphic elements, trends, diagnostics, alarms and historian collection.
ICSS VENDOR needs to get the approval for the Module library and Graphic static and dynamic library. In addition to that, Control module typicals like AI, AO, DI, DO, Control valves, On/off valves, motors, Master/slave, Override control, etc and graphic typical like overview graphic, Unit graphic, Third party graphic, Detailed graphics, Interaction from process to SIS C&E and vice versa needs to be discussed and approved by the CONTRACTOR and the COMPANY.
The ICSS VENDOR shall maintain a test Log, showing all operations, events, test results, failure details, etc during each category of tests. All entries shall be referenced to the relevant Test Plan.
It shall demonstrate that all necessary hardware, software, documentation, services and personnel are available at the test site to perform the tests.
16.3.3 System Typical Acceptance Test (TAT)
This test covers all devices used on network level 2 and 3 such as Console, screens, KVM, operator keyboard, infrastructure (switches, router, firewall) and other interface devices. The test shall also cover Level 2 and 3 system applications (EWS/OWS, AMS, IAMS, Historian, SOE, etc.) typicals.
The controllers and I/O modules tests are defined in 16.3.1.
ICSS VENDOR shall list all the hardware supplied, with software and firmware versions, and shall provide a compatibility report.
If no report is available, then ICSS VENDOR shall demonstrate that all hardware equipment/interface links within its scope of supply are working satisfactorily.
The detailed description of the individual test procedures, relevant to all the items forming the ICSS supplied, shall be mutually agreed between ICSS VENDOR and the CONTRACTOR.’
Substitute ‘16.3 Pre-Factory Acceptance Test’
with:
‘16.4 Pre-Factory Acceptance Test’
16.4 Pre-Factory Acceptance Test
Substitute the second paragraph ‘The system equipment will be inspected by CONTRACTOR representative at the Pre-Factory Acceptance Test for satisfactory quality and workmanship. In addition, COMPANY or CONTRACTOR shall have the right to inspect the work in progress at any stage.’
With:
‘The system equipment may be inspected by CONTRACTOR representative at the Pre-Factory Acceptance Test for satisfactory quality and workmanship. In addition, COMPANY or CONTRACTOR shall have the right to inspect the work in progress at any stage.’
Add to the last paragraph: ‘Pre-FAT is part of the mandatory VENDOR internal test.’
Substitute ‘16.4 Factory Acceptance Test’
with:
‘16.5 Factory Acceptance Test’
16.5 Factory Acceptance Test
Add after first paragraph:
‘The ICSS VENDOR shall carry out FAT and shall demonstrate that the ICSS meets all the requirements stated in input documents.
Prior to FAT, the ICSS VENDOR shall:
• Submit his detailed test procedure and acceptance criteria and procedures for approval;
• Notify CONTRACTOR that the manufacturer’s Internal Tests have been correctly passed;
• Make all drawings and documentation up to date and available. Drawings and documentation shall be approved by CONTRACTOR before the beginning of the FAT;
• Make internal Tests records available;
• Make FAT test schedule and procedures ready for application. ‘
Add after the last paragraph:
’16.5.1 Hardware FAT
The Hardware FAT shall include the following minimum requirements:
• Verification of Bill of Material;
• Visual and mechanical inspection of quality, layout, labels, paint finish, sheet thickness, adherence of ferruling, grounding, etc.;
• Redundancy test (power supply, CPU, communication cards and IO cards);
• Continuity tests;
• Isolation tests;
• Full hardware IO test;
16.5.2 Software FAT
Before the beginning of the software FAT all graphic documentation shall be approved by CONTRACTOR and COMPANY.
ICSS VENDOR shall propose off line tests such as review database extracts (alarms…) to be performed prior or in parallel of FAT.
During the FAT, the CPU spare capacity and the load of the network shall be measured three (3) times in the Software FAT: before, in the middle and at the end of the FAT.
The Software FAT shall include:
• Full functional test of logic as described in control narratives and ESD/F&G Cause&Effect Chart. Functional tests shall be performed by units with DCS/SIS/FGS interactions;
• 100% of graphic displays and graphic navigations tests;
• 100% testing of configuration and logic for SIS, FGS
• 100% testing of complex loops, logics, sequence, interlocks in DCS
• Configuration extracts shall be provided by ICSS VENDOR to enable a proper check of basic parameters (e.g. typical assignment, direct/reverse setting)
• SIF test and validation by competent person. All loops with SIL requirement shall be specifically identified.
Substitute ‘16.5 Integrated Factory Acceptance Test (IFAT)’ with:
‘16.6 Integrated Factory Acceptance Test (IFAT)’
16.6 Integrated Factory Acceptance Test (IFAT)
Revise the first paragraph: ‘Following FAT, IFAT shall follow and include testing of communication interfaces between FGS, ESD, PCS and third-party systems. Data transfer between FGS/ ESD/PCS shall be checked. FGS/ESD/third-party graphics implemented in PCS OWS shall be 100% tested.’ With
‘Following FAT, IFAT shall follow and include testing of communication interfaces between FGS, SIS, DCS. Data transfer between FGS/ SIS/DCS shall be checked. FGS/SIS implemented in DCS OWS shall be 100% tested.’
Add after the last paragraph: ‘The IFAT shall perform the integrity tests with all ICSS equipment connected as per ICSS architecture:
• The test of ICSS networks integrity and network configuration;
• The network performance test at full load with database size, displays and data processing;
• System failure test and system diagnostic facilities;
• Overall ESD activation;
• Power up as per black start procedure including check of SOE and Historian;
• Cybersecurity test (Pen Test) if required by COMPANY;
• Verification of the domain controller functionality;
• ‘Island Mode’ functionality.
The performance test during the FAT shall consist of the requirements described in section 11.12.3 and as follows:
• Time synchronization between ICSS elements between 10-25 ms;
• The reboot time for different components (Controller, EWS/OWS, Network switches, application program etc.) shall be given by ICSS SUPPLIER for validation by CONTRACTOR and COMPANY;
The project operating philosophy shall define the number of simultaneous users (i.e. OWS).’
Add sub section below:
‘16.7 Communications Interface Testing (CIT)
As a general rule, each ICSS interface with a type C package or 3rd Party System using a communication interface shall be fully tested. This test is not only a communication test, but a complete test which validates the logic and operator interface (displays, reports, etc.).
The Type C packages or 3rd Party Systems shall be tested ahead of the final installation at site, at the PACKAGE VENDOR premises, to which the ICSS VENDOR shall prepare a test bench with redundant communications cards, CPU(s). PACKAGE VENDOR to make available other components needed to perform the test, such as Ethernet cables, switches, etc.
The following tests shall be performed (the list is not exhaustive):
• Establish the communication including “black start” power up - i.e. initialisation of the comms link on power up;
• Redundancy test of the communication;
• Test of all signals exchanged according to the exchange list;
• Test of graphic displays animations based on signals received through the communication (on both sides: ICSS and PLC/3rd party servers);
• Verification of alarms generation and events log recording;
• Verification of associated logics (ICSS and PLC);
In order to properly perform testing at PACKAGE VENDOR premises, ICSS VENDOR shall integrate four (4) test kit panels in the offer covering as a minimum:
• Communication cards for testing of all types of network interfaces;
• Controllers;
• Servers if needed (IAMS, OPC etc.);
• Laptop with software application to perform the test;
• Interface network equipment (switches, firewalls, …)
ICSS Vendor shall quote trips for CIT at Package Type C/3rd party system premises.’
Substitute ‘16.6 Site Installation Test (SIT)’ with:
‘16.8 Site Installation Test (SIT)’
Substitute ‘16.7 Site Acceptance Test (SAT)’ with:
‘16.9 Site Acceptance Test (SAT)’
Substitute ‘16.8 Certificates of Acceptance’ with:
‘16.10 Certificates of Acceptance’
Substitute the first and second paragraph ‘At the satisfactory conclusion of the FAT, IFAT, SIT, and SAT a Certificate of Acceptance shall be provided by the VENDOR for signature by the CONTRACTOR and COMPANY.
Following documents as minimum shall be attached to Certificate of Acceptance dossier:
(ddd) Signed and Approved FAT, IFAT, SIT and SAT test reports
(eee) Electric Equipment Test Certificates
(fff) Hardware Test Certificates
(ggg) Software Test Certificates
(hhh) Approved As-Built Drawings’
with:
‘At the satisfactory conclusion of the TAT, FAT, IFAT, Communications Interface Testing (CIT), and SAT a Certificate of Acceptance shall be provided by the VENDOR for signature by the CONTRACTOR and COMPANY.
Following documents as minimum shall be attached to Certificate of Acceptance dossier:
(ddd) Signed and Approved TAT, FAT, IFAT, Communications Interface Testing (CIT), SIT and SAT test reports
(eee) Electric Equipment Test Certificates
(fff) Hardware Test Certificates
(ggg) Software Test Certificates
(hhh) Approved As-Built Drawings’
Substitute ‘16.9 Services by the VENDOR’
with:
‘16.11 Services by the VENDOR’
- SPARE PARTS
18.1 Spare Parts
Substitute the first paragraph ‘VENDOR shall include the provision of all commissioning spares in the bid. The VENDOR shall also include list of spares required for two years operation, FAT Spares and insurance spares along with price schedule for each item along with the bid.’
With:
‘VENDOR shall include the provision of all Pre-commissioning, commissioning, and start-up spares in the bid. The VENDOR shall also include list of spares required for two years operation, FAT Spares and insurance spares along with price schedule for each item along with the bid.’
Add after the last paragraph:
‘The list of spare parts shall provide the following information (according to project template) as a minimum:
• Original manufacturer;
• Original manufacturer part number;
• Supplier;
• Supplier part number;
• Tag numbers where applicable;
• Number of units on the project;
• Drawing or sketch number (incl. references to the associated part);
• Price per unit;
• Recommended spare parts;
• Description of the spare parts; this description should be sufficient to purchase the component without knowledge of part numbers.
VENDOR shall support supply of spare parts for 15 years.’
18.2 Spareage – Add below requirement
‘ICSS network architecture shall be designed to ensure that at any measuring node, the total communication load shall not exceed 60%.
Tag or point capacity shall not exceed 60% for any server, client, historian, report generators, Engineering Workstations and interface gateways.’
Substitute the first paragraph ‘The PCS shall be delivered with an installed spareage of 20% for each type of input and output and associated support hardware and adequate space within the cabinets to allow for installation of an additional 15% inputs and outputs and any additional support hardware. This spareage shall be utilised to accommodate additions due to design development after the delivery of the system. Prior to delivery additional I/O shall be added as required by the Design Update Packages to maintain the 15% installed spareage target.’
with:
‘The PCS shall be delivered with an installed spareage of 20% for each type of input and output and associated support hardware. This spareage shall be utilised to accommodate additions due to design development after the delivery of the system. Prior to delivery additional I/O shall be added as required by the Design Update Packages to maintain the 20% installed spareage target.’
Add after the second paragraph:
‘Software license spare shall be provided as per general spare capacity required especially for IO expansion.’
Substitute the fifth paragraph ‘Minimum 30% spare space shall be provided for future use’
with:
‘Minimum 20% spare space shall be provided for future use’
- PRESERVATION & SHIPMENT
19.1 Packing and Shipping
Add after the last paragraph:
‘In addition, ICSS Vendor shall quote as OPTIONAL 3rd party equipment packing in case CONTRACTOR sends the field devices (sample of field instruments/valves/HART Multiplexers) for the test at ICSS Vendor staging facility as per section 16.3.’
- COMMISSIONING
20.1 Installation
Add to the first paragraph ‘VENDOR shall provide supervision assistance for Installation and Commissioning of DCS System at site. Installation will be carried out by the CONTRACTOR with supervision assistance from the VENDOR. Assistance for installation, power up and all SAT and SAT related activities, clearance of ‘fault logs’ shall be part of ICSS vendor scope. The VENDOR shall notify the CONTRACTOR of any special tools required for installation and supply these, if necessary, to the CONTRACTOR.’
- DOCUMENTATION
Add to the first paragraph ‘The list of documents to be issued by ICSS VENDOR shall be compliant with CONTRACTOR requirements given in MR for Integrated Control and Safety System (DCS, SIS, FGS, OTS) Doc.No. RLNG-000-IC-R-0101.’
Revise the tenth paragraph: ‘(25) FAT Procedure & Report’
with:
‘(25) TAT, FAT, IFAT, CIT Procedure & Report’
- PROJECT ADMINISTRATION
Add ‘ICSS VENDOR shall assign a project manager for the whole project, from the bidding stage to the end of the project execution.’
24.1 Project Personnel
Add before the first paragraph ‘ICSS VENDOR shall provide a project organization chart and associated personnel resume to CONTRACTOR for validation.
The ICSS VENDOR shall assign a qualified person as the Lead Technical Engineer. The Lead Technical Engineer shall have responsibility for technical issues and direction of the day-to-day work in the engineering, design, configuration, and testing phases.
The ICSS VENDOR shall ensure that the Lead Technical Engineer shall be available full time for the length of the project.
The ICSS VENDOR shall not remove any of the lead personnel from the project including Project Manager, Sales Coordinator, and Lead Technical Engineer without the CONTRACTOR’s approval. The ICSS VENDOR’s removal of key persons from the project without the CONTRACTOR’s consent may be subject to a Ransom Penalty, monies paid for the privilege of removing those persons.
The CONTRACTOR shall approve new members of the project team and may request removal of current members of the project team. The CONTRACTOR’s request for a change in personnel shall not result in a change in schedule for the project or result in additional costs to the project; any cost or schedule impacts shall be the responsibility of the ICSS VENDOR.
In accordance with IEC 61511, the ICSS VENDOR shall demonstrate the qualification of specialists involved in functional safety when enrolling in SIS design, configuration, and testing.’
24.2 Project Schedule
Add after the last paragraph:
‘All along the project execution, the schedule shall be updated; critical paths shall be clearly identified as well as non-compressible durations.
Check points should be defined for the intermediate work as follows:
• Kick off meeting (defined by CONTRACTOR/ICSS VENDOR);
• Functional design specification (defined by ICSS VENDOR);
• Availability of all functions offered (Configuration pre-Test, Validation of typicals, validation of graphic standard, etc.) (defined by ICSS VENDOR);
• Hardware freezing date (defined by CONTRACTOR);
• Software freezing dates (defined by CONTRACTOR);
• Pre-validation (hardware typical tests, software typical tests, etc.) (defined by CONTRACTOR/ICSS VENDOR);
• Beginning of configuration (defined by ICSS VENDOR);
• End of configuration (defined by ICSS VENDOR);
• Internal tests/Pre-FAT for hardware and software (defined by ICSS VENDOR);
• Factory Acceptance Tests for hardware and software (defined by ICSS VENDOR);
• Integrated Factory Acceptance Tests (defined by ICSS VENDOR);
• Ready for shipment (defined by CONTRACTOR).’
24.3 Progress Reporting
Add below sub sections after the first paragraph:
‘24.3.1 MOM
ICSS VENDOR shall be in charge of preparing the minutes of meeting (MoM) of all meetings between ICSS VENDOR and CONTRACTOR. Minutes of meeting shall be provided to CONTRACTOR for comments via chronological email. After agreement between ICSS VENDOR and CONTRACTOR on the content of the MoM, CONTRACTOR is in charge of distributing the MoM.
24.3.2 Technical Meeting Report
Technical report shall be foreseen by the ICSS VENDOR at each Technical Meeting.
24.3.3 Monthly Report
A monthly report shall be foreseen by the ICSS VENDOR. This report shall be provided one week before each monthly meeting. The content of the report is to be discussed during the following monthly meeting.
The monthly report shall at minimum contain:
- Actions, tasks and documents finalized during the month;
- Actions, tasks and documents to be done during the coming month;
- Human resources and mobilization follow-up;
- Progress and Schedule for purchase, engineering studies, manufacturing;
- Difficulties and risks (technical, related to schedule, etc.);
- Expectations toward CONTRACTOR (e.g. documents, plans, data);
- Sub-VENDOR follow-up;
- Up-to-date list of ICSS VENDOR document;
- List of changes.
ICSS VENDOR is to propose additional themes that could ease the coordination follow-up. The content of the monthly report is to be discussed during Kick-off meeting.’
24.4 Coordination Meetings
Add to the last paragraph ‘Meetings can be held remotely, but the KOM and pre-inspection meetings shall be held face to face. KOM shall be held at the VENDOR or CONTRACTOR offices/premises; pre-inspection meeting shall be held at the VENDOR premises.
The ICSS VENDOR must foresee as a minimum the following meetings during project execution.’
Add sub sections below:
‘24.4.1 Kick Off Meeting
A Kick off meeting shall be organized after the Purchase Order before starting the activities. The Kick-Off Meeting shall cover:
• Project team organization;
• Establish communication channels for technical subjects;
• Identify roles and responsibilities;
• Review of project schedule;
• Detailed review of the project scope;
• Design and technical issues;
• Training requirements;
• Other Issues and topics as required.
24.4.2 Monthly Meeting
At the end of every month, a meeting is to be planned to discuss the month’s activities, the list of forecast activities for the next months and the list of miscellaneous points. The reports of meeting are to be written by the ICSS VENDOR.
24.4.3 Weekly Meeting
Every week, a meeting shall be held with ICSS VENDOR to clarify all potential queries and follow the progress of the week.
24.4.4 Working Workshop / Technical Meeting
ICSS VENDOR shall organize, as necessary, Working Workshops/Technical Meetings for clarification and know-how transfer.
Those meetings shall be organized for the review of the system design and configuration done by the ICSS VENDOR and to solve technical questions.’
Add Section below:
‘25. ICSS Execution Plan
ICSS VENDOR shall issue the execution plan and include a complete detailed execution plan. The execution plan shall include, but not be limited to:
• The administrative control procedure;
• The organization and responsibilities;
• The detailed location of centers;
• The project filing system and document control procedure;
• The coordination procedures;
• The travel / passports / visas;
• The approvals by CONTRACTOR;
• The contract administration;
• The accounting and billing;
• The personal computers and computer systems;
• The progress meeting agenda and minutes.
25.1. Detailed Engineering
In conjunction with the CONTRACTOR, the ICSS VENDOR shall:
• Define the architecture for integration of the ICSS systems according to SIL levels and Project specifications;
• Design the data communication networks structures, ensuring safe and reliable data transfers between distributed controllers and IOs, and taking into account the data traffic loads;
• Design the communication interfaces between the main ICSS systems;
• Design the HMI equipment in the building and in the equipment rooms;
• Design the typical interface hardware signals to be implemented for package interface links;
• Design the typical interface software communication blocks to be implemented for package interface networks.
25.1.1 Development of Standard Functions (Typicals)
CONTRACTOR and the ICSS VENDOR shall identify standard functions from P&IDs, ESD cause and effect charts/logic diagrams, F&G cause and effect charts and other engineering documents. For each identified standard function, the ICSS VENDOR shall develop a function block or a generic program in the relevant system and shall document it.
Once it has been developed, it shall be formally tested according to a test procedure prior to its incorporation in the application. Refer to section 16.3.2.
In case of modification of function blocks and/or generic programs, those shall be retrofitted on each application controller where already installed.
Design the security and access levels, enabling software upgrades to be carried out securely and safely and limiting unauthorized access to the systems.
Design the typical blocks and typical control loop strategies to be implemented during configuration development step. Occasionally, addition or modification of typicals should be envisaged during detail execution phase.
Design the typical HMI blocks to be implemented during the configuration development step.
25.1.2 Design of Instrument Wiring Loops
CONTRACTOR is responsible for the detail design of the instrument loops and wiring.
ICSS VENDOR shall provide all necessary information related to ICSS wiring and installation needed for CONTRACTOR to proceed on this task.
ICSS VENDOR shall fill a template to provide all wiring information regarding ICSS. Data provided in template (Excel or equivalent) file shall be imported in Smart Instrumentation (SI) database.
25.1.3 Inputs for Implementation
• DCS/SIS/FGS Narratives and SIS/FGS Cause & Effect charts
Detailed Narratives, cause and effect charts are issued by CONTRACTOR.
Detailed Narratives shall be produced in order to complete the information provided by the P&IDs, shutdown logic diagrams and cause and effects charts. Such documents shall include:
- Narrative descriptions;
- Sequence descriptions;
- Definition of operating modes;
- Logic diagrams if any/ Cause and effect;
- I/O setting (alarms, filtering etc).
CONTRACTOR shall be responsible for issuing the Detailed Narratives to the ICSS VENDOR including the narratives from the Type A packages.
Those documents shall be used by the ICSS VENDOR for the ICSS detail design.
ICSS VENDOR shall review these documents as soon as available (even first revision) to make sure that the content and level of detail is correctly understood.
The ICSS VENDOR shall issue functional design specifications (general specifications) and detailed design specifications (readable application programme description) before any coding.
• Package Type C Interface Narratives
Package Type C Interface Narratives are issued by CONTRACTOR for packages with PLC (type C).
Interface Narratives shall be produced in order to complete the information provided by PACKAGE VENDOR: the P&IDs, shutdown logic diagrams or cause and effects charts. Such documents shall include communication interfaces for each package, including:
- Graphic displays;
- Alarm settings (values and/or priorities);
- Communication protocols;
- Definition of contents of the data tables to be exchanged with ICSS for control and monitoring functions from HMI;
- Time synchronization principle;
- Definition of the interface Typicals which shall be used for the ICSS and PLC programming.
• Detailed IO list
To complete engineering documentation, a detailed IO list shall be provided by CONTRACTOR. Data for configuration including process unit, range, special treatment, and alarming shall be available on the list. Data shall be extracted from SI and exported to an Excel file.
ICSS VENDOR shall review the template of IO list as soon as available (even first revision) to make sure that the content and level of detail is correctly understood by ICSS VENDOR.
25.2. Assembly And Configuration
25.2.1 Assembly
The ICSS VENDOR shall be responsible for:
• Preparation of ICSS cabinets and integration of racks and equipment, including installation of supports, cables trays, terminals, connectors, and the like;
• Preparation of the Control Rooms/IESs operator console and integration of all equipment including installation of supports, cable trays, connectors, labels, operator control stations (including large screens), ESD/FGS Console (for Control Rooms), ESD PBs for IESs;
• Laying of cables within panels and control desks including fastening, cutting to length, ends preparation and fitting, identification and connection, glanding work, termination work, ferrule work;
• Preparation and testing of ICSS equipment located in same room of interconnecting cables, including cutting to length with sufficient over-length, cables identification, ends preparation, and mounting of connectors.
25.2.2 IO Assignment
Based on the hardwired IO list, the field junction boxes signals allocation, the package wiring diagram interface, segregation rules and spare rules defined in this specification and in RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design, the following shall be done by the ICSS VENDOR and validated by CONTRACTOR:
• Assignment of IO to the field terminal boards and cards;
• Design of the cabling system between system panels, consoles, servers, ICSS networks.
25.2.3 Configuration and Programming
The ICSS VENDOR shall perform:
• The complete configuration of IO database, programming of control loops, logics, sequences, cause and effect matrix, etc.;
• The software development and configuration related to communication system interfaces;
• The updating, if necessary, of the standard functions and generic programs developed during the detailed engineering phase;
• The programming / configuration of DCS, SIS, FGS functions as they are specified in the detailed narratives and safety related documents (Cause and effect diagrams), and standard functions library;
• Testing and correction of any faults till satisfactory running of the application programs;
• Provide full documentation.
25.2.4 Graphic Display Development
CONTRACTOR shall provide to the ICSS VENDOR mark-ups of PFDs, P&IDs and/or sketches or layout mark-ups.
Displays related to systems status, communication status, network load monitoring, and security, shall be defined by the ICSS VENDOR and validated by CONTRACTOR.
Displays related to systems by-pass as maintenance and operation by-pass shall be defined by the ICSS VENDOR and validated by CONTRACTOR and/or COMPANY.
Once configured in the system, the ICSS VENDOR shall provide the necessary media to obtain approval from CONTRACTOR.
25.3 Testing for Hardware and Software
Refer to Section 16.’
3.0 AMENDMENTS TO ADNOC GENERAL ENGINEERING SPECIFICATION AGES-SP-04-004
Instructions contained below such as “Add”, “Substitute”, “Revised”, or “New” shall be interpreted as follows:
- Add: Requirements shall be a continuation of the paragraph in the referenced specification.
- Substitute: The requirement of the referenced specification shall be replaced in its entirety by the requirements below.
- Revised: The requirement of the referenced specification shall be revised by the specific wording below.
- New: A new requirement as described below.
GENERAL
- PURPOSE – Add to paragraph:
‘To ensure alignment with the terminology used for the Reference Project, the term Safety Instrumented System (SIS) shall be used for the Project.
When reading this specification, Process Control System (PCS) shall be read as Distributed Control System (DCS).’
- DEFINED TERMS / ABBREVIATIONS / REFERENCES – Add below definitions:
DCS | Distributed Control System
FGS | Fire & Gas System
SECTION A
- NORMATIVE REFERENCES
4.2 ADNOC Specifications
The following AGES references are substituted with Project documents as detailed below:
AGES Reference | Project Document No. | Project Document Title
AGES-SP-04-001 | RLNG-000-IC-SP-0101 (This document) | Specification for Integrated Control & Safety System
AGES-SP-04-003 | RLNG-000-IC-SP-0101 (This document) | Specification for Integrated Control & Safety System
- DESIGN CONSIDERATIONS /MINIMUM DESIGN REQUIREMENTS
9.3 Electric Utility Data
Substitute the second paragraph with below:
‘The Electrical power supply details are as follows:
(a) Nominal voltage 240V AC, UPS and non-UPS
(b) Single Phase, 50 Hz, earthed
(c) Steady state Voltage variation ± 5% nominal voltage
(d) Steady state Frequency variation ± 2 %’
9.7 Engineering Units – Substitute entire paragraph for below:
‘Units of Measure shall be as defined in RLNG-000-PM-BOD-2002, Project design basis’.
SECTION B
- TECHNICAL REQUIREMENTS
Add paragraph below:
‘SIS requirements shall refer also to RLNG-111-IC-SP-1151 Safety Requirement Specification.’
10.1 General Design
10.1.1 System Architecture – Substitute first paragraph with below:
‘The Process facilities will be controlled from the CCR utilising an Integrated Control and Safety System (ICSS) architecture. This approach consists of a Distributed Control System (DCS), a Safety Instrumented System (SIS) and a Fire & Gas System (FGS), with the DCS serving as the prime control and command system.’
10.1.3 Redundancy
Add after the first paragraph:
‘For Universal I/O, I/O Modules provide the communication interface between I/O channels and the controllers. The SIS I/O Modules shall be redundant.’
10.1.5 Functional Requirements
Add to second and third paragraph: ‘ESD System I/O modules shall be segregated by process and risk areas to increase system and process availability. In general, one I/O card shall not contain the I/O of more than one process unit. Process unit I/O split unit wise is not required for Non-Fail safe output cards driving alarm lamps. Cards belonging to one logic group shall be located together and spare points shall be left within the I/O group for expansion. Distribution of I/O shall also be governed by Unit segregation, identification as Independent Protective Layer for a specific Safety Instrumented Function and avoidance of common mode failures.
Wherever voted logic (for example 1oo2, 2oo3, etc.) is required for multiple devices, each device shall be allocated to separate I/O cards. Critical duty and stand-by equipment such as boilers, turbines, compressors and pumps that are spared shall be segregated into separate I/O cards.’
With below addition:
‘Taking into consideration the capacity of controllers and the redundancy of all CPUs and networks, the additional guidelines below for the distribution of I/Os shall be considered:
Definition
Type C package is excluded from the additional guidelines, assuming that packages are connected to different PLCs but can be connected to the same ICSS controller (Logic/sequence are managed in PLCs).
With the assumption that universal I/Os will be used, an I/O module is defined as the card that connects a number of universal I/Os to the controller. All the I/O modules shall be considered redundant.
Equipment/Unit is identified as critical when a failure leads immediately or within a short time to a high level shutdown (train shutdown).
Equipment/Unit is identified as non-critical when a failure doesn’t lead to a train shutdown (or leads to it only after a delay in which the operator has time to react and prevent it).
Critical and Non-Critical Equipment
All critical units/equipment will be merged in the same controller. In case of loss of the controller, the train will be tripped. Merging will also be applied for all the dependent units (example: Units 111 & 112 for the train).
All units/equipment merged in the same controller will be subject to COMPANY approval.
• Special case of Parallel Process/Utility Equipment
Redundant equipment is defined as part of a set of identical equipment working with backup logic (2*100%). If one of these equipment items fails, another one replaces the failed one.
Parallel equipment (2*50%) is defined as part of a set of identical equipment working together in operation (without backup).
a/ Non critical equipment
I/Os associated with parallel or redundant equipment shall be connected to different I/O modules.
b/ Critical equipment
For redundant equipment, a segregated controller for each equipment shall be implemented.
For parallel equipment, a segregated controller for each equipment should be implemented only if, when one equipment has failed, it is possible to operate in degraded mode for a significant time (the maintenance time for the failed one).
Duty Standby pumps
Duty/standby pumps will use common controllers (with COMPANY approval).
Peer-to-peer signals should be minimized, as interface logic between controllers makes the design more complex, with more risk of mistakes, reaction delays, etc.
I/Os from duty/standby pumps shall be segregated by I/O module and, if only one I/O module is available, in different I/O baseplates (generally split by 16 I/Os).
Segregation of voted signals
2oo3 voted signals shall be segregated on 3 different I/O modules in the same controller (with COMPANY approval).’
Substitute last paragraph with below:
‘The SIS logic solver shall be designed such that once it has placed the process in a safe shutdown state, the outputs shall be latched to fail safe state. They shall be restored to energised state only after process healthy condition is restored followed by software interlock reset command by operator. Note that ESDVs will require manual reset of the SOV at the valve.’
10.3 ESD Hardware
10.3.2 I/O General
Add to the second paragraph ‘For the Universal I/O, the I/O module shall be redundant, of fail safe design and SIL3 certified as per IEC 61508. I/O Modules provide the communication interface between I/O channels and the controllers.’
Add to the third paragraph ‘SIL 3 relays shall be proposed if used.’
Add to the sixth paragraph ‘Number of I/O channels per I/O card shall be limited to 32 nos for conventional I/O. For the Universal I/O, it can have up to 96 nos I/O channels per I/O Module.’
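As an added illustration (not part of this specification or of any vendor tool), the I/O segregation rules of section 10.1.5 and the channel limits of section 10.3.2 can be checked mechanically against an I/O allocation list. The `Signal` fields, rule names, tags and module ids below are assumptions made for the example, and the alarm-lamp exemption is applied per signal as a simplification.

```python
from collections import defaultdict
from dataclasses import dataclass

# Channel limits per I/O card/module as stated in section 10.3.2.
MAX_CHANNELS = {"conventional": 32, "universal": 96}


@dataclass(frozen=True)
class Signal:
    tag: str
    controller: str
    module: str                # I/O module (card) id, unique within a controller
    unit: str                  # process unit the signal belongs to
    vote_group: str = ""       # shared id for signals voted together (e.g. 2oo3)
    pump_set: str = ""         # shared id for a duty/standby pump set
    equipment: str = ""        # which pump of the set the signal belongs to
    lamp_output: bool = False  # non-fail-safe DO driving an alarm lamp


def check_allocation(signals, module_types):
    """Return a sorted list of (rule, subject) findings for an I/O allocation."""
    findings = set()
    by_module, by_vote, by_pump = defaultdict(list), defaultdict(list), defaultdict(list)
    for s in signals:
        by_module[(s.controller, s.module)].append(s)
        if s.vote_group:
            by_vote[s.vote_group].append(s)
        if s.pump_set:
            by_pump[s.pump_set].append(s)

    for (ctrl, mod), sigs in by_module.items():
        name = f"{ctrl}/{mod}"
        # Channel count must not exceed the limit for the module type.
        if len(sigs) > MAX_CHANNELS[module_types[(ctrl, mod)]]:
            findings.add(("CHANNEL_LIMIT", name))
        # One card shall not carry more than one process unit; lamp outputs
        # are left out of the count (the exemption stated in 10.1.5).
        if len({s.unit for s in sigs if not s.lamp_output}) > 1:
            findings.add(("UNIT_MIX", name))

    for group, sigs in by_vote.items():
        # Voted signals stay in one controller but on separate I/O modules.
        if len({s.controller for s in sigs}) > 1:
            findings.add(("VOTE_CONTROLLER", group))
        if len({(s.controller, s.module) for s in sigs}) < len(sigs):
            findings.add(("VOTE_MODULE", group))

    for pset, sigs in by_pump.items():
        # Duty and standby pumps may share a controller, not an I/O module.
        pumps_on_module = defaultdict(set)
        for s in sigs:
            pumps_on_module[(s.controller, s.module)].add(s.equipment)
        if any(len(pumps) > 1 for pumps in pumps_on_module.values()):
            findings.add(("PUMP_MODULE", pset))

    return sorted(findings)


def sample_allocation():
    """Constructed allocation; tags, units and module ids are illustrative."""
    S = Signal
    signals = [
        # 2oo3 group with two transmitters on the same module -> VOTE_MODULE
        S("PT-1101A", "SIS-C1", "M01", "111", vote_group="PT-1101"),
        S("PT-1101B", "SIS-C1", "M02", "111", vote_group="PT-1101"),
        S("PT-1101C", "SIS-C1", "M02", "111", vote_group="PT-1101"),
        # Correctly segregated 2oo3 group
        S("LT-1203A", "SIS-C1", "M03", "112", vote_group="LT-1203"),
        S("LT-1203B", "SIS-C1", "M04", "112", vote_group="LT-1203"),
        S("LT-1203C", "SIS-C1", "M05", "112", vote_group="LT-1203"),
        # Duty/standby pumps sharing one module -> PUMP_MODULE
        S("XS-2001A", "SIS-C2", "M06", "131", pump_set="P-2001", equipment="P-2001A"),
        S("XS-2001B", "SIS-C2", "M06", "131", pump_set="P-2001", equipment="P-2001B"),
        # Two process units on one card -> UNIT_MIX
        S("PSHH-1310", "SIS-C2", "M07", "131"),
        S("PSHH-1410", "SIS-C2", "M07", "141"),
        # Alarm-lamp outputs of two units on one card: exempt
        S("XL-1311", "SIS-C2", "M08", "131", lamp_output=True),
        S("XL-1411", "SIS-C2", "M08", "141", lamp_output=True),
    ]
    # 33 inputs on a conventional card -> CHANNEL_LIMIT
    signals += [S(f"ZS-15{i:02d}", "SIS-C3", "M09", "151") for i in range(33)]
    module_types = {(s.controller, s.module): "universal" for s in signals}
    module_types[("SIS-C3", "M09")] = "conventional"
    return signals, module_types


if __name__ == "__main__":
    for rule, subject in check_allocation(*sample_allocation()):
        print(f"{rule:16} {subject}")
```
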
Add after the tenth paragraph: ‘ICSS Vendor shall provide DI line monitoring for SIS signals which are not fail safe such as DI statuses (e.g. limit switches). Refer to below general guidelines:
Signal type | Line monitoring (SIS/FGS)
DO SIS trip | No (If fail safe)
DO lamps | No (test lamps in matrix panel)
DO trip not fail safe (Ex: FGS) | Yes
DI status (Ex: limit switches) | Yes
ESD pushbutton | No (Fail safe)
ESD Selector Switch (MOS) | Yes (not fail safe)
Trip order (Ex: from package) | No (If fail safe)
MAC (FGS) | Yes (not fail safe)
FGS pushbutton | Yes (not fail safe)
FGS Selector Switch (MOS) | Yes (not fail safe)
’
10.5 Surge Protection
Add after the last paragraph:
‘ICSS VENDOR shall design the protection system against lightning, and state all requirements that must be followed in order to ensure maximum effectiveness of the lightning protection system. Further details will be provided by EPC CONTRACTOR with the Lightning study. The ICSS VENDOR shall present a typical for each type of I/O, in particular analog inputs/outputs, that includes SPDs. Also, the ICSS VENDOR shall detail the maximum galvanic isolation that the input/output characterizer module can withstand.
ICSS Vendor shall consider surge protection for 10% of SIS IOs as OPTIONAL.’
10.6.3 Engineering Workstation
Delete the eighth paragraph ‘Additionally, for process plants with multiple ESD systems located at various Instrument Equipment Rooms, it shall be possible to connect PC-laptop based EWS at each ESD location, for purposes of monitoring or programming. The VENDOR is responsible for providing all necessary hardware, communication ports and internal cabinet wiring to support this EWS connectivity requirement at each ESD system location.’
Add after last paragraph:
‘The EWS/OWS shall be able to access the controllers data directly.
Refer to AGES-SP-04-001 Section 11.6.3 for the SIS EWS screen requirement and where it shall be installed and other EWS requirements applicable for SIS EWS.’
10.8 Human Machine Interface
Add below paragraph:
‘Refer to RLNG-000-IC-SP-0005 Specification for HMI Graphics for further details of HMI requirements.’
10.8.2 ESD Console
Revised the first paragraph: ‘ESD Console shall be provided in CCR to install Push Buttons (Shutdown, De-pressurisation, Reset), key Switches for Input Overrides (MOS), and Visual and Audible Annunciator for critical alarms.’
with:
‘ESD Console shall be provided in CCR, JCR, IESs to install Push Buttons (Shutdown, De-pressurisation, Reset), key Switches for Input Overrides (MOS), and Visual and Audible Annunciator for critical alarms.’
Add after the last paragraph: ‘Refer to RLNG-000-IC-SP-0005 Specification for HMI Graphics and RLNG-000-IC-DWG-0101 Overall Control & Safety System Architectural Diagram where the ESD Console shall be installed.’
10.10 Alarm Management
Substitute the last paragraph ‘Refer to ADNOC Group Company AMS specification for further details.’
with:
‘Refer to RLNG-000-IC-SP-0102 Specification for Alarm Management System for further details and RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design.’
10.12 Cabinets
10.12.1 Construction
Revised the third paragraph ‘Unless otherwise specified in Purchase order, the dimensions of the cabinets shall be 2000 mm (H) (excluding plinth) x 800mm (W) x 800 mm (D) (front access). If cabinets are permanently bolted to form sections, the length of these sections shall not exceed 2400 mm.’
with:
‘Unless otherwise specified in Purchase order, the dimensions of the cabinets shall be 2000 mm (H) (excluding plinth) x 800mm (W) x 800 mm (D) (front and rear access). If cabinets are permanently bolted to form sections, the length of these sections shall not exceed 2400 mm. Cabinets shall be double doors opening. Refer to Instrument Rooms Layouts.’
Substitute paragraph seven with below:
“Cabinet shall be vertically ventilated (bottom to top) and a hole shall be provided at the top of the cabinet to connect the sampling tube from the High Sensitivity Smoke Detection (HSSD) System. Tube connection hole size will be defined by CONTRACTOR during detailed design stage”
Add after the last paragraph:
‘Cabinets shall be tagged as per the document Instrumentation & Control System Numbering Procedure Doc.No. RLNG-000-IC-PP-0001.
Cabinets requirements shall also refer to RLNG-000-IC-SP-0701 Specification for Instrument Installation & Design.’
10.12.2 Wiring
Revised the ninth paragraph: ‘All internal and external wiring shall be connected to terminals. Splices are not permitted in wiring. Terminal blocks shall be Push-in Spring type (cage clamp type) and non-hygroscopic type. Terminals shall be tinned and clearly identified. The size of the terminal blocks shall be consistent with the wire size. Segregation of IS and Non-IS marshalling is required. Terminal colour for Non-IS wiring shall be Grey and Intrinsic Safe wiring shall be Blue. Terminals utilized for voltages higher than 48 volts shall be protected against accidental contact with removable cover plates which carry high voltage warning labels. Terminal blocks shall be labelled and numbered.’
With:
‘All internal and external wiring shall be connected to terminals. Splices are not permitted in wiring. Terminal blocks shall be Push-in Spring type (cage clamp type) and non-hygroscopic type. Terminals shall be tinned and clearly identified. The size of the terminal blocks shall be consistent with the wire size. Segregation of IS and Non-IS signals is required as per IEC 60079. Terminal colour for Non-IS wiring shall be Grey and Intrinsic Safe wiring shall be Blue. Terminals utilized for voltages higher than 48 volts shall be protected against accidental contact with removable cover plates which carry high voltage warning labels. Terminal blocks shall be labelled and numbered.’
Added after the last paragraph:
‘Refer to AGES-SP-04-001 section 11.6.10 Wiring for other wiring requirement applicable for SIS.’
10.12.3 Power Supply
Add after third paragraph:
‘The system shall withstand a 20 msec power outage without interrupting system operation.’
10.13 Partial Stroke Test
Substitute the last paragraph ‘Refer to project function specification for Shutdown Valves for further PST implementation requirements.’
with:
‘Refer to RLNG-000-IC-SP-0431 Specification for On/Off valves for further PST implementation requirements.’
10.14 Cyber Security
Add after the last paragraph:
‘The cyber security requirements shall also refer to Cybersecurity Requirements for Vendors Doc.No. RLNG-000-PM-SP-0001 and ADNOC Group projects and engineering OT Cyber Security Specification AGES-SP-04-013.’
10.15 Spare Capacity/Expandability
10.15.3 Communication Interfaces
Revised the first paragraph ‘Communication interfaces shall not be loaded more than 50% at maximum loading after plant start-up.’ With:
‘Communication interfaces shall not be loaded more than 60% at maximum loading after plant start-up.’
SECTION C
- QUALITY CONTROL AND ASSURANCE
Add after last paragraph:
‘Refer to AGES-SP-04-001 Section 14. Quality Control and Assurance wherever applicable for SIS.’
- INSPECTION & TESTING REQUIREMENTS
Add below paragraph:
‘Inspection & Testing requirements shall refer also to Philosophy for Automation & Instrumentation Design Doc.No. RLNG-000-IC-PP-0002 and to AGES-SP-04-001 Section 16. Inspection & Testing Requirements wherever applicable.’
15.3 Pre-Factory Acceptance Test
Substitute the second paragraph ‘The system equipment will be inspected by CONTRACTOR representative at the Pre-Factory Acceptance Test for satisfactory quality and workmanship. In addition, COMPANY or CONTRACTOR shall have the right to inspect the work in progress at any stage.’
With:
‘The system equipment may be inspected by CONTRACTOR representative at the Pre-Factory Acceptance Test for satisfactory quality and workmanship. In addition, COMPANY or CONTRACTOR shall have the right to inspect the work in progress at any stage.’
Add to the last paragraph: ‘Pre-FAT is part of the mandatory VENDOR internal test.’
- COMMISSIONING
19.1 Installation
Add to the first paragraph ‘VENDOR shall provide supervision assistance for Installation and Commissioning of ESD System at site. Installation will be carried out by the CONTRACTOR with supervision assistance from the VENDOR. Assistance for installation, power up, all SAT and SAT-related activities, and clearance of ‘fault logs’ shall be part of ICSS vendor scope. The VENDOR shall notify the CONTRACTOR of any special tools required for installation and supply these, if necessary, to the CONTRACTOR.’
- DOCUMENTATION
Add to the first paragraph ‘The list of documents to be issued by ICSS VENDOR shall be compliant with CONTRACTOR requirements given in MR for Integrated Control and Safety System (DCS, SIS, FGS, OTS) Doc.No. RLNG-000-IC-R-0101.’
- PROJECT ADMINISTRATION
Add before the first paragraph:
‘Project administration requirements shall also refer to AGES-SP-04-001 Section 24 Project Administration wherever applicable for SIS.
Project Execution shall refer to AGES-SP-04-001 Section 25 ICSS Execution Plan wherever applicable for SIS.’
23.4 Coordination Meetings
Add to the last paragraph ‘Meetings can be held remotely, but the KOM and pre-inspection meetings shall be held face to face. KOM shall be held at the VENDOR or CONTRACTOR offices/premises; pre-inspection meeting shall be held at the VENDOR premises.’
SECTION E
APPENDIX 1 ESD SYSTEM REQUIREMENTS FOR SPECIAL MECHANICAL PACKAGES
- HIGH INTEGRITY PRESSURE PROTECTION (HIPPS) – Substitute entire section for below:
Section not applicable to the scope of the Project.
- BURNER MANAGEMENT SYSTEM (BMS) – Substitute entire section for below:
Section not applicable to the scope of the Project.
- HYDRAULIC SAFETY SHUTDOWN SYSTEM (HSSS) – Substitute entire section for below:
Section not applicable to the scope of the Project.
4.0 AMENDMENTS TO ADNOC GENERAL ENGINEERING SPECIFICATION AGES-SP-04-003
Instructions contained below such as “Add”, “Substitute”, “Revised”, or “New” shall be interpreted as follows:
- Add: Requirements shall be a continuation of the paragraph in the referenced specification.
- Substitute: The requirement of the referenced specification shall be replaced in its entirety by the requirements below.
- Revised: The requirement of the referenced specification shall be revised by the specific wording below.
- New: A new requirement as described below.
GENERAL
- PURPOSE – Add to paragraph:
‘When reading this specification, Process Control System (PCS) shall be read as Distributed Control System (DCS).
ESD System shall be read as Safety Instrumented System (SIS).
This is to align with the terminology used on the Reference Project.’
- DEFINED TERMS / ABBREVIATIONS / REFERENCES – Add below definitions:
DCS: Distributed Control System
FGS: Fire & Gas System
- DESIGN CONSIDERATIONS /MINIMUM DESIGN REQUIREMENTS
9.7 Engineering Units – Substitute entire paragraph for below:
‘Units of Measure shall be as defined in RLNG-000-PM-BOD-2002, Project design basis’.
SECTION A
- NORMATIVE REFERENCES
4.2 ADNOC Specifications
The following AGES references are substituted with Project documents as detailed below:

| AGES Reference | Project Document No. | Project Document Title |
|---|---|---|
| AGES-SP-04-001 | RLNG-000-IC-SP-0101 (This document) | Specification for Integrated Control & Safety System |
| AGES-SP-04-004 | RLNG-000-IC-SP-0101 (This document) | Specification for Integrated Control & Safety System |
| AGES-PH-03-002 | RLNG-000-HS-PP-0201 | Fire & Gas Detection Philosophy |
Add the below Project Specification reference:
RLNG-000-IC-SP-0661 Specification for F&G Detectors
9 DESIGN CONSIDERATIONS /MINIMUM DESIGN REQUIREMENTS
9.3 Electric Utility Data
Substitute the second paragraph with below:
‘The Electrical power supply details are as follows:
(a) Nominal voltage 240V AC, UPS and non-UPS
(b) Single Phase, 50 Hz, earthed
(c) Steady state Voltage variation ± 5% nominal voltage
(d) Steady state Frequency variation ± 2 %’
SECTION B
- FGS TECHNICAL REQUIREMENTS
10.1.1 System Architecture – Substitute first paragraph with below:
‘The Process facilities will be controlled from the CCR utilising an Integrated Control and Safety System (ICSS) architecture. This approach consists of a Distributed Control System (DCS), a Safety Instrumented System (SIS) and a Fire & Gas System (FGS), with the DCS serving as the prime control and command system.’
Revise paragraph five as below:
‘SIS and FGS shall be functionally independent with separate, dedicated controllers, I/O and marshalling including System and Marshalling cabinets, Servers and Workstations. ICSS VENDOR can propose combined SIS/FGS Engineering Workstation (EWS).’
10.1.3 Redundancy
Add after the first paragraph:
‘For Universal I/O, I/O Modules provide the communication interface between I/O channels and the controllers. The FGS I/O Modules shall be redundant.’
10.1.5 Functional Requirements
Add to the second paragraph: ‘FGS System I/O modules shall be segregated by process areas and fire zone to increase system and process availability. In general, one I/O card shall not contain the I/O of more than one process unit. Process unit I/O split unit wise is not required for Non-Fail-safe output cards driving alarm lamps. Cards belonging to one logic group shall be located together and spare points shall be left within the I/O group for expansion. Distribution of I/O shall be governed by Unit segregation and to avoid common mode failure.’
With below addition:
‘Taking into consideration the capacity of controllers and the redundancy of all CPUs and networks, the additional guidelines below for the distribution of I/Os shall be considered:
Definition
Type C package is excluded from the additional guidelines, assuming that packages are connected to different PLCs but can be connected to the same ICSS controller (logic/sequences are managed in PLCs).
With the assumption that universal I/Os will be used, an I/O module is defined as the card that connects a number of universal I/Os to the controller. All the I/O modules shall be considered redundant.
An Equipment/Unit is identified as critical when a failure leads immediately, or within a short time, to a high level shutdown (train shutdown).
An Equipment/Unit is identified as non-critical when a failure does not lead to a train shutdown (or leads to one only after a delay in which the operator has time to react and prevent it).
Critical and Non-Critical Equipment
All critical units/equipment will be merged in the same controller. If the controller is lost, the train will be tripped. Merging will also be applied for all the dependent units (for example, Units 111 & 112 for the train).
All units/equipment merged in the same controller will be subject to COMPANY approval.
Special case of Parallel Process/Utility Equipment
Redundant equipment is defined as identical equipment items that work with backup logic (2*100%). If one item fails, another one replaces the failed one.
Parallel equipment (2*50%) is defined as identical equipment items that work together in operation (without backup).
a/ Non critical equipment
I/Os associated with parallel or redundant equipment shall be connected to different I/O modules.
b/ Critical equipment
For redundant equipment, a segregated controller for each equipment shall be implemented.
For parallel equipment, a segregated controller for each equipment should be implemented only if, when one equipment has failed, it is possible to operate in degraded mode for a significant time (the maintenance time for the failed one).
Duty Standby pumps
Duty/standby pumps will use common controllers (with COMPANY approval).
Peer to peer signals should be minimized, as interface logic between controllers makes the design more complex, with more risk of mistakes, reaction delays, etc.
I/Os from duty/standby pumps shall be segregated by I/O module and, if only one I/O module is available, in different I/O baseplates (generally split by 16 I/Os).
Segregation of voted signals
FGS is not designed/split by process unit but by fire zone (with COMPANY approval). Segregation of I/O modules by fire zone will be applied instead of by process unit.
In addition, the following segregation rules will be applied:
- FGS voted inputs (2ooN where N>3) should be connected to different baseplates within the same controller as much as practicable.
- 2oo3 voted signals shall be segregated on 3 different I/O modules in the same controller.
- Where the number of FGS voted inputs exceeds six, the inputs should be distributed evenly across the same baseplates.’
Delete the third paragraph ‘Wherever voted multiple I/O is required, each device shall be allocated to a separate I/O module.’
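The voted-signal and fire-zone segregation rules of 10.1.5 can be checked mechanically against an I/O allocation list. The following is an added example, not part of the specification or of any ICSS vendor tool; the tags, fire zones, module names and the reading of "distributed evenly" (per-baseplate counts differing by at most one) are assumptions.

```python
"""Added example: check an FGS I/O allocation against the 10.1.5 segregation rules."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    tag: str              # instrument tag (constructed)
    fire_zone: str        # fire zone the signal belongs to
    controller: str
    baseplate: str
    io_module: str        # module id, unique within its baseplate
    vote_group: str = ""  # empty when the signal is not voted


def check_allocation(channels):
    """Return a set of (severity, rule, subject) findings.

    "shall" clauses are reported as ERROR, "should" clauses as WARN.
    """
    findings = set()

    # I/O modules are segregated by fire zone: one module, one zone.
    zones = defaultdict(set)
    for ch in channels:
        zones[(ch.controller, ch.baseplate, ch.io_module)].add(ch.fire_zone)
    for module, seen in zones.items():
        if len(seen) > 1:
            findings.add(("ERROR", "FIRE_ZONE_MIX", "/".join(module)))

    groups = defaultdict(list)
    for ch in channels:
        if ch.vote_group:
            groups[ch.vote_group].append(ch)

    for name, members in groups.items():
        n = len(members)
        if n < 3:
            continue  # the rules only address 2oo3 and 2ooN with N > 3
        severity = "ERROR" if n == 3 else "WARN"
        # Every rule places a voted group "in the same controller".
        if len({m.controller for m in members}) != 1:
            findings.add((severity, "VOTE_GROUP_SPLIT_ACROSS_CONTROLLERS", name))
            continue
        per_baseplate = Counter(m.baseplate for m in members)
        if n == 3:
            # 2oo3: three different I/O modules.
            modules = {(m.baseplate, m.io_module) for m in members}
            if len(modules) < 3:
                findings.add(("ERROR", "2OO3_SHARED_IO_MODULE", name))
        elif n <= 6:
            # 2ooN, 3 < N <= 6: different baseplates as far as practicable.
            if max(per_baseplate.values()) > 1:
                findings.add(("WARN", "2OON_SHARED_BASEPLATE", name))
        else:
            # More than six inputs: even spread (assumed: counts differ by <= 1).
            if max(per_baseplate.values()) - min(per_baseplate.values()) > 1:
                findings.add(("WARN", "2OON_UNEVEN_DISTRIBUTION", name))
    return findings


def voted(prefix, zone, group, placements, controller="FGS-C1"):
    """Build the channels of one voted group from (baseplate, module) pairs."""
    return [Channel(f"{prefix}-{i:02d}", zone, controller, bp, mod, group)
            for i, (bp, mod) in enumerate(placements, 1)]


# Constructed allocation: one compliant group and four deliberate violations.
SAMPLE = (
    voted("GD-101", "FZ01", "FZ01-GAS", [("BP1", "M1"), ("BP1", "M2"), ("BP1", "M3")])
    + voted("FD-201", "FZ02", "FZ02-FLAME", [("BP2", "M1"), ("BP2", "M1"), ("BP2", "M2")])
    + voted("GD-301", "FZ03", "FZ03-GAS",
            [("BP3", "M1"), ("BP3", "M2"), ("BP4", "M1"), ("BP5", "M1")])
    + voted("GD-401", "FZ04", "FZ04-GAS", [("BP6", "M1")] * 5 + [("BP7", "M1")] * 3)
    + [Channel("MAC-101", "FZ01", "FGS-C1", "BP2", "M2")]  # wrong-zone module
)

if __name__ == "__main__":
    for severity, rule, subject in sorted(check_allocation(SAMPLE)):
        print(f"{severity:5} {rule:38} {subject}")
```

Run against the exported I/O assignment list before FAT, the ERROR findings are candidates for rework and the WARN findings are items to raise for COMPANY approval.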
10.3 FGS Hardware
10.3.2 I/O General
Revised the second paragraph ‘All input and output cards used in FGS logic shall be redundant, fail safe design and SIL3 certified as per IEC 61508. All output cards which are driving noncritical alarm lamps should be approved for non-interaction and are not SIL rated. Redundant I/O cards shall be used for all inputs and outputs except for maintenance override inputs and annunciators / lamps outputs. For I/O cards installed in I/O racks, single I/O cards with empty hot spare slots are to be used for maintenance override and outputs to annunciators/lamps.’ with:
‘All input and output cards used in FGS logic shall be redundant and SIL3 certified as per IEC 61508. All output cards which are driving noncritical alarm lamps should be approved for non-interaction and are not SIL rated. Redundant I/O cards shall be used for all inputs and outputs except for maintenance override inputs and annunciators / lamps outputs. For I/O cards installed in I/O racks, single I/O cards with empty hot spare slots are to be used for maintenance override and outputs to annunciators/lamps.’
Add to the second paragraph: ‘For Universal I/O, I/O modules used in FGS logic shall be redundant and SIL3 certified as per IEC 61508. I/O Modules provide the communication interface between I/O channels and the controllers.’
Add to the third paragraph ‘SIL 3 relays shall be proposed if used.’
Add to the sixth paragraph ‘Number of I/O channels per I/O card shall be limited to 32 nos for conventional I/O. For the Universal I/O, it can have up to 96 nos I/O channels per I/O card (I/O Modules).’
Add after the tenth paragraph: ‘ICSS Vendor shall provide DI/DO line monitoring for FGS signals which are not fail safe. Refer to below general guidelines:

| Signal type | Line monitoring (SIS/FGS) |
|---|---|
| DO SIS trip | No (If fail safe) |
| DO lamps | No (test lamps in matrix panel) |
| DO trip not fail safe (Ex: FGS) | Yes |
| DI status (Ex: limit switches) | Yes |
| ESD pushbutton | No (Fail safe) |
| ESD Selector Switch (MOS) | Yes (not fail safe) |
| Trip order (Ex from package) | No (If fail safe) |
| MAC (FGS) | Yes (not fail safe) |
| FGS pushbutton | Yes (not fail safe) |
| FGS Selector Switch (MOS) | Yes (not fail safe) |
’
10.5 Surge Protection
Add after the last paragraph:
‘ICSS VENDOR shall design the protection system against lightning, and state all requirements that must be followed in order to ensure maximum effectiveness of the lightning protection system. Further details will be provided by EPC CONTRACTOR with the Lightning study. The ICSS VENDOR shall present a typical for each type of I/O, in particular analog inputs/outputs, that includes SPDs. Also, the ICSS VENDOR shall detail the maximum galvanic isolation that the input/output characterizer module can withstand.
ICSS Vendor shall consider surge protection for 10% of FGS IOs as OPTIONAL.’
10.6.3 Engineering Workstation
Delete the eighth paragraph ‘Additionally, for process plants with multiple FGS systems located at various Instrument Equipment Rooms, it shall be possible to connect PC-laptop based EWS at each FGS location, for purposes of monitoring or programming. The VENDOR is responsible for providing all necessary communication ports and internal cabinet wiring to support these requirements.’
Add after last paragraph:
‘The EWS/OWS shall be able to access the controllers data directly.
Refer to AGES-SP-04-001 Section 11.6.3 for the FGS EWS screen requirement and where it shall be installed and other EWS requirements applicable for FGS EWS.’
10.8 Human Machine Interface
Add below paragraph:
‘Refer to RLNG-000-IC-SP-0005 Specification for HMI Graphics for further details of HMI requirements.’
10.8.2 FGS Console
Revised first paragraph: ‘FGS Console shall be provided in CCR to install Push Buttons, key Switches for input Overrides, and Visual and Audible Annunciator of critical alarms.’
With
‘FGS Console shall be provided in CCR and JCR to install Push Buttons, key Switches for input Overrides, and Visual and Audible Annunciator of critical alarms.’
Add after the last paragraph: ‘Refer to RLNG-000-IC-SP-0005 Specification for HMI Graphics and RLNG-000-IC-DWG-0101 Overall Control & Safety System Architectural Diagram where the FGS Console shall be installed.’
10.10 Alarm Management
Substitute the last paragraph ‘Refer to ADNOC Group Company AMS specification for further details.’
with:
‘Refer to RLNG-000-IC-SP-0102 Specification for Alarm Management System for further details and RLNG-000-IC-PP-0002 Philosophy for Automation & Instrumentation Design.’
10.12 Cabinets
10.12.1 Construction
Revised the third paragraph ‘Unless otherwise specified in Purchase order, the dimensions of the cabinets shall be 2000 mm (H) (excluding plinth) x 800mm (W) x 800 mm (D) (front access). If cabinets are permanently bolted to form sections, the length of these sections shall not exceed 2400 mm.’
with:
‘Unless otherwise specified in Purchase order, the dimensions of the cabinets shall be 2000 mm (H) (excluding plinth) x 800mm (W) x 800 mm (D) (front and rear access). If cabinets are permanently bolted to form sections, the length of these sections shall not exceed 2400 mm. Cabinets shall be double doors opening. Refer to Instrument Rooms Layouts.’
Substitute paragraph seven with below:
“Cabinet shall be vertically ventilated (bottom to top) and a hole shall be provided at the top of the cabinet to connect the sampling tube from the High Sensitivity Smoke Detection (HSSD) System. Tube connection hole size will be defined by CONTRACTOR during detailed design stage.”
Add after the last paragraph:
‘Cabinets shall be tagged as per the document Instrumentation & Control System Numbering Procedure Doc.No. RLNG-000-IC-PP-0001.
Cabinets requirements shall also refer to RLNG-000-IC-SP-0701 Specification for Instrument Installation & Design.’
10.12.2 Wiring
Revised the ninth paragraph: ‘All internal and external wiring shall be connected to terminals. Splices are not permitted in wiring. Terminal blocks shall be Push-in Spring type (cage clamp type) and non-hygroscopic type. Terminals shall be tinned and clearly identified. The size of the terminal blocks shall be consistent with the wire size. Segregation of IS and Non-IS marshalling is required. Terminal colour for Non-IS wiring shall be Grey and Intrinsic Safe wiring shall be Blue. Terminals utilised for voltages higher than 48 volts shall be protected against accidental contact with removable cover plates which carry high voltage warning labels. Terminal blocks shall be labelled and numbered.’
With:
‘All internal and external wiring shall be connected to terminals. Splices are not permitted in wiring. Terminal blocks shall be Push-in Spring type (cage clamp type) and non-hygroscopic type. Terminals shall be tinned and clearly identified. The size of the terminal blocks shall be consistent with the wire size. Segregation of IS and Non-IS signals is required as per IEC 60079. Terminal colour for Non-IS wiring shall be Grey and Intrinsic Safe wiring shall be Blue. Terminals utilised for voltages higher than 48 volts shall be protected against accidental contact with removable cover plates which carry high voltage warning labels. Terminal blocks shall be labelled and numbered.’
Added after the last paragraph:
‘Refer to AGES-SP-04-001 section 11.6.10 Wiring for other wiring requirement applicable for FGS.’
10.13 Cyber Security
Add after the last paragraph:
‘The cyber security requirements shall also refer to Cybersecurity Requirements for Vendors Doc.No. RLNG-000-PM-SP-0001 and ADNOC Group projects and engineering OT Cyber Security Specification AGES-SP-04-013.’
10.14 Spare Capacity/Expandability
10.14.3 Communication Interfaces
Revised the first paragraph ‘Communication interfaces shall not be loaded more than 50% at maximum loading after plant start-up.’ With:
‘Communication interfaces shall not be loaded more than 60% at maximum loading after plant start-up.’
SECTION C
- QUALITY CONTROL AND ASSURANCE
Add after last paragraph:
‘Refer to AGES-SP-04-001 Section 14. Quality Control and Assurance wherever applicable for FGS.’
- INSPECTION & TESTING REQUIREMENTS
Add following paragraph ‘Inspection & Testing requirements shall refer also to Philosophy for Automation & Instrumentation Design Doc.No. RLNG-000-IC-PP-0002 and to AGES-SP-04-001 Section 16. Inspection & Testing Requirements wherever applicable.’
15.3 Pre-Factory Acceptance Test
Substitute the second paragraph ‘The system equipment will be inspected by CONTRACTOR representative at the Pre-Factory Acceptance Test for satisfactory quality and workmanship. In addition, COMPANY or CONTRACTOR shall have the right to inspect the work in progress at any stage.’
With:
‘The system equipment may be inspected by CONTRACTOR representative at the Pre-Factory Acceptance Test for satisfactory quality and workmanship. In addition, COMPANY or CONTRACTOR shall have the right to inspect the work in progress at any stage.’
Add to the last paragraph: ‘Pre-FAT is part of the mandatory VENDOR internal test.’
- COMMISSIONING
19.1 Installation
Add to the first paragraph ‘VENDOR shall provide supervision assistance for Installation and Commissioning of FGS System at site. Installation will be carried out by the CONTRACTOR with supervision assistance from the VENDOR. Assistance for installation, power up and all SAT and SAT related activities, clearance of ‘fault logs’ shall be part of ICSS vendor scope. The VENDOR shall notify the CONTRACTOR of any special tools required for installation and supply these, if necessary, to the CONTRACTOR.’
21 DOCUMENTATION
Add to the first paragraph ‘The list of documents to be issued by ICSS VENDOR shall be compliant with CONTRACTOR requirements given in MR for Integrated Control and Safety System (DCS, SIS, FGS, OTS) Doc.No. RLNG-000-IC-R-0101.’
- PROJECT ADMINISTRATION
Add before the first paragraph:
‘Project administration requirements shall also refer to AGES-SP-04-001 Section 24 Project Administration wherever applicable for FGS.
Project Execution shall refer to AGES-SP-04-001 Section 25 ICSS Execution Plan wherever applicable for FGS.’
23.4 Coordination Meetings
Add to the last paragraph ‘Meetings can be held remotely, but the KOM and pre-inspection meetings shall be held face to face. KOM shall be held at the VENDOR or CONTRACTOR offices/premises; pre-inspection meeting shall be held at the VENDOR premises.’
5.0 APPENDIX 1 (AGES-SP-04-001 – PROCESS CONTROL SYSTEM SPECIFICATION)
THE CONTENTS OF THIS DOCUMENT ARE PROPRIETARY AND CONFIDENTIAL.
ADNOC GROUP PROJECTS AND ENGINEERING
PROCESS CONTROL SYSTEM SPECIFICATION
Specification
APPROVED BY:
Abdulmunim Saif Al Kindy
NAME: Abdulmunim Al Kindy TITLE: Executive Director PT&CS EFFECTIVE DATE:
AGES-SP-04-001
GROUP PROJECTS & ENGINEERING / PT&CS DIRECTORATE
CUSTODIAN ADNOC
Group Projects & Engineering / PT&CS Specification applicable to ADNOC & ADNOC Group Companies
REVISION HISTORY
DATE
REV.
NO
1 June 2020
1
PREPARED BY (Designation / Initial) Asadullah Malik / Sr. Engineer, I&C, TE.
REVIEWED BY (Designation / Initial) Ashwani Kumar Kataria/ A/MES,TC- Eng
ENDORSED BY (Designation / Initial) Abdulla Al Shaiba/
ENDORSED BY (Designation / Initial) Zaher Salem/
VP-GPE
SVP-GPE
Reuben Yagambaram/ SPM-GPE
Group Projects & Engineering is the owner of this Specification and responsible for its custody, maintenance and periodic update.
In addition, Group Projects & Engineering is responsible for communication and distribution of any changes to this Specification and its version control.
This specification will be reviewed and updated in case of any changes affecting the activities described in this document.
Document No: AGES-SP-04-001
Rev. No: 1 Page 2 of 47
1. INTER-RELATIONSHIPS AND STAKEHOLDERS
a) The following are inter-relationships for implementation of this Specification:
i. ADNOC Upstream and ADNOC Downstream Directorates and
ii. ADNOC Onshore, ADNOC Offshore, ADNOC Sour Gas, ADNOC Gas Processing, ADNOC LNG, ADNOC Refining, ADNOC Fertilisers, Borouge, Al Dhafra Petroleum, Al Yasat
b) The following are stakeholders for the purpose of this Specification:
ADNOC PT&CS Directorate.
c) This Specification has been approved by the ADNOC PT&CS and is to be implemented by each ADNOC Group company included above, subject to and in accordance with their Delegation of Authority and other governance-related processes, in order to ensure compliance.
d) Each ADNOC Group company must establish/nominate a Technical Authority responsible for compliance with this Specification.
DEFINED TERMS / ABBREVIATIONS / REFERENCE
“ADNOC” means Abu Dhabi National Oil Company.
“ADNOC Group” means ADNOC together with each company in which ADNOC, directly or indirectly, controls fifty percent (50%) or more of the share capital.
“Approving Authority” means the decision-making body or employee with the required authority to approve Policies & Procedures or any changes to it.
“Business Line Directorates” or “BLD” means a directorate of ADNOC which is responsible for one or more Group Companies reporting to, or operating within the same line of business as, such directorate.
“Business Support Directorates and Functions” or “Non-BLD” means all the ADNOC functions and the remaining directorates, which are not ADNOC Business Line Directorates.
“CEO” means chief executive officer.
“Group Company” means any company within the ADNOC Group other than ADNOC.
“Specification” means this Process Control System Specification.
CONTROLLED INTRANET COPY
The intranet copy of this document located in the section under Group Policies on One ADNOC is the only controlled document. Copies or extracts of this document, which have been downloaded from the intranet, are uncontrolled copies and cannot be guaranteed to be the latest version.
TABLE OF CONTENTS
GENERAL
PURPOSE
SCOPE
DEFINED TERMS / ABBREVIATIONS / REFERENCES
SECTION A
NORMATIVE REFERENCES
INTERNATIONAL CODE(S) AND STANDARDS
COMPANY SPECIFICATIONS
REFERENCE DOCUMENTS
STANDARD DRAWINGS
GUIDELINES/RECOMMENDED PRACTICES
DOCUMENTS PRECEDENCE
SPECIFICATION DEVIATION/CONCESSION CONTROL
PROCESS SAFETY REQUIREMENTS
DESIGN CONSIDERATIONS / MINIMUM DESIGN REQUIREMENTS
OPERATION & DESIGN LIFE
ENVIRONMENTAL REQUIREMENTS
ELECTRIC UTILITY DATA
SEISMIC REQUIREMENTS
HAZARDOUS AREA PROTECTION
INGRESS PROTECTION
ENGINEERING UNITS
SECTION B
TECHNICAL REQUIREMENTS
GENERAL DESIGN
PROVEN TECHNOLOGY
STANDARDIZATION
ARCHITECTURE
FUNCTIONAL SPECIFICATION (FS) AND FUNCTIONAL DESIGN SPECIFICATION (FDS)
HARDWARE
SOFTWARE
MAINTAINABILITY
REPORTS
INSTRUMENT ASSET MANAGEMENT SYSTEM (IAMS)
CONTROLLERS
HMI
DESIGN DATA
ADDITIONAL SPECIFIC REQUIREMENTS
SECTION C
SCOPE OF SUPPLY
QUALITY CONTROL AND ASSURANCE
MATERIAL & CERTIFICATIONS
INSPECTION & TESTING REQUIREMENTS
GENERAL
SHOP INSPECTION
PRE-FACTORY ACCEPTANCE TEST
FACTORY ACCEPTANCE TEST
INTEGRATED FACTORY ACCEPTANCE TEST (IFAT)
SITE INSTALLATION TEST (SIT)
SITE ACCEPTANCE TEST (SAT)
CERTIFICATES OF ACCEPTANCE
SERVICES BY THE VENDOR
SUBCONTRACTORS/SUBVENDORS
SPARE PARTS
SPARE PARTS
SPAREAGE
PRESERVATION & SHIPMENT
PACKING AND SHIPPING
PRESERVATION AND STORAGE
COMMISSIONING
INSTALLATION
LIFE CYCLE / LONG TERM SUPPORT
MAINTENANCE
TRAINING
GENERAL
TRAINING COURSE DOCUMENTATION
MAINTENANCE TRAINING COURSE
SYSTEM ENGINEERING COURSE
DOCUMENTATION
GUARANTEES & WARRANTY
PROJECT ADMINISTRATION
PROJECT PERSONNEL
PROJECT SCHEDULE
PROGRESS REPORTING
COORDINATION MEETINGS
SECTION D
DATA SHEETS TEMPLATES (AS APPLICABLE)
STANDARD DRAWINGS (AS APPLICABLE)
SECTION E
APPENDIX
GENERAL
PURPOSE
The purpose of this specification is to supply a proprietary Process Control System (PCS), being part of the ICSS, which shall be a microprocessor-based control and data acquisition system, comprising multiple modules operating over a network. It defines the general requirements for all business units. The hardware and programming of all devices in the system shall be developed by the VENDOR using proprietary designs, which shall not be interconnected with other equipment without use of proven gateways.
This specification is intended to provide the minimum basic requirements and shall not relieve the VENDOR of his contractual obligations. Any deviation from this Specification shall be identified by VENDOR and shall require written approval from COMPANY.
The ICSS shall comprise a distributed system including PCS, ESD, F&G and BMS (if required).
SCOPE
The scope of this Standard covers the minimum requirements for the design, engineering, supply and commissioning of the Process Control System, which is part of ICSS. The scope of supply shall include, but is not limited to, the following equipment components and services.
DEFINED TERMS / ABBREVIATIONS / REFERENCES
Abbreviations
ADNOC: Abu Dhabi National Oil Company
AMS: Alarm Management System
BMS: Burner Management System
BSI: British Standards Institute
CCR: Central Control Room
CPU: Central Processing Unit
DMZ: Demilitarised Zone
DVT: Design Validation Test
EMI: Electromagnetic Interference
ESD: Emergency Shutdown System
EWS: Engineering Workstation
FAT: Factory Acceptance Test
F&G: Fire and Gas System
FDS: Functional Design Specification
FLD: Functional Logic Diagrams
FS: Functional Specification
GPS: Global Positioning System
HART: Highway Addressable Remote Transducer
HMI: Human Machine Interface
IAMS: Instrument Asset Management System
ICSS: Integrated Control & Safety System
IEC: International Electrotechnical Commission
IES: Instrument Equipment Shelter
IEEE: Institute of Electrical and Electronics Engineers
IFAT: Integrated Factory Acceptance Test
I/O: Input/Output
IP: Ingress Protection (rating)
IS: Intrinsically Safe
ISA: International Society of Automation
ISO: International Organisation for Standards
LAN: Local Area Network
LED: Light Emitting Diode
LSD: Large Screen Displays
MCB: Miniature Circuit Breaker
MTTR: Mean Time to Restore
NESA: New Standard of Information Security in the UAE
OWS: Operator Workstation
PAC: Plant Acceptance Certificate
PCS: Process Control System
OT: Operational Technology
OTS: Operational Technology Security
QMS: Quality Management System
RFI: Radio Frequency Interference
SAT: Site Acceptance Test
SER: Sequence of Events Recording
SIS: Safety Instrumented System
SNTP: Simple Network Time Protocol
SOE: Sequence Of Events
TCP/IP: Transmission Control Protocol / Internet Protocol
UPS: Uninterruptible Power Supply
VDRL: Vendor Data Requirement List
References
ADNOC Group Companies PCS documents part of PCS Purchase Order shall be referred for design and supply of equipment.
SECTION A
NORMATIVE REFERENCES
International Code(s) and Standards
The following codes and standards, to the extent specified herein, form a part of this specification. When an edition date is not indicated for a code or standard, the latest edition in force at the time of submission of VENDOR’S proposal shall apply.
INSTITUTE OF ELECTRICAL AND ELECTRONIC ENGINEERS (IEEE)
IEEE 802.3: Local Area Network (LAN) protocols
IEEE STD 829: Standard for Software and System Test Documentation IEEE Computer Society Document
IEEE STD 830: Recommended Practice for Software Requirements Specifications
INTERNATIONAL SOCIETY OF AUTOMATION (ISA)
ISA 71.04: Environmental Conditions for Process Measurement and Control Systems: Airborne Contaminants (2013)
BRITISH STANDARDS INSTITUTE (BSI)
BS 7671: Requirements for electrical installations
BS ISO 80000-1: Quantities and Units Part-1: General
INTERNATIONAL ELECTROTECHNICAL COMMISSION (IEC)
IEC 60079: Explosive Atmospheres
IEC 60364: Low Voltage Electrical Installations
IEC 60529: Degrees of Protection Provided by Enclosures (IP Code)
IEC 61000 Series: Electromagnetic Compatibility (EMC)
IEC 61131: Programmable Controllers
IEC 61326-1: Electrical equipment for measurement, control and laboratory use - EMC requirements Part 1: General requirements
IEC 61158: Digital data communications for measurement and control - Fieldbus specifications
IEC 61499: Function Blocks
IEC 61508: Functional safety of electrical, electronic and programmable electronic safety related systems
IEC 61511: Functional safety - safety instrumentation systems for the process industry sector
IEC 61643: Low-voltage surge protection devices
IEC 62443: Industrial communication networks - Network and system security
IEC 62591: Industrial communication networks - Wireless communication network and communication profiles - Wireless/Hart
IEC 62734: Industrial networks - Wireless communication network and communication profiles - ISA 100.11a
COMPANY Specifications
DOCUMENT NUMBER: TITLE
AGES-SP-04-004: Emergency Shutdown (SIS) System Specification
AGES-SP-04-003: Fire and Gas System Specification
REFERENCE DOCUMENTS
Standard Drawings
Not Applicable
Guidelines/Recommended practices
ENGINEERING EQUIPMENT AND MATERIALS USERS ASSOCIATION (EEMUA)
Pub. 191: Alarm systems - a guide to design, management and procurement
Pub. 201: Control rooms: a guide to their specification, design, commissioning and operation
INTERNATIONAL ORGANISATION FOR STANDARDS (ISO)
ISO 11604: Ergonomic Design of Control Centres – Part 7: Principles for the Evaluation of Control Centres
INTERNATIONAL SOCIETY OF AUTOMATION (ISA)
ISA RP 60.3: Human Engineering for Control Centres
DOCUMENTS PRECEDENCE
The Codes and Standards referred to in this specification shall, unless stated otherwise, be the latest approved issue at the time of Purchase Order placement.
It shall be the VENDOR’S and CONTRACTOR’S responsibility to be, or to become, knowledgeable of the requirements of the referenced Codes and Standards.
The VENDOR/CONTRACTOR shall notify the COMPANY of any apparent conflict between this specification, the related data sheets, the Codes and Standards and any other specifications noted herein.
Resolution and/or interpretation precedence shall be obtained from the COMPANY in writing before proceeding with the design/manufacture.
In case of conflict, the order of document precedence shall be:
UAE Statutory requirements
ADNOC Codes of Practice
Equipment datasheets and drawings
Project Specifications and standard drawings
Company Specifications
National/International Standards
SPECIFICATION DEVIATION/CONCESSION CONTROL
Deviations from this specification are only acceptable where the VENDOR has listed in his quotation the requirements he cannot, or does not wish to comply with, and the COMPANY/CONTRACTOR has accepted in writing the deviations before the order is placed.
In the absence of a list of deviations, it will be assumed that the VENDOR complies fully with this specification.
Any technical deviations to the Purchase Order and its attachments including, but not limited to, the Data Sheets and Narrative Specifications shall be sought by the VENDOR only through Concession Request Format. Concession requests require CONTRACTOR’S and COMPANY’S review/approval, prior to the proposed technical changes being implemented. Technical changes implemented prior to COMPANY approval are subject to rejection.
9. PROCESS SAFETY REQUIREMENTS
Sr. No. / Description
1. All alarm and trip settings shall be within 10% to 90% of the relevant instrument ranges to ensure visibility of the success or failure of automatic or manual actions.
2. A main database of all alarms shall be created, including all associated data - ranges, set-points, response times, required operator actions (section 11.7.2).
3. Alarms on out-of-service equipment shall not be suppressed if the related hazard can arise while non-operational.
4. ICSS communication networks shall be divided into zones of appropriate security levels with adequate protection between zones (section 11.4.2).
DESIGN CONSIDERATIONS /MINIMUM DESIGN REQUIREMENTS
Operation & Design Life
The PCS shall be designed for a minimum life of 15 years (see section 20.2).
Environmental Requirements
Unless otherwise specified, PCS system cabinets, other than field local panels, shall be installed within a climate-controlled area.
The indoor installed PCS system shall be suitable for an air-conditioned environment to ISA S71.04, G3 classification.
Normal indoor operating conditions will be 22°C ± 2°C and 50% Relative Humidity.
Control layer equipment shall continue to operate in HVAC upset conditions during which the temperature in the indoor location of the installation can fall to 0ºC or rise to 60ºC, and the humidity can vary between 5% and 95% non-condensing. Control layer equipment shall be considered to include network switches used in the Control Network.
Electric Utility Data
Two separate power feeders from UPS and one feeder from Utility power supply shall be made available for use by the VENDOR for powering PCS system cabinets.
The Electrical power supply details are as follows:
(a) Nominal voltage - 240V AC,
(b) Single Phase, 50 Hz, earthed
(c) Steady state Voltage variation: ± 10% nominal voltage
(d) Steady state Frequency variation: ± 5 %
Seismic Requirements
The system shall be designed to operate in the presence of a sinusoidal vibration of 2g at 10 - 500 Hz and withstand a shock of 15g for 11 milliseconds.
Hazardous Area Protection
Unless otherwise specified, PCS system cabinets shall be installed within a general purpose, non-classified electrical area.
If equipment is located in hazardous area, the Hazardous area classification and method of protection shall comply with IEC 60079. PCS Equipment located in certified Hazardous Area enclosures shall comply with the maximum ambient conditions for continuous operation.
Instrumentation located in hazardous areas shall be certified to IEC Ex standards by a certifying body acceptable to COMPANY.
All equipment within the scope of supply shall be suitable for the area classification as defined within the requisition. The PCS equipment supplied shall be located in non-hazardous areas, however interconnecting system cabling may, in certain cases, pass through hazardous areas, and should be adequately designed and protected for this duty.
Field equipment connected to the PCS will typically be located in hazardous areas and will be certified to National or other Certifying Authorities.
Field equipment located in these hazardous areas shall in general be interfaced via galvanic isolation safety devices and will be certified in accordance with IEC 60079 by an acceptable approval body as Ex’ia’ or Ex’ib’, with the exception of solenoid valves, which will be certified Ex’d’ or Ex’m’. Other protection standards for SOVs may be used where appropriate if specifically approved by COMPANY.
Ingress Protection
The degree of Ingress Protection (IP) for equipment enclosure shall comply with IEC 60529 and equipment data sheets. The equipment minimum IP rating shall be as follows:
IP 42 for Indoor climate-controlled environments
IP 65 for Outdoor field environments
Engineering Units
Reference shall be made to Project Engineering Design basis for Units of Measure.
SECTION B
TECHNICAL REQUIREMENTS
General Design
The PCS shall provide a control system based on the project I/O list and functional design specification.
The PCS system VENDOR shall have a proven track record over a minimum 20 years in providing design, engineering, Supply and Commissioning services for large scale Oil, Gas, Petrochemical and related process facilities.
The PCS system shall be engineered considering the full life cycle from design, installation, commissioning, start-up, operations and maintenance through to decommissioning.
Proven Technology
Only field proven hardware/technology should be used. Field proven should be defined as a minimum of 3 years of operation, in an operating environment similar to the one in which the new system is deployed, for control layer equipment, and 1 year of proven service for Console equipment.
Only System Hardware and Software that is field proven shall be included in the VENDOR’s scope of supply. Prototypes shall not be proposed. In instances where ‘new’ technologies may be considered beneficial to the project the VENDOR must present a case detailing benefits, time frames and a fall back scenario.
Standardization
The PCS shall be based on ‘off the shelf’ standard products of a field proven design. It shall have a high degree of availability, reliability and tolerance to faults and fulfil the project’s requirements.
The system shall be designed in a modular fashion. The number of different parts shall be minimized and standardized in order to reduce spare parts holding. Standardization will also minimize the maintenance and Operator training requirements.
Standardization shall apply to all software and hardware components (operating system, communication network equipment).
Architecture
11.4.1 General
The Process Control System Network topology shall be ‘Open System Architecture’, which is Vendor-independent and based on official and/or popular standards that allow flexibility, functionality and interoperability between various control functions/systems on the same network.
Network topology shall be addressed; in the current environment, however, openness is limited by security requirements, which must be discussed with COMPANY on a project by project basis.
The VENDOR shall produce a topology drawing showing the arrangement of operational segments and security zones and conduits in the proposed network. A preliminary version of this drawing shall be provided with VENDOR’s proposal.
Where specified, the PCS architecture shall be designed to support an ‘island’ (local) mode of operation of equipment in each Instrument Equipment Shelter in case communication with the Central Control Room is lost.
VENDOR shall include all equipment necessary to allow basic operation and historisation of the plant units under control by operators located within the IES in the PCS design.
11.4.2 Cybersecurity
PCS networks shall form the basis of networking for all elements of facility control and safety systems. The network shall be divided into zones with separate levels of security.
All communication between the ICSS zone and Enterprise zones shall be via a Demilitarized Zone (DMZ) and Firewalls.
In addition, the Safety Zone shall be separated from the Control Zone by an additional Firewall.
VENDOR shall provide details of their proposed 3rd party interfacing strategy and procedures, and alternatives available that give due cognizance to COMPANY’s system security requirements.
All automation installations shall comply with COMPANY’s OT Security policies and procedures.
Applied security should have the capability to allow remote performance monitoring by either COMPANY personnel or third parties. The VENDOR shall implement UAE national Digital Security Authority requirements after discussing with COMPANY and in compliance with COMPANY OT Security policy and procedures.
The PCS functionality shall provide for user configurable access security control via software password recognition to limit the access rights of personnel to the PCS system functionality. VENDOR shall describe the mechanisms available to achieve this, the logging facilities for access requests and how the access rights can be modified as necessary to suit commissioning and operational purposes.
A cyber security risk assessment as per IEC 62443-2-1 shall be performed by COMPANY/CONTRACTOR. VENDOR shall provide all required support for this assessment.
The cyber security risk assessment shall be performed as follows and shall be an iterative and continuous process:
Define the risk analysis methodology (for example architecture based)
Identify major items (organization, systems, subsystems, networks)
Identify and evaluate the threat scenarios with their impact and likelihood
Reduce the risks by designing adequate countermeasures
Summarize the results in a Risk Register.
The cyber security risk assessment findings and recommendations relating to PCS design and configuration shall be implemented by VENDOR.
VENDOR shall provide the necessary firewalls to control data transfer between the different ICSS zones.
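The zoning rules of this section can be checked mechanically against the topology drawing's asset and link inventory. The following is an added example, not part of this specification or of any vendor tool: the asset names, zone labels and link lists are constructed, and a firewall is modelled only as a boundary device, without its rule set.

```python
from collections import deque

ENTERPRISE, DMZ, CONTROL, SAFETY = "enterprise", "dmz", "control", "safety"
ICSS_ZONES = {CONTROL, SAFETY}
FIREWALL = "firewall"  # boundary device; modelled as belonging to no zone

# Constructed inventory (hypothetical names): asset -> zone, or FIREWALL.
ASSETS = {
    "erp-server": ENTERPRISE,
    "fw-ent-dmz": FIREWALL,
    "historian-mirror": DMZ,
    "fw-dmz-ctl": FIREWALL,
    "ctl-switch": CONTROL,
    "ews-01": CONTROL,
    "pcs-controller": CONTROL,
    "fw-ctl-sis": FIREWALL,
    "sis-switch": SAFETY,
    "sis-logic-solver": SAFETY,
}

# Constructed compliant cabling: every zone crossing passes a firewall and
# the enterprise side reaches the ICSS zones only through the DMZ.
GOOD_LINKS = [
    ("erp-server", "fw-ent-dmz"),
    ("fw-ent-dmz", "historian-mirror"),
    ("historian-mirror", "fw-dmz-ctl"),
    ("fw-dmz-ctl", "ctl-switch"),
    ("ctl-switch", "ews-01"),
    ("ctl-switch", "pcs-controller"),
    ("ctl-switch", "fw-ctl-sis"),
    ("fw-ctl-sis", "sis-switch"),
    ("sis-switch", "sis-logic-solver"),
]

# The same plant with two constructed defects.
BAD_LINKS = GOOD_LINKS + [
    ("ews-01", "sis-switch"),      # control host cabled straight into the safety zone
    ("fw-ent-dmz", "ctl-switch"),  # firewall leg that skips the DMZ
]


def unfiltered_cross_zone_links(assets, links):
    """Links that join two different zones with no firewall at either end."""
    found = []
    for a, b in links:
        zone_a, zone_b = assets[a], assets[b]
        if FIREWALL not in (zone_a, zone_b) and zone_a != zone_b:
            found.append((a, b))
    return found


def dmz_bypass_paths(assets, links):
    """Shortest Enterprise-to-ICSS paths that never touch a DMZ asset."""
    adjacency = {}
    for a, b in links:
        adjacency.setdefault(a, []).append(b)
        adjacency.setdefault(b, []).append(a)
    paths = []
    for start in (name for name, zone in assets.items() if zone == ENTERPRISE):
        parent = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if assets[node] in ICSS_ZONES:
                # Reached the ICSS without crossing the DMZ: record the route
                # and do not search past the entry point.
                path = []
                while node is not None:
                    path.append(node)
                    node = parent[node]
                paths.append(path[::-1])
                continue
            for nxt in adjacency.get(node, []):
                # DMZ assets are excluded, so any path found is a bypass.
                if nxt not in parent and assets[nxt] != DMZ:
                    parent[nxt] = node
                    queue.append(nxt)
    return paths


def audit(assets, links):
    """Return one finding string per violated zoning rule."""
    findings = []
    for a, b in unfiltered_cross_zone_links(assets, links):
        findings.append(f"no firewall between {assets[a]} and {assets[b]}: {a} <-> {b}")
    for path in dmz_bypass_paths(assets, links):
        findings.append("enterprise reaches ICSS without DMZ: " + " -> ".join(path))
    return findings


if __name__ == "__main__":
    for label, links in (("compliant", GOOD_LINKS), ("defective", BAD_LINKS)):
        print(label, audit(ASSETS, links) or "no findings")
```

A clean result only shows that the cabling respects the zone boundaries; the firewall rule sets that define each conduit still need their own review.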
Functional Specification (FS) and Functional Design Specification (FDS)
The Functional Specification shall be prepared by CONTRACTOR in consultation with COMPANY and shall form the basis for the VENDOR proposals and for the VENDOR to develop the PCS design in detail. It shall be written specifically for each project.
The FS shall provide the following information:
This specification
Number and spacing of IES;
Number and type of I/O (Analogue, Digital, SOV, Fieldbus, ‘Soft’ serial, IS, Non-IS) and allocation to IES;
Number of Control functions (Controllers, sequences, interlocks, batches, etc.) and allocation to IES;
I/O Criticality ratings
Requirements for ‘island’ operation.
Identification of Security Levels for each zone of the system
Interfaces to third-party packages;
Interfaces to other networks;
Historisation requirements;
Trending requirements
Number and location of OWS;
Number and location of EWS;
Estimated number of Operating Graphics;
Number of Console groups;
Requirement for Large Screen Displays;
Number and type of additional Workstations (for example maintenance) required
P&IDs (to support segregation assessment).
Based on the FS and additional supporting documentation, VENDOR shall develop the detailed design of the PCS and document it in the FDS.
The supporting information supplied to VENDOR to develop the FDS shall include:
Control Narratives;
Logic Descriptions;
Sequence Narratives;
Updated P&IDs;
Operating Philosophies;
Interface details for third-party packages;
Interface details for complex instruments.
The FDS shall detail the project specific architecture, system layout, hardware, software and graphics structure. It shall be written in conjunction with COMPANY/CONTRACTOR by VENDOR, based on the Functional Specification, provided in the requisition, and the additional supporting documents.
The system design and build will not be approved until the FDS is approved by COMPANY.
Operator interface requirements shall be included in FDS.
The FDS shall provide a detailed inventory and description of the equipment, functional definition and equipment data, including, as a minimum:
Number and nature of communication networks:
(e) Identification of networks
(f) Identification of network criticality & redundancy
(g) Communication link capacities
(h) Communication link loadings for all operational cases
(i) Identification of security zones
(j) Identification of conduits
(k) Definition of security measures between zones
(l) Definition of data flows to achieve FS requirements
(m) Communication details of all network elements
    (ii) Controllers
    (iii) Gateways
    (iv) Servers
    (v) Switches
    (vi) Firewalls
    (vii) HMI stations
(n) Network architecture
(o) Details of Historisation
(p) Details of DMZ/interface to Enterprise zone
(q) Number and type of controllers
(r) Allocation of controllers to IES/units
(s) Allocation of I/O to controllers
(t) Number of PCS cabinets
(u) Allocation of I/O to cabinets
    (i) General Arrangement (GA) of cabinets including rack distribution and mounting, power distribution, terminations, trunking, cooling fans, temperature monitoring, cable entry arrangement and dimensional drawings
(v) Preliminary configuration database
(w) Function block definitions (Valve Control, Pump Control, etc.)
(x) Detailed descriptions of agreed graphics elements/standards
(y) HMI station details including GA and dimensional drawings
(z) Access control
Hardware
11.6.1 General
The hardware of all parts of the PCS shall be designed and configured to carry out the functions described in the FDS. Special consideration shall be given to:
Environmental (temperature, humidity, vibration, etc.) and transport conditions;
Design of the cooling requirements for equipment mounted in enclosures;
Protection of the electronic components from static electricity and electromagnetic radiation; all hardware components of the PCS shall allow use of High Frequency radio communication in the vicinity of the installed equipment.
Each PCS input/output shall be individually protected against electrical failure.
All digital and analogue outputs shall have a configurable failure position (hold, on or off).
Dedicated marshalling cabinets shall be used for each system (PCS, ESD, F&G etc.), if an ICSS system is required, with segregation of IS and Non-IS.
11.6.2 Functional Requirements
VENDOR is responsible for ensuring that all items of equipment and components provided (including equipment from sub-Suppliers) are suitable for the specified operating conditions.
VENDOR shall detail the equipment items proposed and their relationship to the operational functions defined in the FS.
Dual redundant Simple Network Time Protocol (SNTP) time servers, each with their own Global Positioning System (GPS) aerial signal in the Central Control Building, shall be provided by VENDOR for time synchronization of all servers, workstations, controllers and other device clocks connected to the Process Control Network, third party systems and the Plant-Wide Network.
For the purpose of establishing the Total Cost of Ownership over the design life of the equipment, the VENDOR shall provide the reliability and life cycle data as specified in the requisition.
11.6.3 EWS/OWS
A workstation shall consist of display screens, keyboard, and mouse that allows the operator to interact with the process control system. An operator’s console shall consist of multiple independent operator stations. The PCS Operator Workstation (OWS) should be the primary operator interface to control and monitor the entire process and shall also be used to monitor and control the signals from all third party systems.
The OWS shall be the primary operator interface to control and monitor the entire process. The OWS shall also be able to monitor and control signals from all third party systems.
The number of OWS will be determined by the size and complexity of the process being controlled and the number of operators assigned to the unit or process complex.
Within the HMI layer, each OWS shall have its own electronics or virtualized hardware and failure of any hardware shall not affect more than one operator station. Virtualisation should be considered for the entire HMI/console layer including EWS, OWS, servers & workstation, interface stations, gateways etc. Where systems are virtualised, the design shall ensure that failure of a single host platform cannot disrupt operator access to maintain control of the plant. Vendor shall demonstrate how design of OWS satisfies the requirements of ISO 11604 & ISA RP 60.3 respectively.
Wireless operator interfaces may be considered for remote locations provided that adequate consideration is given to reliability and security. Unless otherwise agreed by COMPANY, use of such access shall be limited to indication or information use. Wireless Operator Stations intended for outdoor use shall be classified for Zone 1 with a suitable electrical protection method.
A point detail display shall be provided for every hard and soft tag configured into the PCS system. All parameters applicable to each tag shall be available for display. Operating parameters shall be accessible by the operator. Engineering and tuning parameters shall be available for change only under access password or key lock.
VENDOR shall offer their standard trend display capability for COMPANY review.
Separate engineering workstations shall be used to configure the subsystems of the process control system. When engineering workstations are used then the workstation will consist of electronics, storage media, display screen, keyboard, and printer to allow authorized personnel to configure, download, monitor, trend, document, modify, and verify software configuration.
All EWS workstations shall have the same functionality / features as the OWS, however they shall also have access to the application software, configuration and graphic builder software to allow maintenance and onsite modifications.
EWS shall be provided with the engineering functions to configure the PCS system, with password protection. EWS shall be configured in such a way that the operator functions and Engineering functions shall be performed with different login ID and passwords.
11.6.4 Power Supplies
The VENDOR shall incorporate an overall AC/DC power distribution, incorporating dual redundancy feeds to control equipment and single feeds to utility outlets.
Power supply to the PCS will be from 2 (dual redundant) UPS feeds. Each UPS feed will supply 240V AC, 50Hz power.
For each incoming power feed a double pole isolation switch shall be provided. Individual alarms will be generated for each of these when turned to the off position or on any fault.
System power supplies located inside PCS cabinets shall be dual redundant and each shall be capable of supplying 100% system power if the other fails. All power supplies, without considering redundancy, shall include a spare capacity of 25 percent of the maximum load, assuming all spare I/O slots are filled.
The PCS shall support automatic switching between dual redundant power supplies for continuous service without risking transient voltage effects.
Power supplies shall be replaceable on-line without disrupting the process and without affecting functioning of PCS System. Distribution of all power levels to all system chassis and modules shall also be completely redundant as a minimum. This is to be inclusive of all voltage levels required for logic processors, all chassis requirements, I/O modules and communication modules. This means that the failure of a power supply or incoming line shall not take out a leg of I/O or a main processor. The system shall withstand a 20 ms power outage without interrupting system operation. Cabinet power supplies shall have over-temperature protection, integral fuse protection, and status LEDs to indicate power supply faults.
Miniature circuit breakers (MCB) and fuses shall be employed to provide electrical protection and isolation for all powered components. The distribution circuit shall ensure that no single MCB failure results in other consequences or a cascade effect. MCB fault contacts shall be wired in series to generate a common fault alarm. Selection of fuses and MCB ratings shall be carefully coordinated with upstream fuses / MCBs including UPS distribution, taking into account power up inrush currents.
Additionally, separate 24 VDC redundant power supply for powering field instruments shall be provided. The VENDOR shall be responsible for designing the 24 VDC power distribution with circuit protection for all system I/O. All 24VDC –ve terminals shall be connected to Instrument earth (floating earth is not allowed).
Failure of any power supply must be signalled via a dry normally open (N/O) contact which shall be wired in series to a common discrete input point for alarm indication for each self-contained suite of cabinet(s). Each power supply shall be provided with primary and secondary overload protection. The secondary overload protection shall be self-resetting or have a time overload delay to prevent an instantaneous fault from tripping the system off. Over voltage protection must be provided if it is necessary for the protection of the connected loads. All individual fuses shall be provided with fault LED indication and a common fault alarm for monitoring by PCS. No hidden fault is allowed without remote common alarm.
The VENDOR shall wire cabinet lighting and utility outlets to a separate breaker which will be fed from a single phase 240 VAC 50 Hz utility non-UPS supply.
VENDOR shall provide the power consumption including inrush currents and crest factors for each cabinet to size incoming power feeders.
11.6.5 I/O Modules
These modules can be integral with the process control rack (for example communications, control processors mounted on the same back plane as the I/O modules) or mounted in separate modules/carriers.
Distribution of I/O shall also be governed by Unit segregation and reduction of common-mode failure risk. Unless otherwise approved by COMPANY, control loops from different units shall be processed by different controllers and I/O channels shall be segregated so that failure of a single card/module only affects one unit. I/O modules for primary and standby equipment items shall also be segregated.
I/O modules will be capable of handling the following I/O:
analogue input;
discrete input;
discrete output;
analogue output;
frequency input;
thermocouple input;
RTD input;
serial communications.
Serial I/O modules shall be able to communicate with various digital systems such as Fieldbus, HART or other serial data communications. Other I/O modules shall allow HART data to pass to the PCS.
The location and environment of the installation must be considered in selecting the modules. If the modules are to be located in remote locations, they must have valid hazardous area certification for the full range of temperatures specified and be capable of continuous operation over the full range of all of the specified environmental conditions. Purging of I/O enclosures may be required to meet hazardous area requirements. The likelihood of EMI or RFI must be assessed and mitigated.
The power supplies to the I/O modules and the I/O channels must be identified and appropriately designed. Power for the modules must come from the same source as the process control modules or one of equal reliability. Power supplies must be suitable for the area classification and ambient temperatures in which they will be installed.
If the I/O is remote from the control modules, the communications to the remote I/O must be evaluated for suitability. The impact of loss of communications must be assessed and the need for redundant and/or separately routed communications must be identified.
All I/O modules shall be remotely configurable and publish their entire configuration on request.
The I/O system design shall allow for removal of any failed module, whether redundant or non-redundant, without affecting the operation of any other modules and with no impact to the running plant beyond the loops related to the affected module. I/O modules shall be HART pass-through and have the capability to connect to the Asset Management System without a MUX/Demux.
The PCS system shall be designed such that upon failure of the primary module/unit in service, the control shall be transferred to the backup module/unit. The changeover shall be a bumpless transfer and shall not result in loss of an operator’s ability to view or manipulate real time data from the work station. The failure shall create an alarm to alert the operator. Automatic equalization between redundant modules shall be provided to ensure consistency and bumpless switching in any case.
Different style input modules may be required for 2-wire and 4-wire devices depending on the manufacturer of the module to address power supply and isolation issues. Input modules shall be able to be configured to do filtering, characterization and other functions.
11.6.6 I/O Signals
Use of wireless or semi-wireless network for PCS field devices shall be considered for monitoring of instruments located a long distance from Control Centres. If there are instances where a number of devices are on a given unit that all need wireless communication, it will be simpler to use a wireless remote I/O device that gathers the data and sends it back using one wireless Ethernet radio rather than individual transmitters.
Wireless networks for field instrumentation shall be Wireless HART (IEC 62591) and/or ISA 100 (IEC 62734).
Wireless instruments shall support authentication and cryptography for enhanced security mechanisms.
11.6.7 De-Centralized Logic
As the base case the control will be done in the PCS controller located in a specified Control Room or Equipment Room. Vendor should indicate whether they can support control in the field and how well this will be integrated within the PCS in terms of engineering tools, operator graphics, backup controls, alarming etc.
If the VENDOR offers a De-Centralized Logic solution for all green field projects, the I/O’s shall comply with the requirements included in this specification.
De-Centralized Logic are considered as ‘smart junction boxes’. They consist of I/O modules, power supplies, communication bus interface and field terminals enclosed in boxes or cubicles according to the number of field instruments and valves.
Maintenance facilities shall include:
Replacement of I/O or power supply modules under power;
Diagnostic data available at the PCS maintenance/Operator stations in the same way as for standard I/O’s;
When used, the I/O bus design shall be such that a loss of one I/O rack will not impact the other I/O racks: for instance, the de-energization of one I/O rack shall not impede the control and monitoring of the other I/O racks.
11.6.8 Cabinets
All cabinets will be vendor standard, but with the following details. Two types of cabinet shall be provided:
System cabinets including CPUs, I/O boards, communication boards, power supplies, switches, firewall, routers and Patch panels. Each Subsystem shall have dedicated cabinets, except for specific cases described in this specification.
Marshalling cabinets equipped to receive all process and safety signals from and to the field, the electrical room, or other technical rooms or to receive signals from other systems such as package control systems.
Each Subsystem (PCS, ESD BMS and F&G) shall have dedicated cabinets.
PCS system and marshalling cabinets shall be rigid and self-supporting. Cabinets shall be constructed of sheet steel with a rigid internal steel frame. Cabinets shall be braced for shock and vibration normally encountered during transport and construction.
The cabinet’s structure thickness shall be minimum 1.5 mm for cabinet steel plate sides, roof and bottom, and minimum 2 mm for doors and plinths.
The dimensions of the cabinets shall be 2000 mm (H) (excluding plinth) x 800mm (W) x 800 mm (D) (front access). If cabinets are permanently bolted to form sections, the length of these sections shall not exceed 2400 mm.
All cabinets shall have the same exterior and interior finish and colour. Cabinet colour shall be RAL 7035. Plinth colour shall be RAL 7022.
The cabinet internal layout shall be designed to provide safe and unimpeded access to all electronic modules, power distribution, fuses, terminals and cable termination areas, cable and wiring routings, and to allow replacement of defective parts with the minimum amount of dismantling or removal of associated equipment.
All cabinets shall be bottom entry unless otherwise approved by COMPANY.
IP42 shall be standard for all indoor cabinets.
Cabinets shall have redundant ventilation fans for heat removal. Alarms shall be provided for cabinet high temperature and fan failure. Cabinets shall be equipped with ventilation louvers with dust filter units. Inlet louvers shall be installed at the bottom of cabinet doors. Filter screens shall be readily accessible and easily removable.
Cabinet and inside equipment support shall be designed to dampen effects of external vibration.
Eyebolts shall be mounted on each cabinet to facilitate handling during unloading and permit transportation of the enclosure by crane.
All unused I/O module slots shall be fitted with removable cover plates.
Cabinets shall have lockable hinged doors. Hinges shall be of the lift-off type, so that doors are easily removable from the cabinet. All door locks shall be provided with the same lock and key combination. Keys shall be removable with the doors either locked or unlocked.
Internal lighting lamp at the top of the cabinet shall be controlled by a door switch or movement detector and incorporating a manual on/off/auto switch.
All PCS components shall be safe to personnel and environment and shall comply with listed international electrical safety standards. All terminals containing voltages in excess of 50V shall be shrouded and labelled as hazardous.
Each Cabinet and all its major components shall be clearly labelled and identified with a Tag Number. Cabinet nameplates shall be by engraving on three-layer plastic. Material layers shall be white-black-white for PCS and shall be attached with stainless steel screws. Nameplate engraving shall be subject to COMPANY review and approval.
When available space inside the technical room is limited, combined marshalling/system cabinets may be considered. However, physical segregation between marshalling and systems sections, and easy access to any equipment/device/terminal requirements shall be fulfilled. Such arrangement shall be submitted to COMPANY for approval, as a cost saving.
Side mounting of components shall not be permitted, unless approved by COMPANY.
All cabinets shall have drawing/document folders located on front and rear doors.
All components shall be safe to personnel and environment and shall comply with electrical safety standards.
Prefabricated system cables shall be provided to connect the system cabinets to the marshalling cabinets, if remote I/O is not used. All cabling, sockets, plugs and terminating blocks shall be arranged and positioned to facilitate easy access for testing, inspection and maintenance.
Terminals shall be Blue for Intrinsically Safe and grey for all others.
11.6.9 Earthing
There shall be three separate isolated Earthing Systems within the PCS cabinets as follows:
i. Safety Earth: Each cabinet shall have an M10 brass earth stud, complete with nuts and washers for dedicated safety earthing. All metal racks, internal panels, cable tray, doors and detachable panels shall be earth bonded together to this safety earth with a flexible copper braid strap of at least 10 mm² to ensure effective earthing.
ii. Instrument Earth: Each system and marshalling cabinet shall be provided with one 5mm x 15mm copper galvanically isolated instrument earth bus-bar across the full width of, and insulated from, the panel for earthing System electronics and electrostatic screens of field cables. In general, field instrument shields shall be grounded to instrument earth within the Marshalling Cabinet.
iii. Intrinsically Safe Earth – IS Earth: Marshalling cabinets with non-isolating IS barrier (for example Zener barrier) circuits shall be supplied with an additional isolated IS earth bus-bar clearly labelled.
11.6.10 Wiring
Prefabricated system cables shall be provided to connect the system cabinets to the marshalling cabinets, if remote I/O is not used. All cabling, sockets, plugs and terminating blocks shall be arranged and positioned to facilitate easy access for testing, inspection and maintenance.
Unless otherwise specified in the requisition, or approved by COMPANY, the colour coding of wires within system cabinets shall be as follows:
Power 24V DC positive / negative - RED / BLACK
Power 110V/240V AC phase / neutral - BROWN / LIGHT BLUE
Input and output signals - BLACK/WHITE or BLACK/BLUE (to indicate Intrinsically Safe signals)
Signal earth - GREEN
Intrinsically Safe Earth - GREEN/BLUE
All interconnecting cables shall be tagged at both ends with cable number and cabinet number. Wiring core shall be tagged at both ends (where applicable) with tag number using shrink sleeve type markers or equivalent.
Internal wiring shall be laid in PVC close slotted ducting (raceway) with a covering lid colour coded blue for Intrinsically Safe and Grey for non-Intrinsically Safe wiring. Ducting (raceways) shall have at least 40% spare capacity after commissioning.
Internal cabinet wiring, cables and wire ways shall, as a minimum, be flame retardant in accordance with IEC 60332.
All internal and external wiring shall be connected to terminals. Splices are not permitted in wiring. Terminal blocks shall be Push-in Spring type (cage clamp type) and non-hygroscopic type. Terminals shall be tinned and clearly identified. The size of the terminal blocks shall be consistent with the wire size. Terminal colour for Non-IS wiring shall be Grey and Intrinsic Safe wiring shall be Blue. Terminals utilized for voltages higher than 48 volts shall be protected against accidental contact with removable cover plates which carry high voltage warning labels. Terminal blocks shall be labelled and numbered.
All panel cabinet tagging for cabinets, racks, TBs, Distribution boards, Terminal blocks, shall be engraved tagging fixed in a permanent manner. Sticker or temporary tagging is not acceptable.
11.6.11 Availability/Redundancy/Reliability
Hardware redundancy shall be provided to meet the requirement that ‘no single PCS component fault, failure or replacement shall affect availability of the Process asset’. The systems shall contain diagnostic routines to alert the operator to any faults and failure.
The following components shall, as a minimum, be redundant:
PCS networks, servers and communication equipment (such as switches, firewalls, routers, etc)
PCS nodes: controllers, power supplies
I/O modules for loops which provide a ‘critical’ control function, where a ‘critical’ function is defined as a function that, if lost due to a fault, would adversely affect asset safety or cause a significant loss of production.
The goal of providing redundancy is to increase the overall availability. In the case of servers, if it can be shown that sufficient availability is achieved using non-redundant servers but with redundant power supplies and disks (mirroring or RAID), then this may be proposed.
The required availability of the PCS shall be at least 99.99% based on an MTTR of 8 hours.
Software
11.7.1 General
The VENDOR shall supply clarification of the standard system software with release of expected software updates for the coming 5 years. This shall be included in the bid. The migration path for future software upgrades shall be clearly specified by the VENDOR. Once any single piece of software has been signed off by COMPANY, the VENDOR shall not change any part of the system software without first consulting fixes and new features in the later version of software. The agreement on whether or not to install the later version and the timing thereof shall be with the agreement of COMPANY.
Operator interface shall be the latest proven version of VENDOR’s Windows-based system.
The VENDOR shall provide as part of the system all system and application software (fully configured & documented) necessary to implement the functionality described in the FDS. The software shall be designed and programmed to facilitate maintenance, modification and future expansion of facilities and be of modular structure.
Standard Functions are developed to define the Hardware interface and Software requirements for individual instrument and equipment. These standard software blocks shall be used to develop the project specific requirements. COMPANY subsidiaries may use their own library of Standards Functions if already developed.
These Standard Functions are key requirements for the development of the Functional Specification which would then define how these functions are applied to specific process/utility and safety sub systems.
The Functional Specification shall be the basis of the development of the application software.
Applications software shall be designed, programmed and documented to facilitate maintenance, modification and future expansion. For this reason it shall be of a logical modular structure.
Special attention shall be paid to the functions split within the different controllers belonging to the same subsystem to minimise the consequences of:
Any process shut-down when losing one controller (or a part of it);
Too many data exchanges between controllers.
VENDOR shall be required to develop and implement a comprehensive Software Lifecycle Management Process. The process shall identify, and store with revision numbering, the master versions of software at all stages from the start of the project and VENDOR toolkit development, through modular code implementation and testing, integration testing, commissioning, and handover to the site support organization for the engineering support phase.
The PCS shall have communication between security zones which must meet cyber security requirements and support multiple local and remote operator stations including distributed server architecture over industry standard LAN/WAN.
If an ICSS by a single VENDOR is adopted, then communication between the subsystems shall be VENDOR’s native system protocol.
The PCS shall provide a secured bi-directional flow of information between third party devices and the PCS.
The PCS communication with ESD and F&G should be seamless redundant communication utilizing the Ethernet (TCP/IP) protocol, if ICSS is adopted.
VENDOR shall assume total responsibility for the control of software up to the date of handover to COMPANY and the system shall be auditable by COMPANY. VENDOR shall provide details of their proposed Software Lifecycle Management Process and the tools that are proposed for deployment and use for this project.
The PCS shall have the capability of extensive historization and trending of data. Selection of the tag and sampling time for real time and historical trending shall be possible from operator keyboard. The PCS shall have the facility to record all data points on the system at one second resolution for one month and one minute average for 3 months. The system shall be capable of uploading all tags in 30 seconds or less to a central database system.
Instrument configurable engineering databases shall be used as an engineering tool in designing the PCS system, for example for allocation of inputs/outputs.
11.7.2 Alarm Management
Alarm Management software shall be provided to ensure that the operator is alerted to plant upsets in a clear manner without being overloaded during normal operation and even plant upset.
An Alarm Management System (AMS) shall be implemented in ICSS.
Alarm Management shall comply with the EEMUA Publication 191 and the ISA 18.2 requirements.
A database of all alarms on the ICSS and their variables, with ranges, setpoints, criticality, notifications and actions, shall be developed, initially by VENDOR, and maintained throughout the system life.
Operator required actions for each alarm shall be available to console operators at all times.
Alarms on out-of-service equipment shall not be suppressed if any cause has been identified for the related hazard to arise while the equipment is non-operational.
The alarm management software for PCS system shall have the following AMS capabilities, as a minimum:
(aa) Alarm and event logging
(bb) Storage of alarms and events for retrieval
(cc) Sorting of alarms and events in chronological order
(dd) Sorting of alarms by priority
(ee) Providing statistical analysis of alarms and events
(ff) Alarm reports (shelved alarms, filtered alarms, masked alarms, statistics)
(gg) Alarm change management (alarm threshold modification, alarm priority change)
(hh) Printing and reporting.
(ii) First out alarm.
(jj) Alarm masking and dynamic suppression, including suppression between units.
The alarm and event history shall be periodically backed onto another central server for permanent storage.
Refer to ADNOC Group Company AMS specification for further details.
Vendor shall configure the alarm management defined in the FS documents and the software shall be suitable for further refinement by COMPANY operators. Training in the use of Alarm Management software shall be offered by VENDOR.
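The statistical analysis called for in item (ee) can be illustrated with the following added example, which is not part of this specification or of any vendor's software. It computes alarm rate per window, flood periods, priority distribution, most frequent tags and chattering tags from an alarm log; the log format, tag names and threshold values (more than 10 alarms per 10 minutes for a flood, 3 activations within 1 minute for chattering) are assumptions to be replaced by the project alarm philosophy.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed benchmark values, not stated in this specification.
WINDOW = timedelta(minutes=10)        # reporting window
FLOOD_THRESHOLD = 10                  # more than this per window is a flood
CHATTER_COUNT = 3                     # activations of one tag ...
CHATTER_SPAN = timedelta(minutes=1)   # ... within this span is chattering

START = datetime(2025, 1, 1, 8, 0)    # start of the constructed log

# Constructed sample log (timestamp,tag,priority); hypothetical tags, not plant data.
SAMPLE_LOG = """\
2025-01-01T08:01:00,FIC-101,LOW
2025-01-01T08:07:30,TI-205,LOW
2025-01-01T08:12:00,LIC-310,HIGH
2025-01-01T08:12:20,LIC-310,HIGH
2025-01-01T08:12:45,LIC-310,HIGH
2025-01-01T08:13:00,PI-401,CRITICAL
2025-01-01T08:13:10,PI-402,HIGH
2025-01-01T08:13:40,FIC-101,LOW
2025-01-01T08:14:05,TI-206,MEDIUM
2025-01-01T08:14:30,FI-110,MEDIUM
2025-01-01T08:15:00,XV-501,LOW
2025-01-01T08:15:20,PDI-330,MEDIUM
2025-01-01T08:16:10,TI-205,LOW
2025-01-01T08:17:00,LIC-310,HIGH
2025-01-01T08:24:00,FIC-101,LOW
"""


def parse_log(lines):
    """Parse 'ISO-timestamp,tag,priority' records into time-sorted tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, tag, prio = (field.strip() for field in line.split(","))
        events.append((datetime.fromisoformat(ts), tag, prio))
    return sorted(events)


def window_counts(events, start):
    """Count alarm activations per fixed window, indexed from `start`."""
    counts = Counter()
    for ts, _, _ in events:
        counts[(ts - start) // WINDOW] += 1
    return counts


def flood_windows(events, start):
    """Return the start time of every window exceeding FLOOD_THRESHOLD."""
    counts = window_counts(events, start)
    return sorted(start + i * WINDOW for i, n in counts.items()
                  if n > FLOOD_THRESHOLD)


def chattering_tags(events):
    """Tags that activate CHATTER_COUNT times or more within CHATTER_SPAN."""
    by_tag = defaultdict(list)
    for ts, tag, _ in events:
        by_tag[tag].append(ts)
    chatter = set()
    for tag, times in by_tag.items():
        for i in range(len(times) - CHATTER_COUNT + 1):
            if times[i + CHATTER_COUNT - 1] - times[i] <= CHATTER_SPAN:
                chatter.add(tag)
                break
    return chatter


def report(events, start):
    """Summary statistics for an alarm log that begins at `start`."""
    counts = window_counts(events, start)
    n_windows = max(counts) + 1 if counts else 0
    prio = Counter(e[2] for e in events)
    return {
        "total": len(events),
        "avg_per_window": len(events) / n_windows if n_windows else 0.0,
        "peak_per_window": max(counts.values(), default=0),
        "floods": flood_windows(events, start),
        "priority_share": {p: n / len(events) for p, n in prio.items()},
        "top_tags": Counter(e[1] for e in events).most_common(3),
        "chattering": chattering_tags(events),
    }


if __name__ == "__main__":
    for key, value in report(parse_log(SAMPLE_LOG.splitlines()), START).items():
        print(f"{key}: {value}")
```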
Maintainability
System maintainability requirements shall include the need to perform diagnostics and system maintenance functions, including software updates. This will impose topology requirements for data links and communications in order to facilitate this process. Additional control module redundancy may be necessary to meet system maintainability.
Provisions should be made for major maintenance or upgrades that can only be performed when the process is shut down. In large complexes, this means that equipment should be segregated so that process areas that cannot or do not come down together do not share key equipment.
The control system hardware shall be located where it can be repaired and maintained. All modules shall be replaceable with the system powered and plant running. Modules shall have mechanical keying to prevent physical insertion and on-line activation of a module in an incorrect slot in the chassis. Shorting or grounding the field wires connected to any I/O module shall not damage the module itself.
The process control system shall incorporate comprehensive self-diagnostics so that all permanent and transient faults are identified, located, alarmed and reported. All diagnostics should be performed automatically on-line, without disturbing the process or reducing the reliability of the system.
Where specified in the FS, separate Maintenance Workstations shall be provided. These shall comprise identical hardware to the Operator stations but shall be located in a separate Maintenance Engineering location.
Reports
The PCS shall be provided with report generation and historisation tools that have been tested and certified for use with the rest of the process control system.
The capability for the creation of custom reports shall be such that all values, measured or calculated, within the system can be accessible for these custom reports.
The PCS shall incorporate an event logger which shall store messages for future reports and displays and should be provided with the capability to accumulate and store process information history. The PCS specification shall also be capable of storing user defined network data for a period of six months.
The PCS shall support management of change, including tracking user changes and providing hardcopies on demand of system configuration.
The PCS shall have file backup management application for routine backup to magnetic media storage on a scheduled basis.
An automatic archiving facility shall be included to archive the historical data and events on a removable media, which shall be in line with COMPANY procedure.
The OWS shall provide the operator with the means to initiate reports on demand or to schedule regular reports that have previously been configured.
The VENDOR shall supply a software package within the OWS to allow personnel to create or modify reports.
Printers shall be provided as part of the ICSS for log and report printing. Colour printers shall be supplied for Graphic printing.
Instrument Asset Management System (IAMS)
The IAMS, which shall be included, shall constantly monitor defined instrumentation/equipment parameters and automatically generate alarms and fault reports when specified thresholds are exceeded, along with operator guidelines, which will improve plant operations.
The VENDOR shall supply an IAMS Server, plus network to store and display all diagnostic data transmitted from the field, to reduce equipment failure.
Provide configurable device scan rate capability of 100 ms or less. The scan times for third party devices shall be no more than 1 sec. As a security protection, no system should be able to change parameters of process measurement without authorization. It shall enable filtering of status messages from any field device to avoid nuisance alarms. IAMS shall not prevent field devices from raising Process or Bad PV alarms on PCS.
The following shall also be included:
Automatically build and maintain a database of installed devices.
Provide unlimited character tag device tag capability.
Provide automatic device foot-print comparison checks against device benchmark performance including as a minimum friction, spring rate, bench set, seat load, and torque.
It shall be able to carry out partial stroke test and establish a valve signature.
Generate equipment inspection requests.
Maintain an equipment audit trail and operational history.
The IAMS shall provide a common field device interface and database for connectivity to all types of instrumentation, including all package instrumentation.
The IAMS shall automatically update maintenance records by tracking work orders.
Controllers
The controllers shall be of inherently redundant architecture and shall demonstrate an availability figure of greater than 99.99%.
The controllers shall have the following functions as a minimum:
Configurable PID loops
Alarming (PV, deviation and rate of change)
Bumpless transfer
Output ramping and output limiting.
Dead time compensation
Internal cascade control
Ratio Control, Gap control
Rate of change calculation
Totalizing and mass flow computation
Step sequencing and interlocking
Pulse control input
Selectors overrides and flip flop commands
Split-range controllers
The controllers shall be capable of scan rates of 100ms or faster. For logical processing of digital signals, the processing rate for each controller shall not be more than 0.2 second.
When an active controller fails another controller will automatically take control. An alarm will be displayed on the operator console to indicate that a controller has failed. The failed controller will be capable of being replaced on-line. The new controller should be configured automatically by the control system when it is installed.
Controllers shall be capable of executing both pre-defined configurable algorithms and user algorithms coded in a high level programming language, as defined in IEC-61131 part 3.
Controller loading shall not exceed 50% during peak load (Alarm flooding condition). Loading measurement shall include I/O addressing capability and processor CPU loading.
Controller shall have the capability to interface either directly (preferred) or via a gateway with the industrial standard protocols such as Modbus, Profibus, Foundation Fieldbus and other standard protocols, through a firewall.
Upon failure of a controller, it shall be possible to remove it and install a replacement on-line, without interrupting the system function. Also, an alarm shall be initiated on the Operator Interface Station.
HMI
11.12.1 General
The HMI for the PCS is provided by the OWS and shall consist of the following features as a minimum:
VENDOR’s standard displays such as alarm and event lists, system status displays and alarms.
VENDOR’s standard functions such as alarm annunciators, keypads, audible sounds
Project specific graphics
All OWS’s shall be able to access all graphics, however access to alarms, events, set points, mode change and state change controls shall be restricted to the operator and OWS(s) assigned responsibility for that specific plant. Alarms and events from one operating area shall not be visible in another operating area unless specifically enabled.
VENDOR shall detail the constraints for each OWS configuration with respect to the maximum number of tags / points, display call-up time etc. To assist in the assessment of capability, VENDOR shall also provide for typical display objects, the functionality they provide and the number of tags / points they use. Functions such as menu pick, pushbutton and navigation target shall be either removed or greyed out if unavailable; this is to avoid an operator being unsure as to whether the function is available or not or there is a fault.
It shall be possible to configure the system so that the HMI defaults to operator area overview and/or alarm list if not used for a period of time. For OWS terminals not in the Control Room, it shall be possible to configure them to default to view only mode if not used for a period of time.
Requirement for Large Screen Displays (LSDs) used for incident control and general overviews for operator and non-operator personnel shall be Project defined.
The PCS shall ensure a safe, reliable and efficient control and monitoring function for the facility. It shall also provide the ‘backbone’ of the ICSS communication network and thus allow the Operator to view and manage the entire facility from the HMI located in the control room(s).
11.12.2 Graphics
The PCS HMI will provide the operator with a single window to the process control and safety systems. The operator will have the capability to control and monitor the process, apply overrides to and monitor the status of the ESD and F&G systems and monitor the status of all of the major packages.
PCS custom graphic libraries, including all symbols, shapes and dynamic objects / elements shall be verified as fit for purpose and approved by COMPANY prior to commencement of project graphic bulk build process. Each element must be tested with the associated function block(s) and standard configurations for which it is to be used for the test to be valid.
In addition, graphic templates covering all project graphic types, shall be developed to satisfy Operations hierarchical display design requirements, and verified as fit for purpose by VENDOR (with respect to graphic performance) and approved by COMPANY prior to commencement of project graphic bulk build process.
Project specific graphics shall integrate all automation systems to provide a common ‘look and feel’ for operator monitoring, control, and diagnostics and shall be built using the graphic objects, templates and standards approved as part of the toolkit to ensure a consistent look and feel for operators and as an essential part of reducing the risk of misinterpretation or misoperation. Any new graphic requirements identified during the project shall go through the toolkit design process to ensure integrity is maintained. The project graphics shall consist of the following:
(kk) Project field overview graphics.
(ll) Process Control Schematic graphics:
(i) Process overview graphics
(ii) Process unit graphics
(iii) Process detail graphics (P&ID)
(mm) F&G graphics
(nn) ESD graphics
(oo) Electrical System Graphics
(pp) HVAC graphics
(qq) Sequence graphics
A point detail display shall also be provided for every hard and soft tag configured in the PCS System. Maintenance displays that show the data communication links and system hardware status shall be available.
Design Data
One of the primary design sources will be Instrument configurable engineering databases which shall be utilized for two-way data exchange of design information between COMPANY and the VENDOR. As part of the FDS, VENDOR shall detail the proposed database exchange requirements; these include:
Database verification - essential to this is the agreement of a primary key(s) which are used to link databases with PCS data.
Data exchange management
Document No: AGES-SP-04-001
Rev. No: 1 Page 31 of 47
Database revision control, on the basis that the central Company database shall continue to be a live working database.
Configuration auto-build rules and tools
User Defined Fields
During the course of the project, large amounts of data will transfer between COMPANY and VENDOR to align the database and the PCS. Maintaining control of this exchange, to allow updates and verification, is seen as essential by COMPANY and will be jointly developed during the FDS phase.
ADDITIONAL SPECIFIC REQUIREMENTS
Not Applicable
SECTION C
SCOPE OF SUPPLY
Detailed engineering and design of the ESD system in accordance with all specifications, standards, datasheets and other statements of requirement included with or referenced in the requisition.
The VENDOR shall have single point responsibility for all aspects of the works, inclusive of all components sub-contracted or purchased from other parties. These shall include, but not be limited to:
Total system engineering definition of the PCS in the form of a Functional Design Specification (FDS) based upon the Functional Specification (FS), datasheets and COMPANY specifications provided by CONTRACTOR. FDSs shall be written by the VENDOR and approved by COMPANY during the Design Phase to detail the VENDOR scope of work.
the agreed FDS
Control System Topology
Design and supply of the PCS Operator Control Console, including the integration design and resulting facilities for all free issued materials to be mounted thereon
Design and supply of the PCS System Cabinets
Design and supply of the PCS Marshalling Cabinets
Design and supply of the PCS Auxiliary Cabinets
Design of the PCS communications network and supply of all communication equipment and cables up to but excluding communication bridges to domains outside the Process area
all System Interconnecting cables
Supply of operating system software and firmware.
Supply of system configuration and application software including design and configuration of database, graphics and reports
Supply of specialist integration services for third party equipment forming part of the PCS scope
Supply of System test procedures, all necessary test equipment and personnel for all tests. Perform tests for witness by the Contractor’s representative
Human Machine Interface
Alarm processing and management
Data communications
Documentation
Documentation and certification in accordance with the material requisition, this specification and the standards referenced herein.
Special tools required for installation, operation and maintenance of the equipment;
Painting, Preservation and Packing;
Insurance spares;
Spares (commissioning and 2 year);
Certified calculations shall form part of the scope of supply as follows:
Design and supply of power distribution system within the PCS
Sizing Calculations; Power Calculations; Commissioning; start-up and long term support.
Heat loading calculations.
In addition to the above requirements, design, fabrication, configuration, testing and installation shall also be compliant with cyber-security requirements.
The PCS shall be configured so that a user at any level (from the PCS to the business network) can immediately ascertain the validity (quality) of real-time and historical process tag values. A tag’s data quality shall be determined and set in the PCS module hosting the instrument data acquisition.
QUALITY CONTROL AND ASSURANCE
Equipment shall only be purchased from Vendors approved by COMPANY Category Management. This approval indicates that the VENDOR has an approved Quality management system and a proven track record in supply of this equipment type.
COMPANY/CONTRACTOR reserves the right to inspect materials and workmanship at all stages of manufacture and to witness any or all tests.
VENDOR shall comply with the Criticality Rating for Equipment outlined in the respective ADNOC Group Company’s Quality System Specifications for requirements of production checks, shop inspection, testing and material certification.
The VENDOR shall provide equipment inspection and test reports as per the Inspection and Test Plan approved by CONTRACTOR.
VENDOR shall submit a quality plan for approval by COMPANY.
MATERIAL & CERTIFICATIONS
Material certification is not applicable to PCS system equipment.
INSPECTION & TESTING REQUIREMENTS
General
The VENDOR shall be responsible for workmanship, testing and quality assurance of the material supplied.
Inspection and Testing will be carried out by VENDOR and it will be witnessed by the CONTRACTOR and COMPANY representatives at various stages and locations as follows:
Pre-Factory Acceptance - conducted at the system assembly/manufacturer location.
Factory Acceptance Test - may be conducted at the system assembly location as a standalone PCS
Integrated Factory Acceptance Test – conducted following FAT at the PCS location.
Site Installation Test- conducted at the job site once system is installed and powered up.
Site Acceptance Test - conducted at the job site as a system operating test after commissioning.
VENDOR shall provide all test procedures to CONTRACTORS and COMPANY for review and approval at least two months prior to the proposed test schedule. Each formal acceptance test must be signed by a VENDOR, CONTRACTOR and COMPANY representative at the successful completion of the test(s).
Shop Inspection
CONTRACTOR’S representative will periodically visit the VENDOR’S shop facilities and inspect system progress from a hardware and software perspective.
Pre-Factory Acceptance Test
VENDOR shall detail all physical tests and inspections which will be performed in the Pre-FAT procedure. As a minimum these tests shall include complete physical inspection of all cabinetry, system components, wiring, labelling, etc. Additionally, the procedure shall list all internal VENDOR test/inspection records which can be provided to the CONTRACTOR during the Pre-FAT. As a minimum, project related QA inspections covering bought out components and internal inspections of assemblies are to be included.
The system equipment will be inspected by CONTRACTOR representative at the Pre-Factory Acceptance Test for satisfactory quality and workmanship. In addition, COMPANY or CONTRACTOR shall have the right to inspect the work in progress at any stage.
The VENDOR is responsible to maintain a punch list during the Pre-FAT. The Pre-FAT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire Pre-FAT punch list shall be given one System Log report number and maintained as part of the PCS system log. Unless otherwise agreed by COMPANY, all items on the Pre-FAT punch list shall be cleared before the commencement of FAT.
The entire Pre-Factory Acceptance Test (Pre-FAT) procedure must have been successfully exercised on the system by the VENDOR prior to the FAT.
Factory Acceptance Test
The FAT shall include the complete testing and acceptance of both hardware and software.
The VENDOR shall be required to submit FAT procedures for approval prior to FAT. These shall cover, but not be limited to:
(rr) Complete hardware testing including simulation of all input and output channels, testing of all system redundancy (CPUs, power supplies, I/O buses, I/O comm modules, highway communication modules, etc.), observation of fault reporting via hardware indicators and data transfers, and hot swap component replacement.
(ss) Complete simulation of all functional groups. This testing is to be inclusive of I/O simulation through the marshalling cabinets and system cables to ensure healthy HW and SW configuration for all I/O. Functional test shall be performed through software simulation for all tested I/O. Additionally, full redundancy testing of the communications interface shall be performed.
(tt) As the functions are checked, proper recording of SOE data shall be verified. Additionally, the SOE sorting and reporting capabilities shall be demonstrated and certified correct.
During FAT the system shall be made available to CONTRACTOR and COMPANY for sufficient periods to verify satisfactory performance.
COMPANY and CONTRACTOR’S representative will witness the entire FAT. The FAT procedure/checklist will be signed off by the VENDOR, CONTRACTOR and COMPANY representative at the successful conclusion of testing. A copy of the signed off FAT procedures/checklist and related printouts shall be furnished to CONTRACTOR and COMPANY representative. Each punch point shall be categorised to define criticality and time frame for completion. This is applicable to all tests & punch lists.
All process inputs and outputs must be simulated during the FAT. The purpose of this simulation is to provide a facsimile of the production process, with all points of an individual loop or interconnected loops hooked up for test simultaneously.
All system programs must be complete and resident in the system prior to the start of FAT. All program listings must be free of pencilled (patched) corrections. The system software loaded must be the final version encompassing all required changes incorporated after VENDOR internal testing. Any changes which were made as a result of internal testing shall be documented as part of the PCS system log.
The VENDOR is responsible to maintain a punch list during the FAT. The FAT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire FAT punch list shall be given one System Log report number and maintained as part of the PCS system testing log.
Diagnostic programs which are tested during FAT shall be shipped to IFAT with the system.
Integrated Factory Acceptance Test (IFAT)
IFAT shall follow FAT and shall include testing of communication interfaces between FGS, ESD, PCS and third-party systems. Data transfer between FGS/ESD/PCS shall be checked. FGS/ESD/third-party graphics implemented in PCS OWS shall be 100% tested.
IFAT testing procedure shall be furnished by VENDOR for CONTRACTOR and COMPANY approval.
Site Installation Test (SIT)
After the system has been installed on site and site QA as well as VENDOR inspection of the mechanical and electrical installation has been successfully completed, a Site Installation Test will be conducted by the VENDOR when directed by the CONTRACTOR.
SIT shall include as a minimum:
(uu) An audit and inspection of equipment as installed. A deficiency report shall be written, and appropriate action taken to rectify any problems.
(vv) All alarm status, analogue and pulse inputs, and controlled end devices shall be disconnected by means of isolating terminals.
(ww) Each system shall be powered up and system and application software will be loaded. System diagnostics shall be run and checked to ensure the system is error free.
(xx) Communications shall be established between all components of the system.
(yy) Redundancy testing of processor, power supply systems, I/O buses and communication modules shall be performed.
(zz) At least one point from every input/output module shall be verified by signal simulation/monitoring from the associated marshalling cabinet.
(aaa) A random sampling of data transfers between the PCS and other systems shall be performed to ensure proper operation of the data links.
(bbb) All MOS enable switches shall be checked for proper operation by exercising the enable switches, implementing PCS soft MOS functions, checking the ESD/FGS implements the MOS and then observing the ESD/FGS clearing imposed soft MOS functions when the MOS enable switches are switched to the off position.
(ccc) Random sampling of SOE data shall be conducted.
Full details of all tests to be performed shall be defined in the SIT procedure.
The VENDOR is responsible to maintain a punch list during the SIT. The SIT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire SIT punch list shall be given one System Log report number and maintained as part of the PCS system test log.
COMPANY and CONTRACTOR representative will witness the entire SIT. The SIT procedure will be signed off by the VENDOR, CONTRACTOR and COMPANY representative at the successful conclusion of testing. A copy of the signed off SIT procedures and related printouts shall be furnished to CONTRACTOR and COMPANY representative.
Upon completion of the SIT, the system shall remain powered on and loop checks shall be conducted as loops are made ready. System status shall continue to be monitored and all detected faults and/or changes/modifications to system hardware and software shall be recorded in the System test log. During commissioning, loop checking shall include the whole loop, from the control room to the field device.
Site Acceptance Test (SAT)
After the system has been commissioned and put in service the Site Acceptance Test period commences. The purpose of the site acceptance test is to verify that all hardware and software is correctly installed and functioning according to the specifications in the real environment and verify integrated performance of the ICSS system.
The Site Acceptance Test will also be done to a previously approved procedure prepared by the VENDOR and approved by the CONTRACTOR. This procedure will detail the monitoring functions to be performed, the methods to be employed, and clearly stipulate the conditions which must be met for acceptance.
This test shall include monitoring the system data transfer and update times. SOE data capture and time synchronization between the PCS and other systems shall be verified. Transmission and display of correct first out alarm notifications as well as secondary alarms shall be observed. System diagnostics shall be routinely checked. The SAT procedure shall fully detail all acceptance test criteria. Duration of SAT shall not be less than 72 hours.
The VENDOR is responsible to maintain a punch list during the SAT. The SAT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire SAT punch list shall be given one System Log report number and maintained as part of the PCS system test log.
The SAT procedure will be signed off by the VENDOR, CONTRACTOR and COMPANY representative at the successful conclusion of testing. A copy of the signed off SAT procedures and related printouts shall be furnished to CONTRACTOR and COMPANY representative.
Successful completion and approval of the SAT will constitute system acceptance by the CONTRACTOR and COMPANY.
Certificates of Acceptance
At the satisfactory conclusion of the FAT, IFAT, SIT, and SAT a Certificate of Acceptance shall be provided by the VENDOR for signature by the CONTRACTOR and COMPANY.
The following documents, as a minimum, shall be attached to the Certificate of Acceptance dossier:
(ddd) Signed and Approved FAT, IFAT, SIT and SAT test reports
(eee) Electric Equipment Test Certificates
(fff) Hardware Test Certificates
(ggg) Software Test Certificates
(hhh) Approved As-Built Drawings
Services by the VENDOR
The VENDOR shall supply necessary manpower and specialist personnel and all necessary tools and equipment to support testing at Vendor’s shop and at site as defined in the above sections.
SUBCONTRACTORS/SUBVENDORS
The list of SUB-CONTRACTORS must be approved by COMPANY.
VENDOR shall assume responsibility and overall guarantee for all supply and services provided by SUB-CONTRACTOR/SUBVENDOR.
The VENDOR shall transmit all relevant Purchase Order documents including specifications to his SUBCONTRACTORS.
It is the VENDOR’S responsibility to enforce all Purchase Order and Specification requirements on his SUBCONTRACTORS.
The VENDOR shall submit all relevant SUBCONTRACTOR drawings and engineering data to the CONTRACTOR.
Any subcontracted services or hardware must be approved in writing by COMPANY. The term service includes design, fabrication, assembly and testing.
VENDOR shall obtain necessary warranties from SUBCONTRACTORS/SUBVENDORS.
SPARE PARTS
Spare Parts
VENDOR shall include the provision of all commissioning spares in the bid. The VENDOR shall also include list of spares required for two years operation, FAT Spares and insurance spares along with price schedule for each item along with the bid.
VENDOR shall complete the Spare Parts Interchangeability Record (SPIR) Form in COMPANY’S approved formats. Parts data shall be supplemented with appropriate drawings / bulletins identifying each part in their respective position.
The VENDOR shall propose the minimum required number of different card types.
Spareage
The PCS shall be delivered with an installed spareage of 20% for each type of input and output and associated support hardware and adequate space within the cabinets to allow for installation of an additional 15% inputs and outputs and any additional support hardware. This spareage shall be utilised to accommodate additions due to design development after the delivery of the system. Prior to delivery additional I/O shall be added as required by the Design Update Packages to maintain the 15% installed spareage target.
Processors, memory, software, communications and software shall be adequately sized to allow for the specified inputs and/or outputs (including all spareage detailed above) and associated controllers, algorithms, system functions and applications (logic and / or sequences) without any upgrade being required; accordingly, processor loading and memory utilisation shall at no time exceed 60%.
Specified spare capacity should include only cabinet space and power supply capacity, unless specific pre-investment is approved.
The VENDOR shall propose the minimum required number of different card types.
Minimum 30% spare space shall be provided for future use.
PRESERVATION & SHIPMENT
Packing and Shipping
Preparation for shipment shall be in accordance with purchase order Preservation and Export Packing requirements. VENDOR shall be solely responsible for the adequacy of the preparation for shipment provisions with respect to materials and application, and to provide equipment at the destination in ex-works condition when handled by commercial carriers. Adequate protection shall be provided to prevent mechanical damage and atmospheric corrosion in transit and at the jobsite. Preparation for shipment and packing will be subject to inspection and rejection by COMPANY’S/CONTRACTOR’S inspectors. All costs occasioned by such rejection shall be to the account of the VENDOR. Equipment shall be packed, securely anchored, and skid mounted when required. Bracing, supports, and rigging connections shall be provided to prevent damage during transit, lifting, or unloading. Separate, loose, and spare parts shall be completely boxed. Pieces of equipment and spare parts shall be identified by item number and service and marked with CONTRACTOR’S order number, tag number, and weight, both inside and outside of each individual package or container. A bill of material shall be enclosed in each package or container of parts. One complete set of the installation, operation, and maintenance instructions shall be packed in the boxes or crates with equipment. This is in addition to the number called for in the Purchase Order.
All kinds of regulatory / non-regulatory approvals and procedures required for shipping shall be in the scope of CONTRACTOR / VENDOR.
Preservation and Storage
Equipment and materials shall be protected to withstand ocean transit and extended period of storage at the jobsite for a minimum period of 18 months. Equipment shall be protected to safeguard against all adverse environments, such as humidity, moisture, rain, dust, dirt, sand, mud, salt air, salt spray, and seawater. All equipment and material shall be preserved, and export packed in accordance with project specifications.
The VENDOR shall provide a preservation plan to protect and ensure the integrity of PCS equipment during the period that starts when the PCS equipment is prepared for the first shipment from the point of origin and ends at the completion of project commissioning and start-up. The plan shall identify protective measures to be implemented during each phase of the project, inclusive of maximum ambient conditions. The completion plan shall be submitted to COMPANY for review and comment no later than 90 days prior to the first shipment of PCS equipment from the factory.
20. COMMISSIONING
Installation
VENDOR shall provide supervision assistance for Installation and Commissioning of PCS System at site. Installation will be carried out by the CONTRACTOR with supervision assistance from the VENDOR. The VENDOR shall notify the CONTRACTOR of any special tools required for installation and supply these, if necessary, to the CONTRACTOR.
The VENDOR shall include the provision for all commissioning spares in its bid.
VENDOR shall be required to support COMPANY / CONTRACTOR by preparing detailed ICSS Commissioning procedures, together with detailed plans covering all site based activities necessary to fully commission the ICSS.
The VENDOR shall identify any special requirements or recommendations for VENDOR support during commissioning and start-up of the equipment supplied.
Life Cycle / Long Term Support
VENDOR must provide assurances that system equipment will not be obsolete in the next 15 years. In the belief that portions of the system will eventually be withdrawn from sale, a firm commitment by the VENDOR that for his standard products there will be either repair capability or equivalent parts and/or products available for a minimum of 15 years from the withdrawal date is required.
The entire system shall be in ‘Active life’ for a minimum period of 15 years. VENDOR shall provide life cycle commitment including:
(iii) Start of Active life
(jjj) End of active life
(kkk) Start of limited support
(lll) End of limited support
(mmm) Start of Obsolescence
Active life: Denotes the system is active and available for sale for new projects and revamp projects, full support from R&D, continuous support in terms of upgrade, patch update, bug fixing etc.
Limited Support: Product has limited support with local maintenance and engineering support; bug fixing, continued supply of spares (refurbished or new parts)
Obsolete: Out of sale and support is discontinued
Between the active and support phases, VENDOR shall provide a minimum support period of 7 years for COMPANY to plan for a smooth upgrade or replacement.
Maintenance
During warranty period, VENDOR shall provide service personnel for periodic fault finding, repair and replacement of all faulty hardware, firmware and software.
During bidding stage, Vendor proposal shall include the details and costs of all standard maintenance services available after SAT. COMPANY shall be under no obligation to select all or any of the agreements detailed and shall be free to negotiate a unique maintenance agreement with the VENDOR.
21. TRAINING
General
The following training courses are proposed for the selective attendance of suitable personnel such as Engineers, Supervisors and Technicians. The purpose of these training courses will range from gaining an appreciation of the PCS, its software and associated hardware, to acquiring an in-depth knowledge for administration and system configuration and software development purposes:
(nnn) System Architecture (all)
(ooo) Systems Software and Maintenance (System Administrator)
(ppp) System Administration (System Administrator)
(qqq) Network /Cyber Security (System Administrators, Supervisors)
(rrr) Application Programming (Engineers, Supervisors)
(sss) Advanced Programming Techniques (Engineers, Supervisors)
The above training shall be included nominally for 10 Engineers / Supervisors and 6 Technicians.
Training Course Documentation
For each trainee who will attend a training course, a copy of the complete training course, notes, and drawings shall be provided to COMPANY eight weeks prior to the commencement of the training course. The copies shall be retained by the trainees on completion of the training course and shall be the property of COMPANY.
In addition, five copies of the training course documentation shall be available on site prior to the installation and pre-commissioning for reference purposes.
Maintenance Training Course
The purpose of the course is to train Engineers/ Supervisors/ Technicians for first line fault diagnosis, and repair by replacement.
System Engineering Course
The purpose of this course is to enable COMPANY Engineers/Supervisors to be able to modify system I/O and system application software including interfaces to the PCS. The course shall include:
(ttt) System Hardware.
(uuu) System operating software.
(vvv) Review of project specific typical application software modules, data formats, data table allocations.
DOCUMENTATION
VENDOR shall submit the type and quantity of drawings for COMPANY/CONTRACTOR authorization or information as per VENDOR Document Register and Schedule (SDRS) provided in Purchase Order.
The VENDOR shall provide all standard and project-specific documentation and software required for system definition, installation, initialisation, operation, maintenance, troubleshooting and training. This information shall provide complete documentation for the PCS in sufficient scope and detail to permit programming and maintenance of the equipment.
Mutual Agreement on document list and documents issue dates shall be an integral part of Purchase Order.
Comments made by CONTRACTOR on drawing submittal shall not relieve VENDOR of any responsibility in meeting the requirements of this specification. Such comments shall not be construed as permission to deviate from requirements of the Purchase Order unless specific and mutual agreement is reached and confirmed in writing.
All drawings, documents, information, correspondence, test reports, operating and maintenance instructions and like items shall be in the English language and metric Units.
All documents and drawings issued by the VENDOR shall be produced in an electronic format compatible with Microsoft Office computer software. Documentation shall also be provided in Native format, in order to allow COMPANY to update it during operational upgrades and future projects. VENDOR shall provide final documentation on DVD-ROM with search and retrieval capabilities.
All system drawings shall be prepared and submitted in accordance with recognized standards. Every effort shall be made to minimize the total number of drawings prepared by use of common drawings, where practicable without loss of clarity.
Before SAT, VENDOR shall issue As-Built drawings incorporating all changes that have taken place during installation, testing and commissioning at site. Each drawing shall be clearly marked ‘As-Built’ and dated.
The list of documents below is intended to define the minimum technical documents to be provided by the VENDOR. This list is not exhaustive and additional documentation necessary for the work execution shall be provided by VENDOR. PCS system documentation to be supplied by VENDOR shall include, but not be limited to:
System Architecture Diagrams
System Block Diagrams and interface schematic
Functional Design Specifications for Hardware and Software, Cabinets, Networking, Interfaces, Cyber Security etc
System Configuration Specifications including Logic and Application Program Design
Reliability/Availability Calculations and Reports
Loading Calculations (CPU, memory, networks, power supplies, spares)
Cabinet and Console General Arrangement drawings
Cabinet internal wiring diagrams
Inter-panel Cable Connection Schedule
Interconnection Wiring Diagrams
Input/Output Assignment List.
Configuration database.
Functional Logic diagrams.
Loop Diagrams
Software licenses
Power supply, distribution and earthing drawings.
Power and Heat Loading calculations
Electrical Load Schedule
I.S. certification dossier (if applicable).
Bill of Materials
Comprehensive data sheets for all major items, including completed data sheets included in the enquiry/purchase order.
Inspection Test Plan (ITP)
QA/QC Procedures
Internal Testing and Pre-FAT Report
FAT Procedure & Report
SAT Procedure & Report
SIT Report
List of all spare parts, tools, test equipment and installation materials.
Spare Part Interchangeability List
Packing, Marking and Shipping Procedure
Preservation and Site Storage Procedure
Complete catalogue sheets of all furnished items.
System Hardware Manuals
Programming Manual
Application software manuals.
System Security Manual
Functional Safety Manual
Operation and Maintenance Manuals
Installation and Configuration Manuals
Quality Manuals
Third Party Manuals
GUARANTEES & WARRANTY
VENDOR shall provide warranty support for a period of two years, commencing on the date of the system PAC following the site acceptance test. Warranty shall apply to defective material workmanship and facility design, and/or facility software. Warranty work shall be done at COMPANY local facilities. The cost of diagnostics and/or correction of any warranty items shall be borne by the VENDOR.
The VENDOR will not be required to provide resident maintenance personnel during the warranty period, but shall have competent technical personnel available from the local facility within 24 hours, if so required by COMPANY.
The VENDOR shall guarantee that the software to be supplied shall be free from errors, for example software/firmware failure to perform function(s) as specified in this specification or COMPANY documentation.
PROJECT ADMINISTRATION
Project Personnel
The VENDOR shall ensure that sufficient qualified personnel are at all times allocated to the project. The VENDOR shall utilize a project team structure to achieve continuity and accuracy of implementation. The VENDOR shall submit for CONTRACTOR’S approval the résumés of all personnel engaged in the project.
It is anticipated that the project team shall comprise at least the following disciplines:
(www) Project Manager (Commercial/Technical) (shall be nominated representative of the VENDOR with responsibility and authority to fully implement the project with technical correctness, on schedule and within the budget).
(xxx) Senior System Designer (Technical).
(yyy) Hardware Design (Technical Hardware).
(zzz) Software Designer (Technical Software).
(aaaa) Test Technician (Technical Testing).
(bbbb) Site Engineer (Installation/Commissioning).
Project Schedule
The VENDOR shall include with his quotation, a detailed Project Schedule showing the VENDOR’S best estimate of the achievable major schedule milestones.
The Project schedule shall be used as the main progress control document during the implementation of the project. The Project Schedule shall clearly show any ‘float’ or ‘slack’ time available together with any freeze dates required by the VENDOR and major milestones for equipment design, manufacture and delivery. The schedule shall clearly indicate required dates for each of CONTRACTOR supplied design data.
The VENDOR may include in the proposal any additional material which clarifies the procedure for implementing the Project Schedule.
Progress Reporting
The Project Schedule shall be used as the basis for monthly progress reporting, schedule controlling and schedule forecasting. At regular intervals, the VENDOR shall revise the Project Schedule to include the effect of changes and to reflect actual Project Progress.
Coordination Meetings
Coordination meetings shall be held as required between COMPANY, CONTRACTORS and VENDOR. The agenda for each coordination meeting will be prepared by the VENDOR prior to each meeting. Detailed meeting minutes will be taken by the VENDOR and submitted to COMPANY and CONTRACTORS for approval. An ‘action item’ log shall be prepared and continuously updated by the VENDOR.
Coordination meetings, to be held either in Abu Dhabi or home office, will be a part of the purchase order scope.
SECTION D
DATA SHEETS TEMPLATES (AS APPLICABLE)
Not Applicable
STANDARD DRAWINGS (AS APPLICABLE)
Not Applicable
SECTION E
APPENDIX
Not Applicable
6.0 APPENDIX 2 (AGES-SP-04-004 – EMERGENCY SHUTDOWN (SIS) SYSTEM SPECIFICATION)
THE CONTENTS OF THIS DOCUMENT ARE PROPRIETARY AND CONFIDENTIAL.
ADNOC GROUP PROJECTS AND ENGINEERING
EMERGENCY SHUTDOWN (SIS) SYSTEM SPECIFICATION
Specification
APPROVED BY:
Abdulmunim Saif Al Kindy
NAME: Abdulmunim Al Kindy TITLE: Executive Director PT&CS EFFECTIVE DATE:
AGES-SP-04-004
GROUP PROJECTS & ENGINEERING / PT&CS DIRECTORATE
CUSTODIAN ADNOC
Group Projects & Engineering / PT&CS Specification applicable to ADNOC & ADNOC Group Companies
REVISION HISTORY
DATE: 1 June 2020
REV. NO: 1
PREPARED BY (Designation / Initial): Asadullah Malik / Sr. Engineer, I&C, TE.
REVIEWED BY (Designation / Initial): Ashwani Kumar Kataria / A/MES, TC-Eng
ENDORSED BY (Designation / Initial): Abdulla Al Shaiba / VP-GPE
ENDORSED BY (Designation / Initial): Zaher Salem / SVP-GPE
Reuben Yagambaram/ SPM-GPE
Group Projects & Engineering is the owner of this Specification and responsible for its custody, maintenance and periodic update.
In addition, Group Projects & Engineering is responsible for communication and distribution of any changes to this Specification and its version control.
This specification will be reviewed and updated in case of any changes affecting the activities described in this document.
Document No: AGES-SP-04-004
Rev. No: 1 Page 2 of 59
INTER-RELATIONSHIPS AND STAKEHOLDERS
a) The following are inter-relationships for implementation of this Specification:
i. ADNOC Upstream and ADNOC Downstream Directorates and
ii. ADNOC Onshore, ADNOC Offshore, ADNOC Sour Gas, ADNOC Gas Processing, ADNOC LNG, ADNOC Refining, ADNOC Fertilisers, Borouge, Al Dhafra Petroleum, Al Yasat
b) The following are stakeholders for the purpose of this Specification:
ADNOC PT&CS Directorate.
c) This Specification has been approved by the ADNOC PT&CS and is to be implemented by each ADNOC Group company included above subject to and in accordance with their Delegation of Authority and other governance-related processes in order to ensure compliance.
d) Each ADNOC Group company must establish/nominate a Technical Authority responsible for compliance with this Specification.
DEFINED TERMS / ABBREVIATIONS / REFERENCES
“ADNOC” means Abu Dhabi National Oil Company.
“ADNOC Group” means ADNOC together with each company in which ADNOC, directly or indirectly, controls fifty percent (50%) or more of the share capital.
“Approving Authority” means the decision-making body or employee with the required authority to approve Policies & Procedures or any changes to it.
“Business Line Directorates” or “BLD” means a directorate of ADNOC which is responsible for one or more Group Companies reporting to, or operating within the same line of business as, such directorate.
“Business Support Directorates and Functions” or “Non-BLD” means all the ADNOC functions and the remaining directorates, which are not ADNOC Business Line Directorates.
“CEO” means chief executive officer.
“Group Company” means any company within the ADNOC Group other than ADNOC.
“Specification” means this Emergency Shutdown (SIS) System Specification.
CONTROLLED INTRANET COPY
The intranet copy of this document located in the section under Group Policies on One ADNOC is the only controlled document. Copies or extracts of this document, which have been downloaded from the intranet, are uncontrolled copies and cannot be guaranteed to be the latest version.
TABLE OF CONTENTS
GENERAL
1 PURPOSE
2 SCOPE
3 DEFINED TERMS / ABBREVIATIONS / REFERENCES
SECTION A
4 NORMATIVE REFERENCES
4.1 INTERNATIONAL CODE(S) AND STANDARDS
4.2 ADNOC SPECIFICATIONS
5 REFERENCE DOCUMENTS
5.1 STANDARD DRAWINGS
5.2 OTHER REFERENCES
6 DOCUMENTS PRECEDENCE
7 SPECIFICATION DEVIATION/CONCESSION CONTROL
8 PROCESS SAFETY REQUIREMENTS
9 DESIGN CONSIDERATIONS
9.1 OPERATION & DESIGN LIFE
9.2 ENVIRONMENTAL REQUIREMENTS
9.3 ELECTRIC UTILITY DATA
9.4 SEISMIC REQUIREMENTS
9.5 HAZARDOUS AREA PROTECTION
9.6 INGRESS PROTECTION
9.7 ENGINEERING UNITS
SECTION B
10 TECHNICAL REQUIREMENTS
10.1 GENERAL DESIGN
10.2 FUNCTIONAL SPECIFICATION (FS) AND FUNCTIONAL DESIGN SPECIFICATION (FDS)
10.3 ESD HARDWARE
10.4 ELECTROMAGNETIC COMPATIBILITY
10.5 SURGE PROTECTION
10.6 ESD SOFTWARE
10.7 COMMUNICATION
10.8 HUMAN MACHINE INTERFACE
10.9 DIAGNOSTICS
10.10 ALARM MANAGEMENT
10.11 SOE REQUIREMENTS
10.12 CABINETS
10.13 PARTIAL STROKE TEST
10.14 CYBER SECURITY
10.15 SPARE CAPACITY/EXPANDABILITY
11 ESD REQUIREMENTS FOR SPECIAL PACKAGE UNITS
SECTION C
12 SCOPE OF SUPPLY
13 QUALITY CONTROL AND ASSURANCE
14 CERTIFICATIONS
15 INSPECTION & TESTING REQUIREMENTS
15.1 GENERAL
15.2 SHOP INSPECTION
15.3 PRE-FACTORY ACCEPTANCE TEST
15.4 FACTORY ACCEPTANCE TEST
15.5 INTEGRATED FACTORY ACCEPTANCE TEST (IFAT)
15.6 SITE INSTALLATION TEST (SIT)
15.7 SITE ACCEPTANCE TEST (SAT)
15.8 CERTIFICATES OF ACCEPTANCE
15.9 SERVICES BY THE VENDOR
16 SUBCONTRACTORS/SUBVENDORS
17 SPARE PARTS
17.1 SPARES
17.2 SPECIAL TOOLS
18 PRESERVATION & SHIPMENT
18.1 PACKING AND SHIPPING
18.2 PRESERVATION AND STORAGE
19 COMMISSIONING
19.1 INSTALLATION
19.2 LIFE CYCLE/LONG TERM SUPPORT
19.3 MAINTENANCE
20 TRAINING
20.1 GENERAL
20.2 TRAINING COURSE DOCUMENTATION
20.3 MAINTENANCE TRAINING COURSE
20.4 SYSTEM ENGINEERING COURSE
21 DOCUMENTATION
21.1 SPECIFIC REQUIREMENTS
21.2 TYPICAL PROGRAM MACROS
21.3 DETAILED LOGIC APPLICATION DIAGRAMS WITH FULL DESCRIPTION
22 GUARANTEES & WARRANTY
23 PROJECT ADMINISTRATION
23.1 PROJECT PERSONNEL
23.2 PROJECT SCHEDULE
23.3 PROGRESS REPORTING
23.4 COORDINATION MEETINGS
SECTION D
24 DATA SHEETS TEMPLATES
25 STANDARD DRAWINGS
SECTION E
APPENDIX 1 ESD SYSTEM REQUIREMENTS FOR SPECIAL MECHANICAL PACKAGES
INTRODUCTION
HIGH INTEGRITY PRESSURE PROTECTION SYSTEM (HIPPS)
2.2 HIPPS LOGIC SOLVER
2.3 HIPPS PRESSURE SENSORS
2.4 OTHER REQUIREMENTS
BURNER MANAGEMENT SYSTEM (BMS)
HYDRAULIC SAFETY SHUTDOWN SYSTEM (HSSS)
GENERAL
1 PURPOSE
The purpose of this specification is to define the minimum mandatory technical requirements for design, manufacturing, testing, packing, installation and commissioning of Emergency Shutdown System (ESD)/Safety Instrumented System (SIS).
2 SCOPE
2.1 The scope of this specification is limited to Programmable Electronic System (PES) type ESD/SIS.
This specification excludes solid state ESD System, field input devices (transmitters, switches etc), and output devices (shutdown valves, electrical switchgears etc).
2.2 For project specific additional requirements, refer to ESD system requirements stated in respective project’s Purchase Requisition documentation.
3 DEFINED TERMS / ABBREVIATIONS / REFERENCES
Abbreviations
AMS: Alarm Management System
BMS: Burner Management System
CCR: Central Control Room
CPU: Central Processor Unit
EMI: Electromagnetic Interference
EDP: Emergency Depressurisation System
ESD: Emergency Shutdown System
EWS: Engineering Workstation
FAT: Factory Acceptance Test
FDS: Functional Design Specification
HART: Highway Addressable Remote Transducer
HVAC: Heating, Ventilation and Air Conditioning
HIPPS: High Integrity Pressure Protection System
HMI: Human Machine Interface
HSSD: High Sensitivity Smoke Detection
HSSS: Hydraulic Safety Shutdown System
IAMS: Instrument Asset Management System
ICSS: Integrated Control and Safety System
IP: Ingress Protection
I/O: Inputs/Outputs
LAN: Local Area Network
LCD: Liquid Crystal Display
LCP: Local Control Panel
LED: Light Emitting Diode
MCB: Miniature Circuit Breaker
MOS: Maintenance Override Switch
MTTF: Mean Time To Failure
MTTR: Mean Time To Restore
OWS: Operator Workstation
PCN: Process Control Network
PCS: Process Control System
PES: Programmable Electronic System
PFD: Probability of Failure on Demand
PLC: Programme Logic Controller
PST: Partial Stroke Test
RAM: Random Access Memory
RFI: Radio Frequency Interference
SAT: Site Acceptance Test
SER: Sequence Events Recording
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System
SIT: Site Installation Test
SOE: Sequence Of Events
SNTP: Simple Network Time Protocol
TETRA: Terrestrial Trunked Radio
TCP/IP: Transmission Control Protocol / Internet Protocol
TUV: Technischer Uberwachungs Verein
UPS: Uninterruptible Power Supply
Technical Definitions
Term: Definition
ESD and SIS System: It is an Electrical / Electronic / Programmable Electronic safety-related System that provides the safeguarding of the process and equipment to protect personnel, assets and environment. It comprises of sensors/transmitters, the final control elements, and the logic solver.
PFD: A value that indicates the probability that a device or system will fail to respond to a demand in a specified interval of time.
Reliability: The probability that when operating under stated environmental conditions, the system will perform continuously, as specified, over a specific time interval.
Fail Safe: The capability to go to a predetermined safe-state in the event of a specific malfunction.
Fault-Tolerant System: A system incorporating design features which enable the system to detect and log transient or steady-state fault conditions and take appropriate corrective action while remaining on-line and performing its specified function.
MTTF: ‘Mean Time To Failure’ is the expected time to failure of a system in a population of identical systems.
MTTR: ‘Mean Time To Restore’ is the statistical average of time taken to identify and repair a fault (including diagnosis).
Response Time: Total maximum time required to read all field inputs, program execution and change field output state at I/O card channel level.
Safety Instrumented Function (SIF): Safety function with a specified safety integrity level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function.
Safety integrity: Average probability of a safety instrumented system satisfactorily performing the required safety instrumented functions under all the stated conditions within a stated period of time.
Safety Integrity Level (SIL): Discrete level (one out of four) for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented Systems. Safety integrity level 4 has the highest level of safety integrity; safety integrity level 1 has the lowest.
SIL Validation: Activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration after installation meets in all respects the safety requirements specification.
SIL Verification: Activity of demonstrating for each phase of the relevant safety life cycle by analysis and/or tests that, for specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase.
Watchdog: Combination of diagnostics and an output device (typically a switch) for monitoring the correct operation of PES device and taking action upon detection of an incorrect operation.
References
ADNOC Group Companies ESD/SIS documents part of ESD/SIS Purchase Order shall be referred for design and supply of equipment.
SECTION A
4 NORMATIVE REFERENCES
4.1 International Code(s) and Standards
The following codes and standards, to the extent specified herein, form a part of this specification. When an edition date is not indicated for a code or standard, the latest edition at the time of order placement shall apply:
Standard: Description

American Petroleum Institute
API RP 521: Pressure-relieving and Depressuring Systems

American National Standards Institute / The International Society of Automation (ANSI/ISA)
ANSI/ISA 5.1: Instrumentation Symbols and Identification
ISA 5.3: Graphic Symbols for Distributed Control/Shared Display Instrumentation, Logic and Computer Systems
ISA 5.4: Instrument Loop Diagram
ISA S5.5: Graphic Symbols for Process Displays
ISA 18.1: Annunciator Sequences and Specifications
ISA 18.2: Management of Alarm Systems for the Process Industries
ISA 71.01: Environmental Conditions for Process Management and Control System, Temperature and Humidity
ISA 71.04: Environmental Conditions for Process Measurement and Control Systems: Airborne Contaminants
ANSI/ISA-TR99.00.01: Security Technologies for Industrial Automation and Control Systems

The Engineering Equipment and Materials Users Association (EEMUA)
EEMUA PUB No 191: Engineering Equipment and Material User’s Association Alarm Systems - A Guide to Design, Management and Procurement

The International Electrotechnical Commission (IEC)
IEC 60079: Explosive Atmospheres – All parts
IEC 60297-3-101: Basic dimensions of front panels, sub-racks, chassis, racks and cabinets
IEC 60332: Tests for Electric and Optical Fibre Cables Under Fire Conditions – All parts
IEC 60364: Electrical installations of buildings - All parts
IEC 60529: Degrees of protection provided by enclosures (IP code)
IEC 60445: Basic and Safety Principles for Man-Machine Interface, Marking and Identification - Identification of Equipment Terminals, Conductor Terminations and Conductors
IEC 61000: Electromagnetic Compatibility (EMC) – All Parts
IEC 61131: Programmable controllers – All Parts
IEC 61508: Functional Safety of Electrical/electronic/Programmable Electronic (E/E/EP) Safety Related Systems - all parts
IEC 61511: Functional safety - Safety instrumented systems for the process industry sector – all parts
IEC 61326-3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) - General industrial applications
IEC 62402: Obsolescence Management – Application guide
IEC 62443: Industrial communication networks - Network and system security - All parts
IEC 17799: Information technology - Security techniques - Code of practice for information security management
IEC 60947-5-6: Control circuit devices and switching elements - DC interface for proximity sensors and switching amplifiers (NAMUR)

Institute of Electrical and Electronics Engineers (IEEE)
IEEE 802.3: Standard for Ethernet

International Organization for Standardization (ISO)
ISO 9001: Quality Management Systems - Requirements.
ISO 9004: Managing for the Sustained Success of an Organization – A Quality Management Approach
ISO 19011: Guidelines for Auditing Management Systems

Military Handbook
MIL HDBK 217F: Reliability Prediction of Electronic Equipment

NATIONAL FIRE PROTECTION ASSOCIATION (NFPA)
NFPA 70: Standard for the safe installation of electrical wiring and equipment
NFPA 85: Boiler and Combustion Systems Hazards Code
NFPA 86: Standard for Ovens and Furnaces
NFPA 87: Standard for Fluid Heaters

European Standards (EN)
EN 298: Automatic burner control systems for burners and appliances burning gaseous or liquid fuels
EN 746 Part 1 & 2: Industrial Thermo-processing Equipment – Safety Requirements
EN 50156: Electrical equipment for furnaces and ancillary equipment

NAMUR (Normenarbeitsgemeinschaft für Mess- und Regeltechnik in der Chemischen Industrie)
NAMUR NE 43: Standardisation of the Signal Level for the Failure Information of Digital Transmitters
4.2 ADNOC Specifications
Document Number: Title
AGES-SP-04-001: Process Control System Specification
AGES-SP-04-003: Fire and Gas System Specification
5 REFERENCE DOCUMENTS
5.1 Standard Drawings
Not Applicable.
5.2 Other References
Not Applicable.
6 DOCUMENTS PRECEDENCE
The Codes and Standards referred to in this specification shall, unless stated otherwise, be the latest approved issue at the time of Purchase Order placement.
It shall be the VENDOR’S and CONTRACTOR’S responsibility to be, or to become, knowledgeable of the requirements of the referenced Codes and Standards.
The VENDOR/CONTRACTOR shall notify the COMPANY of any apparent conflict between this specification, the related data sheets, the Codes and Standards and any other specifications noted herein.
Resolution and/or interpretation precedence shall be obtained from the COMPANY in writing before proceeding with the design/manufacture.
In case of conflict, the order of document precedence shall be:
(1) UAE Statutory requirements
(2) ADNOC Codes of Practice
(3) Equipment datasheets and drawings
(4) Project Specifications and standard drawings
(5) Company Specifications
(6) National/International Standards
7 SPECIFICATION DEVIATION/CONCESSION CONTROL
Deviations from this specification are only acceptable where the VENDOR has listed in his quotation the requirements he cannot, or does not wish to comply with, and the COMPANY/CONTRACTOR has accepted in writing the deviations before the order is placed.
In the absence of a list of deviations, it will be assumed that the VENDOR complies fully with this specification.
Any technical deviations to the Purchase Order and its attachments including, but not limited to, the Data Sheets and Narrative Specifications shall be sought by the VENDOR only through Concession Request Format. Concession requests require CONTRACTOR’S and COMPANY’S review/approval, prior to the proposed technical changes being implemented. Technical changes implemented prior to COMPANY approval are subject to rejection.
8 PROCESS SAFETY REQUIREMENTS
Sr.No. Description
1 ESD/SIS Logic Solver shall be highly reliable and certified for safety integrity level of SIL3 as per IEC 61508 and IEC 61511.
2 ESD/SIS Logic Solver hardware architecture shall be redundant and fault tolerant to provide availability of 99.99%.
3 ESD digital output fail-safe state shall be the ‘de-energized’ state unless otherwise specified. ESD digital output shall go to a ‘0’ (de-energized) state on shutdown conditions, power failure and on component failure.
4 CONTRACTOR shall carry out a Functional Safety Assessment (FSA) as per IEC 61511-1 clause 5.2.6.1.5 prior to the hazards that the SIF are designed to prevent.
5 A detailed safety integrity assessment review to establish SIF integrity targets (SIL) shall be completed by CONTRACTOR during FEED and Detailed Design engineering phase.
9 DESIGN CONSIDERATIONS
9.1 Operation & Design Life
The ESD system shall be designed for a minimum life duration of 15 years.
9.2 Environmental Requirements
Other than field local panels (Remote I/O, Electronic JB etc), all ESD system cabinets will be installed in climate controlled unclassified indoor locations. Use of field mounted Electronic JB/Remote I/O is subject to COMPANY approval based on proven track record and compliance with SIL requirements.
The indoor installed ESD system shall be suitable for an air-conditioned environment to ISA S71.04, G3 classification. Normal indoor operating conditions will be 22°C ± 2°C and 50% Relative Humidity. The System shall continue to operate in HVAC upset conditions, during which the temperature at the indoor installation location can fall to 0ºC or rise to 60ºC, and the humidity can vary between 5% and 95% non-condensing.
9.3 Electric Utility Data
Two separate power feeders from dual redundant UPS and one feeder from Utility power supply shall be made available for use by the VENDOR for powering ESD system cabinets.
The Electrical power supply details are as follows:
(a) 240V AC, Single Phase, 50 Hz, earthed
(b) Steady state Voltage variation ± 10% nominal voltage
(c) Steady state Frequency variation ± 5 %
9.4 Seismic Requirements
The system shall be designed to operate in the presence of a sinusoidal vibration of 2g at 10 - 500 Hz and withstand a shock of 15g for 11 milliseconds.
9.5 Hazardous Area Protection
Unless otherwise specified, ESD system cabinets shall be installed within a general purpose, non-classified electrical area.
If equipment is located in hazardous area, the Hazardous area classification and method of protection shall comply with IEC 60079. ESD/SIS Equipment located in certified Hazardous Area enclosures shall comply with maximum ambient conditions for continuous operation.
Instrumentation in hazardous areas shall be certified by recognised certifying body, IEC or equivalent.
For instrumentation installed in hazardous area, Ex i (Intrinsically Safe) design is the preferred method for hazardous area protection; the exception is solenoid valves, which should be Ex’d’ or Ex’m’ certified. Other protection standards for SOVs may be used where appropriate if specifically approved by COMPANY.
9.6 Ingress Protection
The degree of Ingress Protection (IP) for equipment enclosure shall comply with IEC 60529 and equipment data sheets. The equipment minimum IP rating shall be as follows:
(a) IP 42 for Indoor climate-controlled environments
(b) IP 65 for Outdoor field environments
9.7 Engineering Units
Reference shall be made to Project Engineering Design basis for Units of Measurements.
SECTION B
10 TECHNICAL REQUIREMENTS
10.1 General Design
The Emergency Shutdown Systems (ESD) shall provide an independent protection system to maintain the plant processes in a safe state when the plant Process Control System (PCS) is unable to keep the process within predetermined safe operating limits. The ESD shall perform its safety function by sensing abnormal process conditions and by actuating final elements to bring plant in a safe state. Safe state should be achieved by isolating sections of plant via isolation valves (Emergency Shutdown Valves / Emergency Inventory Valves), stopping rotating equipment machinery such as compressors and pumps, and blowdown / depressurising sections of plant.
The ESD System, also called the Safety Instrumented System (SIS), shall have a high degree of availability, reliability and fault tolerance.
ESD System Logic Solver shall be Programmable Electronic System (PES) based certified for SIL3 as per IEC 61508.
ESD system shall be ‘off the shelf’ equipment with ‘Field Proven’ design in industrial safety applications and certified for intended use.
The ESD system VENDOR shall have a proven track record over a minimum 15 years in providing design, engineering, supply, and commissioning services for large scale Oil, Gas, Petrochemical and related process facilities.
The ESD system shall be engineered considering the full life cycle from design, installation, commissioning, start-up, operations and maintenance through to decommissioning as per IEC 61508 and IEC 61511 requirements.
10.1.1 System Architecture
The Process facilities will be controlled from CCR utilising an Integrated Control and Safety System (ICSS) architecture. This approach consists of a Process Control System (PCS), an Emergency Shutdown (ESD) system, and a Fire & Gas (F&G) system, with the PCS serving as the prime control and command system.
ESD system shall have ‘suitable modular redundant’ architecture (for example, triple or quadruple redundant) utilising two-out-of-three or two-out-of-4D voting or any other equivalent redundant system architecture with appropriate voting configuration to maintain SIL 3 integrity. ESD System architecture shall support hot mode (online) replacement of faulty modules without degradation of system functionality, SIL 3 integrity and high availability.
The ESD system shall have a robust, fault-tolerant, redundant architecture. A single fault shall not reduce the safety availability of the system and the safe failure rate shall remain below that of a simplex processor. Process shutdown shall not occur as a result of any single component failure in the ESD system.
For large process plants with multiple units, the ESD system architecture shall be geographically distributed. The individual ESD sub-system will be located in respective unit’s Instrument Equipment Room. Each ESD sub-system shall be capable of functioning independently and should automatically switch to ‘Island’ mode in the event of communication failure with CCR or between any ESD nodes located in other Instrument Equipment Rooms. Communication failure between ESD Systems located at CCR and Instrument Equipment Rooms shall not automatically lead to plant shutdown. ‘Island’ mode response to communication failure shall be programmable.
10.1.2 Reliability
The ESD system shall be highly reliable and certified to SIL 3 rating as per IEC 61508.
The system shall be designed for an availability of 99.99 percent or better. Availability is defined as:
System availability % = MTTF / (MTTF + MTTR)
SIL and Availability figures must be provided by the VENDOR with method of calculation and all assumptions clearly stated. Data for failure rates shall be derived from FMEDA analysis by recognised bodies.
MTTR of eight (8) hours and Proof Test Interval of 10 years shall be used in PFD and SIL calculations.
10.1.3 Redundancy
The basic architecture of ESD shall utilize redundant processors, I/O modules, power supply, internal buses and communication interfaces so that failure of any single component shall not degrade system safety functionality.
In redundant hardware configuration, it shall be possible to replace and repair any faulty module without interrupting system operation. Faulty module replacement shall not disrupt system safety or functionality or impact operation of the controlled process. The transition to the healthy module shall be bumpless (for example, no loss of process safety and protection). No operator action shall be required to restore the system to normal operation other than simple mechanical replacement of modules.
ESD hardware and software configuration shall be designed to eliminate or subsequently minimize common mode failures.
10.1.4 Performance
The response time (input change to output response) for ESD processing shall be less than 300 msec unless specified otherwise in project functional specification for shorter response time due to process licensor or package equipment manufacturer requirements.
Loading of controllers, processor memory capacity, operator interface stations, data communications devices and networks shall not exceed 60% of total operable capacity under maximum loading conditions including all spares capacity defined in this document. Maximum loading conditions shall be based on the heaviest alarm load possible.
10.1.5 Functional Requirements
ESD System hardware shall be allocated process area and unit wise to reduce impact of any hardware failure on production loss. Using this topology, each ESD system shall operate in a self-contained mode, minimising the potential impact of any inter-nodal communications loss.
ESD System I/O modules shall be segregated by process and risk areas to increase system and process availability. In general, one I/O card shall not contain the I/O of more than one process unit. Process unit I/O split unit wise is not required for Non-Fail safe output cards driving alarm lamps. Cards belonging to one logic group shall be located together and spare points shall be left within the I/O group for expansion. Distribution of I/O shall also be governed by Unit segregation, identification as Independent Protective Layer for a specific Safety Instrumented Function and avoidance of common mode failures.
Wherever voted logic (for example, 1oo2, 2oo3 etc.) is required for multiple devices, each device shall be allocated to separate I/O cards. Critical duty and stand-by equipment such as boilers, turbines, compressors and pumps that are spared shall be segregated into separate I/O cards.
Hardware portions of ESD which share different SIF functionalities shall be rated for the highest SIL among the SIF functionalities contained within. This shall include main CPUs, communication modules, I/O cards, Barriers, Relays, and power supplies to ESD system and field devices. The operating system and programming software shall also be validated as suitable for the highest required SIL of SIF functionalities executed by ESD system.
Generally, a ‘1’ logic signal on inputs is to be used for the normal (safe) state, and a ‘0’ logic signal for an abnormal (trip or failure) state.
Any safety critical fault resulting in a system failure shall drive ESD/SIS outputs to fail safe state. The fail-safe state shall be the de-energized mode unless otherwise specified. The ESD system outputs shall be normally energized, de-energize to trip, except for alarm/status lamp outputs. Output signals should go to a ‘0’ (deenergized) state on power failure or on component failure. Note that certain specific applications may be designed as energized to trip. All cases where the design is to be energize to trip shall be approved by the COMPANY.
The ESD logic solver shall be designed such that once it has placed the process in a safe shutdown state, the outputs shall be latched to fail safe state. They shall be restored to energise state only after process healthy condition is restored followed by interlock reset command by operator.
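The input, voting, output and latching conventions of 10.1.5 can be exercised in a short simulation. The Python below is an added illustration, not part of AGES-SP-04-004 and not VENDOR logic; the names (vote_2oo3, LatchedSif, run_scenario) and the scan sequence are constructed, and it assumes that a failed input channel is read as ‘0’ and that a logic solver fault is passed in as a flag.

```python
"""2oo3 de-energize-to-trip SIF with latched trip and operator reset.

Added illustration of the conventions in 10.1.5; all names are hypothetical.
"""
from dataclasses import dataclass

# Input convention: '1' = normal (safe), '0' = abnormal (trip or failure).
HEALTHY, TRIP = 1, 0
# Output convention: normally energized, de-energize to trip.
ENERGIZED, DEENERGIZED = 1, 0


def vote_2oo3(inputs):
    """Return TRIP when at least two of the three channels read abnormal.

    Assumption: a channel with no valid reading (None or any value other
    than 1) counts as '0', so a failed channel votes towards the safe state.
    """
    if len(inputs) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    trip_votes = sum(1 for value in inputs if value != HEALTHY)
    return TRIP if trip_votes >= 2 else HEALTHY


@dataclass
class LatchedSif:
    """One safety function: voted inputs, latched fail-safe output."""
    output: int = ENERGIZED
    latched: bool = False

    def scan(self, inputs, reset_cmd=False, solver_healthy=True):
        """Run one logic-solver scan and return the output state."""
        voted = vote_2oo3(inputs)
        if voted == TRIP or not solver_healthy:
            # A trip demand or a safety-critical fault always wins, even if
            # the operator is holding the reset command.
            self.latched = True
        elif self.latched and reset_cmd:
            # Reset is accepted only once the process is healthy again.
            self.latched = False
        self.output = DEENERGIZED if self.latched else ENERGIZED
        return self.output


def run_scenario():
    """Replay a constructed scan sequence and return the output per scan."""
    sif = LatchedSif()
    scans = [
        ((1, 1, 1), False),     # all channels healthy: output energized
        ((1, 0, 1), False),     # one abnormal channel: no shutdown
        ((0, 0, 1), False),     # two abnormal channels: trip
        ((1, 1, 1), False),     # process healthy, no reset: stays tripped
        ((1, 0, 0), True),      # reset while demand persists: rejected
        ((1, 1, 1), True),      # healthy and reset: output re-energized
        ((1, None, 0), False),  # failed channel plus one trip vote: trip
    ]
    return [sif.scan(inputs, reset) for inputs, reset in scans]


if __name__ == "__main__":
    print(run_scenario())
```

The second scan shows why a single transmitter fault does not shut the process down under 2oo3 voting, and the fourth and fifth scans show the latch holding until both the healthy condition and the reset command are present.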
10.1.6 SIL Review
Each SIF shall be SIL Validated and then Verified during detail design by CONTRACTOR during FEED and EPC stage.
CONTRACTOR shall carry out SIL Validation and Verification assessments as per IEC 61511.
VENDOR shall provide necessary support to CONTRACTOR for SIL Verification activity.
VENDOR shall provide following data and necessary support for SIL Verification activity:
(a) PFD and System Failure Rates.
(b) Safe Failure Fraction.
(c) Diagnostic Coverage factors.
(d) Mean Time Between Failures.
(e) Common cause failure factor as per method detailed in IEC 61508-6.
(f) SIL 3 Certificate as per IEC 61508 from Exida, TUV or equivalent.
(g) Safety Manual.
(h) Documentary evidence of suitability of equipment based on prior use as described in IEC 61511-1.
(i) Fault tolerance report, showing conformance to IEC 61511-1 requirements.
10.1.7 Emergency Depressurisation System (EDP)
The Emergency Depressurisation System is provided to reduce the pressure in a system below the normal operating pressure to achieve the following:
(a) To reduce the risk of vessel or pipeline rupture during a fire.
(b) To minimize the hydrocarbon inventory which may be exposed to fire hazard.
(c) To minimize the uncontrolled release of flammable or toxic gas.
The Emergency Depressurisation facility shall be designed in accordance with API RP 521.
The Emergency Depressurisation Valves (EDV) located on piping will be opened from CCR to release gases to vent system during hazardous situation. Activation of emergency depressurisation sequence shall be automatic or manual as per respective plant shutdown philosophy. EDP functionality shall be implemented in plant ESD/SIS. EDVs and depressurisation activation Push Buttons shall be wired to plant ESD/SIS. The EDP activation Push Buttons with protected cover and lamp indication shall be located on ESD console in CCR.
10.2 Functional Specification (FS) and Functional Design Specification (FDS)
The Functional Specification shall be prepared by CONTRACTOR in consultation with COMPANY and shall form the basis for the VENDOR proposals and for the VENDOR to develop the ESD system design in detail. It shall be written specifically for each project.
The FS shall provide the following information:
(1) This specification
(2) Number and spacing of IES;
(3) Number and type of I/O (Analogue, Digital, SOV, ‘Soft’ serial, IS, Non-IS) and allocation to IES;
(4) Number of Safety functions and allocation to IES;
(5) I/O Criticality ratings
(6) Requirements for ‘island’ operation.
(7) P&IDs (to support segregation assessment).
Based on the FS and additional supporting documentation, VENDOR shall develop the detailed design of the ESD system and document it in the FDS.
The supporting information supplied to VENDOR to develop the FDS shall include:
(8) Logic Descriptions;
(9) Sequence Narratives;
(10) Updated P&IDS;
(11) Operating Philosophies;
The FDS shall detail the project specific architecture, system layout, hardware, software. It shall be written in conjunction with COMPANY/CONTRACTOR by VENDOR, based on the Functional Specification, provided in the requisition, and the additional supporting documents.
The system design and build will not be approved until the FDS is approved by COMPANY.
Operator interface requirements shall be included in FDS.
The FDS shall provide a detailed inventory and description of the equipment, functional definition and equipment data, including, as a minimum:
(1) Definition of data flows to achieve FS requirements
(2) Allocation of controllers to IES/units
(3) Allocation of I/O to controllers
(4) Number of ESD cabinets
(5) Allocation of I/O to cabinets
(6) General Arrangement (GA) of cabinets including, rack distribution and mounting, power distribution, terminations, trunking, cooling fans, temperature monitoring, cable entry arrangement and dimensional drawings
(7) Preliminary configuration database
(8) Function block definitions (Valve trip, Pump trip, etc.)
(9) HMI station details /GA and dimensional drawings
(10) Access control
10.3 ESD Hardware
10.3.1 Main Processors
Each ESD system shall contain redundant CPU operating synchronously and in parallel.
Hot replacement of a CPU or modification of a CPU’s running application program shall not require process interruption or system re-initialization.
A locking mechanism (hardware switch) for each CPU shall prevent memory modification from an outside source.
For CPU with volatile (RAM) memory, battery backup on CPU module shall be provided to retain data for six months in memory. Batteries on CPU module shall be replaceable online without degrading ESD system functionality.
Each processor loading shall not exceed 60% in all memory areas, to allow for future expansion.
10.3.2 I/O General
The VENDOR shall provide I/O cards of robust design and high quality. I/O cards shall be installed in I/O cabinets in I/O racks or on individual base plate depending on I/O card mounting design. I/O cards shall be manufactured to withstand the facility environment, the maximum ambient conditions.
All input and output cards used in SIF shutdown logic shall be redundant, fail safe design and SIL3 certified as per IEC 61508. All output cards which are driving non-critical alarm lamps should be approved for non-interaction and are not SIL rated. Redundant I/O cards shall be used for all inputs and outputs except for maintenance override inputs and annunciators / lamps outputs. For I/O cards installed in I/O racks, single I/O cards with empty hot spare shall be provided for maintenance override inputs and outputs to annunciators/lamps.
‘Single Component’ hardware such as signal conditioners, I.S barriers, Signal converters, relays used for individual SIF must be arranged in voting scheme to meet the targeted SIL of each SIF. PFD values and architectural constraints must be taken into consideration when evaluating the achieved SIL of each SIF.
The I/O system shall be of a modular design. The I/O modules will include an electronic design that allows ease of installation. The system shall permit any I/O module to be removed or inserted into the system backplane under power without causing a system upset. The system shall include diagnostics to prevent signal scan errors due to card removal or insertion.
Except for Universal type I/O cards, a mechanical keying facility shall be provided to prevent physical insertion and on-line activation of a module in a wrong location. No address links or switches shall be mounted on the I/O modules. The module type identifier shall be located in the firmware of the module and automatically recognised by the operating system.
Number of I/O channels per I/O card shall be limited to 32 nos.
I/O Modules should preferably be universal type, for example each I/O Module can be configured as Analogue or Digital input/output as per requirement.
All individual I/O channels shall be electrically isolated (opto-isolator) from the main CPU and provide galvanic isolation from field equipment. Failure in any I/O card shall not affect other I/O cards. Failure or fault in any I/O channel shall not affect other I/O channels. I/O cards shall be designed so that a short circuit or high voltage on one input (or output) shall not induce a fault on any other input (or output) on the same module. Ground/Earth fault shall be automatically detected and reported preferably per individual I/O card or per individual I/O channel.
All Input and Output cards/modules shall have built in capability of ‘Line Monitoring’ to detect I/O channels faults like open circuit, short circuit, earth fault, load failure, supply failure, circuit fault.
For digital inputs, end line resistors used for the line monitoring purpose shall be installed on the terminal of the field switches. When isolation barriers are used in safety critical applications, line monitoring thresholds shall be configured to detect barrier faults. This ensures that barrier faults do not inhibit safety critical functions.
Input faults like open circuit, short circuit, earth fault etc which are not safety critical shall be configured with a default 2 second delay to avoid alarm chattering and spurious trips.
For the purpose of standardisation, ESD system digital outputs shall provide power to the field devices (for example, solenoids, relays, etc.), while digital inputs shall provide 24 VDC to input switches.
All input and output points shall be individually provided with current limiting and isolation circuitry.
All discrete I/O modules should include local status indicators (LED) to monitor the status of each input and output and any communication and I/O faults. Spare I/O points, which are pre-configured within the ESD system shall be shorted or terminated according to manufacturer’s recommendations to avoid nuisance faults or diagnostic alarms.
Unless otherwise specified by the CONTRACTOR during detailed design, the ESD System VENDOR must assume that all Field devices, both Inputs and Outputs are located in potentially hazardous atmospheres. Inputs shall provide intrinsic safety isolation through the use of appropriately certified, galvanically isolated intrinsically safe interface units. The barriers may be either inherent in the System I/O cards or termination assemblies, or in separate field termination blocks mounted within the marshalling cabinets.
Field Cable Termination Board design shall ensure that all active components used for signal conditioning and for loop power to input/output signals are redundant. Failure of any component inside them shall not generate fault in redundant I/O signal channel simultaneously.
10.3.2.1 Analogue Inputs
The ESD system shall support following analogue inputs:
(a) 4-20mA, HART compatible, 24VDC powered by the System and load resistance 600Ω nominal.
(b) 1 to 5 V DC
(c) Range of Thermocouple and RTD inputs (Note- Temperature transmitters with HART 4-20 mA output shall be used for RTD and Thermocouple sensors unless specified otherwise)
(d) Pulse Inputs for Rate measurement
The ESD System shall be capable of interfacing with 2, 3 and 4 wire instruments with or without powering from system.
Analogue input card characteristics shall meet or exceed the following requirements:
(a) Analogue to digital conversion shall exhibit high common mode line frequency noise rejection.
(b) Normal mode rejection shall meet or exceed 60 dB at line frequency and harmonics.
(c) Common mode rejection shall meet or exceed 120 dB at line frequency and harmonics.
(d) Common mode voltage rejection shall be 500 V DC or peak AC.
(e) Automatic gain and zero shift compensation are preferred.
(f) Minimum acceptable resolution is 12 bits (1 in 4096).
(g) Accuracy, including linearity shall be 0.1% of full scale or better.
a. Open loop/thermocouple burnout (either direct or via an appropriate interface) feature is required.
HART signals connected to ESD shall be directly accessible from the Asset Management System. It is preferred to use HART compatible Field Termination Assemblies and HART enabled AI/AO instead using HART multiplexers and modems for HART interface. Exceptions shall require prior approval from COMPANY. ‘Smart’ transmitters HART data must be configured to ‘read only’.
Analogue inputs shall have open circuit, short circuit and out of range detection capability as per NAMUR NE43 standard.
History/trending data storage functionality shall be available for all Analogue I/Os.
10.3.2.2 Analogue Outputs
The ESD system shall support analogue output of 4-20 mA with HART protocol for PST of Shutdown Valves.
10.3.2.3 Digital Inputs
The ESD System shall support discrete inputs as follows:
(a) Input type- Volt free Contact and NAMUR Proximity switches.
(b) Inputs powered from ESD by 8–24 VDC wetting voltage and capable of detecting status changes with loop impedance (including contact resistance) of at least 1000 ohms.
(c) Digital input signals shall be conditioned by a low-pass filter, typically up to 15 msec, to reduce the effects of noise and bounce.
(d) A minimum of 1000 VDC opto-isolation shall be provided between each input signal and microprocessor.
10.3.2.4 Digital Outputs
The ESD System shall support discrete outputs as follows:
(a) Digital Output shall power Solenoid Valves, Interposing Relays and Alarm Lamps of voltage rating 24V DC, 48V DC or as specified in purchase order.
(b) Digital outputs shall be current rated for minimum 0.5 amp for an inductive load per point at 60°C. Output circuits shall be provided with protection against reverse EMF and voltage transients caused by the switching of inductive loads and protection against current overloads.
(c) Voltage loop back circuitry shall automatically verify that the commanded state is equivalent to the field state.
(d) Digital output modules shall operate within ±10% voltage variation, provide a minimum of 1000 VDC opto-isolation between each output signal and microprocessor, accept surge current on each point of 12A per cycle for AC voltage and 10A for 24 VDC voltage for 10 msec and 5A for 48 VDC voltage for 10 msec.
(e) Output modules shall be automatically tested for stuck-on and stuck-off components at a regular interval not exceeding 1 second.
10.4 Electromagnetic Compatibility
ESD system equipment shall comply with IEC 61000 and IEC 61326-3-3 for immunity to Radio Frequency Interference (RFI), Electromagnetic Interference (EMI) and electrostatic discharge.
The systems shall be capable of accepting various signal inputs for its direct use while preventing noise errors due to electromagnetic or radio frequency interference including hand-held or mobile communications equipment, nearby radio stations, electrical storms, solenoids, relays or contactors carrying heavy currents.
The most probable source of radio frequency interference (RFI) at the site is the use of handheld radio transceivers with nominal radiated power of 5 watts. VENDOR shall state any frequencies in the VHF and UHF and TETRA bands for which they cannot comply.
10.5 Surge Protection
VENDOR shall provide protection for the ESD system equipment against surges and transient over-voltage/currents that may be induced via the power supply, communications and signal cabling Systems. ESD system Surge protection shall comply with IEC 61000-4-5. Protection shall be built to withstand 2kV surges on power supply cabling and 1kV on communications and signal cabling.
10.6 ESD Software
10.6.1 Programming
The CONTRACTOR shall develop Logic diagrams from ESD Cause and Effect Diagrams in line with standard formats during FEED stage and shall be further detailed during EPC stage. VENDOR shall develop application programs to implement safety logics based on Cause and Effect/Logic Diagrams, and safety requirements documentation provided by CONTRACTOR.
The application program shall be user friendly. This means that detailed comments and descriptions shall be included throughout all function block elements which identify elements by tag numbers and intended functionality.
Application software shall be designed in conformance to IEC 61511-1, clause 12.
Standard Function blocks that are pre-tested and certified by a recognized external organization like TUV shall be used to develop the application programs.
Maximise use of standard function blocks for all frequently used functional logics. This reduces software configuration time, results in standardised application logic which simplifies operation, maintenance and future projects configuration work.
The program development software shall be capable of supporting both on-line and off-line programming. On-line programming, or making on-line application program changes while an ESD system is operating (for example, configuring new I/O points, tags and addresses, revising or adding logic and changing dynamic element parameters), shall be possible without having to reset or re-initialize application programs currently running within the CPU. Off-line program emulation shall be provided unless specified otherwise.
Program editing and saving shall incorporate automatic time-dated and revision level file saving functionality. To monitor software changes, there shall be a software utility for comparing two revisions (present and past) of application program which shall report all changes in a high level readable format to evaluate result of changes and identify extent of testing required. Verification of application software by software tool shall be possible on-line.
VENDOR shall issue Functional Design Specifications which should clearly define all standard Function Blocks (non-custom ones) developed to implement ESD functional requirements along with VENDOR’s Hardware, Software, Firmware and Network solution for the Project. The methodology of preparing this documentation shall comply with IEC 61508 for software development and implementation. COMPANY approval of Functional Design Specification is mandatory prior to commencement of manufacture.
Each ESD system shall be programmed using IEC 61131 compliant software. The configuration software shall be capable of implementing all logic and safety functions required by the application. VENDOR shall state the programming method used, and the operating system required for the programming system. Additionally, the VENDOR shall advise where the programming/monitoring software resides, and the various licensing agreements for single and multiple uses of the software.
Where separate ESD functional logic groups are implemented within the same ESD, the software for each shall be kept fully segregated. As a minimum, dedicated areas within the ESD program shall be applied for each ESD functionality. These dedicated areas shall be clearly documented within the program using program comment capability. Spare internal bit and register addresses shall be maintained for each ESD functionality program or program area.
Software shall be protected from unauthorized changes by the use of both passwords and key lock switches. VENDOR shall advise what methods are available in his system for such protection.
ESD CPU shall support following software utilities for logic implementation:
(a) Math functionality with both integer and real numbers.
(b) Relay logic including transitional inputs and latching outputs.
(c) Time delays and counters.
(d) Median Select and Median Deviation function for analogue input voting.
The EWS and Logic Solver operating system, application and configuration software shall be supplied by VENDOR with the latest up-to-date software revision and associated patches till SAT. In addition, VENDOR shall make available all the software updates and patches during entire life cycle of ESD system as part of Long-term technical support contract.
10.6.2 System Log
To monitor changes in configuration, a system log shall be maintained by VENDOR from the FDS approval date till FAT, SAT and Commissioning is completed.
The system log is to record the date of changes or occurrence of problems, the cause / originator of the change or problem, summary of the change or problem, an assigned change or problem report number and action taken relating to the change or problem correction. The list shall be maintained in chronological log report number order in a format such as MS Excel (.xls) that can be easily uploaded into a database. Application program changes requested shall be kept filed by functional logic group. Each change shall be filed marked with the assigned system log report number. Maintenance of these records is required to comply with IEC 61508.
10.6.3 Engineering Workstation
Engineering Workstation shall be provided to allow the user to enter, add, delete, or modify logic program, fault diagnostics, system monitoring, and application documentation.
Access to Engineering Workstation for configuration purposes shall be restricted to users with appropriate credentials. The user access to ESD system shall be restricted by means of User Ids and Passwords or other suitable technologies for identification and authentication of users. Two factor authentication and password protection shall be provided for each user. The system shall be capable of defining user groups as per roles (Engineer, Technician). System access privileges shall be configurable for each user group.
The Engineering Workstation shall be capable of monitoring the status of application programs in real-time. Manual forcing of input or output states and visible power flow on logic diagram shall be possible.
All programming shall be done using alphanumeric tag name references and allow on-screen comments for functional description of application program.
Off-line programming shall provide run emulation capability for testing and troubleshooting of the application program. Software changes shall be done off-line, tested, and then compiled into the running application.
The VENDOR shall detail in the ESD FDS the methods of version control and storing of master and backup copies of application programs for all the ESDs located at different geographical locations. Each change shall have the detail of the change, the time and the personnel who performed the change logged.
VENDOR shall fully describe and quote as an option any offline and remote diagnostic tools that are available for use with the system.
Additionally, for process plants with multiple ESD systems located at various Instrument Equipment Rooms, it shall be possible to connect PC-laptop based EWS at each ESD location, for purposes of monitoring or programming. The VENDOR is responsible for providing all necessary hardware, communication ports and internal cabinet wiring to support this EWS connectivity requirement at each ESD system location.
VENDOR shall provide an EWS software backup and restore system.
10.7 Communication
ESD System shall consist of the following two networks for communication:
(1) Safety Network (SN) - this shall be a SIL 3 rated, redundant network used to communicate safety critical signals such as inter-trips between various ESD system nodes.
(2) Process Control Network (PCN) - used for interfacing with PCS for ESD I/O display, alarming of shutdowns and diagnostics, invoking of operational and maintenance overrides from PCS OWS.
The SN and PCN communication networks shall be dual redundant and support IEEE-802.3 Ethernet interface capability. The communications modules shall include an internal program (self-diagnostics) and transmission error detection mechanism to locate hardware malfunctions and aid in locating coding errors in the configurations and software programs.
Connections to networks and devices outside of the ESD system shall be performed through dedicated firewall devices. ESD communication networks shall be ‘Achilles’ certified for cyber security and robustness.
Communication interfaces shall be off-the-shelf, using existing, industry standard media and communications protocols such as Modbus or Ethernet as identified in project specifications.
All communications ports shall permit connection or disconnection of cabling without interrupting or jeopardizing ESD system operation.
Error checking schemes shall include Cyclical Redundancy Checking (CRC), Longitudinal Redundancy Checking (LRC) in conjunction with bit parity checks, fail safe transmission time-out, message fault words, and loss of communication path alarms.
No adverse effect shall occur on communications networks during transients when many variables are changing rapidly or by data queries from the maintenance station. Data highway broadcast ‘storms’ shall not cause the ESD system to lock up or operate improperly.
The communication interface shall be sufficiently robust to withstand electromagnetic interference including power surges without causing a dangerous failure of safety functions.
The communication interface shall be suitable for communication between devices referenced to different electrical ground potentials.
VENDOR is responsible for the correct design of the Communication Network interface to affect bi-directional transfer of all ESD information and maintain ICSS screen update of 1 to 3 seconds maximum.
Loss of data communication to PCS PCN shall not result in trips or status changes of the ESD communication points. Recovery of communication shall be automatic. The VENDOR shall indicate the type of output (hardwired) that will be made available for annunciation of communication failure at PCS OWS.
For connecting ESD Systems located at different locations, the SN and PCN communication networks shall use redundant fibre optic cables and components, installed by others across various plant units, utilising segregated path routing to minimise common mode failure of redundant links. Fibre Optical cables shall be terminated directly to ESD communication module or through Network switch/media converter. Communication system components including Network Switches, Media Converter, power supplies shall be redundant.
10.8 Human Machine Interface
10.8.1 Operator Interface
The ESD system shall be designed to operate on a stand-alone basis. Under normal conditions, the ESD system shall utilize the PCS OWS to display status of all ESD I/O’s and alarm notifications.
From PCS OWS, Operators shall be able to view all data related to ESD for example process parameters current values, states of all ESD inputs and outputs, alarms, maintenance overrides, resets.
ESD system data shall be displayed on the PCS Process Graphic displays in the same way as native PCS data. Though ESD system I/O’s are not directly connected to the PCS, same shall be transparent from the PCS OWS to the maximum extent possible.
The PCS shall be utilised to display ESD system shutdown hierarchy, architecture and ESD shutdown logics in Cause and Effect diagrams format.
The PCS OWS shall display various faults and process alarms generated in ESD system for analogue and digital I/Os. Fault alarms shall include Open circuit, Short circuit, Earth fault. Process alarms shall include measuring parameter High High, High, Low, Low Low alarms, for example LAHH, LALL.
To transfer display and alarm data, ESD shall communicate with the PCS OWS seamlessly as with any other PCS nodes on the PCN Communication Network.
Separate ESD hardwired Mimic or Matrix panel is not required unless specified otherwise in purchase order.
10.8.2 ESD Console
ESD Console shall be provided in CCR to install Push Buttons (Shutdown, De-pressurisation, Reset), key Switches for Input Overrides (MOS), and Visual and Audible Annunciator for critical alarms.
Where applicable, in addition to CCR, the Emergency Shutdown and Depressurisation Push Buttons shall be provided on ESD console at Local Control Rooms near to process units. If ESD Processor cabinets are installed in remote Instrument Equipment Room, then ESD console Digital I/O data shall be transferred to ESD Processor on dual redundant SIL3 certified Safety Network.
To avoid spurious trips, the Total Plant and Unit Shutdown, De-pressurisation and Critical equipment shutdown activation Push Buttons shall be triplicate contacts (provide 3 separate contacts) for 2oo3 voting.
Shutdown and Depressurisation push buttons shall be fitted with mechanical protection to avoid accidental initiation.
10.8.3 Maintenance Override Switch
The Maintenance Override Switch (MOS) functionality shall be provided only for ESD inputs to bypass inputs during plant start-up and maintenance operations. The application of ESD Input Overrides during maintenance shall be controlled at supervisory level via Master Inhibit Enable key switch with lamp indication on ESD console. When it is in the ‘Override On’ position, a limited number of individual maintenance overrides from PCS HMI can be applied. Turning the key to the ‘Off’ position shall remove all overrides and extinguish the warning lamp.
Start-up overrides from PCS HMI shall be granted if Master Start-up Inhibit Enable Key Switch is in ‘Override On’ position. Timers shall be used on start-up override, to remove these after a pre-defined time.
The MASTER Inhibit Enable key-switch shall be of ‘stay put’ type with key reset. The key shall be removable in the ‘Off’ position.
ESD system shall support following functionality for MOS Management:
(1) Two factor authentication and password protection to activate individual input override in addition to hardwired MASTER Inhibit Enable key-switch on ESD console
(2) MOS activation incident shall be logged and generate alarm in PCS.
(3) MOS timeouts shall be configurable to remove input overrides either automatically or manually
(4) Alert operator if input is in override state for longer than timeout limits
(5) The history of MOS activities (for example, enabled, removed, timeout, etc.) shall be available in SOE and displayed in dedicated MOS display in EWS and PCS OWS.
(6) In order to maintain adequate protection, multiple overrides enabled at a time shall be limited. The input overrides shall be organised in groups (process system wise) and limits on number of overrides per group shall be configured (typically 2 input override per group maximum).
(7) For 2oo3 voting logic, it shall not be possible to override more than one input at the same time. During override condition, the 2oo3 logic shall automatically degrade to 1oo2 unless otherwise specified.
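The MOS rules in 10.8.3 can be exercised as a small model. The Python sketch below is an added illustration, not part of the specification or of any VENDOR product; the class and function names, the tag names, the timeout value and the boolean standing in for a completed two factor authentication are all assumptions.

```python
from dataclasses import dataclass, field

HEALTHY, TRIP = 1, 0  # page convention: '1' = normal, '0' = trip


@dataclass
class MosManager:
    """Hypothetical model of the MOS management rules (1) to (7)."""
    group_limit: int = 2           # "typically 2 input override per group maximum"
    timeout_s: float = 4 * 3600    # constructed value; the page leaves it configurable
    auto_remove: bool = True       # False = alert only, operator removes manually
    master_key_on: bool = False    # MASTER Inhibit Enable key switch position
    group_of: dict = field(default_factory=dict)   # tag -> override group
    voting_of: dict = field(default_factory=dict)  # tag -> 2oo3 voting set, if any
    active: dict = field(default_factory=dict)     # tag -> (user, start time)
    log: list = field(default_factory=list)        # (time, event, tag, detail)

    def register(self, tag, group, voting_set=None):
        self.group_of[tag] = group
        if voting_set:
            self.voting_of[tag] = voting_set

    def _deny_reason(self, tag, two_factor_ok):
        if tag not in self.group_of:
            return "unknown tag"
        if not self.master_key_on:
            return "master key off"
        if not two_factor_ok:
            return "authentication failed"
        if tag in self.active:
            return "already overridden"
        vset = self.voting_of.get(tag)
        if vset and any(self.voting_of.get(t) == vset for t in self.active):
            return "voting set already has an override"
        group = self.group_of[tag]
        if sum(1 for t in self.active if self.group_of[t] == group) >= self.group_limit:
            return "group limit reached"
        return None

    def request(self, tag, user, two_factor_ok, now):
        """Apply one override; every attempt, granted or denied, is logged."""
        reason = self._deny_reason(tag, two_factor_ok)
        if reason:
            self.log.append((now, "MOS_DENIED", tag, f"{user}: {reason}"))
            return False, reason
        self.active[tag] = (user, now)
        self.log.append((now, "MOS_ENABLED", tag, user))
        return True, "granted"

    def remove(self, tag, now, why="removed by operator"):
        if self.active.pop(tag, None) is not None:
            self.log.append((now, "MOS_REMOVED", tag, why))

    def set_master_key(self, on, now):
        """Turning the key to 'Off' removes all overrides."""
        self.master_key_on = on
        if not on:
            for tag in list(self.active):
                self.remove(tag, now, "master key off")

    def tick(self, now):
        """Log every override past its timeout; remove it when auto_remove is set."""
        overdue = [t for t, (_, start) in self.active.items()
                   if now - start > self.timeout_s]
        for tag in overdue:
            self.log.append((now, "MOS_TIMEOUT", tag, "override exceeded timeout"))
            if self.auto_remove:
                self.remove(tag, now, "timeout")
        return overdue


def vote_2oo3(mgr, inputs):
    """Return True on trip. inputs maps the three voted tags to HEALTHY or TRIP.
    An overridden input is ignored and the remaining two are voted 1oo2."""
    live = [v for tag, v in inputs.items() if tag not in mgr.active]
    trips = sum(1 for v in live if v == TRIP)
    needed = 2 if len(live) == 3 else 1
    return trips >= needed
```

Reviewing the `log` list for `MOS_DENIED` and `MOS_TIMEOUT` entries is the model's counterpart of the MOS history that item (5) requires in SOE.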
10.9 Diagnostics
The system shall incorporate comprehensive self-diagnostics such that all permanent and transient faults are identified, alarmed and reported.
ESD system shall have ‘Watchdog’ functionality to monitor healthiness of hardware and software.
ESD system shall be capable of identifying, locating and reporting the following faults as a minimum:
(1) CPU faults
(2) Communication faults.
(3) I/O module faults.
(4) Scan failure of main or I/O processors.
(5) Memory faults.
(6) I/O interface or addressing faults.
(7) Application program and hardware layout inconsistency.
(8) Voted signal discrepancy on inputs and outputs.
(9) Voted discrepancy on calculated values within application program.
(10) Load power or fuse faults on field circuits.
(11) Power supply faults including battery back-up monitoring and output voltage verification.
(12) Over temperature conditions.
(13) Transmitters Bad Quality (BQ) status as per NAMUR 43.
(14) System cabinet high temperature.
(15) MCB fault.
(16) Fan failure/Temperature alarm of CPU system rack.
(17) Watchdog failure.
(18) I/O forcing status.
(19) Common fuse blown indication for I/O cards and power supply units.
(20) Incoming feed power supplies failure status.
(21) Earth fault of I/O Channel.
(22) Open Circuit fault for Normally de-energized I/O loop.
(23) Short Circuit fault.
(24) Safety Network status.
I/O module diagnostics shall be able to detect and alarm I/O point faults of the following types:
(i) ‘stuck-on’ - short circuited failure of a discrete input or output.
(ii) ‘stuck-off’ - open circuit failure of a discrete output.
The Diagnostic Test Interval for faults monitoring of ESD System and its I/O’s shall not exceed 1 second. This self-testing for fault monitoring shall not affect performance of the ESD system.
The diagnostics of the system shall allow identification of all faults that a system component can alarm on the network up to and including the module level for all types of components. For I/O modules, the diagnoses, in addition, should be available up to channel level. The diagnostics shall be presented through PCS graphics depicting the cabinet and locating the faulty component. The status of the component shall be green if healthy and red if an alarm condition is present.
Status indicators shall be provided to indicate normal operation or fault conditions on each replaceable module. In addition, each fault shall initiate a hard alarm contact or an internal fault flag for communication to a PCS host computer or other operator interface.
Diagnostic Reports should be generated by the system with clear and interpretable diagnostic information. It is not acceptable to generate report files which can only be analysed at VENDOR’S facility. The ESD shall provide reports detailing active overrides and inhibits that are generated on shift changes.
10.10 Alarm Management
Alarm Management software shall be provided to ensure that the operator is alerted to plant upsets in a clear manner without being overloaded, both during normal operation and during a plant upset.
An Alarm Management System (AMS) shall be implemented in ICSS.
Alarm Management shall comply with the EEMUA Publication 191 and the ISA 18.2 requirements.
The alarm management software for ESD system shall have the following AMS capabilities:
(a) Alarm and event logging
(b) Storage of alarms and events for retrieval
(c) Sorting of alarms and events in chronological order
(d) Sorting of alarms by priority
(e) Providing statistical analysis of alarms and events
(f) Alarm reports (shelved alarms, filtered alarms, masked alarms, statistics)
(g) Alarm change management (alarm threshold modification, alarm priority change)
(h) Printing and reporting.
(i) First out alarm.
(j) Alarm masking and dynamic suppression
The alarm and event history shall be periodically backed onto another central server for permanent storage.
Refer to ADNOC Group Company AMS specification for further details.
10.11 SOE Requirements
SOE application shall accurately record the sequence of events in the order of their occurrence and enable rapid root cause analysis of trips after multiple events have occurred.
SOE shall be configured to perform both event logging and first-out reporting, for example, the time-tagged discrimination of trip events as well as first out event capture, that will allow the determination of the first event which caused individual or collective process equipment to trip.
First-out alarm/event sequence configuration shall comply to ISA 18.1. First-out (first alert) alarm/event functionality shall be used to indicate which one alarm in a group of alarms operated first. To accomplish this, the HMI indication for the alarm point that operates first must be different from the visual display indication for subsequent alarm points in that group. Only one first out alarm indication must exist in any one first out group.
The SOE and SER shall be a standard feature of ESD system. The SOE shall utilise time stamping carried out at ESD Processor and I/O module level to log events. Along with basic process alarms and trips, the system faults, device health, operator actions shall be captured.
VENDOR shall verify feasibility of using EWS as SER without loss of SOE functionality while EWS is being used for configuration.
SER shall be capable of storing 100,000 time stamped events in a circular file. The time stamp shall equal the respective ESD-PLC's clock time at the time the trip alarm is generated with a resolution equal to or better than the smallest scan time of ESD. To cater for processor communication failure, at least the last 1000 events per processor shall be stored in internal non-volatile memory.
ESD system master clock shall have 1 ms resolution. Events (faults and alarms) shall be time stamped at I/O module level. The minimum time resolution between SOE events shall be 1 ms. No events shall be missed, and all events shall be recorded on each scan.
Each ESD CPU shall be synchronized with all other nodes on the PCN communication network via a time signal broadcast on the PCN from an SNTP Time server. As with all nodes of the ICSS, the time synchronization of the ESD and SOE clocks shall be kept within 10 - 25 msec.
Combined SOE reporting of PCS and ESD events via the PCS shall be provided. ESD SOE information should be passed to the PCS via a direct PCS highway node communication module resident in the ESD. The SOE data together with time stamp information should be transferred from the ESD to the PCS. The ESD must buffer SOE data in memory until the interface communication module successfully completes transmission of the data to the PCS. Software resident in the PCS shall then assimilate and store all ESD SOE data with PCS generated SOE data, as well as SOE data transmitted to the PCS by other subsystems.
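The first-out and time-stamping requirements above interact: events are stamped at 1 ms resolution, but node clocks are only held within 10 - 25 msec of each other, so a combined SOE report cannot reliably order two events from different nodes that lie inside that band. The following added example (not part of this specification or of any vendor product; all node names, tags and group names are constructed) merges per-node SOE streams, picks exactly one first-out per group, and flags the picks that the synchronisation tolerance leaves open to challenge.

```python
from collections import defaultdict
from dataclasses import dataclass

# Worst case of the 10 - 25 msec inter-node synchronisation band in the text.
SYNC_TOLERANCE_MS = 25


@dataclass(frozen=True)
class SoeEvent:
    ts_ms: int   # time stamp in ms (1 ms resolution), from the stamping node's clock
    node: str    # ESD processor / I/O node that stamped the event (constructed name)
    tag: str     # alarm point tag (constructed)
    group: str   # first-out group the point belongs to (constructed)


def merge_soe(*streams):
    """Merge per-node SOE streams into one chronological list.

    Ties on the time stamp are broken by node and tag only to make the output
    deterministic; that order says nothing about the real sequence.
    """
    merged = [ev for stream in streams for ev in stream]
    return sorted(merged, key=lambda ev: (ev.ts_ms, ev.node, ev.tag))


def first_out(events, tolerance_ms=SYNC_TOLERANCE_MS):
    """Return exactly one first-out per group, plus the events that contest it.

    An event contests the first-out when it cannot be ordered against it:
      * stamped by a different node within the clock synchronisation tolerance, or
      * stamped by the same node in the same 1 ms tick.
    """
    by_group = defaultdict(list)
    for ev in merge_soe(events):
        by_group[ev.group].append(ev)

    report = {}
    for group, evs in by_group.items():
        first = evs[0]
        contenders = []
        for ev in evs[1:]:
            gap = ev.ts_ms - first.ts_ms
            cross_node = ev.node != first.node and gap <= tolerance_ms
            same_tick = ev.node == first.node and gap == 0
            if cross_node or same_tick:
                contenders.append(ev.tag)
        report[group] = {
            "first_out": first.tag,
            "confident": not contenders,
            "contenders": contenders,
        }
    return report


# Constructed sample: two ESD nodes reporting into two first-out groups.
NODE_A = [
    SoeEvent(37_805_000, "ESD-A", "PAHH-101", "K-100 trip"),
    SoeEvent(37_805_040, "ESD-A", "TAHH-105", "K-100 trip"),
    SoeEvent(37_806_100, "ESD-A", "FALL-302", "P-200 trip"),
]
NODE_B = [
    SoeEvent(37_805_012, "ESD-B", "LALL-203", "K-100 trip"),  # 12 ms after PAHH-101
    SoeEvent(37_806_000, "ESD-B", "PALL-301", "P-200 trip"),
]
SAMPLE_EVENTS = merge_soe(NODE_A, NODE_B)

if __name__ == "__main__":
    for group, result in first_out(SAMPLE_EVENTS).items():
        print(group, result)
```

With the 25 ms worst case, the K-100 first-out is reported as contested by LALL-203; rerunning with `tolerance_ms=10` shows how much a tighter synchronisation budget improves root-cause confidence.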
10.12 Cabinets
10.12.1 Construction
ESD system and marshalling cabinets shall be rigid and self-supporting. Cabinets shall be constructed of sheet steel with a rigid internal steel frame. Cabinets shall be braced for shock and vibration normally encountered during transport and construction.
The cabinet’s structure thickness shall be minimum 1.5 mm for cabinet steel plate sides, roof and bottom, and minimum 2 mm for doors and plinths.
Unless otherwise specified in Purchase order, the dimensions of the cabinets shall be 2000 mm (H) (excluding plinth) x 800mm (W) x 800 mm (D) (front access). If cabinets are permanently bolted to form sections, the length of these sections shall not exceed 2400 mm.
All cabinets shall have the same exterior and interior finish and colour. Cabinet colour shall be RAL 7035. Plinth colour shall be RAL 7022.
The cabinet Internal layout shall be designed to provide safe and unimpeded access to all electronic modules, power distribution, fuses, terminals and cables termination areas, cables and wiring routings and replacement of defective parts with the minimum amount of dismantling or removal of associated equipment.
Cabinets shall have redundant ventilation fans at cabinet top section for heat removal. Alarms shall be provided for cabinet high temperature and fan failure. Cabinets shall be equipped with ventilation louvers with dust filters units. Inlet louvers shall be installed at the bottom of cabinet doors. Filter screens shall be readily accessible and easily removable.
At the top of cabinet, a hole shall be provided to connect air sampling tube from High Sensitivity Smoke Detection (HSSD) System. Tube connection hole size shall be as per Purchase Order requirements.
Cabinet and inside equipment support shall be designed to dampen effects of external vibration.
Eyebolts shall be mounted on each cabinet to facilitate handling during unloading and permit transportation of the enclosure by crane.
All unused I/O module slots shall be fitted with removable cover plates.
Cabinet shall have lockable hinged doors. Hinges shall be the lift-off type; for example, doors shall be easily removable from the cabinet. All door locks shall be provided with the same lock and key combination. Keys shall be removable with the doors either locked or unlocked.
Internal lighting lamp at the top of the cabinet shall be controlled by a door switch or movement detector and incorporating a manual on/off/auto switch.
A pocket shall be provided on the inside of the door to keep cabinet drawings.
Each Cabinet and all its major components shall be clearly labelled and identified with a Tag Number. Cabinet nameplates shall be by engraving on three-layer plastic. Material layers shall be red-white-red for ESD system and shall be attached with stainless steel screws. Nameplate engraving shall be subject to CONTRACTOR review and approval.
VENDOR shall assemble a typical cabinet for approval by COMPANY prior to commencing assembly of all cabinets. Final cabinet layouts shall be a part of Functional Design Specification and will be subject to COMPANY approval.
10.12.2 Wiring
In case of conventional system (I/O cards installed in CPU cabinets), VENDOR shall provide Field Termination Assemblies (FTA) in ESD Marshalling cabinets for wiring field signals to I/O cards. VENDOR shall provide all interconnection cables from marshalling to CPU cabinets and between CPU cabinets. All wiring except power wiring between cabinets shall utilize VENDOR standard multicore cables with pluggable pre-assembled terminators/connectors. For Solenoid or similar higher loads cabling shall utilize terminal boards suitable for 2.5 mm² or higher size conductor cables. I/O cards shall not be split over more than one cable connector and shall not contain I/O of more than one process unit.
All wiring shall be segregated according to type (input or output) and voltage levels.
Colour coding for wiring shall be as follows:
Power 24V DC: positive - RED, negative - BLACK
Power 240V AC: phase - BROWN, neutral - LIGHT BLUE
Input and output signals - WHITE (or BLUE if a colour is to be used to indicate Intrinsically Safe signals)
Safety Earth - GREEN/YELLOW
Signal Earth - GREEN
Intrinsic Safe Earth - GREEN/BLUE
All interconnecting cables shall be tagged at both ends with cable number and cabinet number. Wiring core shall be tagged at both ends with terminal and module number using shrink sleeve type markers or equivalent.
All internal wires shall be stranded copper except for thermocouple type where it should match the thermocouple type.
Internal wiring shall be laid in PVC close slotted ducting (raceway) with a covering lid colour coded blue for Intrinsically Safe and Grey for non-Intrinsically Safe wiring. Ducting (raceways) shall have at least 40% spare capacity after commissioning.
Internal cabinet wiring, cables and wire ways shall be minimum flame retardant in accordance with IEC 60332.
Cable entries shall be from the cabinet bottom and provide facilities for sealing (such as gland plate) to prevent ingress of moisture, contaminants and rodents from entering the cabinet.
All internal and external wiring shall be connected to terminals. Splices are not permitted in wiring. Terminal blocks shall be Push-in Spring type (cage clamp type) and non-hygroscopic type. Terminals shall be tinned and clearly identified. The size of the terminal blocks shall be consistent with the wire size. Segregation of IS and Non-IS marshalling is required. Terminal colour for Non-IS wiring shall be Grey and Intrinsic Safe wiring shall be Blue. Terminals utilized for voltages higher than 48 volts shall be protected against accidental contact with removable cover plates which carry high voltage warning labels. Terminal blocks shall be labelled and numbered.
All panel cabinet tagging for cabinets, racks, TBs, Distribution boards, Terminal blocks, shall be engraved tagging fixed in a permanent manner. Sticker or temporary tagging is not acceptable.
10.12.3 Power Supply
Unless otherwise specified in the Purchase Order, each cabinet will be powered from redundant 240 VAC, 50 Hz UPS dual redundant feeders by the CONTRACTOR. For each incoming power feed, a double pole isolation switch shall be provided. Individual alarms will be generated for each of these when turned to the off position or on any fault.
System power supply located inside ESD cabinets shall be dual redundant and each shall be capable of supplying 100% system power if other fails. All power supplies, without considering redundancy shall include a spare capacity of 25 percent of the maximum load considering all spare I/O slots were filled.
Power supplies shall be replaceable on-line without disrupting the process and without affecting functioning of ESD System. Distribution of all power levels to all system chassis and modules shall also be completely redundant as a minimum. This is to be inclusive of all voltage levels required for logic processors, all chassis requirements, I/O modules and communication modules. This means that the failure of a power supply or incoming line shall not take out a leg of I/O or a main processor. Cabinet power supplies shall have over-temperature protection, integral fuse protection, and status LEDs to indicate power supply faults.
Miniature circuit breakers (MCB) and fuses shall be employed to provide electrical protection and isolation for all powered components. The distribution circuit shall ensure that no single MCB failure will result in other consequences or a cascade effect. MCB fault contacts shall be wired in series to generate a common fault alarm. Selection of fuses and MCB ratings shall be carefully coordinated with upstream fuses / MCBs including UPS distribution, taking into account power up inrush currents.
Additionally, separate 24 VDC redundant power supply for powering field instruments shall be provided. The VENDOR shall be responsible for designing the 24 VDC power distribution with circuit protection for all system I/O. All 24VDC –ve terminals shall be connected to Instrument earth (floating earth is not allowed). Power supply +ve outlet shall have diode.
Failure of any power supply must be signalled via a dry normally open (N/O) contact which shall be wired in series to a common discrete input point for alarm indication for each self-contained suite of cabinet(s). Each power supply shall be provided with primary and secondary overload protection. The secondary overload shall be self-resetting or have a time overload delay to prevent an instantaneous fault from tripping the system off. Over voltage protection must be provided if it is necessary for the protection of the connected loads. All individual fuses shall be considered with fault LED indication and common fault alarm for monitoring by PCS. No hidden fault is allowed without remote common alarm.
The VENDOR shall wire cabinet lighting and utility outlets to a separate breaker which will be fed from a single phase 240 VAC 50 Hz utility non-UPS power supply.
VENDOR shall provide the power consumption including inrush currents and crest factors for each cabinet to size incoming power feeders.
10.12.4 Earthing
There shall be three separate isolated Earthing Systems within the ESD cabinets as follows:
(1) Safety Earth: Each cabinet shall have a M10 brass earth stud, complete with nuts and washers for dedicated safety earthing. All metal racks, internal panels, cable tray, doors and detachable panels shall be earth bonded together to this safety earth with a flexible copper braid strap of at least 10 mm² to ensure effective earthing.
(2) Instrument Earth: Each system and marshalling cabinet shall be provided with one 5mm x 15mm copper galvanically isolated instrument earth busbar across the full width of, and insulated from, the panel for earthing System electronics and electrostatic screens of field cables. In general, field instrument shields shall be grounded to instrument earth within the Marshalling Cabinet.
(3) Intrinsically Safe Earth – IS Earth: Marshalling cabinets with non-isolating IS barrier (for example Zener barrier) circuits shall be supplied with an additional isolated IS earth busbar clearly labelled.
10.13 Partial Stroke Test
Valve Partial Stroke Test (PST) shall be carried out to verify Shutdown valve performance during plant operation as per IEC 61511 requirements to maintain valve PFD within acceptable limits and to avoid frequent proof (full stroke) test.
PST facility shall be designed such that shutdown valve shall be always available to respond to a process demand during test period.
Preferably, PST shall be through Asset Management System via ESD System. PST diagnosis software shall be installed on IAMS PC. To carry out PST, the ESD Output with HART protocol shall be wired to valve SMART E/P (Electro Pneumatic) Positioner. IAMS shall retrieve this HART PST data from ESD System over PCN Network to carry out diagnostics. PST initiation shall be from PCN OWS using IAMS client interface.
Refer to project function specification for Shutdown Valves for further PST implementation requirements.
10.14 Cyber Security
Cyber Security implementation shall comply with IEC 62443 for safety level SL2. ESD system shall be ISASecure certified for cyber security.
ESD shall integrate securely into ICSS PCN communication network through firewall. VENDOR shall implement a ‘Safety domain’ separated from the ‘Control domain’ either by firewalls or by implementation of a localised safety communication network that is separate from the Control Domain. ESD Engineering Workstation and Controller shall sit on SN in ‘Safety domain’. PCN and SN shall not terminate on the same switch to ensure that two separate networks are maintained.
ESD Controller and Engineering Workstation shall be cyber secure by design; for example, they shall have built-in firewall functionality to restrict access to authorized protocols and devices. They shall be able to validate communication with devices using encryption and digital signatures. They shall have software whitelisting so that only authorized programs or applications are executable and malware or unauthorized programs are blocked.
Cyber Security design shall comply with the ADNOC Group Company’s Digital Security policies.
A cyber security risk assessment as per IEC 62443-3-2 shall be performed by COMPANY/CONTRACTOR. VENDOR shall provide all required support for this assessment.
The cyber security risk assessment shall be performed by CONTRACTOR as follows and shall be seen as an iterative and continuous process from hardware freeze to FAT and SAT:
- Define the risk analysis methodology (for example architecture based)
- Identify major items (organization, systems, subsystems, networks)
- Identification, evaluation of the threat scenarios with their impact and likelihood
- Reduce the risks by designing adequate countermeasures
- Summarize the results in a Risk Register.
The cyber security risk assessment findings and recommendations shall be implemented by VENDOR.
VENDOR shall provide firewalls to enforce data transfer between ESD and PCS/ICSS.
The ESD system software patch update and security programs requirements shall comply to COMPANY Cyber Security guidelines/policies.
All unused ports on switches and routers of ESD system shall be disabled to assist in preventing unauthorized access to the ICSS network infrastructure.
VENDOR shall provide Firewall and Malware protection for Cyber Security in line with COMPANY Cyber Security guidelines/policies.
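Several of the requirements in this section can be checked mechanically against a network inventory during FAT and SAT. The following added example (not part of this specification or of any vendor tool) audits a constructed inventory for four of them: PCN and SN terminating on the same switch, ESD controllers or engineering workstations not on the SN, enabled unused ports, and devices other than a firewall bridging PCN and SN. The inventory layout, device names, role labels, protocol labels and the treatment of an "any" firewall rule as not restricted to authorized protocols and devices are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAFETY_ROLES = {"controller", "ews"}  # ESD nodes that shall sit on the SN


@dataclass
class Port:
    enabled: bool
    network: Optional[str] = None  # "PCN" or "SN"; None when nothing is patched
    peer: Optional[str] = None     # connected device; None means the port is unused


def audit(switches, devices, fw_rules):
    """Return a sorted list of (finding_id, subject) tuples."""
    findings = []
    peer_nets = defaultdict(set)

    for sw, ports in switches.items():
        nets = {p.network for p in ports.values() if p.enabled and p.network}
        # PCN and SN shall not terminate on the same switch.
        if {"PCN", "SN"} <= nets:
            findings.append(("PCN_SN_SAME_SWITCH", sw))
        for num, p in ports.items():
            # All unused ports on switches and routers shall be disabled.
            if p.enabled and p.peer is None:
                findings.append(("UNUSED_PORT_ENABLED", f"{sw}/{num}"))
            if p.enabled and p.peer and p.network:
                peer_nets[p.peer].add(p.network)
                # ESD EWS and Controller shall sit on SN in the safety domain.
                if devices.get(p.peer) in SAFETY_ROLES and p.network != "SN":
                    findings.append(("ESD_NODE_NOT_ON_SN", p.peer))

    # Only a firewall may connect the safety domain to the PCN.
    for dev, nets in peer_nets.items():
        if {"PCN", "SN"} <= nets and devices.get(dev) != "firewall":
            findings.append(("DUAL_HOMED_NOT_FIREWALL", dev))

    # Assumption: a rule with a wildcard field does not restrict access to
    # authorized protocols and devices.
    for i, rule in enumerate(fw_rules, start=1):
        if "any" in (rule["src"], rule["dst"], rule["proto"]):
            findings.append(("FW_RULE_NOT_SPECIFIC", f"rule {i}"))

    return sorted(findings)


# Constructed inventory with deliberate deviations.
DEVICES = {
    "ESD-CTRL-01": "controller", "ESD-CTRL-02": "controller",
    "ESD-EWS-01": "ews", "ESD-EWS-02": "ews",
    "FW-ESD-01": "firewall", "PCS-OWS-03": "ows",
}
SWITCHES = {
    "SW-SN-01": {
        1: Port(True, "SN", "ESD-CTRL-01"),
        2: Port(True, "SN", "ESD-EWS-01"),
        3: Port(True, "SN", "FW-ESD-01"),
        4: Port(True),                       # unused but left enabled
    },
    "SW-PCN-07": {
        1: Port(True, "PCN", "FW-ESD-01"),
        2: Port(True, "PCN", "PCS-OWS-03"),
        3: Port(True, "SN", "ESD-CTRL-02"),  # SN terminated on a PCN switch
        4: Port(True, "PCN", "ESD-EWS-02"),  # ESD EWS placed on the PCN
        5: Port(False),                      # unused and disabled: compliant
    },
}
FW_RULES = [
    {"src": "PCS-OWS-03", "dst": "ESD-CTRL-01", "proto": "modbus-tcp"},
    {"src": "any", "dst": "ESD-EWS-01", "proto": "any"},
]

if __name__ == "__main__":
    for finding in audit(SWITCHES, DEVICES, FW_RULES):
        print(finding)
```

The findings list is a natural input to the Risk Register described above; an empty list is evidence for the FAT/SAT record, not proof that the zone and conduit design is adequate.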
10.15 Spare Capacity/Expandability
10.15.1 Installed I/O and Cabinet Space
Each Marshalling and System cabinet shall be provided with 20% installed and wired spare for each type of I/O card. Each I/O card shall have at least 20% spare I/O channels available. The installed 20% spare shall include all associated terminations, terminal block, cable ducts and trays. Field cable spare cores shall be terminated on terminal blocks.
In addition to wired spares there shall be an average 20% empty space inside cabinets for future use.
10.15.2 Memory/Processing
Spare memory for application program and database shall be at least 40%. CPU loading shall not exceed 60% of its maximum capacity at full system loading.
10.15.3 Communication Interfaces
Communication interfaces shall not be loaded more than 50% at maximum loading after plant start-up.
11 ESD REQUIREMENTS FOR SPECIAL PACKAGE UNITS
Refer to Appendix 1 for ESD System requirements for Special Mechanical Packages.
SECTION C
12 SCOPE OF SUPPLY
Detailed engineering and design of the ESD system in accordance with all specifications, standards, datasheets and other statements of requirement included with or referenced in the requisition.
The VENDOR shall have single point responsibility for all aspects of the works, inclusive of all components sub-contracted or purchased from other parties. These shall include, but not be limited to:
(1) Total system engineering definition of the ESD system in the form of a Functional Design Specification (FDS) based upon the Functional Specification (FS), datasheets and COMPANY specifications provided by CONTRACTOR. FDSs shall be written by the VENDOR and approved by COMPANY during the Design Phase to detail the VENDOR scope of work.
(2) The agreed FDS
(3) ESD System Topology
(4) Design and supply of the ESD system Console, including the integration design and resulting facilities for all free issued materials to be mounted thereon
(5) Design and supply of the ESD System Cabinets
(6) Design and supply of the ESD Marshalling Cabinets
(7) Design and supply of the ESD Auxiliary Cabinets
(8) Design of the ESD system communications network and supply of all communication equipment and cables up to and including firewalls at interface to Process Control Network.
(9) Supply of ESD hardware, software, cabinets, consoles, EWS, printers, power supply units, peripherals,
(10) All System Interconnecting cables, network switches, licenses and all other equipment required for a fully functional, operable, reliable and maintainable ESD System.
(11) Supply of operating system software and firmware.
(12) Supply of system configuration and application software including design and configuration of database, and reports
(13) Supply of specialist integration services for third party equipment forming part of the ESD system scope
(14) Supply of System test procedures, all necessary test equipment and personnel for all tests. Perform tests for witness by the Contractor’s representative
(15) Human Machine Interface for local access.
(16) Data communications
(17) Documentation
(18) Documentation and certification in accordance with the material requisition, this specification and the standards referenced herein.
(19) Special tools required for installation, operation and maintenance of the equipment;
(20) Painting, Preservation and Packing;
(21) Insurance spares;
(22) Spares (commissioning and 2 year);
(23) Design and supply of power distribution system within the ESD system
(24) Certified calculations shall form part of the scope of supply as follows:
i. Sizing Calculations;
ii. Power Calculations;
iii. Heat loading calculations.
(25) Commissioning; start-up and long term support.
(26) Site assistance for ESD system installation and commissioning
In addition to the above requirements, design, fabrication, configuration, testing and installation shall also be compliant with cyber-security requirements.
13 QUALITY CONTROL AND ASSURANCE
Equipment shall only be purchased from Vendors approved by ADNOC Category Management. This approval indicates that the VENDOR has an approved Quality management system and a proven track record in supply of this equipment type.
COMPANY/CONTRACTOR reserves the right to inspect materials and workmanship at all stages of manufacture and to witness any or all tests.
VENDOR shall comply to Criticality Rating for Equipment outlined in respective ADNOC Group Company’s Quality System Specifications for requirements of production checks, shop inspection, testing and material certification.
The VENDOR shall provide equipment inspection and test reports as per approved Inspection and Test Plan by CONTRACTOR.
14 CERTIFICATIONS
VENDOR shall provide SIL 3 certificates for offered ESD system from Exida, TUV or equivalent.
VENDOR shall provide all Test Certificates as per Supplier Document Register and Schedule (SDRS) provided in Purchase Order.
15 INSPECTION & TESTING REQUIREMENTS
15.1 General
The VENDOR shall be responsible for workmanship, testing and quality assurance of the material supplied.
Inspection and Testing will be carried out by VENDOR and it will be witnessed by the CONTRACTOR and COMPANY representatives at various stages and locations as follows:
(1) Pre-Factory Acceptance - conducted at the system assembly/manufacturer location.
(2) Factory Acceptance Test - may be conducted at the system assembly location as a standalone ESD test and then again at the PCS location as an integrated test, or entire testing may be done at the PCS location.
(3) Integrated Factory Acceptance Test – conducted following FAT at the PCS location.
(4) Site Installation Test- conducted at the job site once system is installed and powered up.
(5) Site Acceptance Test - conducted at the job site as a system operating test after commissioning.
VENDOR shall provide all test procedures to CONTRACTOR and COMPANY for review and approval at least two months prior to the proposed test schedule. Each formal acceptance test must be signed by a VENDOR, CONTRACTOR and COMPANY representative at the successful completion of the test(s).
15.2 Shop Inspection
CONTRACTOR’S representative will periodically visit the VENDOR’S shop facilities and inspect system progress from a hardware and software perspective.
15.3 Pre-Factory Acceptance Test
VENDOR shall detail all physical tests and inspections which will be performed in the Pre-FAT procedure. As a minimum these tests shall include complete physical inspection of all cabinetry, system components, wiring and labelling. Additionally, the procedure shall list all internal VENDOR test/inspection records which can be provided to the CONTRACTOR during the Pre-FAT. As a minimum, project related QA inspections covering bought out components and internal inspections of assemblies are to be included.
The system equipment will be inspected by CONTRACTOR representative at the Pre-Factory Acceptance Test for satisfactory quality and workmanship. In addition, COMPANY or CONTRACTOR shall have the right to inspect the work in progress at any stage.
The VENDOR is responsible to maintain a punch list during the Pre-FAT. The Pre-FAT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire Pre-FAT punch list shall be given one System Log report number and maintained as part of the ESD system log. Unless otherwise agreed by COMPANY, all items on the Pre-FAT punch list shall be cleared before the commencement of FAT.
The entire Pre-Factory Acceptance Test (Pre-FAT) procedure must have been successfully exercised on the system by the VENDOR prior to the FAT.
15.4 Factory Acceptance Test
The FAT shall include the complete testing and acceptance of both hardware and software.
The VENDOR shall be required to submit FAT procedures for approval prior to FAT. These shall cover, but not be limited to:
(a) Complete hardware testing including simulation of all input and output channels, testing of all system redundancy (CPUs, power supplies, I/O buses, I/O comm modules, highway communication modules), observation of fault reporting via hardware indicators and data transfers, and hot swap component replacement.
(b) Complete simulation of all functional logic groups. This testing is to be inclusive of I/O simulation through the marshalling cabinets and system cables to ensure healthy HW and SW configuration for all I/O. Functional test shall be performed through software simulation for all tested I/O. It is intended that this testing be performed with the ESD system data linked with the PCS. In this case all PCS/ESD data transfers associated with each functional logic group shall be exercised and observed during the function logic validation testing. If schedule or other requirements necessitate testing of the ESD functional logic prior to a PCS integration test, all data transfer bit sets and register values will be exercised/observed for correct operation by means of a test computer simulating a PCS while testing the functional logic. In this case, later Integrated testing with the PCS shall include PCS highway interface of the ESD processors with the project application software loaded. At least 10 percent of all interface data points shall again be simulated, and correct results observed. Additionally, full redundancy testing of the communications interface shall be performed. CONTRACTOR and COMPANY approval to perform the ESD FAT first separately, and then integrated as described above must be obtained in writing by the VENDOR.
(c) As the functional logics are checked, proper recording of SOE data shall be verified. Additionally, the SOE sorting and reporting capabilities shall be demonstrated and certified correct.
During FAT the system shall be made available to CONTRACTOR and COMPANY for sufficient periods to verify satisfactory performance.
COMPANY and CONTRACTOR’S representative will witness the entire FAT. The FAT procedure/checklist will be signed off by the VENDOR, CONTRACTOR and COMPANY representative at the successful conclusion of testing. A copy of the signed off FAT procedures/checklist and related printouts shall be furnished to CONTRACTOR and COMPANY representative. Each punch point shall be categorised to define criticality and time frame for completion. This is applicable to all tests & punch lists.
All process inputs and outputs must be simulated during the FAT. The purpose of this simulation is to provide a facsimile of the production process, with all points of an individual loop or interconnected loops hooked up for test simultaneously.
All system programs must be complete and resident in the system prior to the start of FAT. All program listings must be free of pencilled (patched) corrections. The system software loaded must be the final version encompassing all required changes incorporated after VENDOR internal testing. Any changes which were made as a result of internal testing shall be documented as part of the ESD system log.
The VENDOR is responsible to maintain a punch list during the FAT. The FAT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire FAT punch list shall be given one System Log report number and maintained as part of the ESD system testing log.
Diagnostic programs which are tested during FAT shall be shipped to IFAT with system.
15.5 Integrated Factory Acceptance Test (IFAT)
Following FAT, IFAT shall follow and include testing of communication interface between ESD and PCS. Data transfer between ESD and PCS shall be checked. ESD graphics implemented in PCS OWS shall be 100% tested.
IFAT testing procedure shall be furnished by VENDOR for CONTRACTOR and COMPANY approval.
15.6 Site Installation Test (SIT)
After the system has been installed on site and site QA as well as VENDOR inspection of the mechanical and electrical installation has been successfully completed, a Site Installation Test will be conducted by the VENDOR when directed by the CONTRACTOR.
SIT shall include as a minimum:
(d) An audit and inspection of equipment as installed. A deficiency report shall be written, and appropriate action taken to rectify any problems.
(e) All alarm status, analogue and pulse inputs, and controlled end devices shall be disconnected by means of isolating terminals.
(f) Each system shall be powered up and system and application software will be loaded. System diagnostics shall be run and checked to ensure the system is error free.
(g) Communications shall be established between all components of the system and from the ESD to the PCS.
(h) Redundancy testing of processor, power supply systems, I/O buses and communication modules shall be performed.
(i) At least one point from every input/output module shall be verified by signal simulation/monitoring from the associated marshalling cabinet.
(j) A random sampling of data transfers between the PCS and ESD shall be performed to ensure proper operation of the data links.
(k) All MOS enable switches shall be checked for proper operation by exercising the enable switches, implementing PCS soft MOS functions, checking the ESD implements the MOS and then observing the ESD clearing imposed soft MOS functions when the MOS enable switches are switched to the off position.
(l) Random sampling of SOE data shall be conducted.
Full details of all tests to be performed shall be defined in the SIT procedure.
The VENDOR is responsible to maintain a punch list during the SIT. The SIT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire SIT punch list shall be given one System Log report number and maintained as part of the ESD system test log.
COMPANY and CONTRACTOR representative will witness the entire SIT. The SIT procedure will be signed off by the VENDOR, CONTRACTOR and COMPANY representative at the successful conclusion of testing. A copy of the signed off SIT procedures and related printouts shall be furnished to CONTRACTOR and COMPANY representative.
Upon completion of the SIT, the system shall remain powered on and loop checks shall be conducted as loops are made ready. System status shall continue to be monitored and all detected faults and/or changes/modifications to system hardware and software shall be recorded in the System test log. During commissioning, loop checking shall include the whole loop, from the control room to the field device.
15.7 Site Acceptance Test (SAT)
After the system has been commissioned and put in service the Site Acceptance Test period commences. The purpose of the site acceptance test is to verify that all hardware and software is correctly installed and functioning according to the specifications in the real environment and verify integrated performance of the ESD with the ICSS system.
The SAT shall be conducted as per SAT procedure/checklist approved by COMPANY. The SAT procedure/checklist shall fully detail all acceptance test criteria. The SAT shall be deemed completed only after all loops, logics, hardware, software, functional requirements and ICSS integration checks are thoroughly completed.
This test shall include monitoring the system data transfer and update times. SOE data capture and time synchronization between the PCS and ESD shall be verified. Transmission and display of correct first out alarm notifications as well as secondary alarms shall be observed. System diagnostics shall be routinely checked. The SAT procedure shall fully detail all acceptance test criteria. Duration of SAT shall not be less than 72 hours.
The VENDOR is responsible to maintain a punch list during the SAT. The SAT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire SAT punch list shall be given one System Log report number and maintained as part of the ESD system test log.
The SAT procedure/checklist will be signed off by the VENDOR, CONTRACTOR and COMPANY representative at the successful conclusion of testing. A copy of the signed off SAT procedures and related printouts shall be furnished to CONTRACTOR and COMPANY representative.
Successful completion and approval of the SAT will constitute system acceptance by the CONTRACTOR and COMPANY.
15.8 Certificates of Acceptance
At the satisfactory conclusion of the FAT, IFAT, SIT, and SAT a Certificate of Acceptance shall be provided by the VENDOR for signature by the CONTRACTOR and COMPANY.
Following documents as minimum shall be attached to Certificate of Acceptance dossier:
(1) Signed and Approved FAT, IFAT, SIT and SAT test reports
(2) Electric Equipment Test Certificates
(3) SIL Certificates
(4) Hardware Test Certificates
(5) Software Test Certificates
(6) Approved As-Built Drawings
15.9 Services by the VENDOR
The VENDOR shall supply the necessary manpower, specialist personnel, tools and equipment to support testing at VENDOR's shop and at site as defined in the above sections.
16 SUBCONTRACTORS/SUBVENDORS
The VENDOR shall assume unit responsibility and overall guarantee for the equipment package and associated equipment.
The VENDOR shall transmit all relevant Purchase Order documents including specifications to his SUBCONTRACTORS.
It is the VENDOR’S responsibility to enforce all Purchase Order and Specification requirements on his SUBCONTRACTORS.
The VENDOR shall submit all relevant SUBCONTRACTOR drawings and engineering data to the CONTRACTOR.
The VENDOR shall obtain and transmit all SUBCONTRACTOR warranties to the CONTRACTOR/COMPANY, in addition to the system warranty.
17 SPARE PARTS
17.1 Spares
The VENDOR shall identify the following spares:
(1) Pre-commissioning, commissioning and start-up spares
(2) Recommended spares list for two years operation
Spares shall be itemised and priced in VENDOR quotation.
VENDOR shall support supply of spare parts for 15 years.
The VENDOR shall complete the Spare Parts Interchangeability Record (SPIR) Form to be supplied by the CONTRACTOR. The CONTRACTOR shall agree Spares to be included in Purchase Order.
17.2 Special Tools
The CONTRACTOR shall agree the Special Tools to be included in Purchase Order.
The VENDOR shall identify all necessary standard and special tools, test software, and test and calibration equipment required to perform routine maintenance and any other recommended tools for specialised procedures.
The VENDOR shall provide design and performance specifications for all special tools, test software, and calibration equipment.
The list of the standard tools shall state the following:
(a) Description of its service
(b) Manufacturer and Catalogue No
(c) Quantity recommended.
Special tools shall be itemised in VENDOR quotation.
18 PRESERVATION & SHIPMENT
18.1 Packing and Shipping
Preparation for shipment shall be in accordance with purchase order Preservation and Export Packing requirements. VENDOR shall be solely responsible for the adequacy of the preparation for shipment provisions with respect to materials and application, and to provide equipment at the destination in ex-works condition when handled by commercial carriers. Adequate protection shall be provided to prevent mechanical damage and atmospheric corrosion in transit and at the jobsite. Preparation for shipment and packing will be subject to inspection and rejection by COMPANY’S/CONTRACTOR’S inspectors. All costs occasioned by such rejection shall be to the account of the VENDOR. Equipment shall be packed, securely anchored, and skid mounted when required. Bracing, supports, and rigging connections shall be provided to prevent damage during transit, lifting, or unloading. Separate, loose, and spare parts shall be completely boxed. Pieces of equipment and spare parts shall be identified by item number and service and marked with CONTRACTOR’S order number, tag number, and weight, both inside and outside of each individual package or container. A bill of material shall be enclosed in each package or container of parts. One complete set of the installation, operation, and maintenance instructions shall be packed in the boxes or crates with equipment. This is in addition to the number called for in the Purchase Order.
All kinds of regulatory / non-regulatory approvals and procedures required for shipping shall be in the scope of CONTRACTOR / VENDOR.
18.2 Preservation and Storage
Equipment and materials shall be protected to withstand ocean transit and extended period of storage at the jobsite for a minimum period of 18 months. Equipment shall be protected to safeguard against all adverse environments, such as humidity, moisture, rain, dust, dirt, sand, mud, salt air, salt spray, and seawater. All equipment and material shall be preserved, and export packed in accordance with project specifications.
The VENDOR shall provide preservation plan to protect and ensure the integrity of ESD equipment during the period that starts when the ESD equipment is prepared for the first shipment from the point of origin and ends at the completion of project commissioning and start-up. The plan shall identify protective measures to be implemented during each phase of the project, inclusive of maximum ambient conditions. The completion plan shall be submitted to COMPANY for review and comment no later than 90 days prior to the first shipment of ESD equipment from the factory.
19 COMMISSIONING
19.1 Installation
VENDOR shall provide supervision assistance for Installation and Commissioning of ESD System at site. Installation will be carried out by the CONTRACTOR with supervision assistance from the VENDOR. The VENDOR shall notify the CONTRACTOR of any special tools required for installation and supply these if necessary, to the CONTRACTOR.
19.2 Life Cycle/Long Term Support
VENDOR must provide assurances that system equipment will not be obsolete in the next 15 years. In the belief that portions of the system will eventually be withdrawn from sale, a firm commitment by the VENDOR that for his standard products there will be either repair capability or equivalent parts and/or products available for a minimum of 15 years from the withdrawal date is required.
The ESD design shall consider the requirement that the system will require to be upgraded during the design life of the facilities. ESD supply shall be given specific attention to ensure all systems, components, software and individual elements and the respective running tools, test equipment, software and human skills can be maintained or replaced such that the original function and integrity of the whole ESD can continue in an uninterrupted manner for the field life.
The entire system shall be in ‘Active life’ for a minimum period of 15 years. Vendors shall provide life cycle commitment including:
(a) Start of Active life
(b) End of active life
(c) Start of limited support
(d) End of limited support
(e) Start of Obsolescence
Active life: Denotes the system is active and available for sale for new projects and revamp projects, with full support from R&D and continuous support in terms of upgrade, patch update and bug fixing.
Limited Support: Product has limited support with local maintenance and engineering support, bug fixing, and continued supply of spares (refurbished or new parts).
Obsolete: Out of sale and support is discontinued.
Between active to support phase, vendor shall provide a minimum support period of 7 years for company to plan for a smooth upgrade or replacement.
19.3 Maintenance
During warranty period, VENDOR shall provide service personnel for periodic fault finding, repair and replacement of all faulty hardware, firmware and software.
During bidding stage, Vendor proposal shall include the details and costs of all standard maintenance services available after SAT. COMPANY shall be under no obligation to select all or any of the agreements detailed and shall be free to negotiate a unique maintenance agreement with the VENDOR.
20 TRAINING
20.1 General
The following training courses are proposed for the selective attendance of suitable personnel such as Engineers, Supervisors and Technicians. The purpose of these training courses will range from gaining practical experience and functional knowledge on ESD system, its software and associated hardware, to acquiring an in-depth knowledge for administration and system configuration and software development purposes:
(a) System Architecture (all)
(b) Systems Software and Maintenance (System Administrator)
(c) System Administration (System Administrator)
(d) Network/Cyber Security (System Administrators, Supervisors)
(e) Application Programming (Engineers, Supervisors)
(f) Advanced Programming Techniques (Engineers, Supervisors)
Above training shall be included nominally for 10 Engineers / Supervisors and 6 Technicians.
20.2 Training Course Documentation
For each trainee who will attend a training course, a copy of the complete training course, notes, and drawings shall be provided to COMPANY eight weeks prior to the commencement of the training course. The copies shall be retained by the trainees on completion of the training course and shall be the property of COMPANY.
In addition, five copies of the training course documentation shall be available on site prior to the installation and pre-commissioning for reference purposes.
20.3 Maintenance Training Course
The purpose of the course is to train Engineers/Supervisor/Technicians for first line fault diagnosis, and repair by replacement.
20.4 System Engineering Course
The purpose of this course is to enable COMPANY Engineers/Supervisors to be able to modify system I/O and system application software including interfaces to the PCS. The course shall include:
(a) System Hardware.
(b) System operating software.
(c) Review of project specific typical application software modules, data formats, data table allocations.
21 DOCUMENTATION
VENDOR shall submit the type and quantity of drawings for COMPANY/CONTRACTOR authorization or information as per Supplier Document Register and Schedule (SDRS) provided in Purchase Order.
The VENDOR shall provide all standard and project-specific documentation and software required for system definition, installation, initialisation, operation, maintenance, troubleshooting and training. This information shall provide complete documentation for the ESD in sufficient scope and detail to permit programming and maintenance of the equipment.
Mutual Agreement on document list and documents issue dates shall be an integral part of Purchase Order.
Comments made by COMPANY/CONTRACTOR on drawing submittal shall not relieve VENDOR of any responsibility in meeting the requirements of this specification. Such comments shall not be construed as permission to deviate from requirements of the Purchase Order unless specific and mutual agreement is reached and confirmed in writing.
All drawings, documents, information, correspondence, test reports, operating and maintenance instruction manuals shall be in the English language.
All documents and drawings issued by the VENDOR shall be produced in an electronic format compatible with Microsoft Office computer software. Documentation shall also be provided in Native format, in order to allow company to update during operational upgrade and future projects. VENDOR shall provide final documentation on DVD-ROM with search and retrieval capabilities.
ESD safety related documentation shall conform to IEC 61511-1, clause 19.
All system drawings shall be prepared and submitted in accordance with recognized standards. Every effort shall be made to minimize the total number of drawings prepared by use of common drawings, where practicable without loss of clarity.
Before SAT, VENDOR shall issue As-Built drawings incorporating all changes that have taken place during installation, testing and commissioning at site. Each drawing shall be clearly marked ‘As-Built’ and dated.
The list of documents below is intended to define the minimum technical documents to be provided by the VENDOR. This list is not exhaustive and additional documentation necessary for the work execution shall be provided by VENDOR. ESD system documentation to be supplied by VENDOR shall include, but not be limited to:
(1) System Architecture Diagrams
(2) System Block Diagrams and interface schematic
(3) Functional Design Specifications for Hardware and Software, Cabinets, Networking, Interfaces, Cyber Security etc.
(4) System Configuration Specifications including Logic and Application Program Design
(5) Reliability/Availability Calculations and Reports
(6) SIL Calculations as per IEC 61508
(7) SIL and Safety System certification dossiers
(8) Loading Calculations (CPU, memory, networks, power supplies, spares)
(9) Cabinet and Console General Arrangement drawings
(10) Cabinet internal wiring diagrams
(11) Inter-panel Cable Connection Schedule
(12) Interconnection Wiring Diagrams
(13) Input/Output Assignment List
(14) Configuration database
(15) Functional Logic diagrams
(16) Loop Diagrams
(17) Software licenses
(18) Power supply, distribution and earthing drawings
(19) Power and Heat Loading calculations
(20) Electrical Load Schedule
(21) I.S. certification dossier (if applicable)
(22) Bill of Materials
(23) Comprehensive data sheets for all major items, including completed data sheets included in the enquiry/purchase order
(24) Inspection Test Plan (ITP)
(25) QA/QC Procedures
(26) Internal Testing and Pre-FAT Report
(27) FAT Procedure & Report
(28) SIT Report
(29) SAT Procedure & Report
(30) List of all spare parts, tools, test equipment and installation materials
(31) Spare Part Interchangeability List
(32) Packing, Marking and Shipping Procedure
(33) Preservation and Site Storage Procedure
(34) Complete catalogue sheets of all furnished items
(35) System Hardware Manuals
(36) Programming Manual
(37) Application software manuals
(38) System Security Manual
(39) Functional Safety Manual
(40) Operation and Maintenance Manuals
(41) Installation and Configuration Manuals
(42) Quality Manuals
(43) Third Party Manuals
21.1 Specific Requirements
VENDOR shall issue Software Functional Design Specification which details application software, configuration procedures and compliance to IEC 61508 & IEC 61511 programming requirements for safety applications.
Application program files in function block format including all pertinent embedded comments describing logic functionality shall be provided. Descriptors for logic element/blocks shall include completed I/O addresses and tag numbers, set points, logic element parameter identification. Flow charts and Logic diagram drawings shall be produced for all safety interlocking functions and they shall comply with the IEC 61131-3.
This document will be reviewed jointly by the CONTRACTOR and COMPANY and technical review meetings will be held to finalize and freeze the hardware and software prior to the FAT. COMPANY approval of the FDS is mandatory prior to System build and FAT.
The system software functional design specification shall be complete and follow the format given below:
21.2 Typical Program Macros
Typical program macros which are used repeatedly shall have written descriptions of the objectives and functions that are provided. It shall be in sufficient detail to allow a person familiar with individual programming elements of the system to determine the function of each module.
21.3 Detailed Logic Application Diagrams with Full Description
Each separate functional logic group shall be shown in ISA or IEC standard logic symbology, fully annotated and described, including all I/O tag numbers. A complete listing of all I/O points with tag numbers, descriptions, point configuration parameters (ranges, engineering units) and cross references shall also be included. This documentation may be generated by the actual programming software if the format is reviewed and approved by the CONTRACTOR and COMPANY. It shall include all logic functionalities, equations, calculations and scaling required for each functional logic group. Clear demarcation of each functional logic group shall be provided within the documentation.
22 GUARANTEES & WARRANTY
VENDOR shall provide warranty support for a period of two years, commencing on the date of COMPANY written acceptance of the system following the site acceptance test. Warranty shall apply to defective material, workmanship and facility design, and/or facility software. Warranty work shall be done at COMPANY local facilities. The cost of diagnostics and/or correction of any warranty items shall be borne by the VENDOR.
The VENDOR will not be required to provide resident maintenance personnel during the warranty period but shall have competent technical personnel available from the local facility within 24 hours, if required by COMPANY.
The VENDOR shall guarantee that the software to be supplied shall be free from errors, for example software/firmware failure to perform function(s) as specified in this specification or COMPANY documentation.
23 PROJECT ADMINISTRATION
23.1 Project Personnel
The VENDOR shall ensure that sufficient qualified personnel are always allocated to the project. The VENDOR shall utilize a project team structure to achieve continuity and accuracy of implementation. The VENDOR shall submit for CONTRACTOR’S approval the résumés of all personnel engaged in the project.
It is anticipated that the project team shall comprise at least the following disciplines:
(a) Project Manager (Commercial/Technical) (shall be nominated representative of the VENDOR with responsibility and authority to fully implement the project with technical correctness, on schedule and within the budget).
(b) Senior System Designer (Technical).
(c) Hardware Design (Technical Hardware).
(d) Software Designer (Technical Software).
(e) Test Technician (Technical Testing).
(f) Site Engineer (Installation/Commissioning).
23.2 Project Schedule
The VENDOR shall include with his quotation, a detailed Project Schedule showing the VENDOR’S best estimate of the achievable major schedule milestones.
The Project schedule shall be used as the main progress control document during the implementation of the project. The Project Schedule shall clearly show any ‘float’ or ‘slack’ time available together with any freeze dates required by the VENDOR and major milestones for equipment design, manufacture and delivery. The schedule shall clearly indicate required dates for each of CONTRACTOR supplied design data.
The VENDOR may include in the proposal any additional material which clarifies the procedure for implementing the Project Schedule.
23.3 Progress Reporting
The Project Schedule shall be used as the basis for monthly progress reporting, schedule controlling and schedule forecasting. At regular intervals, the VENDOR shall revise the Project Schedule to include the effect of changes and to reflect actual Project Progress.
23.4 Coordination Meetings
Coordination meetings shall be held as required between COMPANY, CONTRACTORS and VENDOR. The agenda for each coordination meeting will be prepared by the VENDOR prior to each meeting. Detailed meeting minutes will be taken by the VENDOR and submitted to COMPANY and CONTRACTORS for approval. An ‘action item’ log shall be prepared and continuously updated by the VENDOR.
Coordination meetings, to be held either in Abu Dhabi or home office, will be a part of the purchase order scope.
SECTION D
24 DATA SHEETS TEMPLATES
Not Applicable.
25 STANDARD DRAWINGS
Not Applicable.
SECTION E
APPENDIX 1 ESD SYSTEM REQUIREMENTS FOR SPECIAL MECHANICAL PACKAGES
INTRODUCTION
To keep the design consistent and ease integration, the Mechanical Package Suppliers should preferably use the same safety system hardware as that of the main plant ESD. This design standardisation of Package Safety Systems has the following benefits:
(a) Integrated operating interface.
(b) Integrated peer control.
(c) Integrated diagnosis.
(d) Fast data exchange due to direct communication.
(e) Minimize the quantity of spare parts.
(f) Easier and less expensive engineering and maintenance.
(g) Reduce the number of operating personnel.
(h) Reduce training requirements and time.
To achieve above, Package Safety System shall utilise PCN and SN of plant PCS and ESD for data transfer and system integration.
Package Units ESD system shall comply to this specification and additional functional requirements specified in the following sections.
HIGH INTEGRITY PRESSURE PROTECTION SYSTEM (HIPPS)
The function of HIPPS is to prevent over pressurisation in equipment or pipeline by shutting off the source of the high pressure before operating pressure exceeds design pressure and thus preventing rupture of equipment or pipeline for personnel and environment safety.
The HIPPS is an instrumented safety system consisting of:
(a) Redundant pressure sensors, typically in a 2oo3 arrangement, that detect the high pressure.
(b) Final control element (fail safe shutdown valves or relays in case of tripping compressors and pumps).
(c) The Logic Solver in a redundant architecture.
The HIPPS shall be designed to:
(a) Be a standalone SIL 3 certified system as per IEC 61508 and IEC 61511.
(b) Have an entire system response time of less than 0.5 x process safety time.
(c) Be as simple as possible; complex design shall be avoided.
(d) Be fail safe, therefore sensors, signals, logic solvers and final elements shall be designed to be fail safe.
(e) Permit on-line testing without reduction of trip integrity.
(f) Provide fault diagnostic capability.
2.2 HIPPS Logic Solver
The following minimum requirements shall apply:
(a) Logic solver shall be PES or solid-state type and SIL 3 certified as per IEC 61508.
(b) 2oo3 voted HIPPS process pressure sensing elements shall be connected to three separate HIPPS logic solver input cards.
(c) Discrepancy monitoring and alarm between the three (3) analogue sensor values shall be implemented.
(d) Separate HIPPS logic solver input cards from other inputs that influence 2oo3 voting, for example process sensor isolation valve limit switches.
(e) Where a SIF has more than one final element or dual trip circuits (for example two solenoid valves) these shall be allocated across 2 or more HIPPS logic solver output cards.
(f) Trip thresholds (set points) shall be locked to prevent adjustment through human error.
HIPPS Logic Solver shall be installed in a dedicated cabinet. In general HIPPS cabinets shall be installed inside equipment room or shelter in environmentally controlled atmosphere. For limited cases where locations are remote and equipment room is not available, the cabinet can be installed in field with prior approval from COMPANY.
For outdoor installation, panel design shall be such that it is:
(a) Suitable for the required hazardous area classification.
(b) Easily accessible.
(c) Suitable for the environmental conditions.
(d) Safe to operate.
Following status monitoring shall be available on HIPPS Logic Solver cabinet:
(a) Transmitter fault.
(b) Transmitter in test mode.
(c) Transmitter deviation.
(d) HIPPS shutdown activated.
(e) Valve open permissive.
(f) Shutdown valve open/close.
(g) Power supply fault.
(h) Common fault.
(i) Valve testing activated.
Following control facilities shall be available on HIPPS Logic Solver cabinet:
(a) System Reset.
(b) Lamp Test (Ongoing/Completed/Failed).
(c) Valves open/close.
(d) Valve Test.
HIPPS trip and fault signals shall be hardwired to PCS and ESD. HIPPS monitoring data shall be transferred to PCS on Modbus TCP/IP data link.
2.3 HIPPS Pressure Sensors
The field sensing side shall employ 2oo3 architecture to activate pressure isolation.
Pressure sensors shall be analogue 4-20 mA loop powered. HART communication protocols shall be used for diagnostic purposes. Transmitters shall have hardware switches or jumpers to lock the write protection.
Each HIPPS transmitter can be tested individually by means of a transmitter test interlocking with limit switches on the Double Block & Bleed Valve located in the field. If one of the three transmitters is in maintenance mode with block valve closed, the 2oo3 voting will degrade to 1oo2 voting.
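The 2oo3 voting, its degradation to 1oo2 and the discrepancy alarm between sensor values, as described in 2.2 and 2.3, can be sketched as follows. This is an added example, not part of the specification or of any vendor's logic solver; the tag names, the trip setpoint, the deviation limit, the choice to compare only the voting sensors and the rejection of more than one transmitter in maintenance are assumptions.

```python
from dataclasses import dataclass
from typing import Sequence, Tuple

# Constructed numbers for illustration; the specification states none of them.
TRIP_SETPOINT_BARG = 95.0     # assumed high-pressure trip threshold
DEVIATION_LIMIT_BARG = 2.0    # assumed allowed spread between voting sensors


@dataclass(frozen=True)
class Transmitter:
    tag: str                      # hypothetical tag name
    pressure_barg: float          # 4-20 mA signal already scaled to barg
    in_maintenance: bool = False  # test mode proven by block-valve limit switch


@dataclass(frozen=True)
class VoteResult:
    architecture: str             # "2oo3", or "1oo2" when degraded
    trip: bool                    # demand to close the HIPPS valves
    deviation_alarm: bool         # discrepancy between the voting sensors
    high_tags: Tuple[str, ...]    # voting transmitters at or above the setpoint


def hipps_vote(transmitters: Sequence[Transmitter],
               setpoint: float = TRIP_SETPOINT_BARG,
               deviation_limit: float = DEVIATION_LIMIT_BARG) -> VoteResult:
    """Vote three pressure transmitters 2oo3, degrading to 1oo2 with one in maintenance."""
    if len(transmitters) != 3:
        raise ValueError("HIPPS voting group must contain exactly three transmitters")

    # A transmitter in maintenance (block valve closed) is excluded from the vote.
    voting = [t for t in transmitters if not t.in_maintenance]
    if len(voting) == 3:
        architecture, required = "2oo3", 2
    elif len(voting) == 2:
        architecture, required = "1oo2", 1
    else:
        # The specification only describes one transmitter in maintenance at a time.
        raise ValueError("more than one transmitter in maintenance is not covered")

    high = tuple(t.tag for t in voting if t.pressure_barg >= setpoint)
    values = [t.pressure_barg for t in voting]
    # Assumption: the discrepancy check compares only the sensors still voting.
    deviation_alarm = (max(values) - min(values)) > deviation_limit
    return VoteResult(architecture, len(high) >= required, deviation_alarm, high)


def constructed_scenarios():
    """Run the voter over constructed readings (barg) for three hypothetical tags."""
    def group(a, b, c, maint=None):
        readings = {"PT-A": a, "PT-B": b, "PT-C": c}
        return [Transmitter(tag, value, tag == maint) for tag, value in readings.items()]

    return {
        "normal": hipps_vote(group(80.0, 80.5, 79.8)),
        "one_high": hipps_vote(group(96.0, 80.0, 80.2)),
        "two_high": hipps_vote(group(96.0, 97.0, 80.0)),
        "degraded_one_high": hipps_vote(group(0.0, 96.0, 80.0, maint="PT-A")),
    }


if __name__ == "__main__":
    for name, result in constructed_scenarios().items():
        print(f"{name:18s} {result}")
```

In the constructed "one_high" case a single high reading raises the deviation alarm without tripping, while the same single high reading trips once the group has degraded to 1oo2.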
2.4 Other Requirements
The HIPPS valves shall be highly reliable, fast acting and fail close type. Valve shall be SIL rated as per SIL class specified in Valve Data Sheet.
The HIPPS design shall enable the periodic testing of individual sensors and final elements. This shall include methodology and test facilities to achieve HIPPS activation and repeatable response time measurement with adequate resolution and automated recording of results to provide test traceability.
The complete HIPPS design, manufacturing, installation and testing shall be subject to third party verification to demonstrate compliance to SIL 3 reliability and availability requirements as per IEC 61508 & IEC 61511. The SIL Verification program is in VENDOR scope, performed by a specialised independent third party approved by COMPANY.
BURNER MANAGEMENT SYSTEM (BMS)
The objective of the BMS is to ensure the safe operation of fired equipment like boiler, furnace or fired heater. The system design shall include all those factors that contribute to the start-up, operation and shutdown of the unit in accordance with EN 298 & 746 and NFPA 85, 86 & 87 as well as applicable local, national or international codes.
The major checks to be carried out by BMS shall include checking fired equipment self-protection during start-up, pre-purging, pilot ignite, main burner ignite, verify air/fuel ratio according to the load demand, trip burner on abnormal conditions and post-purging after burner stop.
BMS design shall provide the functional sequences and timing logic necessary for furnace safe start-up and shutdown.
BMS shall perform following functions as a minimum:
(a) Prohibit start-up of burner unless all permissives are healthy.
(b) Prevent firing unless furnace purge has been completed.
(c) Control fuel valves opening and closing during start and stop sequences.
(d) Ignition of pilot and main burners at light-off.
(e) Control air/fuel ratio according to heat load demand.
(f) Shut down the furnace if flame loss or any abnormal condition is detected.
(g) Execute Master Fuel Trip (MFT) upon certain adverse process operating conditions.
(h) Interface with Local Control Panel adjacent to fired equipment.
(i) Interface with plant PCS to control BMS operations via PCS OWS.
The BMS control, safeguarding and sequential functional logic shall be implemented using PLC based fault-tolerant, fail safe and SIL 3 certified system identical to Plant ESD System.
BMS will be integrated into the COMPANY’s Integrated Control and Safety System (ICSS) so that it will have seamless interface with PCS for displaying and controlling BMS start/stop sequences from PCS OWS. Additionally, BMS cabinet shall be also provided with integral HMI which shall be used during BMS testing, commissioning and subsequent maintenance of the BMS PLC.
BMS interface with plant PCS and OWS shall be on dual redundant Process Control Network (PCN).
BMS interface with plant ESD shall be on dual redundant fault tolerant SIL 3 certified Safety Network (SN).
If BMSs are in duty/standby arrangements, they shall have segregated processors, I/O systems and cabinets/chassis, allowing each system to have individual turnaround. If major equipment has any parallel equipment downstream it shall be assigned to different nodes/chassis of the same controller.
Following conditions as minimum shall initiate a Master Fuel Trip burner shutdown:
(a) Loss of all flames.
(b) Burner fuel gas/oil header pressure low low or high high.
(c) Furnace pressure high high or low low.
(d) Main gas or oil fuel header valve position fault.
(e) Combustion air flow low low.
(f) Instrument air header pressure low low.
(g) Draft Fan(s) tripped.
(h) Actuation of manual Master Fuel Trip from Local Panel or CCR Console pushbutton.
In the event of Master Fuel Trip condition, BMS shall execute following actions:
(a) Close all fuel gas/oil header safety shutoff valves and open vent valves, as applicable.
(b) Close all burner fuel gas/oil safety shutoff valves and open vent valves, as applicable.
(c) Close ignitor gas header safety shutoff valves and open vent valves.
(d) Illuminate appropriate shutdown lamps and initiate alarms.
(e) Return system to the pre-purge state.
(f) De-energize all ignitors.
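The trip conditions and actions listed above, modelled as a latching function with first-out capture. This is an added example, not part of the specification or of any vendor's BMS logic; the signal names, the power-up-tripped behaviour, the operator reset and the rule that a missing input counts as a trip demand are assumptions.

```python
"""Illustrative Master Fuel Trip (MFT) latch; a model for study, not certified BMS logic."""
from enum import Enum


class Cause(Enum):
    """Trip initiators (a) to (h) from the specification list."""
    LOSS_OF_ALL_FLAMES = "a"
    FUEL_HEADER_PRESSURE_LL_OR_HH = "b"
    FURNACE_PRESSURE_HH_OR_LL = "c"
    FUEL_HEADER_VALVE_POSITION_FAULT = "d"
    COMBUSTION_AIR_FLOW_LL = "e"
    INSTRUMENT_AIR_PRESSURE_LL = "f"
    DRAFT_FAN_TRIPPED = "g"
    MANUAL_MFT_PUSHBUTTON = "h"


# Outputs forced while the trip is latched: actions (a) to (f) from the list.
# Signal names are hypothetical.
TRIPPED_OUTPUTS = {
    "fuel_header_ssov_open": False,     # (a) header shutoff valves closed
    "fuel_header_vent_open": True,      # (a) header vent valves open
    "burner_ssov_open": False,          # (b) burner shutoff valves closed
    "burner_vent_open": True,           # (b) burner vent valves open
    "ignitor_header_ssov_open": False,  # (c) ignitor gas header closed
    "ignitor_header_vent_open": True,   # (c) ignitor gas header vented
    "shutdown_lamp_and_alarm": True,    # (d) lamps and alarms
    "sequence_state": "PRE_PURGE",      # (e) back to the pre-purge state
    "ignitors_energized": False,        # (f) ignitors de-energized
}


class MasterFuelTrip:
    def __init__(self):
        # Assumption: the logic powers up tripped and needs an operator reset.
        self.latched = True
        self.first_out = None  # first cause seen since the last reset

    @staticmethod
    def active_causes(healthy):
        """Causes demanding a trip. A missing or False input counts as a demand."""
        return [c for c in Cause if not healthy.get(c, False)]

    def scan(self, healthy):
        """One logic scan. Returns the forced outputs, or {} when not tripped."""
        active = self.active_causes(healthy)
        if active:
            self.latched = True
            if self.first_out is None:
                # Several causes in the same scan: enum order decides (assumption).
                self.first_out = active[0]
        return dict(TRIPPED_OUTPUTS) if self.latched else {}

    def reset(self, healthy):
        """Operator reset; refused while any trip cause is still present."""
        if self.active_causes(healthy):
            return False
        self.latched = False
        self.first_out = None
        return True
```

The trip stays latched after the initiating condition clears, so a transient cause still forces the full set of shutdown outputs until an operator resets it.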
BMS design and control requirements shall be solely the Package Supplier’s responsibility to meet the Fired Equipment guarantee for safe operation; however, the following functional requirements shall be considered as a minimum:
(a) Provide push buttons on CCR console and LCP to initiate Master Fuel Trip (MFT) burner shutdown.
(b) Provide burner stop pushbuttons on CCR console and LCP for manual shutdown of burners.
The interlocks shall be such that it is possible to relight the pilot without shutting down the main flame.
The main flame shall have its own flame failure detector. This device shall be capable of differentiating between the pilot and the main flame.
In the event of main flame failure on a single burner heater, both the fuel supply to the main flame and the pilot flame shall be shut off. Where heaters are fitted with more than one burner, failure of the main flame shall result in the isolation of the fuel supply to that burner. All the pilots shall remain alight.
If a burner fails to ignite within the prescribed period, then the main burner shut off valves should close and a period sufficient to disperse any accumulation of un-burnt gas shall elapse before a further ignition attempt is made (on any burner in the heater). If the failure to ignite is the result of the loss of combustion in air, then a furnace pre-purge should be carried out in order to obtain a minimum of 5 volume changes in the furnace.
Individual burner and pilot flame failures shall be indicated on the local panel with repeated alarms to control room.
The re-start of the pilot and main flame shall be initiated locally by the operator. Automatic restart is not permitted.
Fuel gas valves shall be of a fail-close design with local electrical reset and shall have a closed position proving switch. Failure of valve to close shall operate an alarm only.
The LCP near furnace shall provide the operator with all the necessary pushbuttons and indicators required to control various operations like purge, pilot/burner light-off, shutdown.
HYDRAULIC SAFETY SHUTDOWN SYSTEM (HSSS)
The wellhead control panel shall be used to control the oil or gas producing well Surface Safety Valves (SSV), Downhole Valve (DHV), Wing Valve (WV) and open lift gas Shutdown Valve (if applicable) by applying pressurized hydraulic oil (pressure to Open). The oil pressure shall be generated by an electric motor pump combination with hydraulic oil reservoir generating the required pressure for opening above valves.
The control panel shall be designed as a stand-alone single wellhead control system and shall be totally independent of the flow line fluid using clean hydraulic oil as the operating medium in a closed, leak tight circuit.
The HSSS shall be housed in a completely enclosed stainless steel cabinet with front and back access doors in order to ensure total maintainability of the control system equipment. The front door shall be fitted with a framed window that encloses the operators control panel. All doors and windows shall be provided with handles having padlock arrangement. The Panel shall be mechanically protected to IP 65 according to IEC 60529 as minimum.
The hydraulic control and safety circuits shall be completed with filters, regulators, relief valves, pilots, accumulators, non-return valves, Flow line pilot trip indicators, pressure gauges and other accessories as required for the smooth, trouble free and safe operation of the well. All valves, fitting, tubing, pipe and pipe fittings, and reservoir fabrication shall comply to COMPANY ‘Instruments Tubing, Fittings & Valves Specification’. Control Panel shall be stainless steel 316L and provided with a breather.
When HSSS utilises PES for logic execution, the PES shall be identical to platform ESD System so that it can be easily integrated into platform ICSS. The PES in HSSS shall be SIL 3 certified as per IEC 61508.
For PES based HSSS, one of the following options should be considered for PES location:
(1) Packaged HSSS: In this Option, PES shall be installed in separate compartment within the HSSS panel. The Packaged HSSS cabinet shall be the SIS of the Wellhead Tower and it shall have external hardwired interfaces for remote shutdown signal and redundant serial interfaces with PCS for remote monitoring and control. Design of the Control panel and PES shall address outdoor installation related issues such as area classification, ingress protection, harsh environment, H2S presence,
(2) Separated HSSS: In this option, PES shall be installed remotely in separate cabinet. All instruments of the HSSS shall be wired to terminal strips inside the cabinet which shall be connected at site to the PES panel by means of multi-core cables.
For Separated HSSS, logic solver could be implemented in plant/Wellhead Tower SIS system as separate SIF function provided that SIL assessment does not consider HSSS and SIS as two independent protection layers.
HSSS shall be configured to carry out the following functions as a minimum:
(a) Hydraulic Pump start/stop based on oil pressure and oil tank level.
(b) Logic for Open / Close wellhead valves.
(c) Remote monitoring (all panel parameters) / control to PCS.
(d) Provide facility to allow local testing of hydraulic pump operation.
Shutdown Push button (Panic Mushroom-button valve Type with red plastic handle) with mechanical protection against accidental access shall be provided in panel front to enable immediate shutdown of the well in case of emergency situation. Remote mounted shutdown Push button shall be provided at adequate distance from the panel for the same function.
On activation of the shutdown command (local shutdown button, Remote shutdown button or remote command from ESD system), hydraulic supply pressure to all valves shall be immediately exhausted through block/bleed circuit and oil shall return to the main reservoir. The return line for the safety valves shall be different from the return line from the control valves (for example choke valves).
The wellhead control system shall allow manual operation of SSV and DHV, wing valves and lift gas shutdown (if applicable) Valves. The controls shall be designed for the fail safe operations.
Opening of the valves shall always be a manual operation either locally or remotely. Under no circumstances shall any of the valves open automatically. The operating sequence shall be designed such that the valves can be opened only in the following order. Control system design (logic) shall ensure that opening sequence is always maintained. Change in the opening sequence shall not be permitted:
(a) DHV
(b) SSV
(c) WV
(d) Open Lift Gas Shutdown Valves (SDV)
Control system design (logic) in the wellhead control system shall ensure that closing sequence of the wellhead towers is always maintained through the following sequence:
(a) WV
(b) SSV
(c) DHV
(d) Close Lift Gas shutdown valves (SDV)
The panel shall incorporate start-up bypass requirements to bypass the low pressure trips. The bypass systems shall be auto reset when the low pressure pilot / trip points have been cleared. Indicators shall be provided at the panel front as well as remote indication at PCS for the status of the High/Low pilots / trips.
HSSS logic shall be designed to ensure that it shall not be possible to open the valves when SIS circuit is unhealthy.
SSV shall close immediately, without time delay. The requirement of the closure of this valve is governed by the following:
(a) ESD push button on the control panel.
(b) Remote ESD actuation.
(c) Fusible plugs actuation.
(d) High or Low pilot actuation on sensing flow line pressure relative to the pressure set points.
(e) Manually closed from the well head control panel.
The DHV shall close only under ESD condition (ESD push button mounted in front of the panel, remote ESD actuation or fusible plugs actuation).
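The opening and closing rules above, as an added simulation that is not part of the specification or of any wellhead panel's certified logic. Valve and cause names are hypothetical labels; closing the valves that follow the SSV together with it on a non-ESD cause is an assumption of this model, and the start-up bypass is not modelled.

```python
"""Simulation of the HSSS valve interlocks (illustrative, not certified logic)."""

OPEN_ORDER = ("DHV", "SSV", "WV", "SDV")   # the only permitted opening order
CLOSE_ORDER = ("WV", "SSV", "DHV", "SDV")  # closing order as listed in the text

# Causes that exhaust hydraulic pressure to all valves (DHV included).
ESD_CAUSES = {"ESD_PUSHBUTTON", "REMOTE_ESD", "FUSIBLE_PLUG"}
# Causes that close the SSV but leave the DHV open.
SSV_CAUSES = {"HIGH_LOW_PILOT", "MANUAL_SSV_CLOSE"}


class WellheadPanel:
    def __init__(self, has_lift_gas_sdv=True):
        self.order = OPEN_ORDER if has_lift_gas_sdv else OPEN_ORDER[:3]
        self.open_valves = set()    # all valves start closed (pressure to open)
        self.active_causes = set()  # standing trip conditions not yet cleared

    def request_open(self, valve, manual, sis_healthy):
        """Return (granted, reason) for one open command."""
        if valve not in self.order:
            return False, "unknown valve"
        if not manual:
            return False, "automatic opening is not permitted"
        if not sis_healthy:
            return False, "SIS circuit unhealthy"
        if self.active_causes & ESD_CAUSES:
            return False, "ESD condition active"
        idx = self.order.index(valve)
        if self.active_causes and idx >= self.order.index("SSV"):
            return False, "SSV closure cause active"
        missing = [v for v in self.order[:idx] if v not in self.open_valves]
        if missing:
            return False, f"open {missing[0]} first"
        self.open_valves.add(valve)
        return True, "opened"

    def trip(self, cause):
        """Apply a closure cause and return the valves closed, in closing order."""
        if cause in ESD_CAUSES:
            demanded = set(self.order)
        elif cause in SSV_CAUSES:
            # The text requires the SSV to close and keeps the DHV open.
            # Assumption: valves after the SSV in the opening order close too,
            # so that re-opening always follows the full sequence.
            demanded = set(self.order[self.order.index("SSV"):])
        else:
            raise ValueError(f"unknown cause: {cause}")
        if cause != "MANUAL_SSV_CLOSE":
            # A manual close is a one-off command, not a standing condition.
            self.active_causes.add(cause)
        closed = [v for v in CLOSE_ORDER if v in demanded and v in self.open_valves]
        self.open_valves.difference_update(closed)
        return closed

    def clear(self, cause):
        """Mark a standing trip condition as cleared."""
        self.active_causes.discard(cause)

    def sequence_intact(self):
        """True when the open valves form a prefix of the opening order."""
        n = len(self.open_valves)
        return set(self.order[:n]) == self.open_valves
```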
HSSS panel components internal and external shall be tagged and labelled. The exterior name plates shall be colour laminated.
The panel shall be designed to be lifted from the top, by providing four lifting eyes for this purpose.
Electronic compartment shall be totally isolated from accumulation of oil/dust/
The hydraulic control and safety circuits drawing shall be printed on the back-access doors from inside for technician guidance during maintenance.
7.0 APPENDIX 3 (AGES-SP-04-003 – FIRE & GAS SYSTEM SPECIFICATION)
THE CONTENTS OF THIS DOCUMENT ARE PROPRIETARY AND CONFIDENTIAL.
ADNOC GROUP PROJECTS AND ENGINEERING
FIRE & GAS SYSTEM SPECIFICATION
Specification
APPROVED BY:
Abdulmunim Saif Al Kindy
NAME: Abdulmunim Al Kindy TITLE: Executive Director PT&CS EFFECTIVE DATE:
AGES-SP-04-003
GROUP PROJECTS & ENGINEERING / PT&CS DIRECTORATE
CUSTODIAN ADNOC
Group Projects & Engineering / PT&CS Specification applicable to ADNOC & ADNOC Group Companies
REVISION HISTORY
DATE
REV.
NO
1 June 2020
1
PREPARED BY (Designation / Initial) Asadullah Malik / Sr. Engineer, I&C, TE.
REVIEWED BY (Designation / Initial) Ashwani Kumar Kataria/ A/MES,TC- Eng
ENDORSED BY (Designation / Initial) Abdulla Al Shaiba/
ENDORSED BY (Designation / Initial) Zaher Salem/
VP-GPE
SVP-GPE
Reuben Yagambaram/ SPM-GPE
Group Projects & Engineering is the owner of this Specification and responsible for its custody, maintenance and periodic update.
In addition, Group Projects & Engineering is responsible for communication and distribution of any changes to this Specification and its version control.
This specification will be reviewed and updated in case of any changes affecting the activities described in this document.
AGES-SP-04-003
Rev. No: 1 Page 2 of 49
INTER-RELATIONSHIPS AND STAKEHOLDERS
a) The following are inter-relationships for implementation of this Specification:
i. ADNOC Upstream and ADNOC Downstream Directorates and
ii. ADNOC Onshore, ADNOC Offshore, ADNOC Sour Gas, ADNOC Gas Processing, ADNOC LNG, ADNOC Refining, ADNOC Fertilisers, Borouge, Al Dhafra Petroleum, Al Yasat
b) The following are stakeholders for the purpose of this Specification:
ADNOC PT&CS Directorate.
c) This Specification has been approved by the ADNOC PT&CS and is to be implemented by each ADNOC Group company included above subject to and in accordance with their Delegation of Authority and other governance-related processes in order to ensure compliance
d) Each ADNOC Group company must establish/nominate a Technical Authority responsible for compliance with this Specification.
DEFINED TERMS / ABBREVIATIONS / REFERENCES
“ADNOC” means Abu Dhabi National Oil Company.
“ADNOC Group” means ADNOC together with each company in which ADNOC, directly or indirectly, controls fifty percent (50%) or more of the share capital.
“Approving Authority” means the decision-making body or employee with the required authority to approve Policies & Procedures or any changes to it.
“Business Line Directorates” or “BLD” means a directorate of ADNOC which is responsible for one or more Group Companies reporting to, or operating within the same line of business as, such directorate.
“Business Support Directorates and Functions” or “Non-BLD” means all the ADNOC functions and the remaining directorates, which are not ADNOC Business Line Directorates.
“CEO” means chief executive officer.
“Group Company” means any company within the ADNOC Group other than ADNOC.
“Specification” means this Fire & Gas System Specification
CONTROLLED INTRANET COPY
The intranet copy of this document located in the section under Group Policies on One ADNOC is the only controlled document. Copies or extracts of this document, which have been downloaded from the intranet, are uncontrolled copies and cannot be guaranteed to be the latest version.
TABLE OF CONTENTS
GENERAL
1 PURPOSE
2 SCOPE
3 DEFINED TERMS / ABBREVIATIONS / REFERENCES
SECTION A
4 NORMATIVE REFERENCES
4.1 INTERNATIONAL CODE(S) AND STANDARDS
4.2 ADNOC SPECIFICATIONS
5 REFERENCE DOCUMENTS
5.1 STANDARD DRAWINGS
5.2 OTHER REFERENCES (OTHER CODES AND STANDARDS)
5.3 OTHER REFERENCED DOCUMENTATION
6 DOCUMENTS PRECEDENCE
7 SPECIFICATION DEVIATION/CONCESSION CONTROL
8 PROCESS SAFETY REQUIREMENTS
9 DESIGN CONSIDERATIONS /MINIMUM DESIGN REQUIREMENTS
9.1 OPERATION & DESIGN LIFE
9.2 ENVIRONMENTAL REQUIREMENTS
9.3 ELECTRIC UTILITY DATA
9.4 SEISMIC REQUIREMENTS
9.5 HAZARDOUS AREA PROTECTION
9.6 INGRESS PROTECTION
9.7 ENGINEERING UNITS
SECTION B
10 FGS TECHNICAL REQUIREMENTS
10.1 GENERAL DESIGN
10.2 FUNCTIONAL SPECIFICATION (FS) AND FUNCTIONAL DESIGN SPECIFICATION (FDS)
10.3 FGS HARDWARE
10.4 ELECTROMAGNETIC COMPATIBILITY
10.5 SURGE PROTECTION
10.6 FGS SOFTWARE
10.7 COMMUNICATION
10.8 HUMAN MACHINE INTERFACE
10.9 DIAGNOSTICS
10.10 ALARM MANAGEMENT
10.11 SOE REQUIREMENTS
10.12 CABINETS
10.13 CYBER SECURITY
10.14 SPARE CAPACITY/EXPANDABILITY
11 REQUIREMENTS FOR SPECIAL PACKAGE UNITS
SECTION C
12 SCOPE OF SUPPLY
13 QUALITY CONTROL AND ASSURANCE
14 CERTIFICATIONS
15 INSPECTION & TESTING REQUIREMENTS
15.1 GENERAL
15.2 SHOP INSPECTION
15.3 PRE-FACTORY ACCEPTANCE TEST
15.4 FACTORY ACCEPTANCE TEST
15.5 INTEGRATED FACTORY ACCEPTANCE TEST (IFAT)
15.6 SITE INSTALLATION TEST (SIT)
15.7 SITE ACCEPTANCE TEST (SAT)
15.8 CERTIFICATES OF ACCEPTANCE
15.9 SERVICES BY THE VENDOR
16 SUBCONTRACTORS/SUBVENDORS
17 SPARE PARTS
17.1 SPARES
17.2 SPECIAL TOOLS
18 PRESERVATION & SHIPMENT
18.1 PACKING AND SHIPPING
18.2 PRESERVATION AND STORAGE
19 COMMISSIONING
19.1 INSTALLATION
19.2 LIFE CYCLE/LONG TERM SUPPORT
19.3 MAINTENANCE
20 TRAINING
20.1 GENERAL
20.2 TRAINING COURSE DOCUMENTATION
20.3 MAINTENANCE TRAINING COURSE
20.4 SYSTEM ENGINEERING COURSE
21 DOCUMENTATION
21.1 SPECIFIC REQUIREMENTS
21.2 TYPICAL PROGRAM MACROS
21.3 DETAILED LOGIC APPLICATION DIAGRAMS WITH FULL DESCRIPTION
22 GUARANTEES & WARRANTY
23 PROJECT ADMINISTRATION
23.1 PROJECT PERSONNEL
23.2 PROJECT SCHEDULE
23.3 PROGRESS REPORTING
23.4 COORDINATION MEETINGS
SECTION D
24 DATA SHEETS TEMPLATES
25 STANDARD DRAWINGS
SECTION E
26 APPENDIX
GENERAL
1 PURPOSE
The purpose of this specification is to define the minimum mandatory technical requirements for design, manufacturing, testing, packing, installation and commissioning of the Fire and Gas System (FGS) hardware and excludes all field devices.
2 SCOPE
2.1 The scope of this specification is limited to Programmable Electronic System (PES) type FGS System.
This specification excludes solid state FGS System, field input devices (detectors, transmitters, switches) and output devices (beacons, sounders and hooters).
This specification does not cover the requirements for localised addressable FGS panels in Non-Process buildings or third-party package FGS system.
2.2 For project specific additional requirements, refer to FGS system requirements stated in respective project’s Purchase Requisition documentation.
3 DEFINED TERMS / ABBREVIATIONS / REFERENCES
Abbreviations
AMS: Alarm Management System
CCR: Central Control Room
CPU: Central Processor Unit
EMI: Electromagnetic Interference
ESD: Emergency Shutdown System
EWS: Engineering Workstation
FAT: Factory Acceptance Test
FDS: Functional Design Specification
HART: Highway Addressable Remote Transducer
HVAC: Heating, Ventilation and Air Conditioning
HMI: Human Machine Interface
HSSD: High Sensitivity Smoke Detection
IAMS: Instrument Asset Management System
ICSS: Integrated Control and Safety System
IP: Ingress Protection
I/O: Inputs/Outputs
LAN: Local Area Network
LCD: Liquid Crystal Display
LCP: Local Control Panel
LED: Light Emitting Diode
MCB: Miniature Circuit Breaker
MOS: Maintenance Override Switch
MTTF: Mean Time To Failure
MTTR: Mean Time To Restore
OWS: Operator Workstation
PCN: Process Control Network
PCS: Process Control System
PES: Programmable Electronic System
PFD: Probability of Failure on Demand
PLC: Programme Logic Controller
QMR: Quadruple Modular Redundant
RAM: Random Access Memory
RFI: Radio Frequency Interference
SAT: Site Acceptance Test
SER: Sequence Events Recording
SIL: Safety Integrity Level
SIS: Safety Instrumented System
SIT: Site Installation Test
SOE: Sequence Of Events
SNTP: Simple Network Time Protocol
TETRA: Terrestrial Trunked Radio
TCP/IP: Transmission Control Protocol / Internet Protocol
TUV: Technischer Uberwachungs Verein
UPS: Uninterruptible Power Supply
Technical Definitions
Term: Definition
Fire and Gas System: It is an Electrical / Electronic / Programmable Electronic safety-related System that provides risk reduction and recovery controls for mitigation of hazardous conditions such as fire or loss of containment. It comprises inputs from sensors/transmitters, direct outputs to equipment such as fire suppressants, audible and visible alarms, and interfaces to other systems such as ESD, PCS, Human Machine Interface and the logic solver.
ESD and SIS System: It is an Electrical / Electronic / Programmable Electronic safety-related System that provides the safeguarding of the process and equipment to protect personnel, assets and environment. It comprises of sensors/transmitters, the final control elements, and the logic solver.
PFD: A value that indicates the probability that a device or system will fail to respond to a demand in a specified interval of time.
Reliability: The probability that when operating under stated environmental conditions, the system will perform continuously, as specified, over a specific time interval.
Fail Safe: The capability to go to a predetermined safe-state in the event of a specific malfunction.
Fault-Tolerant System: A system incorporating design features which enable the system to detect and log transient or steady-state fault conditions and take appropriate corrective action while remaining on-line and performing its specified function.
MTTF: ‘Mean Time To Failure’ is the expected time to failure of a system in a population of identical systems.
MTTR: ‘Mean Time To Restore’ is the statistical average of time taken to identify and repair a fault (including diagnosis).
Response Time: Total maximum time required to read all field inputs, program execution and change field output state at I/O card channel level.
Safety integrity: Average probability of a safety instrumented system satisfactorily performing the required safety instrumented functions under all the stated conditions within a stated period of time.
Safety Integrity Level (SIL): Discrete level (one out of four) for specifying the safety integrity requirements of the safety instrumented functions to be allocated to the safety instrumented Systems. Safety integrity level 4 has the highest level of safety integrity; safety integrity level 1 has the lowest.
Watchdog: Combination of diagnostics and an output device (typically a switch) for monitoring the correct operation of PES device and taking action upon detection of an incorrect operation
References
ADNOC Group Companies FGS documents part of FGS Purchase Order shall be referred to design and supply of equipment.
SECTION A
4 NORMATIVE REFERENCES
4.1 International Code(s) and Standards
The following codes and standards, to the extent specified herein, form a part of this specification. When an edition date is not indicated for a code or standard, the latest edition at the time of order placement shall apply:
Standard: Description
American National Standards Institute / The International Society of Automation (ANSI/ISA)
ANSI/ISA 5.1: Instrumentation Symbols and Identification
ISA 5.3: Graphic Symbols for Distributed Control/Shared Display Instrumentation, Logic and Computer Systems
ISA 5.4: Instrument Loop Diagram
ISA S5.5: Graphic Symbols for Process Displays
ISA 18.1: Annunciator Sequences and Specifications
ISA 18.2: Management of Alarm Systems for the Process Industries
ISA 71.01: Environmental Conditions for Process Management and Control System, Temperature and Humidity
ISA 71.04: Environmental Conditions for Process Measurement and Control Systems: Airborne Contaminants
ANSI/ISA-TR99.00.01: Security Technologies for Industrial Automation and Control Systems
The Engineering Equipment and Materials Users Association (EEMUA)
EEMUA PUB No 191: Engineering Equipment and Material User’s Association Alarm Systems - A Guide to Design, Management and Procurement
The International Electrotechnical Commission (IEC)
IEC 60079: Explosive Atmospheres – All parts
IEC 60297-3-101: Basic dimensions of front panels, sub-racks, chassis, racks and cabinets
IEC 60332: Tests for Electric and Optical Fibre Cables Under Fire Conditions – All parts
IEC 60364: Electrical installations of buildings - All parts
IEC 60529: Degrees of protection provided by enclosures (IP code)
IEC 60445: Basic and Safety Principles for Man-Machine Interface, Marking and Identification - Identification of Equipment Terminals, Conductor Terminations and Conductors
IEC 61000: Electromagnetic Compatibility (EMC) – All Parts
IEC 61131: Programmable controllers – All Parts
IEC 61508: Functional Safety of Electrical/electronic/Programmable Electronic (E/E/EP) Safety Related Systems - all parts
IEC 61511: Functional safety - Safety instrumented systems for the process industry sector – all parts
IEC 62402: Obsolescence Management – Application guide
IEC 62443: Industrial communication networks - Network and system security - All parts
IEC 17799: Information technology - Security techniques - Code of practice for information security management
Institute of Electrical and Electronics Engineers (IEEE)
IEEE 802.3: Standard for Ethernet
International Organisation for Standardisation (ISO)
ISO 9001: Quality Management Systems - Requirements.
ISO 9004: Managing for the Sustained Success of an Organisation – A Quality Management Approach
ISO 19011: Guidelines for Auditing Management Systems
Military Handbook
MIL HDBK 217F: Reliability Prediction of Electronic Equipment
NATIONAL FIRE PROTECTION ASSOCIATION (NFPA)
NFPA 72: National Fire Alarm and Signalling Code
NAMUR (Normenarbeitsgemeinschaft für Mess- und Regeltechnik)
NE043: Standardisation of the Signal Level for the Failure Information of Digital Transmitters
4.2 ADNOC Specifications
Document Number: Title
AGES-SP-04-001: Process Control System Specification
AGES-SP-04-004: Emergency Shutdown (SIS) System Specification
AGES-PH-03-002: Fire & Gas Detection & Fire Protection System Philosophy
5 REFERENCE DOCUMENTS
5.1 Standard Drawings
Not Applicable
5.2 Other References (Other Codes and Standards).
Not Applicable
5.3 Other Referenced Documentation
Not Applicable
6 DOCUMENTS PRECEDENCE
The Codes and Standards referred to in this specification shall, unless stated otherwise, be the latest approved issue at the time of Purchase Order placement.
It shall be the VENDOR’S and CONTRACTOR’S responsibility to be, or to become, knowledgeable of the requirements of the referenced Codes and Standards.
The VENDOR/CONTRACTOR shall notify the COMPANY of any apparent conflict between this specification, the related data sheets, the Codes and Standards and any other specifications noted herein.
Resolution and/or interpretation precedence shall be obtained from the COMPANY in writing before proceeding with the design/manufacture.
In case of conflict, the order of document precedence shall be:
(1) UAE Statutory requirements
(2) ADNOC Codes of Practice
(3) Equipment datasheets and drawings
(4) Project Specifications and standard drawings
(5) Company Specifications
(6) National/International Standards
7 SPECIFICATION DEVIATION/CONCESSION CONTROL
Deviations from this specification are only acceptable where the VENDOR has listed in his quotation the requirements he cannot, or does not wish to comply with, and the COMPANY/CONTRACTOR has accepted in writing the deviations before the order is placed.
In the absence of a list of deviations, it will be assumed that the VENDOR complies fully with this specification.
Any technical deviations to the Purchase Order and its attachments including, but not limited to, the Data Sheets and Narrative Specifications shall be sought by the VENDOR only through Concession Request Format. Concession requests require CONTRACTOR’S and COMPANY’S review/approval, prior to the proposed technical changes being implemented. Technical changes implemented prior to COMPANY approval are subject to rejection.
8 PROCESS SAFETY REQUIREMENTS
SR.NO. DESCRIPTION
1 FGS Logic Solver shall be highly reliable and certified for safety integrity level of SIL3 as per IEC 61508 and IEC 61511.
2 FGS Logic Solver hardware architecture shall be redundant and fault tolerant to provide availability of 99.99%.
3 A firewall shall be used to control communication between the Control and Safety Zone.
9 DESIGN CONSIDERATIONS /MINIMUM DESIGN REQUIREMENTS
9.1 Operation & Design Life
The FGS shall be designed for a minimum life duration of 15 years.
9.2 Environmental Requirements
Other than field local panels (Remote I/O, Electronic JB) all FGS system cabinets will be installed in climate controlled unclassified indoor locations. Use of field mounted Electronic JB/Remote I/O are subject to COMPANY approval based on proven track and compliance with SIL requirements.
The indoor installed FGS system shall be suitable for an air-conditioned environment to ISA S71.04, G3 classification. Normal indoor operating conditions will be 22°C ± 2°C and 50% Relative Humidity. The System shall continue to operate in HVAC upset conditions during which in the indoor location of installation temperature can fall to 0ºC or rise to 60ºC, and the humidity can vary between 5% and 95% non-condensing.
9.3 Electric Utility Data
Two separate power feeders from dual redundant UPS and one feeder from Utility power supply shall be made available for use by the VENDOR for powering FGS system cabinets.
The Electrical power supply details are as follows:
(a) 240 VAC, Single Phase, 50 Hz, earthed
(b) Steady State Voltage ± 10% nominal voltage
(c) Steady State Frequency 50Hz ± 3 Hz.
(d) Backup UPS time 8 hours as standard unless specific operational requirement is identified.
9.4 Seismic Requirements
The system shall be designed to operate in the presence of a sinusoidal vibration of 2g at 10 - 500 Hz and withstand a shock of 15g for 11 milliseconds.
9.5 Hazardous Area Protection
Unless otherwise specified, FGS system cabinets shall be installed within a general purpose, non-classified electrical area.
If equipment is located in hazardous area, the Hazardous area classification and method of protection shall comply with IEC 60079. FGS equipment located in certified Hazardous Area enclosures shall comply with maximum ambient conditions for continuous operation.
Instrumentation in hazardous areas shall be certified by recognised certifying body, IEC or equivalent. For instrumentation installed in hazardous area, EEx i (Intrinsically Safe) design is the preferred method for hazardous area protection, exception is solenoid valves which should be Ex’d’ or Ex’m’ certified. Other protection standards for SOVs may be used where appropriate if specifically approved by COMPANY.
9.6 Ingress Protection
The degree of Ingress Protection (IP) for equipment enclosure shall comply with IEC 60529 and equipment data sheets. The equipment minimum IP rating shall be as follows:
(a) IP 42 for Indoor climate-controlled environments
(b) IP 65 for Outdoor field environments
9.7 Engineering Units
Reference shall be made to Project Engineering Design basis for Units of Measurements.
SECTION B
10 FGS TECHNICAL REQUIREMENTS
10.1 General Design
The function of the Fire and Gas System (FGS) is to provide an independent protection system to monitor significant gas leak or fire occurrence and initiate alarm to alert personnel and initiate executive actions automatically or perform process safety function/plant shutdown through ESD system.
The FGS logic solver hardware shall have a high degree of availability, reliability and be fault tolerant. The FGS logic solver shall be functionally separate from the process unit ESD logic solver.
FGS system shall be Programmable Electronic System (PES) based certified for SIL3 as per IEC 61508.
FGS system shall be ‘off the shelf’ equipment with Field Proven design in industrial safety applications and certified for intended use.
The FGS System VENDOR shall have a proven track record over a minimum 15 years in providing design, engineering, supply, and commissioning services for large scale Oil, Gas, Petrochemical and related process facilities.
The FGS system shall be engineered considering the full life cycle from design, installation, commissioning, start-up, operations and maintenance through to decommissioning as per IEC 61508 and IEC 61511 requirements.
10.1.1 System Architecture
The Process facilities shall be controlled from CCR utilising an Integrated Control and Safety System (ICSS) architecture. This approach consists of a Process Control System (PCS), an Emergency Shutdown (ESD) system, and a Fire & Gas system (FGS), with the PCS serving as the prime control and command system.
FGS system shall have ‘suitable modular redundant’ architecture (for example Triple or Quadruple redundant) utilising two-out-of-three or two-out-of-4D voting or any other equivalent redundant system architecture with appropriate voting configuration to maintain SIL 3 integrity. FGS System architecture shall support hot mode (online) replacement of faulty modules without degradation of system functionality, SIL 3 integrity and high availability.
The FGS processors shall have a robust fault-tolerant redundant architecture. A single fault shall not reduce the safety availability of the system and the safe failure rate shall remain below that of a simplex processor. The failure of any single component shall not result in a failure to execute any safety function.
For large process plants with multiple units, the FGS system architecture shall be geographically distributed. The individual FGS sub-system will be located in respective unit’s Instrument Equipment Room. Each FGS sub-system shall be capable of functioning independently and should automatically switch to ‘island’ mode in the event of communication failure with CCR or between any FGS nodes located in other Instrument Equipment Room. Communication failure between FGS Systems located at CCR and Instrument Equipment Rooms shall not automatically lead to the shutdown of any of the FGS sub-systems. ‘Island’ mode response to communication failure shall be programmable.
For small installations, FGS and ESD system may be combined into a single system, if agreed by COMPANY. For all other implementations, the two systems shall be separated with separate controllers, I/O and marshalling including System and Marshalling cabinets, Servers and Workstations.
AGES-SP-04-003
Rev. No: 1 Page 16 of 49
10.1.2 Reliability
The FGS system shall be highly reliable and certified to SIL 3 rating as per IEC 61508.
The system shall be designed for an availability of 99.99 percent or better. Availability is defined as:
System availability % = MTTF / (MTTF + MTTR)
SIL and Availability figures must be provided by the VENDOR with method of calculation and all assumptions clearly stated. Data for failure rates shall be derived from FMEDA analysis by recognised bodies.
MTTR of eight (8) hours and Proof Test Interval of 10 years shall be used in PFD and SIL calculations.
10.1.3 Redundancy
The basic architecture of FGS shall utilise redundant processors, I/O modules, power supply, internal buses and communication interfaces so that failure of any single component shall not degrade system safety functionality.
In redundant hardware configuration, it shall be possible to replace and repair any faulty module without interrupting system operation. Faulty module replacement shall not disrupt system safety or functionality or impact operation of the controlled process. The transition to the healthy module shall be bump-less (for example no loss of functionality or protection). No operator action shall be required to restore the system to normal operation other than simple mechanical replacement of modules.
FGS hardware and software configuration shall be designed to eliminate or substantially minimise common mode or common cause failure mechanisms.
10.1.4 Performance
The response time (input change to output response) for FGS processing shall be less than 300 msec unless specified otherwise in project functional specification for shorter response time due to process licensor or package equipment manufacturer special requirements.
Loading of logic processor memory capacity, operator interface stations, controllers, data communications devices and networks shall not exceed 60% of total operable capacity under maximum loading conditions including all spares capacity defined in this document. Maximum loading conditions shall be based on the heaviest alarm load possible.
10.1.5 Functional Requirements
System hardware shall be allocated process area and unit wise, reducing the potential impact of any hardware failures. Using this topology, each FGS System shall operate in a self-contained mode, minimising the potential impact of any inter-nodal communications loss.
FGS System I/O modules shall be segregated by process areas and fire zone to increase system and process availability. In general, one I/O card shall not contain the I/O of more than one process unit. Process unit I/O split unit wise is not required for Non-Fail-safe output cards driving alarm lamps. Cards belonging to one logic group shall be located together and spare points shall be left within the I/O group for expansion. Distribution of I/O shall be governed by Unit segregation and to avoid common mode failure.
Wherever voted multiple I/O is required, each device shall be allocated to a separate I/O module.
The FGS system outputs shall be normally de-energised, energised to trip. However, specific applications or plant philosophies may require outputs to be designed as de-energised to trip. Energise to trip inputs and outputs shall have line monitoring for open circuit and short circuit conditions.
Hardwired intertrips between FGS and ESD shall be designed to avoid single point of failure and configured in 2ooN voting arrangement to reduce spurious trips. Where the FGS and ESD systems are implemented in identical hardware that uses a SIL 3 ‘safety bus’ for communication, this shall be the preferred method of implementing Intertrips.
Input and output signals shall be voted independently. Fault tolerant output modules shall be automatically tested for stuck-on and stuck-off components at a regular interval not exceeding 1 second.
All input faults shall be configured with a default 2 second delay to avoid alarm chattering and spurious trips or spurious voting degradation.
The FGS logic solver shall be designed such that once it has placed the process in a safe shutdown state, the trips shall be latched to fail safe state and means of resetting it shall be provided once healthy condition is restored.
FGS executive action will be based on HSE/Fire and Gas philosophy/respective Cause and Effects and shall be interfaced to the following field equipment and perform the following actions:
(a) Activate FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression system and/or deluge release
(d) Equipment shutdown, isolation and depressurisation via ESD system
(e) Process building HVAC closing dampers and tripping air handling units
10.1.6 Third Party Interface
Typical third-party interface will include:
(a) Process Monitoring and Flame detection CCTV
(b) HSSD system
(c) Non-Process building FGS panel
(d) Third party package FGS system
(e) Access Control Systems
Critical signals will be hardwired.
10.1.7 Safety Data requirement
VENDOR shall provide the following data and necessary support for FGS verification:
(a) PFD and System Failure Rates.
(b) Safe Failure Fraction.
(c) Mean Time Between Failures.
(d) Common cause failure factor as per method detailed in IEC 61508-6.
(e) SIL 3 Certificate as per IEC 61508 from Exida, TUV or equivalent
(f) Safety Manual
(g) Documentary evidence of suitability of equipment based on prior use as described in IEC 61511-1.
(h) Fault tolerance report, showing conformance to IEC 61511-1 requirements
10.2 Functional Specification (FS) and Functional Design Specification (FDS)
The Functional Specification shall be prepared by CONTRACTOR in consultation with COMPANY and shall form the basis for the VENDOR proposals and for the VENDOR to develop the FGS design in detail and shall be written specifically for each project.
The FS shall provide the following information:
(1) This specification
(2) Number and spacing of IES;
(3) Number and type of I/O (Analogue, Digital, SOV, ‘Soft’ serial, IS, Non-IS) and allocation to IES;
(4) Number of Safety functions and allocation to IES;
(5) I/O Criticality ratings
(6) Requirements for ‘island’ operation.
(7) P&IDs (to support segregation assessment).
Based on the FS and additional supporting documentation, VENDOR shall develop the detailed design of the FGS and document it in the FDS.
The supporting information supplied to VENDOR to develop the FDS shall include:
(8) Logic Descriptions;
(9) Sequence Narratives;
(10) Updated P&IDs;
(11) Operating Philosophies;
The FDS shall detail the project specific architecture, system layout, hardware, software. It shall be written in conjunction with COMPANY/CONTRACTOR by VENDOR, based on the Functional Specification, provided in the requisition, and the additional supporting documents.
The system design and build will not be approved until the FDS is approved by COMPANY.
Operator interface requirements shall be included in FDS.
The FDS shall provide a detailed inventory and description of the equipment, functional definition and equipment data, including, as a minimum:
(1) Definition of data flows to achieve FS requirements
(2) Allocation of controllers to IES/units
(3) Allocation of I/O to controllers
(4) Number of FGS cabinets
(5) Allocation of I/O to cabinets
(6) General Arrangement (GA) of cabinets including, rack distribution and mounting, power distribution, terminations, trunking, cooling fans, temperature monitoring, cable entry arrangement and dimensional drawings
(7) Preliminary configuration database
(8) Function block definitions
(9) HMI station details /GA and dimensional drawings
(10) Access control
10.3 FGS Hardware
10.3.1 Main Processors
Each FGS system shall contain redundant CPU operating synchronously and in parallel.
Hot replacement of a CPU or modification of a CPU’s running application program shall not require process interruption or system re-initialisation.
A locking mechanism (hardware switch) for each CPU shall prevent memory modification from an outside source.
For CPU with volatile (RAM) memory, battery backup on CPU module shall be provided to retain data for six months in memory. Batteries on CPU module shall be replaceable online without degrading FGS system functionality.
Each processor loading shall not exceed 60% in all memory areas, to allow for future expansion.
10.3.2 I/O General
The VENDOR shall provide I/O cards of robust design and high quality. I/O cards shall be installed in I/O cabinets in I/O racks or on individual base plate depending on I/O mounting design. I/O cards shall be manufactured to withstand the facility environment, in particular maximum ambient conditions.
All input and output cards used in FGS logic shall be redundant, fail safe design and SIL3 certified as per IEC 61508. All output cards which are driving noncritical alarm lamps should be approved for non-interaction and are not SIL rated. Redundant I/O cards shall be used for all inputs and outputs except for maintenance override inputs and annunciators / lamps outputs. For I/O cards installed in I/O racks, single I/O cards with empty hot spare slots are to be used for maintenance override and outputs to annunciators/lamps.
‘Single Component’ hardware such as signal conditioners, I.S barriers, Signal converters, relays used for individual loops must be arranged in a voting scheme to meet the targeted SIL of each loop.
The I/O system shall be of a modular design. The I/O modules will include an electronic design that allows ease of installation. The system shall permit any I/O module to be removed or inserted into the system backplane under power without causing a system upset. The system shall include diagnostics to prevent signal scan errors due to card removal or insertion.
Except for Universal type I/O cards, a mechanical keying facility shall be provided to prevent physical insertion and on-line activation of a module in a wrong location. No address links or switches shall be mounted on the I/O modules. The module type identifier shall be located in the firmware of the module and automatically recognised by the operating system.
Number of I/O channels per I/O card shall be limited to 32 nos.
I/O modules should preferably be universal type, for example each I/O module configurable to Analogue or Digital input/output as per requirement.
All individual I/O channels shall be electrically isolated (opto-isolator) from the main CPU and provide galvanic isolation from field equipment. Failure in any I/O card shall not affect other I/O cards. Failure or fault in any I/O channel shall not affect other I/O channels. I/O cards shall be designed so that a short circuit or high voltage on one input (or output) shall not induce a fault on any other input (or output) on the same module. Ground/Earth fault shall be automatically detected and reported per individual I/O card and per individual I/O channel.
All Input and Output cards/modules shall have built in capability of ‘Line Monitoring’ to detect I/O channels faults like open circuit, short circuit, earth fault, load failure, supply failure, circuit fault.
For digital inputs, end line resistors used for the line monitoring purpose shall be installed on the terminal of the field switches. When isolation barriers are used in safety critical applications, line monitoring thresholds shall be configured to detect barrier faults. This ensures that barrier faults do not inhibit safety critical functions.
Input faults like open circuit, short circuit, earth fault which are not safety critical shall be configured with a default 2 second delay to avoid alarm chattering and spurious trips.
For the purpose of standardisation, FGS digital outputs shall preferably provide power to the field devices for example solenoids, relays, hooters, and beacons while digital inputs shall provide 24 VDC to input switches.
All FGS input and output points shall be individually fused with ‘blown fuse’ indication and provided with knife disconnect terminals. Current limiting protection is preferred over fuses.
All discrete I/O modules should include local status indicators (LED) to monitor the status of each input and output and any communication and I/O faults. Spare I/O points, which are pre-configured within the FGS system shall be shorted or terminated according to manufacturer’s recommendations to avoid nuisance faults or diagnostic alarms.
Unless otherwise specified by the CONTRACTOR during detailed design, the FGS System VENDOR must assume that all Field devices, both Inputs and Outputs are located in potentially hazardous atmospheres. Inputs shall provide intrinsic safety isolation through the use of appropriately certified, galvanically isolated intrinsically safe interface units. The barriers may be either inherent in the System I/O cards or termination assemblies, or in separate field termination blocks mounted within the marshalling cabinets.
Field Cable Termination Board design shall ensure that all active components used for signal conditioning and for loop power to input/output signals are redundant. Failure of any component inside them shall not generate fault in redundant I/O signal channel simultaneously.
10.3.2.1 Analogue Inputs
The FGS system shall support following analogue inputs:
(a) 4-20mA, HART compatible, 24VDC powered by the System and load resistance 600Ω nominal.
(b) 1 to 5 V DC
(c) Pulse Inputs for Rate measurement
The FGS System shall be capable of interfacing with 2, 3 and 4 wire instruments with or without powering from system.
Analogue input card characteristics shall meet or exceed the following requirements:
(a) Analogue to digital conversion shall exhibit high common mode line frequency noise rejection.
(b) Normal mode rejection shall meet or exceed 60 dB at line frequency and harmonics.
(c) Common mode rejection shall meet or exceed 120 dB at line frequency and harmonics.
(d) Common mode voltage rejection shall be 500 V DC or peak AC.
(e) Automatic gain and zero shift compensation are preferred.
(f) Minimum acceptable resolution is 12 bits (1 in 4096).
(g) Accuracy, including linearity shall be 0.1% of full scale or better.
HART signals connected to FGS shall be directly accessible from the Asset Management System. It is preferred to use HART compatible Field Termination Assemblies and HART enabled AI/AO instead of using HART multiplexers and modems for HART interface. Exceptions shall require prior approval from COMPANY. ‘Smart’ transmitters HART data must be configured to ‘read only’.
Analogue inputs shall have open circuit, short circuit and out of range detection capability as per NAMUR NE43 standard.
History/trending data storage functionality shall be available for all Analogue I/Os.
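The following Python model is an added example, not part of the specification or of any VENDOR's code. It shows how three 4-20 mA detector inputs could be screened against the NAMUR NE43 failure bands, held through the default 2 second input-fault delay, voted 2oo3 with median select, and latched until reset. The tag names, the 40% trip setpoint and the degradation of 2oo3 to 1oo2 on a confirmed input fault are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from statistics import median
from typing import List, Optional, Sequence

NE43_FAIL_LOW_MA = 3.6    # NE43: <= 3.6 mA is failure information
NE43_FAIL_HIGH_MA = 21.0  # NE43: >= 21.0 mA is failure information
FAULT_DELAY_S = 2.0       # default input-fault delay stated in the specification
TRIP_PCT = 40.0           # assumed trip setpoint in % of range (constructed value)


class Health(Enum):
    OK = "OK"
    PENDING = "FAULT_PENDING"  # out of range, delay timer still running
    FAULT = "FAULT"            # out of range for FAULT_DELAY_S or longer


@dataclass
class Channel:
    tag: str
    health: Health = Health.OK
    value_pct: Optional[float] = None
    _bad_since: Optional[float] = None

    def update(self, ma: float, now: float) -> None:
        """Classify one 4-20 mA sample taken at time `now` (seconds)."""
        if NE43_FAIL_LOW_MA < ma < NE43_FAIL_HIGH_MA:
            self._bad_since = None
            self.health = Health.OK
            self.value_pct = (ma - 4.0) / 16.0 * 100.0
            return
        if self._bad_since is None:
            self._bad_since = now
        elapsed = now - self._bad_since
        self.health = Health.FAULT if elapsed >= FAULT_DELAY_S else Health.PENDING
        self.value_pct = None  # a failed or suspect signal carries no measurement


def votes_for_trip(ch: Channel) -> bool:
    return ch.health is Health.OK and ch.value_pct >= TRIP_PCT


@dataclass
class Voter2oo3:
    channels: List[Channel]
    tripped: bool = False
    alarms: List[str] = field(default_factory=list)

    def scan(self, readings_ma: Sequence[float], now: float) -> bool:
        for ch, ma in zip(self.channels, readings_ma):
            before = ch.health
            ch.update(ma, now)
            if ch.health is Health.FAULT and before is not Health.FAULT:
                self.alarms.append(f"{ch.tag} input fault")
        faulted = sum(ch.health is Health.FAULT for ch in self.channels)
        votes = sum(votes_for_trip(ch) for ch in self.channels)
        # Assumption: each confirmed fault lowers the required votes by one
        # (2oo3 -> 1oo2 -> 1oo1). A PENDING channel does not degrade voting.
        required = max(1, 2 - faulted)
        if votes >= required:
            self.tripped = True  # latched until reset() succeeds
        return self.tripped

    def selected_pct(self) -> Optional[float]:
        """Median select over the healthy channels, None if none are healthy."""
        good = [ch.value_pct for ch in self.channels if ch.health is Health.OK]
        return median(good) if good else None

    def reset(self) -> bool:
        """Clear the latch only when no healthy channel still votes for trip."""
        if not any(votes_for_trip(ch) for ch in self.channels):
            self.tripped = False
        return not self.tripped


def new_voter() -> Voter2oo3:
    # Constructed tag names for three detectors in one voting group.
    return Voter2oo3([Channel("GD-101A"), Channel("GD-101B"), Channel("GD-101C")])


if __name__ == "__main__":
    v = new_voter()
    # Constructed samples: (time s, [A, B, C] in mA). A is open circuit throughout.
    for t, sample in [(0.0, [0.0, 8.0, 8.0]), (1.9, [0.0, 12.0, 8.0]),
                      (2.0, [0.0, 12.0, 8.0])]:
        print(t, v.scan(sample, t), [c.health.value for c in v.channels], v.alarms)
```

A line glitch shorter than the delay never degrades the voting, while a confirmed fault both raises an alarm and changes how many healthy detectors are needed to trip.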
10.3.2.2 Digital Inputs
The FGS System shall support discrete inputs as follows:
(a) Input type- Volt free Contact and NAMUR Proximity switches
(b) Inputs powered from FGS by 8–24 VDC wetting voltage and capable of detecting status changes with loop impedance (including contact resistance) of at least 1000 ohms
(c) Digital input signals shall be conditioned by a low-pass filter, typically up to 15 msec, to reduce the effects of noise and bounce.
(d) A minimum of 1000 VDC opto-isolation shall be provided between each input signal and microprocessor.
10.3.2.3 Digital Outputs
The FGS System shall support discrete outputs as follows:
(a) For powering Solenoid Valves, Beacons, Hooters, Interposing Relays and Alarm Lamps of voltage rating 24 VDC and 48 VDC or as specified in purchase order.
(b) Digital outputs shall be current rated for minimum 0.5 A for an inductive load per point at 60°C. Output circuits shall be provided with protection against reverse EMF and voltage transients caused by the switching of inductive loads and protection against current overloads.
(c) Voltage loop back circuitry shall automatically verify that the commanded state is equivalent to the field state.
(d) Digital output modules shall operate within ±10% voltage variation, provide a minimum of 1000 VDC opto-isolation between each output signal and microprocessor, accept surge current on each point of 12A per cycle for AC voltage and 10A for 24 VDC voltage for 10 msec and 5A for 48 VDC voltage for 10 msec.
(e) Output modules shall be automatically tested for stuck-on and stuck-off components at a regular interval not exceeding 1 second.
10.4 Electromagnetic Compatibility
FGS equipment shall comply with IEC 61000 and IEC 61326-3-3 for immunity to Radio Frequency Interference (RFI), Electromagnetic Interference (EMI) and electrostatic discharge.
The systems shall be capable of accepting various signal inputs for its direct use while preventing noise errors due to electromagnetic or radio frequency interference including hand-held or mobile communications equipment, nearby radio stations, electrical storms, solenoids, relays or contactors carrying heavy currents.
The most probable source of radio frequency interference (RFI) at the site is the use of handheld radio transceivers with nominal radiated power of 5 watts. VENDOR shall state any frequencies in the VHF, UHF and TETRA bands for which they cannot comply.
10.5 Surge Protection
VENDOR shall provide protection for the FGS System equipment against surges and transient over-voltage/currents that may be induced via the power supply, communications and signal cabling Systems. FGS system surge protection shall comply with IEC 61000-4-5. Protection shall be built to withstand 2kV surges on power supply cabling and 1kV on communications and signal cabling.
10.6 FGS Software
10.6.1 Programming
The CONTRACTOR shall develop Logic diagrams from FGS Cause and Effect Diagrams in line with standard formats during FEED stage and shall be further detailed during EPC stage. VENDOR shall develop application programs to develop safety logics based on Cause and Effect/Logic Diagrams, and Safety Philosophies provided by CONTRACTOR.
The application program shall be user friendly. This means that detailed comments and descriptions shall be included throughout all function block elements which identify elements by tag numbers and intended functionality.
Application software shall be designed in conformance to IEC 61511-1, clause 12.
Standard Function Blocks that are pre-tested and certified by a recognised external organisation like TUV shall be used to develop the application programs.
Maximise use of standard function blocks for all frequently used functional logics. This reduces software configuration time, results in standardised application logic which simplifies operation, maintenance and future projects configuration work.
The program development software shall be capable of supporting both on-line and off-line programming. On-line programming or making on-line application program changes while an FGS system is operating, (for example, configuring new I/O points, tags and addresses, revising or adding logic and changing dynamic element parameters) shall be possible without having to reset or re-initialise application programs currently running within the CPU. Off-line program emulation shall be provided unless specified otherwise. Program editing functions shall incorporate automatic time-dated, and revision level file saving routines which store all file revisions.
Program editing and saving shall incorporate automatic time-dated and revision level file saving functionality. To monitor software changes, there shall be a software utility for comparing two revisions (present and past) of application program which shall report all changes in a high level readable format to evaluate result of changes and identify extent of testing required. Verification of application software by software tool shall be possible on-line.
VENDOR shall issue Functional Design Specifications which should clearly define all standard Function Blocks (non-custom ones) developed to implement FGS functional requirements, along with VENDOR’s Hardware, Software, Firmware and Network solution for the Project. The methodology of preparing this documentation shall comply with IEC 61508 for software development and implementation. COMPANY approval of Functional Design Specification is mandatory prior to commencement of manufacture.
Each FGS system shall be programmed using IEC 61131 compliant software. The configuration software shall be capable of implementing all logic and safety functions required by the application. VENDOR shall state the programming method used, and the operating system required for the programming system. Additionally, the VENDOR shall advise where the programming/monitoring software resides, and the various licensing agreements for single and multiple uses of the software.
Where separate FGS functional logic groups are implemented within the same FGS, the software for each shall be kept fully segregated. The desired segregation is utilisation of separate programs sequentially running for each FGS functionality. As a minimum, dedicated areas within the FGS program shall be applied for each FGS functionality. These dedicated areas shall be clearly documented within the program using program comment capability. Spare internal bit and register addresses shall be maintained for each FGS functionality program or program area.
Software shall be protected from unauthorised changes by the use of both passwords and key lock switches. VENDOR shall advise what methods are available in his system for such protection.
FGS CPU shall support following software utilities for logic implementation:
(a) Math functionality with both integer and real numbers.
(b) Relay logic including transitional inputs and latching outputs.
(c) Time delays and counters.
(d) Arithmetic, Algebraic, and Trigonometric functions.
(e) Median Select and Median Deviation function for analogue input voting.
The EWS and Logic Solver operating system, application and configuration software shall be supplied by VENDOR with the latest up-to-date software revision and associated patches till SAT. In addition, VENDOR shall make available all the software updates and patches during entire life cycle of FGS system as part of Long-term technical support contract.
10.6.2 System Log
To monitor changes in configuration a system log shall be maintained by VENDOR from the FDS approval date till FAT, SAT, and Commissioning is completed.
The system log is to record the date of changes or occurrence of problems, the cause / originator of the change or problem, summary of the change or problem, an assigned change or problem report number and action taken relating to the change or problem correction. The list shall be maintained in chronological log report number order in a format such as MS Excel (.xls) that can be easily uploaded into a database. Application program changes requested shall be kept filed by functional logic group. Each change shall be filed marked with the assigned system log report number. Maintenance of these records is required to comply with IEC 61508.
10.6.3 Engineering Workstation
Engineering Workstation shall be provided to allow the user to enter, add, delete, or modify logic program, fault diagnostics, system monitoring, and application documentation.
Access to Engineering Workstation for configuration purposes shall be restricted to users with appropriate credentials. The user access to FGS system shall be restricted by means of User Ids and Passwords or other suitable technologies for identification and authentication of users. Two factor authentication and password protection shall be provided for each user. The system shall be capable of defining user groups as per roles for example Engineer, technician. System access privileges shall be configurable for each user group.
The Engineering Workstation shall be capable of monitoring the status of application programs in real-time. Manual forcing of input or output states and visible power flow on logic diagram shall be possible.
All programming shall be done using alphanumeric tag name references and allow on-screen comments for functional description of application program.
Off-line programming shall provide run emulation capability for testing and troubleshooting of the application program. Software changes shall be done off-line, tested, and then compiled into the running application.
The VENDOR shall detail in the FGS FDS the methods of version control and storing of master and backup copies of application programs for all the FGSs located at different geographical locations. Each change shall have the detail of the change, the time and the personnel who performed the change logged.
VENDOR shall fully describe and quote as an option any off line and remote diagnostic tools that are available for use with the system.
Additionally, for process plants with multiple FGS systems located at various Instrument Equipment Rooms, it shall be possible to connect PC-laptop based EWS at each FGS location, for purposes of monitoring or programming. The VENDOR is responsible for providing all necessary communication ports and internal cabinet wiring to support these requirements.
VENDOR shall provide an FGS application software backup and restore system.
10.7 Communication
FGS System shall consist of the following two networks for communication:
(a) Safety Network (SN) - this shall be a SIL 3 rated, redundant network used to communicate safety critical signals such as inter-trips between FGS nodes.
(b) Process Control Network (PCN) - used for interfacing with PCS for FGS I/O display, alarming of shutdowns and diagnostics, invoking of operational and maintenance overrides from the PCS.
The SN and PCN communication networks shall be dual redundant and support IEEE-802.3 Ethernet interface capability. The communications modules shall include an internal program (self-diagnostics) and transmission error detection mechanism to locate hardware malfunctions and aid in locating coding errors in the configurations and software programs.
Connections to networks and devices outside of the FGS system shall be performed through dedicated firewall devices.
Communication interfaces shall be off-the-shelf, using existing, industry standard media and communications protocols such as Modbus or Ethernet as identified in project specifications.
All communications ports shall permit connection or disconnection of cabling without interrupting or jeopardising FGS system operation.
Error checking schemes shall include Cyclical Redundancy Checking (CRC), Longitudinal Redundancy Checking (LRC) in conjunction with bit parity checks, fail safe transmission time-out, message fault words, and loss of communication path alarms.
No adverse effect shall occur on communications networks during transients when many variables are changing rapidly or by data queries from the maintenance station. Data highway broadcast ‘storms’ shall not cause the FGS to lock up or operate improperly.
The communication interface shall be sufficiently robust to withstand electromagnetic interference including power surges without causing a dangerous failure of safety functions.
The communication interface shall be suitable for communication between devices referenced to different electrical ground potentials.
VENDOR is responsible for the correct design of the Communication Network interface to effect bi-directional transfer of all FGS information and maintain ICSS screen update of 1 second maximum.
Loss of data communication to the ICSS/PCN/ Communication Network shall not result in trips or status changes of the FGS communication points. Recovery of communication shall be automatic. The VENDOR shall indicate the type of output (hardwired) that can be made available, to permit (back up) annunciation of communication failure at the ICSS Operator Workstations.
For connecting FGS Systems located at different locations, the SN and PCN communication networks shall use redundant fibre optic cables and components, installed by others across various plant units, utilising segregated path routing to minimise common mode failure of redundant links. Fibre Optical cables shall be terminated directly to FGS communication module or through Network switch/media converter. Communication system components including Network Switches, Media Converter, power supplies shall be redundant.
10.8 Human Machine Interface
10.8.1 Operator Interface
The FGS system shall be designed to operate on a stand-alone basis. Under normal conditions, the FGS system shall utilise the PCS OWS to display status of all FGS I/O’s and alarm notifications.
From PCS OWS, Operators shall be able to view all data related to FGS for example process parameters current values, states of all FGS inputs and outputs, alarms, maintenance overrides, resets.
FGS system data shall be displayed on the PCS Process Graphic displays in the same way as native PCS data. Though FGS system I/O’s are not directly connected to the PCS, same shall be transparent from the PCS OWS to the maximum extent possible.
The PCS OWS shall be utilised to display FGS system shutdown hierarchy, architecture and FGS shutdown logics in Cause and Effect diagrams format.
The FGS shall generate various fault alarms for FGS system analogue inputs. This shall include Open circuit and Short circuit alarms, and HH, H, L and LL alarms.
To transfer display and alarm data, FGS shall communicate with the PCS OWS seamlessly as with any other PCS nodes on the PCN Communication Network.
Separate FGS hardwired Mimic or Matrix panel is not required unless specified otherwise in purchase order.
10.8.2 FGS Console
FGS Console shall be provided in CCR to install Push Buttons, key Switches for input Overrides, and Visual and Audible Annunciator of critical alarms.
Input Overrides shall be provided for plant maintenance. The application and removal of FGS overrides during maintenance shall be controlled at supervisory level via Master Override enable key with lamp indication on ESD/FGS console. When it is in the ‘Override On’ position, a limited number of individual maintenance overrides from PCS HMI can be applied. Turning the key to the ‘Off’ position shall remove all overrides and extinguish the warning lamp. The key shall be removable in the ‘Off’ position. All Inputs Overrides shall generate alarm in PCS.
To ensure adequate protection, maintenance overrides shall be organised in groups, in order to minimise the number of overrides applied to each group (typically 2 per group maximum). Voting circuits within a group shall not permit more than one voting input to be overridden at the same time.
The MASTER Inhibit Enable key-switch will be of ‘stay put’ type with key reset and protected by lift flap.
If FGS Processor cabinets are installed in remote Instrument Equipment Room, then FGS console Digital I/O data shall be transferred to FGS Processor on dual redundant SIL3 certified Safety Network.
All FGS push buttons shall have dual wired contacts for 1oo2 voting to initiate executive action.
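The maintenance override rules above can be checked in software before an override request is accepted. The Python sketch below is an added example, not part of the specification or of any VENDOR's code. It enforces the master key, the per-group limit and the one-overridden-input-per-voting-circuit rule, and records every request for audit. The tag names, group names, user names, message texts and the choice to tie the lamp to the key position are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_OVERRIDES_PER_GROUP = 2  # "typically 2 per group maximum" in the specification


@dataclass(frozen=True)
class Input:
    tag: str
    group: str                            # maintenance override group
    voting_circuit: Optional[str] = None  # None for a non-voted input


@dataclass
class OverrideManager:
    inputs: Dict[str, Input]
    key_on: bool = False
    active: Set[str] = field(default_factory=set)
    pcs_alarms: List[str] = field(default_factory=list)  # every override alarms in PCS
    rejected: List[str] = field(default_factory=list)    # audit trail of refusals

    @property
    def lamp_on(self) -> bool:
        # Assumption: the console warning lamp follows the master key position.
        return self.key_on

    def turn_key(self, on: bool) -> None:
        self.key_on = on
        if not on:
            # Key to 'Off' removes all overrides and extinguishes the lamp.
            for tag in sorted(self.active):
                self.pcs_alarms.append(f"OVERRIDE OFF {tag} (master key off)")
            self.active.clear()

    def _reject(self, tag: str, user: str, reason: str) -> str:
        self.rejected.append(f"{user} {tag}: {reason}")
        return f"REJECTED: {reason}"

    def apply(self, tag: str, user: str) -> str:
        inp = self.inputs.get(tag)
        if inp is None:
            return self._reject(tag, user, "unknown tag")
        if not self.key_on:
            return self._reject(tag, user, "master key off")
        if tag in self.active:
            return self._reject(tag, user, "already overridden")
        peers = [self.inputs[t] for t in self.active]
        if inp.voting_circuit is not None and any(
            p.voting_circuit == inp.voting_circuit for p in peers
        ):
            return self._reject(
                tag, user, "voting circuit already has an overridden input")
        if sum(p.group == inp.group for p in peers) >= MAX_OVERRIDES_PER_GROUP:
            return self._reject(tag, user, "group limit reached")
        self.active.add(tag)
        self.pcs_alarms.append(f"OVERRIDE ON {tag} by {user}")
        return "APPLIED"

    def remove(self, tag: str, user: str) -> str:
        if tag not in self.active:
            return self._reject(tag, user, "not overridden")
        self.active.discard(tag)
        self.pcs_alarms.append(f"OVERRIDE OFF {tag} by {user}")
        return "REMOVED"

    def shift_report(self) -> Dict[str, List[str]]:
        """Active overrides per group, for the shift-change report."""
        report: Dict[str, List[str]] = {}
        for tag in sorted(self.active):
            report.setdefault(self.inputs[tag].group, []).append(tag)
        return report


def build_demo() -> OverrideManager:
    # Constructed inventory: two override groups, one 2oo3-voted detector set.
    items = [
        Input("GD-101A", "FZ-01", "GD-101"),
        Input("GD-101B", "FZ-01", "GD-101"),
        Input("GD-101C", "FZ-01", "GD-101"),
        Input("FD-102", "FZ-01"),
        Input("FD-103", "FZ-01"),
        Input("GD-201A", "FZ-02", "GD-201"),
    ]
    return OverrideManager({i.tag: i for i in items})


if __name__ == "__main__":
    m = build_demo()
    m.turn_key(True)
    for tag in ["GD-101A", "GD-101B", "FD-102", "FD-103", "GD-201A"]:
        print(tag, m.apply(tag, "tech1"))
    print(m.shift_report())
    m.turn_key(False)
    print(m.active, m.pcs_alarms)
```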
10.9 Diagnostics
The system shall incorporate comprehensive self-diagnostics such that all permanent and transient faults are identified, alarmed and reported.
FGS shall have ‘Watchdog’ functionality to monitor healthiness of system hardware and software.
Diagnostics shall be capable of identifying, locating and reporting the following faults as a minimum:
(1) Microprocessor faults.
(2) Communication faults.
(3) I/O module faults.
(4) Scan failure of main or I/O processors.
(5) Memory faults.
(6) I/O interface or addressing faults.
(7) Application program and hardware layout inconsistency.
(8) Voted signal discrepancy on inputs and outputs.
(9) Voted discrepancy on calculated values within application program.
(10) Load power or fuse faults on field circuits.
(11) Power supply faults including battery back-up monitoring and output voltage verification.
(12) Over temperature conditions.
I/O module diagnostics shall be able to detect and alarm I/O point faults of the following types:
(i) ‘stuck-on’ - short circuited failure of a discrete input or output.
(ii) ‘stuck-off’ - open circuit failure of a discrete output.
All I/O’s shall be tested at a regular interval not exceeding 1 second for fault monitoring. Fault information shall be available and displayed for the maintenance staff in a manner that enables fault diagnosis to at least the module level.
Status indicators shall be provided to indicate normal operation or fault conditions on each replaceable module. In addition, each fault shall initiate a hard alarm contact or an internal fault flag for communication to a PCS host computer or other operator interface.
Diagnostic Reports should be generated by the system with clear and interpretable diagnostic information. It is not acceptable to generate report files which can only be analysed at VENDOR’S facility. The FGS shall provide reports detailing active overrides and inhibits that are generated on shift changes.
10.10 Alarm Management
An Alarm Management software shall be provided to ensure that the operator is alerted to plant upsets in a clear manner without being overloaded during normal operation and even plant upset. It shall be integrated with the ICSS.
Alarm Management shall comply with the EEMUA Publication 191 and the ISA 18.2 requirements.
The alarm management software for FGS system shall have the following AMS capabilities:
(a) Alarm and event logging
(b) Storage of alarms and events for retrieval
(c) Sorting of alarms and events in chronological order
(d) Sorting of alarms by priority
(e) Providing statistical analysis of alarms and events
(f) Alarm reports (shelved alarms, filtered alarms, masked alarms, statistics)
(g) Alarm change management (alarm threshold modification, alarm priority change)
(h) Printing and reporting.
(i) First out alarm
(j) Masking/Dynamic suppression
The alarm and event history shall be periodically backed onto another central server for permanent storage.
Refer to ADNOC Group Company AMS specification for further details.
10.11 SOE Requirements
SOE application shall accurately record the sequence of events in the order of their occurrence and enable rapid root cause analysis of trips after multiple events have occurred.
SOE shall be configured to perform both event logging and first-out reporting, for example, the time-tagged discrimination of trip events as well as first out event capture, that will allow the determination of the first event which caused individual or collective process equipment to trip.
First-out alarm/event sequence configuration shall comply to ISA 18.1. First-out (first alert) alarm/event functionality shall be used to indicate which one alarm in a group of alarms operated first. To accomplish this, the HMI indication for the alarm point that operates first must be different from the visual display indication for subsequent alarm points in that group. Only one first out alarm indication must exist in any one first out group.
The SOE and SER shall be a standard feature of FGS system. The SOE shall utilise time stamping carried out at FGS Processor and I/O module level to log events. Along with basic process alarms and trips, system faults, device health and operator actions shall be captured.
VENDOR shall verify feasibility of using EWS as SER without loss of SOE functionality while EWS is being used for configuration.
SER shall be capable of storing 100,000 time stamped events in a circular file. The time stamp shall equal the respective FGS-PLCs clock time at the time the trip alarm is generated with a resolution equal to or better than the smallest scan time of FGS. To cater for processor communication failure, at least the last 2000 events shall be stored in processor internal non-volatile memory.
FGS system master clock shall have 1 ms resolution. Events (faults and alarms) shall be time stamped at I/O module level. The minimum time resolution between SOE events shall be 1 ms. No events shall be missed, and all events shall be recorded on each scan.
Each FGS shall synchronise with all other nodes on the PCN communication network via a time signal broadcast on the PCN from an SNTP Time server. As with all nodes of the ICSS, the time synchronisation of the FGS and SOE clocks shall be kept within 10 - 25 msec.
Combined SOE reporting of PCS and FGS events via the PCS shall be provided. FGS SOE information should be passed to the PCS via a direct PCS highway node communication module resident in the FGS. The SOE data together with time stamp information should be transferred from the FGS to the PCS. The FGS must buffer SOE data in memory until the interface communication module successfully completes transmission of the data to the PCS. Software resident in the PCS shall then assimilate and store all FGS SOE data with PCS generated SOE data, as well as SOE data transmitted to the PCS by other subsystems.
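The SOE behaviour described in this section (circular storage, buffering until the PCS accepts the data, chronological sorting and first-out determination) is sketched below in Python as an added example; it is not part of the specification or of any VENDOR product. Node names, tags, groups and time stamps are constructed. Treating events from different nodes that lie within 25 ms of the first event as first-out contenders is an inference from the 10 - 25 msec synchronisation figure, not a requirement stated in the specification.

```python
from collections import deque
from dataclasses import dataclass

SER_CAPACITY = 100_000     # circular file size required above
SYNC_TOLERANCE_MS = 25     # worst-case clock offset between nodes (assumed from "10 - 25 msec")


@dataclass(frozen=True)
class Event:
    ts_ms: int    # time stamp applied at I/O module level, 1 ms resolution
    node: str     # FGS node whose clock produced the time stamp
    tag: str
    group: str    # first-out group the point belongs to


class SequenceOfEvents:
    def __init__(self, capacity=SER_CAPACITY):
        self.store = deque(maxlen=capacity)  # circular: oldest entry is overwritten
        self.pending = deque()               # held until the PCS link accepts them

    def record(self, event):
        self.store.append(event)
        self.pending.append(event)

    def transmit(self, send):
        """Send pending events in order; keep whatever the link did not accept."""
        sent = 0
        while self.pending:
            if not send(self.pending[0]):
                break                        # link failed: retry this event later
            self.pending.popleft()
            sent += 1
        return sent

    def chronological(self):
        # Arrival order is not trusted; the I/O-level time stamp is.
        return sorted(self.store, key=lambda e: (e.ts_ms, e.node, e.tag))

    def first_out(self, group):
        """Return (first event, contenders) for one first-out group.

        Contenders are later events from a different node whose time stamp is
        within the synchronisation tolerance, so they may really have been first.
        """
        events = [e for e in self.chronological() if e.group == group]
        if not events:
            return None, []
        first = events[0]
        contenders = [e for e in events[1:]
                      if e.node != first.node
                      and e.ts_ms - first.ts_ms <= SYNC_TOLERANCE_MS]
        return first, contenders


# Constructed sample events, deliberately recorded out of chronological order.
CONSTRUCTED_EVENTS = [
    Event(1_000_120, "FGS-02", "GD-410 HH", "AREA-4"),
    Event(1_000_100, "FGS-01", "FD-402 FIRE", "AREA-4"),
    Event(1_000_400, "FGS-01", "ESD-4 TRIP", "AREA-4"),
    Event(1_000_050, "FGS-01", "PSU-1 FAULT", "SYSTEM"),
]


def load_constructed(capacity=SER_CAPACITY):
    soe = SequenceOfEvents(capacity)
    for event in CONSTRUCTED_EVENTS:
        soe.record(event)
    return soe
```

In the constructed data the flame detector on FGS-01 is reported as first out, but the gas detector on FGS-02 is only 20 ms behind on a different clock, so a root cause analysis should treat the pair as unordered.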
10.12 Cabinets
10.12.1 Construction
FGS system and marshalling cabinets shall be rigid and self-supporting. Cabinets shall be constructed of sheet steel with a rigid internal steel frame. Cabinets shall be braced for shock and vibration normally encountered during transport and construction.
The cabinet’s structure thickness shall be minimum 1.5 mm for cabinet steel plate sides, roof and bottom, and minimum 2 mm for doors and plinths.
Unless otherwise specified in Purchase order, the dimensions of the cabinets shall be 2000 mm (H) (excluding plinth) x 800mm (W) x 800 mm (D) (front access). If cabinets are permanently bolted to form sections, the length of these sections shall not exceed 2400 mm.
All cabinets shall have the same exterior and interior finish and colour. Cabinet colour shall be RAL 7035. Plinth colour shall be RAL 7022.
The cabinet Internal layout shall be designed to provide safe and unimpeded access to all electronic modules, power distribution, fuses, terminals and cables termination areas, cables and wiring routings and replacement of defective parts with the minimum amount of dismantling or removal of associated equipment.
Cabinets have redundant ventilation at cabinet top section for heat removal. Alarms shall be provided for cabinet high temperature and fan failure. Cabinets shall be equipped with ventilation louvers with dust filters units. Inlet louvers shall be installed at the bottom of cabinet doors. Filter screens shall be readily accessible and easily removable.
At the top of cabinet, a hole shall be provided to connect air sampling tube from High Sensitivity Smoke Detection (HSSD) System. Tube connection hole size shall be as per Purchase Order requirements.
Cabinet and inside equipment support shall be designed to dampen effects of external vibration.
Eyebolts shall be mounted on each cabinet to facilitate handling during unloading and permit transportation of the enclosure by crane.
All unused I/O module slots shall be fitted with removable cover plates.
Cabinet shall have lockable hinged doors. Hinges shall be the lift off type; for example doors shall be easily removable from cabinet. All door locks shall be provided with the same lock and key combination. Keys shall be removable with the doors either locked or unlocked.
Internal lighting lamp at the top of the cabinet shall be controlled by a door switch or movement detector and incorporating a manual on/off/auto switch.
A pocket shall be provided on the inside of the door to contain cabinet drawings.
Each Cabinet and all its major components shall be clearly labelled and identified with a Tag Number. Cabinet nameplates shall be by engraving on three-layer plastic. Material layers shall be red-white-red for FGS, and nameplates shall be attached with stainless steel screws. Nameplate engraving shall be subject to COMPANY review and approval.
VENDOR shall assemble a typical cabinet for approval by COMPANY prior to commencing assembly of all cabinets. Final cabinet layouts shall be a part of Functional Design Specification and will be subject to COMPANY approval.
10.12.2 Wiring
For conventional I/O VENDOR shall provide Field Termination Assemblies (FTA) in FGS Marshalling cabinets for wiring field signals to I/O cards. VENDOR shall provide all interconnection cables from marshalling to CPU cabinets and between CPU cabinets. All wiring except power wiring between cabinets shall utilise VENDOR standard multicore cables with pluggable pre-assembled terminators/connectors. For Solenoid or similar higher loads cabling shall utilise terminal boards suitable for 2.5 mm² or higher size conductor cable. I/O cards shall not be split over more than one cable connector and one shall not contain I/O of more than one process unit.
All wiring shall be segregated according to type (input or output) and voltage levels.
Colour coding for wiring shall be as follows:
Power 24V DC: positive - RED, negative - BLACK
Power 240V AC: phase - BROWN, neutral - LIGHT BLUE
Input and output signals - WHITE (or BLUE if a colour is to be used to indicate Intrinsically Safe signals)
Safety Earth - GREEN/YELLOW
Signal Earth - GREEN
Intrinsically Safe Earth - GREEN/BLUE
All interconnecting cables shall be tagged at both ends with cable number and cabinet number. Wiring core shall be tagged at both ends with terminal and module number using shrink sleeve type markers or equivalent.
All internal wires shall be stranded copper except for thermocouple type where it should match the thermocouple type.
Internal wiring shall be laid in PVC close slotted ducting (raceway) with a covering lid colour coded blue for Intrinsically Safe and Grey for non-Intrinsically Safe wiring. Ducting (raceways) shall have at least 40% spare capacity after commissioning.
Internal cabinet wiring, cables and wire ways shall be minimum flame retardant in accordance with IEC 60332.
Cable entries shall be from the cabinet bottom and provide facilities for sealing (such as gland plate) to prevent moisture, contaminants and rodents from entering the cabinet.
All internal and external wiring shall be connected to terminals. Splices are not permitted in wiring. Terminal blocks shall be Push-in Spring type (cage clamp type) and non-hygroscopic type. Terminals shall be tinned and clearly identified. The size of the terminal blocks shall be consistent with the wire size. Segregation of IS and Non-IS marshalling is required. Terminal colour for Non-IS wiring shall be Grey and Intrinsic Safe wiring shall be Blue. Terminals utilised for voltages higher than 48 volts shall be protected against accidental contact with removable cover plates which carry high voltage warning labels. Terminal blocks shall be labelled and numbered.
All panel cabinet tagging for cabinets, racks, TBs, Distribution boards, Terminal blocks, shall be engraved tagging fixed in a permanent manner. Sticker or temporary tagging is not acceptable.
10.12.3 Power Supply
Unless otherwise specified in the Purchase Order, each cabinet will be powered from redundant 240 VAC, 50 Hz UPS dual redundant feeders by the CONTRACTOR. For each incoming power feed a double pole isolation switch shall be provided. Individual alarms will be generated for each of these when turned to the off position or on any fault.
System power supply located inside FGS cabinets shall be dual redundant and each shall be capable of supplying 100% system power if other fails. All power supplies, without considering redundancy shall include a spare capacity of 25 percent of the maximum load considering all spare I/O slots were filled.
Power supplies shall be replaceable on-line without disrupting the process and without affecting functioning of FGS System. Distribution of all power levels to all system chassis and modules shall also be completely redundant as a minimum. This is to be inclusive of all voltage levels required for logic processors, all chassis requirements, I/O modules and communication modules. This means that the failure of a power supply or incoming line shall not take out a leg of I/O or a main processor. The system shall withstand a 20 msec power outage without interrupting system operation. Cabinet power supplies shall have over-temperature protection, integral fuse protection, and status LEDs to indicate power supply faults.
Miniature circuit breakers (MCB) and fuses shall be employed to provide electrical protection and isolation for all powered components. The distribution circuit shall ensure that no single MCB failure results in other consequences or a cascade effect. MCB fault contacts shall be wired in series to generate a common fault alarm. Selection of fuses and MCB ratings shall be carefully coordinated with upstream fuses / MCBs including UPS distribution, taking into account power up inrush currents.
Additionally, separate 24 VDC redundant power supply for powering field instruments shall be provided. The VENDOR shall be responsible for designing the 24 VDC power distribution with circuit protection for all system I/O. All 24VDC –ve terminals shall be connected to Instrument earth (floating earth is not allowed). Power supply +ve outlet shall have a diode.
Failure of any power supply must be signalled via a dry normally open (N/O) contact which shall be wired in series to a common discrete input point for alarm indication for each self-contained suite of cabinet(s). Each power supply shall be provided with primary and secondary overload protection. The secondary overload shall be self-resetting or have a time overload delay to prevent an instantaneous fault from tripping the system off. Over voltage protection must be provided if it is necessary for the protection of the connected loads. All individual fuses shall be considered with fault LED indication and common fault alarm for monitoring by PCS. No hidden fault is allowed without remote common alarm.
The VENDOR shall wire cabinet lighting and utility outlets to a separate breaker which will be fed by CONTRACTOR from a single phase 240 VAC 50 Hertz utility non-UPS power supply.
VENDOR will be responsible to provide the power requirements for each cabinet and total power for each system to size the incoming line power requirements. VENDOR will include inrush currents and crest factors in supplied information.
10.12.4 Earthing
There shall be three separate isolated Earthing Systems within the FGS System as follows:
a. Safety Earth: Each cabinet shall have a M10 brass earth stud, complete with nuts and washers for dedicated safety earthing. All metal racks, internal panels, cable tray, doors and detachable panels shall be earth bonded together to this safety earth with a flexible copper braid strap of at least 10 mm² to ensure effective earthing.
b. Instrument Earth: Each system and marshalling cabinet shall be provided with one 5mm x 15mm copper galvanically isolated instrument earth bus-bar across the full width of, and insulated from, the panel for earthing System electronics and electrostatic screens of field cables. In general, field instrument shields shall be grounded to instrument earth within the Marshalling Cabinet.
c. Intrinsically Safe Earth – I.S. Earth: Marshalling cabinets with non-isolating IS barrier (for example Zener barrier) circuits shall be supplied with an additional isolated IS earth bus-bar clearly labelled.
10.13 Cyber Security
Cyber Security implementation shall comply to IEC 62443 for safety level SL2. FGS system shall be ISASecure certified for cyber security.
FGS shall integrate securely into ICSS PCN communication network through firewall. VENDOR shall implement a ‘Safety domain’ separated from the ‘Control domain’ either by firewalls or by implementation of a localised safety communication network that is separate from the Control Domain. FGS Engineering Workstation and Controller shall sit on SN in ‘Safety domain’. PCN and SN shall not terminate on the same switch to ensure that two separate networks are maintained.
FGS Controller and Engineering Workstation shall be cyber secure by design; for example, it shall have built-in firewall functionality to restrict access to authorised protocols and devices. It shall validate communication with devices using encryption and digital signatures. It shall have software whitelisting so that only authorised programs or applications are executable and malware or unauthorised programs are blocked.
Cyber Security design shall comply with the ADNOC Group Company’s Digital Security policies.
A cyber security risk assessment as per IEC 62443-3-2 shall be performed by COMPANY/CONTRACTOR. VENDOR shall provide all required support for this assessment.
The cyber security risk assessment shall be performed by CONTRACTOR as follows and shall be seen as an iterative and continuous process from hardware freeze to FAT and SAT:
(a) Define the risk analysis methodology (for example architecture based)
(b) Identify major items (organisation, systems, subsystems, networks)
(c) Identification, evaluation of the threat scenarios with their impact and likelihood
(d) Reduce the risks by designing adequate countermeasures
(e) Summarise the results in a Risk Register.
The cyber security risk assessment findings and recommendations shall be implemented by VENDOR.
VENDOR shall provide firewalls to enforce data transfer between FGS and ESD/PCS/ICSS.
The FGS system software patch update and security programs requirements shall comply to COMPANY Cyber Security guidelines/policies.
All unused ports on switches and routers of FGS system shall be disabled to assist in preventing unauthorised access to the ICSS network infrastructure.
VENDOR shall provide Firewall and Malware protection for Cyber Security in line with COMPANY Cyber Security guidelines/policies.
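Three of the requirements in this section can be checked mechanically against an as-built port and flow inventory: PCN and SN not terminating on the same switch, unused ports disabled, and traffic between the Safety domain and the rest of the ICSS passing through a firewall. The Python audit below is an added example, not part of the specification or of any VENDOR tool; the inventory format, device names, switch names and finding labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed port inventory:
# (switch, port, network or None, administratively enabled, attached device or None)
CONSTRUCTED_PORTS = [
    ("SW-SN-A", 1, "SN", True, "FGS-CTRL-01"),
    ("SW-SN-A", 2, "SN", True, "FGS-EWS-01"),
    ("SW-SN-A", 3, None, True, None),             # unused but still enabled
    ("SW-SN-A", 4, None, False, None),            # unused and disabled: compliant
    ("SW-SN-A", 5, "SN", True, "FW-FGS-01"),
    ("SW-PCN-1", 1, "PCN", True, "PCS-OWS-01"),
    ("SW-PCN-1", 2, "SN", True, "FGS-CTRL-02"),   # SN landed on a PCN switch
    ("SW-PCN-1", 3, "PCN", True, "FW-FGS-01"),
]

# Constructed domain membership and firewall list.
SAFETY_DOMAIN = {"FGS-CTRL-01", "FGS-CTRL-02", "FGS-EWS-01"}
FIREWALLS = {"FW-FGS-01"}

# Constructed flows: (source, destination, devices traversed on the path)
CONSTRUCTED_FLOWS = [
    ("FGS-CTRL-01", "PCS-OWS-01", ["SW-SN-A", "FW-FGS-01", "SW-PCN-1"]),
    ("FGS-CTRL-02", "PCS-OWS-01", ["SW-PCN-1"]),        # bypasses the firewall
    ("FGS-EWS-01", "FGS-CTRL-01", ["SW-SN-A"]),         # stays inside the domain
]


def audit(ports, flows, safety_domain, firewalls):
    """Return a sorted list of (finding, location) tuples; empty means compliant."""
    findings = []
    networks_on_switch = defaultdict(set)

    for switch, port, network, admin_up, device in ports:
        if network:
            networks_on_switch[switch].add(network)
        # "All unused ports on switches and routers ... shall be disabled"
        if device is None and admin_up:
            findings.append(("UNUSED_PORT_ENABLED", f"{switch}/{port}"))

    # "PCN and SN shall not terminate on the same switch"
    for switch, networks in networks_on_switch.items():
        if {"PCN", "SN"} <= networks:
            findings.append(("PCN_AND_SN_ON_ONE_SWITCH", switch))

    # Traffic leaving or entering the Safety domain must traverse a firewall.
    for src, dst, path in flows:
        crosses_boundary = (src in safety_domain) != (dst in safety_domain)
        if crosses_boundary and not firewalls.intersection(path):
            findings.append(("CROSS_DOMAIN_WITHOUT_FIREWALL", f"{src}->{dst}"))

    return sorted(findings)


def audit_constructed():
    return audit(CONSTRUCTED_PORTS, CONSTRUCTED_FLOWS, SAFETY_DOMAIN, FIREWALLS)
```

Run against inventories exported at FAT and again at SAT, a check of this kind gives the risk assessment a repeatable record of whether the segregation still holds after site changes.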
10.14 Spare Capacity/Expandability
10.14.1 Installed I/O and Cabinet Space
Each Marshalling and System cabinet shall be provided with 20% installed and wired spare for each type of I/O card. Each I/O card shall have at least 20% spare I/O channels available. The installed 20% spare shall include all associated terminations, terminal block, cable ducts and trays. Field cable spare cores shall be terminated on terminal blocks.
In addition to wired spares there shall be an average 20% empty space inside cabinets for future use.
10.14.2 Memory/Processing
Spare memory for application program and database shall be at least 40%. CPU loading shall not exceed 60% of its maximum capacity at full system loading.
10.14.3 Communication Interfaces
Communication interfaces shall not be loaded more than 50% at maximum loading after plant start-up.
11 REQUIREMENTS FOR SPECIAL PACKAGE UNITS
Not Applicable
SECTION C
12 SCOPE OF SUPPLY
Detailed engineering and design of the FGS system in accordance with all specifications, standards, datasheets and other statements of requirement included with or referenced in the requisition.
The VENDOR shall have single point responsibility for all aspects of the works, inclusive of all components sub-contracted or purchased from other parties. These shall include, but not be limited to:
(1) Total system engineering definition of the FGS system in the form of a Functional Design Specification (FDS) based upon the Functional Specification (FS), datasheets and COMPANY specifications provided by CONTRACTOR. FDSs shall be written by the VENDOR and approved by COMPANY during the Design Phase to detail the VENDOR scope of work.
(2) The agreed FDS
(3) FGS System Topology
(4) Design and supply of the FGS system Console, including the integration design and resulting facilities for all free issued materials to be mounted thereon
(5) Design and supply of the FGS System Cabinets
(6) Design and supply of the FGS Marshalling Cabinets
(7) Design and supply of the FGS Auxiliary Cabinets
(8) Design of the FGS system communications network and supply of all communication equipment and cables up to and including firewalls at interface to Process Control Network.
(9) Supply of FGS hardware, software, cabinets, consoles, EWS, printers, power supply units, peripherals
(10) All System Interconnecting cables, network switches, licenses and all other equipment required for a fully functional, operable, reliable and maintainable FGS System.
(11) Supply of operating system software and firmware.
(12) Supply of system configuration and application software including design and configuration of database, and reports
(13) Supply of specialist integration services for third party equipment forming part of the FGS system scope
(14) Supply of System test procedures, all necessary test equipment and personnel for all tests. Perform tests for witness by the Contractor’s representative
(15) Human Machine Interface for local access
(16) Data communications
(17) Documentation
(18) Documentation and certification in accordance with the material requisition, this specification and the standards referenced herein.
(19) Special tools required for installation, operation and maintenance of the equipment;
(20) Painting, Preservation and Packing;
(21) Insurance spares;
(22) Spares (commissioning and 2 year);
(23) Design and supply of power distribution system within the FGS system
(24) Certified calculations shall form part of the scope of supply as follows:
i. Sizing Calculations;
ii. Power Calculations;
iii. Heat loading calculations.
(25) Commissioning; start-up and long term support.
(26) Site assistance for FGS system installation and commissioning
In addition to the above requirements, design, fabrication, configuration, testing and installation shall also be compliant with cyber-security requirements.
13 QUALITY CONTROL AND ASSURANCE
Equipment shall only be purchased from Vendors approved by ADNOC Category Management. This approval indicates that the VENDOR has an approved Quality management system and a proven track record in supply of this equipment type.
COMPANY/CONTRACTOR reserves the right to inspect materials and workmanship at all stages of manufacture and to witness any or all tests.
VENDOR shall comply to Criticality Rating for Equipment outlined in respective ADNOC Group Company’s Quality System Specifications for requirements of production checks, shop inspection, testing and material certification.
The VENDOR shall provide equipment inspection and test reports as per approved Inspection and Test Plan by CONTRACTOR.
14 CERTIFICATIONS
VENDOR shall provide SIL 3 certificates for offered FGS system from Exida, TUV or equivalent.
VENDOR shall provide all Test Certificates as per Supplier Document Register and Schedule (SDRS) provided in Purchase Order.
15 INSPECTION & TESTING REQUIREMENTS
15.1 General
The VENDOR shall be responsible for workmanship, testing and quality assurance of the material supplied.
Inspection and Testing will be carried out by VENDOR and it will be witnessed by the CONTRACTOR and COMPANY representatives at various stages and locations as follows:
(1) Pre-Factory Acceptance - conducted at the system assembly/manufacturer location.
(2) Factory Acceptance Test - may be conducted at the system assembly location as a standalone FGS test and then again at the PCS location as an integrated test, or entire testing may be done at the PCS location.
(3) Integrated Factory Acceptance Test – conducted following FAT at the PCS location.
(4) Site Installation Test- conducted at the job site once system is installed and powered up.
(5) Site Acceptance Test - conducted at the job site as a system operating test after commissioning.
VENDOR shall provide all test procedures to CONTRACTOR and COMPANY for review and approval at least two months prior to the proposed test schedule. Each formal acceptance test must be signed by a VENDOR, CONTRACTOR and COMPANY representative at the successful completion of the test(s).
15.2 Shop Inspection
CONTRACTOR’S representative will periodically visit the VENDOR’S shop facilities and inspect system progress from a hardware and software perspective.
15.3 Pre-Factory Acceptance Test
VENDOR shall detail all physical tests and inspections which will be performed in the Pre-FAT procedure. As a minimum these tests shall include complete physical inspection of all cabinetry, system components, wiring, labelling. Additionally, the procedure shall list all internal VENDOR test/inspection records which can be provided to the CONTRACTOR during the Pre-FAT. As a minimum, project related QA inspections covering bought out components and internal inspections of assemblies are to be included.
The system equipment will be inspected by CONTRACTOR representative at the Pre-Factory Acceptance Test for satisfactory quality and workmanship. In addition, COMPANY or CONTRACTOR shall have the right to inspect the work in progress at any stage.
The VENDOR is responsible to maintain a punch list during the Pre-FAT. The Pre-FAT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire Pre-FAT punch list shall be given one System Log report number and maintained as part of the FGS system log. Unless otherwise agreed by COMPANY, all items on the Pre-FAT punch list shall be cleared before the commencement of FAT.
The entire Pre-Factory Acceptance Test (Pre-FAT) procedure must have been successfully exercised on the system by the VENDOR prior to the FAT.
15.4 Factory Acceptance Test
The FAT shall include the complete testing and acceptance of both hardware and software.
The VENDOR shall be required to submit FAT procedures for approval prior to FAT. These shall cover, but not be limited to:
(a) Complete hardware testing including simulation of all input and output channels, testing of all system redundancy (CPU’s, power supplies, I/O buses, I/O comm modules, highway communication modules), observation of fault reporting via hardware indicators and data transfers, and hot swap component replacement.
(b) Complete simulation of all functional logic groups. This testing is to be inclusive of I/O simulation through the marshalling cabinets and system cables to ensure healthy HW and SW configuration for all I/O. Functional test shall be performed through software simulation for all tested I/O. It is intended that this testing be performed with the FGS system data linked with the PCS. In this case all PCS/FGS data transfers associated with each functional logic group shall be exercised and observed during the function logic validation testing. If schedule or other requirements necessitate testing of the FGS functional logic prior to a PCS integration test, all data transfer bit sets and register values will be exercised/observed for correct operation by means of a test computer simulating while testing the functional logic. In this case, later Integrated testing with the PCS shall include highway interface of the FGS processors with the project application software loaded. At least 10 percent of all interface data points shall again be simulated, and correct results observed. Additionally, full redundancy testing of the communications interface shall be performed. CONTRACTOR and COMPANY approval to perform the FGS FAT first separately, and then integrated as described above must be obtained in writing by the VENDOR.
(c) As the functional logics are checked, proper recording of SOE data shall be verified. Additionally, the SOE sorting and reporting capabilities shall be demonstrated and certified correct.
During FAT the system shall be made available to CONTRACTOR and COMPANY for sufficient periods to verify satisfactory performance.
COMPANY and CONTRACTOR’S representative will witness the entire FAT. The FAT procedure/checklist will be signed off by the VENDOR, CONTRACTOR and COMPANY representative at the successful conclusion of testing. A copy of the signed off FAT procedures/checklist and related printouts shall be furnished to CONTRACTOR and COMPANY representative. Each punch point shall be categorised to define criticality and time frame for completion. This is applicable to all tests & punch lists.
All process inputs and outputs must be simulated during the FAT. The purpose of this simulation is to provide a facsimile of the production process, with all points of an individual loop or interconnected loops hooked up for test simultaneously.
All system programs must be complete and resident in the system prior to the start of FAT. All program listings must be free of pencilled (patched) corrections. The system software loaded must be the final version encompassing all required changes incorporated after VENDOR internal testing. Any changes which were made as a result of internal testing shall be documented as part of the FGS system log.
The VENDOR is responsible to maintain a punch list during the FAT. The FAT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire FAT punch list shall be given one System Log report number and maintained as part of the FGS system testing log.
Diagnostic programs which are tested during FAT shall be shipped to IFAT with system.
15.5 Integrated Factory Acceptance Test (IFAT)
Following FAT, IFAT shall follow and include testing of communication interface between FGS and FGS/PCS. Data transfer between FGS and FGS/PCS shall be checked. FGS graphics implemented in PCS OWS shall be 100% tested.
IFAT testing procedure shall be furnished by VENDOR for CONTRACTOR and COMPANY approval.
15.6 Site Installation Test (SIT)
After the system has been installed on site and site QA as well as VENDOR inspection of the mechanical and electrical installation has been successfully completed, a Site Installation Test will be conducted by the VENDOR when directed by the CONTRACTOR.
SIT shall include as a minimum:
(a) An audit and inspection of equipment as installed. A deficiency report shall be written, and appropriate action taken to rectify any problems.
(b) All alarm status, analogue and pulse inputs, and controlled end devices shall be disconnected by means of isolating terminals.
(c) Each system shall be powered up and system and application software will be loaded. System diagnostics shall be run and checked to ensure the system is error free.
(d) Communications shall be established between all components of the system and from the FGS to the FGS/PCS.
(e) Redundancy testing of processor, power supply systems, I/O buses and communication modules shall be performed.
(f) At least one point from every input/output module shall be verified by signal simulation/monitoring from the associated marshalling cabinet.
(g) A random sampling of data transfers between the PCS and FGS shall be performed to ensure proper operation of the data links.
(h) All MOS enable switches shall be checked for proper operation by exercising the enable switches, implementing PCS soft MOS functions, checking the FGS implements the MOS and then observing the FGS clearing imposed soft MOS functions when the MOS enable switches are switched to the off position.
(i) Random sampling of SOE data shall be conducted.
Full details of all tests to be performed shall be defined in the SIT procedure.
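The MOS enable switch check in item (h) can be rehearsed against a model before the SIT. The following is an added example, not part of this specification or of any VENDOR software: `FgsMosModel`, the tag names and the final step (soft MOS refused while the enable switch is off) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample tags, not taken from the project I/O list.
SAMPLE_TAGS = ["GD-0001", "FD-0002"]


@dataclass
class FgsMosModel:
    """Hypothetical stand-in for the FGS side of the MOS logic."""
    clears_on_disable: bool = True             # False models a defective build
    enable_on: bool = False                    # MOS enable switch position
    active: set = field(default_factory=set)   # tags with a soft MOS imposed

    def set_enable(self, on: bool) -> None:
        self.enable_on = on
        # Item (h): imposed soft MOS functions are cleared on switch-off.
        if not on and self.clears_on_disable:
            self.active.clear()

    def soft_mos_request(self, tag: str) -> bool:
        # Assumption: a PCS soft MOS is accepted only while enable is on.
        if self.enable_on:
            self.active.add(tag)
            return True
        return False


def run_mos_sit_check(fgs, tags):
    """Walk the item (h) sequence; return a list of (step, passed) pairs."""
    results = []

    # Exercise the enable switch, then impose soft MOS from the PCS side.
    fgs.set_enable(True)
    accepted = all([fgs.soft_mos_request(t) for t in tags])
    results.append(("FGS implements soft MOS when enable is on",
                    accepted and fgs.active == set(tags)))

    # Switch the enable off and observe the FGS clearing every imposed MOS.
    fgs.set_enable(False)
    results.append(("FGS clears imposed soft MOS when enable is off",
                    len(fgs.active) == 0))

    # Assumed extra step: new soft MOS requests change nothing while off.
    before = set(fgs.active)
    refused = not any([fgs.soft_mos_request(t) for t in tags])
    results.append(("Soft MOS refused while enable is off",
                    refused and fgs.active == before))
    return results


def failed_steps(results):
    """Names of the steps that would go on the SIT punch list."""
    return [step for step, passed in results if not passed]


if __name__ == "__main__":
    for label, model in (("healthy", FgsMosModel()),
                         ("defective", FgsMosModel(clears_on_disable=False))):
        print(label, failed_steps(run_mos_sit_check(model, SAMPLE_TAGS)))
```

An override that survives switch-off leaves a detector bypassed with no physical indication at the switch, which is the failure the second step is there to catch.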
The VENDOR is responsible to maintain a punch list during the SIT. The SIT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire SIT punch list shall be given one System Log report number and maintained as part of the FGS system test log.
COMPANY and CONTRACTOR representative will witness the entire SIT. The SIT procedure will be signed off by the VENDOR, CONTRACTOR and COMPANY representative at the successful conclusion of testing. A copy of the signed off SIT procedures and related printouts shall be furnished to CONTRACTOR and COMPANY representative.
Upon completion of the SIT, the system shall remain powered on and loop checks shall be conducted as loops are made ready. System status shall continue to be monitored and all detected faults and/or changes/modifications to system hardware and software shall be recorded in the System test log. During commissioning, loop checking shall include the whole loop, from the control room to the field device.
15.7 Site Acceptance Test (SAT)
After the system has been commissioned and put in service the Site Acceptance Test period commences. The purpose of the site acceptance test is to verify that all hardware and software is correctly installed and functioning according to the specifications in the real environment and verify integrated performance of the FGS with the ICSS system.
The Site Acceptance Test will also be done to a previously approved procedure prepared by the VENDOR and approved by the CONTRACTOR. This procedure will detail the monitoring functions to be performed, the methods to be employed, and clearly stipulate the conditions which must be met for acceptance.
This test shall include monitoring the system data transfer and update times. SOE data capture and time synchronisation between the PCS and FGS shall be verified. Transmission and display of correct first out alarm notifications as well as secondary alarms shall be observed. System diagnostics shall be routinely checked. The SAT procedure shall fully detail all acceptance test criteria. Duration of SAT shall not be less than 72 hours.
The VENDOR is responsible to maintain a punch list during the SAT. The SAT punch list shall list the problems discovered, include the date discovered, the name of the person reporting the problem, the date corrected, the name of the person who performed the correction, the date retested and accepted, and the name of the individual accepting the retest. This entire SAT punch list shall be given one System Log report number and maintained as part of the FGS system test log.
The SAT procedure will be signed off by the VENDOR, CONTRACTOR and COMPANY representative at the successful conclusion of testing. A copy of the signed off SAT procedures and related printouts shall be furnished to CONTRACTOR and COMPANY representative.
Successful completion and approval of the SAT will constitute system acceptance by the CONTRACTOR and COMPANY.
15.8 Certificates of Acceptance
At the satisfactory conclusion of the FAT, IFAT, SIT, and SAT a Certificate of Acceptance shall be provided by the VENDOR for signature by the CONTRACTOR and COMPANY.
The following documents, as a minimum, shall be attached to the Certificate of Acceptance dossier:
(1) Signed and Approved FAT, IFAT, SIT and SAT test reports
(2) Electric Equipment Test Certificates
(3) SIL Certificates
(4) Hardware Test Certificates
(5) Software Test Certificates
(6) Approved As-Built Drawings
15.9 Services by the VENDOR
The VENDOR shall supply necessary manpower and specialist personnel and all necessary tools and equipment to support testing at the VENDOR’S shop and at site as defined in the above sections.
16 SUBCONTRACTORS/SUBVENDORS
The VENDOR shall assume unit responsibility and overall guarantee for the equipment package and associated equipment.
The VENDOR shall transmit all relevant Purchase Order documents including specifications to his SUBCONTRACTORS.
It is the VENDOR’S responsibility to enforce all Purchase Order and Specification requirements on his SUBCONTRACTORS.
The VENDOR shall submit all relevant SUBCONTRACTOR drawings and engineering data to the CONTRACTOR.
The VENDOR shall obtain and transmit all SUBCONTRACTOR warranties to the CONTRACTOR/COMPANY, in addition to the system warranty.
17 SPARE PARTS
17.1 Spares
The VENDOR shall identify the following spares:
(1) Pre-commissioning, commissioning and start-up spares
(2) Recommended spares list for two years operation
Spares shall be itemised and priced with the Tender.
VENDOR shall support supply of spare parts for 15 years.
The VENDOR shall complete the Spare Parts Interchangeability Record (SPIR) Form to be supplied by the CONTRACTOR. The CONTRACTOR shall agree Spares to be included in Purchase Order.
17.2 Special Tools
The CONTRACTOR shall agree the Special Tools to be included in Purchase Order.
The VENDOR shall identify all necessary standard and special tools, test software, and test and calibration equipment required to perform routine maintenance and any other recommended tools for specialised procedures.
The VENDOR shall provide design and performance specifications for all special tools, test software, and calibration equipment.
The list of the standard tools shall state the following:
(a) Description of its service
(b) Manufacturer and Catalogue No
(c) Quantity recommended.
Special tools shall be itemised in the VENDOR quotation.
18 PRESERVATION & SHIPMENT
18.1 Packing and Shipping
Preparation for shipment shall be in accordance with purchase order Preservation and Export Packing requirements. VENDOR shall be solely responsible for the adequacy of the preparation for shipment provisions with respect to materials and application, and to provide equipment at the destination in ex-works condition when handled by commercial carriers. Adequate protection shall be provided to prevent mechanical damage and atmospheric corrosion in transit and at the jobsite. Preparation for shipment and packing will be subject to inspection and rejection by COMPANY’S/CONTRACTOR’S inspectors. All costs occasioned by such rejection shall be to the account of the VENDOR. Equipment shall be packed, securely anchored, and skid mounted when required. Bracing, supports, and rigging connections shall be provided to prevent damage during transit, lifting, or unloading. Separate, loose, and spare parts shall be completely boxed. Pieces of equipment and spare parts shall be identified by item number and service and marked with CONTRACTOR’S order number, tag number, and weight, both inside and outside of each individual package or container. A bill of material shall be enclosed in each package or container of parts. One complete set of the installation, operation, and maintenance instructions shall be packed in the boxes or crates with equipment. This is in addition to the number called for in the Purchase Order.
18.2 Preservation and Storage
Equipment and materials shall be protected to withstand ocean transit and extended period of storage at the jobsite for a minimum period of 18 months. Equipment shall be protected to safeguard against all adverse environments, such as humidity, moisture, rain, dust, dirt, sand, mud, salt air, salt spray, and seawater. All equipment and material shall be preserved, and export packed in accordance with project specifications.
The VENDOR shall provide a preservation plan to protect and ensure the integrity of FGS equipment during the period that starts when the FGS equipment is prepared for the first shipment from the point of origin and ends at the completion of project commissioning and start-up. The plan shall identify protective measures to be implemented during each phase of the project, inclusive of maximum ambient conditions. The completion plan shall be submitted to COMPANY for review and comment no later than 90 days prior to the first shipment of FGS equipment from the factory.
19 COMMISSIONING
19.1 Installation
VENDOR shall provide supervision assistance for Installation and Commissioning of FGS System at site. Installation will be carried out by the CONTRACTOR with supervision assistance from the VENDOR. The VENDOR shall notify the CONTRACTOR of any special tools required for installation and supply these if necessary, to the CONTRACTOR.
19.2 Life Cycle/Long Term Support
VENDOR must provide assurances that system equipment will not be obsolete in the next 15 years. In the belief that portions of the system will eventually be withdrawn from sale, a firm commitment by the VENDOR that for his standard products there will be either repair capability or equivalent parts and/or products available for a minimum of 15 years from the withdrawal date is required.
The FGS design shall consider the requirement that the system will require to be upgraded during the design life of the facilities. FGS supply shall be given specific attention to ensure all systems, components, software and individual elements and the respective running tools, test equipment, software and human skills can be maintained or replaced such that the original function and integrity of the whole FGS can continue in an uninterrupted manner for the field life.
The entire system shall be in ‘Active life’ for a minimum period of 15 years. VENDOR shall provide life cycle commitment including:
(a) Start of Active life
(b) End of active life
(c) Start of limited support
(d) End of limited support
(e) Start of Obsolescence
Active life: Denotes the system is active and available for sale for new projects and revamp projects, full support from R&D, continuous support in terms of upgrade, patch update, bug fixing.
Limited Support: Product has limited support with local maintenance and engineering support; bug fixing, continue to supply of spares (refurbished or new parts).
Obsolete: Out of sale and support is discontinued.
Between the active and support phases, VENDOR shall provide a minimum support period of 7 years for COMPANY to plan for a smooth upgrade or replacement.
19.3 Maintenance
During warranty period, VENDOR shall provide service personnel for periodic fault finding, repair and replacement of all faulty hardware, firmware and software.
During bidding stage, Vendor proposal shall include the details and costs of all standard maintenance services available after SAT. COMPANY shall be under no obligation to select all or any of the agreements detailed and shall be free to negotiate a unique maintenance agreement with the VENDOR.
20 TRAINING
20.1 General
The following training courses are proposed for the selective attendance of suitable personnel such as Engineers, Supervisors and Technicians. The purpose of these training courses will range from gaining practical experience and functional knowledge on FGS system, its software and associated hardware, to acquiring an in-depth knowledge for administration and system configuration and software development purposes:
(a) System Architecture (all)
(b) Systems Software and Maintenance (System Administrator)
(c) System Administration (System Administrator)
(d) Network/Cyber Security (System Administrators, Supervisors)
(e) Application Programming (Engineers, Supervisors)
(f) Advance Programming Techniques (Engineers, Supervisors)
Above training shall be included nominally for 10 Engineers / Supervisors and 6 Technicians.
20.2 Training Course Documentation
For each trainee who will attend a training course, a copy of the complete training course, notes, and drawings shall be provided to COMPANY eight weeks prior to the commencement of the training course. The copies shall be retained by the trainees on completion of the training course and shall be the property of COMPANY.
In addition, five copies of the training course documentation shall be available on site prior to the installation and pre-commissioning for reference purposes.
20.3 Maintenance Training Course
The purpose of the course is to train Engineers/Supervisors/Technicians for first line fault diagnosis, and repair by replacement.
20.4 System Engineering Course
The purpose of this course is to enable COMPANY Engineers/Supervisors to be able to modify system I/O and system application software including interfaces to the PCS.
(a) System Hardware.
(b) System operating software.
(c) Review of project specific typical application software modules, data formats, data table allocations.
21 DOCUMENTATION
VENDOR shall submit the type and quantity of drawings for COMPANY/CONTRACTOR authorisation or information as per Supplier Document Register and Schedule (SDRS) provided in Purchase Order.
The VENDOR shall provide all standard and project-specific documentation and software required for system definition, installation, initialisation, operation, maintenance, troubleshooting and training. This information shall provide complete documentation for the FGS in sufficient scope and detail to permit programming and maintenance of the equipment.
Mutual Agreement on document list and documents issue dates shall be an integral part of Purchase Order.
Comments made by COMPANY/CONTRACTOR on drawing submittal shall not relieve VENDOR of any responsibility in meeting the requirements of this specification. Such comments shall not be construed as permission to deviate from requirements of the Purchase Order unless specific and mutual agreement is reached and confirmed in writing.
All drawings, documents, information, correspondence, test reports, operating and maintenance instruction manuals shall be in the English language.
All documents and drawings issued by the VENDOR shall be produced in an electronic format compatible with Microsoft Office computer software. Documentation shall also be provided in Native format, in order to allow company to update during operational upgrade and future projects. VENDOR shall provide final documentation on DVD-ROM with search and retrieval capabilities.
FGS safety related documentation shall conform to IEC 61511-1, clause 19.
Prior to start of manufacture, the VENDOR shall submit engineering and fabrication drawings for CONTRACTOR and COMPANY’S approval as per document list provided in Purchase Order.
All system drawings shall be prepared and submitted in accordance with recognised standards. Every effort shall be made to minimise the total number of drawings prepared by use of common drawings, where practicable without loss of clarity.
Before SAT, VENDOR shall issue As-Built drawings incorporating all changes that have taken place during installation, testing and commissioning at site. Each drawing shall be clearly marked ‘As-Built’ and dated.
The list of documents below is intended to define the minimum technical documents to be provided by the VENDOR. This list is not exhaustive and additional documentation necessary for the work execution shall be provided by VENDOR. FGS system documentation to be supplied by VENDOR shall include, but not be limited to:
(1) System Architecture Diagrams
(2) System Block Diagrams and interface schematic
(3) Functional Design Specifications for Hardware and Software, Cabinets, Networking, Interfaces, Cyber Security
(4) System Configuration Specifications including Logic and Application Program Design
(5) Reliability/Availability Calculations and Reports
(6) SIL Calculations as per IEC 61508
(7) SIL and Safety System certification dossiers
(8) Loading Calculations (CPU, memory, networks, power supplies, spares)
(9) Cabinet and Console General Arrangement drawings
(10) Cabinet internal wiring diagrams
(11) Inter-panel Cable Connection Schedule
(12) Interconnection Wiring Diagrams
(13) Input/Output Assignment List.
(14) Configuration database.
(15) Functional Logic diagrams.
(16) Loop Diagrams
(17) Software licenses
(18) Power supply, distribution and earthing drawings.
(19) Power and Heat Loading calculations
(20) Electrical Load Schedule
(21) I.S. certification dossier (if applicable).
(22) Bill of Materials
(23) Comprehensive data sheets for all major items, including completed data sheets included in the enquiry/purchase order.
(24) Inspection Test Plan (ITP)
(25) QA/QC Procedures
(26) Internal Testing and Pre-FAT Report
(27) FAT Procedure & Report
(28) SIT Report
(29) SAT Procedure & Report
(30) List of all spare parts, tools, test equipment and installation materials.
(31) Spare Part Interchangeability List
(32) Packing, Marking and Shipping Procedure
(33) Preservation and Site Storage Procedure
(34) Complete catalogue sheets of all furnished items.
(35) System Hardware Manuals
(36) Programming Manual
(37) Application software manuals.
(38) System Security Manual
(39) Functional Safety Manual
(40) Operation and Maintenance Manuals
(41) Installation and Configuration Manuals
(42) Quality Manuals
(43) Third Party Manuals
21.1 Specific Requirements
VENDOR shall issue Software Functional Design Specification which details application software, configuration procedures and compliance to IEC 61508 & IEC 61511 programming requirements for safety applications.
Application program files in function block format including all pertinent embedded comments describing logic functionality shall be provided. Descriptors for logic element/blocks shall include completed I/O addresses and tag numbers, set points, logic element parameter identification. Flow charts and Logic diagram drawings shall be produced for all safety interlocking functions and they shall comply with the IEC 61131-3.
This document will be reviewed jointly by the CONTRACTOR and COMPANY and technical review meetings will be held to finalise and freeze the hardware and software prior to the FAT. COMPANY approval of the FDS is mandatory prior to System build and FAT. The details of NFPA 72 conformant solution shall be described in the FDS.
The system software functional design specification shall be complete and follow the format given below:
21.2 Typical Program Macros
Typical program macros which are used repeatedly shall have written descriptions of the objectives and functions that are provided. It shall be in sufficient detail to allow a person familiar with individual programming elements of the system to determine the function of each module.
21.3 Detailed Logic Application Diagrams with Full Description
Each separate functional logic group shall be shown as ISA or IEC standard logic symbology, which is fully annotated and described, including all I/O tag numbers. A complete listing of all I/O points with tag numbers, descriptions, point configuration parameters (ranges, engineering units) and cross references shall also be included. This documentation may be generated by the actual programming software if the format is reviewed and approved by the CONTRACTOR and COMPANY. It shall include all logic functionalities, equations, calculations and scaling required for each functional logic group. Clear demarcation of each functional logic group shall be provided within the documentation.
22 GUARANTEES & WARRANTY
VENDOR shall provide warranty support for a period of two years, commencing on the date of COMPANY written acceptance of the system following the site acceptance test. Warranty shall apply to defective material workmanship and facility design, and/or facility software. Warranty work shall be done at COMPANY local facilities. The cost of diagnostics and/or correction of any warranty items shall be borne by the VENDOR.
The VENDOR will not be required to provide resident maintenance personnel during the warranty period but shall have competent technical personnel available from the local facility within 24 hours, if required by COMPANY.
The VENDOR shall guarantee that the software to be supplied shall be free from errors, for example software/firmware failure to perform function(s) as specified in this specification or COMPANY documentation.
23 PROJECT ADMINISTRATION
23.1 Project Personnel
The VENDOR shall ensure that sufficient qualified personnel are at all times allocated to the project. The VENDOR shall utilise a project team structure to achieve continuity and accuracy of implementation. The VENDOR shall submit for CONTRACTOR’S approval the résumés of all personnel engaged in the project.
It is anticipated that the project team shall comprise at least the following disciplines:
(a) Project Manager (Commercial/Technical) (shall be nominated representative of the VENDOR with responsibility and authority to fully implement the project with technical correctness, on schedule and within the budget).
(b) Senior System Designer (Technical).
(c) Hardware Design (Technical Hardware).
(d) Software Designer (Technical Software).
(e) Test Technician (Technical Testing).
(f) Site Engineer (Installation/Commissioning).
23.2 Project Schedule
The VENDOR shall include with his quotation, a detailed Project Schedule showing the VENDOR’S best estimate of the achievable major schedule milestones.
The Project schedule shall be used as the main progress control document during the implementation of the project. The Project Schedule shall clearly show any ‘float’ or ‘slack’ time available together with any freeze dates required by the VENDOR and major milestones for equipment design, manufacture and delivery. The schedule shall clearly indicate required dates for each of CONTRACTOR supplied design data.
The VENDOR may include in the proposal any additional material which clarifies the procedure for implementing the Project Schedule.
23.3 Progress Reporting
The Project Schedule shall be used as the basis for monthly progress reporting, schedule controlling and schedule forecasting. At regular intervals, the VENDOR shall revise the Project Schedule to include the effect of changes and to reflect actual Project Progress.
23.4 Coordination Meetings
Coordination meetings shall be held as required between COMPANY, CONTRACTORS and VENDOR. The agenda for each coordination meeting will be prepared by the VENDOR prior to each meeting. Detailed meeting minutes will be taken by the VENDOR and submitted for COMPANY and CONTRACTORS for approval. An ‘action item’ log shall be prepared and continuously updated by the VENDOR.
Coordination meetings, to be held either in Abu Dhabi or home office, will be a part of the purchase order scope.
SECTION D
24 DATA SHEETS TEMPLATES
Not Applicable
25 STANDARD DRAWINGS
Not Applicable
SECTION E
26 APPENDIX
Not Applicable