Section 2 Control Systems
201. General
1. Application
(1) Requirements in this Section apply to the instrumentation and control systems for offshore facilities.
(2) The design of these systems is to comply with API RP 14C or other recognized standards in addition to the requirements in this Section.
2. General
(1) The control and instrumentation systems are to provide an effective means for monitoring and controlling pressures, temperatures, flow rates, liquid levels and other process variables for the safe and continuous operation of the facilities.
(2) Where control over the electrical power generation and distribution is required for the operation of the facilities then the control system should also be arranged to cover this.
(3) Control and instrumentation systems for process, process support, utility and electrical systems are to be suitable for the intended application.
(4) All control and safety shutdown systems are to be designed for safe operation of the equipment during start-up, shutdown and normal operational conditions.
202. Components
1. All control system components are to be designed for use in a marine environment, resistant to corrosion, and capable of operating under all anticipated environmental conditions.
2. Each component is to be designed and tested for the extremes of pressure and temperature that it can encounter in service.
3. Where safety related functions are performed by computer based equipment, the equipment is to be in accordance with the requirements of Pt 6, Ch 2, 201.7 of the Rules for the Classification of Steel Ships.
4. Loss of control power to any device is not to cause the system to go into an unsafe condition. Cause and effect matrices are to demonstrate the effects of loss of control power.
203. Instruments
1. Temperature gauge
All temperature-sensing elements or devices are to be installed in separable socket type thermowells, so that they can be removed without danger of pressure or fluid release.
2. Pressure gauge
(1) Pressure switches supplied as safety devices are to be equipped with test connections to enable application of an external pressure source without disturbing the switch installation.
(2) Pressure gauges and sensors are to be provided with an isolation valve to permit the safe removal of the gauge without the need to reduce the pressure in the system.
(3) The open or closed position of the valve is to be readily identifiable from the position of the handle or stem.
3. Level gauge
(1) Liquid or interface level gauges are to be installed to cover the operating range and set points of level controllers or level switches.
(2) Direct viewing level gauges in processing or combustible fluid service are to be of the heavy-duty flat glass type and are to be equipped with self-closing valves at their ends.
204. Alarm systems
1. General
(1) Alarm systems are to be of the self-monitoring type and designed so that a fault in the alarm system is self-revealing or will cause it to fail to the alarmed condition.
(2) Alarms are not to react to normal transient conditions or false signals.
(3) Alarm systems are to be independent of control and safety systems, except that common sensors will be acceptable for non-shutdown related systems.
2. Visual and audible alarms
(1) Alarms are to be both audible and visual, and are to be provided at the control stations.
(2) Alarms are to be such that each abnormal condition of the machinery and equipment is readily distinguishable and so arranged that acknowledgement is clearly noticeable.
(3) Visual alarms are to be displayed in a distinguishable manner such that alarms for similar process components or systems are grouped together, and the colors representing a particular function or condition remain uniform.
(4) Visual alarms are to flash when first activated.
(5) Audible alarms associated with the process systems are to be of distinctive tone from other alarms such as fire alarm, general alarm, gas detection, etc., and they are to be of sufficient loudness to attract the attention of personnel on duty.
(6) For spaces of unusually high noise levels, a beacon light or similar device, installed in a conspicuous place, is to supplement any of the audible alarms in such spaces; however, red light beacons are only to be used for fire alarms.
(7) A fault in the visual alarm circuits is not to affect the operation of the audible alarm circuits.
3. Acknowledgement of alarms
(1) Alarms are to be acknowledged by manually changing the flashing display of the incoming alarm to a steady display and by silencing the audible signal; the steady state light display is to remain activated until the fault condition is rectified.
(2) Alarming of other faults that may occur during the acknowledgement process is not to be suppressed by such action of above (1).
(3) Where a centralized control and monitoring station is provided, the silencing of the audible alarm from an associated remote control station is not to lead automatically to the silencing of the original alarm at the centralized control and monitoring station.
4. Disconnection and resumption of alarm functions
Alarm circuits may be temporarily disabled for maintenance purposes or during initial plant start-up, provided such action is clearly indicated at the associated station in control and, where such station is provided, at the centralized control and monitoring station. However, such alarm is to be automatically re-activated after a preset time period.
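The behaviour required by 204.1(1), 204.3 and 204.4 can be stated precisely as a small state machine. The following is an added example, not part of the Rules or of any vendor product: tag names, station names and the inhibit period are assumptions, and time is passed in explicitly so that the automatic re-activation of 204.4 can be checked without a real clock.

```python
"""Alarm annunciation logic illustrating 204.1(1), 204.3 and 204.4.

Added example, not part of the Rules or of any vendor product. Tag names,
station names and the inhibit period are assumptions for illustration;
time is an explicit argument so the behaviour is deterministic.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Visual(Enum):
    OFF = "off"
    FLASHING = "flashing"   # incoming, unacknowledged alarm (204.2(4))
    STEADY = "steady"       # acknowledged, fault still present (204.3(1))


@dataclass
class AlarmPoint:
    tag: str
    high_limit: float
    visual: Visual = Visual.OFF
    audible: Dict[str, bool] = field(default_factory=dict)   # per station
    inhibited_until: Optional[float] = None


@dataclass
class AlarmSystem:
    stations: List[str]                 # "central" plus any remote stations
    inhibit_period_s: float             # preset re-activation time (204.4)
    points: Dict[str, AlarmPoint] = field(default_factory=dict)

    def add_point(self, tag: str, high_limit: float) -> None:
        self.points[tag] = AlarmPoint(
            tag, high_limit, audible={s: False for s in self.stations})

    def inhibit(self, tag: str, now: float) -> None:
        """Temporarily disable a point for maintenance or start-up (204.4)."""
        self.points[tag].inhibited_until = now + self.inhibit_period_s

    def inhibited(self, tag: str, now: float) -> bool:
        """True while the inhibit is in force; it expires by itself (204.4)."""
        p = self.points[tag]
        if p.inhibited_until is not None and now >= p.inhibited_until:
            p.inhibited_until = None
        return p.inhibited_until is not None

    def scan(self, readings: Dict[str, Optional[float]], now: float) -> None:
        """One scan cycle. A reading of None means the signal was lost."""
        for tag, p in self.points.items():
            if self.inhibited(tag, now):
                continue
            value = readings.get(tag)
            # 204.1(1) and 205.1: a lost signal fails to the alarmed condition.
            in_alarm = value is None or value > p.high_limit
            if in_alarm and p.visual == Visual.OFF:
                p.visual = Visual.FLASHING
                for s in self.stations:
                    p.audible[s] = True
            elif not in_alarm:
                # 204.3(1): the display stays on until the fault is rectified.
                p.visual = Visual.OFF
                for s in self.stations:
                    p.audible[s] = False

    def acknowledge(self, tag: str, station: str) -> None:
        """Acknowledge one point at one station.

        204.3(1): flashing becomes steady and the audible is silenced.
        204.3(2): only the named point is affected; other alarms keep sounding.
        204.3(3): silencing at a remote station never silences the central one.
        """
        p = self.points[tag]
        p.audible[station] = False
        if station == "central" and p.visual == Visual.FLASHING:
            p.visual = Visual.STEADY

    def unacknowledged(self) -> List[str]:
        return sorted(t for t, p in self.points.items()
                      if p.visual == Visual.FLASHING)


def demo() -> AlarmSystem:
    """Constructed scenario: one pressure and one temperature point."""
    system = AlarmSystem(stations=["central", "remote-1"], inhibit_period_s=600)
    system.add_point("PT-101", high_limit=50.0)   # separator pressure, barg
    system.add_point("TT-202", high_limit=90.0)   # heater outlet, degC
    system.scan({"PT-101": 55.0, "TT-202": 80.0}, now=0)   # PT-101 goes into alarm
    system.acknowledge("PT-101", "remote-1")                 # silences remote-1 only
    system.scan({"PT-101": 55.0, "TT-202": None}, now=1)   # TT-202 signal lost
    system.acknowledge("PT-101", "central")                  # central acknowledgement
    return system
```

The point worth noticing is that acknowledgement is keyed by both alarm point and station: that is what keeps a remote "silence" from clearing the central annunciator (204.3(3)) and keeps a second fault arriving mid-acknowledgement from being swallowed (204.3(2)). The inhibit carries its own expiry, so nobody has to remember to re-enable it.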
5. Summary alarms
When individual alarms are displayed and alarmed at a centralized control and monitoring station, the visual alarms may be displayed and alarmed at other associated remote control stations as summary alarms.
6. Built-in testing
Alarm systems are to be provided with effective means for testing all audible and visual alarms and indicating lamps without disrupting the normal machinery or system operation. Such means are to be fitted in the associated remote stations.
7. Adjustable set-points
Where means are provided for field-adjustable set-points, either locally or remotely, positive indication of the value of the set-point is to be clearly identified at the control location.
205. Control and monitoring
1. Loss of control signal from a field sensing device is to initiate an alarm or cause a shutdown.
2. Display of parameters
(1) Operating parameter displays are to be clear, concise, consistent and grouped logically.
(2) Operating parameter displays are to be included in control stations.
3. Logic circuit features
(1) When logic circuits are used for sequential start-up or for operating individual process components, indicators are to be provided at the control console to show the successful completion of the sequence of operations by the logic circuit and the start-up and operation of the process component.
(2) If some particular step is not carried out during the sequence, the sequence is to stop at this point, and such condition is to be alarmed at the control console or, where provided, at the centralized control and monitoring station.
(3) Feedback devices are to be employed in order to sense steps carried out during the start-up sequence. Sequence operation is to stop upon lack of feedback signal.
(4) Where valves are employed in any start-up sequence, valve condition is to be sensed as valve stem position and not as a function of the control or power signal to the valve.
4. Overrides
(1) No condition of operation within normal ranges is to require the override of a required protective device or function.
(2) Where shutdown functions are bypassed during special operational modes described below, sensing devices are to be arranged to continue to indicate the condition of each process variable.
(3) In addition, an indicator for each function is to alert the operator that the shutdown function is being “by-passed”.
(4) Provisions to override shutdown functions are to include the following:
(A) To periodically test or calibrate field sensing devices.
(B) To take the vessel or other process component out of service.
(C) To allow process conditions to stabilize, automatic bypass of shutdown functions on start-up may be installed, provided the process variable condition is indicated, and an automated device is fitted which will return the shutdown function to operation once the normal process condition has been attained. The use of timers in association with this required automatic function will be considered.
206. Safety systems
1. General
(1) Safety systems are to be of the fail-safe type and are to respond automatically to fault con- ditions that may endanger the plant or safety of the crew.
(2) Unless otherwise required in this Section or specially approved, this automatic action is to cause the plant to take the least drastic action first, as appropriate, by reducing its normal operating output or switching to a stand-by process component, and last, by stopping it.
(3) Actuation is to result in audible and visual alarm.
2. Constitution of systems
Safety systems are to be completely independent of the control and alarm systems so that a failure in one of these systems will not prevent the safety system from operating.
3. Function of safety systems
(1) Each safety action is to be alarmed at the associated remote station.
(2) Where a centralized control and monitoring station is fitted, individual alarms are to be provided at that station; in which case, a summary alarm for the specific safety system will be accept- able at other associated remote stations.
(3) When both an alarm and a safety action are required for a specific failure condition, the operating points are to be arranged such that the alarm is activated earlier.
(4) Process components that are stopped as a result of a safety action are to be manually reset be- fore their operation is resumed.
4. Override of safety provisions
(1) Any overrides of safety provisions are to be so arranged that they cannot go unnoticed, and their activation and condition are to be alarmed and indicated at the associated remote station.
(2) The override is to be arranged to preclude inadvertent operation and is not to deactivate alarms associated with safety provisions.
(3) The override mechanism to disconnect safety provisions is to be fitted at the associated remote station, except that where a centralized control and monitoring station is fitted, the override mechanism may be fitted at the centralized station instead.
207. Emergency control station
At least two emergency control stations are to be provided. One of the stations is to be located in a normally manned space such as the process control room, or near the drilling console if the unit is fitted with drilling systems. The other is to be at a suitable location outside of the hazardous area. The emergency control stations are to be provided with the following:
(1) Manually operated switches for actuating the general alarm system
(2) An efficient means of communication with locations vital to the safety of the installation
(3) Manual activation of an emergency shutdown system
(4) Means for shutdown, either selectively or simultaneously, of the following equipment, except for electrical equipment listed in 208.11
(A) ventilating systems, except for prime movers
(B) main generator prime movers
(C) emergency generator prime movers
208. Emergency shutdown
1. An emergency shutdown (ESD) system with manual stations is to be provided to shut down the flow of hydrocarbon from all wells and pipelines, and to terminate all production and injection activities of the facility.
2. Shutdown is to take place within 45 seconds, or less as may be considered necessary for the safety of the plant, after activation of the ESD system at a manual ESD station, or after detection of a trouble condition by an automatic shutdown device.
3. The emergency shutdown system is to be automatically activated by:
(1) The detection of an abnormal operating condition by flowline pressure sensors and sensors on any downstream component through which the pipeline fluids flow;
(2) The detection of fire in the wellhead and process areas;
(3) The detection of combustible gas at a 60% level of the lower explosive limit (LEL)
(4) The detection of hydrogen sulfide (H2S) gas at a level of 50 ppm.
4. Stations for activation of the ESD system for complete platform shutdown should be located as follows:
(1) Helicopter decks
(2) Exit stairway landings at each deck level
(3) Boat landings
(4) At the center or each end of a bridge connecting two units
(5) Emergency evacuation stations
(6) Near the main exits of living quarters
(7) Emergency control station
(8) Process control station
(9) Main exit of production area
5. Emergency shutdown stations are to be identified by shutdown function, and shutdown position is to be clearly indicated.
6. Emergency stopping devices are to function independently and be able to operate after the loss of main power.
7. Electric circuits essential to ESD that rely on the continued operation of the cable for correct operation of the system are to be of the fire resisting type.
8. All electrical circuits used in the manual ESD system are to be dedicated to this purpose and hard wired.
9. In cases where emergency stopping devices are put into action and the operation of production system components is stopped, such components are not to restart automatically before a manual reset is made.
10. Emergency shutdown valves for flowlines and pipelines are to be located as far away from the unit as practical.
11. The following services are to be operable after total shutdown of a unit:
(1) Emergency lighting required for evacuation from service/accommodation spaces and machinery spaces to embarkation stations. This includes lighting at all control stations, stowage positions for firemen's outfits, helicopter landing deck, alleyways, stairways and exits, embarkation station deck, launching appliances, and the area of water where they are to be launched, etc. The lighting is to be provided for thirty minutes.
(2) General alarm
(3) Blowout preventer control system if fitted on the installations
(4) Public address system
(5) Distress and safety radio communications
All equipment in exterior locations that is capable of operation after activation of the prime mover/ventilation shutdown system is to be suitable for installation in Zone 2 locations.
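The automatic initiators of 208.3, the 45 second limit of 208.2 and the manual-reset requirement of 208.9 fit together as one latched trip function. The following added example is not from the Rules or any vendor: the detector inputs, the shutdown elements with their closure times and the manual-station names are assumptions, while the 60 % LEL, 50 ppm and 45 s figures are the ones stated in 208.

```python
"""Emergency shutdown (ESD) logic illustrating 208.2, 208.3 and 208.9.

Added example, not the Rules' or any vendor's code. Detector inputs, shutdown
elements and their closure times, and manual-station names are assumptions;
the 60 % LEL, 50 ppm H2S and 45 s figures are those stated in 208.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LEL_TRIP_PERCENT = 60.0     # 208.3(3)
H2S_TRIP_PPM = 50.0         # 208.3(4)
ESD_DEADLINE_S = 45.0       # 208.2


@dataclass
class Readings:
    flowline_pressure_abnormal: bool = False   # 208.3(1)
    fire_detected: bool = False                # 208.3(2)
    gas_percent_lel: float = 0.0               # 208.3(3)
    h2s_ppm: float = 0.0                       # 208.3(4)


def automatic_esd_causes(r: Readings) -> List[str]:
    """Every automatic initiator that is currently demanding shutdown."""
    causes = []
    if r.flowline_pressure_abnormal:
        causes.append("abnormal flowline/downstream pressure")
    if r.fire_detected:
        causes.append("fire in wellhead/process area")
    if r.gas_percent_lel >= LEL_TRIP_PERCENT:
        causes.append(f"combustible gas {r.gas_percent_lel:.0f}% LEL")
    if r.h2s_ppm >= H2S_TRIP_PPM:
        causes.append(f"H2S {r.h2s_ppm:.0f} ppm")
    return causes


@dataclass
class EsdSystem:
    shutdown_elements: Dict[str, float]   # element -> worst-case closure time, s
    tripped: bool = False
    cause: Optional[str] = None
    reset_required: bool = False          # 208.9: no restart without manual reset

    def __post_init__(self) -> None:
        # 208.2: every element must complete within the deadline.
        slow = {k: v for k, v in self.shutdown_elements.items() if v > ESD_DEADLINE_S}
        if slow:
            raise ValueError(f"elements exceed {ESD_DEADLINE_S:.0f} s: {slow}")

    def evaluate(self, r: Readings, manual_station: Optional[str] = None) -> bool:
        """One scan. Returns True if the ESD is, or has just become, tripped."""
        if self.tripped:
            return True                   # latched, whatever the readings now say
        causes = automatic_esd_causes(r)
        if manual_station:
            causes.insert(0, f"manual ESD at {manual_station}")
        if causes:
            self.tripped = True
            self.reset_required = True
            self.cause = "; ".join(causes)
        return self.tripped

    def manual_reset(self, r: Readings) -> bool:
        """Operator reset; refused while any automatic trip condition persists."""
        if automatic_esd_causes(r):
            return False
        self.tripped = False
        self.reset_required = False
        return True

    def may_restart(self) -> bool:
        return not self.tripped and not self.reset_required
```

The trip is latched: gas dispersing below 60 % LEL does not un-trip the system, and a reset is refused while any initiator is still active, so production cannot resume simply because the detector reading fell back. Recording every active cause, rather than the first one found, is what gives the operator the indication required by 208.5 and 206.1(3).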
209. Computer-based systems
1. General
(1) Computer-based systems are to be designed so that failure of any of the system's process components will not cause unsafe operation of the system.
(2) Hardware and software serving vital and non-vital systems are to be arranged to give priority to vital systems.
2. Independence
(1) Control, alarm and safety shutdown system functions are to be arranged such that a single fail- ure or malfunction of the electronic computer equipment will not affect more than one of these system functions.
(2) This is to be achieved by dedicated equipment for each of these functions within a single system, or by the provision of back-up equipment, or by other suitable means considered equal or more effective.
3. Failure Mode and Effect Analysis (FMEA)/Failure Mode, Effect and Criticality Analysis (FMECA)
Where computer-based systems include safety functions (i.e., safety functions are not backed-up by hard-wired safety systems) an FMEA or FMECA is to be performed and submitted to the Society for review.
4. Visual display of alarms
(1) Incoming Signals
(A) In addition to the requirements contained in 204., alarms are to be presented in an identifiable manner when displayed by way of a computer monitor (video display unit), and are to appear in the sequence in which the incoming signals are received.
(B) Alarms for incoming fault signals are to appear automatically on the screen to alert the on-duty personnel, even when the computer and monitor are in a mode other than the monitoring mode.
(2) Unrectified Alarms
Alarms associated with faults which have not been rectified may be displayed in a summarized fashion until all the faults have been dealt with.
(3) Computer Monitor
(A) Displays on the computer monitor are to be clearly visible under ambient lighting conditions.
(B) Data displayed on computer monitors are to be readable by the operator from the normal operating position.
5. Memory capacity and response time
(1) The computer system's memory is to be of sufficient capacity to handle the operation of all computer programs as configured in the computer system.
(2) The time response for processing and transmitting data is to be such that an undesirable chain of events may not arise as a result of unacceptable data delay or response time during the computer system's worst data overload operating condition.
6. Data loss and corruption
To preclude the possible loss or corruption of data as a result of power disruption, programs and data considered to be essential to the operation of a specific system are to be stored in non-volatile memory, or in volatile memory with a secure un-interruptible power supply (UPS).
7. Local Area Network (LAN)
For safety systems where an automatic or remote control and monitoring system for specific process components is arranged to operate in a local area network (LAN), the following is to be complied with:
(1) The network topology is to be configured so that in the case of a failure between nodes, or at a node, the system on the network remains operational.
(2) In case of failure of the network controller, the network is to be arranged to automatically switch to a standby controller. A network controller failure is to be alarmed at the associated remote control station.
(3) Safeguards are to be provided to prevent unacceptable data transmission delays (overloading of the network). An alarm is to be activated at the associated remote control stations prior to a critical network data overload condition.
(4) The communication data highway is to be provided in duplicate and is to be arranged so that upon failure of the on-line highway, the standby data highway is automatically connected to the system. The standby data highway is not to be used to reduce traffic in the on-line highway.
8. Start-up after power failure
The system's software and hardware are to be designed so that, upon restoration of the power supply after a power failure, automatic or remote control and monitoring capabilities can immediately be available after the pre-established computer control access procedure has been completed.
9. Parameters and program changes
Alteration of parameters that may affect the system's performance is to be limited to authorized personnel by means of keyswitch, keycard, password, or other approved methods.
10. Multiple points of control
Systems with multiple control stations are to be provided with clear indication at each location to identify the station in control, and are to be provided with procedures to ensure proper transfer of control.