V4-CH01-Instrument and Process Control Philosophy Rev 1

PETRONAS RAPID Project Nov 2012
Johor, Malaysia
350 KTA LLDPE PLANT Vol. : 4
Project n° 61070F
Process Design Package
VOLUME 4
CHAPTER 1
INSTRUMENT AND PROCESS CONTROL PHILOSOPHY
© INEOS Commercial Services UK Limited. All rights reserved. This document is the property of INEOS Commercial
Services UK Limited, and the information and images it contains are strictly confidential and may not be altered or
amended, copied, used or disclosed without the express permission of INEOS Commercial Services UK Limited.
OWNER REFERENCE
Project Package Originator Discipline Doc. Type Unit n° Serial n°
Technologies RAPID L20 INE PRO DES 3200 0011

LICENSOR REFERENCE Rev. Page
PETRONAS RAPID PROJECT Project Unit n° Doc. Type Doc. Code Sequent. n°
350 kta LLDPE PLANT 61070F 3200 SP - 011 1 1 / 24
SPECIFICATION
1 12-Dec-12 PDP update FMA A. CONIL A. CONIL

0 05-Nov-12 ISSUE FOR PDP A. CONIL A. CONIL A. CONIL
XA 16-Sep-12 FOR COMMENT A. CONIL A. CONIL A. CONIL
DATE WRITTEN BY CHECKED BY APPROVED BY
REV. STATUS – REVISION MEMO
DD-MMM-YY (name & visa) (name & visa) (name & visa)
Document revisions.
© INEOS Commercial Services UK Limited. All rights reserved. This document is the property of INEOS Commercial Services UK Limited, and the information and
images it contains are strictly confidential and may not be altered or amended, copied, used or disclosed without the express permission of INEOS Commercial
Services UK Limited.
OWNER REFERENCE

SPECIFICATION
CONTENTS
1. INTRODUCTION................................................................................................................................................................ 3
1.1 ABBREVIATIONS ..................................................................................................................................................... 3
2. CONTROL AND PROTECTION SYSTEM REQUIREMENTS ................................................................................... 5
2.1 RELIABILITY.............................................................................................................................................................. 5
2.2 DCS HARDWARE IMPLEMENTATION ................................................................................................................ 5
2.3 SIS HARDWARE IMPLEMENTATION .................................................................................................................. 6
2.4 CONTROL SYSTEM INTERFACES ...................................................................................................................... 7
2.5 DCS CONFIGURATION .......................................................................................................................................... 8
2.5.1 REGULATORY CONTROL ............................................................................................................................. 8
2.5.2 SEQUENCES.................................................................................................................................................. 10
2.6 INTERLOCK FUNCTIONALITY ............................................................................................................................ 11
2.6.1 SIS INTERLOCK ............................................................................................................................................ 11
2.6.2 DCS INTERLOCK .......................................................................................................................................... 12
2.6.3 RESETS ........................................................................................................................................................... 12
2.6.4 OVERRIDES ................................................................................................................................................... 12
2.7 OPERATOR INTERFACE ..................................................................................................................................... 13
2.7.1 DISPLAYS ....................................................................................................................................................... 14
2.7.2 HISTORICAL DATA AND TREND DISPLAYS .......................................................................................... 14
2.7.3 ALARMS .......................................................................................................................................................... 15
2.7.4 OPERATOR INTERFACE AND PANEL ..................................................................................................... 16
2.8 SECURITY ............................................................................................................................................................... 16
2.9 ENGINEERING FACILITIES ................................................................................................................................. 16
2.10 EARTHING AND LIGHTNING PROTECTION ................................................................................................... 17
2.11 ADVANCED PROCESS CONTROL (APC) ........................................................................................................ 17
3. INSTRUMENTATION...................................................................................................................................................... 18
3.1 GENERAL ................................................................................................................................................................ 18
3.2 FIELDBUS ................................................................................................................................................................ 19
3.3 INSTRUMENT/CONTROL POWER/AIR SUPPLY ............................................................................................ 20
3.3.1 POWER SUPPLY ........................................................................................................................................... 20
3.3.2 INSTRUMENT AIR ......................................................................................................................................... 20
4. ANALYSERS ................................................................................................................................................................... 20
5. FIRE AND GAS DETECTION ....................................................................................................................................... 20
6. PACKAGE INSTRUMENTATION AND CONTROL .................................................................................................. 21
7. MOTOR CONTROL ........................................................................................................................................................ 22
8. DCS/SIS PROJECT ENGINEERING ........................................................................................................................... 23
8.1 DESIGN .................................................................................................................................................................... 23
8.2 TESTING .................................................................................................................................................................. 23
8.3 INEOS TECHNOLOGIES REQUIREMENTS ..................................................................................................... 24
8.4 LIST OF INSTRUMENTATION VENDORS ........................................................................................................ 24
© INEOS Commercial Services UK Limited. All rights reserved. This document is the property of INEOS Commercial Services UK Limited, and
the information and images it contains are strictly confidential and may not be altered or amended, copied, used or disclosed without the
express permission of INEOS Commercial Services UK Limited.
OWNER REFERENCE

SPECIFICATION
1. INTRODUCTION
This document defines the generic standard requirements for the control and instrument protection
systems on INEOS Technologies licensed polyethylene plants.
The overall intent of the PDP with reference to control and instrumentation is to provide the following
information:
Controls and interlocks specific to licensed technology required to operate the plant safely and
reliably.
The minimum general requirements on the licensee and detailed engineering contractor required to
ensure that the overall standard of implementation and operation is sufficient to operate the plant
safely and reliably
Sufficient detail is provided to allow the licensee and detailed engineering contractor to design and
operate the plant safely and to meet the guarantees.
Other sections of the PDP volume 4 provide specification for complex regulatory control, sequences,
interlocks and any supervisory control schemes where this is not clear from the PIDs.
The licensee and detailed engineering contractor are responsible, during the detailed engineering and
implementation, for ensuring that the final installed system is safe, reliable and operable. This
document and the others in the control PDP volume 4 provide guidance in achieving these aims.
Throughout the control PDP the words may, should, and must have the following specific meaning:
May: is used where an alternative provision is acceptable to INEOS Technologies
Should: is used where INEOS Technologies prefers the provision
Must: is used where the provision is mandatory
1.1 ABBREVIATIONS
DCS Distributed Control System (Main plant control system)
SIS Safety Instrumented System (Protective system)
PLC Programmable Logic Controller (May be used for control of package equipment)
PID Piping & Instrumentation Diagram
SIL Safety integrity level. (Defined in IEC61508, IEC61511)
OWNER REFERENCE

SPECIFICATION
APC Advanced Process Control system
PDS Process data sheets (in PDP volume 2)
RTD Resistance Thermal Device
OWNER REFERENCE

SPECIFICATION
2. CONTROL AND PROTECTION SYSTEM REQUIREMENTS
DCS system will consist of a number of controllers which will be configured to carry out the normal
control of the plant. The field instrumentation, actuated valves and motor controls will be connected to
the DCS controllers via field wiring and the DCS I/O system.
Screens and keyboards will allow the panel operator to control and monitor the performance of the
plant through process schematic displays, trends and alarms.
A separate Safety Instrumented System (SIS) with its own instrumentation will protect the plant
against major hazards.
If APC is within the scope of the project then, a PC dedicated to the APC will be interfaced to the
DCS.
The DCS, SIS and other control equipment should be located in an air conditioned control building.
Operator consoles should be located in the central control room. Other equipment including
marshalling systems, controllers and I/O systems should be located in an associated equipment room.
2.1 RELIABILITY
The control system and instrumentation must be of fail safe design. No single fault in controllers,
operator interface, communications highway, power supplies or external interfaces should result in the
loss of process control or loss of process visibility to the operators of any significant section of the
plant. If any failure of an operator screen occurs then it must be possible to use an alternative without
any need for reconfiguration.
Operators and system engineers must be trained on the control system prior to the plant starting up.
2.2 DCS HARDWARE IMPLEMENTATION
DCS controllers should be dual redundant. The total number of controllers for the plant will be
dependent on the DCS system selected. For control purposes the plant must be divided into sections,
each controlled by a single redundant pair of controllers containing all the regulatory control,
sequences and DCS interlocks for that plant section. The sections of the plant must be defined to
remain within controller loading constraints and to minimise peer to peer communication between
controllers. Separate sections of the plant that can be operated independently of each other (e.g.
reactor and extruder) should not share controllers. The effect of complex calculations, sequences and
interfaces on controller loading must be taken into account.
Control functions must be split between I/O cards to minimise the safety and process impact of any
failure. The possibility of multiple control loops failing simultaneously due to I/O card failure must be
assessed by the detailed engineering contractors HAZOP team to ensure that the design case for
relief constraints or other protection limits are not breached.
OWNER REFERENCE

SPECIFICATION
2.3 SIS HARDWARE IMPLEMENTATION
The Safety Instrumented System (SIS) protects people, the plant and the environment against
abnormal situations that result in serious risks and hazards requiring a higher degree of protection
than the DCS system alone can provide.
It forms a protection layer on top of the basic process control system, operator alarms and monitoring.
The overall safety of the plant is dependent on all levels of protection functioning effectively.
The system consists of field instrumentation and actuators, cabling and logic processors. A data link
transfers information to the DCS system and the operator interacts with the SIS through the interlock
displays on the DCS. The process measurements from SIS instrumentation, alarms and trip status are
also available for use on the schematic displays. Hardwired push buttons are provided on the operator
panel for SIS interlocks that can be manually initiated.
During detailed engineering the safety instrumented system must be designed and proof test intervals
defined to meet the required SIL rating and probability of failure on demand. The requirement to avoid
spurious trips must also be considered.
The SIS system must be implemented in accordance with IEC61508/61511. The notes below are for
guidance.
The SIS system should be independent of other layers of protection such as control scheme and pre
alarms.
If an instrument fails and gives a signal outside the normal process range the interlock must trip. The
instrument range must be defined to be well beyond normal and abnormal expected process ranges.
Where multiple instruments are used to measure the same process variable a discrepancy alarm
should be raised in the DCS if they differ by a significant amount and the fault must be corrected.
The entire protection system must be designed to be failsafe: de-energise or open circuit to trip. All
input trip initiation signals and output trip actuation signals must be hardwired. Serial or other
communication links for this duty must not be used.
I/O must be allocated to I/O cards using the same principles as for the DCS I/O allocation.
Any field or local starts must not be able to inhibit operation of any interlocks.
All SIS instruments and valves should be powered from the SIS system power supply.
During detailed engineering the data link to the DCS must be designed to have sufficient speed and
reliability not to cause any impact on control sequences or loops. Signals that may impact on control
should be hardwired to the DCS to give improved speed of response and reliability where required.
All remotely operated on/off valves must have both open and closed limit switches (proximity type).
Where switches are used in an interlock both open and closed switches should be connected to the
OWNER REFERENCE

SPECIFICATION
SIS. Where “not closed” is specified in the interlock description this means that the closed limit switch
is not made or that the open limit switch is made and conversely for “not open”.
The protection system interlocks must be active at all times.
The majority of interlocks in the SIS are likely to be SIL1, which can normally be achieved using
standard instruments and on/off valves or motors operating in a fail safe manner. Generally one
sensor and one final element would be expected as a minimum for each interlock. Specific
requirements are shown on PIDs.
Higher integrity interlocks, SIL2 or 3, will require increased levels of redundancy and / or increased
levels of diagnostics to ensure interlock integrity
Using standard failsafe instrumentation a SIL2 interlock must continue to operate safely in the event of
unsafe failure of any single component of the interlock. Generally a 2 out of 3 or 1 out of 2 voting
system on sensors and a 1 out of 2 voting system on final elements would be expected. In this case
(subject to interlock reliability analysis) it may be possible to use common instruments for control and
interlock functions. Normally a middle of three selection would be carried out in the SIS with the result
hardwired to the DCS for control. Specific requirements are shown on PIDs.
A SIL3 interlock must remain safe following the unsafe failure of any two components and must
normally be engineered independently of other control and interlock systems.
The SIS logic solver must be certified by an appropriate regulatory authority (e.g. TÜV) as suitable for
protection up to at least SIL3.
2.4 CONTROL SYSTEM INTERFACES
Interfaces with the main DCS control system can communicate bulk data to or from other devices
through a serial or specific digital connection.
Interfaces may be required to the following items:

 Plant wide management information system, if required by the Licensee
 Plant data historian
 Independent protection system (SIS)
 Intelligent Motor Control Centre
 Analyser systems
 Package plant: e.g. extruder, weigh feeders, etc
 Machinery monitoring systems: e.g. Bentley and Nevada systems
 Weighing systems
 Fire and gas system
 Anti surge monitor systems
 APC (if APC is within the contract scope)
Where parameters are used in the basic level of control on the DCS they must not be transferred
through an interface unless it has been engineered to be fault tolerant (redundant) and sufficiently
reliable. The interface must be fast enough to achieve the required control functions. Particular care
must be taken over the speed of interface between DCS and motor control centre, safety instrumented
OWNER REFERENCE

SPECIFICATION
system (SIS) and large vendor packages (e.g. extruder). The interface between the DCS and the APC
does not need to be redundant.
Diagnostic signals must inform the operator if any communications interface to the DCS fails. Detailed
engineering must determine if any failsafe actions are required.
2.5 DCS CONFIGURATION
2.5.1 Regulatory Control
The regulatory control forms the basic level of control that is required to operate the plant in a stable
condition without undue operator action. The functionality should reside within the DCS controllers for
the plant.
The requirements for the standard non-complex items of regulatory control are defined by the
standards within this document together with the PIDs and instrument data sheets.
Complex regulatory controls requiring further definition are described in separate documents within
the PDP volume 4.
2.5.1.1 General
All tuning parameters including alarm settings, PID tuning parameters, filter constants, and sequence
tuning parameters must be changeable from the operator console following the entry of a suitable
supervisor password.
It should be possible to enter simulated values for all process variables (PVs) from the operator
screen following the entry of a supervisor password. All simulated signals must be clearly indicated
(as simulated) on the display and it must be possible to generate a list of simulated variables.
All basic control points should be executed at a frequency of 1s or faster.
In the event of a DCS failure all outputs should go to failsafe positions (after a short time delay if the
DCS has such facilities).
2.5.1.2 Analogue inputs
Analogue input should have the following characteristics
Resolution of 3 or 4 significant figures, with a maximum of 4 figures before decimal point or 3 after.
First order input filter to remove noise adjustable on line – default filter time 0s
High and low alarm facilities – to be disabled by default
Alarm hysteresis – 1% of range by default
OWNER REFERENCE

SPECIFICATION
Out of range / hardware failure alarm facilities – to be indication only by default
Historisation – minimum every 5s
2.5.1.3 Controllers
Controllers should have the following characteristics:
Features of an analogue input
Out of range / hardware failure alarm facilities – to be low priority by default
On failure of the input signal the controller should switch to manual mode.
In Manual mode the SP should track the PV value to allow bumpless switch between manual and
auto.
Adjustable setpoint and output limits – to be configured at maximum range by default
Windup prevention – If controller output hits an output limit then integral action must be stopped to
prevent unnecessary controller windup. The master controller in a cascade control scheme should be
output limited if the slave controller hits a setpoint limit.
Initialisation – If a slave controller in a cascade control scheme is in manual or automatic instead of

cascade then the output of the master controller should track the setpoint of the slave controller to
allow bumpless switch between auto or manual and cascade.
It should be possible to change all alarm and limit settings by online calculation.
Historisation of SP, PV and OP – minimum every 5s
2.5.1.4 Discrete input
A discrete input should have the following characteristics:
State change alarm – to be disabled as default
Historisation minimum every 5s
2.5.1.5 Motors
Motors that are controlled from the DCS should have the following characteristics:
Setpoint (SP) manipulated by the operator or automatic control
Indicate running/stopped status (PV) to the DCS from the motor starter.
OWNER REFERENCE

SPECIFICATION
Both SP and PV must be displayed on the operator screen in schematic form.
Failure alarm raised if the SP and PV do not match after a time period (~5s) Default low priority.
Historisation of PV – minimum every 5s
2.5.1.6 Valves
On/off valves should have the following characteristics:
Setpoint (SP) manipulated by the operator or automatic control
One open and one closed limit switch indicating position (PV)
Both SP and PV must be displayed on the operator screen in schematic form.
Failure alarm raised if the SP and PV do not match after a time period (~5s) Default low priority.
2.5.2 Sequences
Sequences carry out actions that it would be impractical for the operator to carry out due to frequency
of or number of actions required.
The functionality should reside within the DCS controllers for the plant. They should execute at
sufficient speed to achieve the process requirements. This is particularly critical for the withdrawal
sequence and the agglomerate detection on rotary valves sequence.
Sequences are defined in additional documents in the PDP volume 4.
The detailed sequence descriptions in the PDP form the basis of a functional design specification for
the DCS vendor, but require further development to include the correct response to DCS hardware
failures etc
The sequences are broken down into a number of named steps carrying out specific process activity.
Each step is broken down into a set of actions described by pseudo code or sequential function charts
(SFC).
Each sequence performs prestart checks, where required, to ensure that process conditions and
equipment line-ups are suitable for the sequence to start.
All controllers and equipment used by the sequence are put into program mode during the prestart
phase of the sequence. This should prevent the operator from manipulating these items of equipment
while the sequence is running.
Each sequence must have a failure monitor to detect abnormal process events or equipment failures
that would prevent the sequence from operating successfully. On detection of a failure condition, the
sequence must drive the plant to a predefined safe condition and then produce a clear message
OWNER REFERENCE

SPECIFICATION
indicating the cause of failure. All equipment/controllers should be released automatically to allow the
operator to take any necessary actions. The operator must be able to easily identify the cause of the
failure and restart the sequence at an appropriate point once the fault has been cleared. On restart or
recovery all equipment and controllers should be returned to program mode (or equivalent) to prevent
changes by the operator.
The failure conditions and actions and recovery actions must be further developed during detailed
engineering.
All parameters used by sequences should be alterable on-line by the engineer, without the need to
restart the sequence.
2.6 INTERLOCK FUNCTIONALITY
Interlocks protect the plant, personnel and the environment in the event of abnormal situations. Such
situations may occur through equipment or control failure or operator error or process upset.
Interlocks with a low integrity requirement should be implemented in the DCS system. Where a higher
integrity is required (SIL1 or above) then the interlocks must be implemented within a separate safety
instrumented system (SIS). (See section on SIS hardware implementation)
The preliminary allocation of interlocks to SIS and DCS is defined on the PIDs. This allocation must be
reviewed during detailed engineering.
The interlocks are marked on the PIDs and a separate document in the PDP gives a description of the
function of each interlock. Interlocks have been separated into those to be implemented on the DCS
and those to be implemented on the SIS based on preliminary SIL calculations. Interlocks to be
implemented in the SIS are marked „I-xxxx-S‟ on the PID and those to be implemented on the DCS
are marked „I-xxxx-O‟.
2.6.1 SIS Interlock
The SIS system must be designed in accordance with IEC61508/61511. Interlock reviews must be
carried out during detailed engineering taking account of local conditions to determine the required
integrity level (SIL) and probability of failure on demand (PFD) for each interlock conditions to satisfy
local and international regulations. Each interlock must then be designed to meet these integrity and
reliability requirements.
The SIL levels specified in the PDP in volume 4 – interlock description - are based on generic safety
hazards without regard to local conditions and practices. The interlocks must be designed to meet
these integrity levels as a minimum. Local safety, environmental or commercial issues or specific
issues resulting from detailed design or identified in interlock reviews may require integrities higher
than those specified and these must be considered during detailed engineering.
Any interlocks specified for machinery protection or required as part of vendor packages should be
installed within the SIS if the integrity requirements are SIL1 or above.
Each interlock consists of input conditions, interlock logic, and outputs.
OWNER REFERENCE

SPECIFICATION
Any live analogue values used in the SIS and the trip status of inputs and outputs must be transmitted
to the DCS for display and alarm.
This alarm should be shown on the relevant schematic display and on the interlock display.
2.6.2 DCS Interlock
The functional requirements for DCS interlocks are identical to those for the SIS (See SIS interlock
section)
The interlocks must function at all times, regardless of whether the plant item involved is being driven
by a sequence or is in manual or local mode.
The logic for DCS interlocks should scan at 1s maximum.
2.6.3 Resets
The reset philosophy is common for the SIS and DCS interlocks.
The licensee must have a safe method for managing interlock resets following a trip. This must
consider both the design of the interlocks and the procedure for operating them to ensure that the
operator can recover from a trip in a safe and controlled manner.
2.6.3.1 Interlocks with Manual Reset
Each trip output must have a separate manual reset (except those with auto reset). When the interlock
trips, the equipment must remain in the tripped state until reset.
2.6.3.2 Interlocks with Automatic Reset
Where auto reset is specified on the interlock (refer to Process Interlock Description within the PDP
volume 4) the interlock must be reset automatically when the trip causes are healthy and then may be
operated by the DCS / operator.
2.6.4 Overrides
The override philosophy is common for the SIS and DCS interlocks. The differences (if any) are
identified in the following text.
The licensee must have a policy for controlling and minimising the application of overrides to ensure
that the plant is operated safely.
OWNER REFERENCE

SPECIFICATION
Overrides on interlocks will be required to allow maintenance and testing. The interlocks must be
designed so that overrides are not required during any normal process activities including startup and
shutdown.
There should be override facilities available on each input and output. If there is an override it should
not disable any associated alarm on the input.
Any applied SIS and DCS override should be shown clearly against the relevant input or final
actuation device on both the schematic display and the interlock display of the DCS screen and
recorded in the DCS event log.
If available on the DCS the received PV of the actuating device (valve or motor) should be shown on
the interlock display.
SIS overrides should be applied to and removed from the SIS system from the DCS interlock displays
and transmitted over a data link to the SIS system. In order to prevent the overrides being applied by
mistake a separate hardwired „permit overrides‟ button on the operator panel must be pressed by the
operator before an override is applied. This button is wired directly to the SIS and initiates a 2 minutes
timer within the SIS. New overrides can be applied from the DCS during this time only. The button
should be keylocked. This button has no effect on the ability of the operators to remove overrides or
reset interlocks from the DCS.
The second „remove SIS overrides‟ push button on the operator panel, hardwired to the SIS, is
required to allow the operator to remove all overrides. This is to ensure that the plant can be put in a
safe state in the event of a failure of the data link between the DCS and the SIS.
Both of these buttons must be designed to be failsafe.
There may be multiple pairs of buttons covering different sections of the plant.
There is no requirement for an independent override permit button for DCS interlocks.
2.7 OPERATOR INTERFACE
The primary operator interface for the plant is the DCS terminals. These allow the panel operator to
monitor and control the plant through operating schematics, alarms and trends. It also provides the
primary interface for the operator to interact with the Safety Instrumented System
A separate panel for emergency stop buttons is used for functions that are required to allow the plant
to be put into a safe state independently of the DCS system.
A separate operator station with screens and panel will be required for each major area of the plant
(See section Operator interface and panel for details)
All aspects of the interface must be designed to be as clear and simple as possible in order to
minimise the risk of operator error.
OWNER REFERENCE

SPECIFICATION
Other aspects of the operator environment such as control room layout, lighting, and location of
telephones and radios must also be designed to minimise impact on operations.
2.7.1 Displays
The DCS displays should consist of plant schematics which allow the operator to monitor the plant.
All measurements shown on the PIDs or developed in detailed design, including those from separate
vendors‟ instrumentation packages, should be available on the displays.
An overview display must be configured to allow the operator to monitor all the most important
variables on the plant on one screen.
Schematic displays should be configured to monitor each plant area and to facilitate specific process
operations (e.g. feed treatment, compressor start-up). Each of these displays should be designed to
contain the appropriate information to minimise the need for operators to switch between displays.
The process flow of the schematic should generally be from left to right and/or from top to bottom.
Interlock displays should be configured for interacting with the interlocks. The preferred format for
these displays is a cause and effect chart.
The displays for the independent protection system must be separate from the displays for the DCS
interlocks, but should include similar information.
Complex control schemes and calculations should have dedicated displays to allow the full control
scheme to be inspected. The preferred format for these is flow diagrams showing the flow of the
calculations involved.
The displays should be designed to be as simple and intuitive as possible. They should not based on
PID drawings. Particular attention should be made to making display standards consistent, minimising
unnecessary or repeated information and making navigation between displays simple.
The call up time for schematics and associated live data must be less than 2 seconds.
2.7.2 Historical data and trend displays
The historical data and trending system is used to monitor plant performance in real time and for
analysing historical plant performance and incidents.
All analogue and discrete measurements, controller setpoints and outputs, calculated variables and
motor and valve conditions should be recorded into the history database.
Data must be sampled at a minimum of 5s and retained for a minimum of 1 week. Some variables
may need to be sampled more frequently depending on their process requirements. Any data
compression must be designed not to impact data quality.
OWNER REFERENCE

SPECIFICATION
Alarms and operator actions must be recorded into an event long with a resolution of 1s minimum and
be retained for a minimum of 1 week.
A set of predefined trends associated with each main display should be configured to assist the
operator in monitoring the plant. The system must allow the operator to define new trends as
necessary for operational conditions with the variables and ranges required without loss of
information.
All variables should be available to be trended at all operating positions.
The licensee may require an additional plant information system interfaced to the DCS that provides
plant data to engineers for analysis over the factory IT system.
2.7.3 Alarms
Alarms are the primary means of alerting the panel operator to events which require manual
intervention. They are a key element in assuring the safety and reliability of the plant.
The PIDs detail the primary process alarms required. Additional alarm points associated with package
plant and other systems must be specified during detailed engineering.
During detailed engineering an alarm review must be carried out to determine the priority of each
alarm. INEOS Technologies recommends three levels of annunciated alarm priorities (Emergency,
high and low). The numbers of higher priority alarms must be small compared to lower priority alarms.
The priority should be determined by the necessary speed of response and the consequences of the
operator failing to respond. The number of alarms must be kept to the minimum necessary, by
avoiding unnecessary duplication of alarms for a single event and removing alarms that require no
immediate action by the operator.
The alarm system must be well designed and maintained otherwise the safety of the plant may be at
risk.
The alarm system must be designed to allow the operator to navigate quickly to the schematic display
showing the alarm.
All alarms should require acknowledgement by the panel operator.
The DCS system must provide an alarm summary display that allows alarms to be sorted in alarm
priority or chronological order.
The alarms generated by the safety instrumented system must be displayed in the DCS. First up
alarms should be clearly identified for operator.
All alarms should be presented to the operator within 3 seconds of the alarm being detected by the
instrument.
OWNER REFERENCE

SPECIFICATION
The licensee must have a procedure for managing and safely eliminating spurious alarms in order to
keep the alarm frequency down to a level where the operator can effectively respond.
2.7.4 Operator interface and panel
It is recommended that the control room equipment be grouped in three sections as follows:
Polymerisation: 4 screens minimum

Finishing: 2 screens minimum
Engineering facilities: See main document.
The number of screens required should be reviewed following DCS selection, taking into account the
requirement for backup facilities. A single keyboard may be used for two screens. Additional screens
may be beneficial during the commissioning period.
A hardwired panel contains facilities which are required to be independent of the DCS system. These
include emergency buttons to put the reaction into a safe state by isolating feeds and killing reaction in
the event of a DCS failure and buttons to permit interlock overrides to be applied to the SIS. The
status of these buttons should be recorded in the DCS event log.
These are described further in the overrides section of this document and the interlock descriptions
section of the PDP volume 4.
2.8 SECURITY
A security system – either, password or keylock and appropriate security policy must be in place to
prevent unauthorised or accidental modifications to the DCS or SIS parameters.
Appropriate protection measures must be put in place to guard against computer viruses and
unauthorized access over computer network
Suitable software back-up facilities should be provided.
2.9 ENGINEERING FACILITIES
For the commissioning and maintenance of the control system an Engineer's console should be
located in a separate room adjacent to the control room. The Engineer‟s console may be used as an
additional operating console. It should consist of:
- a screen and keyboard which duplicates the function of the operator station
- a colour printer used for printing out screens and program listings
- a screen and keyboard for the DCS configuration workstation.
This equipment may be combined depending on the selected DCS manufacturer's approach to
software configuration.
OWNER REFERENCE

SPECIFICATION
Other equipment for configuring the safety system, PLCs and analysers etc. should also be located in
the engineers‟ room
2.10 EARTHING AND LIGHTNING PROTECTION
Earthing and lightning protection for the instrumentation system, including the DCS and plant
protection system, must be in accordance with the DCS vendors practice. In addition, the earthing
requirements as specified by the certifying authority for intrinsic safety systems must be followed.
2.11 ADVANCED PROCESS CONTROL (APC)
If specified, APC is defined in an additional document in the PDP volume 4.
APC allows automatic optimisation of plant performance. Additional calculations determine plant and
/or product parameters that allow the operator to manually optimise the operation of the plant. It is not
required for the basic plant operation. The functionality will reside in a separate PC communicating
with the DCS.
OWNER REFERENCE

SPECIFICATION
3. INSTRUMENTATION
3.1 GENERAL
Instrumentation supplied with package units should also follow these requirements.
The use of local mounted indicating only instrumentation should be kept to a minimum; the PIDs show
the minimum requirements of INEOS Technologies.
Measuring systems should use smart transmitters where possible, fitted with a local indicator
displaying in engineering units. Process switches for alarms and trips should be avoided. Temperature
measurements should use locally mounted transmitters and RTD sensors unless otherwise specified.
In plant areas where hydrocarbon gas may condense under normal ambient temperature conditions,
transmitters should be installed so that the instrument impulse pipe work is free draining, heat traced
and insulated to stop condensation from occurring anywhere in the impulse pipe work.
Differential pressure transmitters should be used for measuring liquid levels. On hydrocarbon service,
the low pressure connection should be kept dry, by heat tracing.
All instruments installed on vessels or pipe work containing dry powder, must have sintered metal
filters installed in the pipe connection to the instrument.
If tuning fork level detectors are installed on vessels containing powder they must slope downwards if
installed on the side of the vessel. Top mounted is the preferred method.
Smart positioners should be fitted to all control valves. Where split range control valve operation is
identified on the PIDs, this must be performed in the DCS.
Flow control loops on pulsating services (e.g. flow meters located at dosing pumps discharge, noted
on instrument datasheets in volume 5) must be carefully designed to eliminate noise on flow signals,
meet accuracy requirement and minimize dead times.
The detailed engineering contractor must ensure that the over size factors applied to the sizing of
control valves are such that the minimum flows specified in the instrument process data sheets can be
easily achieved within the normal rangeability of the selected control valve.
Shut-off class for control valves and on/off valves are specified to be consistent with ANSI/FCI 70.2
and API 598 respectively. The valves must be fail safe for both electrical and instrument air failure, the
PIDs and valve PDS indicating the failure action. Valves are usually spring return. Valves that are also
connected to the plant protection system should be fitted with a solenoid valve, which is de-energized
to force the valve to the failure position.
Remotely operated on/off valves should be fitted with open and close proximity switches.
Safety relief valves should be sized and installed in accordance with API 520 and 521.
OWNER REFERENCE

SPECIFICATION
Restriction orifice plates, non-return valves and piping elements that are used to restrict the flow rate
to be relieved by a safety device must be clearly identified by the engineering contractor, and
displayed on the list of plant safety devices.
Electrically powered equipment including motors, Transmitters and all electrically powered field
instrumentation should be protected to IP55 minimum. In flammable gas area all transmitters and all
electrically powered field instrumentation should be certified suitable for installation in zone 1 or zone
2. In areas where combustible dust is a hazard, the equipment should be certified as suitable for
installation in zone 22 or zone 21 areas, as identified on the drawings. In dust hazard areas the
equipment must have the appropriate IP rating and temperature class. In an area where both
flammable gas and combustible dust hazards are present, all transmitters and all electrically powered
field instrumentation should be certified for installation in both zone 1 or 2 and zone 21 or 22. The
zone definition should be in accordance with IEC60079-10.
Requirements for specific instruments are contained in the Engineering Manual and instrument
datasheets in volume 5.
3.2 FIELDBUS
Foundation Fieldbus or Profibus may be used for communication links between the field
instrumentation and the DCS. The communication links between the field instrumentation and the SIS
must be via conventional 4 -20 mA, and digital on/off signals. Electric motor controls may also
communicate with the DCS via a fieldbus link. A single vendor should be responsible for the complete
system that includes the DCS, the field instrumentation wherever possible, and the fieldbus design
and operation.
Fieldbus must be of fail safe design. Loss of communications or power must cause the valve(s) to
travel to their fail-safe position.
The fieldbus, including power supplies and cards, must be fully redundant for process control, and
process sequence operations; no single failure should result in the loss of more than one control loop,
or the operator‟s ability to access the plant or parts of the plant. In the event of a failure of a measuring
element or transmitter it must still be possible for the operator to move the position of the control valve
from the DCS.
Basic regulatory control may be performed in the field, but the transmitter and associated control valve
must be on the same cable spur. Communication between cable spurs must be avoided for process
control. The higher level controls that involve the primary elements of cascade or advanced controls
must be performed in the DCS. At least 30% spare capacity must exist on each spur at the time of
plant start up.
The fieldbus communications for the very fast operating sequences and field devices identified
elsewhere in the PDP volume 4 must be such that there is no deterioration in the performance of the
sequences, otherwise conventional wiring links must be used instead.
OWNER REFERENCE

SPECIFICATION
3.3 INSTRUMENT/CONTROL POWER/AIR SUPPLY
3.3.1 Power supply
All instruments, control and safety systems must be provided with a secure uninterruptible power
supply (UPS), with at least 30 minutes of battery backup to allow safe shutdown of the plant in the
event of a major power failure
All UPS systems must have fault alarms on the DCS and be regularly tested to ensure static switch
operation and the actual battery capacity.
Failure of the normal feed to a distribution board should be alarmed in the DCS.
Dual redundant items of equipment should have separate electrical supplies.
If smart devices are installed in the Electrical (MCC) switchgear, then these devices should be
powered from a UPS with 30 minutes capacity.
A separate UPS may be required for the plant communications system; the Licensee and detailed
engineering contractor should determine the requirements.
Refer to the Electrical section of the PDP volume 1 for further details of the electrical supply
requirement.
3.3.2 Instrument air
Refer to the utility summary section for the PDP in volume 1.
The plant should have at least 30 minutes spare capacity (provided from Battery limit) in the event of a
major site air supply failure.
4. ANALYSERS
Refer to the analyser datasheets in volume 5 for details of analysers.
5. FIRE AND GAS DETECTION
Refer to the Safety Guidelines document for fire and gas detection requirements in volume 1.
OWNER REFERENCE

SPECIFICATION
6. PACKAGE INSTRUMENTATION AND CONTROL
The vendor must provide functional specifications for control schemes and all instruments required for
control, monitoring and protection of the package. These must be adequate to allow the package to be
started-up, operated (including fault finding) and shutdown in a safe and reliable manner. The
specifications must provide sufficient information to allow the control and protection systems to be
configured in the plant DCS and safety systems if required. All control and instrumentation must be
designed and installed in accordance with the principles defined in Instrument and Process Control
Philosophy. This document must be provided to the package vendor.
As a minimum instruments shown on the PIDs must be included. Any exceptions must be approved by
INEOS Technologies.
The functional specifications for control must include the following:
Regulatory control schemes required for the normal operation of the package including any
controls required to start-up or shutdown the package.
Alarms and the associated settings where required to alert the operator to carry out actions
preventing a hazard, equipment damage or unwanted process condition. This specification must
include details of the hazard protected against and the actions to be taken.
Interlocks and the associated settings required to protect against abnormal situations leading to a
safety hazard, equipment damage or unwanted process condition. This specification must include
details of the hazard protected against. Interlocks must function separately from any control or
sequence (e.g. if a startup sequence is disabled then the interlock must remain operational).
Sequences where required to facilitate the startup or shutdown or other routine operation of the
package.
It is vendor‟s responsibility to specify any required interlocks to mitigate any known or foreseeable
hazard and to ensure integrity
Generic hazards have been identified in INEOS Technologies Technical Documentation (e.g. Interlock
Description, Safety Guidelines, HSE report, comments to HAZOP review report if any, etc…).
However, all hazards must be identified and associated protective measures fully developed by
detailed engineering and package vendor
The interlocks and controls covering “Ineos Technologies” specific process hazards are described in
the PDP volume 2 and volume 4.
All interlocks must be designed to comply with IEC61508/61511. A review must be carried out by the
DE contractor with the licensee and the vendor to determine the safety integrity levels of interlocks.
The interlocks must be designed to meet the safety integrity levels.
OWNER REFERENCE

SPECIFICATION
Control and interlocks may be integrated into the DCS and SIS or remain separate in the vendor‟s
Control and Interlock Systems (refer to packages process data sheets for specific requirements). If the
control and interlocks remain in the vendor's Control and Interlock Systems they must be interfaced to
the DCS. All process information from instruments and control must be available on the DCS.
7. MOTOR CONTROL
Intelligent motor control modules are preferred. Where these are used the detailed engineering
contractor should ensure that a secure redundant software link is provided to interface the intelligent
modules with the DCS. It must be a fast link displaying motor status change within 3 seconds. The
contractor must ensure that the link is fast enough to perform an automatic start of spare equipment
without inducing process shutdown.
Remote and local commands are shown on PIDs.
Motors that are powered at high voltage should have their power consumption displayed on the DCS.
The recommended electrically powered equipment protection is described in the section

Instrumentation/General of this document.
OWNER REFERENCE

SPECIFICATION
8. DCS/SIS PROJECT ENGINEERING
The design, implementation, testing and commissioning of the control system must be carefully
controlled in order to avoid future operational problems and safety hazards.
8.1 DESIGN
A Functional Design Specification (FDS) must be developed by the detailed engineering contractor
and system supplier(s). This should include functionality for all standard components (e.g. PID
controller, valve, interlock etc and standard requirements for display characteristics and navigation,
philosophies for alarm handling, trends, security etc) and detailed specifications for all control,
sequence and interlocks, interfaces, instrument ranges, trip and alarm settings, spares/expansion
philosophy.
Where control of package equipment is included in the DCS the package system vendor should be
involved in the relevant sections of the FDS design. This is particularly important for the complex
packages such as extruders.
The relevant output from HAZOPS, SIL reviews and alarm reviews should be included in the FDS.
8.2 TESTING
The supplier of the DCS must pre-test the software against the FDS.
The detailed engineering contractor/licensee must test the software at a factory acceptance test
(FAT).
This testing of the DCS may be done in several stages covering:
Generic standards testing: This should cover generic system software components and philosophies.
It should be carried out before these standards are used for bulk configuration.
Hardware and standard components: This should cover all system hardware, I/O testing, interfaces to
other systems and all non complex controls, indications and displays. All interfaces to the DCS / SIS
system must be tested. It may be possible to ship the bulk of the DCS system to site following
completion of this stage of testing if the remaining testing can be completed without it.
Complex controls: This should cover all interlocks, complex control schemes and, sequences and their
associated displays. A simple simulation may be required to effectively test these controls.
Where there is significant complexity in package equipment control the vendor should be present for
the testing.
OWNER REFERENCE

SPECIFICATION
The detailed design contractor is responsible for the overall consistency of the integrated control
system and of the fulfilment of all requirements for the overall plant control.
8.3 INEOS TECHNOLOGIES REQUIREMENTS
In order to ensure that INEOS Technologies design and safety requirements are met certain
documents must be supplied for review.
Refer to PDP volume 1 for documents to be reviewed by INEOS Technologies during detailed
engineering. INEOS Technologies may attend the FAT for DCS and SIS.
An engineer who was involved with the control system design and configuration from the DCS vendor
should be on site during the commissioning period of the plant.
The licensee must have a trained engineer responsible for commissioning and operation of the control
systems.
8.4 LIST OF INSTRUMENTATION VENDORS
List of instrument vendors for some items (e.g. withdrawal valves…) are included in the PDP volume
1.

V4-CH01-Instrument and Process Control Philosophy Rev 1

Uploaded by

Copyright:

You might also like

V4-CH01-Instrument and Process Control Philosophy Rev 1

Uploaded by

Document Information

Original Title

Copyright

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

V4-CH01-Instrument and Process Control Philosophy Rev 1

Uploaded by

Copyright:

PETRONAS RAPID Project Nov 2012

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

Technologies RAPID L20 INE PRO DES 3200 0011

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

1 12-Dec-12 PDP update FMA A. CONIL A. CONIL

Technologies RAPID L20 INE PRO DES 3200 0011

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

Technologies RAPID L20 INE PRO DES 3200 0011

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

May: is used where an alternative provision is acceptable to INEOS Technologies

Should: is used where INEOS Technologies prefers the provision

Must: is used where the provision is mandatory

DCS Distributed Control System (Main plant control system)

SIS Safety Instrumented System (Protective system)

PID Piping & Instrumentation Diagram

SIL Safety integrity level. (Defined in IEC61508, IEC61511)

Technologies RAPID L20 INE PRO DES 3200 0011

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

APC Advanced Process Control system

PDS Process data sheets (in PDP volume 2)

RTD Resistance Thermal Device

Technologies RAPID L20 INE PRO DES 3200 0011

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

2. CONTROL AND PROTECTION SYSTEM REQUIREMENTS

2.2 DCS HARDWARE IMPLEMENTATION

Technologies RAPID L20 INE PRO DES 3200 0011

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

2.3 SIS HARDWARE IMPLEMENTATION

Technologies RAPID L20 INE PRO DES 3200 0011

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

The protection system interlocks must be active at all times.

2.4 CONTROL SYSTEM INTERFACES

Interfaces may be required to the following items:

Technologies RAPID L20 INE PRO DES 3200 0011

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

2.5 DCS CONFIGURATION

2.5.1 Regulatory Control

All basic control points should be executed at a frequency of 1s or faster.

2.5.1.2 Analogue inputs

Analogue input should have the following characteristics

High and low alarm facilities – to be disabled by default

Alarm hysteresis – 1% of range by default

Technologies RAPID L20 INE PRO DES 3200 0011

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

Out of range / hardware failure alarm facilities – to be indication only by default

Historisation – minimum every 5s

Controllers should have the following characteristics:

Features of an analogue input

Out of range / hardware failure alarm facilities – to be low priority by default

Adjustable setpoint and output limits – to be configured at maximum range by default

Initialisation – If a slave controller in a cascade control scheme is in manual or automatic instead of

Historisation of SP, PV and OP – minimum every 5s

2.5.1.4 Discrete input

A discrete input should have the following characteristics:

State change alarm – to be disabled as default

Historisation minimum every 5s

Setpoint (SP) manipulated by the operator or automatic control

Technologies RAPID L20 INE PRO DES 3200 0011

INSTRUMENT AND PROCESS CONTROL PHILOSOPHY

Both SP and PV must be displayed on the operator screen in schematic form.

Historisation of PV – minimum every 5s