SAES-Z-001
Contents
1 Scope ................................................................. 2
2 Conflicts and Deviations ..................................... 2
3 References ......................................................... 2
4 Definitions .......................................................... 4
5 Revision Level .................................................... 8
6 Redundancy ....................................................... 9
7 Segregation ...................................................... 10
8 Spare and Expansion Capabilities.................... 12
9 Process Control and Equipment Protection ...... 13
10 Consoles .......................................................... 18
11 Operator Graphical Displays ............................ 27
12 Alarms and Messages ...................................... 33
13 Historization and Trending ............................... 39
14 System Access and Security ............................ 41
15 Integration and Interface .................................. 47
16 Cabinets ........................................................... 55
17 Electrical Wiring, Power Supply, and Power Distribution ..................................... 58
18 Process Control Networks ................................ 61
19 Environmental Conditions ................................ 62
20 Control Rooms ................................................. 62
21 Inspection and Testing ..................................... 63
22 Documentation ................................................. 63
Revision Summary ................................................... 63
1 Scope
1.1 This standard prescribes the minimum mandatory requirements and guidelines
governing the engineering, design, procurement and installation of Process
Control Systems (PCS) in Saudi Aramco plants.
Distributed Control Systems (DCS) and the interface between the DCS and
other process control and monitoring systems are considered within the scope of
this standard. The integrated system shall be referred to as the Process Control
System (PCS).
1.2 Process control networks are included in the scope of this standard.
Other networks used for connectivity between the process control systems and
plant information systems are excluded from the scope of this standard.
1.3 Requirements governing security for the design and operation of Process
Control Systems are detailed in SAEP-99.
1.4 This entire standard shall be attached to and made a part of purchase orders.
2 Conflicts and Deviations
Any conflict between this document and other applicable Mandatory Saudi Aramco
Engineering Requirements (MSAERs) shall be addressed in writing to the EK&RD
Coordinator.
Any deviation from the requirements herein shall follow internal company procedure
SAEP-302, Waiver of a Mandatory Saudi Aramco Engineering Requirement.
3 References
Specific sections of the documents listed below are referenced within the body of this
standard. Material supplied to this standard shall comply with the referenced section(s) of
the latest revision of these documents. Where specific sections are not referenced, the
entire referenced document shall apply.
4 Definitions
4.1 Abbreviations
APC Advanced Process Control
BMS Burner Management System
CCR Central Control Room
CCS Compressor Control System
DCS Distributed Control System
ESD Emergency Shutdown Systems
FSD Functional Specification Document
HMI Human Machine Interface
I/O Input / Output
MVC Multi-Variable Controller
OPC OLE for Process Control
PAN Process Automation Network
4.2 Definitions
In this standard, the terms “must”, “shall”, “should” and “can” are used.
When “must” or “shall” are used, the item is a mandatory requirement.
When “should” is used, the item is strongly recommended but not mandatory.
When “can” is used, compliance may further enhance the system functionality
but is optional.
Dead Band: The range through which an input signal may be varied without
initiating an action or observable change in output signal.
Hardware: Physical components used within a Process Control System such as:
Controllers, I/O cards, power supplies, network devices, workstations and servers.
5 Revision Level
5.1 All control and I/O subsystem hardware and/or firmware and other vendor
proprietary hardware shall be the latest revision level, approved by Saudi
Aramco, at the time of the hardware freeze date as defined in the contract
purchase order or the Preliminary Design Review (PDR); whichever is the latest.
5.2 All software shall be the latest, commercially released, software revision level
that is compatible with the hardware revision level being supplied at the time of
Critical Design Review (CDR).
5.3 All personal computers, monitors, printers, peripherals, Ethernet switches and
other commercial-off-the-shelf (COTS) equipment provided by the vendor as
part of the system shall be the latest model commercially available which has
been tested and approved for compatibility by the vendor at the time of the
hardware freeze date as defined in the contract or purchase order. The Main
5.4 Application packages supplied by the vendor to meet Saudi Aramco requirements
shall be the vendor's standard off-the-shelf software configurable to meet job-
specific requirements.
6 Redundancy
Where the number of fiber optic strands required are four or less, a single FOPP
may be used. Redundant strands shall be terminated to separate sides of the
FOPP to reduce the risk of inadvertent damage to both redundant strands during
maintenance.
7 Segregation
Process Control Systems shall be segregated into risk areas to increase system and
process availability. Two levels of risk area segregation shall be applied: Operating
area risk areas and redundant equipment risk areas.
7.1.3 Parallel processing trains within a facility (i.e. gas treatment train 1-4,
GOSP Train 1-4, etc.) and major process areas (i.e., crude unit, DHT,
etc.) shall be assigned to separate L1 risk areas. Each train or major
process area shall be provided with a separate Emergency Shutdown
System (ESD).
7.1.5 Level 1 segregation does not apply to global system databases; such as:
control configuration DB, Historian DB, system configuration DB, or the
engineering workstations and servers used with these systems.
7.2.1 Parallel process equipment (e.g., parallel process heaters) and equipment
installed in redundant configuration (e.g., 3 x 50% pumps) shall be
segregated into separate Level 2 (L2) risk areas.
7.2.2 Equipment located in separate Level 2 risk areas requires separate Input /
Output cards.
7.3.1 Process equipment in utilities plant areas, inlets area for gas processing
facilities and tank farms shall be segregated into separate Level 1 risk
areas such that a failure in any L1 risk area shall result in a loss of no
more than 50% of the total throughput of the process area.
Commentary Note:
7.3.2 Many utilities have a master controller which affects the entire
production of that utility stream (i.e., instrument air header pressure
controller, Steam header pressure controller, etc.). It is impossible to
segregate this controller into different risk areas. The master controller
shall be assigned to one of the L1 risk areas and clearly documented.
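The Level 1 and Level 2 rules above are easy to state and easy to get wrong in a marshalling design. The following script is an added illustration, not text or code from SAES-Z-001: it encodes 7.2.1 / 7.2.2 (members of one parallel or N x 50% set must sit in different L2 risk areas and on different I/O cards) and 7.3.1 (no single L1 risk area failure may cost more than 50% of a process area's throughput) and runs them over a constructed equipment list. All tags, area names and card names are constructed sample data.

```python
"""Risk-area segregation check (added illustration; not part of SAES-Z-001).

Applies the Section 7 rules to a constructed equipment list:
  7.2.1 / 7.2.2  members of one parallel / redundant set need separate Level 2
                 risk areas and separate I/O cards,
  7.3.1          a single Level 1 risk area failure must not cost more than
                 50% of a process area's throughput.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Equipment:
    tag: str
    l1_area: str                             # Level 1 risk area (train or major process area)
    l2_area: str                             # Level 2 risk area
    io_card: str                             # I/O card carrying the device's signals
    redundancy_group: Optional[str] = None   # name of the parallel / N x 50% set, if any


def check_level2_segregation(equipment: List[Equipment]) -> List[str]:
    """Return one finding per set member that shares an L2 area or an I/O card
    with an earlier member of the same set (7.2.1 / 7.2.2)."""
    groups: Dict[str, List[Equipment]] = defaultdict(list)
    for e in equipment:
        if e.redundancy_group:
            groups[e.redundancy_group].append(e)
    findings = []
    for name, members in groups.items():
        first_in_l2: Dict[str, str] = {}
        first_on_card: Dict[str, str] = {}
        for e in members:
            if e.l2_area in first_in_l2:
                findings.append(f"{name}: {e.tag} shares L2 area {e.l2_area} with {first_in_l2[e.l2_area]}")
            if e.io_card in first_on_card:
                findings.append(f"{name}: {e.tag} shares I/O card {e.io_card} with {first_on_card[e.io_card]}")
            first_in_l2.setdefault(e.l2_area, e.tag)
            first_on_card.setdefault(e.io_card, e.tag)
    return findings


def check_level1_throughput(loss_pct_by_l1_area: Dict[str, float], limit_pct: float = 50.0) -> List[str]:
    """7.3.1: L1 areas whose failure would lose more than limit_pct of throughput."""
    return sorted(area for area, loss in loss_pct_by_l1_area.items() if loss > limit_pct)


# Constructed sample: a 3 x 50% pump set where pump C was wired like pump B,
# two parallel heaters done correctly, and a utility master controller (7.3.2).
SAMPLE_EQUIPMENT = [
    Equipment("P-101A", "TRAIN-1", "L2-01", "AI-CARD-01", "P-101 3x50%"),
    Equipment("P-101B", "TRAIN-1", "L2-02", "AI-CARD-02", "P-101 3x50%"),
    Equipment("P-101C", "TRAIN-1", "L2-02", "AI-CARD-02", "P-101 3x50%"),
    Equipment("H-201", "TRAIN-1", "L2-03", "AI-CARD-05", "H-200 parallel"),
    Equipment("H-202", "TRAIN-1", "L2-04", "AI-CARD-06", "H-200 parallel"),
    Equipment("PC-301", "UTIL-A", "L2-05", "AI-CARD-07"),
]

# Constructed: throughput lost if each utilities / inlet L1 area fails.
SAMPLE_L1_LOSS = {"UTIL-A": 50.0, "UTIL-B": 50.0, "INLET-1": 60.0}

if __name__ == "__main__":
    for f in check_level2_segregation(SAMPLE_EQUIPMENT):
        print("L2:", f)
    for a in check_level1_throughput(SAMPLE_L1_LOSS):
        print("L1:", a, "exceeds the 50% loss limit")
```

On the sample this reports two findings, both against P-101C (shared L2 area and shared I/O card with P-101B), and flags INLET-1 because a 60% loss exceeds the 7.3.1 ceiling; an area sitting exactly at 50% passes.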
8 Spare and Expansion Capabilities
8.1 Each system shall be supplied with 10% spare I/O channels per Level 1 risk
area. The spare I/O shall be licensed, installed, and wired to terminal blocks in a
marshalling panel. Spare I/O shall be provided in approximately the same ratio
as that of the actual requirement. This requirement applies to all projects where
new I/O and marshalling are being supplied.
Commentary Note:
Where both redundant and simplex I/O models are used for a signal type, the
requirement for spare I/O shall apply for both types. Redundant I/O may be used
to meet requirements for spare simplex I/O where economical to do so.
8.2 Each system shall be installed with 10% spare slots in I/O chassis or baseplates
per level 1 risk area to accommodate future expansion of I/O modules.
This requirement applies to new projects and not for expansions within existing
cabinets.
8.3 Power supplies for I/O modules shall be sized to accommodate the installed
spare and the additional 10% expansion requirement. This requirement applies
to any new power supply module whether used for a new project or a system
expansion.
8.4 DCS shall be supplied with 20% additional licenses for expansion of the control
database (tag / function block licenses) and DCS historian database.
This requirement applies to new projects and not to expansion projects.
8.5 Each system shall be capable of expanding the number of controllers by 10%
from that installed in the base system.
8.6 The average CPU loading of any controller during normal operating conditions
shall not exceed 50% overall or the manufacturer's recommended maximum
loading specification, whichever is lower. This requirement applies to new
controllers and to expansion projects where additional control loops are added
to existing controllers.
8.7 Servers and workstations shall be configured with additional spare capacity of
40% minimum for hard-drive space, memory, and CPU, or as per the vendor’s
recommendations, whichever is more stringent. CPU and memory spare
Saudi Aramco: Company General Use
©Saudi Aramco 2019. All rights reserved. Page 12 of 63
Document Responsibility: Process Control Standards Committee SAES-Z-001
Issue Date: 25 February 2020
Next Planned Update: 20 December 2020 Process Control Systems
8.8 Projects providing new Fiber Optic Patch Panels (FOPP) shall provide the new
FOPP with a minimum of 20% spare termination ports. This requirement does
not apply to projects where existing FOPP are being utilized.
8.9 Network and server cabinets shall be designed with 20% spare space for
expansion capability. This requirement applies to all new network and server
cabinets and not for expansions within existing cabinets.
8.10 System cabinets shall be provided with 10% spare space for future expansion
and shall be provided with a minimum of 10% spare power distribution circuits
(e.g. circuit breakers or fused terminal blocks). This requirement applies to all
new system cabinets and not for expansions within existing cabinets.
This requirement is in addition to the spare slots required in item 8.2 above.
8.11 Spare and expansion capabilities shall be verified during Factory Acceptance
Testing.
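Because 8.11 makes these figures a Factory Acceptance Test item, it helps to have them written down as checks rather than read off a spreadsheet. The script below is an added example, not part of SAES-Z-001 or any vendor's FAT tooling. It encodes 8.1 / 8.2 (10% spare I/O channels and slots per L1 risk area), 8.6 (controller loading capped at 50% or the vendor figure, whichever is lower) and 8.7 (40% spare disk, memory and CPU on servers, or the vendor figure, whichever is more stringent). Spare is computed relative to the actual requirement, which is this example's reading of "the same ratio as that of the actual requirement"; all counts and percentages are constructed.

```python
"""Spare / expansion capacity check for FAT (added illustration; not SAES-Z-001 text).

Section 8 figures encoded here: 8.1 / 8.2 (10% spare channels and slots per
L1 risk area), 8.6 (controller loading <= min(50%, vendor maximum)) and
8.7 (server spare >= max(40%, vendor recommendation)).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RiskAreaIO:
    name: str
    channels_required: int
    channels_installed: int   # licensed, installed and wired to marshalling
    slots_required: int
    slots_installed: int


@dataclass(frozen=True)
class Controller:
    tag: str
    avg_cpu_load_pct: float   # average loading under normal operation
    vendor_max_pct: float     # manufacturer's recommended maximum loading


@dataclass(frozen=True)
class Server:
    name: str
    disk_free_pct: float
    memory_free_pct: float
    cpu_free_pct: float
    vendor_min_free_pct: float = 0.0   # vendor recommendation, if any


def spare_ratio(required: int, installed: int) -> float:
    """Spare as a fraction of the actual requirement (assumed reading of 8.1)."""
    return (installed - required) / required if required else 0.0


def check_io_spares(areas: List[RiskAreaIO], min_spare: float = 0.10) -> List[str]:
    """8.1 / 8.2: findings for L1 risk areas short of spare channels or slots."""
    findings = []
    for a in areas:
        if spare_ratio(a.channels_required, a.channels_installed) < min_spare:
            findings.append(f"{a.name}: spare I/O channels below {min_spare:.0%}")
        if spare_ratio(a.slots_required, a.slots_installed) < min_spare:
            findings.append(f"{a.name}: spare I/O slots below {min_spare:.0%}")
    return findings


def controller_limit_pct(c: Controller) -> float:
    """8.6: 50% or the manufacturer's maximum, whichever is lower."""
    return min(50.0, c.vendor_max_pct)


def check_controllers(controllers: List[Controller]) -> List[str]:
    """Tags of controllers whose average loading exceeds their limit."""
    return [c.tag for c in controllers if c.avg_cpu_load_pct > controller_limit_pct(c)]


def server_limit_pct(s: Server) -> float:
    """8.7: 40% or the vendor's recommendation, whichever is more stringent."""
    return max(40.0, s.vendor_min_free_pct)


def check_servers(servers: List[Server]) -> List[str]:
    """Findings for each resource that falls below the server's spare limit."""
    findings = []
    for s in servers:
        limit = server_limit_pct(s)
        for resource, free in (("disk", s.disk_free_pct),
                               ("memory", s.memory_free_pct),
                               ("cpu", s.cpu_free_pct)):
            if free < limit:
                findings.append(f"{s.name}: {resource} spare {free:.0f}% < {limit:.0f}%")
    return findings


# Constructed FAT input: TRAIN-2 is short of spare channels, C-02 and C-03 are
# over their loading limits, and each server misses one resource target.
SAMPLE_AREAS = [RiskAreaIO("TRAIN-1", 400, 440, 20, 22),
                RiskAreaIO("TRAIN-2", 400, 430, 20, 22)]
SAMPLE_CONTROLLERS = [Controller("C-01", 45.0, 60.0),
                      Controller("C-02", 42.0, 40.0),
                      Controller("C-03", 55.0, 70.0)]
SAMPLE_SERVERS = [Server("SRV-HIST", 35.0, 50.0, 60.0),
                  Server("SRV-ENG", 50.0, 45.0, 55.0, vendor_min_free_pct=50.0)]

if __name__ == "__main__":
    for f in check_io_spares(SAMPLE_AREAS) + check_servers(SAMPLE_SERVERS):
        print(f)
    print("controllers over limit:", check_controllers(SAMPLE_CONTROLLERS))
```

Note the two "whichever" clauses point in opposite directions: for controllers the stricter figure is the lower one, for server spare it is the higher one, which is why `controller_limit_pct` uses `min` and `server_limit_pct` uses `max`.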
9 Process Control and Equipment Protection
9.1 General
9.1.2 All field outputs and their associated field inputs shall be implemented
using DCS I/O cards with individual channel isolation.
9.2.2 FOUNDATION Fieldbus (FF) shall not be used for expansion projects
where the facility does not already utilize FF. FF shall only be
considered for grass roots plants and for expansions to facilities already
utilizing FF technology.
9.2.3 The Fieldbus layer of any FOUNDATION™ Fieldbus (FF) based system
shall be designed and configured as per SAES-J-904.
9.3.1 Execution rates for control algorithms shall be set as per the table below
unless otherwise specified in the project FSD.
9.3.2 Consideration must be given during system design to ensure that the I/O
scan rate is at least as fast as the required control algorithm execution rate.
9.3.3 The project FSD shall provide an estimate of the total number of each
loop type.
9.4.1 Primary control loops (input, control logic, output) shall be executed
within a single controller. Exceptions are permissible with written
approval from the proponent operating organization.
9.4.2 Initialization - Control loops shall be configured to set the output of the
controller equal to the downstream value during the initialization
process. If the downstream value is an output to the field, the initial
output of the controller should equal the position of the field device.
For cascade controllers, the output of the primary controller (outer-loop)
shall equal the setpoint of the secondary controller (inner-loop).
9.4.6 Composite tag - Where possible, multiple inputs and outputs for a single
device, such as a pump or MOV, shall be combined into a single tag ID.
Operation of the device shall be through this single tag ID.
9.5.1 Written control narratives shall be developed for all advanced regulatory
control strategies and supplied with the project documentation.
9.5.2 Specific DCS graphics shall be developed for each ARC strategy,
describing the control objective and operation of the strategy.
The graphic shall contain a pictorial representation of the equipment
involved and the current state of all inputs and outputs associated with
the loop.
9.6.1 Startup sequence displays shall be provided in the DCS to facilitate the
startup of a process unit or major equipment which requires a specific
sequence of events to be executed in order.
9.6.2 Sequencing displays shall be provided in the DCS for any process
requiring a specific sequence to be followed by the operator. Sequence
displays shall provide an overview of each step required in the sequence
with indication on which steps have been completed and which step is
currently active. The display shall indicate the current state of each step,
what conditions / permissives are pending and what actions (if any) are
required to be performed. For sequences which require actions by field
9.6.4 Startup permissives displays shall be provided to facilitate startup for all
major equipment which utilize startup permissives.
9.6.5 Startup permissive displays shall be provided in the DCS for major
equipment of processes. The display shall show the current state of all
permissives associated with the equipment. ESD logic reset buttons
shall be included, where required, on the startup permissives displays to
facilitate startup of the equipment.
9.8.2 APC applications shall be of a supervisory nature and provide the set-
points for regulatory control loops. Direct output to the output modules
shall be by exception and clearly documented.
9.8.8 Alarms shall be provided at the DCS operator workstation when the
advanced process controller or its sub-controllers are turned off for any
reason. Operator shall be able to acknowledge APC alarms from the
DCS workstation.
9.8.9 Graphical Operator displays shall be provided for operators to monitor and
manipulate advanced control application. These displays shall be
accessible through the operator's normal DCS workstation. The operator
display shall provide the following operator functions and information:
Operator shall be able to turn the application ON/OFF via software
switch accessible to the operator via the operator DCS.
Operator shall be able to turn ON/OFF the sub-controller via
software switch accessible from the DCS display.
Operator shall be able to turn ON/OFF the manipulated, feed-
forward, and controlled variables via software switch for
operation and maintenance purposes.
Operator shall be able to modify upper and lower operator limits for
all the manipulated, feed-forward, and controlled variables.
Manipulated variables summary shall consist of but not be limited to
displaying variable tag names, descriptions, status (e.g., out of
service, prediction, off-line), process variable value and states,
optimizer targets, set-points, high/low limits, current move values,
10 Consoles
10.1 General
10.1.5 All power supply and distribution wiring, grounding, and I/O termination
wiring within consoles shall comply with the requirements of
34-SAMSS-820, “Instrument Control Cabinets.”
10.1.7 All push buttons, switches, lamps and other console mounted devices
shall have a nameplate permanently attached indicating the service
description.
10.2.3 Operator Consoles shall not contain more than four (4), dual-headed
operator workstations (and one large screen monitor) unless sufficient
justification has been provided by operations.
10.2.4 Monitors shall be attached to the console in a manner which allows for
both horizontal and vertical adjustment of the monitor.
10.2.5 Each operator console shall be supplied with a large screen monitor, 40”
or larger, which shall be mounted on top of the primary operational
monitors. The large screen monitor shall be used primarily to show the
plant area overview associated with the console; however, the operator
shall have the ability to change the display shown on this monitor.
Change of graphics on any of the primary operator workstations shall not
affect the display shown on the large screen monitor.
10.2.6 Each operator console shall be supplied with the capability to monitor
process alarms and system diagnostic alarms at each workstation within
the console. The capability to acknowledge process alarms shall be
provided for each workstation. The capability to acknowledge system
alarms shall be provided to a minimum of two workstations within the
console.
10.2.7 Each operator console shall be supplied with the capability to generate
and access production reports, sequence of events reports, alarm history
displays and reports and long term historization and trending of tags
associated with the relevant process areas.
10.2.9 Each workstation in the operator console shall have access to a minimum
of two networked printers for reporting and graphical printing
(i.e., printouts of active displays).
Exception:
For smaller systems whose I/O count does not exceed 1,000 pts, a single
printer is acceptable.
10.3.1 Design
10.3.1.3 When a console design requires more than four (4) workstations,
the use of rack mounted servers and KVM switch technology to
minimize the number of workstations at the console is
recommended.
10.3.2 Functionality
10.4.1 General
10.4.2.7 Where host servers are used to host separate virtual instances
of applications which access different networks (i.e., either
the Process Control Network or the Process Automation
Network), the server shall be provided with separate Network
Interface Cards (NIC) for each network. Each virtual instance
shall be configured to access only the network / NIC required.
10.4.2.8 Where host servers are used to host virtual instances which
would normally reside in the De-militarized Zone (DMZ), a
separate, dedicated host server shall be supplied to host DMZ
applications. Hosting of applications which would normally
reside outside of the DMZ on a server which is connected to
the DMZ is prohibited.
10.4.3 Thin-clients
10.4.3.5 TCs shall not store passwords used for user authentication of
remote sessions.
10.4.3.6 TCs may utilize local user accounts or may be integrated into
the domain controller provided for the PCS. Where local user
accounts are used, TCs shall be configured to auto-login to the
local user account on startup.
10.5.2 Tools shall be provided to capture, store and retrieve all system related
alarms or events.
11 Operator Graphical Displays
This section defines graphical displays primarily used by operators to monitor and
control process equipment.
11.1 General
11.1.1 All graphics shall include the following information in standard locations:
a) Display number (i.e., 97DISP01)
b) Display Name (i.e., Instrument Air overview display)
c) The associated P&ID number(s) for the equipment displayed on the
graphic.
11.2 Colors
11.2.2 Process data shall be shown with a background color which is grey
(close to the background color) when the process value is in a normal
condition. Background color for process data elements shall only show
colors when the value is in an alarm condition.
11.2.3 There shall be very limited use of color. Colors shall be used only to
highlight abnormal situations, and shall be applied consistently
throughout the system.
11.3 Design
11.4.1 Operators shall be able to easily access specific displays and graphics by
pressing dedicated function keys, selecting from a list of displays in
directories and menus, or by typing display or graphic names.
11.4.3 Any graphic display shall be accessible via no more than three operator
actions.
11.4.5 When a graphic element has an associated call-up display (e.g., PID
faceplate for a controller) the graphic shall have a target that
immediately calls up the associated control display when selected.
11.4.6 Graphics shall be designed to facilitate easy call-up of trend displays for
individual tags from the primary process graphic.
11.5.2 Process displays shall be designed such that the Process Value (PV) and
the manipulated value (MV) are shown on a single display, wherever
possible.
11.5.5 Control faceplates shall show dynamic process and status information
about a function block or tag and shall permit an operator to change
required parameter values associated with the function block.
11.5.7 The following actions shall be possible from each Faceplate as applicable:
Change control block mode.
Change setpoint and other operator settable parameters.
Issue commands to multi-state devices.
Adjust outputs in manual mode.
11.5.8 Control faceplates for PID controllers shall have up/down arrows that
allow the operator to adjust the setpoint or MV rather than having to type
a value. The arrow keys shall also be capable of having two adjustable
rates (i.e., regular click gives 0.1 increment, SHIFT + Click gives 1.0
increment).
11.6.1 Plant Safety Displays (PSD) shall be provided and configured with the
PCS.
11.6.4 The top-level PSD shall be an aerial view picture or schematic of the
plant showing the major equipment as it is arranged in the facility.
11.6.5 The top-level PSD shall indicate the status of the H2S / LEL gas
detectors in their physical location throughout the plant as described
below.
11.6.6 The top-level PSD shall contain a wind speed and wind direction
indication dial to enable the viewer to quickly determine the down-wind
direction for any alarm.
11.6.7 The top-level PSD shall contain an indicator showing the ESD bypass
status for each plant area. The indicator shall be configured to combine
the status of all ESD bypasses for that plant area into a single symbol.
The indicator shall be shown in Neutral color if no bypass is active and
shall change color if any bypass is active in that particular plant area.
The indicator shall be placed on the display in the physical location of
that plant area.
11.6.8 The top-level PSD shall contain an indicator showing the gas detector
bypass status for each plant area. The indicator shall be configured to
combine the status of all gas detector bypasses for that plant area into a
single symbol. The indicator shall be shown in Neutral color if no
bypass is active and shall change color if any bypass is active in that
particular plant area. The indicator shall be placed on the display in the
physical location of that plant area.
11.6.9 The top-level PSD shall contain a single symbol to indicate the Fire
Alarm status for the plant. The symbol shall be configured to change
from neutral to the appropriate alarm color when any fire alarm is
active. The symbol shall be configured to call-up a fire alarm status
display when selected to provide more detailed information about the
physical location and status of the fire alarm.
11.6.10 The top-level PSD shall contain a single symbol to indicate the PCS
cabinet alarm status for the plant. The symbol shall be configured to
11.6.12 The process / plant area PSDs shall display an aerial view of the
particular process area. The status of all H2S / LEL gas detectors shall
be shown on these displays, in their specific locations.
11.6.13 Gas detector indicators on the process / plant area PSDs shall be
configured to bring up a removable overlay which displays the detector
measurement by selecting the detector graphic symbol.
11.6.14 The ESD bypass indicators and Gas Detector bypass indicators related
to the plant area shall be displayed on the process / plant area PSD.
These indicators shall be configured to call-up a detailed bypass status
display for the area when selected.
11.6.15 The online / offline status of major equipment shall be indicated on the
process / plant area PSDs. When an aerial photo is used as the basis for
the display, a rectangle around the equipment shall be configured to
change color based on the run status of the equipment or similar
methods may be used to indicate the operational status.
11.6.16 H2S / LEL Gas Detector Indicators for Plant Safety Displays
12 Alarms and Messages
12.1 General
12.2.3.4 The audible alarm signal for an operator console shall continue
until either:
a) a “horn silence” is initiated at the operator console or
b) an active alarm is “selected” (on either alarm summary or
other displays.)
12.2.4.2 Inhibiting of alarms shall be logged in the system with the time
and date that the alarm was inhibited.
12.3.1 The system shall be configured to activate system alarms for failures to
the following as a minimum:
a) Failed modules,
b) Communication errors,
c) Power supply failures,
12.3.4 A “System Alarm Summary” display showing all active system alarms
shall be provided. Accessing this alarm summary display from any other
display shall require no more than two operator actions.
12.3.5 System alarms shall be configured to have a distinct horn tone and visual
indication at the console to distinguish system alarms from process
alarms. Where system alarm priorities are configurable, the priority
should be set based on the criticality of the condition and the potential
impact to production.
12.4.1 A log shall be provided for recording operator and engineering actions or
changes. Actions shall be further divided into “Operation” or
“Engineering”. The Operator / Engineer action log shall record the name
of the user who made the change, time of change, the station from which
the change was made and an abbreviated text of the change.
12.4.2 Operator actions that are to be logged in history files shall include the
following as a minimum:
a) Changes made to the mode of a controller,
b) Changes made to the setpoint of a controller,
c) Changes made to the output of a controller,
d) Acknowledgement of an active alarm,
e) Toggle of an alarm between inhibit and enable,
f) Changes made to alarm limit,
g) Activating a soft-bypass of an ESD point accessed via the PCS,
h) Responses to operator prompts.
12.4.3 Engineering actions that are to be logged in history files shall include the
following as a minimum:
a) Change made to tuning parameters,
12.5.1 All process alarms, system alarms, sequence of events messages, and
operator, engineering or maintenance actions shall be stored on the
system for a minimum period of thirty days.
12.5.2 For systems which define the alarm retention time based on the number
of messages, the following number of events shall be stored as a
minimum. This requirement shall be met on a per-console basis.
12.5.3 Alarm and event data shall be stored using a First-in / First-out
mechanism to prevent excessive alarms from being stored on the system.
Systems shall be designed to delete the oldest messages to enable storage
of new messages once the minimum retention period or maximum
number of alarms has been reached.
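The interaction between 12.4.1 (what each action record must carry), 12.5.1 (thirty-day minimum) and 12.5.3 (First-in / First-out deletion) is where undersized journals go unnoticed: a FIFO that fills before thirty days have passed silently discards records the standard says must still exist. The following is an added example, not SAES-Z-001 text or any DCS vendor's journal: a per-console action journal whose records carry the 12.4.1 fields and an Operation / Engineering category derived from the action types listed in 12.4.2 and 12.4.3, with FIFO eviction at the maximum count and a flag whenever eviction removes a record younger than thirty days. The action-type names, console and station names, users and timestamps are all constructed.

```python
"""Operator / engineer action journal (added illustration; not SAES-Z-001 text).

Records carry the 12.4.1 fields; retention follows 12.5.1 / 12.5.3 with a
First-in / First-out store per console.  An eviction that hits a record
younger than the thirty-day minimum is recorded as a sizing problem.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, List, Optional

# Constructed action-type names mapped onto the lists in 12.4.2 and 12.4.3.
OPERATION_ACTIONS = {"MODE", "SETPOINT", "OUTPUT", "ACK_ALARM", "INHIBIT_TOGGLE",
                     "ALARM_LIMIT", "ESD_SOFT_BYPASS", "PROMPT_RESPONSE"}
ENGINEERING_ACTIONS = {"TUNING"}
MIN_RETENTION = timedelta(days=30)   # 12.5.1
DAY = timedelta(days=1)


def classify(action: str) -> str:
    """12.4.1: every action is filed as 'Operation' or 'Engineering'."""
    if action in OPERATION_ACTIONS:
        return "Operation"
    if action in ENGINEERING_ACTIONS:
        return "Engineering"
    raise ValueError(f"unknown action type: {action}")


@dataclass(frozen=True)
class ActionRecord:
    when: datetime       # time of change
    category: str        # Operation / Engineering
    action: str
    user: str            # name of the user who made the change
    station: str         # station from which the change was made
    text: str            # abbreviated text of the change


class ActionJournal:
    def __init__(self, console: str, max_records: int):
        self.console = console
        self.max_records = max_records
        self._records: Deque[ActionRecord] = deque()
        self.undersized_evictions: List[ActionRecord] = []

    def record(self, when: datetime, action: str, user: str, station: str, text: str) -> ActionRecord:
        rec = ActionRecord(when, classify(action), action, user, station, text)
        self._records.append(rec)
        if len(self._records) > self.max_records:
            evicted = self._records.popleft()          # FIFO: the oldest record goes first
            if when - evicted.when < MIN_RETENTION:    # evicted before thirty days had elapsed
                self.undersized_evictions.append(evicted)
        return rec

    def purge_expired(self, now: datetime) -> int:
        """Drop records that have reached the minimum retention period; return the count."""
        removed = 0
        while self._records and now - self._records[0].when >= MIN_RETENTION:
            self._records.popleft()
            removed += 1
        return removed

    def records(self, category: Optional[str] = None) -> List[ActionRecord]:
        return [r for r in self._records if category is None or r.category == category]

    def __len__(self) -> int:
        return len(self._records)


BASE = datetime(2020, 3, 1, 8, 0)   # constructed reference time


def build_sample_journal() -> ActionJournal:
    """Constructed sequence on a console journal sized far too small (3 records)."""
    j = ActionJournal("CONSOLE-01", max_records=3)
    j.record(BASE, "SETPOINT", "oper1", "CON01-WS1", "FIC-101 SP 50 -> 55")
    j.record(BASE + 1 * DAY, "MODE", "oper1", "CON01-WS1", "FIC-101 AUTO -> MAN")
    j.record(BASE + 2 * DAY, "TUNING", "eng1", "ENG-WS1", "FIC-101 Kp 1.0 -> 1.2")
    j.record(BASE + 3 * DAY, "ACK_ALARM", "oper2", "CON01-WS2", "PAH-102 acknowledged")
    return j


if __name__ == "__main__":
    journal = build_sample_journal()
    print(len(journal), "records held;", len(journal.undersized_evictions), "evicted too early")
```

With a capacity of three, the fourth event evicts the day-zero setpoint change after only three days, so `undersized_evictions` holds it; that list is the signal a FAT reviewer wants when checking that the per-console maximum count from 12.5.2 is large enough for the thirty-day floor.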
12.6.1 For projects where an external Alarm Management System (ALMS) is
provided for collection and analysis of alarms from various PCS sources
(i.e., DCS, ESD, CCS, VMS, etc.), the DCS shall be provided with an
OPC Alarm and Event (A&E) server to facilitate transfer of alarm
messages to the external ALMS.
13 Historization and Trending
13.1.1 On-line historical data shall be stored in the DCS to support history
trends and reports generated within the DCS.
13.1.3 The collection rates, longevity, and scope for historical data are to be
specified on a per project basis. The minimum allowable collection rates
and longevity are listed in the following table:
13.1.4 For systems which utilize exception based data recording, hard-disks
shall be sized for the worst case logging requirement or an update every
scan rate for the minimum retention period specified above.
13.1.5 DCS Real-time trends shall be configured for all Analog Input tags and
Control Loops irrespective of the source of the tag. This requirement
shall apply to DCS hardwired I/O and all analog values transferred from
auxiliary systems to the DCS through communications interfaces.
13.1.6 The data update rate for DCS real-time trends shall be nominally two (2)
seconds. Update rates can be increased for processes with slow
response.
display the last one hour of history data before updating with real-time
information.
14 System Access and Security
14.1.3 User access to a system shall be restricted by means of User IDs and
Passwords or other suitable technologies for identification and
authentication of users.
14.1.5 All workstations which are connected to the PCS and are not located on
an operator console within the CCR shall be configured to automatically
switch to a “view-only” user environment after they have been idle for
30 minutes or longer.
14.1.10 The PCS network shall be isolated from the Saudi Aramco corporate
intranet through the use of a firewall with Demilitarized Zone (DMZ)
architecture as a minimum, in accordance with the requirements of
SAES-T-566, “Plant Demilitarized Zone (DMZ) Architecture”.
14.2.1 User Roles shall be created to facilitate individual user access privileges
based on the user role or user group to which they are assigned.
14.2.3 Specific privileges and access restriction for each user role shall be
clearly documented in the project design documentation and shall be
tested during Factory Acceptance Testing (FAT).
14.3.3 Users shall be granted access privileges by assigning the user to a User
Role applicable to their particular job function. Access privileges which
have been defined for that User Role shall be inherited by the User.
14.3.5 Operator workstations located within operator consoles in the CCR can
be configured with a common ‘CONSOLE XX’ operator account. This
account can be shared by individuals assigned to the particular console
only. These accounts shall not be valid on any other stations connected
to the PCS.
14.3.6 Shared Operator accounts shall have a restricted user profile to prevent
users from installing/uninstalling programs, changing software configuration,
or accessing removable media drives or ports (e.g., USB, Ethernet,
Serial, etc.).
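Taken together, 14.2.1 / 14.3.3 (privileges inherited from a User Role), 14.1.5 (idle stations outside a CCR console fall back to view-only), 14.3.5 (a shared CONSOLE XX account is valid only on its own console's stations) and 14.3.6 (shared accounts carry a restricted profile) describe a small access model that can be tested directly, which is what 14.2.3 asks for at FAT. The code below is an added example and not SAES-Z-001 text or any PCS vendor's account system; the role names, privilege names, stations and accounts are constructed.

```python
"""Role-based access model for a PCS (added illustration; not SAES-Z-001 text).

Encodes 14.2.1 / 14.3.3 (role inheritance), 14.3.5 (console-bound shared
accounts), 14.3.6 (restricted shared profile) and 14.1.5 (30-minute idle
fallback to view-only outside CCR consoles).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Optional

IDLE_LIMIT = timedelta(minutes=30)   # 14.1.5
T0 = datetime(2020, 3, 1, 8, 0)      # constructed reference time

# Constructed roles.  The shared-account role carries none of the software
# installation or removable-media privileges that 14.3.6 withholds; patching
# sits with the PCS Administrator only (14.7.3).
ROLES: Dict[str, FrozenSet[str]] = {
    "VIEW_ONLY": frozenset({"view"}),
    "OPERATOR": frozenset({"view", "change_mode", "change_setpoint", "ack_alarm"}),
    "ENGINEER": frozenset({"view", "change_mode", "change_setpoint", "ack_alarm", "change_tuning"}),
    "PCS_ADMIN": frozenset({"view", "install_software", "apply_os_patch", "use_removable_media"}),
}


@dataclass(frozen=True)
class Account:
    user_id: str
    role: str
    shared_console: Optional[str] = None   # set only for a shared "CONSOLE XX" account


@dataclass(frozen=True)
class Station:
    name: str
    ccr_console: Optional[str] = None      # console this station belongs to, if on a CCR console


def privileges_for(account: Account) -> FrozenSet[str]:
    """14.3.3: a user inherits exactly the privileges defined for its User Role."""
    return ROLES[account.role]


def login_allowed(account: Account, station: Station) -> bool:
    """14.3.5: a shared console account is valid only on stations of its own console."""
    if account.shared_console is None:
        return True
    return station.ccr_console == account.shared_console


@dataclass(frozen=True)
class Session:
    account: Account
    station: Station
    last_activity: datetime


def effective_privileges(session: Session, now: datetime) -> FrozenSet[str]:
    """14.1.5: outside CCR consoles an idle session keeps only the view privilege;
    console stations are exempt so an operator's screen never locks mid-shift."""
    privs = privileges_for(session.account)
    idle = now - session.last_activity
    if session.station.ccr_console is None and idle >= IDLE_LIMIT:
        return privs & ROLES["VIEW_ONLY"]
    return privs


if __name__ == "__main__":
    console_acct = Account("CONSOLE_01", "OPERATOR", shared_console="C01")
    print("CONSOLE_01 on C01-WS2:", login_allowed(console_acct, Station("C01-WS2", ccr_console="C01")))
    print("CONSOLE_01 on ENG-WS1:", login_allowed(console_acct, Station("ENG-WS1")))
    eng = Session(Account("eng1", "ENGINEER"), Station("ENG-WS1"), T0)
    print("eng1 after 30 min idle:", sorted(effective_privileges(eng, T0 + IDLE_LIMIT)))
```

Because `effective_privileges` intersects with the view-only set instead of substituting a fixed profile, a role that does not even hold `view` cannot gain it by going idle, and the 14.3.6 restriction is enforced by the role definition itself rather than by a per-station exception.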
14.3.7 If supported by the system, all individual User ID formats should
conform to corporate guidelines as highlighted in Section 11.1.1.3.6
“USER ID CONSTRUCTION” in IPSAG-007.
14.4.1 Every User ID shall have an individual password, except for shared
operator accounts (see item# 14.3.5 above).
14.4.2 The system shall be provided with the capability to meet the password
management requirements defined in SAEP-99.
14.5.1 Passwords used for application accounts shall not be stored in un-
encrypted format. Passwords used for application accounts are excluded
from the password aging policy.
stored in un-encrypted format and shall be excluded from the six month
password aging policy described above.
14.6.1 Anti-virus (AV) software shall be installed and configured on all Windows
based workstations which are part of the PCS.
14.6.2 The PCS shall be supplied with a central anti-virus (AV) server.
This server shall be configured to deploy updated anti-virus definition
files to all workstations and servers connected to the PCS on a scheduled
basis.
14.6.5 The use of anti-virus software shall not negatively impact the
performance of the workstation and overall performance of the PCS.
14.7.2 If supported by the vendor, the central Anti-virus server shall also be
used as a central repository for the management and deployment of
Operating System and Application software patches.
14.7.3 Access privileges for updating of Operating System software and Vendor
Application software shall be assigned to PCS Administrator only.
14.7.4 All workstations and servers connected to the PCS shall be deployed
with the latest vendor supported operating system security and
operational patches.
14.7.6 PCS vendor shall provide a list of Services and TCP/IP ports which are
required and which are disabled for each workstation supplied. Physical
and logical access to diagnostic and configuration ports shall be
protected.
14.7.7 PCS vendor hardening procedure shall be included as part of the CDR
documents for review and approval.
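Item 14.7.6 makes the vendor's list of required services and TCP/IP ports the baseline; the practical check is to compare that list against what a delivered workstation actually exposes. The script below is an added example, not part of the standard or of any vendor's hardening procedure: the required-listener table and the `netstat -ano` style output are both constructed for illustration, and the parser accepts the column layout shown in that sample.

```python
"""Compare a workstation's listening services with the vendor's required list (added example)."""
from typing import Dict, Set, Tuple

Listener = Tuple[str, int]   # (protocol, port)

# Constructed vendor baseline for one server: the listeners that must exist.
# Real lists are supplied under 14.7.6; these entries are illustrative only.
REQUIRED_LISTENERS: Dict[Listener, str] = {
    ("TCP", 502): "Modbus/TCP server",
    ("TCP", 4840): "OPC UA server",
    ("TCP", 3389): "Remote Desktop for operator-shelter sessions",
    ("UDP", 123): "Windows Time service",
}

# Constructed `netstat -ano` style output captured on that server.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:502            0.0.0.0:0              LISTENING       1324
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    [::]:3389              [::]:0                 LISTENING       1044
  TCP    10.1.2.3:49700         10.1.2.9:502           ESTABLISHED     2210
  UDP    0.0.0.0:123            *:*                                    1160
  UDP    0.0.0.0:5353           *:*                                    2100
"""


def _port_of(local_address: str) -> int:
    """'0.0.0.0:502' or '[::]:502' -> 502."""
    return int(local_address.rsplit(":", 1)[1])


def parse_listeners(netstat_text: str) -> Set[Listener]:
    """Return the (protocol, port) pairs that accept traffic: TCP sockets in
    LISTENING state and every bound UDP socket. Header lines are skipped."""
    listeners: Set[Listener] = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        listeners.add((proto, _port_of(parts[1])))
    return listeners


def compare_with_baseline(observed: Set[Listener],
                          required: Dict[Listener, str]) -> Dict[str, Set[Listener]]:
    """unexpected = listening but not on the required list (candidates for
    disabling); missing = required by the vendor but not listening."""
    required_set = set(required)
    return {
        "unexpected": observed - required_set,
        "missing": required_set - observed,
    }


def audit_sample() -> Dict[str, Set[Listener]]:
    """Run the comparison over the constructed sample."""
    return compare_with_baseline(parse_listeners(NETSTAT_SAMPLE), REQUIRED_LISTENERS)
```

Both result sets matter at FAT: an unexpected listener is a service the vendor did not declare and should justify or disable, while a missing one means a documented dependency is not running and the interface relying on it will fail.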
14.8.1 The system shall be provided with the capability to meet the security
event monitoring requirements defined in SAEP-99.
14.8.3 All logon events shall be monitored and recorded by the system.
Login events shall be recorded with date and time of login, user account,
and location of login. Records of logins shall be maintained on the
system for a minimum period of twelve months.
14.8.4 Failed login attempts shall not initiate an automatic ‘lock-out’ of the user
account.
14.10.5 Two (2) backup copies on electronic media shall be provided of all
system software, application software, and system configuration post
SAT. The format and media of these copies shall be such that they can
be loaded directly into the system without additional translation or data
manipulation.
14.10.6 Refer to SABP-Z-047, Data Backup and Restore for Plant Networks and
Systems, for recommendations on development of a data backup and
restore strategy.
14.11 Miscellaneous
14.11.1 The system shall keep track of all configuration changes made to the
online database. A record of each change made to the database shall be
recorded with the user-id of the person who made the change, the time
and date the change was made and what was changed. These records
shall be maintained on the system for a minimum of one year.
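Items 14.8.3, 14.8.4 and 14.11.1 together describe an audit trail: every logon recorded with time, account and location and kept for twelve months; failed logons monitored but never turned into an automatic lock-out; every online database change recorded with user ID, time and what changed and kept for a year. The following is an added example showing one way to structure such a store, not the standard's or any DCS product's logging; the retention lengths are taken as 365 days, and the failed-logon threshold, window, user IDs, station names and tag parameters are constructed for the example.

```python
"""Logon-event and configuration-change audit trail for a PCS (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# 14.8.3 keeps logon records at least twelve months, 14.11.1 keeps change
# records at least one year; both are taken as 365 days here (assumption).
LOGON_RETENTION = timedelta(days=365)
CHANGE_RETENTION = timedelta(days=365)
# Alert threshold and window are constructed values: the standard requires
# monitoring of logon events (14.8.3) but forbids automatic lock-out (14.8.4).
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class LogonEvent:
    timestamp: datetime
    user_id: str
    station: str          # location of login
    success: bool


@dataclass(frozen=True)
class ConfigChange:
    timestamp: datetime
    user_id: str
    item: str             # what was changed, e.g. a tag parameter
    old_value: str
    new_value: str


class PcsAuditLog:
    """Append-only records; purging never touches anything inside retention."""

    def __init__(self) -> None:
        self.logons: List[LogonEvent] = []
        self.changes: List[ConfigChange] = []

    def record_logon(self, event: LogonEvent) -> Optional[str]:
        """Store the event and return an alert string when failed logons for
        the user reach the threshold inside the window. The account is never
        disabled here (14.8.4); the alert goes to security monitoring."""
        self.logons.append(event)
        if event.success:
            return None
        window_start = event.timestamp - FAILED_LOGON_WINDOW
        failures = sum(1 for e in self.logons
                       if e.user_id == event.user_id and not e.success
                       and window_start <= e.timestamp <= event.timestamp)
        if failures >= FAILED_LOGON_THRESHOLD:
            return (f"ALERT {event.timestamp.isoformat()} user={event.user_id} "
                    f"station={event.station} failed_logons={failures}")
        return None

    def record_change(self, change: ConfigChange) -> None:
        self.changes.append(change)

    def purge(self, now: datetime) -> Dict[str, int]:
        """Drop only records older than their retention period."""
        keep_l = [e for e in self.logons if now - e.timestamp <= LOGON_RETENTION]
        keep_c = [c for c in self.changes if now - c.timestamp <= CHANGE_RETENTION]
        removed = {"logons": len(self.logons) - len(keep_l),
                   "changes": len(self.changes) - len(keep_c)}
        self.logons, self.changes = keep_l, keep_c
        return removed

    def changes_by_user(self, user_id: str) -> List[ConfigChange]:
        return [c for c in self.changes if c.user_id == user_id]

    def logon_stations(self, user_id: str) -> Counter:
        """Successful-logon locations per user; a shared console account
        appearing on a station outside its console stands out here."""
        return Counter(e.station for e in self.logons
                       if e.user_id == user_id and e.success)


def demo() -> dict:
    """Run the log over constructed events and return the observable results."""
    log = PcsAuditLog()
    t0 = datetime(2020, 2, 25, 8, 0, 0)
    alerts = []
    for i in range(5):   # five failed logons one minute apart
        alerts.append(log.record_logon(
            LogonEvent(t0 + timedelta(minutes=i), "jsmith", "ENG-OWS-01", False)))
    # The sixth attempt succeeds: nothing blocked the account in between.
    alerts.append(log.record_logon(
        LogonEvent(t0 + timedelta(minutes=6), "jsmith", "ENG-OWS-01", True)))
    log.record_change(ConfigChange(t0, "jsmith", "FIC-101.SP_HI", "100.0", "120.0"))
    log.record_change(ConfigChange(t0 - timedelta(days=400), "old_user",
                                   "TIC-200.PV_HI", "80.0", "85.0"))
    removed = log.purge(now=t0 + timedelta(days=1))
    return {"alerts": [a for a in alerts if a],
            "logon_count": len(log.logons),
            "changes_jsmith": len(log.changes_by_user("jsmith")),
            "stations_jsmith": dict(log.logon_stations("jsmith")),
            "removed": removed}
```

The design point is in `record_logon`: on a control system the cost of locking an operator out during an upset is higher than the cost of a brute-force attempt succeeding from inside the isolated network, so repeated failures raise an alert for people to act on rather than disabling the account, while the record itself is kept for the full retention period so the pattern can be reviewed later.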
14.11.2 Process control equipment that contains data storage shall be sanitized
in accordance with GI-0299.120 prior to disposal.
15.1.1 Interfaces between the PCS and other subsystems or auxiliary systems
shall use standard hardware and software devices, which are compliant
with industry standard protocols. Modbus TCP/IP shall be used for
transfer of critical, real-time data. Modbus Serial may be used for systems
which do not support Modbus TCP/IP. For auxiliary systems which do
not support Modbus TCP/IP connection, Modbus Serial interface direct to
the DCS (without the use of protocol converters) is preferred.
Commentary Note:
15.1.2 OPC Version 2.0 or higher may be used for monitoring-only interfaces
and to interface with supervisory systems such as Data Historians, Alarm
Management Systems, Control Performance Monitoring systems,
Advanced Process Control and others.
15.1.3 The interface between DCS and auxiliary control systems (such as ESD,
VMS, CCS, PLC, BMS, and others) shall utilize dedicated DCS
communications interface modules which connect to the DCS system at
the Controller or IO card level. Workstation or Server based interfaces
to other regulatory control or safety systems are not allowed.
15.1.4 Where OPC interfaces between DCS and other systems are implemented
using Operating System based workstations or servers, the
communications channel shall be routed through a Firewall. The firewall
shall be configured to allow only the required communications ports.
15.1.6 Where an auxiliary system does not support a redundant interface to the
DCS, consideration shall be given to the use of hard-wired I/O for
control commands with data used for monitoring only transmitted
through the communications interface. This decision shall be determined
on a project-by-project basis.
15.2.1 Time clocks for all stations which are part of the PCS shall be
synchronized to 100 milliseconds or better.
15.2.4 The system shall be configured to provide an alarm if any node is not
synchronized to the GPS time server.
15.3.2 Communications between DCS and ESD systems for real-time process
data and operator commands shall be via dedicated, redundant
communications paths. The use of external protocol converters or
terminal servers for communications is prohibited.
15.3.3 There shall be no single point of failure in the system which would result
in the loss of communications between the DCS and ESD.
15.3.4.1 ‘First Out’ refers to the specific variable or tag which initiates a
shutdown of a particular process or equipment. First out must
be configured in the system initiating the shutdown.
15.3.4.3 First-out data shall be transmitted to the DCS for indication and
shall initiate an alarm to the DCS operator console responsible
for monitoring of the equipment.
15.3.4.4 The tagname, description, time & date, and process value of
the parameter which initiated the trip shall be shown on an
HMI display at the primary operator console whenever a
shutdown has occurred.
15.3.4.8 For systems which store SOE messages in the DCS, the system
shall be configured to store a minimum of 9,000 messages.
The message repository shall be configured to automatically
overwrite older messages when the maximum number of
messages has been reached.
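Items 15.2.1, 15.2.4, 15.3.4.1 and 15.3.4.8 fit together: first-out is simply the trip input with the earliest timestamp in the SOE record, which is only meaningful if every station's clock is within 100 ms of the GPS time server, and the repository must hold at least 9,000 messages and overwrite the oldest when full. The block below is an added example of that logic, not the standard's or any ESD vendor's implementation; the GPS server name, node names, tag names and clock offsets are constructed for the example.

```python
"""SOE message repository, first-out lookup and clock-sync alarm (added example)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

SOE_CAPACITY = 9000          # 15.3.4.8: at least 9,000 messages, oldest overwritten
SYNC_LIMIT_MS = 100.0        # 15.2.1: every station within 100 ms
GPS_SERVER = "GPS-NTP-01"    # constructed name for the plant GPS time server


@dataclass(frozen=True)
class SoeMessage:
    timestamp: datetime   # stamped by the originating station
    tag: str
    state: str            # "TRIP" for an initiating input; "NORMAL", "CLOSED", ...
    trip_group: str       # shutdown / SIF the tag belongs to ("none" if not a trip input)


class SoeRepository:
    """Fixed-size store: appending beyond capacity drops the oldest message."""

    def __init__(self, capacity: int = SOE_CAPACITY) -> None:
        self._messages: Deque[SoeMessage] = deque(maxlen=capacity)

    def add(self, message: SoeMessage) -> None:
        self._messages.append(message)

    def __len__(self) -> int:
        return len(self._messages)

    def first_out(self, trip_group: str,
                  since: Optional[datetime] = None) -> Optional[SoeMessage]:
        """The TRIP message with the earliest timestamp in the group is the
        variable that initiated the shutdown (15.3.4.1). The answer is only as
        good as the clock synchronization behind the timestamps."""
        candidates = [m for m in self._messages
                      if m.trip_group == trip_group and m.state == "TRIP"
                      and (since is None or m.timestamp >= since)]
        return min(candidates, key=lambda m: m.timestamp, default=None)


def sync_alarms(node_status: Dict[str, Tuple[str, float]],
                limit_ms: float = SYNC_LIMIT_MS, gps: str = GPS_SERVER) -> List[str]:
    """node -> (time source, measured offset in ms). Alarm when a node is not
    following the GPS server (15.2.4) or its offset exceeds the limit (15.2.1)."""
    alarms: List[str] = []
    for node, (source, offset_ms) in sorted(node_status.items()):
        if source != gps:
            alarms.append(f"{node}: time source {source} is not {gps}")
        elif abs(offset_ms) > limit_ms:
            alarms.append(f"{node}: offset {offset_ms:+.0f} ms exceeds {limit_ms:.0f} ms")
    return alarms


def demo() -> dict:
    """Constructed scenario: an over-full repository, a two-input trip, three nodes."""
    repo = SoeRepository()
    t0 = datetime(2020, 2, 25, 3, 14, 15)
    # Routine messages older than the trip, more than the repository can hold.
    for i in range(SOE_CAPACITY + 50):
        repo.add(SoeMessage(t0 - timedelta(hours=1, seconds=i),
                            f"ZI-{i % 10:02d}", "NORMAL", "none"))
    # Two inputs of SIF-01 tripped 25 ms apart; LSHH-102 came first.
    repo.add(SoeMessage(t0 + timedelta(milliseconds=40), "PSHH-101", "TRIP", "SIF-01"))
    repo.add(SoeMessage(t0 + timedelta(milliseconds=15), "LSHH-102", "TRIP", "SIF-01"))
    # The output action is recorded too but is not a first-out candidate.
    repo.add(SoeMessage(t0 + timedelta(milliseconds=90), "XV-101", "CLOSED", "SIF-01"))
    fo = repo.first_out("SIF-01", since=t0)
    status = {
        "CCR-OWS-01": (GPS_SERVER, 12.0),
        "ENG-SRV-01": (GPS_SERVER, -140.0),     # drifted beyond 100 ms
        "HIST-01": ("local-clock", 0.0),        # free-running, not on GPS
    }
    return {"stored": len(repo),
            "first_out": fo.tag if fo else None,
            "sync_alarms": sync_alarms(status)}
```

A 25 ms gap between the two inputs is well inside the 100 ms synchronization limit, so the first-out answer is trustworthy here; with a node drifting by 140 ms, as ENG-SRV-01 does in the sample, the ordering of events stamped by that node could no longer be relied on, which is why 15.2.4 wants the drift itself alarmed.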
15.3.5.1 All inputs to shutdown logic shall have an input bypass switch
to facilitate maintenance and testing. Bypass switches shall be
software configured using a mechanism to restrict access to
activation or de-activation of the bypass.
15.3.5.5 ESD bypass statuses may be integrated into ESD Cause and
Effect graphics as defined in Section 15.3.6 below.
15.3.7.1 Cause and Effect (C&E) graphics showing the current status of
inputs and outputs associated with each Safety
Instrumented Function (SIF) shall be implemented at the
15.3.7.2 C&E graphics shall be arranged to show the inputs for each
SIF with actual process values and the associated outputs of the
SIF, to enable operators to understand the inputs / outputs for
each function.
15.4.2 Communications between DCS and VMS systems shall be via dedicated,
redundant communications paths. Modbus TCP/IP is the preferred method.
15.4.3 All inputs to the VMS systems shall be transmitted to the DCS for
display at the primary operator console. Real-time values shall be
transmitted once every two seconds as a maximum scan time.
15.4.4 The DCS to VMS link shall be configured to enable the console operator
to bypass individual vibration probes or bearing temperature sensors
from the primary operator screen at the DCS.
15.4.5 A separate graphic shall be provided for each equipment item or equipment
train (i.e., pump, gearbox, motor) to display VMS data. The following
requirements apply to each graphic:
15.4.5.1 The graphic shall contain a diagram of the equipment with the
current process value for VMS tags in the approximate
15.4.5.3 Individual bypass indicators for each VMS tag shall be shown
on the display. The bypass indicator shall only be visible when
the specific probe to which the measurement relates is in
bypass mode at the VMS system.
15.5.1 Communications between the DCS and CCS shall utilize redundant
communications modules and paths.
15.5.2 Critical alarms generated in the CCS shall be transmitted to the DCS for
annunciation at the operator console responsible for operating the
machine.
15.5.3 The DCS / CCS interface and DCS graphics shall be configured to enable
all required control actions from DCS (i.e., changing the controllers to
manual, modifying the suction/discharge limiting setpoints, modifying the
load sharing setpoint, enabling/disabling the load sharing, etc.).
15.5.4 The DCS shall be configured to have a set of graphics for each
compressor. As a minimum, three graphics are required for each
15.6.1 Communications between the DCS and DAHS shall utilize OPC
protocol.
15.6.2 The interface between the DCS and DAHS shall comply with the
requirements in 23-SAMSS-072.
15.6.3 The system shall be configured to have the DCS OPC Server
communicate with the DAHS OPC client.
15.6.4 The DCS OPC server shall support Data Access (DA) and Historical
Data Access (HDA) functionality to enable backfilling of data in the
event of communications disruption.
15.6.5 The design of the interface shall consider segregation of tags by major
operating area into separate interfaces or scan nodes in order to distribute
loading. Where multiple interfaces or scan nodes are provided, DCS
tags shall be assigned to OPC Servers running on servers within the
operating area to which the interface is assigned.
15.6.6 All field inputs, controller PV, SP, and MV values and other critical
process data shall be configured to be transmitted to the DAHS.
This requirement applies to signals wired directly to the DCS and also
auxiliary systems data interfaced to the DCS through communications
links.
15.6.7 Scan rates for DAHS tags are defined in the DAHS system. The system
design shall ensure that scan rates do not produce excessive loading on
the DCS modules and/or control networks. Testing shall be conducted
during FAT to verify that the additional loading due to DAHS scanning is
within the vendor's recommended guidelines.
15.7.2 All critical variables monitored and / or controlled by the PLC shall be
transmitted to the DCS for display on process displays on the associated
operator console. The interface shall not be used to pass signals used for
control action between the DCS and PLC. Control signals, where
required, shall be hard-wired.
15.7.4 The requirements in Section 15.1 above shall apply for interfacing of
third party packaged equipment.
15.8.1 The requirements in this section apply to the interface between the PCS
and a Power Monitoring System, a Substation Automation System, or
individual motor control centers. These systems are collectively
referred to as ‘Electrical Substation Equipment’ within this standard.
15.8.2 The use of OPC, Modbus or IEC-61850 protocol for transferring run
status of individual motors and for monitoring of the status of electrical
equipment is acceptable.
15.8.3 The use of OPC, Modbus or IEC-61850 protocol for sending commands
(e.g., start / stop) to Electrical Substation Equipment shall be limited to
non-critical motors only.
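Several interfaces in this section are monitoring-only by design: 15.1.1 puts critical real-time data on Modbus TCP/IP, 15.7.2 forbids passing control signals over the PLC interface, and 15.8.3 restricts commands over Modbus/OPC/IEC 61850 to non-critical motors. One way to verify that a link stays within its role is to classify the Modbus function codes seen on it. The block below is an added example, not the standard's or any vendor's code: it parses the public MBAP header and function-code layout of Modbus/TCP, and the link names, policy table and frames are constructed for illustration.

```python
"""Modbus/TCP function-code policy check for DCS interfaces (added example)."""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# Public Modbus function codes: reads leave the slave unchanged, writes do not.
READ_FUNCTIONS = {1, 2, 3, 4}              # coils, discrete inputs, holding, input regs
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # single/multiple coil/register, mask, read/write

# Constructed link policy. An unknown link is treated as monitoring-only.
LINK_POLICY: Dict[str, str] = {
    "DCS<->PLC-PKG-01": "monitoring_only",    # 15.7.2: no control over the PLC link
    "DCS<->MCC-NONCRIT": "commands_allowed",  # 15.8.3: commands only to non-critical motors
}

# Constructed frames (MBAP header + PDU), hex with spaces for readability.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")            # FC 3, 10 regs
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0064")            # FC 6
WRITE_MULTI = bytes.fromhex("0003 0000 000B 01 10 0010 0002 04 0001 0002")  # FC 16
EXC_RESPONSE = bytes.fromhex("0004 0000 0003 01 83 02")                   # FC 3 exception


def parse_mbap(frame: bytes) -> Dict[str, int]:
    """Decode transaction id, protocol id, length and unit id, then the function
    code. Raises ValueError on anything that is not a well-formed Modbus/TCP ADU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (0)")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} remaining bytes")
    function = frame[7]
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function": function & 0x7F,      # strip the exception bit
        "exception": int(function >= 0x80),
        "pdu_length": length - 1,
    }


def is_write_function(function_code: int) -> bool:
    return function_code in WRITE_FUNCTIONS


def check_frame(link: str, frame: bytes) -> Optional[str]:
    """Return a violation string when a write function code appears on a link
    whose policy allows monitoring only; None otherwise."""
    info = parse_mbap(frame)
    policy = LINK_POLICY.get(link, "monitoring_only")
    if policy == "monitoring_only" and is_write_function(info["function"]):
        return (f"{link}: write function code {info['function']} on monitoring-only "
                f"interface (unit {info['unit_id']}, transaction {info['transaction_id']})")
    return None


def audit_traffic(traffic: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Run check_frame over (link, frame) pairs and collect the violations."""
    return [v for v in (check_frame(link, frame) for link, frame in traffic) if v]


# Constructed capture: one write slips onto the package-PLC link.
SAMPLE_TRAFFIC = [
    ("DCS<->PLC-PKG-01", READ_HOLDING),
    ("DCS<->PLC-PKG-01", WRITE_SINGLE),
    ("DCS<->MCC-NONCRIT", WRITE_MULTI),
    ("DCS<->PLC-PKG-01", EXC_RESPONSE),
]
```

Defaulting an unknown link to monitoring-only keeps the check fail-closed: a new interface added without a policy entry is reported on its first write rather than silently allowed. Function code 23 (Read/Write Multiple Registers) is deliberately in the write set even though its name starts with "read".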
15.8.5 Where the interface between the DCS and the Power System Automation
(PSA) is implemented as a single interface on a plant-wide level (PSA
Level 3 as per SAES-P-126), the DCS interface shall utilize redundant
interfaces.
16 Cabinets
16.1 General
16.1.2 All Cabinets and the equipment therein shall have nameplates permanently
attached indicating the service description. Nameplates shall comply with
the relevant sections of 34-SAMSS-820 specific to nameplates.
16.2.1 System cabinets shall be NEMA Type 1 as per NEMA 250 and
NEMA ICS6.
16.2.2 The requirements for wiring, spacing, cabling, terminal blocks and wire
ducts in 34-SAMSS-820 shall apply for wiring associated with the
following:
Power supply and power distribution
Utility power, lighting, and convenience outlets
Intermediate terminal strips for I/O wiring
Grounding
Commentary Note:
It is not the intent to dictate to DCS vendors and the like, the method of
interconnecting and mounting their standard proven equipment.
However, the wiring for system power, lighting, convenience outlets, field
terminal wiring and input/output wiring between intermediate terminal
strips within these cabinets shall adhere to this specification.
16.2.3 Input/Output (IO) cards and associated vendor termination assemblies (if
required) shall be housed in the same cabinet.
16.2.4 Vendor standard cables shall be designed and installed in such a way as
to allow cable disconnection in order to service the equipment.
Commentary Note:
Filter screens shall be installed for easy maintenance access and shall be
large enough to provide sufficient air intake flow.
16.4.2 Network / Server cabinets located in CCB which meet the air
conditioning requirements specified in SAES-J-003, Instrumentation and
Control Buildings Basic Design Criteria, may have perforated doors to
facilitate air circulation.
16.4.4 Network cabinets and server cabinets which contain multiple servers
which utilize fiber optic Network Interface Cards (NIC) shall be
equipped with Fiber Optic Patch Panels to terminate fiber optic cables
entering or exiting the cabinet.
16.5.2 All cabinets shall be designed to ensure the heat rise within the cabinet
does not exceed 10°C.
16.5.3 Air circulation fans shall only be used in cabinets where the heat rise in
the cabinet would exceed 10°C without the use of fans.
Commentary Note:
The requirement for maximum heat rise within the cabinet of 10°C is to
ensure that the temperature within the cabinet does not exceed 35°C.
The normal ambient temperature within air conditioned buildings is 22°C.
16.5.4 Where circulation fans are required, redundant air circulation fans shall
be provided. Heat load calculations may take credit for heat dissipation
from air circulation for only one of the redundant fans.
16.5.5 Cabinet cooling fans shall be sized to handle 20% more air flow by
volume than the amount required from the heat dissipation calculation.
Commentary Note:
16.5.7 Filter screens for cabinets which contain cooling fans shall be sized to
provide sufficient air intake flow.
16.5.8 Cabinets which house power supply modules shall be equipped with a
High Sensitivity Smoke Detector (HSSD). HSSD devices may be air
sampling or electronic point type. HSSD shall be addressable type and
connected to the Control Room Fire Alarm Control Panel (FACP).
17.2.1 DCS Cabinets with active electronic components shall be fed from
parallel redundant UPS system or dual stand-alone UPS systems as per
SAES-P-103. For sites utilizing parallel redundant UPS systems,
separate output power circuit breakers feeding redundant UPS power
distribution panels are required.
17.2.2 Two separate UPS circuits shall be used to supply UPS power to DCS
cabinets. Each circuit shall be connected to separate UPS power
distribution panels.
17.3.1 There shall be no single point of failure which would result in the loss
of functionality of both modules of a redundant pair in the power supply
for DCS controllers, servers, networking equipment or other critical
components.
17.3.6 Wiring, terminal blocks, wire tagging, and terminal block coding within
the power distribution panel shall be as per the requirements defined in
the relevant sections of 34-SAMSS-820.
17.3.7 Power supply circuits shall be clearly labeled. Branch circuits or power
cords to redundant modules shall be clearly labeled identifying the
circuit to which they are connected.
17.3.8 Redundant power supply circuits shall be provided for the following, as
a minimum:
a) Process controllers
b) Input and output modules
c) Communication modules
d) Process Control Network equipment
17.5.1 Duplex-type convenience outlets, rated at 120 or 230 VAC, 15 amp, shall
be installed to provide utility power within System Cabinets, Network
Cabinets and Server Cabinets. One convenience outlet shall be provided
per bank of three cabinets, as a minimum. The cabinet containing the
outlet shall be selected to minimize the distance between that cabinet
and the other cabinets for which the outlet may be utilized.
The distance between the cabinet containing the outlet and any other
cabinet in the bank of three cabinets shall not exceed 20 feet.
17.5.2 Two, duplex-type convenience outlets, rated at 120 or 230 VAC, 15 amp
shall be provided within each console for utility power. The outlets shall
be placed on opposite sides of the console to enhance availability.
17.6 Grounding
17.6.1 Grounding design shall be per vendor standard recommendations and per
the applicable sections of SAES-J-902; whichever is more stringent.
18.1 General
18.1.2 Redundant control network cables installed indoors shall not be installed
in the same cable tray. This requirement does not apply to cables located
within a PCS cabinet.
18.1.4 Wireless technology shall not be used for DCS networks.
18.1.5 The Process Control Network shall not be routed to Operator Shelters.
Where project requirements dictate a need for system monitoring
capabilities in the operator shelter, the workstation in the shelter shall be
provided with the capability to establish a remote session with an
Engineering server connected to the PCS through remote desktop or
Windows Terminal Services.
18.2.1 Fiber optic cables within any cabinet shall be routed in plastic wire ducts
or protective conduit. Where routing within the wire duct would exceed
the minimum bend radius of the cable, protective conduit shall be used.
18.2.2 Fiber Optic (FO) cables used for process control networks may be
installed in the same tube bundle as FO cables used for IT traffic
provided that the fibers used for process control are separate and
dedicated for process control network traffic.
18.2.3 Fiber optic cables routed between process control cabinets shall be
terminated in Fiber Optic Patch Panels (FOPP) located in the source and
destination cabinets. This requirement does not apply to patch cords.
18.2.4 Fiber optic cables which are installed for the Process Control Network
shall have a minimum of 25% spare fiber optic cores. This requirement
does not apply to patch cords.
18.2.5 All fiber optic cables shall be labeled with source and destination
address.
18.2.6 Installation of fiber optic cables between buildings for process control
network cabling shall be in accordance with Saudi Aramco Engineering
Standard, SAES-Z-020, “Design and Installation of Fiber Optic Cable-
Systems for Process Control Networks”.
19 Environmental Conditions
20 Control Rooms
21 Inspection and Testing
PCS equipment shall be subject to the inspection and testing requirements defined in
23-SAMSS-010.
22 Documentation
Revision Summary
22 July 2012 Major revision.
29 October 2015 Minor revision to revise security related requirements to align with SAEP-99.
20 December 2017 Revised the “Next Planned Update,” re-affirmed the content of the document, and reissued
as major revision.
1 January 2018 Editorial revision to modify paragraphs 5.4, 14.6.1, 15.3.5.5, 17.6.2, 18.1.4, etc.
2 May 2019 Editorial revision as part of content confirmation assessment.
25 February 2020 Editorial revision as part of content confirmation assessment.