
Engineering Standard

SAES-Z-001 25 February 2020


Process Control Systems
Document Responsibility: Process Control Standards Committee

Contents
1 Scope ................................................................. 2
2 Conflicts and Deviations ..................................... 2
3 References ......................................................... 2
4 Definitions .......................................................... 4
5 Revision Level .................................................... 8
6 Redundancy ....................................................... 9
7 Segregation ...................................................... 10
8 Spare and Expansion Capabilities.................... 12
9 Process Control and Equipment Protection ...... 13
10 Consoles .......................................................... 18
11 Operator Graphical Displays ............................ 27
12 Alarms and Messages ...................................... 33
13 Historization and Trending ............................... 39
14 System Access and Security ............................ 41
15 Integration and Interface .................................. 47
16 Cabinets ........................................................... 55
17 Electrical Wiring, Power Supply, and Power Distribution ..................................... 58
18 Process Control Networks ................................ 61
19 Environmental Conditions ................................ 62
20 Control Rooms ................................................. 62
21 Inspection and Testing ..................................... 63
22 Documentation ................................................. 63
Revision Summary ................................................... 63

Previous Issue: 2 May 2019 Next Planned Update: 20 December 2020


Revised paragraphs are indicated in the right margin Page 1 of 56
Contact: Kinsley, John A.(kinsleja) on phone +966-13-8801831

©Saudi Aramco 2020. All rights reserved.


Document Responsibility: Process Control Standards Committee SAES-Z-001
Issue Date: 25 February 2020
Next Planned Update: 20 December 2020 Process Control Systems

1 Scope

1.1 This standard prescribes the minimum mandatory requirements and guidelines
governing the engineering, design, procurement and installation of Process
Control Systems (PCS) in Saudi Aramco plants.

Distributed Control Systems (DCS) and the interface between the DCS and
other process control and monitoring systems are considered within the scope of
this standard. The integrated system shall be referred to as the Process Control
System (PCS).

Parties involved in the engineering, design, procurement and installation of PCS
systems shall comply with this standard.

1.2 Process control networks are included in the scope of this standard.
Other networks used for connectivity between the process control systems and
plant information systems are excluded from the scope of this standard.

1.3 Requirements governing security for the design and operation of Process
Control Systems are detailed in SAEP-99.

1.4 This entire standard shall be attached to and made a part of purchase orders.

2 Conflicts and Deviations

Any conflict between this document and other Applicable Mandatory Saudi Aramco
Engineering Requirements (MSAERs) shall be addressed in writing to the EK&RD
Coordinator.

Any deviation from the requirements herein shall follow internal company procedure
SAEP-302, Waiver of a Mandatory Saudi Aramco Engineering Requirement.

3 References

Specific sections of the documents listed below are referenced within the body of this
standard. Material supplied to this standard shall comply with the referenced section(s) of
the latest revision of these documents. Where specific sections are not referenced, the
entire referenced document shall apply.

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedures

SAEP-99 Saudi Aramco Industrial Control System Security

Saudi Aramco: Company General Use


©Saudi Aramco 2019. All rights reserved. Page 2 of 63

SAEP-302 Waiver of a Mandatory Saudi Aramco Engineering Requirement
SAEP-368 Alarm System Management
SAEP-1626 Configuration and Graphics Design Guidelines

Saudi Aramco Engineering Standards

SAES-J-003 Instrumentation and Control Buildings - Basic Design Criteria
SAES-J-601 Emergency Shutdown and Isolation Systems
SAES-J-902 Electrical Systems for Instrumentation
SAES-J-904 FOUNDATION™ Fieldbus (FF) Systems
SAES-P-103 UPS and DC Systems
SAES-P-126 Power System Automation
SAES-T-566 Plant Demilitarized Zone (DMZ) Architecture
SAES-Z-010 Process Automation Networks
SAES-Z-020 Design and Installation of Fiber Optic Cable Systems for Process
Control Networks

Saudi Aramco Materials System Specifications

23-SAMSS-010 Distributed Control Systems
23-SAMSS-072 Data Acquisition and Historization System (DAHS)
34-SAMSS-820 Instrument Control Cabinets

Saudi Aramco Best Practices

SABP-Z-002 Functional Specifications for Process Control Systems
SABP-Z-047 Data Backup and Restore for Plants Networks and Systems (PN&S)
SABP-Z-074 Guidelines for Virtual Servers and Thin-clients for Process
Automation Systems

Saudi Aramco Library Drawing

DC-950150 Recommended Grounding Scheme for Process Automation System


Saudi Aramco Forms and References

IPSAG-007 Saudi Aramco Information Protection Manual for Computer Accounts
Security Standards & Guidelines
GI-0299.120 Sanitization and Disposal of Saudi Aramco Electronic Storage
Devices and Obsolete / Unneeded Software

3.2 Industry Standards and References

International Electrotechnical Commission

IEC-61850 Communications Networks and Systems in Substations
IEC 60807-2 Rectangular Connectors for Frequencies below 3 MHz

National Electrical Manufacturers Association

NEMA 250 Enclosures for Electrical Equipment (1,000 Volts Maximum)
NEMA ICS6 Enclosures for Industrial Controls and Systems

4 Definitions

4.1 Abbreviations
APC Advanced Process Control
BMS Burner Management System
CCR Central Control Room
CCS Compressor Control System
DCS Distributed Control System
ESD Emergency Shutdown Systems
FSD Functional Specification Document
HMI Human Machine Interface
I/O Input / Output
MVC Multi-Variable Controller
OPC OLE for Process Control
PAN Process Automation Network


PCS Process Control System
PLC Programmable Logic Controller
PMS Power Monitoring System
PMT Project Management Team
RMPS Rotating Machinery Protection System
SAEP Saudi Aramco Engineering Procedures
SAES Saudi Aramco Engineering Standards
SAMSS Saudi Aramco Material System Specifications
TCS Turbine Control System
UPS Uninterruptible Power Supply
VMS Vibration Monitoring System

4.2 Definitions

In this standard, the terms “must”, “shall”, “should” and “can” are used.
When “must” or “shall” are used, the item is a mandatory requirement.
When “should” is used, the item is strongly recommended but not mandatory.
When “can” is used, compliance may further enhance the system functionality
but is optional.

Advanced Control: Multivariable, constraint and optimizing controls are
labeled advanced controls. Controls that fall into this category are those that are
supervisory in nature, i.e., they normally, but not always, output to the set points
of other control loops rather than to the valves directly.

Algorithm: A prescribed set of well-defined rules or processes for the solution
of a problem in a finite number of steps. (See also control algorithm).

Application: Application packages shall be vendor's standard off-the-shelf
offering configurable to meet job-specific requirements. Modification of source
codes unique for Saudi Aramco is not allowed.

Application Account: refers to the account name used to run applications as
either a service or a background process.

Availability: The percent of time a system or component remains on line and
performs as specified.

Cabinet: A general term describing any enclosure which contains process
control equipment. The requirements for cabinets vary depending on the type of
equipment enclosed in the cabinet.

Cabinet - Network: A cabinet which contains primarily network switches and
other communications devices associated with the DCS Control Network.

Cabinet - Server: A cabinet which contains primarily servers associated with
the DCS. Server cabinets may also contain network switches or fiber optic
patch panels for the purpose of providing communications between the servers
and the DCS Control Network.

Cabinet - System: A cabinet which contains DCS modules such as controllers,
I/O cards, Field Termination Assemblies, power supplies and associated
equipment.

Cabinet - Marshalling: A cabinet containing mainly terminal strips and wire
termination for the purpose of terminating instrument signal cables from the
field.

Cascade (Cascade Control): A control scheme composed of two loops where
the output of one loop (the outer loop) is used as the setpoint of another control
loop (the inner loop).

Control Algorithm: A mathematical representation of the control action to be
performed.

Controller: A microprocessor-based device used primarily to perform control
and monitoring functions.

Control Network: A network which is used to provide communications
between controllers and HMI devices connected to the Process Control System
for the purpose of monitoring and controlling a plant process area.

Console: A collection of one or more workstations and associated equipment
such as printers and communications devices used by an individual to interact
with the PCS and perform control and monitoring functions.

Dead Band: The range through which an input signal may be varied without
initiating an action or observable change in output signal.

Distributed Control System (DCS): A process control system that is
composed of distinct modules. These modules may be physically and
functionally distributed over the plant area. The distributed control system
contains all the modules and associated software required to accomplish the
regulatory control and monitoring of a process plant, excluding field
instruments, remote terminal units, auxiliary control systems and Plant
information systems.


Fault-Tolerant: The property of a system which enables it to carry out its
intended function with one or more active hardware or software faults.

Firmware: Firmware is a combination of both hardware and software.
Hardware such as ROMs (Read Only Memory) or EPROMs that have software
programs or data recorded on them is considered firmware.

Functional Specification Document (FSD): Written requirements of the
functionality required for a piece of equipment or a system.

Hardware: Physical components used within a Process Control System such as:
Controllers, I/O cards, power supplies, network devices, workstations and servers.

Keyboard, Video, and Mouse (KVM): KVM identifies a class of computer
hardware-based devices that enable users to control two or more computers from
a single keyboard, video monitor and mouse.

Operating System: Software that runs on a computer for the purpose of
managing computer hardware and providing common services for the execution
of application software.

Point: A process variable derived from an input signal or calculated in a
process calculation.

Process Control System: An integrated system which is used to monitor and
control an operating facility. The PCS consists of a Distributed Control System
and other related monitoring and control systems which are connected together
to form a single integrated system.

Programmable Logic Controller (PLC): A stand-alone microprocessor-based
control device used primarily to perform discrete or sequential control.

Redundant: A system and/or subsystem that provides for a standby module
with automatic switchover from the active unit to the standby module, in the
event of a failure, without loss of a system function. Both active and standby
modules utilize diagnostics to assist in identifying and locating failures and to
permit modules to be removed for repair and/or replacement.

Regulatory Control: The functions of process measurement, control algorithm
execution, and final control device manipulation that provide closed loop control
of a plant process.

Risk Area: A grouping of Process equipment and associated Control Systems
equipment which together perform a specific process function.


Software: Software shall be considered programming code, computer
instructions or data that can be stored electronically. The storage devices and
display devices are hardware. Software is often divided into two categories:
 • Systems Software: Includes the operating system and all the utilities that
enable the computer to function.
 • Applications Software: Includes programs that do real work for users.
For example, word processors, spreadsheets, and database management
systems fall under the category of applications software.

System account: refers to account names used by the operating system.

Tag: A collection of attributes that specify either a control loop or a process
variable, or a measured input, or a calculated value, or some combination of
these, and all associated control and output algorithms. Each tag is unique.

Workstation: A computer and its associated monitor(s), keyboard(s) and other
peripheral devices which is connected to the PCS and is used to provide Human -
Machine Interface functions and/or other maintenance and engineering functions.

5 Revision Level

5.1 All control and I/O subsystem hardware and/or firmware and other vendor
proprietary hardware shall be the latest revision level, approved by Saudi
Aramco, at the time of the hardware freeze date as defined in the contract
purchase order or the Preliminary Design Review (PDR); whichever is the latest.
Commentary Note:

It is acceptable for a system to contain different revision levels of a hardware
component as long as the revision level of the component represents a minor
revision. In such cases, the vendor must demonstrate that the two components
work together and remain physically interchangeable as a redundant pair, if
redundancy is required on the system, and that the functionality of the module is
not affected by the revision of the module.

5.2 All software shall be the latest, commercially released, software revision level
that is compatible with the hardware revision level being supplied at the time of
Critical Design Review (CDR).

5.3 All personal computers, monitors, printers, peripherals, Ethernet switches and
other commercial-off-the-shelf (COTS) equipment provided by the vendor as
part of the system shall be the latest model commercially available which has
been tested and approved for compatibility by the vendor at the time of the
hardware freeze date as defined in the contract or purchase order. The Main
Automation Contractor shall standardize COTS equipment for all automation
sub-vendors as much as possible.

5.4 Application packages supplied by the vendor to meet Saudi Aramco requirements
shall be the vendor's standard off-the-shelf software configurable to meet job-
specific requirements.

6 Redundancy

The following equipment shall be supplied in redundant or fault-tolerant configuration
unless otherwise specified in the project specific Functional Specification Document
(FSD). Refer to SABP-Z-002 for guidelines for developing project FSDs:
a) Controllers
b) System and Field Power supply modules
c) Control network equipment
d) Communications equipment used for communications between controllers and I/O
modules (I/O Bus communications)
e) All Input and Output modules used for the following:
 • All analog inputs and outputs associated with automatic regulatory control
(i.e., AI-PID-AO)
 • Any discrete output connected to a motor (i.e., pump, fan or compressor
motor) or any ON/OFF valve (i.e., AOV, SOV, MOV, HOV) which is used to
change the state of the device.
 • Any discrete or analog input which is used in control logic to automatically
start/stop a motor, open/close a valve or change the state of any process
equipment.
 • All inputs used for H2S or LEL measurement and any output connected to an
H2S or LEL alarm horn or beacon.
f) FOUNDATION Fieldbus Host interface and power conditioning modules
g) Domain Controllers for user account management and authentication
h) All data storage devices (e.g., hard-drives or networked storage devices) used to
store backup files for workstation / server images, system configuration
information or control strategy database files.
Commentary Note:

RAID 1 or 10 are acceptable methods of meeting the requirement for redundant
hard drives.


i) All auxiliary systems communications interfaces, including communications
modules and paths, where either the communications channel is used to send
commands from the DCS to the auxiliary system or data from the auxiliary system
is used within a regulatory control strategy within the DCS.
j) Redundant control network fiber optic cables shall be terminated in separate Fiber
Optic Patch Panels (FOPP)
Exception:

Where the number of fiber optic strands required are four or less, a single FOPP
may be used. Redundant strands shall be terminated to separate sides of the
FOPP to reduce the risk of inadvertent damage to both redundant strands during
maintenance.

7 Segregation

Process Control Systems shall be segregated into risk areas to increase system and
process availability. Two levels of risk area segregation shall be applied: Operating
area risk areas and redundant equipment risk areas.

7.1 Level 1 segregation – Operating Area risk areas

7.1.1 Level 1 (L1) segregation shall be applied to segregate process control
equipment by operating areas based on the operating philosophy of the
plant.
Commentary Note:

As an example, a multi-train GOSP is typically segregated into the
following operating areas: GOSP-1, GOSP-2, GOSP-N, Gas
Compression, WOSEP / Oil Recovery & Shipping, Utilities & WIP, Cogen.
Each of these seven operating areas would be assigned to separate L1
risk areas.

7.1.2 Equipment located in separate Level 1 risk areas requires separate:
 • Process Controllers, Input/Output modules, and IO communications
equipment.
 • System cabinets and system / field power supplies
 • Control Network switches
 • Interfaces to auxiliary / 3rd party control systems located within the
operating area.
 • Wireless field device networks


Commentary Note:

Level 1 risk areas typically contain multiple process controllers. It is not
necessary or recommended to assign every controller to its own risk area.

7.1.3 Parallel processing trains within a facility (i.e. gas treatment train 1-4,
GOSP Train 1-4, etc.) and major process areas (i.e., crude unit, DHT,
etc.) shall be assigned to separate L1 risk areas. Each train or major
process area shall be provided with a separate Emergency Shutdown
System (ESD).

7.1.4 Level 1 segregation does not apply to operator workstations within an
operating console. Operator consoles may be used to monitor multiple
L1 risk areas.

7.1.5 Level 1 segregation does not apply to global system databases; such as:
control configuration DB, Historian DB, system configuration DB, or the
engineering workstations and servers used with these systems.

7.2 Level 2 segregation - Redundant Equipment risk areas

7.2.1 Parallel process equipment (e.g., parallel process heaters) and equipment
installed in redundant configuration (e.g., 3 x 50% pumps) shall be
segregated into separate Level 2 (L2) risk areas.

7.2.2 Equipment located in separate Level 2 risk areas requires separate Input /
Output cards.

7.3 Segregation of Utilities, Inlets, and Tank Farm Process Areas

7.3.1 Process equipment in utilities plant areas, inlets area for gas processing
facilities and tank farms shall be segregated into separate Level 1 risk
areas such that a failure in any L1 risk area shall result in a loss of no
more than 50% of the total throughput of the process area.
Commentary Note:

Combining different utilities (i.e., instrument air, nitrogen, boiler
feedwater, etc.) into the same L1 risk area is allowed and recommended
where segregation by utility area would result in process controllers with
less than 200 IO assigned to each controller.

7.3.2 Many utilities have a master controller which affects the entire
production of that utility stream (i.e., instrument air header pressure
controller, Steam header pressure controller, etc.). It is impossible to
segregate this controller into different risk areas. The master controller
shall be assigned to one of the L1 risk areas and clearly documented.


Where possible, backup control strategies shall be deployed to minimize
the impact of a failure of the master controller.
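As an added illustration of the section 7 checks (not part of the standard and not any vendor's tool), the following Python script validates a proposed equipment-to-risk-area assignment against 7.1.2 (no controller, I/O module or network switch shared across Level 1 risk areas), 7.2.2 (separate I/O cards for separate Level 2 risk areas) and 7.3.1 (no single L1 risk area failure removing more than 50% of a utility area's throughput). Every equipment tag, risk-area name, controller / I/O card / switch identifier and throughput share in the sample is constructed data; the `Equipment` record and `check_segregation` function are assumptions made for this example.

```python
"""Risk-area segregation checks modelled on SAES-Z-001 section 7.

Added example, not part of the standard. All equipment tags, risk-area names,
controller / I/O card / switch identifiers and throughput shares are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Equipment:
    tag: str
    process_area: str        # process or utility stream the equipment serves
    l1_area: str             # Level 1 (operating area) risk area, 7.1
    l2_area: str             # Level 2 (redundant equipment) risk area, 7.2
    controller: str          # process controller hosting the equipment's logic
    io_card: str             # I/O card wired to the equipment
    switch: str              # control network switch the controller is on
    throughput_share: float  # fraction of process_area throughput lost with this item


def check_segregation(equipment, utility_areas):
    """Return findings as strings; an empty list means no violation was found."""
    findings = []

    # 7.1.2: controllers, I/O modules and control network switches must not be
    # shared between different Level 1 risk areas.
    for attr in ("controller", "io_card", "switch"):
        l1_users = defaultdict(set)
        for e in equipment:
            l1_users[getattr(e, attr)].add(e.l1_area)
        for resource, areas in sorted(l1_users.items()):
            if len(areas) > 1:
                findings.append(
                    f"7.1.2: {attr} {resource} is shared by L1 risk areas {sorted(areas)}")

    # 7.2.2: within one L1 area, separate L2 risk areas need separate I/O cards.
    l2_users = defaultdict(set)
    for e in equipment:
        l2_users[(e.l1_area, e.io_card)].add(e.l2_area)
    for (l1, card), l2s in sorted(l2_users.items()):
        if len(l2s) > 1:
            findings.append(
                f"7.2.2: I/O card {card} in {l1} serves L2 risk areas {sorted(l2s)}")

    # 7.3.1: for utilities, inlets and tank farms, the failure of any one L1
    # risk area may remove at most 50% of that process area's throughput.
    loss = defaultdict(float)
    for e in equipment:
        if e.process_area in utility_areas:
            loss[(e.process_area, e.l1_area)] += e.throughput_share
    for (area, l1), share in sorted(loss.items()):
        lost = min(1.0, share)   # an area cannot lose more than all of its throughput
        if lost > 0.5:
            findings.append(
                f"7.3.1: failure of {l1} loses {lost:.0%} of {area} throughput (limit 50%)")
    return findings


# Constructed sample assignment: two compliant utility splits and three violations.
SAMPLE_EQUIPMENT = [
    # Instrument air: 2 x 50% compressors split across two L1 areas (compliant)
    Equipment("K-101A", "Instrument Air", "UTIL-A", "IA-1", "C01", "IO-01", "SW-A", 0.5),
    Equipment("K-101B", "Instrument Air", "UTIL-B", "IA-2", "C02", "IO-02", "SW-B", 0.5),
    # Nitrogen: 2 x 50%, but K-401 in UTIL-B runs on UTIL-A's controller (7.1.2)
    Equipment("K-401", "Nitrogen", "UTIL-B", "N2-1", "C01", "IO-04", "SW-B", 0.5),
    Equipment("K-402", "Nitrogen", "UTIL-A", "N2-2", "C01", "IO-08", "SW-A", 0.5),
    # Boiler feedwater: 3 x 50% pumps all placed in UTIL-A (7.3.1: one failure loses 100%)
    Equipment("P-501A", "Boiler Feedwater", "UTIL-A", "BFW-1", "C01", "IO-05", "SW-A", 0.5),
    Equipment("P-501B", "Boiler Feedwater", "UTIL-A", "BFW-2", "C01", "IO-06", "SW-A", 0.5),
    Equipment("P-501C", "Boiler Feedwater", "UTIL-A", "BFW-3", "C01", "IO-07", "SW-A", 0.5),
    # GOSP-1 parallel heaters share one I/O card across their L2 areas (7.2.2)
    Equipment("H-301A", "GOSP-1", "GOSP-1", "HTR-A", "C03", "IO-03", "SW-G1", 0.5),
    Equipment("H-301B", "GOSP-1", "GOSP-1", "HTR-B", "C03", "IO-03", "SW-G1", 0.5),
]
UTILITY_AREAS = {"Instrument Air", "Nitrogen", "Boiler Feedwater"}


def run_sample():
    return check_segregation(SAMPLE_EQUIPMENT, UTILITY_AREAS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Running the script on the sample lists three findings: controller C01 spanning UTIL-A and UTIL-B, I/O card IO-03 serving both heater L2 areas, and UTIL-A holding all three boiler feedwater pumps. The 7.3.2 master-controller case is deliberately outside the check, since the standard accepts that it cannot be segregated and only requires it to be assigned and documented.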

8 Spare and Expansion Capabilities

8.1 Each system shall be supplied with 10% spare I/O channels per Level 1 risk
area. The spare I/O shall be licensed, installed, and wired to terminal blocks in a
marshalling panel. Spare I/O shall be provided in approximately the same ratio
as that of the actual requirement. This requirement applies to all projects where
new IO and marshalling are being supplied.
Commentary Note:

Where both redundant and simplex I/O models are used for a signal type, the
requirement for spare I/O shall apply for both types. Redundant I/O may be used
to meet requirements for spare simplex I/O where economical to do so.

8.2 Each system shall be installed with 10% spare slots in I/O chassis or baseplates
per level 1 risk area to accommodate future expansion of I/O modules.
This requirement applies to new projects and not for expansions within existing
cabinets.

8.3 Power supplies for I/O modules shall be sized to accommodate the installed
spare and the additional 10% expansion requirement. This requirement applies
to any new power supply module whether used for a new project or a system
expansion.

8.4 DCS shall be supplied with 20% additional licenses for expansion of the control
database (tag / function block licenses) and DCS historian database.
This requirement applies to new projects and not to expansion projects.

8.5 Each system shall be capable of expanding the number of controllers by 10%
from that installed in the base system.
Commentary Note:

Requirements for expansion capacity do not apply to expansion projects where
control and I/O are being added to an existing system.

8.6 The average CPU Loading of any controller during normal operating conditions
shall not exceed 50% overall or the manufacturers recommended maximum
loading specification, whichever is lower. This requirement applies to new
controllers and for expansion projects where additional control loops are added
to existing controllers.

8.7 Servers and workstations shall be configured with additional spare capacity of
40% minimum for hard-drive space, memory, and CPU, or as per the vendor’s
recommendations, whichever is more stringent. CPU and memory spare
requirements shall be verified on the running system during steady-state
conditions with all applicable software running on the system.

8.8 Projects providing new Fiber Optic Patch Panels (FOPP) shall provide the new
FOPP with a minimum of 20% spare termination ports. This requirement does
not apply to projects where existing FOPP are being utilized.

8.9 Network and server cabinets shall be designed with 20% spare space for
expansion capability. This requirement applies to all new network and server
cabinets and not for expansions within existing cabinets.

8.10 System cabinets shall be provided with 10% spare space for future expansion
and shall be provided with a minimum of 10% spare power distribution circuits
(e.g. circuit breakers or fused terminal blocks). This requirement applies to all
new system cabinets and not for expansions within existing cabinets.
This requirement is in addition to the spare slots required in item 8.2 above.

8.11 Spare and expansion capabilities shall be verified during Factory Acceptance
Testing.

9 Process Control and Equipment Protection

9.1 General

9.1.1 The allowable units of measurement are specified in SAES-J-003 and
shall apply.

9.1.2 All field outputs and their associated field inputs shall be implemented
using DCS I/O cards with individual channel isolation.

9.2 Digital Fieldbus

9.2.1 FOUNDATION™ Fieldbus (FF) or HART may be used for digital
Fieldbus implementation. Vendor proprietary protocols and other
industry protocols such as DeviceNet or Profibus shall not be used.

9.2.2 FOUNDATION Fieldbus (FF) shall not be used for expansion projects
where the facility does not already utilize FF. FF shall only be
considered for grass roots plants and for expansions to facilities already
utilizing FF technology.

9.2.3 The Fieldbus layer of any FOUNDATION™ Fieldbus (FF) based system
shall be designed and configured as per SAES-J-904.

9.2.4 Wireless instruments shall comply with the requirements in SAES-J-003.


9.3 Loop Execution Speed

9.3.1 Execution rates for control algorithms shall be set as per the table below
unless otherwise specified in the project FSD.

Application or Loop Type      Execution Rate (seconds)   Range (secs)
Flow or Pressure              0.5                        0.1 – 2.0
Temperature (inline)          2.0                        1.0 – 5.0
Temperature (vessel)          5.0                        2.0 – 30.0
Level                         5.0                        2.0 – 30.0
Discrete Input or Output      varies                     0.5 – 2.0

9.3.2 Consideration must be given during system design to ensure that the I/O
scan rate is at least as fast as the required control algorithm execution rate.

9.3.3 The project FSD shall provide an estimate of the total number of each
loop type.

9.4 Regulatory Control

9.4.1 Primary control loops (input, control logic, output) shall be executed
within a single controller. Exceptions are permissible with written
approval from the proponent operating organization.

9.4.2 Initialization - Control loops shall be configured to set the output of the
controller equal to the downstream value during the initialization
process. If the downstream value is an output to the field, the initial
output of the controller should equal the position of the field device.
For cascade controllers, the output of the primary controller (outer-loop)
shall equal the setpoint of the secondary controller (inner-loop).

9.4.3 Bumpless Transfer - Control loops shall be configured for bumpless
transfer between manual, automatic, and remote or cascade modes.
Bumpless transfer shall be defined as less than 0.5% deviation of the
output when the transfer occurs.

9.4.4 Bad PV Status - Control loops shall be configured with fallback
strategies during failure of the primary input or PV in order to hold the
controller’s output. For systems which support a ‘Hold’ state while in
Auto mode, the controller shall transition to Auto / Hold. For systems
which do not support a ‘Hold’ state, the controller shall be switched to
manual.


9.4.5 Failsafe - Output modules with failsafe functionality shall be configured
to hold last value for a period of two minutes before moving outputs to
the fail-safe state. Failsafe position shall be configured to ‘hold last
value’ as default. Movement of an output to a ‘safe’ position shall be
configured on an exception basis.
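The following Python simulation is an added example, not taken from the standard or from any DCS vendor's implementation. It shows the four loop behaviours required by 9.4.2 through 9.4.5 on one simplified loop: initialization of the output to the downstream value, bumpless manual-to-auto transfer (measured against the 0.5% limit), fallback to Auto/Hold on a bad PV status, and an output channel that holds last value for two minutes before moving to a failsafe value only where one was configured by exception. The PI algorithm form, the tuning values (kp, ti), the 0.5 s execution interval (the 9.3.1 flow/pressure rate), the valve position and the timestamps are all assumptions made for this example.

```python
"""Regulatory loop behaviours from SAES-Z-001 9.4.2 to 9.4.5, as a small simulation.

Added example, not from the standard or any DCS vendor. The PI algorithm form,
the tuning values, the 0.5 s execution interval and the timestamps are assumptions.
"""
from enum import Enum


class Mode(Enum):
    MANUAL = "MAN"
    AUTO = "AUTO"
    AUTO_HOLD = "AUTO/HOLD"   # 9.4.4 hold state, for systems that support it


class PIController:
    """Positional PI controller with the mode handling called for in 9.4.2 to 9.4.4."""

    def __init__(self, kp, ti, out_min=0.0, out_max=100.0):
        self.kp, self.ti = kp, ti
        self.out_min, self.out_max = out_min, out_max
        self.mode = Mode.MANUAL
        self.sp = 0.0
        self.output = 0.0
        self.integral = 0.0   # integral contribution, in output units (%)

    def initialize(self, downstream_value):
        """9.4.2: at initialization the output equals the downstream value (the
        field device position, or the secondary loop setpoint in a cascade)."""
        self.output = self.integral = downstream_value
        self.mode = Mode.MANUAL

    def set_mode(self, mode, pv):
        """9.4.3: bumpless transfer. Entering AUTO re-bases the integral term so
        the first AUTO execution reproduces the current output (0% deviation)."""
        if mode is Mode.AUTO and self.mode is not Mode.AUTO:
            self.integral = self.output - self.kp * (self.sp - pv)
        self.mode = mode

    def execute(self, pv, pv_good=True, dt=0.5):
        """One algorithm execution; dt=0.5 s is the 9.3.1 flow/pressure rate."""
        if not pv_good:
            if self.mode is Mode.AUTO:     # 9.4.4: bad PV -> Auto/Hold, output held
                self.mode = Mode.AUTO_HOLD
            return self.output
        if self.mode is not Mode.AUTO:
            return self.output             # MANUAL and AUTO/HOLD keep the output
        err = self.sp - pv
        out = self.kp * err + self.integral
        if self.out_min < out < self.out_max:          # simple anti-windup
            self.integral += self.kp * err * dt / self.ti
        self.output = min(self.out_max, max(self.out_min, out))
        return self.output


class OutputChannel:
    """9.4.5: holds last value on loss of the controller; moves to a failsafe
    value only after two minutes and only where one was configured by exception."""

    HOLD_SECONDS = 120.0

    def __init__(self, failsafe_value=None):
        self.failsafe_value = failsafe_value   # None = 'hold last value' (default)
        self.last_value = 0.0
        self.lost_since = None

    def update(self, value):
        """Normal write from a healthy controller."""
        self.last_value, self.lost_since = value, None

    def on_comm_loss(self, t):
        """Value driven to the field while the controller is absent at time t (s)."""
        if self.lost_since is None:
            self.lost_since = t
        if self.failsafe_value is not None and t - self.lost_since >= self.HOLD_SECONDS:
            return self.failsafe_value
        return self.last_value


def run_scenario():
    """Drive one flow loop through the four behaviours and return what was observed."""
    ctl = PIController(kp=2.0, ti=10.0)
    ctl.initialize(downstream_value=42.0)       # constructed: valve is 42% open
    init_output = ctl.output

    ctl.sp = 50.0
    ctl.set_mode(Mode.AUTO, pv=48.0)
    first_auto = ctl.execute(pv=48.0)           # bumpless: still 42.0
    second_auto = ctl.execute(pv=48.0)          # integral action now moves the output

    held = ctl.execute(pv=0.0, pv_good=False)   # transmitter fault -> Auto/Hold
    mode_after_bad_pv = ctl.mode.value

    default_ch = OutputChannel()                    # default: hold last value
    vent_ch = OutputChannel(failsafe_value=0.0)     # exception: close on failure
    for ch in (default_ch, vent_ch):
        ch.update(held)
        ch.on_comm_loss(t=10.0)                     # controller lost at t = 10 s
    at_100 = (default_ch.on_comm_loss(100.0), vent_ch.on_comm_loss(100.0))  # 90 s: both hold
    at_130 = (default_ch.on_comm_loss(130.0), vent_ch.on_comm_loss(130.0))  # 120 s: vent fails safe
    return {"init_output": init_output, "bump_pct": abs(first_auto - init_output),
            "second_auto": second_auto, "held_output": held,
            "mode_after_bad_pv": mode_after_bad_pv, "at_100": at_100, "at_130": at_130}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The integral term is updated after the output is computed, which is what makes the first automatic execution reproduce the manual output exactly; a controller that integrates first would show a small bump proportional to kp × error × dt / ti. The default channel never leaves its held value, while the exception channel stays on hold for the full two minutes and only then moves to its configured safe value.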

9.4.6 Composite tag - Where possible, multiple inputs and outputs for a single
device, such as a pump or MOV, shall be combined into a single tag ID.
Operation of the device shall be through this single tag ID.

9.4.7 Control Strategy Templates – Templates shall be developed for typical
control strategies, such as level control, flow control – liquid / gas, flow
compensations, motor start / stop logic, etc. Bulk generation of control
strategies shall be based on the control templates. Details of control
strategy templates shall be included in the system configuration and
graphics design guideline, as per SAEP-1626, and shall be reviewed by
operating organizations during Critical Design Review (CDR).
Commentary Note:

It is recommended that MAC configure and demonstrate control strategy
templates prior to CDR.

9.5 Advanced Regulatory Control (ARC)

9.5.1 Written control narratives shall be developed for all advanced regulatory
control strategies and supplied with the project documentation.

9.5.2 Specific DCS graphics shall be developed for each ARC strategy
which describes the control objective and operation of the strategy.
The graphic shall contain a pictorial representation of the equipment
involved and the current state of all inputs and outputs associated with
the loop.

9.6 Startup Sequencing and Startup Permissives

9.6.1 Startup sequence displays shall be provided in the DCS to facilitate the
startup of a process unit or major equipment which require a specific
sequence of events to be executed in order.

9.6.2 Sequencing displays shall be provided in the DCS for any process
requiring a specific sequence to be followed by the operator. Sequence
displays shall provide an overview of each step required in the sequence
with indication of which steps have been completed and which step is
currently active. The display shall indicate the current state of each step,
what conditions / permissives are pending and what actions (if any) are
required to be performed. For sequences which require actions by field
operators (such as confirmation of the position of equipment), the sequence
display shall require the control room operator to confirm that the action
has been taken by manually activating a ‘confirmation button’ on the
display. For sequences which have a ‘timed wait’ step, a timer shall be
implemented on the display to indicate the amount of time left for the
‘timed wait’ step.

9.6.3 Sequencing logic shall be implemented using sequential function charts
(SFC) or Boolean logic wherever possible.

9.6.4 Startup permissives displays shall be provided to facilitate startup for all
major equipment which utilize startup permissives.

9.6.5 Startup permissive displays shall be provided in the DCS for major
equipment of processes. The display shall show the current state of all
permissives associated with the equipment. ESD logic reset buttons
shall be included, where required, on the startup permissives displays to
facilitate startup of the equipment.

9.7 Equipment protection

9.7.1 Equipment protection can be implemented either in the DCS, ESD, or
other auxiliary systems such as RMPS and CCS. Equipment protection
functions which have been determined to have a Safety Integrity Level
(SIL) of 1 or higher shall be implemented in an ESD system.

9.7.2 Saudi Aramco Engineering Standard SAES-J-601, “Emergency
Shutdown and Isolation Systems,” defines requirements for equipment
protection when implemented in an Emergency Shutdown System.

9.8 Advanced Process Control

For projects where Advanced Process Control (APC) or Multi-variable Control
(MVC) has been specified, the following requirements shall apply:

9.8.1 Advanced Process Control (APC) shall be implemented in a
hardware/software platform that is supported by the APC supplier.
A virtual platform may be used for APC applications if it meets APC
hardware specifications from the APC supplier.

9.8.2 APC applications shall be of a supervisory nature and provide the set-
points for regulatory control loops. Direct output to the output modules
shall be by exception and clearly documented.

9.8.3 Startup and shutdown of the advanced control application, whether by
hardware failure, communication failure or via operator command, shall
be bumpless to the process.

9.8.4 Mode shedding logic shall be designed and implemented to allow
bumpless transfer of PID controllers from the APC mode to normal
mode when the APC controller is shut down.

9.8.5 A watchdog timer shall be designed to monitor the communication
between the APC application and the DCS. This timer shall force
shedding of the application if communication is interrupted for a
configurable time period.

9.8.6 If a critical input to an advanced control application is out of service, the
system shall automatically disable the advanced control, control shall
revert automatically to normal regulatory control, and an alarm shall be
raised to notify the operator that the change has occurred.

9.8.7 Where an economic objective function is used, it shall be possible to
change all economic parameters on-line.

9.8.8 Alarms shall be provided at the DCS operator workstation when the
advanced process controller or its sub-controllers are turned off for any
reason. The operator shall be able to acknowledge APC alarms from the
DCS workstation.
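The watchdog, mode shedding and critical-input behaviour of 9.8.4 to 9.8.6, together with the operator alarm of 9.8.8, as an added illustration. This is not the logic of any APC or DCS product and is not part of this standard: the heartbeat is modelled simply as the time of the last message received from the APC, the loops and critical inputs are constructed, and the class and method names are assumptions:

```python
"""Watchdog, mode shedding and critical-input supervision for an APC application
(9.8.4, 9.8.5, 9.8.6 and 9.8.8), as an added illustration.

Not the logic of any APC or DCS product: the heartbeat is the time of the last
message from the APC, loops and critical inputs are constructed, and the class
and method names are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PidLoop:
    tag: str
    sp: float
    mode: str = "AUTO"   # "AUTO": normal regulatory control; "APC": setpoint driven by the APC


@dataclass
class ApcSupervisor:
    loops: Dict[str, PidLoop]
    critical_inputs: Dict[str, bool]     # input tag -> in service?
    watchdog_timeout_s: float = 30.0     # configurable, per 9.8.5
    running: bool = False
    last_heartbeat: Optional[float] = None
    alarms: List[str] = field(default_factory=list)   # what the DCS operator sees (9.8.8)

    def start(self, t: float) -> None:
        """Operator turns the application on; its loops go to APC mode."""
        self.running = True
        self.last_heartbeat = t
        for loop in self.loops.values():
            loop.mode = "APC"

    def heartbeat(self, t: float) -> None:
        """Called whenever a message from the APC reaches the DCS."""
        self.last_heartbeat = t

    def apc_write(self, tag: str, new_sp: float) -> bool:
        """Supervisory setpoint move (9.8.2); refused once the application has shed."""
        loop = self.loops[tag]
        if not self.running or loop.mode != "APC":
            return False
        loop.sp = new_sp
        return True

    def shed(self, t: float, reason: str) -> None:
        """Turn the application off. Loops keep their last setpoint and output and
        revert to AUTO, so the regulatory layer carries on with no step (9.8.4)."""
        if not self.running:
            return
        self.running = False
        for loop in self.loops.values():
            if loop.mode == "APC":
                loop.mode = "AUTO"
        self.alarms.append(f"t={t:.0f}s APC OFF: {reason}")

    def scan(self, t: float) -> Optional[str]:
        """Run once per DCS scan. Returns the shed reason, or None while healthy."""
        if not self.running:
            return None
        if t - self.last_heartbeat > self.watchdog_timeout_s:
            reason = f"no message from APC for more than {self.watchdog_timeout_s:.0f}s (9.8.5)"
        else:
            bad = sorted(tag for tag, ok in self.critical_inputs.items() if not ok)
            if not bad:
                return None
            reason = "critical input out of service: " + ", ".join(bad) + " (9.8.6)"
        self.shed(t, reason)
        return reason


if __name__ == "__main__":
    loops = {"FC-101": PidLoop("FC-101", sp=50.0), "TC-102": PidLoop("TC-102", sp=180.0)}
    sup = ApcSupervisor(loops, {"AI-201": True, "FT-101": True})
    sup.start(0.0)
    sup.apc_write("FC-101", 52.0)
    sup.heartbeat(10.0)
    for t in (20.0, 35.0, 41.0):      # at 41 s it is 31 s since the last heartbeat
        print(t, sup.scan(t), loops["FC-101"])
    print(sup.alarms)
```

Two points the prose leaves implicit are visible here: shedding must be idempotent (a second trigger in the same scan cannot re-alarm or re-change modes), and once shed, late setpoint writes from the APC must be refused rather than applied to loops that are now in normal mode.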

9.8.9 Graphical operator displays shall be provided for operators to monitor and
manipulate the advanced control application. These displays shall be
accessible through the operator's normal DCS workstation. The operator
display shall provide the following operator functions and information:
• Operator shall be able to turn the application ON/OFF via a software
switch accessible to the operator via the operator DCS.
• Operator shall be able to turn the sub-controllers ON/OFF via a
software switch accessible from the DCS display.
• Operator shall be able to turn the manipulated, feed-forward, and
controlled variables ON/OFF via a software switch for operation and
maintenance purposes.
• Operator shall be able to modify upper and lower operator limits for
all the manipulated, feed-forward, and controlled variables.
• Manipulated variables summary shall consist of but not be limited to
displaying variable tag names, descriptions, status (e.g., out of
service, prediction, off-line), process variable value and states,
optimizer targets, set-points, high/low limits, current move values,
and active constraints.
• Controlled variables summary shall consist of but not be limited to
displaying tag names, descriptions, status, process variable value
and states, optimizer targets, high/low limits, and active constraints.
• Feed-forward variables summary shall consist of but not be limited to
displaying tag names, descriptions, status, and process variable
value and states.

9.8.10 An engineering interface shall be provided for engineers to access and
modify the APC application, which shall consist of the following features
as a minimum:
• Ability to assign upper/lower validity limits, critical variables,
tuning parameters, and cost values for all manipulated, feed-forward,
and controlled variables on-line.
• Ability to set the controller execution frequency.
• Ability to change tuning parameters as well as optimizer costs while
the APC controller is on-line.
• Summary display of manipulated variables, displaying tag names and
associated process values, descriptions, upper and lower constraint
limits, tuning parameters, optimization cost values, status, process
variable states, optimizer targets, high/low limits, prediction errors,
and active constraints.
• Summary display of controlled variables, displaying tag names and
associated process values, descriptions, upper and lower constraint
limits, tuning parameters, controlled variable error, optimization cost
values, status, process variable states, optimizer targets, high/low
limits, prediction errors, and active constraints.
• Feed-forward variables summary, consisting of but not limited to
tag names, descriptions, status, and process variable states.

10 Consoles

10.1 General

10.1.1 Consoles, including panel and monitor mounting structures, shall be
equipped with tabletop work surfaces.

10.1.2 Consoles shall be noncombustible. When use of a noncombustible finish
item is not practicable, the flame spread index shall be 25 or less per
NFPA 255.

10.1.3 Workstations which are located within a console shall be housed in a
protective enclosure with a locking mechanism to prevent unauthorized
access to the workstation.

10.1.4 Consoles shall not contain servers or control network switches.
All servers and/or control network switches shall be housed in lockable
system cabinets.

10.1.5 All power supply and distribution wiring, grounding, and I/O termination
wiring within consoles shall comply with the requirements of
34-SAMSS-820, “Instrument Control Cabinets.”

10.1.6 Where required, telecommunication equipment (e.g., telephones, plant
paging system, PA system) and emergency shutdown buttons shall be
incorporated in a separate bay within the same console furniture.
Shutdown pull/push-buttons shall comply with the section titled “Input
Devices” of SAES-J-601.

10.1.7 All push buttons, switches, lamps and other console mounted devices
shall have a nameplate permanently attached indicating the service
description.

10.2 Operator Consoles

10.2.1 Operator workstations within an operator console shall be provided with
dual-headed display monitors to maximize the display work area while
minimizing the total number of workstations required.

10.2.2 Each Operator Console shall be equipped with a minimum of two
operator workstations with equivalent functionality. This requirement
applies to manned consoles only. Consoles in remote locations which
are not permanently manned and not essential for the operation of a
facility may contain a single workstation.

10.2.3 Operator Consoles shall not contain more than four (4), dual-headed
operator workstations (and one large screen monitor) unless sufficient
justification has been provided by operations.

10.2.4 Monitors shall be attached to the console in a manner which allows for
both horizontal and vertical adjustment of the monitor.

10.2.5 Each operator console shall be supplied with a large screen monitor, 40”
or larger, which shall be mounted on top of the primary operational
monitors. The large screen monitor shall primarily show the plant area
overview associated with the console; however, the operator shall have
the ability to change the display shown on this monitor. A change of
graphics on any of the primary operator workstations shall not affect the
display shown on the large screen monitor.

10.2.6 Each operator console shall be supplied with the capability to monitor
process alarms and system diagnostic alarms at each workstation within
the console. The capability to acknowledge process alarms shall be
provided at each workstation. The capability to acknowledge system
alarms shall be provided at a minimum of two workstations within the
console.

10.2.7 Each operator console shall be supplied with the capability to generate
and access production reports, sequence of events reports, alarm history
displays and reports and long term historization and trending of tags
associated with the relevant process areas.

10.2.8 Operator workstations within an operator console shall be configured to
limit access to perform control functions to only those process areas and
process units to which the console has been assigned. Designation of
operator console control assignments shall be specified by the project
specific FSD.

10.2.9 Each workstation in the operator console shall have access to a minimum
of two networked printers for reporting and graphical printing
(i.e., printouts of active displays).
Exception:

For smaller systems whose I/O count does not exceed 1,000 points, a single
printer is acceptable.

10.3 Engineering Consoles

10.3.1 Design

10.3.1.1 Engineering consoles may be designed with dedicated
engineering workstations housed within the console or with
equipment which provides access to rack mounted engineering
servers located in server cabinets which are physically separate
from the console.

10.3.1.2 Where engineering consoles are designed to provide access to
rack mounted servers, a single display screen, keyboard and
mouse may be used to access multiple servers through the use
of KVM switches.

10.3.1.3 When a console design requires more than four (4) workstations,
the use of rack mounted servers and KVM switch technology to
minimize the number of workstations at the console is
recommended.

10.3.1.4 Where KVM switches are utilized, a minimum of two LED or
LCD screens, keyboards and mice are required at the console.
Each screen/keyboard/mouse combination shall have access to
all servers supported by the console.

10.3.1.5 Engineering consoles shall be provided with dedicated
printer(s) or access to a networked printer within the same
physical building for reporting and graphical printing
(i.e., printouts of active displays).

10.3.1.6 Engineering consoles shall be housed in secure rooms equipped
with Access Control systems.

10.3.2 Functionality

Engineering consoles shall be provided with the functionality listed
below. It is envisioned that a single engineering console located in the
central control room building is used to maintain all process automation
systems at a site. Where more than one engineering console is provided,
projects shall specify which functionality is to be provided at each
console.

10.3.2.1 Centralized Backup and Recovery server. This server shall
have network connectivity to all stations in the PCS and shall
contain the necessary software and sufficient hard disk space to
create and store complete backup images for all servers,
workstations and other critical devices connected to the PCS.
The backup server shall be provided with removable media as a
means to generate an off-site copy.

10.3.2.2 Network Attached Storage device. The engineering console
shall be provided with a networked disk storage device to
facilitate storage of backup images, data historization
(if applicable), system and performance logs and other critical
system information. The system shall utilize RAID 1
redundancy with a separate RAID controller. The system shall
be supplied with sufficient hard disk capacity to store
complete workstation / server images of all stations supplied
with the PCS (including HD space allocated for database
storage) plus 50% additional disk space for future expansion.
Commentary:

The Centralized Backup and Recovery Server and the Network
Attached Storage device may be combined into a single server
as long as the requirements for both are met.

10.3.2.3 Centralized Anti-virus and Patch management server.
This server shall have network connectivity to all stations in
the PCS and shall contain the necessary software to distribute
anti-virus definition files and operating system and
application software updates or patches to all workstations and
servers connected to the PCS. Scheduling of updates shall be
incorporated to minimize the impact on network traffic during
distribution of files.

10.3.2.4 User account administration. Capabilities shall be provided to
access the centralized user account administration server for
the purpose of monitoring and managing user accounts.

10.3.2.5 Engineering Configuration. Capability shall be provided to
access and configure the engineering database for each system
connected to the PCS.

10.3.2.6 System Configuration. Capability shall be provided to access
and configure the system configuration tools for the purpose of
modifying or expanding the system design for each system
connected to the PCS.

10.3.2.7 Graphics Display configuration and management. Capability
shall be provided to create and modify graphics and trend
displays used on the DCS and to deploy new or modified
graphics to all workstations in the DCS.

10.3.2.8 Tag Search capabilities. Capability shall be provided to search
for a user entered tag in the DCS for the purpose of identifying
all locations where the tag is used in the system (i.e., displays,
control strategies, trends, historian, etc.).

10.3.2.9 Reports generation and retrieval. Capability shall be provided
to generate and view production reports, system performance
reports, and other reports as specified in the project FSD.

10.3.2.10 Loop Tuning / Control Loop Performance monitoring.
Capability shall be provided to monitor the performance of all
control loops in the DCS. The system shall be capable of
identifying control loop performance issues and generating a
report of loops in need of attention (i.e., ‘bad actors’).
Capability shall also be provided to assist engineering
personnel in the identification and determination of proper
settings for Proportional, Integral and Derivative control
variables for individual loops.

10.3.2.11 System Diagnostics. Capability shall be provided to enable
monitoring of system diagnostics for all stations connected to
the PCS.

10.3.2.12 Network Configuration and Management. Capabilities shall
be provided to monitor the performance of all computer and
network switches which are provided by the MAC and any
3rd party packaged system PCs or switches. Network
configuration tools shall also be provided for the purpose of
modifying or expanding the network design and managing
user network access and privileges.

10.3.2.13 Long term data historization and trending system. Capability
shall be provided to access the long term data historization and
trending system (e.g., OSI PI system) for the purposes of data
retrieval and configuration of the system.

10.3.2.14 Instrument Asset Management system. Capability shall be
provided to access the Instrument Asset Management system
for all field devices connected to the PCS for the purposes of
diagnostics and maintenance functions.

10.3.2.15 Alarm management system. Capabilities shall be provided to
perform alarm system performance monitoring, assessment
and auditing as detailed in SAEP-368, Alarm System
Management.

10.3.2.16 Sequence of Events / First-Out / Trip Reports. Capability
shall be provided to review First-Out or Trip reports and
Sequence of Events data for all systems which collect and
store this type of information.

10.3.2.17 Repository for Project Documentation. The PCS Vendor shall
designate and store all project documentation in a specific
folder on a server which is accessible from the engineering
console.

10.3.2.18 Repository for Systems Documentation. The PCS Vendor shall
designate and store all system installation, operating and
maintenance manuals provided with the system in a specific
folder on each workstation and/or server located in all
engineering or maintenance consoles.

10.4 Virtual Server / Thin-client Architecture

10.4.1 General

10.4.1.1 Virtual Servers and Thin-clients shall be considered as an
alternative to traditional workstations and/or servers.
Where virtual servers are utilized, the requirements in sections
10.2 and 10.3 shall apply, in addition to the requirements in
this section.

10.4.1.2 Virtual workstations within an operator console shall be
segregated onto different virtual servers. Segregation shall be
achieved by either:
a) Assigning virtual instances to separate servers such that a
complete failure of one physical server does not affect more
than ½ of the operator stations at the console, or
b) Utilizing ‘high availability’ server architecture where
failover to the redundant virtual server is handled
automatically by the system and the fail-over time does not
exceed thirty seconds.

10.4.1.3 All servers, switches, and KVM components supplied with
virtual server architecture shall be rack-mounted in server
cabinets.

10.4.1.4 A separate virtualization management station shall be provided.
This station shall enable engineers to perform system
administration tasks, such as: server performance monitoring,
assigning virtual instances to servers, backup and restore of
virtual images to a server and other system administration tasks.

10.4.1.5 System architecture drawings for virtualized systems shall
show both the physical architecture and the logical architecture
of the HMI / Server layer. A separate drawing shall be
provided which shows the assignment of virtualized
workstations to host servers.
Commentary:

Separate virtual servers with proper assignment of virtual
instances are the preferred method of implementing
redundancy for virtual servers. Refer to SABP-Z-074,
Guidelines for Virtual Servers and Thin-clients for Process
Automation Systems, for more details.

10.4.2 Host Servers

10.4.2.1 Host Servers (i.e., servers used to host virtualized Process
Automation applications) shall be sized to host between four
and eight virtualized instances of process automation
workstations under normal conditions.

10.4.2.2 Host Servers shall contain sufficient processing capacity to run
twice the normal quantity of virtual instances in order to
support transfer of virtual instances from other host servers in
the event of server failure or maintenance.

10.4.2.3 It is highly recommended to utilize separate server processing
cores to host virtual instances within a host server. Sharing of
server processing cores between virtual instances shall be utilized
on an exception-only basis.

10.4.2.4 Host servers shall be provided with redundant power supply
connections and shall be powered from redundant UPS power
circuits.

10.4.2.5 Host servers shall be provided with the ability to remotely
monitor the physical performance of the server.

10.4.2.6 Host servers shall be provided with redundant hard-drives
(RAID). Hard drives shall be sized to store a minimum of two
complete virtual image exports for each virtual image assigned
to the machine.

10.4.2.7 Where host servers are used to host separate virtual instances
of applications which access different networks (i.e., either
the Process Control Network or the Process Automation
Network), the server shall be provided with separate Network
Interface Cards (NICs) for each network. Each virtual instance
shall be configured to access only the network / NIC required.

10.4.2.8 Where host servers are used to host virtual instances which
would normally reside in the De-militarized Zone (DMZ), a
separate, dedicated host server shall be supplied to host DMZ
applications. Hosting of applications which would normally
reside outside of the DMZ on a server which is connected to
the DMZ is prohibited.
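The sizing and segregation rules of 10.4.1.2 a), 10.4.2.1, 10.4.2.2 and 10.4.2.8 can be checked mechanically against the assignment drawing required by 10.4.1.5. The following is an added example of such a check and is not part of this standard or of any vendor's virtualization tooling; the host names, instance names and the table format are constructed, and treating "dmz" as an instance kind is an assumption of the example:

```python
"""Checks over the assignment of virtualized workstations to host servers
against 10.4.1.2 a), 10.4.2.1, 10.4.2.2 and 10.4.2.8 (added example).

Not a vendor tool and not from the standard: host names, instance names and
the placement table format are constructed for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

NORMAL_MIN, NORMAL_MAX = 4, 8   # instances per host under normal conditions (10.4.2.1)


@dataclass(frozen=True)
class Instance:
    name: str
    kind: str           # "operator", "engineering", or "dmz" (application that belongs in the DMZ)
    console: str = ""   # operator console the station serves, if any


@dataclass(frozen=True)
class Host:
    name: str
    capacity: int       # virtual instances the server can run at the same time
    dmz: bool = False   # dedicated DMZ host (10.4.2.8)


def check_assignment(hosts: Dict[str, Host],
                     placement: Dict[str, List[Instance]]) -> List[str]:
    """Return one finding per violated requirement; an empty list is compliant."""
    findings: List[str] = []
    stations: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))

    for hname, instances in placement.items():
        host = hosts[hname]
        n = len(instances)
        if not NORMAL_MIN <= n <= NORMAL_MAX:
            findings.append(f"{hname}: {n} instances, outside {NORMAL_MIN}-{NORMAL_MAX} (10.4.2.1)")
        # must be able to absorb a failed peer's load: twice the normal quantity (10.4.2.2)
        if host.capacity < 2 * n:
            findings.append(f"{hname}: capacity {host.capacity} < 2 x {n} normal instances (10.4.2.2)")
        # DMZ applications only on a dedicated host, and nothing else on that host (10.4.2.8)
        in_dmz = [i.name for i in instances if i.kind == "dmz"]
        outside = [i.name for i in instances if i.kind != "dmz"]
        if host.dmz and outside:
            findings.append(f"{hname}: non-DMZ instances {outside} on a DMZ host (10.4.2.8)")
        if not host.dmz and in_dmz:
            findings.append(f"{hname}: DMZ instances {in_dmz} on a host outside the DMZ (10.4.2.8)")
        for inst in instances:
            if inst.kind == "operator" and inst.console:
                stations[inst.console][hname] += 1

    # loss of one physical server may not remove more than half of a console (10.4.1.2 a)
    for console, by_host in stations.items():
        total = sum(by_host.values())
        for hname, count in by_host.items():
            if 2 * count > total:
                findings.append(f"{console}: failure of {hname} removes {count} of {total} stations (10.4.1.2 a)")
    return findings


def example() -> Tuple[List[str], List[str]]:
    """Constructed placements: a compliant one, then one with typical faults."""
    def ops(names, console):
        return [Instance(n, "operator", console) for n in names]

    hosts = {"HOST-1": Host("HOST-1", 16), "HOST-2": Host("HOST-2", 16),
             "HOST-DMZ": Host("HOST-DMZ", 8, dmz=True)}
    good = {
        "HOST-1": ops(["OPS-A1", "OPS-A2"], "CONS-A") + ops(["OPS-B1", "OPS-B2"], "CONS-B"),
        "HOST-2": ops(["OPS-A3", "OPS-A4"], "CONS-A") + ops(["OPS-B3", "OPS-B4"], "CONS-B"),
        "HOST-DMZ": [Instance(f"DMZ-{i}", "dmz") for i in range(1, 5)],
    }
    bad = {
        "HOST-1": ops(["OPS-A1", "OPS-A2", "OPS-A3"], "CONS-A") + ops(["OPS-B1"], "CONS-B"),
        "HOST-2": ops(["OPS-A4"], "CONS-A") + ops(["OPS-B2", "OPS-B3"], "CONS-B")
                  + [Instance("HIST-REPL", "dmz")],
        "HOST-DMZ": [Instance(f"DMZ-{i}", "dmz") for i in range(1, 4)] + [Instance("ENG-1", "engineering")],
    }
    return check_assignment(hosts, good), check_assignment(hosts, bad)


if __name__ == "__main__":
    for finding in example()[1]:
        print(finding)
```

Note that the "more than half" test is evaluated per console, not per host: a host carrying four operator stations is acceptable when they are two each from two consoles, and unacceptable when three of them belong to the same console.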

10.4.3 Thin-clients

10.4.3.1 Each virtual instance of an operator workstation shall be
provided with a separate Thin-client station, located at the
operator console. For engineering consoles, a single thin-client
may be used to access more than one virtual instance.

10.4.3.2 Thin-clients (TCs) shall utilize an embedded operating system.

10.4.3.3 TCs shall be configured with ‘write-lock’ enabled to prevent
changes to the system software.

10.4.3.4 TCs shall be configured with all normal desktop functions
disabled. TC desktops shall only provide access for users to
call up pre-configured remote desktop icons to establish
remote connections to virtual servers.
Commentary:

This requirement does not apply when logged into the TC as a
system administrator.

10.4.3.5 TCs shall not store passwords used for user authentication of
remote sessions.

10.4.3.6 TCs may utilize local user accounts or may be integrated into
the domain controller provided for the PCS. Where local user
accounts are used, TCs shall be configured to auto-login to the
local user account on startup.
Commentary:

Refer to SABP-Z-074, Guidelines for Virtual Servers and
Thin-clients for Process Automation Systems, for more details
on thin-client user administration.

10.4.3.7 Communication between TCs and virtual servers shall be
through a separate, dedicated TC network.

10.4.3.8 TC networks shall be redundant if supported as a standard
solution from the vendor. Where the vendor’s standard TC
product does not support redundant network interface cards,
two (2) TC network switches shall be supplied per operator
console and connection of TCs to switches shall be segregated
to maximize availability.

10.4.3.9 TCs shall be supplied with complete OS and project specific
configuration on removable media to facilitate replacement of
TCs on failure.

10.5 Performance Monitoring

10.5.1 Tools shall be provided to enable continuous monitoring of the
performance of all workstations and servers in the system. As a
minimum, performance statistics for the following should be monitored
on a per station basis:
• System alarms and failures
• CPU utilization
• Memory utilization
• Hard-disk utilization (e.g., space, partitions, segments)
• Network utilization (e.g., transaction rates, error and retry rates)

10.5.2 Tools shall be provided to capture, store and retrieve all system related
alarms or events.

10.5.3 The performance monitoring tools shall provide the functionality to
record these statistics to a file periodically for review for a period of
seven days or more.

11 Operator Graphical Displays

This section defines graphical displays primarily used by operators to monitor and
control process equipment.

11.1 General

11.1.1 All graphics shall include the following information in standard locations:
a) Display number (e.g., 97DISP01)
b) Display Name (e.g., Instrument Air overview display)
c) The associated P&ID number(s) for the equipment displayed on the
graphic.

Note: This requirement does not apply to overview graphics or faceplates.

11.1.2 Library elements / templates shall be used when assigning elements to a
graphic display. Individual elements within a library element should be
configured using design / display conventions to ensure consistency in
the look and operation of the elements across all graphics.

11.2 Colors

11.2.1 All Process Graphics shall utilize a ‘Grey-Scale’ color palette.
Neutral backgrounds (i.e., grey) shall be used to minimize glare, along
with a generally color-neutral depiction of process lines and objects.

11.2.2 Process data shall be shown with a background color which is grey
(close to the background color) when the process value is in a normal
condition. Background color for process data elements shall only show
colors when the value is in an alarm condition.

11.2.3 There shall be very limited use of color. Colors shall be used only to
highlight abnormal situations, and shall be applied consistently
throughout the system.

11.2.4 Colors shall be used to display only alarm-related conditions.
If yellow is an alarm color, then yellow shall not be used as a text label,
line color, border, or any other non-alarm-related element.

11.3 Design

11.3.1 A consistent philosophy shall be applied for the appearance (look-and-
feel) and functionality of all operator graphics within an operating
facility.

11.3.2 A plant-wide graphics design guideline shall be developed as required in
SAEP-1626, Configuration and Graphics Design Guidelines.
The following shall be included as a minimum:
• Presentation and operation of common symbols, such as: analog
indicators, digital indicators, controllers, and common operating
equipment such as control valves, pumps, motors, fin-fans, etc.
• Process alarm color conventions and visual display
• Display navigation
• Access privileges for Operators, Engineers and Maintenance
• Color convention for invalid data (e.g., BAD PV).

11.3.3 Careful consideration shall be given to the configuration and display of
equipment, such as pumps and valves, whose state could either be ON or
OFF during normal operation. If the normal state could be either ON or
OFF, the graphic element shall only be shown in Alarm condition when
there is an actual alarm event, such as a change of state which was not
commanded by the operator or through normal control logic.

11.4 Display Navigation

11.4.1 Operators shall be able to easily access specific displays and graphics by
pressing dedicated function keys, selecting from a list of displays in
directories and menus, or by typing display or graphic names.

11.4.2 Display navigation shall be configured such that it is possible to move
between related displays and graphics of different detail levels or of the
same detail level with a maximum of two operator actions.

11.4.3 Any graphic display shall be accessible via no more than three operator
actions.
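The limits in 11.4.2 and 11.4.3 are properties of the whole display hierarchy and are easy to break as graphics are added late in a project, so they are worth checking by tool rather than by inspection. The following is an added example of such a check and is not part of this standard or of any DCS product: the display names, detail levels and link table are constructed, modelling the display set as a graph whose edges are single operator actions (a button, a menu pick, a function key) is an assumption of the example, 11.4.3 is read as "from any display to any other", and "related displays" in 11.4.2 is taken to mean displays of the same unit whose detail levels differ by at most one:

```python
"""Breadth-first check of the navigation limits in 11.4.2 and 11.4.3 over a
display hierarchy (added example, not a DCS feature or from the standard).

Displays and links are constructed; 'related' means same unit and a detail
level difference of at most one; menus count as one action but are not
graphics themselves.
"""
from collections import deque
from typing import Dict, List, Set, Tuple


def distances(links: Dict[str, Set[str]], start: str) -> Dict[str, int]:
    """Fewest operator actions from start to every reachable display."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in links.get(cur, set()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def check_navigation(links: Dict[str, Set[str]], level: Dict[str, int],
                     unit: Dict[str, str], max_any: int = 3,
                     max_related: int = 2) -> List[str]:
    """One finding per ordered pair of graphics that breaks 11.4.2 or 11.4.3.
    Only keys of `level` are graphics; other nodes (e.g., a menu) are steps."""
    findings = []
    graphics = sorted(level)
    for a in graphics:
        dist = distances(links, a)
        for b in graphics:
            if a == b:
                continue
            related = unit[a] == unit[b] and abs(level[a] - level[b]) <= 1
            limit, clause = (max_related, "11.4.2") if related else (max_any, "11.4.3")
            d = dist.get(b)
            if d is None:
                findings.append(f"{a} -> {b}: unreachable ({clause})")
            elif d > limit:
                findings.append(f"{a} -> {b}: {d} actions, limit {limit} ({clause})")
    return findings


# Constructed hierarchy: plant overview (level 1), unit overviews (2), detail
# graphics (3), and a display menu reachable from every display in one action.
LEVEL = {"PLANT_OVW": 1, "U100_OVW": 2, "U100_FEED": 3, "U100_COL": 3,
         "U200_OVW": 2, "U200_COMP": 3}
UNIT = {"PLANT_OVW": "PLANT", "U100_OVW": "U100", "U100_FEED": "U100",
        "U100_COL": "U100", "U200_OVW": "U200", "U200_COMP": "U200"}
LINKS = {
    "PLANT_OVW": {"MENU", "U100_OVW", "U200_OVW"},
    "MENU": {"PLANT_OVW", "U100_OVW", "U200_OVW"},
    "U100_OVW": {"MENU", "PLANT_OVW", "U100_FEED", "U100_COL"},
    "U100_FEED": {"MENU", "U100_OVW", "U100_COL"},
    "U100_COL": {"MENU", "U100_OVW", "U100_FEED"},
    "U200_OVW": {"MENU", "PLANT_OVW", "U200_COMP"},
    "U200_COMP": {"MENU", "U200_OVW"},
}


def example() -> Tuple[List[str], List[str]]:
    """The compliant hierarchy, then the same one with the menu link dropped
    from U200_COMP (a detail graphic that can only go back to its overview)."""
    broken = {k: set(v) for k, v in LINKS.items()}
    broken["U200_COMP"] = {"U200_OVW"}
    return check_navigation(LINKS, LEVEL, UNIT), check_navigation(broken, LEVEL, UNIT)


if __name__ == "__main__":
    for finding in example()[1]:
        print(finding)
```

Dropping a single menu link from one detail graphic is enough to push two cross-unit paths to four actions, which is the kind of regression that survives a visual review of each graphic on its own.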

11.4.4 All process graphics shall include a “Previous Display” button or
capability which shall enable call-up of the previous process graphic when
selected.

11.4.5 When a graphic element has an associated call-up display (e.g., PID
faceplate for a controller) the graphic shall have a target that
immediately calls up the associated control display when selected.

11.4.6 Graphics shall be designed to facilitate easy call-up of trend displays for
individual tags from the primary process graphic.

11.5 Control Strategies and Control Faceplates

11.5.1 Control strategy information shall be shown on primary process displays
and shall be dynamic, reflecting the actual current state of the strategy.
Process data associated with control strategies shall be updated at least
once every two seconds.

11.5.2 Process displays shall be designed such that the Process Value (PV) and
the manipulated value (MV) are shown on a single display, wherever
possible.

11.5.3 Control strategy information shall be displayed on process graphics in
such a way that the operator can determine what is being controlled, the
control mode for individual controllers, and whether or not a controller is
constrained or limited in some way.

11.5.4 Manipulation of a controller or control strategy shall not be from the
primary operating display. This shall be done using a dedicated control
faceplate or control graphic window.

11.5.5 Control faceplates shall show dynamic process and status information
about a function block or tag and shall permit an operator to change
required parameter values associated with the function block.

11.5.6 Faceplates shall display the following information as applicable:
- Tag ID
- Tag Descriptor
- Process input, setpoint, and output values displayed numerically with
engineering units.
- Process input, setpoint, and output in bar or graphical representation.
- Control Mode (auto/manual) and setpoint status (remote/local).
- Visual indication of setpoint and output high and low limits.
- Symbolic and alphanumeric indication of discrete states both for two
state devices and multi-state devices.
- For signal selectors, all available process inputs with visual
indication of which input is selected and the selection method
(i.e., High / Low / Median).
- Visual indication for alarm status and ability to acknowledge.

11.5.7 The following actions shall be possible from each Faceplate as applicable:
- Change control block mode.
- Change setpoint and other operator settable parameters.
- Issue commands to multi-state devices.
- Adjust outputs in manual mode.

11.5.8 Control faceplates for PID controllers shall have up/down arrows that
allow the operator to adjust the setpoint or MV rather than having to type
a value. The arrow keys shall also be capable of having two adjustable
rates (e.g., a regular click gives a 0.1 increment, SHIFT + click gives a
1.0 increment).

11.6 Plant Safety Displays

11.6.1 Plant Safety Displays (PSD) shall be provided and configured with the
PCS.

11.6.2 The PSD shall consist of a collection of displays whose purpose is to
provide status information for the various safety devices located
throughout the plant.

11.6.3 The PSDs shall be configured in a hierarchy allowing the operator to
easily view the overall status of all plant safety equipment on a single
display while enabling the operator to obtain more detailed information
by drilling down to selected process areas.

11.6.4 The top-level PSD shall be an aerial view picture or schematic of the
plant showing the major equipment as it is arranged in the facility.

11.6.5 The top-level PSD shall indicate the status of the H2S / LEL gas
detectors in their physical location throughout the plant as described
below.

11.6.6 The top-level PSD shall contain a wind speed and wind direction
indication dial to enable the viewer to quickly determine the down-wind
direction for any alarm.

11.6.7 The top-level PSD shall contain an indicator showing the ESD bypass
status for each plant area. The indicator shall be configured to combine
the status of all ESD bypasses for that plant area into a single symbol.
The indicator shall be shown in Neutral color if no bypass is active and
shall change color if any bypass is active in that particular plant area.
The indicator shall be placed on the display in the physical location of
that plant area.

11.6.8 The top-level PSD shall contain an indicator showing the gas detector
bypass status for each plant area. The indicator shall be configured to
combine the status of all gas detector bypasses for that plant area into a
single symbol. The indicator shall be shown in Neutral color if no
bypass is active and shall change color if any bypass is active in that
particular plant area. The indicator shall be placed on the display in the
physical location of that plant area.

11.6.9 The top-level PSD shall contain a single symbol to indicate the Fire
Alarm status for the plant. The symbol shall be configured to change
from neutral to the appropriate alarm color when any fire alarm is
active. The symbol shall be configured to call-up a fire alarm status
display when selected to provide more detailed information about the
physical location and status of the fire alarm.

11.6.10 The top-level PSD shall contain a single symbol to indicate the PCS
cabinet alarm status for the plant. The symbol shall be configured to
change color from Neutral to an appropriate alarm color when any
cabinet alarm is active. The symbol shall be configured to call-up a
detailed status display of system cabinet alarms when selected.

11.6.11 In process facilities which are made up of multiple plant or process
areas, the top-level PSD shall be configured to call-up a more detailed
PSD display for each process or plant area by selecting the physical
location of the plant on the top level display.

11.6.12 The process / plant area PSDs shall display an aerial view of the
particular process area. The status of all H2S / LEL gas detectors shall
be shown on these displays, in their specific locations.

11.6.13 Gas detector indicators on the process / plant area PSDs shall be
configured to bring up a removable overlay which displays the detector
measurement by selecting the detector graphic symbol.

11.6.14 The ESD bypass indicators and Gas Detector bypass indicators related
to the plant area shall be displayed on the process / plant area PSD.
These indicators shall be configured to call-up a detailed bypass status
display for the area when selected.

11.6.15 The online / offline status of major equipment shall be indicated on the
process / plant area PSDs. When an aerial photo is used as the basis for
the display, a rectangle around the equipment shall be configured to
change color based on the run status of the equipment or similar
methods may be used to indicate the operational status.

11.6.16 H2S / LEL Gas Detector Indicators for Plant Safety Displays

11.6.16.1 The status of all H2S / LEL gas detectors shall be superimposed on
the PSD displays using a small circle to indicate each device.
Indicators shall be placed onto the plant layout display at the
location in which they exist in the field.
Commentary Note:

On the top-level display, it may be necessary to combine the
status of multiple H2S / LEL gas detectors located in the same
vicinity (e.g., multiple detectors monitoring a single equipment
item or analyzer shelter) into a single symbol to avoid overcrowding
of the display.

11.6.16.2 The gas detector indicators shall be configured to change color
based on the alarm status of the device. When no alarm is
present, the symbol shall be shown in Neutral color.


11.6.16.3 Gas Detector symbols shall be configured to change color
when in alarm condition based on the type of detector which is
in alarm. H2S alarms shall cause the symbol to change to a
BLUE color and LEL detector alarms shall be indicated with a
RED color.

11.6.16.4 Gas detector symbols shall be configured to change to a
different color based on the alarm level. High alarms shall be
indicated using a light BLUE or RED color based on the type
of detector in alarm. High-High alarms shall be indicated
using a dark BLUE or RED color.

11.6.16.5 Gas detector indicators shall be configured to show
acknowledged / unacknowledged status for each alarm using a
non-flashing / flashing symbol (respectively) similar to
process alarms.

11.6.16.6 Gas detector indicators shall be configured to show the
detector fault for each detector using a separate color.
The color convention used to indicate bad input status on
process displays shall be used for the gas detector symbols as
long as the color convention is easily distinguishable from an
alarm condition.

12 Alarms and Messages

12.1 General

12.1.1 Procedures defined in SAEP-368, Alarm System Management, shall be
followed in the design and configuration of alarm systems.

12.1.2 Alarms and messages shall be configured to perform the following:
a) To draw the operator's attention to abnormal conditions within his
area of responsibility, both in the process (process alarms) under
his control and in the control system equipment (system alarms).
b) To provide information to facilitate the operator's rapid
understanding of the abnormal condition.
c) To provide rapid access to the tools needed by the operator to
perform corrective action.
d) To provide a comprehensive historical record, accessible to the
operator and other plant personnel, of the information needed to
assess such abnormal conditions.

12.2 Process Alarms

12.2.1 Alarm Priorities and Configuration

12.2.1.1 All process alarms shall be configured with an alarm dead-
band to prevent excessive re-alarming of a tag when the
measurement is fluctuating near the alarm setpoint.
For analog data, the default alarm dead-band shall be 0.25% of
the full range of the measurement scale or as determined in the
alarm philosophy document. For discrete inputs, an ‘off-delay’
shall be configured such that the value of the input must
transition to the normal state and remain there for a minimum
of 10 seconds before re-alarming on transition back to the
alarm state.
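The dead-band and off-delay behaviour of 12.2.1.1, as an added example that is not part of the standard: a high alarm that clears only once the PV has dropped below the setpoint by 0.25% of scale, and a discrete alarm that clears only after the input has stayed normal for 10 s. The sample values are constructed; setting the dead-band or delay to zero shows how the same chattering input would re-alarm.

```python
class AnalogHighAlarm:
    """High alarm with an alarm dead-band (12.2.1.1). The alarm is raised when the
    PV reaches the setpoint and only clears once the PV has fallen below the
    setpoint by the dead-band, so a PV hovering around the setpoint cannot
    re-alarm repeatedly."""

    def __init__(self, setpoint, scale_lo, scale_hi, deadband_pct=0.25):
        self.setpoint = setpoint
        # default dead-band: 0.25 % of the full measurement range
        self.deadband = (scale_hi - scale_lo) * deadband_pct / 100.0
        self.active = False

    def update(self, pv):
        """Feed one sample; return True only when a NEW alarm event is generated."""
        if not self.active and pv >= self.setpoint:
            self.active = True
            return True
        if self.active and pv <= self.setpoint - self.deadband:
            self.active = False
        return False


class DiscreteAlarm:
    """Discrete alarm with an off-delay (12.2.1.1): after the input returns to its
    normal state it must stay there for `off_delay_s` before the alarm clears,
    so a transition back to the alarm state inside that window does not
    generate a second alarm event."""

    def __init__(self, alarm_value=True, off_delay_s=10.0):
        self.alarm_value = alarm_value
        self.off_delay_s = off_delay_s
        self.active = False
        self.normal_since = None   # time at which the input last went normal

    def update(self, t, value):
        """Feed one sample at time t (seconds); return True on a NEW alarm event."""
        if value == self.alarm_value:
            self.normal_since = None          # back in alarm: restart the delay
            if not self.active:
                self.active = True
                return True
            return False
        if self.active:                        # input normal, alarm still active
            if self.normal_since is None:
                self.normal_since = t
            if t - self.normal_since >= self.off_delay_s:
                self.active = False
                self.normal_since = None
        return False


def count_analog_events(alarm, samples):
    """Number of alarm events a sequence of PV samples produces."""
    return sum(1 for pv in samples if alarm.update(pv))


def count_discrete_events(alarm, samples):
    """Number of alarm events a sequence of (time_s, value) samples produces."""
    return sum(1 for t, v in samples if alarm.update(t, v))


# Constructed sample data (not from any real plant).
# PV on a 0-100 % scale chattering around a high-alarm setpoint of 80 %:
ANALOG_SAMPLES = [79.9, 80.0, 79.9, 80.1, 79.8, 79.7, 80.2]
# (time_s, state) pairs for a discrete input whose alarm state is True;
# it drops out for 4 s, returns, then stays normal for the full 10 s:
DISCRETE_SAMPLES = [(0, True), (1, False), (5, True), (6, False),
                    (16, False), (17, True)]
```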

12.2.1.2 Process Alarms shall be assigned to one of four priority levels
depending upon the criticality of the alarm.
a) PRIORITY 4 (LOG-ONLY): Alarm is sent to alarm
history only, not to the operator alarm display.
Examples include: Return-to-normal messages and other
informational type alarms or messages.
b) PRIORITY 3 (LOW): Indicates operator action is required
but the equipment or process is still within the safe
operating range. Alarms such as transmitter BADPV,
deviation alarms for PID controllers, equipment run status
and MOV limit switch change-of-state are typically set to
LOW.
c) PRIORITY 2 (HIGH): Rapid operator action is required,
unit or equipment shutdown is possible, or a safety
violation might occur. Alarms such as equipment or unit trip
pre-alarms, H/L alarms for critical process values and
unexpected shutdown of rotating equipment which requires
operations to start redundant equipment are typically set to
HIGH.
d) PRIORITY 1 (EMERGENCY): Immediate operator action
is required to prevent a unit shutdown or a safety violation
if action is not immediately taken. Alarms such as Fire
and Gas detection, pre-alarms associated with shutdown
functions and other safety critical alarms are typically
assigned to priority 1.

12.2.1.3 Alarm priorities shall be assigned using a consistent alarm
philosophy and shall accurately convey the seriousness of the
situation which is being alarmed. It is recommended that the
overall distribution of alarms by priority adhere to the industry
best practices listed below:

Alarm Priority   Percentage of total alarms configured
Priority 3       80%
Priority 2       15%
Priority 1       5%

12.2.1.4 All automatic shutdown / trip setpoints, including trip setpoints
implemented in auxiliary systems and ESD systems, shall be
configured with a pre-alarm. Pre-alarms may be implemented
in the DCS or the auxiliary system which is initiating the
shutdown. Where pre-alarms are configured in an auxiliary
system, the pre-alarm shall be transmitted to the DCS for visual
alarm annunciation at the operator console.

12.2.2 Visual Alarm Indication

12.2.2.1 Process alarms shall only be visible on operator graphics when
an alarm is active or unacknowledged.

12.2.2.2 All alarms shall be displayed on the process graphic associated
with the tag. The alarm color shall be configured to correlate
to the alarm priority. Alarm priority colors shall be RED for
priority 1 alarms, ORANGE for priority 2 alarms and YELLOW for
priority 3 alarms unless specified otherwise in the alarm
philosophy document.

12.2.2.3 The system shall display unacknowledged alarms with a
blinking background color. Blinking shall cease when the
alarm is acknowledged; however, the background color
indicating an alarm is present shall remain until the alarm
condition is cleared.

12.2.2.4 Unacknowledged alarms which have returned to normal shall
be displayed with a visibly distinct appearance from
unacknowledged and active alarms.

12.2.2.5 Overall Indication. All process displays shall have an overall
process alarm status indicator. The indicator shall convey
whether alarms are active, the highest priority active alarm and
whether there are any unacknowledged alarms in the process
area to which the display is associated.

Commentary Note:

LED on keyboard or dedicated section of the workstation
monitor is acceptable.

12.2.2.6 A “Process Alarm Summary” display showing all active
process alarms assigned to the workstation shall be provided
with each workstation. Accessing this alarm summary display
from any other display shall require no more than two operator
actions. Alarms shall be grouped on this display to allow the
operator to readily identify and respond to alarms and
abnormal conditions in his area of responsibility
(e.g., sorted by priority, time, unacknowledged status).

12.2.3 Alarm Annunciation and Acknowledgement

12.2.3.1 Alarms shall be annunciated only on the workstation(s) or
console configured for those alarms.

12.2.3.2 Distinct audible tones shall be used to distinguish between the
three different priority process alarms. A fourth tone shall be
used to indicate system alarms.

12.2.3.3 Audible tone decibel levels shall be loud enough to be heard
over normal control room background noise. Audible alarm
tone shall be adjustable by engineering with proper access
credentials.

12.2.3.4 The audible alarm signal for an operator console shall continue
until either:
a) a “horn silence” is initiated at the operator console or
b) an active alarm is “selected” (on either alarm summary or
other displays.)

12.2.3.5 Silencing the horn shall NOT result in alarm acknowledgment.

12.2.3.6 Alarms shall be acknowledged only at the console configured
for the alarm.

12.2.3.7 Alarm acknowledge actions shall be logged to the operator
action / event log with the time of the acknowledgement and
the workstation from which the action was taken.

12.2.3.8 It shall be possible for an operator to acknowledge any alarm
configured at a workstation by no more than two actions.
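The visual indication rules of 12.2.2 and the annunciation and acknowledgement rules of 12.2.3, as one added example that is not part of the standard: a per-console alarm state machine in which unacknowledged alarms blink, an alarm that returns to normal while unacknowledged keeps a distinct appearance, silencing the horn acknowledges nothing, only alarms configured at the console can be acknowledged there, and every acknowledgement is logged with time and workstation. The "outline" style for returned-to-normal alarms and the tag names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    NORMAL = "normal"                # not shown on graphics (12.2.2.1)
    ACTIVE_UNACK = "active-unack"    # blinking background (12.2.2.3)
    ACTIVE_ACK = "active-ack"        # steady background until the condition clears
    RTN_UNACK = "rtn-unack"          # returned to normal, still unacknowledged (12.2.2.4)


PRIORITY_COLOR = {1: "RED", 2: "ORANGE", 3: "YELLOW"}   # 12.2.2.2 defaults


@dataclass
class Alarm:
    tag: str
    priority: int
    state: State = State.NORMAL

    def appearance(self):
        """Colour/animation the graphic element should show; None when hidden."""
        if self.state is State.NORMAL:
            return None
        color = PRIORITY_COLOR[self.priority]
        if self.state is State.ACTIVE_UNACK:
            return f"{color} blinking"
        if self.state is State.ACTIVE_ACK:
            return f"{color} steady"
        return f"{color} outline"   # RTN_UNACK: distinct style (assumed here)


class Console:
    """One operator console: owns the alarms configured for it, its horn and
    its operator action / event log."""

    def __init__(self, name):
        self.name = name
        self.alarms = {}
        self.horn_on = False
        self.event_log = []

    def configure(self, alarm):
        self.alarms[alarm.tag] = alarm

    def raise_alarm(self, tag):
        a = self.alarms[tag]
        if a.state in (State.NORMAL, State.RTN_UNACK):   # a new alarm event
            a.state = State.ACTIVE_UNACK
            self.horn_on = True                            # audible annunciation

    def return_to_normal(self, tag):
        a = self.alarms[tag]
        if a.state is State.ACTIVE_UNACK:
            a.state = State.RTN_UNACK          # stays visible until acknowledged
        elif a.state is State.ACTIVE_ACK:
            a.state = State.NORMAL

    def silence_horn(self):
        """12.2.3.4 a): silences the horn only; 12.2.3.5: acknowledges nothing."""
        self.horn_on = False

    def select_alarm(self, tag):
        """12.2.3.4 b): selecting an active alarm also silences the horn."""
        if tag in self.alarms and self.alarms[tag].state is not State.NORMAL:
            self.horn_on = False

    def acknowledge(self, tag, user, workstation, t):
        """12.2.3.6: only alarms configured at this console can be acknowledged
        here. 12.2.3.7: every acknowledgement is logged with time and station."""
        a = self.alarms.get(tag)
        if a is None or a.state in (State.NORMAL, State.ACTIVE_ACK):
            return False
        a.state = State.ACTIVE_ACK if a.state is State.ACTIVE_UNACK else State.NORMAL
        self.event_log.append({"time": t, "action": "ACK", "tag": tag,
                               "user": user, "workstation": workstation})
        return True

    def overall_indicator(self):
        """12.2.2.5: any active alarm, highest active priority, any unacknowledged."""
        active = [a.priority for a in self.alarms.values()
                  if a.state in (State.ACTIVE_UNACK, State.ACTIVE_ACK)]
        unack = any(a.state in (State.ACTIVE_UNACK, State.RTN_UNACK)
                    for a in self.alarms.values())
        return {"active": bool(active),
                "highest_priority": min(active) if active else None,
                "unacknowledged": unack}
```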


12.2.4 Alarm Inhibiting and Dynamic Alarm Suppression

12.2.4.1 Alarms shall be grouped by process equipment to facilitate
disabling of alarms by equipment when the equipment is taken
out-of-service. Other system processing functions, e.g., data
acquisition, control and logging, shall continue for inhibited
alarms.
Commentary Note:

Such instances must be controlled to ensure proper
re-activation, either manually initiated or upon detection of
some process parameter change.

12.2.4.2 Inhibiting of alarms shall be logged in the system with the time
and date that the alarm was inhibited.

12.2.4.3 The DCS shall be supplied with the capability to move an
active alarm off of the current alarm display into a separate
page. This function is sometimes referred to as ‘Alarm
Shelving’. When implemented, alarm shelving shall be
configured to automatically move any shelved alarms back to
the active / current alarm display at the end of each shift.
Alarms must be re-shelved at the beginning of each shift.

12.2.4.4 The DCS shall be supplied with the built-in capability to
produce a list of alarms which are inhibited and / or shelved for
both display and print-out per operator console. This function
should be readily available to operators from the primary HMI
screen.

12.2.5 Alarm Printing

Printing of alarms at the time of the alarm or event shall not be
implemented. Capabilities shall be provided on all systems to store
alarms in an on-line database and to produce a report of alarms and/or
events during user-defined time periods which can be printed at the time
the report is generated.

12.3 System Alarms

12.3.1 The system shall be configured to activate system alarms for the
following failures as a minimum:
a) Failed modules,
b) Communication errors,
c) Power supply failures,
d) Diagnostic error detections and messages,
e) Network or communications failures on a per node basis.

12.3.2 System alarms shall initiate both audible and visual annunciation at the
operator console to which the failed equipment is associated.

12.3.3 Instrument device alerts from Instrument Asset Management systems
shall not be sent to operator workstations or consoles. Only instrument
failure alarms shall be recorded in the system alarm log.

12.3.4 A “System Alarm Summary” display showing all active system alarms
shall be provided. Accessing this alarm summary display from any other
display shall require no more than two operator actions.

12.3.5 System alarms shall be configured to have a distinct horn tone and visual
indication at the console to distinguish system alarms from process
alarms. Where system alarm priorities are configurable, the priority
should be set based on the criticality of the condition and the potential
impact to production.

12.4 Logging of Operator and Engineering Actions

12.4.1 A log shall be provided for recording operator and engineering actions or
changes. Actions shall be further divided into “Operation” or
“Engineering”. The Operator / Engineer action log shall record the name
of the user who made the change, time of change, the station from which
the change was made and an abbreviated text of the change.

12.4.2 Operator actions that are to be logged in history files shall include the
following as a minimum:
a) Changes made to the mode of a controller,
b) Changes made to the setpoint of a controller,
c) Changes made to the output of a controller,
d) Acknowledgement of an active alarm,
e) Toggle of an alarm between inhibit and enable,
f) Changes made to alarm limit,
g) Activating a soft-bypass of an ESD point accessed via the PCS,
h) Responses to operator prompts.

12.4.3 Engineering actions that are to be logged in history files shall include the
following as a minimum:
a) Changes made to tuning parameters,
b) Download or modification of tag or module configuration,
c) Modification to software used by the PCS,
d) Forcing a member of a redundant pair on or off primary status,
e) Placing devices on-line or off-line,
f) Placing a tag on-scan or off-scan,
g) Responses to engineer prompts.

12.5 Alarm and Events History

12.5.1 All process alarms, system alarms, sequence of events messages, and
operator, engineering or maintenance actions shall be stored on the
system for a minimum period of thirty days.

12.5.2 For systems which define the alarm retention time based on the number
of messages, the following number of events shall be stored as a
minimum. This requirement shall be met on a per-console basis.

Message Type       Number of Events
Process Alarms     10,000
System Alarms      10,000
Operator Actions   5,000
Engineer Actions   5,000

12.5.3 Alarm and event data shall be stored using a First-in / First-out
mechanism to prevent excessive alarms from being stored on the system.
Systems shall be designed to delete the oldest messages to enable storage
of new messages once the minimum retention period or maximum
number of alarms has been reached.

12.6 Interface to Alarm Management Systems

12.6.1 For projects where an external Alarm Management System (ALMS) is
provided for collection and analysis of alarms from various PCS sources
(e.g., DCS, ESD, CCS, VMS), the DCS shall be provided with an
OPC Alarm and Event (A&E) server to facilitate transfer of alarm
messages to the external ALMS.

13 Historization and Trending

13.1 On-line Process Data History

13.1.1 On-line historical data shall be stored in the DCS to support history
trends and reports generated within the DCS.

13.1.2 The following parameters shall be historized in the DCS historian, as a
minimum. This requirement applies to hard-wired signals, digital
Fieldbus based signals and soft-signals transmitted to the DCS through
communications gateways.
a) Process Value (PV) for all analog inputs used for monitoring only
b) Process Value (PV) for all discrete inputs
c) For PID controllers, all PV, SP and MV or Output values
d) All calculated variables such as compensated flows or flow totalizers
e) Output value for all analog output only tags (i.e., manual loaders) and
discrete outputs to the field.

13.1.3 The collection rates, longevity, and scope for historical data are to be
specified on a per project basis. The minimum allowable collection rates
and longevity are listed in the following table:

Point Type    Sampling Rate   Retention Time
Analytical    60 sec          7 days
Temperature   10 sec          7 days
Level         5 sec           7 days
Flow          2 sec           7 days
Pressure      2 sec           7 days
Discrete      any change      7 days

13.1.4 For systems which utilize exception based data recording, hard-disks
shall be sized for the worst case logging requirement or an update every
scan rate for the minimum retention period specified above.
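The historian sizing of 13.1.3 and 13.1.4 carried through as an added example that is not part of the standard: the minimum rates and retention from the table above give a worst-case sample count per tag (a change on every scan for discrete points), which multiplied by a tag mix and a record size gives the disk figure, and a project's configured collection settings can be checked against the same table. The record size of 16 bytes, the 1 s scan rate and the tag counts are assumptions.

```python
from math import ceil

SECONDS_PER_DAY = 86_400

# Minimum sampling rate (s) and retention (days) per point type, from the
# 13.1.3 table. None means "any change" (discrete points).
MINIMUM_COLLECTION = {
    "Analytical":  (60, 7),
    "Temperature": (10, 7),
    "Level":       (5, 7),
    "Flow":        (2, 7),
    "Pressure":    (2, 7),
    "Discrete":    (None, 7),
}


def worst_case_samples(point_type, scan_rate_s=1.0):
    """Samples one tag can produce over the minimum retention period.
    For discrete points 13.1.4 sizes for a change on every scan."""
    rate_s, days = MINIMUM_COLLECTION[point_type]
    if rate_s is None:
        rate_s = scan_rate_s
    return ceil(days * SECONDS_PER_DAY / rate_s)


def worst_case_storage_bytes(tag_counts, bytes_per_sample=16, scan_rate_s=1.0):
    """Disk needed if every tag logs at its worst-case rate for the full
    retention period. bytes_per_sample (timestamp + value + quality) is an
    assumed figure; substitute the historian's actual record size."""
    return sum(n * worst_case_samples(ptype, scan_rate_s) * bytes_per_sample
               for ptype, n in tag_counts.items())


def below_minimum(configured):
    """Compare a project's configured {point_type: (rate_s, days)} against the
    13.1.3 minimums; return the point types that sample too slowly or keep
    data for too short a period."""
    failures = {}
    for ptype, (rate_s, days) in configured.items():
        min_rate_s, min_days = MINIMUM_COLLECTION[ptype]
        too_slow = min_rate_s is not None and (rate_s is None or rate_s > min_rate_s)
        if too_slow or days < min_days:
            failures[ptype] = (rate_s, days)
    return failures


# Constructed tag mix for a small unit (illustration only).
EXAMPLE_TAGS = {"Flow": 100, "Pressure": 80, "Temperature": 150, "Discrete": 50}

if __name__ == "__main__":
    gib = worst_case_storage_bytes(EXAMPLE_TAGS) / 2**30
    print(f"worst-case history for 7 days: {gib:.2f} GiB")
```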

13.1.5 DCS Real-time trends shall be configured for all Analog Input tags and
Control Loops irrespective of the source of the tag. This requirement
shall apply to DCS hardwired I/O and all analog values transferred from
auxiliary systems to the DCS through communications interfaces.

13.1.6 The data update rate for DCS real-time trends shall be nominally two (2)
seconds. Update rates can be increased for processes with slow
response.

13.1.7 The system shall be configured to enable an operator to call-up a real
time trend for any process tag or calculated variable in his process area
from any workstation within his operator console.

13.1.8 If supported by the system, DCS Real-time trends shall be configured to
display the last one hour of history data before updating with real-time
information.

14 System Access and Security

14.1 Access Control

14.1.1 Access to Process Control Systems shall be restricted to person(s)
with legitimate business requirements.

14.1.2 Procedures for control of user registration / de-registration and the
allocation of access rights and privileges for access to process control
systems shall be documented and enforced.

14.1.3 User access to a system shall be restricted by means of User Ids and
Passwords or other suitable technologies for identification and
authentication of users.

14.1.4 Centralized authentication and account management capabilities shall
be implemented for all PCS components. Management of user role
privileges, user accounts and passwords shall be done via a central
server connected to the PCS system.

14.1.5 All workstations which are connected to the PCS and are not located on
an operator console within the CCR shall be configured to automatically
switch to “view-only” user environment after it has been idle for
30 minutes or longer.

14.1.6 Systems capable of displaying a warning banner, upon logon, shall be
configured to display the following text: “This Computer is for Company
business use only. This system may be monitored as permitted by law.
Unauthorized use may result in criminal prosecution, termination or
other action”. For operator consoles, a printed sticker may alternatively
be used.

14.1.7 All Workstations, Servers, and networking equipment, such as switches
or hubs, shall be housed in lockable cabinets or consoles to prevent
physical access to the equipment from unauthorized users.

14.1.8 All unused ports on Process Control Network equipment shall be
disabled.

14.1.9 Configuration and implementation of the interface between process
control network(s) and other process automation networks shall be as per
the requirements defined in SAES-Z-010, “Process Automation
Networks”.

14.1.10 The PCS network shall be isolated from the Saudi Aramco corporate
intranet through the use of a firewall with Demilitarized Zone (DMZ)
architecture as a minimum, in accordance with the requirements of
SAES-T-566, “Plant Demilitarized Zone (DMZ) Architecture”.

14.2 User Roles

14.2.1 User Roles shall be created to facilitate individual user access privileges
based on the user role or user group to which they are assigned.

14.2.2 The following user roles shall be configured as a minimum. Additional
user roles may be created based on the particular needs of the facility:
- Operator (per process area)
- Shift supervisor
- Maintenance engineer / technician
- PCS engineer
- PCS administrator
- View-only

14.2.3 Specific privileges and access restriction for each user role shall be
clearly documented in the project design documentation and shall be
tested during Factory Acceptance Testing (FAT).

14.3 User Accounts

14.3.1 Each User shall be assigned a unique User ID.

14.3.2 All GUEST accounts shall be disabled on the system.

14.3.3 Users shall be granted access privileges by assigning the user to a User
Role applicable to their particular job function. Access privileges which
have been defined for that User Role shall be inherited by the User.

14.3.4 The system shall be configured to require an individual User ID and
password for authentication purposes for all users prior to being allowed
access to any station connected to the system. Operator workstations
located within operator consoles in the Central Control Room (CCR) are
excluded from the individual user account requirement.

14.3.5 Operator workstations located within operator consoles in the CCR can
be configured with a common ‘CONSOLE XX’ operator account. This
account can be shared by individuals assigned to the particular console
only. These accounts shall not be valid on any other stations connected
to the PCS.

14.3.6 Shared Operator accounts shall have a restricted user profile that
prevents users from installing/uninstalling programs, changing software
configuration, or accessing removable media drives or ports (e.g., USB,
Ethernet, Serial).

14.3.7 If supported by the system, all individual User IDs formats should
conform to corporate guidelines as highlighted in Section 11.1.1.3.6
“USER ID CONSTRUCTION” in IPSAG-007.

14.3.8 The system shall be configured to monitor ‘stale’ user accounts.
Stale accounts are user accounts which have not been used on the system
for a period of three months or longer. The system shall have the
capability to produce a report on a periodic basis of stale user accounts.
The PCS administrator shall be responsible for manually disabling stale
user accounts.
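The periodic stale-account report of 14.3.8, as an added example that is not part of the standard, together with the two account checks of 14.3.1 (unique User IDs) and 14.3.2 (GUEST accounts disabled) that the same account export answers. The account records and the report date are constructed; "three months" is taken as 90 days here, which is an assumption.

```python
from datetime import date, timedelta

STALE_AFTER_DAYS = 90   # "three months or longer" (14.3.8), taken as 90 days here
REPORT_DATE = date(2020, 2, 25)   # constructed date on which the report is run

# Constructed account export (illustration only; no real users or system).
ACCOUNTS = [
    {"user_id": "jsmith",     "role": "PCS engineer", "enabled": True,  "last_logon": date(2020, 1, 20)},
    {"user_id": "aalwan",     "role": "Operator",     "enabled": True,  "last_logon": date(2019, 10, 1)},
    {"user_id": "Guest",      "role": "View-only",    "enabled": True,  "last_logon": None},
    {"user_id": "CONSOLE 01", "role": "Operator",     "enabled": True,  "last_logon": date(2020, 2, 24)},
    {"user_id": "mkhan",      "role": "Maintenance",  "enabled": False, "last_logon": date(2019, 6, 3)},
    {"user_id": "jsmith",     "role": "View-only",    "enabled": True,  "last_logon": date(2020, 2, 1)},
]


def stale_accounts(accounts, today, stale_days=STALE_AFTER_DAYS):
    """14.3.8: enabled accounts not used for stale_days or longer.
    An account that has never logged on is treated as stale."""
    cutoff = today - timedelta(days=stale_days)
    return sorted({a["user_id"] for a in accounts
                   if a["enabled"]
                   and (a["last_logon"] is None or a["last_logon"] <= cutoff)})


def enabled_guest_accounts(accounts):
    """14.3.2: all GUEST accounts shall be disabled."""
    return sorted(a["user_id"] for a in accounts
                  if a["enabled"] and a["user_id"].lower() == "guest")


def duplicate_user_ids(accounts):
    """14.3.1: each user shall be assigned a unique User ID."""
    seen, dupes = set(), set()
    for a in accounts:
        uid = a["user_id"].lower()
        (dupes if uid in seen else seen).add(uid)
    return sorted(dupes)


def periodic_report(accounts, today):
    """The periodic report of 14.3.8 plus the two related account checks;
    the PCS administrator disables (or corrects) what it lists."""
    return {"stale": stale_accounts(accounts, today),
            "guest_enabled": enabled_guest_accounts(accounts),
            "duplicate_ids": duplicate_user_ids(accounts)}


if __name__ == "__main__":
    for finding, ids in periodic_report(ACCOUNTS, REPORT_DATE).items():
        print(f"{finding}: {', '.join(ids) or 'none'}")
```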

14.4 User Account Passwords

14.4.1 Every User ID shall have an individual password, except for shared
operator accounts (see item# 14.3.5 above).

14.4.2 The system shall be provided with the capability to meet the password
management requirements defined in SAEP-99.

14.4.3 Capabilities shall be provided to enable user account passwords to be
changed at any workstation connected to the system. A password
changed at one location shall be automatically updated at all
workstations where the account is valid.

14.4.4 Capabilities shall be provided to enable any user to automatically
retrieve or reset his password by entering or answering user specific
authentication questions. During the user’s initial login of the system,
the user shall be asked to select the password reset / retrieval questions
and provide answers to these questions to facilitate this capability.

14.4.5 Capability shall be provided to reset or retrieve a user password at any
workstation connected to the system.

14.5 Application and System Accounts and Passwords

14.5.1 Passwords used for application accounts shall not be stored in un-
encrypted format. Passwords used for application accounts are excluded
from the password aging policy.

14.5.2 System account default passwords shall be changed prior to
commissioning the system. System account passwords shall not be
stored in un-encrypted format and shall be excluded from the six month
password aging policy described above.

14.6 Anti-Virus Protection

14.6.1 Anti-virus (AV) software shall be installed and configured on all Windows
based workstations which are part of the PCS.

14.6.2 The PCS shall be supplied with a central anti-virus (AV) server.
This server shall be configured to deploy updated anti-virus definition
files to all workstations and servers connected to the PCS on a scheduled
basis.

14.6.3 Scheduling of distribution of AV updates from the central server to other
nodes in the system shall be staggered to avoid potential overloading of
the control network.

14.6.4 The vendor’s recommended procedures shall be followed for
configuration of anti-virus software. As a minimum, the following
configuration options shall be specified by the vendor and implemented
on all workstations and servers connected to the PCS:
a) On Access Scanning
b) Frequency of full system scans
c) Buffer overflow protection
d) Directories to be excluded from scanning

14.6.5 The use of anti-virus software shall not negatively impact the
performance of the workstation and overall performance of the PCS.

14.7 Operating System Software and Vendor Software Patch Management

14.7.1 The vendor’s recommended procedures for the upgrade of Operating
System (OS) software and OS patch installation shall be followed.
Operating System software and patches and vendor application software
and patches shall not be installed unless they have been tested and
certified by the vendor as being compatible with the PCS.

14.7.2 If supported by the vendor, the central Anti-virus server shall also be
used as a central repository for the management and deployment of
Operating System and Application software patches.

14.7.3 Access privileges for updating of Operating System software and Vendor
Application software shall be assigned to PCS Administrator only.

14.7.4 All workstations and servers connected to the PCS shall be deployed
with the latest vendor supported operating system security and
operational patches.

14.7.5 All workstations and/or servers shall be provided with ‘security
hardened’ operating systems. System services, applications, and TCP/IP
ports which are not required for the intended functional purpose of the
primary process control application shall be disabled and/or removed.

14.7.6 PCS vendor shall provide a list of Services and TCP/IP ports which are
required and which are disabled for each workstation supplied. Physical
and logical access to diagnostic and configuration ports shall be
protected.

14.7.7 PCS vendor hardening procedure shall be included as part of the CDR
documents for review and approval.

14.7.8 PCS operating system hardening shall be completed prior to FAT.
Hardening procedures shall be documented in FAT / IFAT test
procedures to enable testing to be conducted prior to the system being
deployed to site.
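A check of the kind the FAT / IFAT procedures in 14.7.8 need, written here as an added example rather than taken from the standard or from any PCS vendor: it compares a workstation's listening TCP ports and running services against the vendor-supplied list required by 14.7.6 and reports both unexpected items (hardening not applied) and missing ones (hardening removed something the application needs). The allowlist, port numbers, service names and the netstat / Get-Service output below are all constructed for illustration; a real run would feed in the captured output of those commands.

```python
"""Added example, not from the standard or any vendor: audit a workstation's
listening TCP ports and running services against the vendor allowlist
required by 14.7.6. All inputs below are constructed."""
import re

# Constructed allowlist for one workstation role (hypothetical, not a real vendor's).
VENDOR_ALLOWLIST = {
    "tcp_ports": {135, 445, 3389, 4840},
    "services": {"Spooler", "W32Time", "TermService", "OpcUaServer"},
}

# Constructed sample in the shape of `netstat -ano -p tcp` output on Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:4840           0.0.0.0:0              LISTENING       3320
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2516
  TCP    10.1.2.3:49700         10.1.2.9:4840          ESTABLISHED     3320
"""

# Constructed sample in the shape of `Get-Service | Where-Object Status -eq Running`.
SAMPLE_SERVICES = """\
Status   Name               DisplayName
------   ----               -----------
Running  Spooler            Print Spooler
Running  W32Time            Windows Time
Running  TermService        Remote Desktop Services
Running  OpcUaServer        OPC UA Server
Running  VncServer          VNC Server
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.M)
SERVICE_RE = re.compile(r"^Running\s+(\S+)", re.M)


def listening_ports(netstat_text):
    """Return {port: pid} for every TCP socket in LISTENING state."""
    return {int(port): int(pid) for port, pid in LISTEN_RE.findall(netstat_text)}


def running_services(services_text):
    """Return the set of service names reported as Running."""
    return set(SERVICE_RE.findall(services_text))


def audit(netstat_text, services_text, allowlist):
    """Compare observed ports/services with the vendor list in both directions."""
    ports = set(listening_ports(netstat_text))
    services = running_services(services_text)
    return {
        "unexpected_ports": sorted(ports - allowlist["tcp_ports"]),
        "missing_ports": sorted(allowlist["tcp_ports"] - ports),
        "unexpected_services": sorted(services - allowlist["services"]),
        "missing_services": sorted(allowlist["services"] - services),
    }


if __name__ == "__main__":
    for key, items in audit(SAMPLE_NETSTAT, SAMPLE_SERVICES, VENDOR_ALLOWLIST).items():
        print(f"{key}: {items or 'none'}")
```

Any non-empty finding is a FAT punch-list item: an unexpected port or service means the hardening procedure was not applied as documented, and a missing one means it went further than the vendor's list allows.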

14.8 Security Monitoring

14.8.1 The system shall be provided with the capability to meet the security
event monitoring requirements defined in SAEP-99.

14.8.2 Security monitoring capabilities shall be provided and configured to
record security management activities, such as:
• System Events
• Security Events (i.e., logon events, privileged activities, user ID, user
type, transaction, and log source, etc.)

14.8.3 All logon events shall be monitored and recorded by the system.
Login events shall be recorded with date and time of login, user account,
and location of login. Records of logins shall be maintained on the
system for a minimum period of twelve months.

14.8.4 Failed login attempts shall not initiate an automatic ‘lock-out’ of the user
account.
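Because 14.8.4 rules out automatic lock-out, the only defence against password guessing on a PCS account is the monitoring that 14.8.2 and 14.8.3 require. The following is an added example, not code from the standard, of the detection a practitioner would run over the logon records: a sliding-window count of failed logons per account, a check for a success that follows such a burst, and a split of the records by the twelve-month retention period. The log lines, account names, station names and the five-failures-in-five-minutes threshold are constructed assumptions.

```python
"""Added example, not from the standard: detection over the logon records
required by 14.8.3, standing in for the lock-out that 14.8.4 rules out.
All log lines, accounts, stations and thresholds below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records: ISO timestamp, event, account, login location (station).
SAMPLE_LOG = """\
2020-02-20T07:58:10 LOGON        operator1 CONSOLE-01
2020-02-20T08:00:02 LOGON_FAILED pcsadmin  ENG-WS-03
2020-02-20T08:00:09 LOGON_FAILED pcsadmin  ENG-WS-03
2020-02-20T08:00:15 LOGON_FAILED pcsadmin  ENG-WS-03
2020-02-20T08:00:21 LOGON_FAILED pcsadmin  ENG-WS-03
2020-02-20T08:00:27 LOGON_FAILED pcsadmin  ENG-WS-03
2020-02-20T08:00:33 LOGON        pcsadmin  ENG-WS-03
2020-02-20T09:15:00 LOGON_FAILED operator2 CONSOLE-02
2020-02-20T13:40:00 LOGON_FAILED operator2 CONSOLE-02
2019-01-15T06:00:00 LOGON        operator1 CONSOLE-01
"""


def parse_log(text):
    """Return (timestamp, event, account, station) tuples in time order."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, event, account, station = line.split()
            records.append((datetime.fromisoformat(ts), event, account, station))
    return sorted(records)


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` LOGON_FAILED events inside any
    sliding `window`. Returns {account: (station, first_failure, last_failure)}."""
    recent, flagged = defaultdict(deque), {}
    for ts, event, account, station in records:
        if event != "LOGON_FAILED":
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:          # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and account not in flagged:
            flagged[account] = (station, q[0], ts)
    return flagged


def success_after_burst(records, bursts):
    """Successful logons on a flagged account after its burst: the pattern that
    separates a guessed password from an operator mistyping one."""
    return [(account, station, ts) for ts, event, account, station in records
            if event == "LOGON" and account in bursts and ts >= bursts[account][2]]


def retention_split(records, now_iso, keep_days=365):
    """14.8.3: records younger than twelve months must stay on the system;
    only the remainder may be archived or purged."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=keep_days)
    keep = [r for r in records if r[0] >= cutoff]
    expired = [r for r in records if r[0] < cutoff]
    return keep, expired


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    bursts = failed_login_bursts(recs)
    print("failed-logon bursts:", bursts)
    print("success after burst:", success_after_burst(recs, bursts))
    keep, expired = retention_split(recs, "2020-02-25T00:00:00")
    print(f"retain {len(keep)} records; {len(expired)} eligible for archive")
```

The two isolated failures on operator2 are not flagged; the five rapid failures on pcsadmin followed by a success are, and that is the case an operator console should annunciate rather than lock out.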

14.9 Application Whitelisting

14.9.1 Application whitelisting shall not be applied on PCS engineering
workstations or servers unless the configuration has been tested and is
supported by the automation vendor.

14.9.2 Application whitelisting shall be applied on any server or workstation
which is used to transfer data to removable media.

14.9.3 Application whitelisting shall be applied on any server located in the
DMZ which is used to transfer process data through the IT Firewall.

14.10 Backup and Recovery

14.10.1 Software tools shall be provided to enable a complete hard-drive image
backup for all workstations and servers which are part of the PCS
including all auxiliary systems. The backup and restore shall be capable
of being performed to a networked server which has access to
removable storage media which may reside on the PCS but is typically
implemented in the PAN. This functionality shall be provided using
standard, commercially available backup and restore software from
either Norton, Symantec or Acronis.

14.10.2 The PCS shall be configured to automatically perform backup for
control database, system configuration, and other vital information to a
separate hard-drive from the station where the data resides at a
minimum of once per week.

14.10.3 The system shall be configured to maintain a minimum of two sets of
complete backup and recovery data for each workstation, server and/or
controller connected to the PCS. Backup and recovery data shall be
maintained on a networked storage device connected to the PCS.

14.10.4 A complete system backup shall be performed on all new installations
of PCS equipment. This includes operating system and configuration
files. The backups shall be tested and verified during Factory
Acceptance Testing.

14.10.5 Two (2) backup copies on electronic media shall be provided of all
system software, application software, and system configuration post
SAT. The format and media of these copies shall be such that they can
be loaded directly into the system without additional translation or data
manipulation.

14.10.6 Refer to SABP-Z-047, Data Backup and Restore for Plant Networks and
Systems, for recommendations on development of a data backup and
restore strategy.
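The retention and freshness rules in 14.10.2 and 14.10.3 and the verification required by 14.10.4 can be turned into a routine check. The example below is added here and is not part of the standard or of any of the named backup products: it audits a backup inventory for nodes with fewer than two complete sets, a newest set older than a week, or a set stored on the same drive as the data it protects, and it verifies an image set against a SHA-256 manifest. The inventory, node names and drive letters are constructed, and the manifest is one way to verify a set, not a format any product prescribes.

```python
"""Added example, not from the standard or any backup product: check a backup
inventory against 14.10.2 / 14.10.3 and verify an image set by hash manifest.
The inventory and file contents below are constructed."""
import hashlib
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=7)   # 14.10.2: at least once per week
MIN_SETS = 2                  # 14.10.3: two complete sets per node

# Constructed inventory: node, source drive, backup drive, completion time, complete flag.
INVENTORY = [
    ("HIS-SRV-01", "C:", "E:", "2020-02-18T02:00:00", True),
    ("HIS-SRV-01", "C:", "E:", "2020-02-11T02:00:00", True),
    ("ENG-WS-01",  "C:", "C:", "2020-02-17T02:00:00", True),   # same drive as the source
    ("CONSOLE-01", "C:", "E:", "2020-02-05T02:00:00", True),   # stale, and only one set
    ("AV-SRV-01",  "C:", "E:", "2020-02-19T02:00:00", False),  # aborted run, not a set
    ("AV-SRV-01",  "C:", "E:", "2020-02-12T02:00:00", True),
]


def audit_inventory(inventory, now_iso):
    """Return {node: [problem, ...]} for every node that violates a rule."""
    now = datetime.fromisoformat(now_iso)
    by_node = {}
    for node, src, dst, ts, complete in inventory:
        by_node.setdefault(node, []).append((datetime.fromisoformat(ts), src, dst, complete))
    findings = {}
    for node, sets in by_node.items():
        problems = []
        complete = [s for s in sets if s[3]]
        if len(complete) < MIN_SETS:
            problems.append(f"only {len(complete)} complete set(s), need {MIN_SETS}")
        if not complete or now - max(s[0] for s in complete) > MAX_AGE:
            problems.append("newest complete backup older than 7 days")
        if any(s[1] == s[2] for s in sets):
            problems.append("backup stored on the same drive as the source")
        if problems:
            findings[node] = problems
    return findings


def build_manifest(files):
    """files: {name: bytes}. Returns {name: sha256 hex} to store beside the set."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_manifest(files, manifest):
    """Names whose content no longer matches the manifest, or that are missing."""
    return [name for name, digest in manifest.items()
            if name not in files or hashlib.sha256(files[name]).hexdigest() != digest]


if __name__ == "__main__":
    for node, problems in audit_inventory(INVENTORY, "2020-02-20T08:00:00").items():
        print(node, "->", "; ".join(problems))
    files = {"HIS-SRV-01.img": b"constructed image bytes", "HIS-SRV-01.cfg": b"db=1"}
    manifest = build_manifest(files)
    files["HIS-SRV-01.img"] = b"corrupted"          # simulate a damaged image
    print("manifest mismatches:", verify_manifest(files, manifest))
```

The manifest check is the part that turns "a backup exists" into "the backup can be restored": a set whose image no longer matches its recorded hash should be treated as no set at all when counting towards the two required.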

14.11 Miscellaneous

14.11.1 The system shall keep track of all configuration changes made to the
online database. A record of each change made to the database shall be
recorded with the user-id of the person who made the change, the time
and date the change was made and what was changed. These records
shall be maintained on the system for a minimum of one year.

14.11.2 Process control equipment that contains data storage shall be sanitized
in accordance with GI-0299.120 prior to disposal.

15 Integration and Interface

15.1 General Interface Requirement

15.1.1 Interfaces between the PCS and other subsystems or auxiliary systems
shall use standard hardware and software devices, which are compliant
with industry standard protocols. Modbus TCP/IP shall be used for
transfer of critical, real-time data. Modbus Serial may be used for systems
which do not support Modbus TCP/IP. For auxiliary systems which do
not support Modbus TCP/IP connection, Modbus Serial interface direct to
the DCS (without the use of protocol converters) is preferred.
Commentary Note:

This requirement does not apply to subsystems designed and
manufactured by the PCS vendor which reside on the same control
network. For systems which reside on the same control network, the
vendor’s standard method of communication between these systems
shall be utilized.

15.1.2 OPC Version 2.0 or higher may be used for monitoring only interfaces
and to interface with supervisory systems such as Data Historians, Alarm
Management Systems, Control Performance monitoring systems,
Advanced Process Control and others.

15.1.3 The interface between DCS and auxiliary control systems (such as ESD,
VMS, CCS, PLC, BMS, and others) shall utilize dedicated DCS
communications interface modules which connect to the DCS system at
the Controller or IO card level. Workstation or Server based interfaces
to other regulatory control or safety systems are not allowed.

15.1.4 Where OPC interfaces between DCS and other systems are implemented
using Operating System based workstations or servers, the
communications channel shall be routed through a Firewall. The firewall
shall be configured to allow only the required communications ports.
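Modbus TCP, mandated in 15.1.1 for critical real-time data, carries no authentication, session state or integrity protection of its own, which is why the standard relies on dedicated interface modules (15.1.3), firewalls (15.1.4), segregation and redundant paths rather than on the protocol. The exchange below is an added example, not code from the standard or any vendor: it builds a function-code 3 (Read Holding Registers) request and reply and parses the reply, rejecting length mismatches, exception responses and replies whose transaction identifier does not match the request. The unit identifier, register address and register values are constructed. One caveat for 15.1.4: classic OPC (DA 2.0 over DCOM) uses TCP 135 plus dynamically assigned RPC ports, so a firewall rule that "allows only the required ports" has to be paired with a restricted DCOM port range configured on both endpoints.

```python
"""Added example, not from the standard or any vendor: a Modbus TCP
Read Holding Registers (FC03) request/response pair with a parser that
rejects malformed, mismatched and exception replies. Values are constructed."""
import struct

# MBAP header: transaction id, protocol id (always 0), length, unit id.
MBAP = struct.Struct(">HHHB")


def build_read_holding(transaction_id, unit_id, start_addr, quantity):
    """Client request: MBAP + PDU(function 3, start address, register count)."""
    if not 1 <= quantity <= 125:
        raise ValueError("FC03 allows 1..125 registers per request")
    pdu = struct.pack(">BHH", 3, start_addr, quantity)
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_holding_response(transaction_id, unit_id, values):
    """Server reply: function 3, byte count, 16-bit big-endian registers."""
    pdu = struct.pack(">BB", 3, 2 * len(values)) + struct.pack(">%dH" % len(values), *values)
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(frame):
    """Split a frame into (transaction id, unit id, PDU), checking the header."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    return tid, unit, frame[MBAP.size:]


def parse_read_holding_response(frame, expected_tid):
    """Return the register values, or raise on a transaction-id mismatch
    (stale or injected reply), an exception response, or a bad byte count."""
    tid, unit, pdu = parse_frame(frame)
    if tid != expected_tid:
        raise ValueError(f"transaction id {tid} does not match request {expected_tid}")
    fc = pdu[0]
    if fc & 0x80:
        raise ValueError(f"exception response, code {pdu[1]} for function {fc & 0x7F}")
    if fc != 3:
        raise ValueError(f"unexpected function code {fc}")
    byte_count = pdu[1]
    if byte_count != len(pdu) - 2 or byte_count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:]))


if __name__ == "__main__":
    # Constructed exchange: DCS reads 4 registers from unit 1 starting at offset 0.
    req = build_read_holding(0x1234, 1, 0, 4)
    print("request :", req.hex())
    resp = build_read_holding_response(0x1234, 1, [1250, 1310, 45, 0])
    print("response:", resp.hex())
    print("registers:", parse_read_holding_response(resp, 0x1234))
```

The transaction-id check is the only replay resistance the protocol offers, and it is a 16-bit counter, which is exactly why the standard puts the interface on dedicated hardware behind a firewall rather than trusting the frames themselves.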

15.1.5 Redundant communication interfaces shall be supplied for any interface
which is used to send commands from the DCS to an auxiliary system for
operation and/or control. The requirement for redundant communications
applies to both the DCS and the auxiliary systems interface.

15.1.6 Where an auxiliary system does not support a redundant interface to the
DCS, consideration shall be given to the use of hard-wired I/O for
control commands with data used for monitoring only transmitted
through the communications interface. This decision shall be determined
on a project-by-project basis.

15.1.7 Where redundant communications are specified, no single component
failure in the DCS shall result in the loss of communication to any
subsystem.

15.2 Time Synchronization

15.2.1 Time clocks for all stations which are part of the PCS shall be
synchronized to 100 milliseconds or better.

15.2.2 Time synchronization using Global Positioning System (GPS) and a
networked time server which supports Simple Network Time Protocol
(SNTP) is the preferred method for synchronization of all stations
connected to the PCS.

15.2.3 Synchronization shall be performed at a minimum of once every
24 hours.

15.2.4 The system shall be configured to provide an alarm if any node is not
synchronized to the GPS time server.
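An added example, not from the standard, of the client-side check behind 15.2.1 and 15.2.4: it decodes an SNTP server reply using the RFC 4330 packet layout, computes the clock offset from the four timestamps, and flags an alarm when the offset exceeds 100 ms. It also rejects a reply whose originate timestamp does not echo the request, which is the minimal defence SNTP offers against stale or spoofed replies. The timestamps, node names and stratum value are constructed; a real node sends a mode-3 request over UDP port 123 and time-stamps the reply on receipt.

```python
"""Added example, not from the standard: decode an SNTP (RFC 4330) reply,
compute the clock offset, and raise the 15.2.4 alarm when it exceeds the
100 ms limit of 15.2.1. All timestamps and node names are constructed."""
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
SYNC_LIMIT_S = 0.100            # 15.2.1: 100 milliseconds or better


def to_ntp(unix_seconds):
    """Unix seconds (float) -> (seconds, fraction) of a 64-bit NTP timestamp."""
    whole = int(unix_seconds)
    return whole + NTP_EPOCH_OFFSET, int((unix_seconds - whole) * 2**32)


def from_ntp(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def build_server_reply(originate, receive, transmit, stratum=1):
    """48-byte SNTPv4 server packet: LI=0, VN=4, mode=4, stratum, poll,
    precision, root delay, root dispersion, reference id, four timestamps."""
    head = struct.pack(">BBBb", 0x24, stratum, 6, -20)
    head += struct.pack(">II4s", 0, 0, b"GPS ")
    stamps = b"".join(struct.pack(">II", *to_ntp(t))
                      for t in (receive, originate, receive, transmit))
    return head + stamps


def parse_reply(packet):
    """Return the fields a client needs; reject non-server or unsynchronized replies."""
    if len(packet) < 48:
        raise ValueError("SNTP packet must be at least 48 bytes")
    flags, stratum = packet[0], packet[1]
    if flags & 0x07 != 4:
        raise ValueError(f"not a server reply (mode {flags & 0x07})")
    if stratum == 0:
        raise ValueError("kiss-o'-death or unsynchronized server: discard")
    f = struct.unpack(">8I", packet[16:48])
    return {
        "version": (flags >> 3) & 0x07,
        "stratum": stratum,
        "originate": from_ntp(f[2], f[3]),
        "receive": from_ntp(f[4], f[5]),
        "transmit": from_ntp(f[6], f[7]),
    }


def clock_offset(t1, t2, t3, t4):
    """RFC 4330: ((T2 - T1) + (T3 - T4)) / 2, positive when the node is behind."""
    return ((t2 - t1) + (t3 - t4)) / 2


def check_node(node, t1, reply_packet, t4, limit=SYNC_LIMIT_S):
    """t1 / t4: the node's own clock when it sent the request and got the reply."""
    r = parse_reply(reply_packet)
    if abs(r["originate"] - t1) > 1e-3:
        raise ValueError("originate timestamp does not echo our request: stale or spoofed reply")
    offset = clock_offset(t1, r["receive"], r["transmit"], t4)
    return {"node": node, "offset_s": round(offset, 6), "alarm": abs(offset) > limit}


if __name__ == "__main__":
    # Constructed: CONSOLE-01 runs 300 ms fast, CONSOLE-02 is within the limit.
    t1 = 1582000000.5
    fast = build_server_reply(t1, 1582000000.25, 1582000000.25)
    print(check_node("CONSOLE-01", t1, fast, 1582000000.6))
    good = build_server_reply(t1, 1582000000.53, 1582000000.53)
    print(check_node("CONSOLE-02", t1, good, 1582000000.58))
```

The alarm condition in 15.2.4 is "not synchronized to the GPS time server"; a node that gets no reply at all, or only stratum-0 replies, should raise the same alarm as one whose offset is out of limits.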

15.3 Interface to Emergency Shutdown Systems

15.3.1 Emergency Shutdown System (ESD) bypasses, shutdown and reset
functions shall be engineered per Saudi Aramco Engineering Standard
SAES-J-601 requirements.

15.3.2 Communications between DCS and ESD systems for real-time process
data and operator commands shall be via dedicated, redundant
communications paths. The use of external protocol converters or
terminal servers for communications is prohibited.

15.3.3 There shall be no single point of failure in the system which would result
in the loss of communications between the DCS and ESD.

15.3.4 First Out and Sequence of Events

15.3.4.1 ‘First Out’ refers to the specific variable or tag which initiates a
shutdown of a particular process or equipment. First out must
be configured in the system initiating the shutdown.

15.3.4.2 ESD systems shall be configured to record ‘First-out’ data as
specified in SAES-J-601 Section 6.8.2.

15.3.4.3 First-out data shall be transmitted to the DCS for indication and
shall initiate an alarm to the DCS operator console responsible
for monitoring of the equipment.

15.3.4.4 The tagname, description, time & date, and process value of
the parameter which initiated the trip shall be shown on an
HMI display at the primary operator console whenever a
shutdown has occurred.

15.3.4.5 A Sequence of Events (SOE) log is a chronological listing
of all event messages from the ESD system.

15.3.4.6 The system shall be configured to enable console operators and
engineering / maintenance personnel to view SOE logs from
their respective consoles.

15.3.4.7 SOE messages shall NOT be configured to initiate a process
alarm at the DCS operator console. Alarming of SOE
messages is a major contributor to alarm floods.

15.3.4.8 For systems which store SOE messages in the DCS, the system
shall be configured to store a minimum of 9,000 messages.
The message repository shall be configured to automatically
overwrite older messages when the maximum number of
messages has been reached.

15.3.5 Input Bypasses

15.3.5.1 All inputs to shutdown logic shall have an input bypass switch
to facilitate maintenance and testing. Bypass switches shall be
software configured using a mechanism to restrict access to
activation or de-activation of the bypass.

15.3.5.2 Bypass commands sent from DCS to external shutdown
systems shall be configured as pulsed outputs to the external
system. Active bypass commands shall not be maintained in a
non-zero state across the interface to the external system.
Suitable logic shall be implemented inside the external system
to latch and unlatch the bypass command.

15.3.5.3 Status indication on the primary operator graphic shall be
visible whenever an input bypass is activated.

15.3.5.4 ESD bypass graphics shall be implemented in the DCS and
shall display the status of all maintenance bypasses, the
feedback from the ESD system that the bypass is activated, and
the current status of the input being bypassed. This is to allow
the operator to determine if the input is in a healthy state before
removing the bypass.

15.3.5.5 ESD bypass statuses may be integrated into ESD Cause and
Effect graphics as defined in Section 15.3.7 below.

15.3.5.6 Activation and de-activation of an input bypass shall be
recorded in an operator event log with time & date, tag ID and
station from which the activation occurred.

15.3.5.7 Input bypasses shall be re-alarmed at the DCS once every
8 hours for the period of time during which the bypass is
active. Re-alarm logic shall be implemented in the DCS.

15.3.6 Startup Bypasses

15.3.6.1 Startup bypass systems shall be configured for devices which
would prevent the normal startup of plant equipment,
(e.g., minimum flow for a pump, etc.).

15.3.6.2 Startup bypasses shall be configured in the system initiating the
shutdown for the equipment.

15.3.6.3 Startup bypasses shall be configured to be automatically
activated when all startup permissives have been met
(i.e., ready to start is active).

15.3.6.4 Automatic startup bypasses shall be reset automatically by the
system whenever the equipment is started successfully or after a
time period not to exceed thirty minutes, whichever is sooner.

15.3.7 Cause and Effect Displays

15.3.7.1 Cause and Effect (C&E) graphics showing the current status of
inputs and outputs associated with each Safety
Instrumented Function (SIF) shall be implemented at the
primary operator console HMI (e.g., DCS display) for all
projects installing new ESD systems or upgrade / replacement
of existing ESD systems.

15.3.7.2 C&E graphics shall be arranged to show the inputs for each
SIF with actual process values and the associated outputs of the
SIF, to enable operators to understand the inputs / outputs for
each function.

15.3.7.3 It is highly recommended to show the Bypass Status of each
input device on the C&E graphic and to enable initiation of a
bypass from the same graphic.

15.3.7.4 It is not necessary to have a separate graphic per SIF.
Multiple SIFs may be displayed on the same graphic provided
there is clear differentiation between the inputs / outputs of one
SIF from another.

15.4 Interface to Vibration Monitoring Systems

15.4.1 Vibration Monitoring Systems (VMS) are also referred to as Rotating
Machinery Protection Systems (RMPS) when bearing temperature
monitoring is integrated into the same platform as vibration monitoring.
For the purpose of this standard VMS is referred to as either VMS or
RMPS. VMS systems can be classified into two categories based on
their purpose: equipment protection and monitoring only.
The requirements below apply to VMS systems used for equipment
protection purposes only.

15.4.2 Communications between DCS and VMS systems shall be via dedicated,
redundant communications paths. Modbus TCP/IP is preferred method.

15.4.3 All inputs to the VMS systems shall be transmitted to the DCS for
display at the primary operator console. Real-time values shall be
transmitted once every two seconds as a maximum scan time.

15.4.4 The DCS to VMS link shall be configured to enable the console operator
to bypass individual vibration probes or bearing temperature sensors
from the primary operator screen at the DCS.

15.4.5 A separate graphic shall be provided for each equipment item or equipment train
(i.e., pump, gearbox, motor) to display VMS data. The following requirements apply
to each graphic:

15.4.5.1 The graphic shall contain a diagram of the equipment with the
current process value for VMS tags in the approximate
locations corresponding to where the data is being measured on
the equipment.

15.4.5.2 High and High-High alarms shall be visually indicated on the
process graphic when active. Alarming conventions shall be
similar to other process alarm variables.

15.4.5.3 Individual bypass indicators for each VMS tag shall be shown
on the display. The bypass indicator shall only be visible when
the specific probe to which the measurement relates is in
bypass mode at the VMS system.

15.4.5.4 The display shall be configured to enable the operator to
bypass an individual vibration probe or temperature sensor
within the VMS system from the operator console.
Bypassing shall require a minimum of two actions to initiate.
The decision on whether or not to implement special password
protection to initiate a VMS bypass shall be decided by the
project. Activation of a bypass shall be logged in the system as
an event with the time / date it was activated and the station
name / ID from which the bypass was initiated.

15.4.5.5 The display shall contain a selection box which shall be
configured to call up a real-time trend for all VMS data
associated with the equipment or equipment train. The trend
shall be configured to show the last thirty minutes of data.
For systems where there are more VMS tags than are allowed
on a normal real-time trend, multiple selection boxes shall be
configured to call multiple trends.

15.5 Interface to Compressor Control Systems (CCS)

15.5.1 Communications between the DCS and CCS shall utilize redundant
communications modules and paths.

15.5.2 Critical alarms generated in the CCS shall be transmitted to the DCS for
annunciation at the operator console responsible for operating the
machine.

15.5.3 The DCS / CCS interface and DCS graphics shall be configured to enable
all required control actions from DCS (i.e., changing the controllers to
manual, modifying the suction/discharge limiting setpoints, modifying the
load sharing setpoint, enabling/disabling the load sharing, etc.).

15.5.4 The DCS shall be configured to have a set of graphics for each
compressor. As a minimum, three graphics are required for each
machine: (1) Compressor operating display, (2) Compressor
performance display, and (3) Compressor equipment status display.

15.5.4.1 The compressor operating display shall show the entire
compressor recycle loop on a single graphic. This graphic
shall contain process data for all critical variables associated
with the compressor; including but not limited to: suction
pressure upstream of the suction throttling valve (if present),
compressor KO drum level, compressor suction pressure,
temperature and flow, compressor discharge pressure and
temperature, gas temperature downstream of any exit coolers,
compressor motor HP or Amperage, and recycle valve position.

15.5.4.2 For multi-stage compressors, the compressor operating display
may be designed using a single display per stage.

15.5.4.3 The compressor performance display is intended to show
parameters critical to the operation of the compressor
anti-surge control and compressor load-sharing, if applicable.
The compressor performance display shall display parameters
critical to the operation of the anti-surge control. As a
minimum, the display shall contain a live compressor operating
map which shows the location of the compressor operating
point with respect to the ASC control line. Data displayed on
the compressor operating map shall be transmitted from the
CCS to the DCS for indication and shall not be calculated
within the DCS.

15.5.4.4 Where load-sharing is configured for a compressor, a separate
‘load-share’ display shall be developed. This display shall
indicate the value of the load-share variable for each
compressor, the position of the load-sharing manipulated
variable for each compressor and the Process Value (PV),
Setpoint (SP), and Manipulated Variable (MV) of the overall
load-share control loop.

15.5.4.5 The compressor equipment status display shall show process
data associated with auxiliary systems used to support the
operation of the compressor. These shall include, but are not
limited to: lube-oil circulation systems, mechanical seal
systems, vibration and bearing temperature monitoring
systems, and turbine control systems for turbine driven
compressors.

15.6 Interface to Long-term Data Acquisition and Historization System (DAHS)

15.6.1 Communications between the DCS and DAHS shall utilize OPC
protocol.

15.6.2 The interface between the DCS and DAHS shall comply with the
requirements in 23-SAMSS-072.

15.6.3 The system shall be configured to have the DCS OPC Server
communicate with the DAHS OPC client.

15.6.4 The DCS OPC server shall support Data Access (DA) and Historical
Data Access (HDA) functionality to enable backfilling of data in the
event of communications disruption.

15.6.5 The design of the interface shall consider segregation of tags by major
operating area into separate interfaces or scan nodes in order to distribute
loading. Where multiple interfaces or scan nodes are provided, DCS
tags shall be assigned to OPC Servers running on servers within the
operating area to which the interface is assigned.

15.6.6 All field inputs, controller PV, SP, and MV values and other critical
process data shall be configured to be transmitted to the DAHS.
This requirement applies to signals wired directly to the DCS and also
auxiliary systems data interfaced to the DCS through communications
links.

15.6.7 Scan rates for DAHS tags are defined in the DAHS system. The system
design shall ensure that scan rates do not produce excessive loading on
the DCS modules and/or control networks. Testing shall be conducted
during FAT to verify the additional loading due to DAHS scanning is
within the vendor’s recommended guidelines.

15.7 Interface to Third Party Packaged Systems

15.7.1 Where PLCs, or stand-alone control systems, are provided to control
process equipment supplied by the equipment manufacturer, the PLC shall
be integrated into the DCS.

15.7.2 All critical variables monitored and / or controlled by the PLC shall be
transmitted to the DCS for display on process displays on the associated
operator console. The interface shall not be used to pass signals used for
control action between the DCS and PLC. Control signals, where
required, shall be hard-wired.

15.7.3 If supported by the PLC, PLC device status indication shall be
transmitted to the DCS for monitoring and alarming at the operator
console responsible for the equipment.

15.7.4 The requirements in Section 15.1 above shall apply for interfacing of
third party packaged equipment.

15.8 Interface to Electrical Substation Equipment

15.8.1 The requirements in this section apply to the interface between the PCS
and either a Power Monitoring System, a Substation Automation system,
and to individual motor control centers. These systems are collectively
referred to as ‘Electrical Substation Equipment’ within this standard.

15.8.2 The use of OPC, Modbus or IEC-61850 protocol for transferring run
status of individual motors and for monitoring of the status of electrical
equipment is acceptable.

15.8.3 The use of OPC, Modbus or IEC-61850 protocol for sending commands
(e.g., start / stop) to Electrical Substation Equipment shall be limited to
non-critical motors only.

15.8.4 The requirements for segregation of redundant equipment in the PCS
shall apply to commands sent from the DCS to Electrical Substation
Equipment. This standard does not dictate the design of the Electrical
Substation equipment; however, the PCS designer shall consider the
requirements for segregation and redundancy when determining at what
level to provide the interface.

15.8.5 Where the interface between the DCS and the Power System Automation
(PSA) is implemented as a single interface on a plant-wide level (PSA
Level 3 as per SAES-P-126), the DCS interface shall utilize redundant
interfaces.

16 Cabinets

16.1 General

16.1.1 Any cable used to interconnect equipment which is physically located in
different cabinets, shall be tagged with source and destination on both
ends.

16.1.2 All Cabinets and the equipment therein shall have nameplates permanently
attached indicating the service description. Nameplates shall comply with
the relevant sections of 34-SAMSS-820 specific to nameplates.

16.1.3 All cabinets shall be equipped with lockable doors.

16.2 System Cabinets

16.2.1 System cabinets shall be NEMA Type 1 as per NEMA 250 and
NEMA ICS6.

16.2.2 The requirements for wiring, spacing, cabling, terminal blocks and wire
ducts in 34-SAMSS-820 shall apply for wiring associated with the
following:
 Power supply and power distribution
 Utility power, lighting, and convenience outlets
 Intermediate terminal strips for I/O wiring
 Grounding
Commentary Note:

It is not the intent to dictate to DCS vendors and the like, the method of
interconnecting and mounting their standard proven equipment.
However, the wiring for system power, lighting, convenience outlets, field
terminal wiring and input/output wiring between intermediate terminal
strips within these cabinets shall adhere to this specification.

16.2.3 Input/Output (IO) cards and associated vendor termination assemblies (if
required) shall be housed in the same cabinet.

16.2.4 Vendor standard cables shall be designed and installed in such a way as
to allow cable disconnection in order to service the equipment.
Commentary Note:

Vendor standard cables refer to cables which are pre-manufactured and
have a standard DCS vendor part number. These cables are most often
used for interconnecting chassis within a system cabinet and
communications between various components of the system.

16.2.5 Vendor system cabinets shall be designed to utilize prefabricated system
cables between the system cabinet and marshalling cabinets to facilitate
connection of cables between cabinets at site. Cable connectors shall be
passive devices with screw type connection per cable core on one side
and D-SUB connection on the other. Cable connectors shall meet the
requirements of IEC 60807-2 and shall support a maximum cable
connection size of 12 AWG.

16.2.6 System cabinets shall be fitted with replaceable or washable filter
screens inserted behind slotted louver inlets for air circulation.
Filter screens shall be installed for easy maintenance access and shall be
large enough to provide sufficient air intake flow.

16.3 Marshalling Cabinets

16.3.1 Marshalling cabinets shall comply with the requirements of
34-SAMSS-820, “Instrument Control Cabinets”.

16.3.2 Marshalling cabinets shall be designed for termination of field cables
only as per SAES-J-902, except for systems which would fit into a single
cabinet as per 34-SAMSS-820.

16.4 Network and Server Cabinets

16.4.1 Network / Server equipment located in Central Control buildings (CCB)
may be installed in industrial strength network / server cabinets
conforming to the EIA / ECA 310 specification. NEMA type 1 cabinets
shall be used for network / server cabinets located in Process Interface
Buildings or other locations.

16.4.2 Network / Server cabinets located in CCB which meet the air
conditioning requirements specified in SAES-J-003, Instrumentation and
Control Buildings Basic Design Criteria, may have perforated doors to
facilitate air circulation.

16.4.3 The requirements in Section 17, “Electrical Wiring and Power
Distribution” shall apply for all network and server cabinets.

16.4.4 Network cabinets and server cabinets which contain multiple servers
which utilize fiber optic Network Interface Cards (NIC) shall be
equipped with Fiber Optic Patch Panels to terminate fiber optic cables
entering or exiting the cabinet.

16.5 Cabinet Protection

16.5.1 All cabinets shall contain an analog temperature sensing device.
This device shall be connected to the DCS to provide cabinet
temperature indication and to provide high temperature alarm at 35°C.
Note: This requirement does not apply to marshalling cabinets.

16.5.2 All cabinets shall be designed to ensure the heat rise within the cabinet
does not exceed 10°C.

16.5.3 Air circulation fans shall only be used in cabinets where the heat rise in
the cabinet would exceed 10°C without the use of fans.

Commentary Note:

The requirement for maximum heat rise within the cabinet of 10°C is to
ensure that the temperature within the cabinet does not exceed 35°C.
The normal ambient temperature within air conditioned buildings is 22°C.

16.5.4 Where circulation fans are required, redundant air circulation fans shall
be provided. Heat load calculations may take credit for heat dissipation
from air circulation for only one of the redundant fans.

16.5.5 Cabinet cooling fans shall be sized to handle 20% more air flow by
volume than the amount required from the heat dissipation calculation.
Commentary Note:

As an example, if the heat dissipation calculation requires the air volume


of the fan to be 150 CFM, fans should be sized to deliver 180 CFM.

16.5.6 Cabinets which contain redundant cooling fans shall be configured to
have one fan run continuously and the other fan energized based on
the temperature inside the cabinet. Activation of the redundant fan shall
be at 30°C.

16.5.7 Filter screens for cabinets which contain cooling fans shall be sized
to provide sufficient air intake flow.

16.5.8 Cabinets which house power supply modules shall be equipped with a
High Sensitivity Smoke Detector (HSSD). HSSD devices may be air
sampling or electronic point type. HSSD shall be addressable type and
connected to the Control Room Fire Alarm Control Panel (FACP).

17 Electrical Wiring, Power Supply, and Power Distribution

17.1 Electrical Wiring

Electrical wiring up to but excluding vendors' standard cabinets shall be
designed in accordance with Saudi Aramco Engineering Standard SAES-J-902.

17.2 Power Supply

17.2.1 DCS Cabinets with active electronic components shall be fed from
parallel redundant UPS system or dual stand-alone UPS systems as per
SAES-P-103. For sites utilizing parallel redundant UPS systems,
separate output power circuit breakers feeding redundant UPS power
distribution panels are required.

17.2.2 Two separate UPS circuits shall be used to supply UPS power to DCS
cabinets. Each circuit shall be connected to separate UPS power
distribution panels.

17.2.3 Redundant UPS power feeders shall be terminated to individual circuit
breakers within the DCS cabinet.

17.3 Power Distribution within Cabinets

17.3.1 There shall be no single point of failure which would result in the loss
of functionality of both modules of a redundant pair in the power supply
for DCS controllers, servers, networking equipment or other critical
components.

17.3.2 Cabinets shall be equipped with power distribution panels for
distribution of power to equipment located within the cabinet.

Commentary Note:

The term “power distribution panel” in the above requirement and
subsequent requirements of this section refers to a collection of DIN-rail
mounted circuit breakers and/or fused terminal blocks, terminal blocks
and wiring used to distribute power to multiple loads from a single
source.

17.3.3 Terminal blocks in the power distribution panel shall be segregated by
voltage level as per SAES-J-902.

17.3.4 Power distribution terminal block wiring shall not be daisy-chained
using wires or crimp connectors. Jumper bars or preformed jumper
combs designed for the specific terminal blocks in use shall be used for
distribution of power to multiple terminal blocks.

17.3.5 Each power supply circuit shall be individually fused or protected by a
circuit breaker.

17.3.6 Wiring, terminal blocks, wire tagging, and terminal block coding within
the power distribution panel shall be as per the requirements defined in
the relevant sections of 34-SAMSS-820.

17.3.7 Power supply circuits shall be clearly labeled. Branch circuits or power
cords to redundant modules shall be clearly labeled identifying the
circuit to which they are connected.

17.3.8 Redundant power supply circuits shall be provided for the following, as
a minimum:
a) Process controllers
b) Input and output modules


c) Communication modules
d) Process Control Network equipment

17.3.9 Equipment which accepts redundant AC power supply input circuits
shall be fed from separate, redundant power circuits within the cabinet.
Each circuit shall be fed from separate, redundant UPS power sources
within the cabinet power distribution panel.

17.3.10 Equipment which accepts redundant DC power supply input circuits
shall be fed from separate, redundant DC power supply modules.
Each DC power supply module shall be sized to accommodate 110% of
the maximum expected load.

17.3.11 Redundant 24 VDC power supplies shall be provided in cabinets
containing instrument circuits which require an external 24 VDC power
source (e.g., not powered from the DCS I/O card). Both power supplies
shall be used to feed a single DC power bus through the use of DC
diode auctioneering to ensure bumpless transfer in the event of a single
power supply failure.

Commentary Note:

It is highly recommended to install external 24 VDC power supply
modules at the top of the cabinet to minimize the effect of radiated heat on
other components within the cabinet.
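The following is an added example, not part of SAES-Z-001, showing one way to verify the "no single point of failure" rule of 17.3.1 against a cabinet's power distribution design, using the separate UPS circuits, distribution panels and individual breakers required by 17.2.2, 17.2.3 and 17.3. The topology, device names and breaker labels are constructed for illustration.

```python
# Added example (not from SAES-Z-001): power-path check for 17.3.1.
# `feeds` maps each load to the components that feed it; UPS sources
# are leaf nodes. All names below are constructed for illustration.

def is_powered(feeds, node, sources, removed):
    """True if `node` can trace a feed path back to a UPS source
    without passing through any component in `removed`."""
    stack, seen = [node], set()
    while stack:
        n = stack.pop()
        if n in removed or n in seen:
            continue
        seen.add(n)
        if n in sources:
            return True
        stack.extend(feeds.get(n, ()))
    return False


def single_points_of_failure(feeds, sources, pair):
    """Components whose individual loss would de-energize both modules
    of the redundant `pair`, i.e. a violation of 17.3.1. UPS sources,
    panels and breakers are all candidates; the pair itself is not."""
    components = set(feeds) | {p for parents in feeds.values() for p in parents}
    components -= set(pair)
    return sorted(c for c in components
                  if not any(is_powered(feeds, m, sources, {c}) for m in pair))


UPS_SOURCES = {"UPS-A", "UPS-B"}          # dual stand-alone UPS (17.2.1)
CONTROLLER_PAIR = ("CTRL-A", "CTRL-B")    # redundant process controllers

# Compliant: each module has its own breaker, panel and UPS (17.2.2, 17.2.3).
COMPLIANT = {
    "PDP-A": ["UPS-A"], "PDP-B": ["UPS-B"],
    "CB-1": ["PDP-A"], "CB-2": ["PDP-B"],
    "CTRL-A": ["CB-1"], "CTRL-B": ["CB-2"],
}

# Non-compliant: both breakers hang off the same distribution panel,
# so losing PDP-A (or UPS-A) drops both controllers.
NONCOMPLIANT = {
    "PDP-A": ["UPS-A"],
    "CB-1": ["PDP-A"], "CB-2": ["PDP-A"],
    "CTRL-A": ["CB-1"], "CTRL-B": ["CB-2"],
}

if __name__ == "__main__":
    for name, topo in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(name, single_points_of_failure(topo, UPS_SOURCES, CONTROLLER_PAIR))
```

Because the check removes one component at a time and re-tests reachability, it also handles loads with more than one feed path, such as a simplex workstation behind the ATS of 17.4.2.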

17.4 Power Supply and Distribution to Consoles and Workstations

17.4.1 Workstation equipment installed within operator consoles shall be fed
from UPS power sources. This requirement applies to the processor,
monitor, and other peripheral devices associated with the workstation.

17.4.2 An automatic AC power transfer switch (ATS) shall be supplied where
operator workstations accept only a single power feed. The ATS shall be
connected to redundant UPS power sources in order to provide redundant
UPS power to operator workstations with simplex power connections.

17.4.3 Commercially available multiple outlet power strips may be used to
distribute power to multiple components of a workstation (i.e., processor,
monitor, and associated peripheral devices) provided that each power
strip feeds equipment associated with a single workstation. The power
strip must provide integral short circuit protection, have an integral
circuit breaker and must carry either UL listing, CSA certification,
or CE marking. The power strip shall be capable of locking the power
cord (i.e., twist-lock) to prevent accidental loss of power.


17.5 Utility Power

17.5.1 Duplex-type convenience outlets, rated at 120 or 230 VAC, 15 amp, shall
be provided for utility power within System Cabinets, Network
Cabinets and Server Cabinets. One convenience outlet shall be provided
per bank of three cabinets, as a minimum. The cabinet
containing the outlet shall be selected to minimize the distance between that
cabinet and the other cabinets for which the outlet may be utilized.
The distance between the cabinet containing the outlet and any other
cabinet in the bank of three cabinets shall not exceed 20 feet.

17.5.2 Two duplex-type convenience outlets, rated at 120 or 230 VAC, 15 amp,
shall be provided within each console for utility power. The outlets shall
be placed on opposite sides of the console to enhance availability.

17.5.3 Convenience outlets shall be wired to a separate terminal strip which in
turn is sourced from a non-UPS AC source.

17.6 Grounding

17.6.1 Grounding design shall be per vendor standard recommendations and per
the applicable sections of SAES-J-902; whichever is more stringent.

17.6.2 Grounding philosophy shall be consistent with Saudi Aramco Library
Drawing number DC-950150 unless specifically prohibited by the PCS
vendor.

18 Process Control Networks

18.1 General

18.1.1 Process Control Network cabling installed indoors shall be placed in
ladder, trough or solid bottom cable trays as per SAES-J-902.

18.1.2 Redundant control network cables installed indoors shall not be installed
in the same cable tray. This requirement does not apply to cables located
within a PCS cabinet.

18.1.3 Redundant control network cables installed outdoors (e.g., between
buildings) shall be diversely routed. Installation of redundant control
network cables in the same cable tray shall be avoided where possible
and practical.

18.1.3 Data Highway or network communication cables shall maintain a
minimum separation of 75 mm from any AC power cables. Fiber optic
cables are excluded from this requirement.

18.1.4 Wireless technology shall not be used for DCS networks.

18.1.5 The Process Control Network shall not be routed to Operator Shelters.
Where project requirements dictate a need for system monitoring
capabilities in the operator shelter, the workstation in the shelter shall be
provided with the capability to establish a remote session with an
Engineering server connected to the PCS through remote desktop or
Windows Terminal Services.

18.2 Fiber Optic Cabling

18.2.1 Fiber optic cables within any cabinet shall be routed in plastic wire ducts
or protective conduit. Where routing within the wire duct would exceed
the minimum bend radius of the cable, protective conduit shall be used.

18.2.2 Fiber Optic (FO) cables used for process control networks may be
installed in the same tube bundle as FO cables used for IT traffic
provided that the fibers used for process control are separate and
dedicated for process control network traffic.

18.2.3 Fiber optic cables routed between process control cabinets shall be
terminated in Fiber Optic Patch Panels (FOPP) located in the source and
destination cabinets. This requirement does not apply to patch cords.

18.2.4 Fiber optic cables which are installed for the Process Control Network
shall have a minimum of 25% spare fiber optic cores. This requirement
does not apply to patch cords.

18.2.5 All fiber optic cables shall be labeled with source and destination
address.

18.2.6 Installation of fiber optic cables between buildings for process control
network cabling shall be in accordance with Saudi Aramco Engineering
Standard, SAES-Z-020, “Design and Installation of Fiber Optic Cable-
Systems for Process Control Networks”.

19 Environmental Conditions

PCS equipment shall meet the environmental requirements defined in 23-SAMSS-010.

20 Control Rooms

Control room design shall be per SAES-J-003.


21 Inspection and Testing

PCS equipment shall be subject to the Inspection and testing requirements defined in
23-SAMSS-010.

22 Documentation

PCS equipment shall be supplied with documentation described in 23-SAMSS-010.

Revision Summary
22 July 2012 Major revision.
29 October 2015 Minor revision to revise security related requirements to align with SAEP-99.
20 December 2017 Revised the “Next Planned Update,” re-affirmed the content of the document, and reissued as major revision.
1 January 2018 Editorial revision to modify paragraphs 5.4, 14.6.1, 15.3.5.5, 17.6.2, 18.1.4, etc.
2 May 2019 Editorial revision as part of content confirmation assessment
25 February 2020 Editorial revision as part of content confirmation assessment
