NORSOK STANDARD

COMMON REQUIREMENTS

SAFETY AND AUTOMATION SYSTEMS

(SAS)

I-CR-002
Rev. 1, December 1994

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

CONTENTS
1. FOREWORD

2. SCOPE

3. NORMATIVE REFERENCES

4. DEFINITIONS AND ABBREVIATIONS

4.1 Definitions
4.2 Abbreviations

2
2
4

5. FUNCTIONAL REQUIREMENTS
5.1 Control levels, distribution
5.2 SAS functions
5.3 Package integration and categorising
5.4 Man machine interface
5.5 Process and system alarms, events
5.6 Programming

5
5
6
9
10
12
13

6. SYSTEM REQUIREMENTS
6.1 Hardware
6.2 Software

14
14
15

ANNEX A

16
18

GUIDELINE FOR TESTING

ANNEX B
Guidelines for Time Response

_______________________________________________________________________________
NORSOK Standard
1 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

FOREWORD
This standard has been developed by the NORSOK Standardisation Work Group.

SCOPE
This standard covers functional and technical requirements and establishes a basis for
engineering related to Instrument Control and Safety System Design. This standard shall be
used together with I-CR-001, Field Instruments and I-CR-003, Installation of electrical,
instrument & telecommunication. It is the companies aim to utilise system vendors
standards in order to achieve the most cost effective solution, also considering LCC.

NORMATIVE REFERENCES
ISO 10418 Recommended practice for analysis, design, installation and testing of basic
surface safety systems on offshore production platforms.
EN 50081-2 Electromagnetic compability generic emission standard.
EN 50082-2 Electromagnetic compability generic immunity standard.

DEFINITIONS AND ABBREVIATIONS

4.1

Definitions
SAS

SAS is defined as the overall Safety and Automation System.

SAS performs monitoring, logic control and safeguarding of a
plant. SAS comprises all control equipment as a total, integral
concept, either from one vendor or aquired from from several
sources.
Subsystems made as stand-alone units communicating through
custom made serial links are also considered as part of SAS.
System Topology Principles as shown in figure 1 are applicable
independent of the SAS size and complexity.

_______________________________________________________________________________
NORSOK Standard
2 of 20

Safety and Automation Systems (SAS)

Figure 1

I-CR-002
Rev. 1, December 1994

Typical SAS Topology

_______________________________________________________________________________
NORSOK Standard
3 of 20

Safety and Automation Systems (SAS)

4.2

I-CR-002
Rev. 1, December 1994

SAS unit

SAS unit consists of CPU with associated equipment such as I/O

racks and cards, bus communication, power supplies, signal
conditioning units and termination facilities for field cables.
Operator stations and gateways are also considered as SAS units.

Inhibit

Inhibit function disables action of the input signals, however the

alarm will be displayed.

Override

Overide function set the output signal to predefined position,

independent of changes in logic status.

Supression of alarm

A supression function disables the alarm while the signal action

is maintained.

Alarm filtering

Alarm filtering is a supression of secondary alarms.

PDS

PDS is a reliablility/availability calculation procedure available

from SINTEF

Abbreviations
ANSI
API
CCR
CPU
DnV
ESD
F&G
FAT
FB
FWP
HVAC
IEC
IFEA
IMS
ISA
ISO
LED
LER
MCC
MMI
NDE
NE
NPD
OLF

American National Standard Institute

American Petroleum Institute
Central Control Room
Central Processing Unit
Det norske Veritas
Emergency Shut-Down (System), including Process
Depressurisation
Fire and Gas
Factory Acceptance Test
Function Block
Fire Water Pump
Heating Ventilation and Air Conditioning
International Electrotechnical Commission
(The Association for Electrotechnic and Automation in Industry)
Industriens Forening for Elektroteknikk og Automasjon
Information Management System
Instrument Society of America
International Standard Organisation
Light Emitting Diode
Local Equipment Room
Motor Control Centre
Man-Machine Interface
Normally de-energised
Normally Energised
Norwegian Petroleum Directorate
Oljeindustriens Landsforbund

_______________________________________________________________________________
NORSOK Standard
4 of 20

Safety and Automation Systems (SAS)

OS
PCS
PDCS
PDS
PSD
RIO
RTD
SINTEF

T/C
SAS
UPS
VDU
LCC

I-CR-002
Rev. 1, December 1994

Operator Station
Process Control System
Power Distribution Control System
Plitelighet av datamaskin baserte sikkerhetssystemer (reliability
of computer based safety systems)
Process Shut-Down (System)
Remote Inputs/Outputs
Resistance Temperature Device
Stiftelsen for Industriell og Teknisk Forskning ved Norges
Tekniske Hyskole (The Foundation for Scientific and Industrial
Research at the Norwegian Institute of Technology)
Thermo Couple
Safety and Automation System
Uninterrupted Power Supply
Visual Display Unit
Life Cycle Cost

FUNCTIONAL REQUIREMENTS

5.1

Control levels, distribution

Main high speed communication bus shall always be redundant. Each SAS unit shall be
connected to both buses.

5.1.1

Area related distribution

The area related distribution as described below is considered as a guideline and shall not
exclude alternative solutions and combinations.
ESD
I.
II.
III.

Shall be located in room safe by location.

Shall be centralised, in vicinity of CCR.
RIOs may be used.

F&G
I.
II.
III.

Shall be located in rooms safe by location.

May be distributed/or centralised.
Addressable detectors (field bus) and RIOs may be used.

PCS
I.
II.
III.
IV.

Should be located in rooms safe by location.

May be distributed and/or centralised.
Instrument field bus and RIOs may be utilized.
Field bus units (multiplexers) may be utilized.

_______________________________________________________________________________
NORSOK Standard
5 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

PSD
I.
II.
III.
IV.

Should be located in rooms safe by location.

May be distributed or centralised.
Instrument field bus and RIOs may be utilized.
Field bus units (multiplexers) may be utilized.

PDCS
I.
II.
III.
5.1.2

Should be located in rooms safe by location.

May be distributed and/or centralised.
Intelligent MCC bus and/or RIOs may be utilized.

Functional Distribution
The process systems shall be logically distributed into separate SAS units and/or SAS
programs in order to optimise mechanical completion, commissioning and maintenance.

5.2

SAS functions

5.2.1

ESD
The ESD system shall have the following features:
I.

It shall be possible to test the ESD logic without degrading the platform safety and
reducing the production rate.

II.

The platform shall be protected even in case of loss of power or single failure of
electronic parts.

III.

Common ESD reset function shall be provided in the CCR, in addition to local
resets.

IV.

Status of the ESD system, ESD valve status, inhibit and override facilities shall be
available in the CCR.

V.

It shall be possible to initiate any ESD level from the CCR.

VI.

PDS or an equal calculation method shall determine the ESD system configuration,
aiming for a simple solution.

VII. The ESD information and operation shall be easily accessible to the CCR operator
without unnecessary time delay.
VIII. The operator interface may be a VDU based solution or a combination of LED/switch
operated matrix and VDU(s).
IX. The ESD output signals to field devices shall be hardwired.
_______________________________________________________________________________
NORSOK Standard
6 of 20

Safety and Automation Systems (SAS)

5.2.2

I-CR-002
Rev. 1, December 1994

X.

ESD dedicated field bus may be used for ESD inputs.

XI.

Communication between ESD and F&G can be by means of a dedicated safety bus,
serial links or hardwired.

F&G
The F&G system shall have the following features:
I.

The F&G system should be non-redundant provided successful verification based on

PDS or an equal calculation method.

II.

It shall be possible to override PA alarms and FWP start due to the on-line test
requirements.

III.

Delay of audible PA alarms to LQ and possibility for inhibition of the audible alarms
shall be provided in the CCR.

IV.

Facility for manual start of FWPs shall be provided in the CCR.

V.

Addressable detectors (field bus) may be used.

VI.

Fire fighting release from the F&G system shall be hardwired.

VII. Communication F&G and ESD can be by means of dedicated safety bus, serial links
or hardwired.
VIII. Information about geographical arrangements of detectors and fire areas shall be
available in the CCR.
IX.

It shall be visually distinguished between fire and gas alarms.

X.

Hot work status, per safety area should be available in the CCR.

XI.

Status of F&G alarms, inhibits, override and release of protection facilities shall be
provided in the CCR.

XII. Selection of FWP priorities, running/available status of FWPs, ring main pressure
and FWP fault indication shall be available in the CCR.
XIII. The F&G information shall be easily accessible to the CCR operator without
unnecessary delay.
XIV. The information on an integrated F&G mimic/matrix shall be kept to a minimum and
the F&G mimic/matrix shall typically contain:
XV. Common gas alarm per safety area.
XVI. Common fire alarm per safety area.
_______________________________________________________________________________
NORSOK Standard
7 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

XVII. Common indication of any inhibit per safety area.

XVIII.Override and release facilities of protection skids and electrical isolation.
XIX. The mimic/matrix interface will normally be a LED/switch operated solution,
however other techniques can be utilised.
5.2.3

HVAC
The HVAC safety related functions should be integrated in the F&G system. No separate
SAS unit for HVAC functions should be implemented.

5.2.4

PCS
LED/switch operated process mimic should be avoided. PCS statuses and operation
commands should be available on VDU only.

5.2.5

PSD
PSD functions shall be implemented in separate SAS unit(s). Machinery protection is not
considered as PSD level.

5.2.6

PDCS
The purpose of the PDCS is to control and monitor the electric power generation and
distribution network.

5.2.7

MCC
The MCC may be controlled from any SAS unit and following principles are acceptable:
I. Distributed concept based on suppliers standard intelligent MCC bus concept.
II. RIO with potential free contacts rated for the voltage used in MCC control circuitry.
III.Hardwired signals.
The MCC shall proceed into pre-defined selectable state (on/off/steady) in the event of loss
of data communication.
The PDCS status shall be available in CCR. Separate LED/switch operated electrical
mimic panels should be avoided. PDCS status should be available on VDU screen pictures.

5.2.8

IMS (when required)

On line communication to shore shall be possible.
IMS shall typically receive and process data from the following external systems:
I. Fiscal Metering

II. Mooring and Positioning System

_______________________________________________________________________________
NORSOK Standard
8 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

III.Ballast system
IV.Environmental and Platform Monitoring System
V. Corrosion Monitoring System
VI.Condition Monitoring System
VII.Fuel & flare gas metering
VIII.Oil Storage and Off-loading System
Typical IMS functionality is:
I. Long term storage of alarms and events.
II. Trend data storage.
III.Long term storage of selected measurements values.
IV.Alarm analysis.
5.3

Package integration and categorising

This section gives guidelines to how process and utility equipment supplier packages can
be integrated into the SAS, and how operation and control accordingly will be carried out.
The individual package unit can have different operation and control philosophy within a
plant, depending on operational requirements. Start-up of equipment packages may be
performed from the CCR, while other packages may have a requirement for local start.

5.3.1

Category of packages.
I. Category A, SAS integrated packages.
Packages fully integrated in SAS standard hardware/software. Control and monitoring
are programmed / configured in the SAS system by the project according to Package
Vendor specifications.
I. Category B, SAS partly integrated packages.
Package with control functions programmed/configured by Package Vendor in standard
SAS hardware / software. Non standard hardware may be used for special functions
like turbine governor.
I. Category C, SAS Stand-alone packages.
Packages with only serial link or hardwired signal communication interface to other

_______________________________________________________________________________
NORSOK Standard
9 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

SAS units. Vendor supplies separate logic for machinery protection, control and
monitoring.
I. Category D, Stand-alone locally controlled packages.
Packages with local control only. Vendor supplies separate logic unit for control.
These control units are not considered as SAS units and no external communication is
required.
5.4

Man machine interface

The general design basis for the MMI shall be the SAS Vendor standard .

5.4.1

Operator station
The CCR Operator Stations shall as a minimum meet the following functional
requirements:
I. The SAS shall give possibility to monitor all process and safety signals from any
Operator Station. Silent type of alarm/event printers shall be located in CCR or in area
adjacent to CCR.
I. The operator shall be able to request a colour hard copy of any VDU picture.
I. Number of printers shall be kept at a minimum. Failure of one OS or one printer shall
not stop printing possibilities. The printout shall be available on request.
Local operator stations may be used in local panels.
Temporary Operator Stations should be available for test and commissioning purposes.

5.4.2

Display system arrangement

The display system shall allow for a minimum of three levels - overview, system and subsystem displays. Additionally the system shall allow for object displays. Direct jump
between pictures shall be possible.
The following display types should be available to the operator:
I. Process / utility mimic display.
II. Cause and effect shutdown display.
III.Object display.
IV.Trend display.

V. Alarm list.
_______________________________________________________________________________
NORSOK Standard
10 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

VI.Event list.
VII.Sequence display.
VIII.Control display.
5.4.3

Use of colour
The colour coding as shown in tables below shall be used for process and service lines and
equipment. Further definition may call for lines consisting of dashes of different colours if
lines or equipment are designed for multiple fluids.
Table 1 Coulors of process and utility medium
Process/utility medium
Oil
including diesel, crude, lubrication,
seal, hydraulic oil and drilling mud.
Gas
including fuel, HP, LP, injection,
relief, flare gas.
Water
including potable, ballast, drill,
produced, cooling, injection water and
steam.
Air
including instrument and plant air.
Fire fighting
including fire water and foam.
Chemicals
including glycol, scavenger, chemicals,
cooling and heating medium, drilling
and other chemical additives.

Colour selections
Brown

Yellow

Green

Blue
Orange
Violet

Table 2 Colours of electrical systems

Electrical systems

Colour selection

11 kV
690 V
400/230 V
230V UPS

Blue
Orange
Yellow
Brown

_______________________________________________________________________________
NORSOK Standard
11 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

Table 3 Colours of alarms

Process / Utility medium

Colour selection

Active alarm
Warning
Fault alarm status
Suppressed/blocked

Red
Yellow
Violet
Blue

System related functions should be the SAS suppliers standard.

5.4.4

Use of symbols
SAS vendor standard VDU symbols shall be used.

5.4.5

Trend facilities
The SAS shall have capabilities for short and long term trending of any analogue signal.
On line structuring of trends should be available.

5.5

Process and system alarms, events

5.5.1

Definitions
Alarms arise when an abnormal situation occurs.
Example: HH level in separator, motor overload.
Event is a change of process status or operators interaction with process.
Example: Change of controller's setpoint.
System alarm is activated if SAS functions fail or exceed pre-defined limits.
Example: Digital input card failure or analogue input less than 3mA.

5.5.2

Time tagging
Events, process and system alarms must be time tagged with highest resolution but not less
than the scan rate, and related to the central Real Time Clock.
No events or alarms shall be lost in the SAS.
The alarms shall be time tagged where it is first detected.

_______________________________________________________________________________
NORSOK Standard
12 of 20

Safety and Automation Systems (SAS)

5.5.3

I-CR-002
Rev. 1, December 1994

Alarm suppression and filtering

Alarm suppression and/or filtering shall be possible for individual alarms, pre-defined
groups of tags (e.g process system or safety area), or initiated by logic (e.g. suppression of
low flow alarm from a pump that has stopped).
The SAS shall on request provide lists of all suppressed alarms.

5.5.4

Alarm and event presentation

The system shall offer means for alarm annunciation as follows:
I.

Acoustically

II.

Visually on VDU in process displays, alarm overviews and on alarm lists.

Event information is displayed chronologically in an event list available on VDU and

printed on operators request.
The system must include a historic alarm and event file able to store lists on hard disc.
5.6

Programming

5.6.1

Programming tools ( Engineering work station)

The programming tool should have the following features:
I.

Change parameters on line without disturbing process control.

II.

On line programming.

III.

Load and unload application programs including database structure via common bus.

IV.

Graphical MMI is preferred.

V.

It shall be possible to monitor on line any dynamic variable in any relevant SAS unit
via bus for debugging purposes.

VI.

Override/inhibit of signals and/or data base elements.

VII. Start/stop of application programs.

5.6.2

Function blocks
To the extend possible, the SAS vendors or Company standard existing function blocks
shall be applied. Function block oriented programming should be used.

_______________________________________________________________________________
NORSOK Standard
13 of 20

Safety and Automation Systems (SAS)

SYSTEM REQUIREMENTS

6.1

Hardware

I-CR-002
Rev. 1, December 1994

Equipment shall meet requirements to EN50081-2 and EN50082-2 regarding

electromagnetic compatibility.
6.1.1

Remote I/O
In order to minimise cabling and hook-up offshore RIO should be used where applicable.

6.1.2

Input/output cards requirements

Field devices shall always be powered from SAS. In cases where active galvanic isolated
barriers are not used, I/O cards should have galvanic isolation between field and CPU side.
The number of different I/O card types shall be kept to a minimum.
I/O cards shall be powered in a way that damage on one card do not have any influence on
other cards. Short-circuit in the field shall not damage I/O cards.

6.1.3

Power supplies, power distribution

Availability calculations shall define whether single or redundant power supplies are
required.
CPU and I/O-field instruments shall be powered from different galvanically isolated power
supply.
Power supplies shall be designed for 150% normal consumption or based upon a modular
system which can be expanded without rewiring.

6.1.4

SAS termination
Any cross wiring shall be included in the SAS units termination part. Signal conditioning
units shall be rack or rail mounted.
It shall be possible to isolate field signals from the SAS unit(s) without disconnecting the
cable cores from the terminals.
All I/O channels, including spares shall be pre-wired.
The SAS shall be designed in such way that the termination part can be delivered to site at
an early stage while testing of application programs continue at SAS vendors workshop.
Reconnection facilities shall be pluggable.

6.1.5

Instrument field bus/ field bus units

Instrument field bus/field bus unit (multiplexer) solutions shall be considered if the concept
clearly demonstrates economical savings and requirements to time response are satisfied.

_______________________________________________________________________________
NORSOK Standard
14 of 20

Safety and Automation Systems (SAS)

6.1.6

I-CR-002
Rev. 1, December 1994

Hardware expandability
Spare capacity shall be measured per SAS unit and per card type at time of plant start-up.
For a well defined mechanical package, a lower quantity of spare/ expandability can be
accepted.
Table 4 Hardware expandibility table
Task
I/O cards
Disk capacity

6.2

Software

6.2.1

CPU performance

Spare capacity
10 % installed spare
25 % possible extension
40 % spare installed
100 % possible extension

CPU load of SAS unit(s) at the time of plant start-up shall not exceed 75%. CPU load
means percentage of time available for application program (internal CPU handling tasks
excluded).
Memory
It shall be possible to expand memory without any change of application programs and
there shall be 75% spare capacity at time of plant start-up of SAS.
6.2.2

Bus load
Bus load at the time of plant startup shall not exceed 75% of by the vendor recommended
bus load.

6.2.3

Time synchronisation
Time synchronisation means that internal time between different units shall not deviate
more than 50 msec. The SAS system shall get time vector from platform clock.

_______________________________________________________________________________
NORSOK Standard
15 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

ANNEX A

GUIDELINE FOR TESTING

_______________________________________________________________________________
NORSOK Standard
16 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

ANNEX A GUIDELINE FOR TESTING

The SAS vendor shall have available test equipment for all I/O configured in SAS.
Facilities for measuring of dynamic loads for SAS unit, communication system and OS
shall be made available by the vendor of the SAS.
The tests shall be performed hierarchically, starting first SAS units tests, then system tests
and finally the Integration test.
All tests shall be documented. All I/O's shall be tested from the field side of SAS unit(s).
SAS unit test
Complete test of hardware and software applications of all SAS units, including
applications on OS. The tests shall be performed in accordance with approved test
procedures. Signals/telegrams to other SAS/systems will be tested during system test.
System test
Several SAS units forming a system shall be tested together. Example F&G SAS units, OS
and F&G mimic/matrix tested together. All I/O shall be simulated. System test shall
include all inter-unit signals.
Integration test
The test shall cover complete SAS including simulation of Partly Integrated Packages
(category B). In addition to functional test of all systems, dynamic bus and CPU load shall
be measured. The SAS should be alarm and failure free for at least 24 hours.

_______________________________________________________________________________
NORSOK Standard
17 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

ANNEX B

GUIDELINES FOR TIME RESPONSE

_______________________________________________________________________________
NORSOK Standard
18 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

ANNEX B GUIDELINES FOR TIME RESPONSE

This chapter establishes a common definition of system response time including guidelines
for accept criteria.
Alarm response time/resolution
Alarm response is a period of time from the time when process conditions exceeds predefined limit until the alarm is tagged. (Defined as A+B in figure A2) Recommended time
response is as follows:
Table 5 Process/PSD/ESD alarm response time
Process /PSD/ESD alarms
are in general dependant on process criticality.
For long time constant process variables
substantially slower time response may be
accepted (4 - 16 sec), example temperature
changes.

Time
response
1 sec

Table 6 Fire & Gas alarm response time

Fire & Gas alarms
Gas in air intake. Calculation to be
provided dependent on the length of the air
duct and response time of the activated
device (damper)
Gas detectors generally
Fire, smoke, heat detectors
Addressable detectors

Time response
Max. 2 sec

2 sec
4 sec
15 sec

Table 7 Electrical alarm response time

Electrical alarms
Switch gear alarms

Time response
2 0 msec

_______________________________________________________________________________
NORSOK Standard
19 of 20

Safety and Automation Systems (SAS)

I-CR-002
Rev. 1, December 1994

VDU picture update times

Table 8 Guidelines for VDU time response requirements.
Task
Call up of new picture with 100
analogue values and 100 digital points. Values are
picked up from 5 different units. The time is
measured from operators request until the picture
is on screen and all dynamic values are updated.
Updating dynamic values only for DU picture as
defined above.
Operator command request. Time from operator
command until the execution starts in SAS unit.
For critical actions the time should be close to 1
sec.
Alarm display time. Is the time from a generation
of alarm in the SAS unit until the alarm is
displayed on the VDU.

Digital clock
synchronisation

Alarm tagging

Sensor response time

I/O and program scan

A
D
Field actuator
response time

Figure 2

Time response
5 sec

3 sec
2 sec

2 sec

OS scan/display time

Communication time

CPU
Analogue clock
synchronisation

Principles of time response.

_______________________________________________________________________________
NORSOK Standard
20 of 20