PETRONAS TECHNICAL STANDARDS
INSTRUMENTED PROTECTIVE SYSTEMS
PTS 14.12.12
July 2017
© 2017 PETROLIAM NASIONAL BERHAD (PETRONAS)
All rights reserved. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form
or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright
owner. PETRONAS Technical Standards are Company’s internal standards and meant for authorized users only.
FOREWORD
PETRONAS Technical Standards (PTS) has been developed based on the accumulated knowledge,
experience and best practices of the PETRONAS group supplementing National and International
standards where appropriate. The key objective of PTS is to ensure standard technical practice across
the PETRONAS group.
Compliance with PTS is compulsory for PETRONAS-operated facilities and Joint Ventures (JVs) where
PETRONAS has more than fifty percent (50%) shareholding and/or operational control, and includes
all phases of work activities.
Contractors/manufacturers/suppliers who use PTS are solely responsible for ensuring that the quality of
work, goods and services meets the required design and engineering standards. Where
specific requirements are not covered in the PTS, it is the responsibility of the
Contractors/manufacturers/suppliers to propose other proven or internationally established
standards or practices of the same level of quality and integrity as reflected in the PTS.
In issuing and making the PTS available, PETRONAS is not making any warranty on the accuracy or
completeness of the information contained in PTS. The Contractors/manufacturers/suppliers shall
ensure accuracy and completeness of the PTS used for the intended design and engineering
requirement and shall inform the Owner for any conflicting requirement with other international
codes and technical standards before start of any work.
PETRONAS is the sole copyright holder of PTS. No part of this document may be reproduced, stored
in a retrieval system or transmitted in any form or by any means (electronic, mechanical, recording or
otherwise) or be disclosed by users to any company or person whomsoever, without the prior written
consent of PETRONAS.
The PTS shall be used exclusively for the authorised purpose. The users shall arrange for PTS to be
kept in safe custody and shall ensure its secrecy is maintained and provide satisfactory information to
PETRONAS that this requirement is met.
Table of Contents
1.0 INTRODUCTION
1.1 SCOPE
1.2 GLOSSARY OF TERMS
1.3 SUMMARY OF CHANGES
2.0 GENERAL REQUIREMENTS
2.1 FUNCTIONALITY
2.2 CERTIFICATION
2.3 MODIFICATION TO IPS
2.4 CYBERSECURITY REQUIREMENTS
2.5 CYCLE AND RESPONSE TIME
2.6 STRUCTURE
2.7 ENVIRONMENTAL CONDITION
3.0 HARDWARE REQUIREMENTS
3.1 SELECTION OF IPS TECHNOLOGY
3.2 HARDWARE FAULT TOLERANCE
3.3 SYSTEM HARDWARE
3.4 WORKSTATION
3.5 SPARE CAPACITY
3.6 HARDWARE CONSTRUCTION REQUIREMENT
3.7 POWER REQUIREMENT
4.0 SYSTEM REQUIREMENTS
4.1 SYSTEM AND APPLICATION SOFTWARE
4.2 ALARM SIGNAL HANDLING
5.0 SYSTEM INTEGRATION
5.1 SYSTEM CONNECTIVITY
5.2 COMMUNICATION LINKS
6.0 TESTING REQUIREMENTS
6.1 FACTORY ACCEPTANCE TEST
7.0 DRAWINGS AND DOCUMENTATION
8.0 BIBLIOGRAPHY
1.0 INTRODUCTION
This PTS provides the minimum technical requirements for Instrumented Protective System
(IPS), including fire and gas system (FGS) for PETRONAS assets, both new and existing.
1.1 SCOPE
1.1.1 This PTS specifies the system functional design requirements, acceptance tests and
documentation for IPS and FGS.
1.1.2 This PTS does not cover pneumatic or hydraulic shutdown systems.
1.2 GLOSSARY OF TERMS
1.2.1 General Definition of Terms & Abbreviations
Refer to PTS Requirements, General Definition of Terms, Abbreviations & Reading Guide PTS
00.01.03 for General Definition of Terms & Abbreviations.
1.2.2 Specific Definition of Terms
1. Basic Process Control System (BPCS): The system which carries out the process control and monitoring of the facility, typically the DCS, by taking inputs from the sensors of process instruments and providing outputs based on control functions in accordance with the approved design control strategy. The BPCS shall not perform any interlock safety functions of SIL 1 or higher.
2. Common Mode Failure: A failure having the potential to affect all duplicated components in a robust configuration by virtue of common or shared characteristics.
3. Cybersecurity: The protection of data and IT resources from accidental or malicious acts, usually by taking appropriate actions. These acts may be modification, destruction, access, disclosure, or acquisition, if not authorized (ISO 2382-8). Information security is quantified in terms of availability, integrity and confidentiality.
4. Engineering Work Station (EWS): An EWS is a workstation which contains the software and/or the database required to prepare and download configuration changes into the safety system. It may also be used to interpret and diagnose the state of the logic of the safety system in a "read-only" mode. For smaller sites the function of the EWS may be combined with an Operator Work Station.
5. Fail Safe: A concept that defines the failure direction of a component or system as a result of specific malfunctions. That failure direction is towards a safer or less hazardous condition.
6. Failure: An abnormal condition that may cause a reduction or loss of capability of the IPF to perform its intended function.
7. Fault Tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors.
8. Final Element: A device, or combination of devices, that manipulates a process variable or attracts the attention of the operator to achieve risk reduction. The Final Element includes output cards or output relays, solenoid valves and cabling. Examples are valves, switchgear (rotating equipment stop circuits) and alarms.
9. Instrumented Protective Function (IPF): A function comprising one or more Sensors, a Logic Solver and one or more Final Elements whose purpose is to prevent or mitigate hazardous situations. An IPF is intended to achieve or maintain a safe state for the process, in respect of a specific hazardous event. In IEC 61508 and IEC 61511, an IPF is referred to as a Safety Instrumented Function (SIF).
10. Instrumented Protective System (IPS): The electromechanical, electronic and/or programmable electronic Logic Solver component of the Instrumented Protective Function, complete with input and output equipment. In IEC 61508 and IEC 61511, an IPS is referred to as a "Logic Solver".
11. Logic Solver: The portion of an Instrumented Protective Function that performs the application logic function. The Logic Solver excludes input cards and output cards. Examples are electromechanical relays, solid-state/magnetic-core logic and the Central Processing Unit (CPU) section of programmable electronic systems.
12. Process Control Access Domain (PCAD): A firewall and associated systems that securely interconnect the Process Control Domain (PCD) to other network environments.
13. Process Control Domain (PCD): The network environment to which Process Control systems are connected.
14. Programmable Electronics (PE): Electronic component or device forming part of a PES and based on computer technology. The term encompasses both hardware and software and input and output units. NOTE: This term covers micro-electronic devices based on one or more central processing units (CPUs) together with associated memories, etc. Examples of process sector programmable electronics include: smart sensors and final elements; and programmable electronic logic solvers, including programmable controllers, programmable logic controllers, process automation systems and loop controllers.
15. Programmable Electronic System (PES): System for control, protection or monitoring based on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, actuators and other output devices. As an example, an IPS could be a PES.
16. Process Safety Time: The period of time in which the process can be operated without protection and with a demand present without entering a dangerous condition. The Process Safety Time determines the dynamic response requirements of the IPF.
17. Safe Failure: A failure whose occurrence does not have the potential to place an IPF in a dangerous state. Formerly known as revealed failure.
18. Safe Fault Tolerance: A configuration in which plant availability is not jeopardized by the safe failure of a single IPF component. Formerly known as Revealed Failure Robustness.
19. Safety Instrumented System (SIS): Instrumented system used to implement one or more safety instrumented functions. A SIS is composed of any combination of sensor(s), logic solver(s) and final element(s) (IEC 61511), i.e. the collection of IPFs (including sensors and final elements) that together protect a process unit or major piece of equipment (furnace, compressor).
20. Trip: An Instrumented Protective Function action to bring the Final Element to a safe state.
21. UZ: Tag numbering system to group protection functionality dedicated to specific process equipment or group of equipment. Note that an IPF may span several UZ 'blocks'.
Table 1.1: Specific Definition of Terms
1.2.3 Specific Abbreviations
No Abbreviation Description
1 AC Alternating Current
2 AMS Asset Management System
3 BPCS Basic Process Control System
4 CPU Central processing unit
5 DC Direct current
6 DCS Distributed control system
7 EPROM Erasable programmable read-only memory
8 FGS Fire and gas system
9 FLD Functional logic diagrams
10 GPS Global Positioning System
11 HMI Human Machine Interface.
12 I/O Input/output
13 IPS Instrumented protective system
14 MOS Maintenance override switch
15 PC Personal computer
16 PCN Process Control Network
17 PES Programmable Electronic System
18 RAM Random access memory
19 SER Sequence of events recorder
20 SFC Sequential function charts
Table 1.2: Specific Abbreviations
1.3 SUMMARY OF CHANGES
This PTS 14.12.12 (July 2017) replaces PTS 14.12.12 (July 2014).
2.0 GENERAL REQUIREMENTS
2.1 FUNCTIONALITY
2.1.1 The IPS shall (PSR) be fail-safe by design. The fail-safe design uses normally energized
(de-energize-to-trip) circuits, except for lamp outputs, where a "1" logic signal is the normal state
and a "0" logic signal the abnormal (trip or failure) state. On power failure or component failure,
the output signals should go to the "0" (de-energized) state.
Note: Where the energize-to-trip concept is used (e.g. emergency depressurizing, FGS inputs / outputs), line
monitoring and earth fault detection shall be provided for each I/O channel.
2.1.2 Serial communication between the IPS and BPCS shall not be used for executive functions.
Any signals for executive functions between IPS and BPCS shall (PSR) be hardwired.
2.1.3 For an integrated control and safety system (ICSS), the system shall be designed such that failure
of a non-safety related function does not cause a dangerous failure of a safety related function,
and the possibility of common mode dependent failure is reduced to an acceptable level
according to the SIL class.
2.1.4 ICSS shall employ separate configuration and control databases for safety and non-safety
related functions to prevent common cause failures.
2.1.5 IPS shall be designed to prevent unauthorized access to the bypass or override functions and
modification of the protective function.
2.2 CERTIFICATION
2.2.1 IPS shall be certified by TUV Rheinland to the latest IEC 61508 and IEC 61511 standards, covering all
parts of the standards.
2.2.2 All conditions regarding application of the IPS stated in the TUV Rheinland test report and in
the IPS safety manual shall be met.
2.2.3 If the IPS is used as part of the Fire & Gas System (FGS), the system shall also be certified to
NFPA 72.
2.2.4 If the IPS is used as part of the Machine Monitoring and Protection System, the system shall
also be certified to IEC-62061.
2.2.5 If the IPS is used as part of the Burner Management System (BMS), the system shall also be
certified to NFPA 85 and NFPA 86.
2.2.6 The proof test interval specified in the certificate or accompanying report shall be at least
5 years. An IPS whose certification requires testing more often than once every 5 years shall not
be accepted for use.
2.2.7 The IPS SIL certificate shall come with the test report and an up-to-date safety manual. All limitations
and specific conditions for compliance with the SIL certification shall be clearly highlighted in the
safety manual.
2.2.8 EMC requirements as per latest IEC 61000 standards shall be fully complied with. Evidence of
this compliance shall be made clear in the certificate and test report.
2.3 MODIFICATION TO IPS
2.3.1 All changes to the IPS shall comply with the Management of Change process.
2.3.2 Relevant functional test shall be performed for any logic changes and system software
upgrades.
2.3.3 To protect against unauthorized engineering modification in the IPS, access to EWS shall be
controlled via password and configuration mode change shall only be permissible via manual
switch.
2.4 CYBERSECURITY REQUIREMENTS
2.4.1 All workstations and computer systems that are related to IPS shall comply with Cyber Security
requirements in PTS 14.11.05.
2.5 CYCLE AND RESPONSE TIME
The IPS cycle and response time shall comply with PTS 14.12.10.
2.6 STRUCTURE
2.6.1 The resulting IPS loading and cycle time shall be verified and a different arrangement of IPSs
shall be proposed where required in order to comply with loading criteria.
2.6.2 In general, major process equipment such as boilers, turbines and compressors that are
redundant shall be engineered into separate IPS to avoid common mode failure arising from
a common IPS.
2.6.3 I/O shall be allocated and arranged such that common mode failure and common cause failure
are minimized, to comply with the SIL requirement.
2.6.4 For package equipment utilizing independent IPS, the selection of which brand / manufacturer
to be used shall take into account factors such as ease of integration, common spare parts,
trainings and maintenance tools. It may be prudent to standardize these independent IPS to
the same brand / manufacturer as the one used for the main process plant. See PTS 14.10.03
for more details.
2.7 ENVIRONMENTAL CONDITION
2.7.1 IPS shall be installed inside an environmentally controlled building to ensure long-term reliable
operation of the IPS, with the following ambient conditions:
i. Temperature: 18 °C to 27 °C normal (5 °C to 40 °C abnormal, maximum duration
of an abnormal period 72 hours).
ii. Relative humidity: 35 % to 75 % normal, 20 % to 95 % (non-condensing) abnormal,
maximum duration of one abnormal period 72 h.
iii. Temperature variation: less than 1 °C per minute.
Note: A heat dissipation study shall be done such that the average temperature inside the system cabinet does not
exceed 30 °C.
2.7.2 Installation of IPS outside of environmentally controlled building shall require TA approval.
3.0 HARDWARE REQUIREMENTS
3.1 SELECTION OF IPS TECHNOLOGY
3.1.1 The IPS shall be Programmable Electronic System (PES). The use of other technologies such as
solid-state / magnetic-core technology and Electromechanical Relay will be based on the
project requirement.
3.1.2 For facilities designed with pneumatic and hydraulic relay based safety system, the philosophy
of dangerous failure robustness prescribed in IEC-61508/61511 shall be applied (e.g.
redundancy requirement, separation between safety and non-safety function etc.).
3.1.3 New or re-instrumentation projects shall not consider pneumatic and hydraulic relay based
IPS, unless approved by Technical Authority.
3.1.4 Particular attention shall be paid to electromechanical relay-based IPSs as they may not fulfil
the requirements of SIL 3 for new or re-instrumentation projects.
3.2 HARDWARE FAULT TOLERANCE
3.2.1 If a hardware fault tolerant component fails, the redundant component shall continue to
operate in 'crippled/degraded mode' without causing spurious trips, and shall give an
indication of fault type and location.
3.2.2 The duration of 'crippled/degraded mode' operation shall comply with the SIL
requirements as specified in the IPS safety manual.
3.2.3 To minimize common mode failure, each point of redundant IPS I/O shall be connected to an
independent I/O channel in a different slot, as illustrated in Figure 3.1.
Figure 3.1: IPS Input channel with fault tolerance configuration (2-out-of-3 configuration)
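The following is an added illustration of the voting and degraded-mode behaviour described in 2.1.1 and 3.2; it is example code written for this edition, not code from PTS 14.12.12 or from any IPS vendor. It uses the de-energize-to-trip convention (1 = normal, 0 = trip demand or failure): a channel that diagnostics have declared faulty is excluded from the vote rather than counted as a trip, so a single diagnosed fault does not cause a spurious trip, its fault type and location are reported, and the remaining healthy channels vote under a reduced scheme. The degradation table (2oo3 to 1oo2 to 1oo1), the tag names and the slot names are assumptions; a real IPS safety manual fixes the degradation sequence and how long degraded operation may last.

```python
"""Added example: a 2oo3 input voter with degraded-mode operation.
Not code from PTS 14.12.12 or from any IPS vendor."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Channel:
    tag: str                      # constructed tag, e.g. "PT-101A"
    slot: str                     # I/O card/slot the channel is wired to
    value: int                    # 1 = normal, 0 = trip demand (de-energized)
    fault: Optional[str] = None   # diagnostic fault type, None when healthy


@dataclass
class VoteResult:
    output: int                   # 1 = keep final element energized, 0 = trip
    scheme: str                   # voting scheme actually applied this scan
    faults: List[str] = field(default_factory=list)   # fault type and location


# ASSUMPTION: one plausible degradation sequence. The IPS safety manual
# decides whether a single fault degrades 2oo3 to 1oo2 (favours safety)
# or 2oo2 (favours availability), and for how long degraded operation
# may continue (3.2.2).
DEGRADATION: Dict[int, str] = {3: "2oo3", 2: "1oo2", 1: "1oo1"}


def separate_slots(channels: List[Channel]) -> bool:
    """3.2.3: redundant channels must sit in different slots."""
    return len({c.slot for c in channels}) == len(channels)


def vote(channels: List[Channel]) -> VoteResult:
    """Vote the healthy channels of a 2oo3 group."""
    if len(channels) != 3:
        raise ValueError("2oo3 voter needs exactly three channels")
    faults = [f"{c.tag} @ {c.slot}: {c.fault}" for c in channels if c.fault]
    healthy = [c for c in channels if c.fault is None]
    if not healthy:
        # No trustworthy channel left: fail safe, de-energize the output.
        return VoteResult(0, "fail-safe", faults)
    scheme = DEGRADATION[len(healthy)]
    needed = int(scheme[0])                        # "2oo3" -> 2 trip votes
    trips = sum(1 for c in healthy if c.value == 0)
    return VoteResult(0 if trips >= needed else 1, scheme, faults)


class TripLatch:
    """Holds the output de-energized after a trip until a manual reset,
    and ignores a reset while the trip demand is still present."""

    def __init__(self) -> None:
        self.output = 1

    def scan(self, voted: int, reset: bool = False) -> int:
        if voted == 0:
            self.output = 0
        elif reset:
            self.output = 1
        return self.output


if __name__ == "__main__":
    group = [Channel("PT-101A", "card 1", 1),
             Channel("PT-101B", "card 2", 0),
             Channel("PT-101C", "card 3", 1, fault="open circuit")]
    result = vote(group)          # one trip vote, one fault -> 1oo2 -> trip
    latch = TripLatch()
    print(result, "latched output:", latch.scan(result.output))
```

The example deliberately reports the fault list alongside the vote so the common trouble alarm and first-out logic have something to annunciate; what it does not model is the time limit on degraded operation, which 3.2.2 leaves to the safety manual.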
3.3 SYSTEM HARDWARE
3.3.1 General
Redundant field devices shall be wired to separate hardware fault tolerant sets of I/O cards.
EXAMPLE: In the case of 2oo3 transmitters A, B and C, transmitter A is wired to cards 1 and 1", B is wired to 2 and
2" and C to cards 3 and 3". Another transmitter may be wired to another channel of cards 1 and 1" or 2 and 2", etc.
Redundant cards and components (including power supplies) shall be hot swappable and
replaceable online without causing interruption to the process.
Any fault on an individual I/O channel shall not impair the functionality of the remaining
channels.
Unused card locations shall be fitted with cover plates.
The number of different card types shall be minimized.
EXAMPLE: If 20 digital outputs are required within one process unit (excluding spares) and the Supplier has
standard 8 and 16 channel cards, three 8 channel cards or two 16 channel cards shall be proposed, not one 16
channel card plus one 8 channel card.
Protective systems with more than one initiator shall be supplied with a "first-out" alarm that
provides an indication of which initiator actuated first. Each alarm shall be historized. The
first-out alarms shall be implemented by either:
i. A first-out alarm annunciator using ISA Sequence F3A-3
ii. A sequence of events function with sufficient time resolution to determine the first
event
Each process initiator, except manual initiators, shall have a pre-alarm which indicates that
the process has reached the point where one or more of the protective system sensors is
about to cause the protective system to operate unless corrective Operator action is taken.
These pre-alarms shall be annunciated at a continuously manned location and shall be
historized. Two separate sensors shall be used, one for the pre-alarm and one for the
protective system initiator, except when redundant sensors are used.
Each IPS shall have a common non-resettable flashing priority 1 alarm indicating that a
protective function of the system is bypassed. This bypass alarm shall be annunciated at a
continuously manned location and shall be historized.
Each IPS shall have a common trouble alarm. Protective systems using voting redundancy of
sensors, logic or final elements shall indicate any fault resulting in the failure of one or more
channels. Protective systems using a fail-no-action design shall indicate any fault that results
in the loss of protection. The alarm priority shall be approved by the Owner's Engineer.
The failure of any environmental conditioning equipment (e.g., fans, HVAC, air filtration)
required to maintain the safety integrity of the protective system shall be alarmed at a
continuously manned location. The alarm priority shall be as per PTS 14.12.08.
An Operator interface shall be provided to indicate the status of the relevant inputs, outputs,
and IPS application program generated flags. This shall be sent to the DCS or to a standalone
PC, via a network or via a serial link, which is read only and does not allow the DCS or standalone
PC to write to the IPS for any reason. This interface shall not be used as a programming
terminal, nor shall it allow any access to the application program or affect the operation of
the protective system in any way. Failure of any component(s) in the operator interface
shall not cause a spurious shutdown, nor shall the component failure go undetected.
3.3.2 Analogue inputs
The IPS shall be able to handle the following types of signals:
i. 4-20 mA, non-earthed, passive, 24 V(dc), 2-wire
ii. 4-20 mA, non-earthed, active, 24 V(dc), 2-wire
iii. Resistance temperature detector (RTD)
iv. Pulse / frequency
v. Thermocouples
Analogue inputs shall have open and short circuit and out-of-range detection. The range shall
be configurable per input channel. The detected results shall be available for use in the
application logic.
3.3.3 Digital inputs
The IPS shall be able to handle the following signals:
i. Discrete Inputs (Dry/Wet Contacts)
ii. NAMUR signals
Normally Open digital inputs shall be provided with open and short circuit detection per input
channel. The detection results shall be available for use in the application logic.
Normally Open digital inputs for field mounted reset switches, MOS enable switches, lamp
test, acknowledge and reset switches in local panels do not require open and short circuit
detection.
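The following is an added illustration of the per-channel line monitoring asked for in 3.3.2 and 3.3.3; it is example code written for this edition, not code from PTS 14.12.12 or from any IPS vendor. 4-20 mA loops are classified with the NAMUR NE43 current bands and scaled to a range that is configured per channel; NAMUR (EN 60947-5-6) proximity-switch inputs are classified by their loop current into open circuit, OFF, ON and short circuit, which is what gives a normally open contact its open and short circuit detection. The channel tags, ranges and sample readings are constructed, and the exact mA thresholds of a real input card come from its safety manual, not from this example.

```python
"""Added example: per-channel line monitoring for analogue and digital
inputs. Not code from PTS 14.12.12 or from any IPS vendor."""
from dataclasses import dataclass
from typing import NamedTuple, Optional


class AIResult(NamedTuple):
    status: str             # ok / under_range / over_range / open_circuit / short_circuit
    value: Optional[float]  # engineering value, None when no measurement is available
    good: bool              # True when the application logic may use `value`


@dataclass
class AIChannel:
    tag: str
    lo: float               # engineering value at 4 mA (configurable per channel)
    hi: float               # engineering value at 20 mA
    unit: str


# NAMUR NE43 (mA): 3.8-20.5 is the valid measurement range; at or below
# 3.6 the loop is open or the transmitter signals fail-low; at or above
# 21.0 the loop is shorted/driven high or the transmitter signals fail-high.
NE43_FAIL_LOW, NE43_LOW, NE43_HIGH, NE43_FAIL_HIGH = 3.6, 3.8, 20.5, 21.0


def classify_ai(ch: AIChannel, ma: float) -> AIResult:
    """Classify one scan of a 4-20 mA input and scale it to engineering units."""
    if ma <= NE43_FAIL_LOW:
        return AIResult("open_circuit", None, False)
    if ma >= NE43_FAIL_HIGH:
        return AIResult("short_circuit", None, False)
    value = ch.lo + (ma - 4.0) * (ch.hi - ch.lo) / 16.0
    if ma < NE43_LOW:
        return AIResult("under_range", value, False)
    if ma > NE43_HIGH:
        return AIResult("over_range", value, False)
    return AIResult("ok", value, True)


# NAMUR EN 60947-5-6 sensor currents (mA): < 0.15 open circuit, <= 1.2 OFF,
# >= 2.1 ON, > 6.0 short circuit. The band between OFF and ON is hysteresis.
NAMUR_OPEN, NAMUR_OFF, NAMUR_ON, NAMUR_SHORT = 0.15, 1.2, 2.1, 6.0


def classify_namur(ma: float, previous: str = "off") -> str:
    """Classify a NAMUR digital input; hold the last state in the hysteresis band."""
    if ma < NAMUR_OPEN:
        return "open_circuit"
    if ma > NAMUR_SHORT:
        return "short_circuit"
    if ma <= NAMUR_OFF:
        return "off"
    if ma >= NAMUR_ON:
        return "on"
    return previous


if __name__ == "__main__":
    pt = AIChannel("PT-101", 0.0, 100.0, "barg")           # constructed channel
    for ma in (0.0, 3.7, 12.0, 20.8, 22.0):                 # constructed readings
        print(ma, "mA ->", classify_ai(pt, ma))
    for ma in (0.05, 1.0, 1.6, 3.0, 7.5):
        print(ma, "mA ->", classify_namur(ma, previous="on"))
```

The `good` flag, not the raw value, is what the application logic should consume: a shorted loop reads as a valid high value on a card without line monitoring, which is exactly the undetected dangerous failure the diagnostics exist to catch.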
3.3.4 Digital outputs
The IPS shall provide discrete outputs. The following output types shall be driven via an
interfacing relay:
i. High powered solenoid valves with a coil voltage of 24 VDC, 110 VDC, 110 VAC.
ii. Interfacing signals to motor control units
iii. Control room and/or local panel alarm lights
Normally De-Energized outputs, except for lamp outputs, shall be provided with open and
short circuit and earth fault detection per output channel. The detection results shall be
available for use in the application logic. The detection shall be independent of cable length
between output card and final element.
NOTE: The PESs are designed, especially with respect to the internal diagnostics, for the de-energised signal being
the safe state of inputs and outputs. For normally de-energised (NDE) applications which do not employ an external
inverter such as a relay, the PES shall also be designed for the energised signal being the safety related input or
output state. If this is not the case, inverter relays with the appropriate classification shall be used.
Digital outputs of PES shall not be switched via relay contacts; only solid-state switching shall
be used.
3.4 WORKSTATION
3.4.1 Engineering Workstation
The EWS PC shall be dedicated for use with the IPS only. Sharing of the IPS EWS for any other
non-IPS related functions, such as a common EWS with the DCS, is not allowed.
Engineering Workstation (EWS) Location
The IPS engineering workstation (EWS) shall not be connected to the PCN and shall be
configured so that remote access to the EWS is denied (both from within the PCD and via the
PCAD).
The EWS shall provide a log of changes made, by whom and with date and time stamps.
To prevent accidental changes, the EWS shall have a mechanism to confirm that the currently
updated configuration files match the ones running in the safety system. This should be
extended to warnings about the use of configurations that are older than the currently
running configuration. However, it is sometimes necessary to roll back to a previous
configuration, so such use shall not be prevented.
Where an EWS provides functionality to force logic states for testing purposes, this shall only
be available to specific user accounts for that purpose.
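The following is an added illustration of the safeguards that 2.3.3 and 3.4.1 place around an EWS; it is example code written for this edition, not code from PTS 14.12.12 or from any EWS/IPS vendor. It models the checks in order: a download needs an engineering account and the manual key switch in program mode; the EWS can confirm that its project file matches what the logic solver reports as running; a project older than the running one produces a warning that must be acknowledged rather than a refusal, so roll-back stays possible; forcing logic states is limited to accounts holding that role; and every accepted action is appended to a who/what/when change log. The controller's reported digest and version are simulated with SHA-256 and an integer; a real IPS exposes a vendor-specific application signature or CRC instead, and the accounts and roles are constructed.

```python
"""Added example: EWS safeguards around a configuration download.
Not code from PTS 14.12.12 or from any EWS/IPS vendor."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass
class RunningConfig:           # what the logic solver reports (simulated)
    digest: str
    version: int


@dataclass
class LogEntry:
    when: str                  # ISO-8601 UTC time stamp
    who: str
    action: str
    detail: str


def digest(project: bytes) -> str:
    """Stand-in for the vendor's application signature/CRC (assumption)."""
    return hashlib.sha256(project).hexdigest()


class Ews:
    def __init__(self, running: RunningConfig, roles: Dict[str, Set[str]]) -> None:
        self.running = running
        self.roles = roles         # user -> roles, from the site's authentication (assumed)
        self.log: List[LogEntry] = []

    def _record(self, who: str, action: str, detail: str) -> None:
        when = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append(LogEntry(when, who, action, detail))

    def _require(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks the {role!r} role")

    def matches_running(self, project: bytes) -> bool:
        """3.4.1: does the EWS project file match the running configuration?"""
        return digest(project) == self.running.digest

    def download(self, user: str, project: bytes, version: int,
                 key_switch_program: bool, acknowledge_rollback: bool = False) -> List[str]:
        """Returns the warnings that blocked the download; empty when it went ahead."""
        self._require(user, "engineer")
        if not key_switch_program:
            raise PermissionError("configuration mode requires the manual key switch (2.3.3)")
        if version < self.running.version and not acknowledge_rollback:
            return [f"project version {version} is older than running version "
                    f"{self.running.version}; acknowledge to roll back"]
        self.running = RunningConfig(digest(project), version)
        self._record(user, "download", f"version {version} digest {self.running.digest[:16]}")
        return []

    def force(self, user: str, tag: str, value: int) -> bool:
        """Forcing logic states is restricted to dedicated test accounts."""
        self._require(user, "force-test")
        self._record(user, "force", f"{tag} := {value}")
        return True


if __name__ == "__main__":
    ews = Ews(RunningConfig(digest(b"logic v1"), 1),
              {"alice": {"engineer"}, "bob": {"force-test"}})   # constructed accounts
    print(ews.matches_running(b"logic v1"))                      # True
    print(ews.download("alice", b"logic v2", 2, key_switch_program=True))   # []
    print(ews.download("alice", b"logic v1", 1, key_switch_program=True))   # roll-back warning
    for entry in ews.log:
        print(entry)
```

Keeping the match check and the version check separate matters: a digest comparison tells you whether the file on the EWS is what is actually running, while the version comparison is what catches an engineer about to re-download last month's project over this month's fix.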
3.4.2 Sequence of Events Recorder (SER) workstation
[Link] Sequence of Event Recorder (SER) requirements;
i. A SER primary objective is to provide a high-resolution event log and audit trail.
SER shall have a capability to store 100,000 time-stamped events in a circular file.
ii. At least the last 100 events shall be stored in a buffer in IPS to allow for SER or
communications failure.
iii. If a separate PC is used as the SER, the PC shall follow the requirements specified in
section 2.4.
iv. A unique tag number and service description shall be assigned for each of SER
input. This tag number shall consist of at least 12 alphanumeric characters,
starting with either an alpha or a numeric character. The minimum number of
characters for the service description shall be 30. Any constraint shall be identified
for accepting tag number with maximum system capacity.
v. Disabling or enabling inputs from being recorded on an individual, selected UZ
group or process unit basis shall be possible. This shall be done with the
correct authorization, by means of a password, to disable and enable inputs.
vi. During power supply interruption to the system, historical data shall be retained.
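The following is an added illustration of the SER behaviour described in 3.4.2 and of the first-out determination that 3.3.1 allows a sequence of events function to provide; it is example code written for this edition, not code from PTS 14.12.12 or from any SER vendor. It shows the circular store of 100,000 time-stamped events, the small store-and-forward buffer the IPS keeps for an SER or link outage (last 100 events), the tag-number rule, per-UZ disabling of recording with the authorization decision taken outside the recorder, and a first-out query that reports a tie when two initiators share a time stamp at the recorder's resolution. The 1 ms resolution, the tag names and the event times are constructed.

```python
"""Added example: sequence-of-events recording and first-out
determination. Not code from PTS 14.12.12 or from any SER vendor."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Iterable, List, Set


@dataclass(frozen=True)
class Event:
    t_ms: int       # time stamp, milliseconds (1 ms resolution assumed)
    tag: str        # SER input tag number
    state: str      # e.g. "TRIP", "NORMAL", "FAULT"
    uz: str         # UZ group of the tag


def valid_tag(tag: str) -> bool:
    """3.4.2 iv: at least 12 alphanumeric characters, starting with one."""
    return tag[:1].isalnum() and sum(c.isalnum() for c in tag) >= 12


class IpsEventBuffer:
    """Last N events held inside the IPS while the SER or its link is down."""

    def __init__(self, size: int = 100) -> None:
        self._buf: Deque[Event] = deque(maxlen=size)

    def record(self, ev: Event) -> None:
        self._buf.append(ev)          # oldest event is dropped when full

    def drain(self) -> List[Event]:
        out = list(self._buf)
        self._buf.clear()
        return out


class Ser:
    """Circular event log with per-UZ recording enable/disable."""

    def __init__(self, capacity: int = 100_000) -> None:
        self._log: Deque[Event] = deque(maxlen=capacity)
        self._disabled: Set[str] = set()

    def __len__(self) -> int:
        return len(self._log)

    def set_recording(self, uz: str, enabled: bool, authorized: bool) -> None:
        """3.4.2 v: `authorized` is the outcome of the password check, which
        belongs to the site's authentication and is not implemented here."""
        if not authorized:
            raise PermissionError(f"not authorized to change recording for {uz}")
        (self._disabled.discard if enabled else self._disabled.add)(uz)

    def ingest(self, events: Iterable[Event]) -> int:
        """Append events (e.g. drained from an IpsEventBuffer); returns the count stored."""
        stored = 0
        for ev in events:
            if not valid_tag(ev.tag):
                raise ValueError(f"tag {ev.tag!r} violates the tag-number rule")
            if ev.uz not in self._disabled:
                self._log.append(ev)
                stored += 1
        return stored

    def first_out(self, initiators: Iterable[str], since_ms: int) -> List[str]:
        """Tags of the initiator(s) that tripped first after `since_ms`: one tag
        when resolved, several when tied at this resolution, none when no
        listed initiator tripped."""
        wanted = set(initiators)
        trips = [e for e in self._log
                 if e.tag in wanted and e.state == "TRIP" and e.t_ms >= since_ms]
        if not trips:
            return []
        earliest = min(e.t_ms for e in trips)
        return [e.tag for e in trips if e.t_ms == earliest]


if __name__ == "__main__":
    buf = IpsEventBuffer(size=100)
    # Constructed events captured while the SER link is down: PT101 trips 3 ms before TT102.
    for ev in (Event(1000, "PT101AHH0001", "TRIP", "UZ1001"),
               Event(1003, "TT102HH00001", "TRIP", "UZ1001")):
        buf.record(ev)
    ser = Ser()
    ser.ingest(buf.drain())          # link restored: forward the buffered events
    print(ser.first_out(["PT101AHH0001", "TT102HH00001"], since_ms=0))  # ['PT101AHH0001']
```

A tie in `first_out` is reported rather than resolved by insertion order, because an SER whose resolution cannot separate two initiators does not meet the "sufficient time resolution" condition of 3.3.1 for that pair and the operator should know that.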
3.5 SPARE CAPACITY
3.5.1 A minimum of 10% installed (wired) and 10% uninstalled (unwired) spare capacity shall be
allocated per process unit.
3.6 HARDWARE CONSTRUCTION REQUIREMENT
3.6.1 Cabinets
The cabinets shall comply with the following requirements:
i. Cabinets shall be painted and finished according to the Supplier's standards and
suitable for indoor use.
ii. Cabinets shall be of the free-standing type, with two doors or four doors.
iii. Each cabinet shall be equipped with a heat extraction fan, louvers, dust filters and
temperature switch to generate an alarm in the event of high inside temperature.
This alarm shall be included in the cabinet common utility alarm.
iv. Failure of a single heat extraction fan, shall not impair the operation and
functionality of the IPS. The heat extraction fan shall be maintainable during
normal operation, including fan replacement without the need to power off the
cabinet or remove any IPS chassis or components.
v. Cabinet doors shall be hinged and detachable. Eye bolts shall be fitted
on top of the cabinets for lifting purposes.
vi. Anchor bolt holes shall be provided.
vii. With the doors closed, cabinets shall have an ingress protection of at least IP2X.
3.6.2 Cabling
The IPS cabling shall comply with the requirements in PTS 14.00.06.
3.6.3 Earthing
The IPS earthing shall comply with the requirements of PTS 14.00.06.
Screen earth for serial communication lines between the IPS and the DCS shall be connected
at the DCS side only.
One earth leakage monitor shall be provided at each cabinet. The associated alarm shall be
incorporated in the common cabinet utility alarm.
3.6.4 Labelling
The IPS labelling shall comply with the following:
i. Removable cover plate shall be installed for terminals carrying voltages higher
than 48 V AC to protect against accidental contact.
ii. Sockets, terminals and main wiring shall be clearly identified in accordance with
the system documentation. AC and DC systems and screens earthing shall be
segregated and identified.
iii. Segregation of IS and non IS shall be done according to PTS 14.00.06.
3.7 POWER REQUIREMENT
3.7.1 Power Supply Facilities
IPS systems shall be powered by a redundant uninterruptible power supply system (UPS) with
automatic change-over facilities; in case of a single failure, a remote alarm shall be provided.
For further clarification, see PTS 13.00.01.
The IPS power supply shall comply with the following requirements:
i. Failure of a single power supply source or component in the IPS shall not interrupt
normal IPS operation nor impair the redundancy of the processor and other
components.
ii. Mains-to-24 V(dc) power supply units shall be fully safe failure robust. CPU and
I/O internal power supplies shall be separated and galvanically isolated.
iii. Each power supply shall be fully rated to ensure that all loads and spares can be
powered up simultaneously.
iv. Power supply units shall be equipped with diagnostics, signalling and isolation facilities
so that a faulty unit can be serviced or replaced.
v. I/O power supply to input and output cards shall be of floating type (non-earthed).
Earth leakage circuit breakers shall be provided to protect against earth faults. Earth
leakage fault alarms shall be included in the common cabinet utility alarm.
3.7.2 Power Consumption and Tolerance
Mains power interruptions of up to 100 ms shall be tolerated without affecting operation.
3.7.3 Power Distribution
Power distribution shall be safe failure robust.
Each process unit shall be provided with separate power isolation in IPS cabinets, i.e.
miniature circuit breakers (including fuse functionality) or switch and fuse. Online fuse
replacement shall be possible without interrupting operation.
3.7.4 Batteries
IPS CPUs shall have on-board replaceable battery back-up to prevent loss of the software logic
configuration during prolonged power outages, such as during Turn-Around maintenance
activities.
Battery charge state shall be indicated.
4.0 SYSTEM REQUIREMENTS
4.1 SYSTEM AND APPLICATION SOFTWARE
4.1.1 For IPS with Programmable Electronic System (PES), the system and application software shall
comply with the following requirements:
i. Logic programming and configuration shall comply with IEC-61131-3.
ii. Logic shall be configured and allocated in the IPS in accordance with the
requirement stipulated in IEC-61511.
iii. Fault handling of redundant inputs shall be made in accordance with the system
safety manual.
iv. IPS logic may use time delays on all sensor inputs to avoid nuisance trips.
a) Time delay shall not exceed 0.5 seconds unless otherwise specified.
b) Flame detectors and manual initiators shall have zero time delay.
v. IPS logic shall remain in its protective state, either after a trip initiator requests
protective action or after loss of the power source(s), until manually reset, even if
the power source(s) and/or trip initiators return to their normal operating
positions.
vi. Application programs, if applicable, shall be split into well-defined functional
modules (UZ-blocks).
vii. The application programs (software), if applicable, may initially be stored in RAM
for system testing, commissioning and plant start-up and shall thereafter be
stored either in non-volatile EPROM or flash EPROM.
4.2 ALARM SIGNAL HANDLING
4.2.1 The IPS shall have the ability to generate alarm output signals via either serial
communication or hard-wired outputs.
4.2.2 Protective systems with more than one initiator shall be supplied with a "first-out" alarm that
provides an indication of which initiator actuated first. Each alarm shall be historized. The
first-out alarms shall be implemented by either:
i. A first-out alarm annunciator using ISA Sequence F3A-3
ii. A sequence of events function with sufficient time resolution to determine the
first event
4.2.3 Each process initiator, except manual initiators, shall have a pre-alarm. These pre-alarms shall
be annunciated at a continuously manned location and shall be historized.
4.2.4 Management of IPS alarms shall be done in accordance with PTS 14.12.08.
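The time-delay, latching and first-out requirements of clauses 4.1.1 iv and v and 4.2.2 ii, modelled as an added Python example. This is not PETRONAS code and not part of this PTS: the initiator kinds (process, flame, manual), the tag names, the scenario timings and the rule that a manual reset is honoured only once every initiator is back to normal are assumptions made for the illustration. Real IPS logic is written in an IEC 61131-3 language; the model only reproduces the behaviour the clauses require so that each requirement can be checked in isolation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_DELAY_S = 0.5                        # clause 4.1.1 iv a)
ZERO_DELAY_KINDS = {"flame", "manual"}   # clause 4.1.1 iv b)


def effective_delay(kind: str, requested_s: float) -> float:
    """Delay actually configured: zero for flame detectors and manual
    initiators, otherwise the requested value if within the 0.5 s limit."""
    if kind in ZERO_DELAY_KINDS:
        return 0.0
    if requested_s > MAX_DELAY_S:
        raise ValueError(f"delay {requested_s} s exceeds {MAX_DELAY_S} s")
    return requested_s


@dataclass
class Initiator:
    tag: str
    kind: str = "process"            # assumed kinds: process, flame, manual
    delay_s: float = 0.0
    demand_since: Optional[float] = None

    def __post_init__(self) -> None:
        self.delay_s = effective_delay(self.kind, self.delay_s)

    def accepted_at(self, t: float, demand: bool) -> Optional[float]:
        """Instant at which the delayed demand is accepted, or None while the
        demand is absent or still inside the delay window."""
        if not demand:
            self.demand_since = None
            return None
        if self.demand_since is None:
            self.demand_since = t
        at = self.demand_since + self.delay_s
        return at if t >= at else None


@dataclass
class TripGroup:
    initiators: Dict[str, Initiator]
    tripped: bool = False
    first_out: Optional[str] = None
    events: List[Tuple[float, str, str]] = field(default_factory=list)  # SER log
    logged: Set[str] = field(default_factory=set)

    def scan(self, t: float, demands: Dict[str, bool]) -> bool:
        """One logic-solver scan. Newly accepted demands are ordered by their
        acceptance instant, not by scan, so the first-out is correct even when
        two initiators qualify between consecutive scans (clause 4.2.2 ii)."""
        accepted = []
        for tag, ini in self.initiators.items():
            at = ini.accepted_at(t, demands.get(tag, False))
            if at is not None and tag not in self.logged:
                accepted.append((at, tag))
        for at, tag in sorted(accepted):
            self.logged.add(tag)
            if not self.tripped:
                self.tripped, self.first_out = True, tag
                self.events.append((at, tag, "FIRST-OUT TRIP"))
            else:
                self.events.append((at, tag, "TRIP"))
        return self.tripped

    def power_loss(self, t: float) -> None:
        """Loss of power drives the outputs to the protective state; the latch
        is kept when power returns (clause 4.1.1 v)."""
        self.events.append((t, "PSU", "POWER LOSS"))
        if not self.tripped:
            self.tripped, self.first_out = True, "POWER-LOSS"

    def manual_reset(self, t: float) -> bool:
        """Assumption: reset is honoured only after every initiator has
        returned to normal, i.e. after a scan with no demand present."""
        if any(i.demand_since is not None for i in self.initiators.values()):
            self.events.append((t, "RESET", "REJECTED"))
            return False
        self.tripped, self.first_out = False, None
        self.logged.clear()
        self.events.append((t, "RESET", "ACCEPTED"))
        return True


def demo() -> dict:
    """Constructed scenario on a four-initiator group (tags are invented)."""
    grp = TripGroup({
        "PT-101": Initiator("PT-101", "process", 0.5),
        "LT-201": Initiator("LT-201", "process", 0.2),
        "FD-301": Initiator("FD-301", "flame", 0.5),   # delay forced to 0
        "HS-901": Initiator("HS-901", "manual"),
    })
    out = {}
    grp.scan(0.0, {"PT-101": True})                   # 0.1 s spike on PT-101
    grp.scan(0.1, {"PT-101": True})
    out["spurious_trip"] = grp.scan(0.2, {})          # False: filtered by delay
    grp.scan(1.0, {"PT-101": True, "LT-201": True})   # both demand, none accepted
    out["tripped_at_1_0"] = grp.tripped               # False
    grp.scan(1.6, {"PT-101": True, "LT-201": True})   # both accepted in one scan
    out["first_out"] = grp.first_out                  # LT-201 (1.2 s before 1.5 s)
    out["reset_with_demand"] = grp.manual_reset(1.7)  # False: demand still present
    grp.scan(2.0, {})                                 # initiators back to normal
    out["latched_after_clear"] = grp.tripped          # True
    grp.power_loss(3.0)
    grp.scan(4.0, {})                                 # power returned
    out["latched_after_power"] = grp.tripped          # True
    out["reset_ok"] = grp.manual_reset(5.0)           # True
    out["events"] = grp.events
    return out
```

The SER-style event list orders accepted demands by acceptance instant rather than by scan, which is what "sufficient time resolution" in clause 4.2.2 ii buys: LT-201 and PT-101 both qualify between the scans at 1.0 s and 1.6 s, yet LT-201 is reported as first-out because its shorter delay was satisfied first. The group stays tripped after the initiators clear and after a power loss, and only a manual reset with no demand present clears it.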
5.0 SYSTEM INTEGRATION
5.1 SYSTEM CONNECTIVITY
5.1.1 IPS can be connected to a number of systems as listed below:
i. Time synchronization system. Internal system bus for integrated systems or
external clock such as GPS receiver acting as an NTP server to the IPS shall be
used for time synchronization between DCS and IPS.
ii. Other IPS, including Machine Protection IPS and BMS
iii. DCS
iv. SER (Sequence of Event Recorder)
v. EWS (Engineering Work Station)
vi. F&G (Fire and Gas system)
vii. Package PLC
viii. HMI (Human Machine Interface), either directly on the IPS controller, on the
Safety Bus or on the Control Bus
5.1.2 The connection between the HART multiplexers on the I/O of the IPS and the AMS is not
considered part of the IPS. These HART multiplexers are only allowed if the security (write
protect) jumpers are enabled inside the field devices. Utilization of HART multiplexers in IPS
shall not induce dangerous or safe failure of the IPS.
5.1.3 The IPS shall not have a direct connection to the PCN.
5.2 COMMUNICATION LINKS
5.2.1 Communication IPS to IPS and IPS to DCS shall comply with IEC-61508.
6.0 TESTING REQUIREMENTS
6.1 FACTORY ACCEPTANCE TEST
6.1.1 The Factory Acceptance Test shall cover all design elements in the FDS, the system safety
manual and IEC 61511.
6.1.2 The Factory Acceptance Test (FAT) shall include a system integration test. As a minimum,
the system integration test shall cover the following:
i. 100 % test of MOS functionality.
ii. 25 % random test of analogue signals transmitted to the DCS. If no failures are
found, the test is considered acceptable. If any failures are found, a further 25 %
shall be tested, and so on.
iii. 25 % random test of digital signals transmitted to DCS. If no failures are found,
the test is considered acceptable. If any failures are found, a further 25 % shall
be tested, and so on.
iv. First-up alarms, testing at least two points per UZ group.
v. All first-up groups.
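The 25 % sampling rule of clause 6.1.2 ii and iii, written out as an added Python example that is not part of this PTS and not PETRONAS code. The loop-check record, the tag names, the cross-wired pair PT-103/PT-104 and the decision to report a faulty final batch as "not accepted" are constructed assumptions. The example also makes visible a property of the rule itself: a fault that falls outside the tested batches is never seen, so the rule is an acceptance-sampling scheme, not a full loop check.

```python
import math
import random
from typing import Callable, Dict, Hashable, List, Sequence, Tuple

BATCH_FRACTION = 0.25   # clause 6.1.2: "25 % random test ... a further 25 %, and so on"


class FixedOrder:
    """No-op shuffle so that a run can be reproduced exactly (test aid)."""
    def shuffle(self, seq: list) -> None:
        pass


def sample_acceptance(signals: Sequence[Hashable],
                      check: Callable[[Hashable], bool],
                      rng=random) -> dict:
    """Test a random 25 % batch of `signals` with `check`. A fault-free batch
    ends the test as accepted; a batch with failures triggers the next 25 %,
    until a batch passes or every signal has been tested. `rng` needs only a
    `shuffle` method. Assumption: if the last possible batch still fails, the
    result is reported as not accepted (faults are corrected and the test
    repeated)."""
    order = list(signals)
    if not order:
        return {"accepted": True, "batches": [], "tested": 0,
                "population": 0, "failures": []}
    rng.shuffle(order)
    batch_size = max(1, math.ceil(len(order) * BATCH_FRACTION))
    batches: List[Tuple[int, int]] = []     # (signals tested, failures) per batch
    failures: List[Hashable] = []
    while order:
        batch, order = order[:batch_size], order[batch_size:]
        failed = [tag for tag in batch if not check(tag)]
        batches.append((len(batch), len(failed)))
        failures.extend(failed)
        if not failed:
            break
    return {"accepted": batches[-1][1] == 0,
            "batches": batches,
            "tested": sum(n for n, _ in batches),
            "population": len(signals),
            "failures": failures}


# Constructed loop-check record for 16 analogue signals: value injected at the
# IPS input and value observed on the DCS, both in % of range. PT-103 and
# PT-104 are deliberately cross-wired to stand in for a termination error.
ANALOGUE_LOOPS: Dict[str, Tuple[float, float]] = {
    f"PT-{100 + i}": (float(5 * i), float(5 * i)) for i in range(16)
}
ANALOGUE_LOOPS["PT-103"] = (15.0, 20.0)
ANALOGUE_LOOPS["PT-104"] = (20.0, 15.0)
TOLERANCE_PCT = 0.1


def loop_ok(tag: str) -> bool:
    """Pass criterion for one loop: the DCS value matches the injected value."""
    injected, observed = ANALOGUE_LOOPS[tag]
    return abs(injected - observed) <= TOLERANCE_PCT


def demo(seed: int = 2017) -> dict:
    """Run the clause 6.1.2 procedure once over the constructed record with a
    seeded random order, as a FAT engineer would run it."""
    return sample_acceptance(list(ANALOGUE_LOOPS), loop_ok, random.Random(seed))
```

With the tags taken in sorted order, PT-103 fails the first batch and PT-104 the second, the third batch is clean and the test is accepted after 12 of 16 signals. With the same tags in reverse order the first batch of four is clean, the test is accepted after four signals and both faults are missed, which is why the 100 % MOS test in item i is not replaced by sampling.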
7.0 DRAWINGS AND DOCUMENTATION
IPS documentation shall include standard documentation, project specific documentation,
manuals and supplier's data books.
8.0 BIBLIOGRAPHY
In this PTS, reference is made to the following Standards/Publications. Unless specifically
designated by date, the latest edition of each publication shall be used, together with any
supplements/revisions thereto:
PETRONAS STANDARDS
Index to PTS PTS 00.01.01
Requirements, General Definition of Terms, Abbreviations & Reading Guide PTS 00.01.03
Spare parts PTS 12.00.04
Electrical engineering design PTS 13.00.01
Instrument Signal Line PTS 14.00.06
Instrumentation for equipment packages PTS 14.10.03
Cybersecurity Management for Process Control Network PTS 14.11.05
Classification, verification and implementation of Instrumented Protective Functions PTS 14.12.10
Management of Instrumented Protective Functions PTS 14.12.11
Alarm Management: Design and Implementation Requirement PTS 14.12.08
INTERNATIONAL STANDARDS
Low-frequency cables and wires with PVC insulation and PVC sheath – Part 2: Cables in pairs, triples, quads and quintuples for inside installations IEC 60189-2
Standard colours for insulation for low-frequency cables and wires IEC 60304
Electromagnetic compatibility (EMC) – Part 6-2: Generic standards – Immunity for industrial environments IEC 61000-6-2
Electromagnetic compatibility (EMC) – Part 6-4: Generic standards – Emission standard for industrial environments IEC 61000-6-4
Programmable controllers – Part 3: Programming languages IEC 61131-3
Functional safety of electrical/electronic/programmable electronic safety-related systems IEC 61508
Functional safety – Safety instrumented systems for the process industry sector IEC 61511
Issued by:
Central Office of the IEC
3, Rue de Varembé
CH 1211 Geneva 20, Switzerland
Copies can also be obtained from national standards organizations.
Annunciator sequences and specifications ISA S18.1
Issued by:
Instrument Society of America
400 Stanwix Street, Pittsburgh
Pennsylvania 15222, USA
Standardization of the signal level for the failure information of digital transmitters NAMUR NE-43
Issued by:
Bayer Technology Services GmbH PMT-IPS
Building K 9
51368 Leverkusen, Germany