
Engineering Standard

SAES-Z-004 25 October 2010


Supervisory Control and Data Acquisition (SCADA) System
Document Responsibility: Process Control Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Scope............................................................ 2
2 Conflicts and Deviations................................ 2
3 References.................................................... 3
4 Definitions...................................................... 4
5 Management of Change............................... 8
6 System Design Requirements....................... 9
7 Data Acquisition and Processing................. 14
8 System Sizing, Spare Capacity and Expansion..................................... 17
9 System Performance Requirements............ 18
10 Telecommunications.................................... 19
11 External Interfaces....................................... 21
12 Display Design Philosophy.......................... 22
13 Security and System Access....................... 29
14 Instrument Asset Management System (IAMS)..................................... 37
15 Documentation............................................ 38
16 Inspection and Testing................................ 38
17 System Maintainability................................. 39
18 Environmental Conditions............................ 39
19 RTU Cabinet Requirements.......................... 39
20 Wiring and Power Supply............................ 40

Previous Issue: 7 November 2009 Next Planned Update: 25 October 2013


Page 1 of 1
Primary contact: Khalifah, Abdullah Hussain on 966-3-8738981

Copyright©Saudi Aramco 2010. All rights reserved.


Document Responsibility: Process Control Standards Committee SAES-Z-004
Issue Date: 25 October 2010
Next Planned Update: 25 October 2013 Supervisory Control and Data Acquisition (SCADA) System

1 Scope

This Standard defines the minimum mandatory requirements and guidelines governing
the engineering, design, installation, testing and commissioning of Supervisory Control
and Data Acquisition (SCADA) systems for upstream oil and gas applications, pipeline
applications and utility applications in Saudi Aramco plants. Parties involved in the
commissioning of new SCADA systems are required to comply with this standard.

This standard is applicable for RTUs, communications channels, and interface with 3rd
party subsystems.

Where the project Functional Specification Document (FSD) calls for an integrated
process control system and SCADA, this standard shall apply to the SCADA portion of
the automation system. Project specific requirements and any requirements above and
beyond those included here shall be defined in project specification documents.
Exclusions:

1) The requirements and guidelines governing the engineering, design and installation of
proprietary Process Control Systems are covered in SAES-Z-001.

2) The requirements and guidelines governing the engineering, design and installation of
Process Automation Networks (PAN) are covered in SAES-Z-010.

The procedural requirements and guidelines to govern minimum mandatory Security for
SCADA Systems are covered in SAEP-99 and excluded from this document.

This entire standard may be attached to and made a part of purchase orders.

2 Conflicts and Deviations

2.1 Any conflicts between this standard and other applicable Saudi Aramco
Materials Systems Specifications (SAMSSs), Engineering Standards (SAESs),
Engineering Procedures (SAEPs), Standard Drawings (SASDs), or other
Mandatory Saudi Aramco Engineering Requirements (MSAERs) shall be
resolved in writing by the Company or Buyer Representative through the
Chairman, Process Control Standards Committee, Process & Control Systems
Department, Dhahran.

2.2 Direct all requests to deviate from this standard in writing to the Company or
Buyer Representative, who shall follow internal Company Engineering
Procedure SAEP-302 and forward such requests to the Manager, Process &
Control Systems Department, Dhahran.


3 References

Material or equipment supplied to this standard shall comply with the latest edition of
the references listed below, unless otherwise noted.

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedures


SAEP-99 Process Automation Networks & Systems Security
SAEP-302 Instructions for Obtaining a Waiver of a Mandatory
Saudi Aramco Engineering Requirement
SAEP-1634 Factory Acceptance Test
SAEP-1638 Site Acceptance Test Plan

Saudi Aramco Engineering Standards


SAES-J-003 Basic Design Criteria
SAES-J-902 Electrical Systems for Instrumentation
SAES-J-904 FOUNDATION™ Fieldbus (FF) Systems
SAES-Z-001 Process Control Systems
SAES-Z-010 Process Automation Networks
SAES-Z-020 Design and Installation of Fiber Optic Cable Systems
for Process Control Networks

Saudi Aramco Materials System Specifications


23-SAMSS-020 Supervisory Control and Data Acquisition (SCADA)
Systems
23-SAMSS-030 Remote Terminal Unit
23-SAMSS-060 Applications Integration Middleware
34-SAMSS-623 Programmable Controller Based ESD Systems
34-SAMSS-820 Instrument Control Cabinets - Indoor
34-SAMSS-821 Instrumentation Control Cabinets - Outdoor

Saudi Aramco Engineering Reports


SAER-5895 Alarm Management Guidelines for Process
Automation Systems
SAER-6123 Process Automation Networks Firewall Evaluation
Criteria


Saudi Aramco Inspection Requirements


Form 175-230200 Inspection Requirements for SCADA System

Saudi Aramco General Instructions


GI-0710.002 Classification of Sensitive Information
GI-0299.120 Sanitization and Disposal of Saudi Aramco Electronic
Storage Devices and Industry Codes and Standard

Saudi Aramco Information Protection Manual (IPM)


IPSAG-007 Computer Accounts Security Standards & Guidelines

Corporate Policy
INT-7 Data Protection and Retention

3.2 Industry Codes and Standards

International Electrotechnical Commission


IEC 61000-4-3 Electromagnetic Compatibility (EMC) - Part 4-3:
Testing and Measurement Techniques - Radiated,
Radio-Frequency, Electromagnetic Field Immunity
Test
IEC 61000-6-2 Electromagnetic Compatibility (EMC) - Part 6-2:
Generic Standards - Immunity for Industrial
Environments

European Council
2004/108/EC Directive on Electromagnetic Compatibility

4 Definitions

This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document. For definitions not listed, the latest issue of the
"Comprehensive Dictionary of Measurement and Control", International Society for
Measurement and Control, shall apply.

4.1 Acronyms and Abbreviations


API Application Program Interface
CBO Check Before Operate
COTS Commercial-Off-The-Shelf


DAHS Data Acquisition and Historization System
DCS Distributed Control System
EIA Electronic Industries Association
FAT Factory Acceptance Test
FSD Functional Specification Document
GUI Graphical User Interface
HMI Human Machine Interface
OPC OLE for Process Control
PDR Preliminary Design Review
PLC Programmable Logic Controller
RBE Report by Exception
RTU Remote Terminal Unit
SAEP Saudi Aramco Engineering Procedures
SAES Saudi Aramco Engineering Standards
SAMSS Saudi Aramco Material System Specifications
SAT Site Acceptance Test
SDD System Design Document

4.2 Words and Terms

Address: An identifying name, label, or number for a data terminal, source, or
storage location calculation.

Analog data: Data represented by scalar values.

Application Account: Refers to the account name used to run applications as
either a service or a background process.

Application Software: The software written specifically to perform functional
requirements for an individual plant when standard software packages cannot be
configured to meet the requirements. Application software works with the
standard operating software and accesses the SCADA real-time and historical
database data.

Availability: The percent of time a system or component remains on line and
performs as specified.


Bidirectional: Providing for information transfer in both directions between
master and remote terminals (of a communication channel).

Binary digit: A character used to represent one of the two digits in the binary
number system and the basic unit of information in a two-state device. The two
states of a binary digit are usually represented by “0” and “1”. Synonym: bit.

Buffer: A device in which data are stored temporarily in the course of
transmission from one point to another; used to compensate for a difference in
the flow of data, or time of occurrence of events, when transmitting data from
one device to another.

Call Up Time: The time between when the operator initially enters a display
request and when all objects, lines, values (good or invalid), trends and other
parts of the display have been fully presented to the operator.

Command: Commands are sent by operators or by applications. Commands
can be binary or analog (set-point). Commands require reliable, secure, and
timely delivery. Command data should be delivered to its target as quickly as
possible, typically in the order of seconds or sub-seconds. If a command cannot
be delivered or acted upon, the SCADA system should report this to the
operator.

Communication channel: A facility that permits signaling between two
terminals, i.e., a path between a master station and an RTU, PLC or a subsystem.

Communications Subsystem: The hardware and software that performs the
transmitting and receiving of digital information.

Configurable: The capability to select and connect standard hardware modules
to create a system, or the capability to change functionality or sizing of software
functions by changing parameters without having to modify or regenerate
software.

Console: A collection of one or more workstations and associated equipment
such as printers and communications devices used by an individual to interact
with the SCADA and perform other functions.

Cycle: The scanning of inputs, execution of algorithms and transmission of
output values to devices.

Cyclic Polling (data request): The process by which a data acquisition system
selectively requests data from one or more of its RTUs. An RTU may be
requested to respond with all, or a selected portion of, the data available.


Dead Band: The range through which an input signal may be varied without
initiating an action or observable change in output signal.

Flag: A character that signals the occurrence of some event. Usually, a field of
1 bit.

Faceplate: A graphic element that mimics the front panel of an analog
controller instrument, hardwired push-button or switch.

Fail-Over: Occurs automatically without user intervention, transparent to the
user.

Intelligent Electronic Device (IED): An intelligent electronic device that
performs a specific control and/or data gathering function.

Logs: Files or printouts of information in chronological order.

Master Station: Server or servers and software responsible for communicating
with the field equipment (RTUs, PLCs, etc.), and then with the HMI software
running on workstations in the control room, or elsewhere. A master station may
include multiple servers, distributed software applications, and disaster recovery
sites. The Master Station includes all network switches and connectivity devices
required to communicate with RTUs and remote sites.

Operating System: software that runs on computers and manages the computer
hardware and provides common services for execution of application software.

Protocol: A strict procedure required to initiate and maintain communication
with the RTU or a PLC. An Open Industry Standard communication protocol is
defined as a protocol that has a published specification, is available for all
suppliers to read and implement, and will not lock the customer into a particular
vendor or group. The protocol may be extended, or offered in subset form, and
supported by publication of reference information.

Redundant Configuration: A system and/or subsystem that provides for a
standby module with automatic switchover from the primary unit to the standby
module, in the event of a failure, without loss of a system function. Both active
and standby modules utilize diagnostics to assist in identifying and locating
failures and to permit modules to be removed for repair and/or replacement.

Report-by-Exception: The reporting of data (e.g., from RTU to master station)
only when the data either changes state (e.g., for a status or digital input point)
or exceeds a predefined dead-band (e.g., for an analog input point).

Round Trip Delay (latency): The time required for a packet of data to travel
from a specific source to a specific destination and back again. Latency is
measured by sending a packet that is returned to the sender; the round-trip
time is considered the latency.

Scan: The process by which a data acquisition system interrogates remote
terminals or points for data.

Security code: A group of data bits calculated by a transmitting terminal from
the information within its message by use of a prearranged algorithm, appended
to the transmitted message, and tested by the receiving terminal to determine the
validity of the received message.

Self-Diagnostic: The capability of an electronic device to monitor its own
status and indicate faults that occur within the device.

Supervisory control: A telemetry-based process control command initiated
from a Master Central Station, either manually by an operator or automatically by
an application, to initiate an action and/or change an analog set point in a remotely
located Control Station over a bidirectional communications link using a specific
communication protocol. Such a command is dependent on having quality process
related alarm/event data and follows a timely bidirectional confirmation and
acknowledgment sequence between the master and the station known
as Select/Check Before Operate (CBO).

System Account: Refers to the account names used by the operating system.

Tag: A collection of attributes that specify either a control loop or a process
variable, or a measured input, or a calculated value, or some combination of
these, and all associated control and output algorithms. Each tag is unique.

Tag ID: The unique alphanumeric code assigned to inputs, outputs, equipment
items, and control blocks. The tag ID might include the plant area identifier.

Transaction: A sequence of messages between cooperating terminals to
perform a specific function. Usually, a minimum of one message in each
direction, comprising a command followed by a response.

5 Management of Change

A written procedure should be in place at each operating facility detailing the
requirements for the review and approval of all changes made to SCADA equipment.

5.1 This procedure shall be part of the plant operation instruction manuals.

5.2 This procedure shall be followed for new implementations, expansions and
upgrades of SCADA equipment.


6 System Design Requirements

The SCADA system can support any type of telecommunication technology.
However, the selection of the telecommunication technology and/or topology is outside
the scope of this document. The following design requirements shall be complied with
to provide highly efficient and reliable SCADA system performance for each
application using the provided technology.

6.1 General

A detailed performance analysis shall be conducted for each application
(project) to recommend the optimum architecture to meet the performance
requirement stated in the performance section of this standard.

6.1.1 The performance analysis shall be based on the expected data scan
frequency and spare capacity for each application as stated in the
project functional specification document.

6.1.2 The analysis shall address SCADA server(s) loading, bandwidth
capacity and utilization of each telecommunication channel based on
the used communication protocol messaging structure.

6.1.3 Data communication channel loading and capacity calculation shall be
performed prior to adding a new RTU to an existing wireless or serial
communication channel.

6.1.4 Communication protocol(s) used to communicate with the RTU and
other system components shall be Open Industry Standard
protocol(s) as defined in 23-SAMSS-020 and 23-SAMSS-030.

6.1.5 All functional requirements shall be implemented using the protocol's
standard features. However, if the vendor needs to use any of the
optional protocol functions to meet any of the project specific
functional requirements, the vendor shall provide full documentation of the
implementation at the PDR phase. Such implementation shall not
result in a proprietary interface.

6.1.6 All TCP/IP addressing shall be obtained from Information
Technology.

6.2 Design Architecture

6.2.1 The SCADA Host station software shall be based on Client/Server
architecture. Processing load shall be balanced and distributed among
the system components to achieve scalability and the highest
performance level.


6.2.2 The master station shall consist of online redundant SCADA servers
configuration interconnected by a redundant high-speed local area
network (LAN) using dedicated Layer 3 network switches.

6.2.3 SCADA system redundant components shall include the Human Machine
Interface (HMI), Front End Processor (FEP) when required to run on a
separate machine, the real time database, all applications servers and
the data historian.

6.2.4 The SCADA LAN shall be physically and logically isolated from all
other non SCADA network traffic. Voice, CCTV and non process
control traffic shall not share the SCADA LAN hardware.

6.2.5 The SCADA server(s) shall be dedicated to perform the real time data
acquisition and telecommunication processing functionalities and shall
not be shared and/or used to perform any non-SCADA related data
processing functions.

6.2.6 All SCADA servers and workstations shall have redundant LAN
connectivity.

6.2.7 Operator workstations located in the main control center shall run thick
client software. Operator work stations shall not be based on Windows
Terminal Services, Remote Desktop protocol, Web Servers, or any
other thin client architecture. Thin client architecture may be used for
view only workstations.

6.2.8 Remotely located engineering work station(s), and view only work
station(s) (Clients) shall be connected to the SCADA network through
a logically separated 2 Mbps data link as a minimum. For special
application requiring continuous data access such as software modeling
applications, a 10 Mbps data link shall be provided.
Commentary note:

For SCADA applications, wireless extension of the PAN can be used
with prior approval from the Manager, P&CSD.

6.2.9 For applications requiring redundant RTU communication modules, the
design shall provide a dedicated communication path from each
communication module to the telecommunication network.

6.2.10 There shall be a minimum of one dedicated engineering workstation
configured on the system. The engineering workstation shall be capable of
functioning as an operator workstation.


6.2.11 Serial and IP based communication protocols shall be implemented in
the SCADA server and shall run in native mode. Use of an external
communication protocol converter (hardware unit) or internal
converter (third party software driver) shall be limited and shall require
approval by the Manager, P&CSD.
Commentary Note:

The above requirement is not intended to exclude the use of media
converters.

6.2.12 Active and standby SCADA servers shall be kept in a fully
synchronized state. Synchronization shall include, but not be limited to,
applications and databases.

6.2.13 In the event of a failure of the active (primary) server, the standby
server shall automatically assume control of all peripherals and
communications lines within a maximum of 30 seconds without
requiring manual intervention.

6.2.14 If and whenever RTU redundancy is required, the switchover shall be
immediate and shall not result in any process upset.

6.2.15 The system shall allow access to any RTU from any engineering
station in the network with appropriate access authority.

6.2.16 The SCADA system shall incorporate a set of tools to commission,
monitor, and maintain the communication channels and end devices.
The provided tools shall allow connectivity to the overall system from a
central location.

6.2.17 It shall be possible to operate the process from any SCADA client,
except if this is explicitly disabled for certain users or clients via
removing the corresponding access privileges.

6.2.18 The SCADA server shall be connected to a GPS and shall serve as the
master time source to synchronize the time of all network devices and
connected slaves (RTU/PLC).

6.2.19 Time synchronization shall occur whenever a network device, RTU or
a slave device is restarted from a power down, via the standard
communication protocol synchronization command.

6.2.20 For communication protocols that do not support a standard time
synchronization function, such as MODBUS, the SCADA server shall
provide functionality to write time values to specific registers in all
connected slave devices. The slave device shall also accept and
process the new time value settings.

6.2.21 The system shall be configured to switch to predefined alternate
communication ports (or IP addresses) that can be used to reach the
RTUs.

6.2.22 On a series of communication errors with an RTU, the system shall
generate an alarm and switch ports or IP address after a user-definable
port retry count expires. A separate port status point for each RTU
shall be maintained to indicate which port is currently being used to
poll each RTU.

6.2.23 If the communication line is looped, it shall be possible to determine
between which two RTUs a break exists by examining the values of
the port status points.

6.2.24 For each RTU, the system shall maintain communication statistics in
the form of analog points that may be viewed on displays, printed in
reports, or stored in historical data files. Such statistics shall include
percentage of successful communication, number of timeouts and
number of security errors.

6.2.25 After an RTU has been declared failed, the system shall continue to
poll it but at a reduced rate, for example: poll only one failed RTU on
each round-robin poll cycle. If all RTUs are failed on a
communication line (on both ports, if two ports are defined), the
system shall declare the entire communication line as failed.
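The port switching, failed-RTU handling and communication statistics of clauses 6.2.21 to 6.2.25, together with the loop-break location of 6.2.23 and the security code defined in section 4.2, worked through as an added Python example. This is illustration code written for this page, not part of the standard or of any vendor's SCADA product; the frame format, the 8-bit checksum standing in for the security code, the `LinePoller` class, the port and RTU names, and the transport callback are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class RtuStats:
    """Per-RTU communication statistics kept as analog points (6.2.24)."""
    polls: int = 0
    successes: int = 0
    timeouts: int = 0
    security_errors: int = 0

    def success_pct(self) -> float:
        return 100.0 * self.successes / self.polls if self.polls else 0.0

@dataclass
class Rtu:
    name: str
    ports: List[str]            # alternate ports / IP addresses (6.2.21)
    port_index: int = 0         # port status point: the port currently in use
    consecutive_errors: int = 0
    ports_exhausted: int = 0    # ports whose retry count expired in this episode
    failed: bool = False
    stats: RtuStats = field(default_factory=RtuStats)

    @property
    def port(self) -> str:
        return self.ports[self.port_index]

def security_code(payload: bytes) -> int:
    """Constructed 'security code' (section 4.2): 8-bit sum over the payload,
    appended by the sender and recomputed by the receiver."""
    return sum(payload) & 0xFF

def simulated_transport(reachable: Dict[Tuple[str, str], bytes]):
    """Constructed transport: (port, rtu name) -> reply frame; absent = timeout."""
    return lambda port, rtu_name: reachable.get((port, rtu_name))

class LinePoller:
    """Round-robin poller for the RTUs on one communication line."""

    def __init__(self, rtus: List[Rtu], transport, retry_limit: int = 3):
        self.rtus, self.transport, self.retry_limit = rtus, transport, retry_limit
        self.alarms: List[str] = []   # system alarms raised by the poller
        self.line_failed = False
        self._next_failed = 0

    def _poll(self, rtu: Rtu) -> bool:
        rtu.stats.polls += 1
        reply = self.transport(rtu.port, rtu.name)
        if reply is None:
            rtu.stats.timeouts += 1
        elif len(reply) < 2 or security_code(reply[:-1]) != reply[-1]:
            rtu.stats.security_errors += 1          # corrupted or forged frame
        else:
            rtu.stats.successes += 1
            rtu.consecutive_errors = rtu.ports_exhausted = 0
            if rtu.failed:
                rtu.failed = False
                self.alarms.append(f"{rtu.name}: communication restored")
            return True
        rtu.consecutive_errors += 1
        if rtu.consecutive_errors >= self.retry_limit:      # 6.2.22: alarm, switch port
            old_port, rtu.consecutive_errors = rtu.port, 0
            rtu.ports_exhausted += 1
            rtu.port_index = (rtu.port_index + 1) % len(rtu.ports)
            self.alarms.append(f"{rtu.name}: retry count expired on {old_port}, "
                               f"switching to {rtu.port}")
            if rtu.ports_exhausted >= len(rtu.ports):        # every port has been tried
                rtu.ports_exhausted = 0
                if not rtu.failed:
                    rtu.failed = True
                    self.alarms.append(f"{rtu.name}: declared failed")
        return False

    def cycle(self) -> List[str]:
        """One poll cycle: every healthy RTU, then at most one failed RTU (6.2.25)."""
        failed_before = [r for r in self.rtus if r.failed]
        polled = []
        for rtu in self.rtus:
            if not rtu.failed:
                self._poll(rtu)
                polled.append(rtu.name)
        if failed_before:
            rtu = failed_before[self._next_failed % len(failed_before)]
            self._next_failed += 1
            self._poll(rtu)
            polled.append(rtu.name)
        all_failed = all(r.failed for r in self.rtus)
        if all_failed and not self.line_failed:          # failed on every port of every RTU
            self.alarms.append("communication line declared failed")
        self.line_failed = all_failed
        return polled

def locate_loop_break(rtus_in_loop_order: List[Rtu]) -> Optional[Tuple[str, str]]:
    """Looped line polled from both ends (ports [A, B]): the break lies between
    the last RTU still reached via A and the first reached via B (6.2.23)."""
    for left, right in zip(rtus_in_loop_order, rtus_in_loop_order[1:]):
        if left.port_index == 0 and right.port_index == 1:
            return left.name, right.name
    return None

def demo_scenario(cycles: int = 4, retry_limit: int = 2) -> LinePoller:
    """Constructed scenario: RTU1 answers on port A; RTU2 answers on A with a
    bad security code and correctly on B; RTU3 never answers at all."""
    good = b"\x01\x02" + bytes([security_code(b"\x01\x02")])
    reachable = {("A", "RTU1"): good, ("A", "RTU2"): good[:-1] + b"\x00",
                 ("B", "RTU2"): good}
    poller = LinePoller([Rtu(n, ["A", "B"]) for n in ("RTU1", "RTU2", "RTU3")],
                        simulated_transport(reachable), retry_limit)
    for _ in range(cycles):
        poller.cycle()
    return poller
```

Running `demo_scenario()` leaves RTU1 at 100 % successful polls, RTU2 on port B after two security errors on port A, and RTU3 declared failed once the retry count has expired on both ports; from then on `cycle()` polls RTU3 only as the single failed RTU of each round. A frame whose security code does not verify is never accepted silently: it is counted and treated as a failed poll, so a line that is being corrupted or spoofed shows up in exactly the per-RTU statistics that 6.2.24 requires on displays and in reports.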

6.2.26 Communication protocol monitoring tools shall be provided for each
communication protocol used in the SCADA system to allow users to
view the messages issued to and returned from individual RTUs or all
RTUs.

6.2.27 For applications where a FOUNDATION™ Fieldbus (FF) based RTU is
specified, refer to SAES-J-904 for the design requirements.

6.3 Availability and Reliability

6.3.1 The SCADA System architecture, including the telemetry network
design, shall provide 99.50% hardware and software availability and
reliability.

6.3.2 SCADA communication network flooding generated by a faulty
communication device shall not block the network, cause network
jamming and/or degrade system performance.


6.3.3 The SCADA Host Station including the SCADA LAN shall be
designed with no single point of failure. For application where
redundant RTU/PLC is required, the no single point of failure
requirement shall include the communication modules and
communication links to the RTU/PLC.

6.3.4 Replacement of any failed SCADA LAN component shall not affect
the operations of the process.

6.3.5 There shall be no effect on programs, control applications or tasks running
in the RTU, and no loss of field data, when a switchover takes place
between a primary and a redundant SCADA server.

6.3.6 Switch back to repaired equipment shall be permitted only after the
system diagnostics function has determined that the module is fully
functional.

6.3.7 Failure of any primary or backup system component, including a
communication channel, shall be alarmed as a system alarm and shall
be logged.

6.3.8 Health Status of the backup equipment shall be monitored all the time.
The system shall generate an alarm and log if the backup system is
incapable of assuming primary equipment functions.

6.3.9 Automatic and manual switchover shall be displayed, logged, and
alarmed by the system.

6.3.10 The system shall continuously monitor and test all backup equipment
to determine whether the backup equipment is capable of assuming
primary equipment functions.

6.3.11 Intelligent Electronic Devices (IEDs) and/or I-Field surface units' data
gathered by the RTU shall be reported to the Master Station along with
the RTU's own data.

6.3.12 The RTU shall retain all configuration parameters of all devices
connected to the RTU through a serial link, such as Intelligent Electronic
Devices (IEDs) and/or I-Field surface units, including the registers and addresses of
slave devices.

6.3.13 Failure of an Intelligent Electronic Device (IED) and/or I-Field surface unit
connected in a multi-drop serial link shall not impact data access from
other units in the same link. All units in a multi-drop link shall be
wired such that a unit can be removed from the link without impacting
other units.


7 Data Acquisition and Processing

7.1 Data Acquisition

7.1.1 The Data Acquisition shall be based on a communication protocol that
supports report by exception (RBE) scanning. The dead band setting
for all analog values shall ensure conformance to each application's data
transmission frequency update and data value resolution.

7.1.2 In events of RTU failure, the system shall mark all points that are
telemetered by the RTU with some visible indication that the data is
not current. For each point, this telemetry failed quality code shall not
clear until a value is subsequently received from the RTU or the slave
device.

7.1.3 Data acquisition shall be automatic and transparent to the user. The
RTU data, when presented to the user on a display or used in any of the
functions defined by the project specification, shall reflect the current
field conditions as of the last scheduled acquisition of data for a given
point. The data shall be in the current engineering units as defined in
the real time database.

7.2 Status Data Processing

The system shall process changes of the following types of status points as follows:
a) 2-state status. This is a 1-bit alarm that can decode 2 states to indicate the
status of a device that may be in one of two possible states. The user shall
be able to define the names of each state, e.g., ON and OFF, Open and
Closed. In addition, a color shall be associated with each state.
b) 3-state status. This is a 2-bit alarm that can decode 4 states. The user shall
be able to define the names and colors associated with each state, e.g., in
the case of a valve, Open, Closed and Moving, or failed.

7.3 Analog Data Processing

a) The system shall scan every analog input in the RTUs at predefined
scanning intervals. Any failure to complete a scan shall be marked with a
Telemetry Failed data quality flag.
b) The user shall be able to specify the scale factor and offset to represent the
conversion factors for a linear conversion of the telemetered analog values
to engineering units.
c) The deadband associated with each limit is used to prevent multiple alarms
from being generated when the value hovers near a limit value.


Zero clamp option shall not be used for points that will perform totalization.
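Report-by-exception with a dead band (7.1.1), the telemetry-failed quality flag (7.1.2 and 7.3 a), linear scaling to engineering units (7.3 b) and limit alarms with a dead band (7.3 c), worked through on one analog point in an added Python example. This code is written for this page and is not part of the standard; the `AnalogPoint` class, the tag PT-101, the scaling constants and the scan sequence are constructed assumptions, and forcing a full report when telemetry recovers is one reasonable design choice rather than a requirement the standard states.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class AnalogPoint:
    """One telemetered analog point: RTU-side report-by-exception plus
    master-side scaling, data quality and limit alarming."""
    tag: str
    scale: float                  # engineering units per raw count (7.3 b)
    offset: float
    rbe_deadband: int             # raw change needed before the RTU reports (7.1.1)
    hi_limit: float
    lo_limit: float
    alarm_deadband: float         # hysteresis applied when clearing a limit alarm (7.3 c)
    last_reported_raw: Optional[int] = None
    value: Optional[float] = None
    quality: str = "INIT"         # "GOOD" or "TELEMETRY_FAILED" (7.1.2, 7.3 a)
    alarm: Optional[str] = None   # None, "HI" or "LO"
    reports: int = 0              # messages actually sent RTU -> master
    events: List[str] = field(default_factory=list)

    def to_engineering_units(self, raw: int) -> float:
        return self.scale * raw + self.offset

    def rtu_should_report(self, raw: int) -> bool:
        """RTU side of RBE: send only when the change exceeds the dead band,
        or when nothing has been sent since start-up / the last telemetry failure."""
        return (self.last_reported_raw is None
                or abs(raw - self.last_reported_raw) > self.rbe_deadband)

    def scan(self, raw: Optional[int]) -> bool:
        """One scheduled scan. `raw` is the RTU's current count, or None when the
        scan could not be completed. Returns True if a report reached the master."""
        if raw is None:
            if self.quality != "TELEMETRY_FAILED":
                self.events.append(f"{self.tag}: telemetry failed")
            self.quality = "TELEMETRY_FAILED"   # last value stays visible, flagged not current
            self.last_reported_raw = None       # force a full report once the RTU answers
            return False
        if not self.rtu_should_report(raw):
            return False                        # master keeps the last good value
        self.last_reported_raw = raw
        self.reports += 1
        self._master_update(raw)
        return True

    def _master_update(self, raw: int) -> None:
        if self.quality == "TELEMETRY_FAILED":
            self.events.append(f"{self.tag}: telemetry restored")
        self.quality = "GOOD"                   # flag clears only on a received value
        self.value = self.to_engineering_units(raw)
        self._check_limits()

    def _check_limits(self) -> None:
        """Limit alarms with a dead band so a value hovering at a limit does not
        raise and clear the alarm on every report."""
        v = self.value
        if self.alarm is None:
            if v > self.hi_limit:
                self.alarm = "HI"
                self.events.append(f"{self.tag}: HI limit alarm")
            elif v < self.lo_limit:
                self.alarm = "LO"
                self.events.append(f"{self.tag}: LO limit alarm")
        elif self.alarm == "HI" and v < self.hi_limit - self.alarm_deadband:
            self.alarm = None
            self.events.append(f"{self.tag}: HI limit alarm cleared")
        elif self.alarm == "LO" and v > self.lo_limit + self.alarm_deadband:
            self.alarm = None
            self.events.append(f"{self.tag}: LO limit alarm cleared")

# Constructed scan sequence: raw counts from a hypothetical pressure transmitter;
# None marks scans the RTU failed to answer.
SCAN_SEQUENCE = [1000, 1003, 1010, 1810, 1790, 1750, None, None, 1750, 150]

def run_scenario(raw_sequence=SCAN_SEQUENCE) -> AnalogPoint:
    point = AnalogPoint(tag="PT-101", scale=0.05, offset=0.0, rbe_deadband=5,
                        hi_limit=90.0, lo_limit=10.0, alarm_deadband=2.0)
    for raw in raw_sequence:
        point.scan(raw)
    return point
```

With the constructed sequence, only 7 of the 10 scans produce a report: the 3-count change is suppressed by the dead band, the two failed scans set the telemetry-failed flag once, and the value 89.5 directly below the 90.0 high limit leaves the HI alarm standing because it is inside the 2.0 alarm dead band. The flag clears on the first value received after the failure, as 7.1.2 requires, and that value is reported regardless of the dead band so the master does not keep a stale reading.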

7.4 Pulse Accumulator Data Processing

7.4.1 The system shall send a command to freeze the accumulators either to
all RTUs or to selected RTU. However, this freeze command shall not
reset the accumulators in the individual RTUs. Upon receiving the
accumulator readings at the master station, the system shall
automatically calculate the difference from the last reading.

7.4.2 Alternatively, the RTU can implement a cyclic freeze based on a
synchronized RTU clock, e.g., on hour change, without a freeze
command from SCADA.

7.4.3 The system shall also be able to retrieve accumulators at user-definable
intervals from 15 to 60 minutes.

7.5 Sequence of Events Data Processing

7.5.1 For power and substation automation applications that require
Sequence of Events (SOE) data processing, the SCADA system shall
process digital indications from the RTUs which are tagged with the
time of event occurrence.

7.5.2 Sequence of Events data shall have a 1 millisecond time stamp.

7.5.3 The system shall provide a filtered view for all SOE signals.

7.6 Control Output Requirements

7.6.1 The system shall perform all control operations to field devices in a
safe secure manner. The operator shall be promptly informed if any
anomalies occur during the control sequence.

7.6.2 The system shall allow the system operator at any HMI workstation to
issue control commands (digital outputs and analog outputs) to
operate equipment, close valves and/or change analog set points through
a select-before-operate sequence and automatically monitor the field
device to ensure full and successful command operation. Control
action response times shall take the highest priority over all other data
communication.

7.6.3 The pulse output controls shall be implemented in the RTU with either
variable duration pulse or a train of pulses. The RTU shall monitor the
feedback value and stop the pulses when the setpoint is reached.

7.6.4 All output commands shall utilize the Select-Check-Before-Operate (CBO)
technique that requires secure handshaking with the RTU before any
controls are executed. In such cases, control of a point requires the
following exchange of messages:
Master to RTU - control point selection
RTU to Master - point address check-back
Master to RTU - control execution
RTU to Master - execute acknowledgement

7.6.5 If the Master Station does not receive proper acknowledgement of
either the select request or the execute command, a check-back failure
alarm shall be generated by the system. If the acknowledgements are
correct, but the expected status change does not occur within the
point's control response timeout, a control failure alarm shall be
generated.
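The four-message exchange of 7.6.4 and the two alarms of 7.6.5 fit naturally into a small simulation with both sides present. The block below is an added example, not code from the standard or any SCADA product: the master selects a point and compares the RTU's check-back against the address it sent, executes only on a matching check-back, and then watches the point status for the commanded change. A corrupted check-back or a missing acknowledgement yields a check-back failure alarm; a correct handshake whose status change never arrives yields a control failure alarm. The message format, the RTU model and its fault switches are constructed.

```python
"""Select-Check-Before-Operate exchange of clauses 7.6.4 and 7.6.5, with both
the master and the RTU side of the conversation. Added example; the message
format, the RTU model and the fault switches are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Msg:
    kind: str                        # SELECT, CHECKBACK, EXECUTE, EXECUTE_ACK
    point: int                       # point address
    command: Optional[str] = None    # e.g. OPEN / CLOSE for a digital output


class RtuSim:
    """Constructed RTU: one digital point, a select latch and two fault switches."""

    def __init__(self, status="CLOSED", corrupt_checkback=False, actuator_stuck=False):
        self.status = status
        self.selected = None
        self.corrupt_checkback = corrupt_checkback   # echo the wrong point address
        self.actuator_stuck = actuator_stuck         # acks but the device never moves

    def handle(self, msg: Msg) -> Optional[Msg]:
        if msg.kind == "SELECT":
            self.selected = msg.point
            echoed = msg.point + 1 if self.corrupt_checkback else msg.point
            return Msg("CHECKBACK", echoed)
        if msg.kind == "EXECUTE":
            if msg.point != self.selected:
                return None              # no ack: execute without a valid select
            self.selected = None         # a select is good for exactly one execute
            if not self.actuator_stuck:
                self.status = msg.command
            return Msg("EXECUTE_ACK", msg.point)
        return None


def control(rtu: RtuSim, point: int, command: str, response_timeout_scans: int = 3) -> dict:
    """Master-station side of the CBO sequence. Returns the outcome, the alarm
    raised (if any) and the messages exchanged."""
    log = []

    def exchange(msg: Msg) -> Optional[Msg]:
        log.append(("M->R", msg))
        reply = rtu.handle(msg)
        log.append(("R->M", reply))
        return reply

    # Messages 1 and 2: control point selection, point address check-back.
    reply = exchange(Msg("SELECT", point))
    if reply is None or reply.kind != "CHECKBACK" or reply.point != point:
        return {"result": "CHECKBACK_FAILURE",
                "alarm": f"point {point}: check-back failure on select", "log": log}
    # Messages 3 and 4: control execution, execute acknowledgement.
    reply = exchange(Msg("EXECUTE", point, command))
    if reply is None or reply.kind != "EXECUTE_ACK" or reply.point != point:
        return {"result": "CHECKBACK_FAILURE",
                "alarm": f"point {point}: check-back failure on execute", "log": log}
    # Monitor the field device for the expected status change (7.6.2, 7.6.5).
    for _ in range(response_timeout_scans):
        if rtu.status == command:
            return {"result": "SUCCESS", "alarm": None, "log": log}
    return {"result": "CONTROL_FAILURE",
            "alarm": f"point {point}: control failure, status still {rtu.status}", "log": log}


if __name__ == "__main__":
    for rtu in (RtuSim(), RtuSim(corrupt_checkback=True), RtuSim(actuator_stuck=True)):
        outcome = control(rtu, 7, "OPEN")
        print(outcome["result"], outcome["alarm"])
```

The RTU side enforces two properties that give the handshake its value: an execute is only honoured for the point that was just selected, and a select is consumed by the execute, so a stray or replayed execute message finds no armed point.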

7.7 Supervisory Control

It shall be possible for supervisory control applications to be scheduled, run on
demand or triggered by events.

7.8 Alarm and Message Handling

SAER-5895 shall be followed to provide the required consistency and avoid
configuration of unnecessary alarms. Priority shall be established by severity of
consequence and time to respond for each process variable, rather than a blanket
policy such as setting alarms on all analog inputs at 80%.

7.9 Data Historization

7.9.1 There shall be a configurable, real time and historical data collection
package to support trending, logging, and reporting.

7.9.2 On-line storage media shall be redundant.

7.9.3 When a process point is not collected, an unavailable code shall be
entered in the history file.

7.9.4 Option to store the value of any of the following parameters in on-line
history storage shall be provided:
• process input/output values/status
• calculated value/state
• controller parameters such as setpoint, output, mode
• digital input/output states
• system alarms and events

7.9.5 The system shall support configurable historical data collection rates
ranging from point scan time to one hour averages. The system shall
also support the following rates:
• Shift averages
• Daily average
• Monthly average
• User-defined rate

7.9.6 The historical data collection package shall be capable of storing the
following number of recent alarm and events as a minimum:
10,000 Process alarms
5,000 System Alarms
5,000 Operator Actions
5,000 Engineering Actions.

Each of the above listed entries shall include as a minimum: time and date of the
event, associated tag, equipment, user, and a description of the event on which
the alarm has been acknowledged.

7.9.7 Option to recall and display any data stored in on-line historical data
storage device shall be provided.

7.9.8 Option to transfer archived data in a format that can be displayed on a
PC using word processing or spreadsheet software shall be provided.

7.9.9 The historical database shall be able to store any data from the real-
time database on a periodic or snapshot basis definable by the user.
The historical information subsystem shall be able to provide storage
of unlimited quantities of historical data depending only on the
limitation of hardware resources (disk storage, etc.).

7.9.10 The stored historical data shall be accessible to other applications for
data review and analysis and to trending displays.

8 System Sizing, Spare Capacity and Expansion

8.1 System expansion and upgrading of system operating and application software
shall be achievable with no impact to the running facilities operation, without
losing the operator interface, without the loss of access to any control function
and without impact on the controlled or monitored process.

8.2 All displays on all workstations shall be updated and responsive to controls
throughout the alarm burst and during primary/backup server's synchronization
process.

8.3 The system database size shall be expandable to handle the system expansion
requirements as stated in the project specific FSD without any need to expand
the hardware, perform any software change, or purchase additional licenses.

9 System Performance Requirements

9.1 All displays and graphics including fully active dynamic elements for up to 100
fields, displaying their current values, shall be completed within 2 seconds of the
graphic display being requested.

9.2 The update frequency for real time data, displayed alphanumerically and
symbolically (shape change, color change, etc.), shall be at least once every
2 seconds for all displays and graphics.

9.3 Operator command initiation shall receive feedback response within 2 seconds.
If the system fails to respond to a command, then a fail-to-operate event is
displayed.

9.4 The system shall update calculation algorithms, and dynamic fields of the
displays within one second of actual events and data values received at the
system realtime database.

9.5 SCADA host shall upload the RTU data after restoring the communication and
fetch the data in the real-time database with the correct time stamp.

9.6 Historical data display updates shall occur within two seconds of display call up.

9.7 The number of RTUs per communication channel shall be determined based on
the following:
• Number and type of data points per RTU including the connected subsystem
IOs
• The scan frequency specified in the project Functional Specification
Document (FSD) for each data point type
• Round trip delay of data packets for the provided data network considering
the transmission medium, number of nodes, amount of traffic on the
SCADA LAN, the number of other requests being handled by intermediate
nodes and other services.
• Channel utilization shall be between 40-80% for serial communication.
• Channel utilization shall be between 10-30% for IP communication.
Commentary Note:

The average channel utilization can be estimated considering only the data
values to be routinely serviced by the channel. This typically includes status and
analog data acquisition or only analog data where status-by-exception reporting
is implemented. Any high-periodicity control commands should be added to the
routine data acquisition utilization. Where the channel will be subject to large
bursts of data acquisition loads (such as during a disturbance where report-by-
exception techniques are employed), the highest percentage of the desired
channel utilization range shall be used on estimating the channel utilization.
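The sizing rule of 9.7 and its commentary note can be turned into an estimator. The block below is an added example and not a calculation method taken from the standard: it uses a deliberately simple model in which each scan is one poll/response pair whose channel occupancy is the request plus response transmission time at the channel bit rate plus the round trip delay, and the routine utilization is the sum over point types of polls per second times occupancy per poll, with high-periodicity control commands added in as the note requires. The frame overhead, bytes per point and every sample figure are assumptions, not values from the standard; only the 40-80% and 10-30% bands come from 9.7.

```python
"""Channel utilization estimate for clause 9.7 and its commentary note.
Added example with a constructed, simplified poll/response model; the frame
overhead, bytes per point and sample figures are assumptions."""
from dataclasses import dataclass

UTILIZATION_BAND = {"serial": (0.40, 0.80), "ip": (0.10, 0.30)}   # clause 9.7

BYTES_PER_STATUS = 0.125    # assumed: status points packed 8 per byte
BYTES_PER_ANALOG = 2.0      # assumed: 16-bit analog value


@dataclass
class RtuProfile:
    status_points: int
    analog_points: int
    status_scan_s: float              # scan interval for status points
    analog_scan_s: float              # scan interval for analog points
    control_cmds_per_s: float = 0.0   # high-periodicity control commands (commentary note)
    control_bytes: float = 4.0        # assumed payload per control command


@dataclass
class Channel:
    kind: str                         # "serial" or "ip"
    bps: int                          # usable channel bit rate
    rtt_s: float                      # round trip delay of the data network
    frame_overhead_bytes: int = 12    # assumed framing per message


def poll_occupancy_s(payload_bytes: float, ch: Channel) -> float:
    """Channel time consumed by one request/response pair."""
    bits = (2 * ch.frame_overhead_bytes + payload_bytes) * 8
    return bits / ch.bps + ch.rtt_s


def utilization(rtu: RtuProfile, ch: Channel, n_rtus: int = 1) -> float:
    """Routine utilization (0..1) of one channel carrying n_rtus identical RTUs."""
    status = poll_occupancy_s(rtu.status_points * BYTES_PER_STATUS, ch) / rtu.status_scan_s
    analog = poll_occupancy_s(rtu.analog_points * BYTES_PER_ANALOG, ch) / rtu.analog_scan_s
    control = poll_occupancy_s(rtu.control_bytes, ch) * rtu.control_cmds_per_s
    return n_rtus * (status + analog + control)


def rtus_per_channel(rtu: RtuProfile, ch: Channel, max_rtus: int = 1000) -> int:
    """Largest RTU count whose routine utilization stays at or below the band's upper limit."""
    _, upper = UTILIZATION_BAND[ch.kind]
    n = 0
    while n < max_rtus and utilization(rtu, ch, n + 1) <= upper:
        n += 1
    return n


def within_band(rtu: RtuProfile, ch: Channel, n_rtus: int) -> bool:
    """True when the channel is neither under- nor over-loaded per clause 9.7."""
    lower, upper = UTILIZATION_BAND[ch.kind]
    return lower <= utilization(rtu, ch, n_rtus) <= upper


if __name__ == "__main__":
    rtu = RtuProfile(status_points=64, analog_points=16, status_scan_s=2.0, analog_scan_s=10.0)
    for ch in (Channel("serial", 9600, 0.05), Channel("ip", 1_000_000, 0.02)):
        n = rtus_per_channel(rtu, ch)
        print(f"{ch.kind}: {n} RTUs at {utilization(rtu, ch, n):.1%} utilization")
```

Because the round trip delay is added to every poll regardless of payload, a slow link with many small status polls is dominated by latency rather than by byte count, which is the effect the note's "number of nodes" and "intermediate nodes" factors describe.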

9.8 SCADA system components utilization, such as memory, disk space, CPU
loading, disk access shall not exceed 30% under normal conditions for the
system size and the future expansion requirement specified in the project
functional specification document.

9.9 The system shall be able to fully process a continuous alarm throughput of
50 alarms per second for at least 60 seconds on receipt of the alarms at the host.

9.10 PAS server and workstation operating systems should be configured to capture
all necessary systems related events to detect performance and availability
related information.
• System alarms and failures
• CPU utilization
• Memory utilization
• IO rates (i.e., physical and buffer) and device utilization
• File store utilization (e.g., disks, partitions, segments)
• Applications
• Databases (e.g., utilization, record locks, indexing, contention)
• Network utilization (e.g., transaction rates, error and retry rates)
• Response time for SCADA System and application transaction

10 Telecommunications

10.1 Communications Interface and Connectivity

10.1.1 Industrial Ethernet using a self healing ring configuration topology
shall be used for all new wired SCADA communication connectivity
architecture.

10.1.2 Industrial Ethernet Switches shall be used to expand existing
installation of Fiber Optics communication networks.

10.1.3 If Peer to Peer Communications between ESD systems is required,
the network design shall follow the requirements outlined in
34-SAMSS-623.

10.2 Communication Channels

10.2.1 The communication Data link shall be logically segregated from any
other services such as Voice, CCTV and all other IT services.
Segregation at the SCADA Host level should be done using separate
Network cards and switches.

10.2.2 In cases where the RTU protocol supports exception polling, the
communication software shall make use of it to optimize data
communication throughput and to provide rapid alarm throughput and
capture of multiple, rapid succession alarms.

10.2.3 When IP based data communication is used, the SCADA Host station
communication subsystem shall include functionality to limit the
number of open communication ports. Number of open
communication ports shall not degrade the overall system performance.

10.2.4 SCADA communication channels should be available to the RTU
continuously and without change to message routing to achieve
adequate system response time.

10.2.5 The system shall verify the operation and periodically test and validate
the integrity of the primary and backup communication ports and the
communication channels and shall alarm on any failure. Availability
of the failed channel shall be checked using retries at least once every
minute.

10.2.6 The system shall alarm when any RTU fails to respond to a message
after three unsuccessful retries.

10.2.7 The system shall be configured to generate an alarm when
communications error rates exceed a predetermined limit.

10.2.8 The communication facility shall provide bidirectional data transfer
with maximum bit error rate (BER) of 10^-7 for wired links. For
wireless communication a bit error rate (BER) of 10^-6 is acceptable.

10.2.9 The SCADA system shall be configured to collect and historize critical
communications statistics covering the health and performance of each
communication channel for each RTU connected to the system. A
communications overview display shall be built to enable engineers to
quickly ascertain the health of the overall communications network.

10.3 Telecommunications Channels Redundancy

10.3.1 Redundant network interface in the RTU is generally not required.
However, for applications where alternate communication route is
required per the FSD, i.e., wired and wireless, the SCADA Host shall
monitor the availability of both data channels.

10.3.2 When the SCADA Host declares any of the two communication
channels inoperative or marginal, it should discontinue its use, issue an
appropriate alarm to the local operator, and transmit all subsequent
messages on the alternate channel.
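Clauses 10.2.5 through 10.2.7, 10.3.2 and 10.4.1 describe one supervisory loop around every communication channel. The block below is an added example, not code from the standard or any SCADA host product, that implements that loop: each message is retried up to three times, an RTU that still does not answer raises an alarm, recoverable and unrecoverable errors are counted per channel for historization, an error rate above a configured limit raises an alarm, a channel declared inoperative is taken out of service with further traffic sent on the alternate channel, and a failed channel can be retested and restored. The transport function, channel names and the error-rate limit are constructed.

```python
"""Communication channel supervision drawn from clauses 10.2.5 to 10.2.7,
10.3.2 and 10.4.1. Added example; the transport function, channel names and
error-rate limit are constructed."""
from typing import Callable

MAX_RETRIES = 3                 # clause 10.2.6: alarm after three unsuccessful retries


class ChannelStats:
    def __init__(self, name: str, error_rate_limit: float):
        self.name = name
        self.error_rate_limit = error_rate_limit   # clause 10.2.7 predetermined limit
        self.attempts = 0           # every transmission attempt
        self.failed_attempts = 0
        self.recoverable = 0        # message succeeded only after a retry (10.4.1)
        self.unrecoverable = 0      # message failed after all retries (10.4.1)
        self.operative = True
        self.rate_alarmed = False

    def error_rate(self) -> float:
        return self.failed_attempts / self.attempts if self.attempts else 0.0


class ScadaHost:
    def __init__(self, primary: str, alternate: str, send: Callable[[str, str], bool],
                 error_rate_limit: float = 0.10):
        self.channels = {n: ChannelStats(n, error_rate_limit) for n in (primary, alternate)}
        self.order = [primary, alternate]
        self.send = send            # send(channel, rtu) -> True on a good response
        self.alarms = []
        self.history = []           # (channel, recoverable, unrecoverable) snapshots

    def _transmit(self, ch: ChannelStats, rtu: str) -> bool:
        for attempt in range(1 + MAX_RETRIES):
            ch.attempts += 1
            if self.send(ch.name, rtu):
                if attempt:
                    ch.recoverable += 1
                return True
            ch.failed_attempts += 1
        ch.unrecoverable += 1
        return False

    def _declare_inoperative(self, ch: ChannelStats, reason: str) -> None:
        # Clause 10.3.2: stop using the channel, alarm, move traffic to the alternate.
        if ch.operative:
            ch.operative = False
            alt = next((n for n in self.order if n != ch.name and self.channels[n].operative), None)
            self.alarms.append(f"channel {ch.name} inoperative ({reason}); "
                               f"switching to {alt or 'no alternate'}")

    def _check_error_rate(self, ch: ChannelStats) -> None:
        if not ch.rate_alarmed and ch.error_rate() > ch.error_rate_limit:
            ch.rate_alarmed = True
            self.alarms.append(f"channel {ch.name} error rate {ch.error_rate():.0%} exceeds limit")

    def poll(self, rtu: str) -> bool:
        """Acquire from one RTU over the first operative channel, failing over if needed."""
        for name in self.order:
            ch = self.channels[name]
            if not ch.operative:
                continue
            if self._transmit(ch, rtu):
                self._check_error_rate(ch)
                return True
            self.alarms.append(f"RTU {rtu} failed to respond after {MAX_RETRIES} retries on {name}")
            self._declare_inoperative(ch, "no response")
        return False

    def retest(self, name: str, rtu: str) -> bool:
        """Clause 10.2.5: periodic retry of a failed channel; restore it when it answers."""
        ch = self.channels[name]
        if not ch.operative and self.send(ch.name, rtu):
            ch.operative = True
        return ch.operative

    def historize(self) -> None:
        """Clause 10.4.1: store the per-channel error counts in the history file."""
        for ch in self.channels.values():
            self.history.append((ch.name, ch.recoverable, ch.unrecoverable))
```

The error-rate alarm is latched per channel so a marginal link produces one alarm rather than one per poll; the retest path is what lets a channel that has been declared inoperative return to service without operator intervention once it answers again.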

10.4 Network Management

10.4.1 Recoverable and unrecoverable communications errors shall be
counted by the system for each communications channel and stored in
a history file.

10.4.2 A graphical display shall be provided to show the health status of the
Network infrastructure devices such as switches, routers, and gateways.

11 External Interfaces

11.1 Configuration and implementation of the interface between SCADA Network and
corporate network shall comply with the following in addition to SAES-Z-010,
'Process Automation Network' requirements.

11.2 Communication software components and/or communication drivers required to
interface with the RTU shall be included in the SCADA server.

11.3 OPC usage shall be limited between the SCADA LAN components to exchange
data between the SCADA system and other application, such as DAHS.

11.4 OPC server and client shall conform to OPC Data Access (DA) and OPC
Historical Data Access (HDA) latest specification as minimum.

11.5 Software and/or Hardware gateways such as communication protocol converter
to OPC shall not be used.

11.6 Data exchange, read and write, with other plant process automation systems
shall be through industry standard interface.

11.7 Failures of external systems shall be logged and shall not degrade internal
communications.

11.8 Interface between Intelligent Electronic Devices (IEDs) and/or I-Field surface
units shall use standard Ethernet port communication using standard open
protocol. Standard RS-232/485 Serial interface may be used if the slave device
is not equipped with Ethernet port.

11.9 The control system communication to Corporate Wide Area Network and other
non-control computer systems shall be designed to ensure that failure, request
for information shall not create network loading problem or impact the
performance and availability of the SCADA System.

11.10 Integration to software packages such as process simulator, leak detection, etc.,
shall be through middleware as per 23-SAMSS-060.

11.11 When Serial Terminal Servers are required to connect the RTUs to the SCADA
LAN, the Terminal Server implementation shall comply with the following:
• The terminal servers shall be provided in redundant configurations where
each terminal server shall be connected to a Local Area Network (LAN) in a
redundant LAN configuration.
• The terminal servers shall be modular and easily expandable.
• The terminal servers shall block endlessly transmitted packets generated by a
faulty device and shall not cause network jamming or degradation of the system.
• The RS-232/485 serial data ports provided by the terminal servers shall be
capable of two-way serial communications.

12 Display Design Philosophy

12.1 When designing operator displays, a consistent approach shall be used for the
appearance (look-and-feel) and functionality. Highly animated objects that may
inadvertently divert the operator from important process information shall be
avoided.

12.2 The design approach shall include a standardized approach for the entire facility:
• Layout - line sizes, equipment representation, orientation, fonts, titles,
etc.
• Data representation - process values and alarms.
• Color choices - process lines, control lines, process equipment, titles, etc.
• Display access and navigation
• How options are chosen via switches
• How control strategies are commissioned and de-commissioned
• How status pairs are defined (on/off, open/closed, start/stop, etc.)
• Control modes (manual/auto/computer etc.), either by color or by a small
text next to the controller.
• Data validity (invalid, out-of-range, unknown status) by color change.

12.3 Operator Interface

12.3.1 Operators shall be able to easily access specific displays and graphics
by selecting from a list of displays in directories or menus, or by typing
display or graphic names.

12.3.2 A link shall be provided to move between related displays and graphics
with different detail levels or of the same detail level.

12.3.3 Invalid values shall be highlighted with different color. Invalid value
can be out of range, no communication, etc.

12.3.4 Each display or graphic shall have a dedicated alarm zone which shall
display, as a minimum, the three most recent alarms.

12.3.5 Graphics design shall maximize the use of single display with several
layers, such that the layers disappear/reappear (declutter/clutter)
automatically depending on the level of magnification.

12.3.6 The operator interface shall utilize a windowing graphical user
interface (GUI) environment such as Microsoft Windows, making
extensive use of mouse point-click-drag functions, pull-down menus
and interactive dialog boxes.

12.3.7 The operator interface software shall provide a graphical view of the
system, arranged schematically or geographically as defined by the
user.

12.3.8 The displays shall contain static graphical information, as well as
dynamic elements that reflect the information contained in the host
computer's database. Database point values displayed by such
dynamic elements may be either telemetered from RTUs or calculated
by the host server.

12.3.9 Operator interaction with database points shall be by means of clicks of
the mouse on the dynamic display elements. This will include
operations such as controlling field devices, setting database values,
e.g., manual updates, acknowledging or blocking alarms and tagging
data points to inhibit control.

12.3.10 The user shall be able to use elements on the display as pushbuttons to
initiate pre-defined actions. These shall include, as a minimum, the
ability to:
• bring up pop-up notes
• bring up trend graphs
• bring up other displays
• bring up Microsoft Excel or Access based reports
• run command sequences
• access records in other databases

12.3.11 The user shall be able to define any number of displays. The operator
shall be able to go to a display by means of either a pushbutton or by
selection from a list. To facilitate navigation through the list of
displays, it shall be possible to organize the list in a hierarchical set of
named folders.

12.3.12 The Human Machine Interface (HMI) provides the operator interface
and visualization tools of the system via single or multiple monitor
displays. Fully configurable HMI screens and displays provide a
realistic plant representation (dynamic and background).

12.3.13 The operator shall be able to:
• Access data stored in the real-time and historical databases.
• Issue and monitor supervisory controls.
• Use the administrative displays to perform managerial functions.
• Activate the Database Configuration and other utilities.

12.3.14 The following types of displays shall be provided for use by the
operators:

a) Single Line Display shall consist of the user's process equipment
and pipelines network with the current analog values and status
of devices superimposed on the map. The display(s) shall allow
the operator to select displayed objects in order to issue or inhibit
controls, acknowledge or block alarms, or modify operating
parameters such as limits.

b) Alarm Summary Display shall show a user-customizable list of
alarms that are in the system. The operator shall have the ability
to acknowledge and/or block alarms and to control the operation
of the audible alarm. This display shall be configurable by the
operator by means of filtering by station, zone of responsibility,
alarm priorities, chronological or reverse chronological order,
typeface and size of text, blocked alarms, any combination of
active, cleared, acknowledged or unacknowledged alarms.

c) Operator Summary Display shall show the operations messages
that have been logged by the system. This display shall be
configurable by the operator by means of filtering by alarm
priority, station, zone of responsibility, specific database points,
time range, typeface and size of text.

d) Tabular Data Display shall list the status and analog points by
station and system wide. The information shown on this display
shall include the point names, descriptions, current values and
quality codes and other parameters from the database, e.g.,
transition counts and alarm limits. This display shall be used for
operation and control in the sense that from this display, the
operator can perform point operations such as control, tag, alarm
acknowledge or block, as well as modify operating limits and
reset transition counts.
Single Line display(s)

12.4 Navigation through Displays

12.4.1 Any graphic display shall be accessible via no more than three operator
actions.

12.4.2 When a graphic display has an associated primary control display, e.g.,
a group display, the graphic shall have a target that immediately calls
up the associated control display. This target shall be located in the
same location on every graphic that uses this feature.

12.4.3 When using a windows environment consideration must be given to
prevent the Operator from opening too many windows and potentially
masking important process information.

12.5 General Operator Graphics Requirements

12.5.1 All graphics shall include graphics title, Date & Time and graphics
Description at standard locations.

12.5.2 Process and control line crossovers shall be minimized. Line breaks
shall be used to indicate that crossing lines do not join.

12.5.3 Main process lines for each graphic shall be bold with secondary lines
being of finer width.

12.5.4 Process lines shall either be drawn horizontally or vertically.

12.6 Faceplates

12.6.1 Faceplates shall show dynamic process and status information about
process elements such as a single control loop, pump, MOV, etc.

12.6.2 Faceplates shall be provided as separate displays or as graphic
elements. If separate faceplate displays are provided, they shall be
accessible for any tag on a graphic display with a maximum of two
operator actions.

12.6.3 Faceplates shall display the Tag ID, Tag descriptor, Process input,
setpoint, output values displayed numerically with engineering units
and in bar graph representation, Auto/manual mode and remote/local
setpoint status, Visual indication for alarm status (including alarm
inhibited or disabled), Symbolic and alphanumeric indication of
discrete states both for two state devices and multi-state devices.

12.7 Operator Graphics

12.7.1 All control, monitoring, and status attributes of any tag shall be
displayable on graphics. For analog points, this requirement includes
measurement, setpoint, span, alarm limits, and output. For digital
points, this requirement includes input and output status. Status
information includes alarm status, control mode, and control status.

12.7.2 The format of numeric data shall have the capabilities to display
numeric data in formats ranging from a single digit to 8 digits (not
including the sign or decimal place), and from 0 to 5 decimal places.
The numeric formatting shall be configurable on an individual basis.

12.7.3 Each state of a multi-state device shall be indicated by a unique
foreground/background color combination.

12.8 Trend Displays

12.8.1 Option to trend both real-time and historical data in the same trend
shall be provided.

12.8.2 All operator workstations shall be capable of displaying trends.

12.8.3 Trends shall be provided in adjustable window size, which could be
full, half screen size, etc.

12.8.4 Text accompanying the trend shall show the following for each tag: tag
ID, minimum scale value, maximum scale value, engineering units,
and current value.

12.8.5 The time periods and process value scales available for trend displays
shall be selectable.

12.8.6 Real time trends shall be updated every two seconds with actual
process data.

12.8.7 A real time trend feature shall be provided to make it possible for an
operator to initiate a real time trend for any process tag or calculated
variable, including both analog and digital types.

12.8.8 Option shall be provided to initiate historical trend displays for any
process tag or calculated variable that has been stored in either the on-
line history or off-line history media, including both analog and digital
types.

12.8.9 Scale and time span adjustment shall be provided on trend displays.

12.9 Diagnostic Displays

12.9.1 Dynamic Communications Overview display shall be provided to show
the status of the communication system and its components including
but not limited to communication servers, communication channels,
routers, terminal servers, and externally connected devices, i.e., RTUs,
PLCs, DCSs, or other systems.

12.9.2 Diagnostic displays shall be provided to show the operational status
and error conditions for all system components.

12.9.3 On-line and off-line diagnostics shall be provided to assist in system
maintenance and troubleshooting. Diagnostics shall be provided for
every major system component and peripheral. If diagnostics do not
exist for particular peripheral devices (for example printers and
terminals), the system must detect and provide an error indication for
the failure of these devices. The manufacturers' diagnostic tools should
be utilized for troubleshooting OEM hardware.

12.9.4 On-line displays shall indicate the results of self-diagnostic tests.
Failure diagnosis shall be sufficiently specific to indicate which printed
circuit boards, modules, or devices are at fault. The displays shall be
designed to help maintenance and engineering personnel diagnose
faults in the system and communications paths. Each category of
diagnostic display shall be organized hierarchically.

12.9.5 Communications diagnostic displays shall show errors for each of the
redundant paths.

12.9.6 System displays shall be provided for cabinet temperature alarms and
system power faults.

12.10 Data Quality

The system shall display data quality indications for analog value and status
point indication. These shall include the following as a minimum:
a) Telemetry failed (value was not reported last scan).
b) Manually set
c) Calculated from manually set data.
d) Alarm blocked for analog points with alarm settings.
e) Digital and analog output Marked Interlocked

12.11 Marked Tag Management

12.11.1 When a controlled device or a line fed by a controlled device requires
maintenance, it is required that the system provide a facility for
limiting control of that device. The system shall allow operators to
inhibit control of devices by means of a secure, multi-level marking
feature.

12.11.2 Each point shall be able to be provided with a visual attribute showing
that the point has one or more tags on each display where that point is
shown.

12.11.3 The system shall permit no means of bypassing the control inhibit
caused by a mark. This applies to any and every application supplied
by the vendor or written by the user using the vendor's API.

12.11.4 A group mark function shall be provided that allows an operator to
define a marked point, select multiple points and apply the same
marking to all selected points.

12.12 Control Functions

The operator shall be able to perform all the basic monitoring and control
functions from graphic displays. These functions shall include, but not be
limited to, changing process variables, alarm logs, set-points, switching control
modes, manually driving outputs, or initiating maintenance bypasses for input
points.

12.13 Reports

12.13.1 Out-of-range and unknown status inputs and associated calculated
blocks shall be flagged by a special character such as a question mark
or other reserved symbol. Numerical values shall not be used.

12.13.2 The default location for the report printouts shall be the operator
console from which the report was requested.

12.13.3 Reports shall be configured to be activated on Demand (operator
request), Scheduled (shift, daily and monthly) and/or on Event.

12.13.4 The system shall include dedicated printers for reports only.

13 Security And System Access

13.1 SCADA System Isolation

13.1.1 The SCADA system LAN shall be isolated from the internet and the
corporate network through the use of firewall with Demilitarized Zones
(DMZ) architecture as minimum.

13.1.2 All traffic between the corporate network and the SCADA System shall
terminate at the DMZ. The firewall shall provide dedicated interfaces for
the corporate network separate from the dedicated interfaces to the
SCADA LAN.

13.1.3 Data Historian shall be placed in the DMZ where it shall interface with
a Historian data collector installed on the SCADA LAN.

13.1.4 Firewall configuration and rule setting shall be implemented in
accordance to SAER-6123.
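The isolation requirements of 13.1 are the kind of statement that can be checked mechanically against a firewall rule table before it is deployed. The block below is an added example, not code from the standard or from any firewall vendor, and it reproduces only what this section states: no allow rule may carry traffic directly between the corporate network and the SCADA LAN (everything terminates in the DMZ), each side must enter the firewall on its own dedicated interface, the only SCADA-initiated flow into the DMZ is the historian collector feeding the historian, wide-open allows are flagged, and the table must end in a default deny. The rule format, the zone and interface names and the historian port are assumptions; the detailed rule requirements of SAER-6123 are not reproduced here.

```python
"""Audit of a firewall rule table against the isolation architecture of
clause 13.1. Added example; the rule format, zone names, interface names and
the historian port are assumptions, not values from the standard."""
from dataclasses import dataclass

# Clause 13.1.2: dedicated firewall interfaces per side (interface names assumed).
ZONE_INTERFACE = {"CORP": "eth_corp", "DMZ": "eth_dmz", "SCADA": "eth_scada"}
# Clause 13.1.3: the DMZ historian is fed by a collector on the SCADA LAN (port assumed).
HISTORIAN_PORT = 5450


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    in_if: str            # firewall interface the traffic arrives on
    proto: str            # e.g. "tcp"; "any" for the default rule
    dport: int            # destination port, 0 = any port
    action: str           # "allow" or "deny"


def audit(rules) -> list:
    """Return findings against clause 13.1; an empty list means none were found."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        # 13.1.1 / 13.1.2: nothing crosses CORP <-> SCADA without terminating in the DMZ.
        if {r.src_zone, r.dst_zone} == {"CORP", "SCADA"}:
            findings.append(f"rule {i}: direct {r.src_zone}->{r.dst_zone} traffic bypasses the DMZ")
        # 13.1.2: each side's traffic must arrive on that side's dedicated interface.
        expected_if = ZONE_INTERFACE.get(r.src_zone)
        if expected_if and r.in_if != expected_if:
            findings.append(f"rule {i}: {r.src_zone} traffic accepted on {r.in_if}, expected {expected_if}")
        # An allow for any port undoes the isolation the firewall is there to provide.
        if r.dport == 0:
            findings.append(f"rule {i}: {r.src_zone}->{r.dst_zone} allows any port")
        # 13.1.3: SCADA LAN initiates into the DMZ only to feed the historian.
        if r.src_zone == "SCADA" and r.dst_zone == "DMZ" and r.dport != HISTORIAN_PORT:
            findings.append(f"rule {i}: SCADA->DMZ flow on port {r.dport} is not the historian collector")
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src_zone, last.dst_zone) != ("ANY", "ANY"):
        findings.append("table does not end with a default deny")
    return findings


# Constructed sample tables.
GOOD_TABLE = [
    Rule("SCADA", "DMZ", "eth_scada", "tcp", HISTORIAN_PORT, "allow"),  # collector -> historian
    Rule("CORP", "DMZ", "eth_corp", "tcp", 443, "allow"),              # corporate users read the DMZ
    Rule("ANY", "ANY", "any", "any", 0, "deny"),                       # default deny
]
BAD_TABLE = [
    Rule("CORP", "SCADA", "eth_corp", "tcp", 3389, "allow"),   # straight into the SCADA LAN
    Rule("SCADA", "CORP", "eth_dmz", "any", 0, "allow"),       # wrong interface, any port, no DMZ
]

if __name__ == "__main__":
    print("good table:", audit(GOOD_TABLE) or "no findings")
    for finding in audit(BAD_TABLE):
        print("bad table:", finding)
```

Running the audit as part of change control gives a repeatable record that a proposed rule change still satisfies 13.1 before it reaches the firewall; the same checks can be extended with the site-specific rules that SAER-6123 adds.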

13.2 Access Control

13.2.1 Access to SCADA Systems shall be restricted only to person(s) with
legitimate business requirements.

13.2.2 User access to a system shall be restricted by means of User IDs and
Passwords or other suitable technologies for identification and
authentication of users.

13.3 User Roles

13.3.1 User Roles shall be created to facilitate application of individual user
access privileges based on the user role or user group to which they are
assigned.

13.3.2 The following user roles shall be configured as a minimum.
Additional user roles may be created based on the particular needs of
the facility:

a) Process Operator: This user role shall be configured to provide
access privileges for process operators and control board
operators. Access privileges shall be defined to enable
monitoring and control of equipment located within specific
process area(s) to which the role is associated. Monitoring of
other process areas without the ability to control these areas is
permissible. View-only access to function block parameters such
as alarm limits and tuning parameters shall also be granted.

This role shall have a restricted user profile so that a user will not
be able to install programs or change software configuration,
access floppy disk or CD drives, or any removable media.

Commentary Note:

It may be necessary to define multiple Process Area Operator
User Roles. Each process area in a plant will typically have a
separate user role. Access to control functions from the
SYSTEM will be limited to those process areas associated with
the specific user role.

b) Process Area Supervisor: This user role shall include all of the
privileges assigned to the area process operator. In addition, any
requirements for special authority commands required for control
of the process area shall be granted to the Process Area
Supervisor role.

c) Maintenance Engineer/Technician: This user role shall provide
access to system and instrument diagnostic and troubleshooting
tools. Access to utilities required for backup and restore of
system information shall also be granted. Other privileges
required to enable maintenance functions (such as replacement of
failed components) shall also be granted as required. View-only
or monitoring-only access to process graphics and function block
parameters shall also be granted.

d) Process Engineer: This user role is used to grant access
privileges for process engineers associated with a particular
process area. Access privileges required for monitoring and
control of equipment associated with the particular process area to
which the role is associated shall be granted. Access privileges
required to modify function block parameters (such as alarm
limits and tuning constants) shall also be granted. Read-write
privileges for function block parameters shall be limited to those
function blocks associated with the particular plant area to which
the role is associated.

e) System Engineer: This user role shall be used to grant access
privileges to persons responsible for the configuration and
maintenance of the system. Access privileges required to
perform functions necessary for the configuration and support of
the system shall be granted. Permission to modify user role
privileges, user accounts and passwords shall not be granted.

f) System Administrator: This user role shall provide access to the
entire system. Assignment of users to this role shall be restricted
to a limited number of highly trusted and competent employees.
This role shall also contain privileges necessary for configuration
of user role privileges and assignment of users to particular user
roles. The role shall contain privileges necessary to administer
individual user IDs and passwords as well as system and
application user IDs and passwords. The role shall provide access
to utilities required for monitoring and auditing of system access
activities.

g) View Only: This user role shall be used to provide monitoring
only access of all process areas within the plant. Access to
graphics which are specifically required for control operations
(such as controller faceplates) shall be restricted. Access to
system diagnostics, maintenance and configuration utilities shall
also be restricted.
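The role scheme of 13.3.2 is, in effect, an area-scoped access-control matrix, and writing it down as one makes the boundaries between roles checkable. The Python example below is added here and is not part of the standard; the privilege names and the exact privilege set behind each role (for instance giving the Process Operator plant-wide viewing, which 13.3.2 a) only permits) are assumptions made to illustrate the text.

```python
"""Area-scoped role-based access control modelled on the SCADA user roles of
SAES-Z-004 13.3.2 a) to g) and the role-inheritance rule of 13.4.4.
Added illustration, not the standard's own code: privilege names and the exact
privilege set behind each role are assumptions made for this example.
"""
ANY = "*"   # marks a privilege that is not limited to one process area

# Area-scoped privileges
VIEW, FACEPLATE, CONTROL, SPECIAL, FB_READ, FB_WRITE = (
    "view_graphics", "control_graphics", "control", "special_command",
    "fb_param_read", "fb_param_write")
# Plant-wide privileges
DIAG, BACKUP, CONFIGURE, MANAGE_USERS, AUDIT = (
    "diagnostics", "backup_restore", "configure_system", "manage_users",
    "audit_access")


def role_grants(role, areas=()):
    """Return the frozenset of (privilege, area) pairs a role confers.

    `areas` lists the process area(s) the role is associated with; privileges
    that are not area-limited are recorded against ANY.
    """
    def scoped(*privs):
        return {(p, a) for a in areas for p in privs}

    def plant(*privs):
        return {(p, ANY) for p in privs}

    if role == "process_operator":         # a) control own area(s); may monitor all
        return frozenset(plant(VIEW) | scoped(FACEPLATE, CONTROL, FB_READ))
    if role == "process_area_supervisor":  # b) operator privileges plus special commands
        return role_grants("process_operator", areas) | scoped(SPECIAL)
    if role == "maintenance":              # c) diagnostics and backup; monitoring only
        return frozenset(plant(DIAG, BACKUP, VIEW, FB_READ))
    if role == "process_engineer":         # d) control and parameter writes in own area(s)
        return frozenset(scoped(VIEW, FACEPLATE, CONTROL, FB_READ, FB_WRITE))
    if role == "system_engineer":          # e) configure/support; no account management
        return frozenset(plant(CONFIGURE, DIAG, BACKUP))
    if role == "system_administrator":     # f) entire system incl. user administration
        return frozenset(plant(VIEW, FACEPLATE, CONTROL, SPECIAL, FB_READ, FB_WRITE,
                               DIAG, BACKUP, CONFIGURE, MANAGE_USERS, AUDIT))
    if role == "view_only":                # g) monitoring only; no faceplates or utilities
        return frozenset(plant(VIEW))
    raise ValueError(f"unknown role: {role!r}")


class AccessControl:
    """Users hold no privileges of their own; they inherit their role's (13.4.4)."""

    def __init__(self):
        self._grants = {}

    def assign(self, user_id, role, areas=()):
        self._grants[user_id] = role_grants(role, areas)

    def is_permitted(self, user_id, privilege, area=ANY):
        grants = self._grants.get(user_id, frozenset())
        return (privilege, ANY) in grants or (privilege, area) in grants
```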

13.4 User Accounts

13.4.1 Each User shall be assigned a unique User ID. All GUEST user
accounts shall be disabled on the system.

13.4.2 Where applicable, all individual User ID formats should conform to
corporate guidelines as highlighted in Section 11.1.1.3.6 "USER ID
CONSTRUCTION" in IPSAG-007.

13.4.3 Systems capable of displaying a warning banner, upon logon, shall be
configured to display the following text: "This Computer is for
Company business use only. This system may be monitored as
permitted by law. Unauthorized use may result in criminal
prosecution, termination or other action". For operator consoles, a
printed sticker may alternatively be used.

13.4.4 Users shall be granted access privileges by assigning the user to a User
Role applicable to their particular job function. Access privileges
which have been defined for that User Role shall be inherited by the
User.

13.4.5 The system shall be configured to require an individual User ID and
password for authentication purposes prior to being allowed access to
any station connected to the system with the exception of the operator
workstations located within operator consoles in the Central Control
Room (CCR) only.

13.4.6 Operator workstations located within operator consoles in the CCR can
be configured with a common 'CONSOLE XX' operator account. This
account can be shared by individuals assigned to the particular console
only. These accounts shall not be valid on any other stations connected
to the system.

13.5 User Account Passwords

13.5.1 Every User ID shall have an individual password.

13.5.2 The system shall be configured to require a minimum password length
of eight characters.

13.5.3 Passwords shall be transmitted and stored in encrypted format.

13.5.4 The system shall be configured to enforce password uniqueness.
A minimum of three unique passwords must be entered before a
password can be re-used.

13.5.5 Password Construction

The system shall be configured to enforce password complexity rules.

13.5.5.1 Easily guessable passwords must be avoided at all times.
As a minimum a password must be constructed as follows:

13.5.5.2 A password must contain at least two of the following four
characteristics:

- Lower case characters a-z
- Upper case characters A-Z
- Digits 0-9
- Punctuation characters e.g., ! @ # $ % ^ & *, etc.

13.5.6 Management of passwords, User IDs and User Role privileges shall be
done via a central server.

13.5.7 The system shall be configured to require passwords to be reset for all
User IDs every six months.

13.5.8 Facilities shall be provided to enable user account passwords to be
changed at any workstation connected to the system. A password
changed at one location shall be automatically updated at all stations
where the account is valid.

13.5.9 The system should issue a password expiration notification to the user
at least 10 days prior to password expiry date.

13.5.10 Passwords shall be masked on the screen while being entered.

13.5.11 User account passwords shall not be stored electronically in
unprotected files.

13.5.12 In order to change user account passwords, users should always be
required to provide both their old and new passwords, if supported by
the system.
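The password requirements of 13.5 (minimum length, character classes, re-use history, six-month ageing, expiry notice, and old-plus-new password on change) interact, so it helps to see them enforced as one policy. The Python example below is added here and is not the standard's code; it assumes a salted PBKDF2 digest as the non-recoverable stored form (the standard only requires that passwords are never stored or transmitted unprotected) and approximates six months as 182 days.

```python
"""Password handling modelled on SAES-Z-004 13.5.2 (length), 13.5.4 (history),
13.5.5 (complexity), 13.5.7 (six-month ageing), 13.5.9 (expiry notice) and
13.5.12 (old and new password required).  Added illustration, not the
standard's own code.  Storing a salted PBKDF2 digest is this example's
choice of a non-recoverable stored form.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8                  # 13.5.2
MIN_CLASSES = 2                 # 13.5.5.2: at least two of the four classes
HISTORY_DEPTH = 3               # 13.5.4: three unique passwords before re-use
MAX_AGE = timedelta(days=182)   # 13.5.7: six months, approximated in days
NOTICE_DAYS = 10                # 13.5.9: warn at least 10 days before expiry

CHARACTER_CLASSES = (
    set(string.ascii_lowercase),   # a-z
    set(string.ascii_uppercase),   # A-Z
    set(string.digits),            # 0-9
    set(string.punctuation),       # ! @ # $ % ^ & * and the rest
)


def check_complexity(password):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in password))
    if used < MIN_CLASSES:
        problems.append(f"uses {used} character class(es), {MIN_CLASSES} required")
    return problems


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Holds only salted digests of the current and recent passwords."""

    def __init__(self, user_id, password, today):
        problems = check_complexity(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.user_id = user_id
        self.history = []          # (salt, digest) of the last HISTORY_DEPTH passwords
        self.changed_on = None
        self._store(password, today)

    def _store(self, password, today):
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(password, salt))])[-HISTORY_DEPTH:]
        self.changed_on = today

    def verify(self, password):
        salt, digest = self.history[-1]
        return hmac.compare_digest(digest, _digest(password, salt))

    def change_password(self, old, new, today):
        """Apply 13.5.12, 13.5.5 and 13.5.4 in turn; return 'ok' or the reason refused."""
        if not self.verify(old):
            return "old password incorrect"
        problems = check_complexity(new)
        if problems:
            return "; ".join(problems)
        if any(hmac.compare_digest(d, _digest(new, s)) for s, d in self.history):
            return f"matches one of the last {HISTORY_DEPTH} passwords"
        self._store(new, today)
        return "ok"

    def expiry_notice(self, today):
        """13.5.9: a warning once within NOTICE_DAYS of the six-month expiry, else None."""
        days_left = (self.changed_on + MAX_AGE - today).days
        if days_left <= NOTICE_DAYS:
            return f"{self.user_id}: password expires in {max(days_left, 0)} day(s)"
        return None
```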

13.6 Application and System Accounts and Passwords

13.6.1 Application Accounts may require the account name and/or passwords
to be hardcoded into startup scripts. Passwords used for Application
Accounts shall not be stored in un-encrypted format. Passwords used
for Application Accounts are excluded from the six month password
aging policy described above.

13.6.2 System Accounts require special consideration and shall be managed
by the system administrator. System Account default passwords shall
be changed prior to commissioning the system. System account
passwords shall not be stored in un-encrypted format and shall be
excluded from the six month password aging policy described above.

13.7 Anti-Virus Protection

13.7.1 Anti-virus definition files shall be updated on all SCADA servers and
stations via a centralized server on the PAN.

13.7.2 Vendor approved Anti-virus software shall be installed and configured
on all Windows based SCADA workstations and servers.

13.7.3 Anti-Virus software packages from McAfee or Norton are highly
recommended.

13.7.4 SCADA equipment shall have Anti-virus software installed with the
latest vendor approved software versions and virus definition files.

13.7.5 Anti-virus software shall be configured according to vendor
procedures, including the different configuration options within the
scanning software such as:

13.7.5.1 On-Access Scanning

13.7.5.2 Full Scanning

13.7.5.3 Buffer Overflow Protection

13.7.5.4 Directories to be excluded from scanning

13.8 Operating System Software and Vendor Software Patch Management

13.8.1 The vendor's recommended procedures for the upgrade of OS software
and patch installation shall be followed.

13.8.2 Access privileges for the upgrade of OS software and OS patch
installation shall be assigned to the SCADA System Administrator only.

13.8.3 OS software and patches shall not be installed unless they have been
tested and certified by the vendor as being compatible with the
SCADA System software.

13.8.4 New SCADA Systems shall be deployed with the latest stable vendor
supported operating system security and operational patches.

13.9 If approved by the SCADA System application vendor, audit policies on SCADA
Systems should be configured to capture the following:

13.9.1 SCADA System Audit Policies

13.9.1.1 System Events

13.9.1.2 Account Management

13.9.1.3 Logon Events

13.9.1.4 Privileged activities

13.9.2 SCADA System Logs

13.9.2.1 SCADA Systems shall be configured to log actions
performed by SCADA System administrators and
maintenance personnel.

13.9.2.2 Event logs shall be configured to include user names,
time/date and event type.

13.10 Retention and archival of security audit logs shall be developed in accordance
with Corporate Data Protection and Retention INT-7 policy. The following
requirement should be considered:

13.10.1 The retention period for audit logs shall be set for 3 months as a
minimum.

13.10.2 Minimum storage capacity for logs shall be 500 Gb.

13.11 Security Management Practices

13.11.1 All workstations which are connected to the SCADA system and are
not located on an operator console within the CCR shall be configured
to automatically lock the workstation or switch to "view-only" user
environment after it has been idle for 30 minutes or longer. Password
re-authentication from either the last user or the system administrator
shall be required to unlock the station.

13.11.2 All Workstations, Servers, Remote Terminal Units and networking
equipment, such as switches or hubs, shall be housed in lockable
cabinets or consoles to prevent physical access to the equipment from
unauthorized users.

13.11.3 All unused ports on SCADA Process Control Network equipment shall
be deactivated.

13.11.4 All login events shall be monitored and recorded by the system. Login
events shall be recorded with date and time of login, user account, and
location of login. Records of logins shall be maintained on the system
for a minimum period of six months.

13.11.5 The system shall monitor and record all failed login attempts. If
available, functionality shall be provided to automatically notify the
system administrator after five consecutive failed login attempts have
been exceeded.

13.11.6 Failed login attempts shall not initiate an automatic 'lockout' of the user
account.

13.11.7 The system shall be configured to monitor 'stale' user accounts. Stale
accounts are user accounts which have not been used on the system for
a period of three months or longer. The system shall produce a report
of stale user accounts.
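Clauses 13.11.4 to 13.11.7 together describe a small detection task over the login records the system keeps: count consecutive failures per account and notify the administrator once five are exceeded, never lock the account, and report accounts unused for three months. The Python example below is added here and is not the standard's code; the log line format and the sample events are constructed for this illustration.

```python
"""Login-event monitoring modelled on SAES-Z-004 13.11.4 to 13.11.7: consecutive
failed-login notification (with no automatic lockout) and stale-account reporting.
Added illustration, not the standard's own code; the log line format and the
sample events below are constructed for this example.
"""
import re
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5              # 13.11.5: notify once five consecutive failures are exceeded
STALE_AFTER = timedelta(days=90)  # 13.11.7: unused for three months or longer

# Constructed log format: <ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<id> loc=<station>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<result>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) loc=(?P<loc>\S+)$")


def parse_events(lines):
    """Yield (timestamp, result, user, location) tuples; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["loc"])


def admin_notifications(events):
    """Return one notification per run of failures that exceeds FAILED_THRESHOLD.

    The per-user count resets on a successful login.  The account itself is
    never disabled (13.11.6); notifying the administrator is the only action.
    """
    streak = {}
    notices = []
    for ts, result, user, loc in sorted(events):
        if result == "LOGIN_OK":
            streak[user] = 0
            continue
        streak[user] = streak.get(user, 0) + 1
        if streak[user] == FAILED_THRESHOLD + 1:   # fire once, when the threshold is exceeded
            notices.append(f"{ts.isoformat()} notify admin: {streak[user]} consecutive "
                           f"failed logins for {user} (last from {loc})")
    return notices


def stale_accounts(accounts, events, as_of):
    """Return accounts with no successful login within STALE_AFTER before `as_of`.
    Accounts that have never logged in successfully are reported as stale too."""
    last_ok = {}
    for ts, result, user, _ in events:
        if result == "LOGIN_OK" and (user not in last_ok or ts > last_ok[user]):
            last_ok[user] = ts
    return sorted(u for u in accounts
                  if u not in last_ok or as_of - last_ok[u] >= STALE_AFTER)


# Constructed sample records (13.11.4: date/time, user account and login location)
SAMPLE_LOG = """\
2010-07-01T07:55:00 LOGIN_OK user=aali loc=EWS-01
2010-10-24T08:00:00 LOGIN_FAIL user=jsmith loc=EWS-02
2010-10-24T08:00:20 LOGIN_FAIL user=jsmith loc=EWS-02
2010-10-24T08:00:40 LOGIN_FAIL user=jsmith loc=EWS-02
2010-10-24T08:01:00 LOGIN_FAIL user=jsmith loc=EWS-02
2010-10-24T08:01:20 LOGIN_FAIL user=jsmith loc=EWS-02
2010-10-24T08:01:40 LOGIN_FAIL user=jsmith loc=EWS-02
2010-10-24T08:02:00 LOGIN_FAIL user=jsmith loc=EWS-02
2010-10-24T09:00:00 LOGIN_OK user=jsmith loc=EWS-02
2010-10-25T06:30:00 LOGIN_OK user=mkhan loc=SERVER-A
""".splitlines()

KNOWN_ACCOUNTS = {"aali", "jsmith", "mkhan", "rtuadmin"}   # constructed account list


def run_report(as_of=datetime(2010, 10, 25, 12, 0, 0)):
    """Run both checks over the sample log; returns (notifications, stale accounts)."""
    events = list(parse_events(SAMPLE_LOG))
    return admin_notifications(events), stale_accounts(KNOWN_ACCOUNTS, events, as_of)
```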

13.12 System Recovery Planning

13.12.1 Procedures for incremental and complete Backup and Restore of
SCADA system and data shall be documented for each system at a
particular location.

13.12.2 SCADA Systems shall be configured to automatically backup control
database, system configuration, and other vital information to hard-
drive at a minimum of once per week.

13.12.3 The system shall be configured to maintain a minimum of two sets of
complete backup and recovery data for each workstation, server and
RTU on off-line storage media.

13.12.4 A complete system backup shall be performed on all new installations
of SCADA equipment. This includes operating system and
configuration files.

13.12.4.1 The backup shall be tested and verified.

13.12.4.2 Multiple copies of the backup shall be made.
One copy shall be stored in a secure onsite location and the
other copy shall be maintained at a secure off-site location.

13.12.5 The SCADA System shall be configured to make the backup to a
'separate' hard-drive from the SCADA System being backed up.

13.13 Operating System Hardening

13.13.1 PAS equipment shall be deployed with a vendor supported security
hardened operating system.

13.13.2 The secure configuration baselines shall be thoroughly tested by the
vendor and shall be provided to the SCADA System administrators to
enable them to support and administer the SCADA System
equipment after deployment.

13.13.3 Unused physical ports/interfaces on PAS equipment shall be disabled
prior to commissioning.

13.14 Delegation and Support

13.14.1 A risk assessment, with participation from P&CSD, IT and the Plant
shall precede the official delegation of support responsibilities of
SCADA System components to IT or other support entities.

13.14.2 Any Delegation of support and management responsibility must be
approved by the plant Manager through a Service Level Agreement
(SLA).

13.15 Disposal and Sanitization

Process control equipment that contains data storage shall be sanitized in
compliance with GI-0299.120, when disposed of.

14 Instrument Asset Management System (IAMS)

14.1 An Instrument Asset Management System, either integrated or separate from the
SCADA operator/engineering workstation, shall be provided for device
configuration, documentation, calibration, and diagnostics with all smart field
devices.

14.2 The IAMS software shall communicate to SMART field devices from various
manufacturers.

14.3 Device diagnostics data access shall not impact the timely processing of the
process data.

14.4 The IAMS shall have the following functions and features as a minimum:
a) Automatically and continuously monitor the status, events, and operating
conditions of the field-connected devices without interfering with the
SCADA process data acquisition functionality.
b) Connect and configure instruments and valves online.
c) Valve diagnostic tests shall include dynamic error band, drive signal, output
signal, step response, and signature curve; all shall be presented in
graphical and statistical data format.
d) Access to current device information to determine their health and view of
the process variables.
e) Perform device diagnostics with the results documented in the IAMS.

15 Documentation

15.1 Detailed SCADA/RTU data link analysis and bandwidth calculation and RTU
traffic aggregate showing SCADA data transfer performance shall be performed
for each application. Analysis report shall be provided during the project PDR
phase.

15.2 Standard documentation shall be available on CD-ROM or other electronic
format approved by Saudi Aramco.

15.3 The following documents shall be provided as part of the system documentation
package: Installation Guide, Vendor's Functional Design Standard, Operators
Manual, Engineers Manual, Maintenance Manual, Database Configuration
Manual, Test Procedures and Records, network layout, block diagrams, the
application configuration software, and system standards.

15.4 On-line electronic documentation shall be available and shall include graphics
and text string search.

15.5 The application software written for Saudi Aramco project at Saudi Aramco
expense will be property of Saudi Aramco and source code shall be provided to
Saudi Aramco.

16 Inspection and Testing

16.1 Saudi Aramco Inspection Requirements Form 175-230200 lists all system
components that are subject to verification by Saudi Aramco's inspection
representative.

16.2 Integrated systems that are staged at a vendor's facilities shall be tested
according to Factory Acceptance Test (FAT) procedures produced for each
SCADA project.

16.3 Factory Acceptance Test (FAT) criteria shall be developed by the vendor and
submitted for Saudi Aramco's approval. The FAT shall be structured and
include the requirements of SAEP-1634 Factory Acceptance Test.

16.4 The vendor shall supply a list of all required test tools.

16.5 Site Acceptance Test (SAT) criteria shall be developed by the vendor and
approved by Saudi Aramco. The SAT shall be structured and include the
requirements of SAEP-1638 Site Acceptance Test Plan.

17 System Maintainability

17.1 The system shall be designed such that the user will be able to maintain the
SCADA system with minimum reliance on the vendor's services.

17.2 The system shall include all the necessary software for configuration of the
system and maintenance of the database.

18 Environmental Conditions

18.1 The system shall meet the temperature and humidity requirements as stated in
SAES-J-003.

18.2 The noise levels for all equipment shall be less than or equal to:
- 55 dBA for equipment installed in continuously manned areas.
- 60 dBA for equipment installed in other areas.

18.3 Requirements in this section shall apply to all RTU, Network components and
power supplies housed inside the cabinet.

18.4 All RTU components shall meet the requirements for environmental conditions
specified in this document.

18.5 All SCADA and Networking equipment specified for outdoor installation shall
be designed to operate continuously at the environmental conditions specified by
SAES-J-003.

18.6 Detailed calculations for the maximum temperature rise inside the cabinet and
heat dissipation under worst ambient conditions shall be provided in the PDR
documentation package.

18.7 VENDOR shall provide certification that all system components are rated for
continuous operation at the worst-case temperatures to which they will be
subjected.

18.8 VENDOR shall provide specifications for both normal maximum ambient
conditions and abnormal short-term-maximum high temperature operations,
including time durations and alarm points.

19 RTU Cabinet Requirements

19.1 RTU enclosures shall be NEMA 4X, IP 65 enclosure made of stainless steel
materials and shall comply with all requirements defined in 34-SAMSS-820 and
34-SAMSS-821.

19.2 Door hardware (hinges, latches, handles, bolts and nuts) shall be made of 316
stainless steel.

19.3 The RTU enclosure size and dimensions shall be determined based on the field
installation plan with a full-length front door to provide access to all components
mounted inside.

19.4 The RTU enclosure shall be sized to ensure that the maximum temperature inside the
RTU enclosure due to internal heat dissipation plus heat rise due to solar
radiation will not exceed 60°C. All electronic components to be mounted inside
the RTU enclosure shall have a 75°C temperature rating minimum.

19.5 RTU enclosures may be surface mounted or rack mounted depending on the
specific design.

19.6 RTU enclosures shall have locking doors. Each enclosure shall be supplied with
two (2) keys.

19.7 Enclosures shall be fitted with a sufficient number of conduit entries at the bottom.

19.8 Terminal strips shall be provided in RTU enclosures to terminate instrument
cables from field signals and for power distribution.

19.9 Each item of equipment and accessory inside the cabinet shall be correctly
tagged, if possible, immediately below the corresponding equipment or
accessory. All nameplates on the exterior surface of the cabinet shall be
attached with stainless steel screws. Internally mounted nameplates may be
attached with two-component epoxy adhesive. Nameplates shall be made from
laminated plastic, white-black-white (information engraved into the black core
with white surface, dull finish).

19.10 Each cabinet design shall be appropriately laid out with sufficient workspace to
allow for installed equipment field wiring termination and access for future
maintenance and installation.

20 Wiring and Power Supply

20.1 Electrical and wiring up to but excluding vendors' standard cabinets shall be
designed in accordance with Saudi Aramco Engineering Standard SAES-J-902.

20.2 For electrical power requirements and grounding and marshaling cabinets for the
SCADA Host Station refer to 34-SAMSS-820.

20.3 For electrical power requirements and grounding for the RTU cabinets refer to
34-SAMSS-821.

20.4 Systems shall tolerate a loss of power of 100 msec without any damage,
mal-operation or data corruption.

20.5 For Fiber Optics Data communication cables requirements and design, refer to
SAES-Z-020.

20.6 SCADA equipment designated as 'indoors' shall carry the CE Mark for compliance
with European EMC Directive 2004/108/EC or shall comply with the immunity
levels stated in IEC 61000-6-2. Alternatively, the vendor shall provide testing
results to confirm that the equipment will operate without disturbance when
energized and subjected to an electromagnetic field from a radiating source
equivalent to a level 3 disturbance as detailed in IEC 61000-4-3. In particular,
RF sources such as hand-held radio transceivers operating at 5 Watts within the
frequency ranges 50-174 MHz, 406-470 MHz, and 800-870 MHz and held at a
distance of 1.0 meters from the equipment shall not cause any malfunction, data
corruption, or damage to the equipment.

20.7 For control room equipment, two separate, independent electric circuits shall be
supplied to power redundant modules. If a simplex UPS is provided, one of the
feeds to the system redundant power modules shall be supplied from a raw 120 VAC
power feed.

20.8 These circuits shall be clearly labeled. Branch circuits or power cords to
redundant modules shall be clearly labeled identifying the circuit that they are
connected to.

20.9 All instruments, push-buttons, switches, lamps and other console mounted
devices, as well as cabinets and workstations shall be identified with tag number
and service description. The nameplates shall be permanently attached using
screwed plate or equivalent.

Revision Summary
25 October 2010 Major revisions were made to this standard to address audit items.
