Hardwired intertrips between FGS and ESD shall be designed to avoid single point of

failure and configured

in 2ooN voting arrangement to reduce spurious trips. Where the FGS and ESD systems
are implemented in
identical hardware that uses a SIL 3 ‘safety bus’ for communication, this shall be
the preferred method of
implementing Intertrips.
Input and output signals shall be voted independently. Fault tolerant output
modules shall be automatically
tested for stuck-on and stActivate FGS alarm via PAGA and beacon/sounder and plant
siren
(b) Fire water pumps start
(c) Activate the fire suppression suck-off components at a regular interval not
exceeding 1 second.
All input faults shall be configured with a default 2 second delay to avoid alarm
chattering and spurious trips
or spurious voting degradation.
The FGS logic solver shall be designed such that once it has placed the process in
a safe shutdown state,
the trips shall be latched to fail safe state and means of resetting it shall be
provided once healthy condition
is restored.
FGS executive action will be based on HSE/Fire and Gas philosophy/respective Cause
and Effects and shall
be interfaced to the following field equipment and perform the following actions:
(a) Activate FGS alarActivate FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression sm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression system and/or deluge release
(d) Equipment shutdown, isolation and depressurisation via ESD system
(e) Process building HVAC closing dampers and tripping air handling units
10.1.6 Third Party Interface
Typical third-party interface will include:
(a) Process Monitoring and Flame detection CCTV
(b) HSSD system
(c) Non-Process building FGS panel
(d) Third party package FGS system
(e) Access Control Systems
Critical signals will be hardwired.
10.1.7 Safety Data requirement
VENDOR shall Activate FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression sprovide the following data and necessary support
for FGS verification:
(a) PFD and System Failure Rates.
(b) Safe Failure Fraction.
(c) Mean Time Between Failures.
(d) Common cause failure factor as per method detailed in IEC 61508-6.
(e) SIL 3 Certificate as per IEC 61508 from Exida, TUV or equivalent
(f) Safety Manual
AGES-SP-04-003 Rev. No: 1
Page 19 of 49
ADNOC Classification: Public
(g) Documentary evidence of suitability of equipment based on prior use as
described in IEC 61511-1.
(h) Fault tolerance report, showing conformance to IEC 61511-1 requirements
10.2 Functional Specification (FS) and Functional Design Specification (FDS)
The Functional SActivate FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression specification shall be prepared by CONTRACTOR in
consultation with COMPANY and shall
form the basis for the VENDOR proposals and for the VENDOR to develop the FGS
design in detail and shall
be written specifically for each project.
The FS shall provide the following information:
(1) This specification
(2) Number and spacing of IES;
(3) Number and type of I/O (Analogue, Digital, SOV, ‘Soft’ serial, IS, Non-IS) and
allocation to IES;
(4) Number of Safety functions and allocation to IES;
(5) I/O Criticality ratings
(6) Requirements for ‘island’ operation.
(7) P&IDs (tActivate FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression so support segregation assessment).
Based on the FS and additional supporting documentation, VENDOR shall develop the
detailed design of the
FGS and document it in the FDS.
The supporting information supplied to VENDOR to develop the FDS shall include:
(8) Logic Descriptions;
(9) Sequence Narratives;
(10) Updated P&IDS;
(11) Operating Philosophies;
The FDS shall detail the project specific architecture, system layout, hardware,
software. It shall be written in
conjunction with COMPANY/CONTRACTOR by VENDOR, based on the Functional
Specification, provided
in the rActivateall detail the project specific architecture, system layout,
hardware, software. It shall be written in
conjunction with COMPANY/CONTRACTOR by VENDOR, based on the Functional
Specification, provided
in the rActivate FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire sup FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression sd until the FDS is approved by COMPANY.
Operator interface requirements shall be included in FDS.
The FDS shalActivate FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression sl provide a detailed inventory and description
of the equipment, functional definition and
equipment data, including, as a minimum:
(1) Definition of data flows to achieve FS requirements
(2) Allocation of controllers to IES/units
(3) Allocation of I/O to controllers
(4) Number of FGS cabinets
(5) Allocation of I/O to cabinets
AGES-SP-04-003 Rev. No: 1
Page 20 of 49
ADNOC Classification: Public
(6) General Arrangement (GA) of cabinets including, rack distribution and mounting,
power distribution,
terminations, trunking, cooling fans, temperature monitoring, cable entry
arrangement and
dimensional drawings
(7) Preliminary configuration database
(8) Function block definitions
(9) HMI station details /GA and dimensional drawings
(10) Access control
10.3 FGS Hardware
10.3.1 Main Processors
Each FGS system shall contain redundant CPU operating synchronously and in
parallel.
Hot replacement of a CPU or modification of a CPU's running application program
shall not require process
interruption or system re-initialisation.
A locking mechanism (hardware switch) for each CPU shall prevent memory
modification from an outside
source.
For CPU with volaActivate FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression stile (RAM) memory, battery backup on CPU module
shall be provided to retain data for six
months in memory. Batteries on CPU module shall be replaceable online without
degrading FGS system
functionality.
Each processor loading shall not exceed 60% in all memory areas, to allow for
future expansion.
10.3.2 I/O General
The VENDOR shall provide I/O cards of robust design and high quality. I/O cards
shall be installed in I/O
cabinets in I/O raActivate FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression sActivate FGS alarm via PAGA and beacon/sounder
and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression scks or on individual base plate depending on I/O
mounting design. I/O cards shall be
manufactured to withstand the facility environment, in particular maximum ambient
conditions.
All input and output cardActivate FGS alarm via PAGA and beacon/sounder and plant
siren
(b) Fire water pumps start
(c) Activate the fire suppression ss used in FGS logic shall be redundant, fail
safe design and SIL3 certified as per IEC
61508. All outActivate FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression sActivate FGS alarm via PAGA and beacon/sounder
and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression sActivate FGS alarm via PAGA and beacon/sounder
and plant siren
(b) Fire water pumps start
(c) Activate the fire suppression sput cards which are driving noncritical alarm
lamps should be approved for non-interaction and
are not SIL rated. Rall detail the project specific architecture, system layout,
hardware, software. It shall be written in
conjunction with COMPANY/CONTRACTOR by VENDOR, based on the Functional
Specification, provided
in the rActivate FGS alarm via PAGA and beacon/sounder and plant siren
(b) Fire water pumps start
(c) Activate the fire supedundant I/O cards shall be used for all inputs and output