Field instrumentation: sensors and switches that sense process
conditions such as temperature, pressure or flow. These are
connected over single and multiple pair electrical cables
(hardwired) or communication bus systems called fieldbus.
• Control devices, such as actuators for valves, electrical switchgear
and drives or indicators are also hardwired or connected over
fieldbus.
• Controllers execute the control algorithms so that the desired actions
can be taken. The controllers also generate events and alarms
based on changes of state and alarm conditions, and prepare data
for operators and information systems.
• A number of servers perform the data processing required for data
presentation, historical archiving, alarm processing and engineering
changes.
• Clients, such as operator stations and engineering stations, are
provided for human interfaces to the control system.
• The communication can be laid out in many different configurations,
often including connections to remote facilities, remote operations
support and other similar environments


.
Figure 31. Function blocks define the control
The main function of the control system is to make sure the production,
processing and utility systems operate efficiently within design constraints
and alarm limits. The control system is typically specified in programs as a
combination of logic and control function blocks, such as AND, ADD and
PID. For a particular system, a library of standard solutions such as level
control loops and motor control blocks are defined. This means that the
system can be specified with combinations of typical loop templates,
102
consisting of one or more input devices, function blocks and output devices.
This allows much if not all of the application to be defined based on
engineering databases and templates rather than formal programming.
The system is
operated from a
central control
room (CCR) with a
combination of
graphical process
displays, alarm
lists, reports and
historical data
curves. Smaller
personal screens
are often used in
combination with
large wall screens
as shown on the
right. With modern systems, the same information is available to remote
locations such as onshore corporate operations support centers.
Field devices in most process areas must be protected
to prevent them from becoming ignition sources for
potential hydrocarbon leaks. Equipment is explosive
hazard classified, e.g., as safe by pressurization (Ex.p),
safe by explosive proof encapsulation (Ex.d) or
intrinsically safe (Ex.i). All areas are mapped into
explosive hazard zones from Zone 0 (inside vessels
and pipes), Zone 1 (risk of hydrocarbons), Zone 2 (low risk of hydrocarbons)
and Safe Area.
Beyond the basic functionality, the control system can be used for more
advanced control and optimization functions. Some examples are:
• Well control may include automatic startup and shutdown of a well
and/or a set of wells. Applications can include optimization and
stabilization of artificial lift, such as pump off control and gas lift
optimization.
• Flow assurance ensures that the flow from wells and in pipelines and
risers is stable and maximized under varying pressure, flow and
temperatures. Unstable flow can result in slug formation, hydrates,
etc.
103
• Optimization of various processes to increase capacity or reduce
energy costs. 


• Pipeline management modeling, leak detection and pig tracking.
• Support for remote operations, in which facility data is available to
company specialists located at a central support center.
• Support for remote operations where the entire facility is unmanned
or without local operators full or part time, and is operated from a
remote location.
8.1.1 Safety systems and functional safety
The function of safety systems is to take control and prevent an undesirable
event when the process and the facility are no longer operating within normal
operating conditions. Functional safety is the part of the overall safety of a
system that depends on the correct response of the safety system response
to its inputs, including safe handling of operator errors, hardware failures and
environmental changes (fires, lightning, etc.).
.
The definition of safety is “freedom from unacceptable risk” of physical injury
or of damage to the health of people, either directly or indirectly. It requires a
definition of what is acceptable risk, and who should define acceptable risk
levels. This involves several concepts, including:
1. Identifying what the required safety functions are, meaning that
hazards and safety functions have to be known. A process of
function reviews, formal hazard identification studies (HAZID),
hazard and operability (HAZOP) studies and accident reviews are
applied to identify the risks and failure modes.
2. Assessment of the risk-reduction required by the safety function.
This will involve a safety integrity level (SIL) assessment. A SIL
applies to an end-to-end safety function of the safety-related system,
not just to a component or part of the system.
3. Ensuring the safety function performs to the design intent, including
under conditions of incorrect operator input and failure modes.
Functional safety management defines all technical and
management activities during the lifecycle of the safety system. The
safety lifecycle is a systematic way to ensure that all the necessary
activities to achieve functional safety are carried out, and also to
demonstrate that the activities have been carried out in the right
104
order. Safety needs to be documented in order to pass information
to different engineering disciplines.
For the oil and gas industry, safety standards comprise a set of corporate,
national and international laws, guidelines and standards. Some of the
primary international standards are:
• IEC 61508 Functional safety of electrical/electronic/programmable
electronic safety-related systems
• IEC 61511 Functional safety - Safety instrumented systems for the
process industry sector
A safety integrity level is not directly applicable to individual subsystems or
components. It applies to a safety function carried out by the safety
instrumented system (end-to-end: sensor, controller and final element).
IEC 61508 covers all components of the E/E/PE safety-related system,
including field equipment and specific project application logic. All these
subsystems and components, when combined to implement the safety
function (or functions), are required to meet the safety integrity level target of
the relevant functions. Any design using supplied subsystems and
components that are all quoted as suitable for the required safety integrity
level target of the relevant functions will not necessarily comply with the
requirements for that safety integrity level target.
Suppliers of products intended for use in E/E/PE safety-related systems
should provide sufficient information to facilitate a demonstration that the
E/E/PE safety-related system complies with IEC 6


1508. This often requires
that the functional safety for the system be independently certified.
There is never one single action that leads to a large accident. It is often a
chain of activities. There are many layers to protect against an accident, and
these are grouped two different categories:
• Protection layers – to prevent an incident from happening. Example:
rupture disk, relief valve, dike.
• Mitigation layers – to minimize the consequence of an incident.
Example: Operator intervention or safety instrumented system (SIS)
An SIS is a collection of sensors, controllers and actuators that execute one
or more SIFs/safety loops that are implemented for a common purpose.
Each SIF has its own safety integrity level (SIL) and all sensors, controllers
and final elements in one SIF must comply with the same SIL, i.e., the end-
105
to-end safety integrity level. The SIS is typically divided into the following
subsystems:
• Emergency shutdown system (ESD) to handle emergency
conditions (high criticality shutdown levels)
• Process shutdown system (PSD) to handle non-normal but less
critical shutdown levels
• Fire and gas systems to detect fire, gas leakage and initiate
firefighting, shutdown and isolation of ignition sources