Materials System Specification

Materials System Specification
34-SAMSS-629 15 February 2016

Wellhead High Integrity Protection System
- Offshore Oil (ESP) Service
Document Responsibility: High Integrity Protection Systems Stds Committee
Contents
1 Scope................................................................... 2
2 Conflicts and Deviations....................................... 2
3 References.......................................................... 3
4 Terminology......................................................... 4
5 Environmental Conditions.................................... 6
6 General................................................................ 8
7 System Requirements........................................ 10
8 Functional Requirements................................... 16
9 Identification Tagging......................................... 18
10 Inspection and Testing....................................... 19
11 Packing and Shipping........................................ 20
12 Documentation................................................... 21
13 Notes to Purchaser............................................ 23
Appendix A - Logic Solver System
I/O Assignment............................................. 24
Appendix B - Cause and Effect................................ 25
Appendix C - List of Sub-Components
from Approved RVL...................................... 26
Previous Issue: New Next Planned Update: 15 February 2019

Page 1 of 26
Contact: Miller, Chan Eldon (millerce) on +966-013-8804750
Copyright©Saudi Aramco 2016. All rights reserved.

Document Responsibility: High Integrity Protection Systems Standards Committee 34-SAMSS-629
Issue Date: 15 February 2016 Wellhead High Integrity Protection System
Next Planned Update: 15 February 2019 - Offshore Oil (ESP) Service
1 Scope
1.1 This specification defines the minimum mandatory requirements for the Logic
Solver and Cabinet associated with an offshore wellhead High Integrity
Protection System (HIPS) in electric submersible pump (ESP) service (crude
oil). The system covered by this specification may be installed on a new
offshore platform or an existing offshore platform where some of the
components are existing.
1.2 The HIPS design shall be independent of any other control or safety system and
shall be designed for outdoor sheltered offshore installation.
1.3 The overall HIPS includes but is not limited to the following system components:
1.3.1 Three Pressure Transmitters with individual pressure taps upstream of
the Export Safety Valve (ZV) for 2oo3 high pressure voting architecture.
1.3.2 HIPS Solid State Logic Solver
1.3.3 HIPS Solid State Logic Solver Cabinet
1.3.4 Electrical System Final Elements
1.3.4.1 Trip of individual ESP Controllers
1.3.4.2 Trip of Main Power Feeds to multiple ESP Controllers.
1.3.5 Interface with the Wellhead Shutdown Panel (WSDP) including modular
hydraulic ESD System and platform export safety valve (ZV).
1.3.6 Interface with Remote Terminal Unit (RTU).
1.4 The HIPS Logic Solver and Logic Solver Cabinet are the scope of supply of the
Vendor. All components external to the Logic Solver Cabinet are the scope of
supply of the Contractor.
2 Conflicts and Deviations
2.1 If there are any conflicts between this specification and associated purchasing,
project or engineering documents, this specification shall take precedence.
Any conflicts between this specification and other applicable Mandatory Saudi
Aramco Engineering Requirements (MSAERs), or industry standards, codes,
and forms shall be resolved in writing by the Company or buyer's representative
through the Manager, Process & Control Systems Department of Saudi Aramco,
Dhahran.
Page 2 of 26
2.2 Direct all requests to deviate from this specification in writing to the Company or
buyer's representative, who shall follow internal company procedure SAEP-302
and forward such requests to the Manager, Process & Control Systems
Department of Saudi Aramco, Dhahran.
3 References
The following is a summary of all the documents referenced within this specification.
Material or equipment supplied to this specification shall comply with the latest edition
of the references listed below, unless otherwise noted.
3.1 Saudi Aramco References
Saudi Aramco Engineering Procedures

SAEP-302 Instructions for Obtaining a Waiver of a Mandatory
Saudi Aramco Engineering Requirement
SAEP-354 High Integrity Protection Systems Design
Requirements
SAEP-375 HIPS - SAP Tracking System Workflows
Saudi Aramco Engineering Standard

SAES-A-202 Saudi Aramco Engineering Drawing Preparation
Saudi Aramco Materials System Specifications

34-SAMSS-621 ESD Systems - Hard-Wired - Solid-State
(Nonprogrammable)
34-SAMSS-820 Instrument Control Cabinets - Indoor
34-SAMSS-821 Instrument Control Cabinets - Outdoor
Saudi Aramco Inspection Requirements

175-343100 Instrument Control Panels
175-344200 ESD System: Hard Wired, Solid State (Non-
Programmable)
Saudi Aramco Nonmaterial Requirements

NMR-7930 Nonmaterial Requirements for
Page 3 of 26
3.2 Industry Codes and Standards
American National Standards Institute

ANSI/NFPA 70 National Electrical Code
International Electrotechnical Committee

IEC 60529 Degrees of Protection Provided by Enclosures
IEC 61508 Functional Safety of Electrical/Electronic /
Programmable Electronic Safety-related Systems
IEC 61511 Functional Safety - Safety Instrumented Systems for
the Process Industry Sector
International Society of Automation

ISA-71.04 Environmental Conditions for Process Measurement
and Control Systems: Airborne Contaminants
National Electrical Manufacturers Association

NEMA 250 Enclosures for Electrical Equipment
4 Terminology
4.1 Acronyms
DBB double block and bleed
EMC electromagnetic compatibility
ESP electric submersible pump
FAT Factory Acceptance Test
HFT Hardware Fault Tolerance
HIPS High-Integrity Protection System
LED Light Emitting Diode
MAWP maximum allowable working pressure
MDP main distribution panel
PFD Probability of Failure on Demand
RTD resistance temperature detector
RTU remote terminal unit
SAT Site Acceptance Test
SIL safety integrity level
Page 4 of 26
SSV surface safety valve

SSSV subsurface safety valve
VFD variable frequency drive
ZV export safety valve
4.2 Definitions
1oo2: One out of two voting; if one out of two devices reaches a trip setpoint, a
trip is initiated.
2oo3: Two out of three voting; if two out of three devices reaches a trip
setpoint, a trip is initiated.
Buyer: Saudi Aramco, or nominated representative placing an order for the

materials and services.
Contractor: Lump Sum Turn Key/Long Term Agreement contractor or

Engineering Procurement and Construction contractor depending on the
procurement method selected for the project. There may be more than one
Contractor involved in the project. In this case, the term contractor refers to all
applicable contractors.
Crude Oil Service: Directly producing crude oil or produced water in support
of crude oil production.
Electric Submersible Pump (ESP): An electric motor driven pump installed

downhole in a well to provide artificial lift to maintain or increase production
rates.
Factory Acceptance Test (FAT): A FAT is done at the equipment

manufacturer’s shop and consists of functional test of all components using
actual or simulated signals.
High Integrity Protection Systems (HIPS): High availability, fail safe SIL-3
system that consists of sensors, logic solvers, and final control elements used to
prevent over-pressurization and loss of containment on process and equipment
by shutting off the source of high pressure before exceeding the process design
pressure. A HIPS system is designed as an independent and separate safety
protection layer separate from the ESD system. A HIPS system must be in
compliance throughout the systems lifecycle to the strict conditions of approval
resulting from a quantitative risk assessment, dynamic process simulations and
other specific design considerations.
Modular: A self-contained unit intended to perform a certain function that is

interchangeable with a standard interface; a modular unit may be disconnected
Page 5 of 26
and moved to a new location or replaced with a spare unit without disassembly
of subcomponents.
Nearshore Environment: Any outdoor, onshore location within one kilometer

from the shoreline of the Arabian Gulf; all of the Ras Tanura Refinery and
Terminal; and within three kilometers from the shoreline of the Red Sea.
Offshore: Over water
Onshore: On land
PFDavg: Probability of Failure on Demand is the probability that the safety

instrumented function fails to respond to a process demand or a manual initiation.
Safety Integrity Level (SIL): The level of overall safety availability for the
safety instrumented function or an ESD system component calculated as one
minus the sum of the average probability of dangerous failures on demand.
Site Acceptance Test (SAT): SAT is done at the field location and consists of
functional test of all components using actual field parameters.
Shall: Indicates a mandatory requirement.
Shunt Trip/Coil: A feature added to a circuit breaker or fusible switch to

permit the remote opening of the breaker or switch by an electrical signal.
Stainless Steel: Either 316 series or 317 series stainless steel material for the
purpose of this specification.
Variable Frequency Drive (VFD): An electrical system used to control the

speed and or torque of mechanical equipment by varying the frequency and
voltage to the driven load. Also known as Adjustable Speed Drive (ASD),
Adjustable Frequency Drive (AFD), and Variable Speed Drive (VSD).
Vendor: The manufacturer supplier (including sub-suppliers) of the equipment

to buyer. The vendor shall assume overall responsibility for the equipment
being provided.
5 Environmental Conditions
5.1 Temperature
The equipment shall operate continuously under the following ambient air
temperatures without any degradation of the manufacturer's guaranteed
performance:
Page 6 of 26
Outdoor Outdoor
Sheltered (1)(2)(3) Unsheltered (2)(3)
Maximum 55°C 65°C
(131°F) (149°F)
Minimum 0°C 0°C
(32°F) (32°F)
Notes:
(1) Refers to permanent, ventilated enclosures or buildings, or permanently fixed
sunshades with a top and three sides.
(2) For instruments which dissipate internal heat and are installed in custom engineered
enclosures (e.g., enclosures not included in the original manufacturer's temperature
certification), an additional 15°C shall be added to the above maximum temperatures.
An example, for “indoor air conditioned” installation, the equipment must perform at
35 + 15 = 50°C. Similarly, for outdoor unsheltered, the equipment shall be designed
for a maximum operating temperature of 65 + 15 = 80°C.
(3) For the outdoor installations only, the designer can take credit for forced or passive
cooling to eliminate or reduce the 15°C heat rise. For example, if vortex coolers are
used, the heat removal capacity of the coolers may be subtracted from the generated
heat. No more than 15°C reduction in temperature will be given as credit.
The designer shall substantiate his claim by providing the support data and
calculations.
5.2 Contaminants
The instrument manufacturer shall ensure that all equipment is designed to

withstand the following air quality requirements.
5.2.1 Dust Concentration
Usual airborne dust concentration is 1 mg/m³. During sandstorms, dust

concentrations may reach 500 mg/m³. Particle sizes are as follows:
95% of all particles are less than 20 micrometers
50% of all particles are less than 1.5 micrometers
Elements present in dust include compounds of calcium, silicon,

magnesium, aluminum, potassium, chlorides and sodium. When wetted
(high humidity conditions) these compounds function as electrolytes and
can result in severe corrosion.
5.2.2 Other pollutants present in the atmosphere under the most extreme
conditions are:
H2S 20 ppm (Vol/Vol)
Hydrocarbon 150 ppm (Vol/Vol)
SO2 10 ppm (Vol/Vol)
Page 7 of 26
CO 100 ppm (Vol/Vol)

NOx 5 ppm (Vol/Vol)
O3 1 ppm (Vol/Vol)
5.3 Offshore and Nearshore Environment
Equipment which is not enclosed or hermetically sealed, but is situated offshore

or nearshore, shall be protected against corrosion and operational failure due to
wind-borne sea water spray and the accumulation of wetted salt (NaCl).
Nearshore is defined as any outdoor, onshore location within one kilometer from
the shoreline of the Arabian Gulf or within three kilometers from the shoreline
of the Red Sea.
5.4 Humidity
Outdoor design basis shall be between 5% to 95% relative humidity

(non-condensing).
5.5 Noise
Instruments shall not generate noise exceeding the permissible noise exposure
levels of 85 dBA at a distance of 1 meter radius and shall be rated to operate
continuously at this level.
6 General
6.1 All dimensions and measurements shall be in the International System of Units
(SI) followed by the equivalent value in English (conventional) units between
brackets. When not critical, the equivalent dimensions may be rounded off to
the nearest practical value.
Exception:
This requirement does not apply to the vendor’s standard documentation.
6.2 All components shall be of high grade industrial standard varieties rated for
environmental conditions listed in Section 5 Environmental Conditions.
6.3 Components shall be sourced from the applicable 9COM per Appendix C.
6.4 The pressure transmitters and logic solver cabinet shall be located on the
platform equivalent to sheltered or permanent sunshade, such as the mezzanine
deck.
6.5 Saudi Aramco Offshore Wellhead HIPS Design for ESP Service
Page 8 of 26
The HIPS function shall be designed to protect all piping and equipment located
downstream of the fully rated export safety valve (ZV) to the inlet of the plant
with a pressure class less than the well shut-in pressure by detecting high pressure
and quickly isolating the high pressure by the shutdown of all pressure-producing
equipment, the ESPs. Shutdown of the ESPs is facilitated by tripping the power
to the individual ESP Controllers and the main power feeds to the ESPs.
As an added measure (separate from the safety critical function), the HIPS will
initiate a Level 1 ESD in the wellhead shutdown panel resulting in the closure of
the platform export safety valve and each individual well surface safety valve
(SSV) and subsurface safety valve (SSSV). A HIPS may provide over-pressure
protection on a platform with a maximum of ten wells.
Figure 1 - Typical ESP Wellhead HIPS Schematic
6.5.1 The wellhead HIPS shall provide a fail-safe design via two types of final
elements in series that remove power from the ESPs when high pressure
is sensed by 2oo3 redundant pressure transmitters.
Page 9 of 26
6.5.2 Triple redundant pressure transmitters shall be able to sense high

pressures. Pressure transmitter connections will be in the common header
upstream of the platform export safety valve (ZV).
6.5.3 The platform piping and valves upstream of and including the platform
export safety valve (ZV) shall be fully rated with a maximum allowable
working pressure (MAWP) exceeding the maximum wellhead shut-in
pressure.
6.5.4 The HIPS shall be designed and implemented as a Safety Integrity Level
(SIL) 3 compliant and fail safe system per SAEP-354.
6.5.5 The Vendor shall verify and document the SIL compliance of the
Logic Solver using their assigned engineer(s) or third party consultant.
The responsible individual for the verification shall be a certified
functional safety engineer/expert, qualified to meet the competency
requirements of IEC 61508 and IEC 61511. The Logic Solver shall be
certified by a third party safety entity (TUV, Exida, or Lloyd’s)
independent of the entity who performed the vendor’s SIL verification.
6.5.6 The HIPS shall respond to a demand (from sensing to safety critical final
element response) in less than 4 seconds. Response of the Wellhead
Shutdown Panel and associated valve closures is excluded from this
time.
6.5.7 Vendor compliance with the provisions of this SAMSS does not relieve
vendor from the responsibility to furnish equipment of proper design to
meet the specified environment, application, service, and operating
conditions.
6.5.8 All vendor-supplied electrical equipment shall be suitable for the area
classification specified in the platform design documents and shall
comply with the requirements stated in NFPA 70, Article 505.
7 System Requirements
7.1 Pressure Transmitters
Pressure Transmitters and associated process connections shall be the contractor’s

scope of supply.
7.1.1 Pressure transmitters shall be functionally identical, smart electronic

transmitters with ±0.5% accuracy or better, 4-20 mA HART output,
SIL compliance-certified, and configured to fail high (signal goes above
21 mA on a fault or failure).
Page 10 of 26
7.1.2 All pressure transmitter wetted parts shall be compatible with the
production fluid and rated to withstand the full design pressure of the
system to which it is connected.
7.1.3 Independent process root valves shall be provided for pressure transmitter
connections and meet the requirements of the pipe specification.
7.1.4 In addition to the root valve, each pressure transmitter shall have a
instrumentation valves/manifold to allow for isolation and testing.
7.1.5 The process connections for the pressure transmitters will be in the
common header upstream of the platform export safety valve (ZV).
The connections, sensing lines, and pressure transmitters shall be located
on the platform equivalent to a shelter location (blocked from direct sun),
such as the mezzanine deck.
7.2 HIPS Logic Solver
The HIPS Logic Solver shall be as per 34-SAMSS-621 except where superseded
by this specification. HIPS Logic Solver shall be the vendor’s scope of supply.
7.2.1 Power supplied to the logic solver /logic solver cabinet will be from
redundant sources.
7.2.1.1 Unless otherwise specified, the primary source will be

120 VAC, Single Phase, 60 hz nominal power from platform
AC power panel.
7.2.1.2 Unless otherwise specified, the secondary source will be

24 VDC power from dedicated platform battery back-up.
7.2.2 The Logic Solver and cabinet shall be suitable for continuous operation
under the conditions specified in Section 5 Environmental Conditions
for outdoor sheltered.
7.2.3 Online setup, testing and repair of each input channel of the Logic Solver
System shall be possible without shutting down the system.
7.2.4 The Logic Solver System shall be composed of VENDOR’s standard

equipment that can be configured to meet the stated requirements.
7.2.5 The Logic Solver System shall employ three independent channels on
separate modules capable of receiving individual 4-20 mA signal from
field pressure transmitters.
7.2.6 Each analog I/O channel shall as a minimum consist of power supply,
Page 11 of 26
current loop receiver, input out of range low comparator with adjustable
trip threshold, input out of range high comparator with adjustable trip
threshold and process pressure high comparator with adjustable trip
threshold (trip delay timer).
7.2.7 The Logic Solver System shall employ both volt-free digital output
contacts that open (de-energize) in the event of detecting overpressure.
See Appendix A.
7.2.8 If Logic Solver System SIL-3 digital outputs require the use of
interposing relays then IEC standards shall be followed. For SIL-3
outputs a minimum of two SIL-2 compliant relay contacts shall be used
in series from separate relays. As an alternative, the vendor may use a
certified SIL-3 safety relay with a Hardware Fault Tolerance (HFT) of
zero, provided there shall be an additional diagnostic circuit that alarms
in the event of a covert relay failure.
7.2.9 The Logic Solver System shall employ volt free digital output contacts
for remote alarms and shall provide local indications, alarms, system
reset and lamp test inputs and outputs. Outputs for primary final
elements shall be on separate IO modules than for the secondary final
elements. See Appendix A.
7.2.10 The Logic Solver System electronic boards (printed circuit board
components) shall be G3 conformal coated in accordance with
ISA-71.04 including power supply modules/units.
7.2.11 The Logic Solver System 2oo3 input voting logic unit shall be provided
with tolerance time delay for process variable input discrepancies and
shall be adjustable from 0 to 15 seconds. In case the set time is
exceeded, the 2oo3 voting logic unit shall generate a deviation alarm
annunciated on the front door of the Logic Solver System cabinet from
outside and on the serial link to the RTU.
7.2.12 The Logic Solver System shall be provided with trip delay timer, turn on
delay timer and output trip relay (if necessary). The trip delay timer
circuit shall delay the activation of the output trip relay. The trip delay
timer shall be adjustable from 0.2 to 5 seconds.
7.2.13 The safe operation of the Logic Solver System shall not be affected by
the communication modules which transfers the data via a serial link.
7.2.14 All equipment shall be electromagnetically compatible (EMC)

(i.e., equipment rating and performance shall not be impaired thermally
or electromagnetically by other equipment in the vicinity).
Page 12 of 26
7.2.15 The system shall include protection techniques to protect against system
errors and hardware damage resulting from electrical transients on power
or signal wiring.
7.3 HIPS Logic Solver Cabinet
The HIPS Logic Solver Cabinet shall be as per 34-SAMSS-820 and

34-SAMSS-821 except where superseded by this specification. HIPS Logic
Solver Cabinet shall be the vendor’s scope of supply.
7.3.1 The cabinet shall have a side to side configuration with dimensions not
to exceed 600 mm deep x 1600 mm wide x 2000 mm high with two front
access doors.
7.3.2 The cabinet shall be rigid, self- supporting, free standing, floor mounted
and NEMA type 4X in accordance with NEMA 250/NEMA ICS 6 or
IEC 60529 type IP 66 for installation in non-classified area, highly
corrosive environment on offshore platform. The enclosure shall be
manufactured of 316L stainless steel material or better including the
door.
7.3.3 The cabinet shall be provided with all the required mounting hardware
and accessories. All the hardware and accessories including hinges,
back-pans, sub-pans, latches, fittings, door mechanical stops, plates shall
be 316L stainless steel material or higher.
7.3.4 The cabinet doors shall be full height and lockable. The doors shall have
removable gasket trim with exceptional durability, memory and high-
temperature resistance. The inside of the cabinet doors shall have a
pocket suitable for holding A4 documents and/or cabinet drawings.
7.3.5 The cabinet shall be mounted on 300 mm high mounting feet

manufactured of 316L stainless steel material or higher.
7.3.6 Vendor shall provide removable blank gland plates (bottom entry) to
facilitate installation of cables through the bottom of the cabinet (the
gland plate will be removed for on-site drilling). Gland plates shall be
manufactured of 316L stainless steel material or better. There shall be
no penetrations on the top of the enclosure.
7.3.7 The cabinet shall be provided with a single drain and breather fitting of
316L stainless steel material or better and shall be located at lowest point
on the floor of the cabinet (in cabinet floor or gland plate, whichever is
lowest). Drain and breather fitting shall be one piece; separate drain and
breather is not acceptable.
Page 13 of 26
7.3.8 The cabinet shall be equipped with door closure devices for holding the
doors in open position at 90o to 105o (adjustable).
7.3.9 The Logic Solver shall be mounted on one side and the field terminations
on the other side of the cabinet with an internal separation wall between
the sides.
7.3.10 All switches, push buttons, and associated indicating lights shall have a
name plate identifying the associated tag number of the device.
7.3.11 Vendor-installed cables shall be designed and installed in such a way as to

allow the cables to be disconnected in order to service the equipment.
Cables shall not obscure removal of any cabinet component or equipment.
7.3.12 Cabinet components or equipment shall be replaceable without the

removal of field or terminal panel wiring.
7.3.13 Interconnecting cables shall be specified with a minimum insulation

rating of 600 volts, at 75oC wet / 90oC dry and conform to UL standard.
7.3.14 Each device with a direct AC power input shall be protected by a circuit
breaker or fuse installed in the hot line. If these are part of the vendor’s
standard equipment, they may be provided in a power distribution panel
mounted and wired within the relevant cabinet.
7.3.15 There shall be an individual circuit breaker on each primary power feed
into the equipment cabinet.
7.3.16 Each AC electrical power circuit breaker or fuse shall be tagged with a
permanently mounted nameplate that identifies its service.
7.3.17 Incoming power shall be distributed within the cabinet on individually fused
terminal strips. Power supply cable entry shall be from the bottom of the
cabinet. Daisy chaining of power distribution wiring is not permitted.
7.3.18 Unless otherwise specified, the Logic Solver System cabinet

shall include 120 VAC/24 VDC main power supply/converter,
24 VDC/24 VDC backup power supply/converter, a feed and decoupling
module (diode bridge module) to alternate between 120 VAC and
24 VDC, 24 VDC buffer module, feeding and current distribution unit.
7.3.19 Terminal rails shall be furnished with approved anti-vibration screwed

terminals.
7.3.20 Terminal blocks used for marshaling of field cables shall be fused knife
and fused disconnect type (or equivalent make-or-break) for all input and
Page 14 of 26
output signals.
7.3.21 Adequate space and or barriers shall be provided to prevent personnel

touching electronic hardware when working at the terminal blocks.
7.3.22 Crimp type ferrule terminals shall be installed on all the wires terminated
inside the cabinet.
7.3.23 At least one cabinet light 60 watt equivalent LED type per side and a
duplex power outlet rated 10 amps shall be provided as a minimum.
Unless otherwise specified, the voltage shall be 120 VAC.
7.3.24 A Resistance Temperature Detector (RTD) with 4-20 mA temperature

transmitter shall be provided inside the cabinet and shall be wired to the
cabinet terminal blocks for connection to RTU. The temperature
measuring range of the detector shall be -20oC to +80oC.
7.4 Final Elements
The platform may have up to ten wells. Each well may have an ESP with
associated transformers and ESP controller. Power is distributed to the ESP
controllers through a main distribution panel (MDP). A MDP may supply
power to five ESP controllers. The MDP has a main feed breaker and individual
supply breakers for each ESP controller.
Final elements and confirming the interface with the Logic Solver shall be the
contractor’s scope of supply.
7.4.1 The primary final element located in the MDP is considered the
individual breakers to ESP VFD controllers. Each breaker will have an
under-voltage release that will open the breaker on a de-energized signal
from the Logic Solver. For ten wells there will be ten breakers (five per
MDP).
7.4.2 The secondary final element located in the MDP is considered the main
incoming feed breaker from the ESP transformer switchgear. The breaker
will have an under-voltage release that will open the breaker on a
de-energized signal from the Logic Solver. For ten wells, there will be
two outputs (one per MDP).
7.4.3 The signal wiring for the two types of final elements shall be run in two
separate cables.
7.5 Wellhead Shutdown Panel
To facilitate the HIPS initiating a closure of the platform export safety valve
Page 15 of 26
(ZV), two 3-way solenoid valves shall be connected in series in the Level 1 ESD
hydraulic circuit of the wellhead shutdown panel. The HIPS solenoids will de-
energize upon a HIPS trip via independent Logic Solver outputs and initiate an
ESD Level 1 that closes the platform export safety valve.
The wellhead shutdown panel, including HIPS solenoid valves, shall be the
contractor’s scope of supply.
7.5.1 The HIPS solenoids should be the last initiating devices in the hydraulic
circuit.
7.5.2 The solenoids shall be SIL compliance certified, 24 VDC, de-energize to

trip, and rated for the area classification.
7.6 Remote Terminal Unit (RTU)
The HIPS Logic Solver shall communicate to the Platform Process Control
System/Remote Terminal Unit via MODBUS RTU / RS485 or Modbus TCP/IP
per the material requisition. Device states and diagnostic information shall be
communicated.
The RTU is the Contractor’s scope of supply. Providing the Interface from the
Logic Solver to the RTU is the Vendor’s scope of supply.
7.6.1 Only one RS-485 communication bus or Ethernet Cat5 (cable) is

required to connect the Logic Solver System to the RTU.
7.6.2 The RTU will be the master and the HIPS Logic Solver shall function as
the slave.
7.6.3 The Logic Solver System shall be capable of operating in a stand-alone

manner, with full functionality, independent of communication with the
RTU.
7.6.4 Communication cabling between Logic Solver System sub-racks within

the same cabinet shall be connected directly between sub-racks.
8 Functional Requirements
The following functional requirements are for the Logic Solver and Cabinet:
8.1 Trip Settings and Voting
If all three input signals from the pressure transmitters are available, the HIPS
logic requests a trip when 2oo3 pressure transmitter signals exceed the trip
point. If one pressure transmitter is faulty or bypassed, the HIPS logic degrades
Page 16 of 26
to 1oo2 voting of the healthy signals and a deviation alarm will be activated.
If two pressure transmitters are faulty or detect an overpressure, the HIPS logic
shall initiate a trip.
All final elements shall trip simultaneously when a trip condition is voted.
8.2 Trip Indications
The system shall be provided with three separate indication lamps to indicate
trip status of the input signals from the three field-mounted pressure transmitters
(“Input A Tripped”, “Input B Tripped”, “Input C Tripped”). Individual “System
Tripped”, and “Fault Alarm” indicators shall also be provided. Indicators shall
be located on the external side of the front door of the Logic Solver cabinet.
8.3 Deviation Alarm
When the process variable inputs to the 2oo3 voting logic varies for more than a
set time, a “Deviation Alarm” shall be generated. The alarm shall be
annunciated on the external side of the front door of the Logic Solver System
cabinet and on the serial link to the RTU.
8.4 Reset Function
After a trip has taken place due to any reason, the HIPS prevents automatic reset
of the system when the process pressure returns to below the trip threshold.
The Logic Solver includes a reset pushbutton integrated inside of the Logic
Solver cabinet. The reset will require local manual intervention by operations
personnel to activate when satisfied that process conditions are safe to do so.
8.5 Maintenance Override/Bypass Switch
Individual key-lockable input bypass switches shall be provided for each input
pressure transmitter, totaling three input bypass switches. Each bypass switch
shall have an associated INPUT CLEAR indicator next to it, showing that the
switch may be safely returned to its normal position. A separate and unique
BYPASS indicator shall also be provided next to the bypass switch, identifying
that the switch is in the bypass position. All bypass switch contacts are sealed.
Each bypass switch shall have a pair of independent contacts, wired to a
terminal strip, for remote indication via the RTU.
The input bypass switches shall be located inside of the Logic Solver cabinet
and provided with an interlock which shall allow bypassing only one input at a
time. When a bypass is active, the HIPS logic degrades to 1oo2 voting of the
healthy signals. The interlock will be realized using logic modules. The three,
key-lockable input bypass switches shall be provided with a mechanical
Page 17 of 26
interlock that prevents the Logic Solver cabinet front door from closing when a
key is located in an input bypass switch.
8.6 Lamp Test
The System shall be provided with a “Lamp Test” push button located on the
external side of the front door of the Logic Solver System cabinet.
8.7 Serial Communication
Device states, pressure transmitter process variable, logic solver states (alarm,
trip, faults), and diagnostic information (module faults) shall be communicated
via MODBUS to the RTU.
8.8 Indicator Colors
Indicator Description Indicator Color

Inside Panel
Input A Clear Green
Input B Clear Green
Input C Clear Green
Input A Bypassed Amber
Input B Bypassed Amber
Input C Bypassed Amber
Front Panel
Input A Tripped Red
Input B Tripped Red
Input C Tripped Red
System Tripped Red
Fault Alarm Amber
Deviation Alarm Amber
9 Identification Tagging
9.1 An identification tag or name plate made of 316L stainless steel (3 mm

minimum thickness) shall be attached to the Logic Solver cabinet securely with
stainless steel or Monel fasteners. The tag or nameplate shall be located so that
the information is clearly visible and legible after the equipment is installed.
The tag shall be marked by raised letters or die stamping with the following
information:
a) Purchase Order Number
Page 18 of 26
b) Manufacturer Name and Location

c) Part/Model Number
d) Serial Number
e) Date of Manufacture
f) Equipment Tag Number
g) Total Weight
9.2 The tagging system for all instruments, control devices, enclosures, terminal
blocks, cables, and valves, shall be in compliance with SAES-A-202.
9.3 Warning nameplates shall be of phenolic material with red letters on a white
background.
10 Inspection and Testing
10.1 General
10.1.1 A copy of the manufacturer's test procedures shall be submitted to Saudi

Aramco HIPS Unit for approval.
10.1.2 The manufacturer's test procedures shall clearly indicate:

a) The conditions under which the testing is to be carried out
b) Any standards and/or specifications with which the manufacturer's
test procedure complies
10.2 Inspection
10.2.1 Instruments shall be tested, examined and qualified to the established

manufacturer tests and applicable industry standard requirements.
10.2.2 Major components (HIPS Logic Solver and cabinet) shall be

manufactured and are subject to the following minimum Inspection
Requirements of the associated specifications:
a) HIPS Logic Solver 175-344200
b) HIPS Logic Solver cabinet 175-343100
10.3 Factory Acceptance Test (FAT)
10.3.1 The completed Logic Solver shall undergo a Factory Acceptance Test
(FAT) per the manufacturer’s approved test procedure. Manufacturer
shall submit FAT procedure for Saudi Aramco approval minimum of
Page 19 of 26
30 days prior to commencement of test. The FAT shall be witnessed and

accepted by a qualified Saudi Aramco Representative at the vendor’s
facility. Saudi Aramco HIPS Unit shall be notified and be given the
opportunity to participate and witness the FAT.
10.3.2 Vendor shall be responsible for the setup and performance of the FAT.
Test shall be conducted to prove validation of complete functional,
performance, and hardware including system configuration.
10.3.3 The vendor shall provide all necessary personnel, tools, and test
equipment required for the FAT. Test equipment shall be calibrated with
valid certificates if applicable. Test equipment calibration frequency
shall not be more than one year.
10.3.4 Functional checks during the FAT shall include witness of fail-safe
operation, all trip and reset functions, and operation of all cabinet
accessories under simulated operating conditions.
10.4 Site Acceptance Test (SAT)
10.4.1 The completed system shall undergo a Site Acceptance Test (SAT) per
the manufacturer’s approved test procedure. Manufacturer shall submit
SAT procedure for Saudi Aramco approval minimum of 30 days prior to
commencement of test. The SAT shall be witnessed and accepted by a
qualified Saudi Aramco Representative at the site after installation.
Saudi Aramco HIPS Unit shall be notified and be given the opportunity
to participate and witness the SAT.
10.4.2 Vendor shall be responsible for the setup, performance, and recording of
the SAT. Test shall be conducted to prove validation of logic and correct
functionality of the Logic Solver System.
10.4.3 Vendor shall identify special requirements or recommendations during

installation, commissioning and start-up of the equipment supplied.
11 Packing and Shipping
11.1 Before packing, all foreign bodies and traces shall be removed from the system
cabinet. Cabinet shall be packed and protected.
11.2 Open ports shall be capped and/or plugged with metal and/or plastic caps/plugs.
11.3 All equipment and materials shall be supplied suitably protected from corrosion
during transit, storage, after installation.
Page 20 of 26
11.4 The supplier shall advise any requirements for preservation of equipment and
materials should they require long term (greater than 6 months) storage after
delivery. The supplier shall provide all materials required for preservation and
protection during shipment and storage on site prior to installation.
12 Documentation
12.1 All documentation shall be in English and be in compliance with SAES-A-202.

As a minimum, the following documents shall be submitted in electronic,
searchable formats:
12.1.1 Cabinet general arrangement drawings with Bill of Materials and

overall weight
12.1.2 Cabinet fabrication and assembly drawings
12.1.3 Cabinet Layout Drawings showing client interfaces
12.1.4 Cabinet heat dissipation calculations
12.1.5 Power and load calculations and certificates
12.1.6 Wiring Diagrams and schematic drawings
12.1.7 Functional Design Specification
12.1.8 Logic drawings
12.1.9 Logic Solver System Block Diagram
12.1.10 Inspection and Testing Procedures and test reports
12.1.11 List of approved deviations from this engineering specification.
12.1.12 Manufacturer’s literature for all components
12.1.13 Installation, Operation, and Maintenance Manuals
12.1.14 Recommended Pre-commissioning and Start-up Spare Parts and

Consumables List
12.1.15 Recommended 2- and 5-year Operations Spare Parts List with detailed
price breakdown
12.1.16 Lifting procedure and drawing with certified lifting points and center of
gravity
Page 21 of 26
12.1.17 Start-up and normal power requirements for complete Logic Solver
and cabinet
12.1.18 MODBUS Map
12.1.19 SIL Certificates of Components issued by an internationally

recognized independent third party (TUV, exida, or Lloyd’s)
12.1.20 SIL Certificate and Report for the Logic Solver issued by an
internationally recognized independent third party (TUV, exida, or
Lloyd’s)
12.1.21 Packing and shipping procedures
12.1.22 Cabinet NEMA 4X / IP66 Certificate
12.1.23 Documentation in accordance with the Nonmaterial Requirements per

form NMR-7930 attached to the purchase order
12.2 Vendor shall provide unique sets of final/certified documentation for each
individual Logic Solver System.
12.3 Vendor documentation shall include complete information/instructions to allow

the buyer organization to install, operate and maintain the equipment or material
throughout it’s operating life.
12.4 Vendor documentation shall include plan layouts, elevations, sections, design
details, weights and dimensions relevant to equipment positioning, electrical and
instrument connections, required access for local control, equipment removal,
access for maintenance and electric power consumption.
12.5 Vendor drawings shall be dimensioned in metric units with imperial dimensions
shown in parenthesis.
12.6 All vendor drawings, data, and correspondence shall show the Purchase Order
number, job title, location, and equipment tag numbers as referenced in the
Purchase Order. The exception is standard documents such as manuals for
components.
12.7 Appropriate drawings shall be submitted complete with a comprehensive Bill of

Materials (BOM). All pertinent documentation should be provided by the
vendor as project deliverable key drawings such as field interconnection/wiring
diagrams, cabinet layouts, and instrument/equipment loop diagrams shall be
submitted on Saudi Aramco format.
Page 22 of 26
12.8 In addition to the general document requirements, two sets of installation,

configuration and operating manuals shall be provided in a plastic weatherproof
envelope packed with the system.
12.9 The installation and configuration drawings and documents shall provide all
necessary details for the installation and commissioning of the Logic Solver
System.
12.10 Data sheets shall be supplied for all components of the system and shall state the
respective manufacturer’s operating and construction specification, as applicable.
12.11 Wiring diagrams shall show all interconnections, termination strips, including
names and equipment/terminal identification.
13 Notes to Purchaser
13.1 The following information and documents must be completed and provided to
the supplier:
13.1.1 Tag numbers for the system per SAEP-375 and instrument components
13.1.2 Nonmaterial Requirements per form NMR-7930
13.1.3 Basic logic and/or cause and effect diagrams
Revision Summary
15 February 2016 New Saudi Aramco Materials System Specification defines the minimum mandatory
requirements for all the necessary equipment to provide a wellhead High Integrity Protection
System (HIPS) in offshore ESP service that fully meets SAEP-354 requirements. The ESP
HIPS described within 34-SAMSS-629 was designed with input from proponent
representatives, design contractors, central engineering, LPD and PMT to meet both
operational requirements of Saudi Aramco offshore platforms and safety performance
requirements within SAEP-354. 34-SAMSS-629 includes clear and inspectable requirements
for offshore ESP HIPS in oil service. This is a new document that is needed to provide a
consistent design and deployment of HIPS as part of offshore maintain potential projects.
Page 23 of 26
Logic Solver System I/O Assignment
I/O Field Equip./Device description I/O signal type and contact I/O functional requirement
Quantity and contact rating demand rating requirement Remarks
Type
SIL rated field pressure 4-20 mA HART Monitor production header Each analog input
Analog transmitters pressure to detect over pressure segregated and
3 each Analog signal scenarios utilizes a
Input 4-20 mA HART separate module
AFD Main Distribution Panels Volt free De-energize to open contact

main feed breakers (dry contact relay output) (De-energize to trip main
2 each
Issue Date: 15 February 2016
24 VDC @ 0.125 A (3 Watts) 24 VDC @ 2 A (48 Watts) breaker)

See Note 1 See Note 1
Safety critical
AFD Main Distribution Panels Volt free De-energize to open contact outputs
Next Planned Update: 15 February 2019
Individual Breakers to ESP (dry contact relay output)

10 each Controllers (De-energize to trip individual
24 VDC @ 5.5 mA (0.132 Watts) 24 VDC @ 2 A (48 Watts) AFD controller breaker)
De-energize to open contact Safety related

Digital Solenoid valve located inside the Powered tputou
2 each ESD system in the field (wet contact) (De-energize to trip solenoid
Output
24 VDC @ 0.125 A (3 Watts) 24 VDC @ 2 A (48 Watts) valve)
RTU located in the field De-energize to open contact

3 each (De-energize to initiate alarm to
24 VDC @ 5 mA (0.12 Watts) Volt free RTU)
Not safety critical
(dry contact relay output)
or related
Indication lamp located inside Initiate local alarm at the Logic
outputs
and on the front door from 24 VDC @ 2 A (48 Watts) Solver System cabinet
12 each
outside of the Logic Solver
System cabinet
Document Responsibility: High Integrity Protection Systems Standards Committee
“Input Bypass” key-lockable Bypassing an individual field

switch located inside the Logic pressure transmitter
3 each Solver System cabinet (auxiliary (input channel)
Appendix A - Logic Solver System I/O Assignment
contact to RTU)
24 VDC volt free (dry
“System Reset” push button Manual reset of Logic Solver
Digital contact)
1 each located inside of the Logic Solver System
System cabinet
Input
“Lamp Test” push button located Manual lamp test for all the
on the front door of the Logic indication lamps of the Logic
1 each
Solver System cabinet from Solver System cabinet
outside
Wellhead High Integrity Protection System
- Offshore Oil (ESP) Service
34-SAMSS-629
Page 24 of 26
Note 1: Wired to Low Voltage Relay of the main breaker in Main Distribution Panels (MDP-001 and MDP-002)
Appendix B - Cause and Effect
Page 25 of 26
Appendix C - List of Sub-Components from Approved RVL
No. Sub-component Applicable SAMSS 9COM

1 Logic Solver - ESD; ELECTRONIC; SOLID STATE 34-SAMSS-621 6000002725
Control Panels - PANEL; CONTROL;

2 34-SAMSS-821 6000002698
INSTRUMENT; OUTDOOR
Page 26 of 26

Materials System Specification

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Materials System Specification

Uploaded by

Copyright:

Available Formats

Materials System Specification

34-SAMSS-629 15 February 2016

Previous Issue: New Next Planned Update: 15 February 2019

Copyright©Saudi Aramco 2016. All rights reserved.

2 Conflicts and Deviations

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedures

Saudi Aramco Engineering Standard

Saudi Aramco Materials System Specifications

Saudi Aramco Inspection Requirements

Saudi Aramco Nonmaterial Requirements

3.2 Industry Codes and Standards

American National Standards Institute

International Electrotechnical Committee

International Society of Automation

National Electrical Manufacturers Association

SSV surface safety valve

Buyer: Saudi Aramco, or nominated representative placing an order for the

Contractor: Lump Sum Turn Key/Long Term Agreement contractor or

Electric Submersible Pump (ESP): An electric motor driven pump installed

Factory Acceptance Test (FAT): A FAT is done at the equipment

Modular: A self-contained unit intended to perform a certain function that is

Nearshore Environment: Any outdoor, onshore location within one kilometer

Offshore: Over water

PFDavg: Probability of Failure on Demand is the probability that the safety

Shall: Indicates a mandatory requirement.

Shunt Trip/Coil: A feature added to a circuit breaker or fusible switch to

Variable Frequency Drive (VFD): An electrical system used to control the

Vendor: The manufacturer supplier (including sub-suppliers) of the equipment

The instrument manufacturer shall ensure that all equipment is designed to

5.2.1 Dust Concentration

Usual airborne dust concentration is 1 mg/m³. During sandstorms, dust

Elements present in dust include compounds of calcium, silicon,

CO 100 ppm (Vol/Vol)

5.3 Offshore and Nearshore Environment

Equipment which is not enclosed or hermetically sealed, but is situated offshore

Outdoor design basis shall be between 5% to 95% relative humidity

This requirement does not apply to the vendor’s standard documentation.

Figure 1 - Typical ESP Wellhead HIPS Schematic

6.5.2 Triple redundant pressure transmitters shall be able to sense high

7.1 Pressure Transmitters

Pressure Transmitters and associated process connections shall be the contractor’s

7.1.1 Pressure transmitters shall be functionally identical, smart electronic

7.2 HIPS Logic Solver

7.2.1.1 Unless otherwise specified, the primary source will be

7.2.1.2 Unless otherwise specified, the secondary source will be

7.2.4 The Logic Solver System shall be composed of VENDOR’s standard

7.2.14 All equipment shall be electromagnetically compatible (EMC)

7.3 HIPS Logic Solver Cabinet

The HIPS Logic Solver Cabinet shall be as per 34-SAMSS-820 and

7.3.5 The cabinet shall be mounted on 300 mm high mounting feet

7.3.11 Vendor-installed cables shall be designed and installed in such a way as to

7.3.12 Cabinet components or equipment shall be replaceable without the

7.3.13 Interconnecting cables shall be specified with a minimum insulation

7.3.18 Unless otherwise specified, the Logic Solver System cabinet

7.3.19 Terminal rails shall be furnished with approved anti-vibration screwed

7.3.21 Adequate space and or barriers shall be provided to prevent personnel

7.3.24 A Resistance Temperature Detector (RTD) with 4-20 mA temperature

7.4 Final Elements

7.5 Wellhead Shutdown Panel

7.5.2 The solenoids shall be SIL compliance certified, 24 VDC, de-energize to

7.6 Remote Terminal Unit (RTU)

7.6.1 Only one RS-485 communication bus or Ethernet Cat5 (cable) is