Distributed Control and Programmable Electronic Safety Systems for a Large Offshore Oil and Gas Platform

Abstract

This paper describes the various aspects of the selection, design, standards and problems associated with Process Control and Electronic Safety systems for a large offshore oil and gas platform.

It has been written essentially in an educational vein, and the principles addressed can assist personnel involved in the specification, design and maintenance of programmable electronic control systems as used in Process or Safety related Applications.

Included are lists and typical examples of the documents which require to be produced, applicable standards which are of use and details of a very advanced hierarchical shutdown system.

Introduction

The design of the Control systems for a large offshore platform is a complex task in that there are many constraints associated with it. These include equipment density (little wonder when figures in the order of $80,000 per square metre of platform real estate are quoted), weight (severe weight restrictions being in place because the modules must be capable of being lifted), restrictions on the UPS supply available, space and, most importantly, the hazardous nature of the product.

The Programmable Electronic Control and Safety Systems must be Specified and designed to exacting standards. This is essential in that these systems are responsible for the control of the facility and also the safeguarding of platform personnel and a major oil company strategic asset worth $billions!

Platforms are generally built up of units which are called modules and within these are situated the various items of plant. These items of plant vary from Reinjection Compressors to Pressure Vessels and are generally purchased as discrete packages.

Whilst the package controls are generally 'stand alone' they do need to interface with the Platform Control System, and this is achieved by Serial Links for loops of a non critical nature and hard wiring for critical circuits. It is also necessary to interface these packages with the platform Programmable Electronic Safety System. Both these areas are difficult to supervise as there are so many vendors and subvendors involved.

Once the Control systems have been determined conceptually, the associated interfaces with the Onshore base and/or other platforms need to be finalised, the Control/Monitoring being made available to these facilities by means of Telemetry.

The Modules although being located within a very small area lend themselves to Distributed Control in that they may well be fabricated in different locations and by utilising the advantages of a distributed approach can be precommissioned on a 'Standalone basis'.

Of course if the platform has been designed on the single lift 'integrated deck' basis then the control systems are generally centrally located. There are however still advantages in the distributed approach since should an 'event' occur the adjacent module controls continue to report and operate.

There are generally FOUR totally discrete Control systems utilised on Major offshore platforms that should be considered, these being:-

Process Control System (PCS)

Utilised for the process control of the platform.

The Process and Emergency Shutdown System (PSD/ESD)

Responsible for the safe shutdown of the process and utilities in the event of a Process Fault or Fire/Gas detection.

Fire and Gas System (F&G)

This system with its associated sensors detects fire or gas and initiates appropriate fire protection systems, i.e. Deluge, CO2 or Halon release. It alerts personnel to the location of the event and automatically operates the platform status lights/audible warning. The appropriate signals to the PSD/ESD system for controlled shutdown of the plant are also initiated.

The Drilling Control System

Provides the Control and Safety Interlocks for the drilling operation. This system is outside the scope of this paper.

The PSD/ESD and F&G system are sometimes called a Combined Safety System and are generally purchased from the same supplier even though the systems are functionally totally independent of each other. There are advantages in this approach in that wherever possible similar hardware is utilised and the interface is clearly defined. Owing to the criticality of the intersystem signals they are generally hardwired and are backed up by serial communication links.

The Central Control Room

Control of an offshore Platform revolves around the Central Control Room. This room is the most important in any Offshore facility since it is the location of the Human Interface.

Operations staff must be able to control the facility effectively and in a well ordered manner under both normal and 'extreme stress' conditions. This is why in ALL installations an ERGONOMIC STUDY should be undertaken. A study of this nature provides the guidelines for the design of the Control Room, detailing such items as console layout, keyboard height, lighting requirements, functionality, communications, room colours, operator chair type, VDU graphics colours and alarm priority. Of course consideration should be given to Console noise and the location of printers.

When considering printers it is worthwhile to consider ink jet or laser units in the specifications since one day the DCS suppliers may wake up to the office technology which is currently available.

The Controls Engineer has to be prepared to spill blood, have fits, ulcers and tear his hair out over this room. Architects will try to dictate requirements, EVERYONE will say too much space has been allocated and opinionated engineering will rule if one is not careful. It is essential that Operations are involved; after all they have to work in the room and if IGNORED they will ensure that even the best CCR does not suit them! What must be stressed is MAINTAIN THE SPACE requirement; too little space will result in a poor operating environment for operators.

The use of large graphic backwall displays which utilise video projectors is slowly becoming a feature in control rooms. Some regard this as a 'gimmick' but this is just not so. The displays are a very useful tool for replacing the 'old' mimic and also serve for demonstration, documentation and training purposes.

A useful reference document associated with ergonomics is ISA RP60.3-1985 'Human Engineering for Control Centres'.

SYSTEM SELECTION

It is essential that the RIGHT SYSTEM is selected. In the selection there are three distinct phases these being:-

  1. Prequalification
  2. Selection
  3. Implementation

Prequalification

The prequalification is best carried out by utilising a technical questionnaire; this really sorts out the best systems and suppliers, with eventual selection being restricted to perhaps three to four bidders from a field of 12 to 15.

The prequalification is a very important document and should for expediency be of a database format; as each supplier answers the same questions it is then possible to easily compare the answers. From this document it can be determined whether there are technical, engineering or support problems with the various systems.

The questionnaire highlights any failings with the system, engineering or support and by utilising this method an equitable prequalification can be made.

Selection

Once the prequalification is complete then the initial functional specification and associated invitation to bid has to be prepared. These documents are then sent out to the suggested MAXIMUM of four bidders and work begins for the poor unfortunates who have to put it all together.

What must be remembered by the Company requesting bids is that they are not cheap to produce, and if it is their intent to go to sole tender then they should not waste suppliers' time or money; they certainly would not like something similar happening to them!

The bid documents submitted by the vendors should initially be superficially technically reviewed; the idea of this is to immediately identify a non compliant bid. Generally if there has been a good prequalification all bids will be of a high standard technically.

Concurrently with the Technical Bid Evaluation there should be a Commercial review by A CONTROLS ENGINEER IN ASSOCIATION with the purchasing department.

Finally the bid clarification meetings take place, costs are finalised and a supplier is selected.

Implementation

At this stage you have to find out if you have selected the correct supplier. This you do by partitioning the purchase order into two sections, these being 'IMPLEMENTATION SPECIFICATION' and 'DESIGN AND CONSTRUCT'. The supplier must 'pass the test' of implementation (sometimes called preliminary design) where hopefully 90% of the problems can be identified at an early stage.

The Implementation spec also sets down the ground rules and provides a basis on which to engineer and build the system. Particular emphasis should be placed on planning and ensuring that the supplier is fully conversant with what is required and how the system is to be configured, the actual configuration being completed at a later stage during detail design. During this period data which is required by other sections in the platform design team must be supplied; these include layout and footprint, heat dissipation, weights and availability MTBF.

Suppliers generally underestimate the work to be done in the implementation specification phase. It is hard work involving long hours but if done correctly can save both money and schedule delays in the long run.

The Systems

For normal operation the Process Control system is utilised. This system is DISTRIBUTED with OUTSTATIONS in FIELD EQUIPMENT ROOMS (FER) in each module. Each outstation is stand alone and in the event of a communication failure (a pretty remote possibility in that the communication links are duplicated and routed differently) the control actions associated with it still operate.

Also 'critical signals' are hardwired to provide increased reliability.

RELIABILITY and AVAILABILITY are of course paramount with any failure possibly costing $millions. Reliability and Availability of a system are enhanced by the use of 'REDUNDANT CONTROL' in the form of DUAL Multifunction Controllers and automatic transfer of I/O in the event of failure. Availability figures in the order of 97% for the Process Control System and 99.99% for the Combined Safety System are generally required.

Cables, Wiring and Ducting

Fire retardant/ fire resistant cables, wiring and ducting which has low toxic and low smoke emission properties should be included in the functional design specification. Utilising Materials which have these properties has several advantages including the elimination of Halon systems along with the associated environmental problems.

Field Equipment

Electrical equipment selected for use on an offshore oil and gas platform is usually protected against igniting any hazardous atmosphere by some means. This is generally intrinsic safety for the instrumentation and other means for high/medium voltage electrical equipment, i.e. Exd, Exe etc. Special care should be taken to ensure that the interfaces to the PCS or CSS are compatible with the input/output devices and that 'Ohm's law' is addressed, i.e. calculations are done to ensure that there is sufficient available voltage at the transmitters.

Smart 'Analogue' Transmitters are being used increasingly on platforms. It is very important to ensure that the requirements are included in the functional design specification since when the 'communication mode' is selected it is possible that the interface at the PCS or CSS may not be compatible and spurious control or shutdown actions occur.

Interfaces

It is necessary to have extensive interfaces with the Motor Control System; these are achieved by use of 'System Cables'. System Cables are preformed and utilise plug and socket arrangements. This method of connection is also used for interconnection between the Marshalling and System Cabinets. It is a very efficient means of connection in that (a) module yard terminations are minimised and (b) the system cables can be coiled into the marshalling cabinets for transport.

The Distributed Approach

The advantage of the distributed approach is apparent in that every I/O point can be checked in the module yard thus minimising costly offshore commissioning.

Even if the CCR is in another module, simple PC interfaces are used to test that each and every I/O point associated with the module outstation is operating satisfactorily. Thus when the system network is finally connected together one can be confident that the system is operable.

Serial Links

Where there are packages then serial links can be used to great effect. On a large platform these may well be numerous, perhaps 15 to 20 and they are very economic in transferring information without hardwiring each I/O point.

Engineers should however be WARY in that many suppliers have a simplistic view of them and the statements 'EASY', 'A PIECE OF CAKE' and 'WE CAN IMPLEMENT ANY SIGNAL YOU REQUIRE' are commonplace. We all know that this is not true. It is very easy to state that a serial link is the PANACEA of the Control Signal world but realities do dictate that there is more to it than that.

It is however quite possible to achieve a fully operational link at an early stage by testing hardware against hardware and protocol against protocol.

The best method of achieving the desired results is to (a) Purchase an interface to your PCS which can be readily connected with the serial links to be tested, (b) ensure that the interface is totally portable in that it can be readily transported to your package supplier's location and finally (c) terminate and test 'EARLY' against the appropriate equipment, producing a serial link specification as you glean the information from the various suppliers. By taking this approach the majority of surprises can be avoided.

Of course the dreaded 'MURPHY'S LAW' cannot always be catered for and may ultimately confound even the most rationally thinking engineer.

It is very important to remember that the signals coming from packages via serial links will have link delays associated with them, and in order to get first-up alarming special programming of the PLC may be necessary. Also link speed is critical for accurate event recording on the system.

Special Applications

Offshore platforms today are utilising latest technology to the fullest to achieve the implementation of special applications, typical of these are as follows:-

Wellflow

Other than some experimental systems there is at present no proven way of measuring two phase flow from each well. With this special application flow through the individual wellheads is inferred by comparing three massflow calculations for gas, oil and water, averaging and correcting them. The first calculation utilises the tubing head pressures and the test separator results for the well in question and computes the resultant inferred flow.

Using this method it is proven that accuracies of around + or - 2% will be achieved.

MassFlow

Some platforms are now utilising the Process Control systems for the calculations of Massflow, however in general this is not so as 'Flow Computers' of a 'standalone' nature continue to be used in that they are tried and proven, incorporate self testing features such as pulse integrity and finally use proven algorithms that are readily accepted by the authorities monitoring the fiscal metering.

Choke Control

The choke valves control the flow from each wellhead and the control associated with these devices is becoming increasingly complex. The chokes must have the capability to be stroked individually and also together with other chokes; of course this has to be achieved without causing any major process upsets.

The control normally operates in the following way: the operator selects the choke in question and keys in the opening percentage required. The choke then opens rapidly through what is known as the 'erosion zone' (normally 0 to 25%), which is a zone of operation where rapid wear occurs on the valve. If the operator has selected less than this value the PCS will not allow the action to take place and will advise the operator by way of a help message.

When the valve has been manually positioned then the operator will put the choke into 'cascade'. At this point the chokes in automatic are pulsed sequentially until the desired setpoint is reached. The operator also has the ability to 'bias' any of the chokes so that 'optimisation' of the various wells is achieved.

Should the platform have a Reinjection Compressor it is important to consider the effects of control and shutdown of that unit. This is a very complex subject which requires a Dynamic Stability Study to be performed in order to ensure safe and effective control under these conditions.

Red Tagging

Modern PCS have the ability to 'redtag' or electronically lockout items of equipment.

Red tagging systems now being implemented ensure that the operator is aware of any item of equipment or plant area which is subject to a permit by ensuring that the permit system is tied in with the PCS and that the permit is actually issued by the PCS via the operator responsible.

Of course the maintenance man still has the ultimate responsibility to also physically lock out the unit and complete appropriate documentation ie., site permits.

Energy Management

Energy Management Systems are used on offshore platforms. Usually, if there are no generation problems, there is sufficient power for all users; however, when generation capacity is down or drilling activities are in place it is essential that priority of users is defined. With the technology available, these systems are being incorporated into the platform PCS system. The system allocates priorities both on startup and shutdown of electrical plant.

Alarm Priority

Process Control Systems have Intelligent alarm systems and these facilities are extensively used on offshore platforms. All alarms are prioritised into priority (Bright RED), normal (MAGENTA) and information (YELLOW) with different alarm tones and frequencies for the various priorities.

Operators are very often subjected to INFORMATION OVERLOAD when confronted with poor alarm management. Priority alarms should direct the operator what to do by effective use of message lists. Also less important alarms should not cloud the operator's decision by causing confusion.

Packages on shutdown should alarm only the first two or three alarms, the remaining alarms being suppressed. Of course the graphics reflect all alarm states.

Considerable time and effort should be devoted to this subject of alarm priorities as it is crucial to effective operation of any facility.
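The suppression rule above, combined with the serial link delay issue raised under Serial Links, is shown below as an added example that is not part of the original paper. The tag numbers, the package name K-100 and the fixed 1.5 second link delay are constructed assumptions.

```python
from dataclasses import dataclass

# Colours the paper assigns to the three alarm priorities.
PRIORITY_COLOUR = {"priority": "BRIGHT RED", "normal": "MAGENTA", "information": "YELLOW"}


@dataclass(frozen=True)
class AlarmEvent:
    tag: str           # hypothetical tag number
    package: str       # package the alarm belongs to
    priority: str      # key of PRIORITY_COLOUR
    received_s: float  # time the PCS received the event, in seconds
    via_serial: bool   # True if it arrived over the package serial link


def occurred_at(ev, link_delay_s):
    """Estimate when the alarm occurred by removing the serial link delay.

    Assumption: each link has a fixed, measured delay. Hardwired signals
    are treated as having no delay.
    """
    if ev.via_serial:
        return ev.received_s - link_delay_s.get(ev.package, 0.0)
    return ev.received_s


def handle_package_shutdown(events, link_delay_s, max_annunciated=3):
    """Annunciate the first few alarms per package and suppress the rest."""
    by_package = {}
    for ev in events:
        by_package.setdefault(ev.package, []).append(ev)

    result = {"first_up": {}, "annunciated": [], "suppressed": [], "graphics": {}}
    for package, evs in by_package.items():
        # Order by estimated time of occurrence, not by time of receipt.
        ordered = sorted(evs, key=lambda e: occurred_at(e, link_delay_s))
        result["first_up"][package] = ordered[0].tag
        for rank, ev in enumerate(ordered):
            # The graphics reflect every alarm state, suppressed or not.
            result["graphics"][ev.tag] = PRIORITY_COLOUR[ev.priority]
            target = "annunciated" if rank < max_annunciated else "suppressed"
            result[target].append(ev.tag)
    return result


# Constructed sample: a package trip where the hardwired trip signal reaches
# the PCS before the serial-linked alarms that actually preceded it.
LINK_DELAY_S = {"K-100": 1.5}
SAMPLE_EVENTS = [
    AlarmEvent("XS-100", "K-100", "priority", 9.8, via_serial=False),
    AlarmEvent("PSHH-101", "K-100", "priority", 10.9, via_serial=True),
    AlarmEvent("TSHH-102", "K-100", "normal", 11.2, via_serial=True),
    AlarmEvent("FSLL-103", "K-100", "normal", 11.6, via_serial=True),
    AlarmEvent("LSLL-104", "K-100", "information", 12.0, via_serial=True),
]

if __name__ == "__main__":
    corrected = handle_package_shutdown(SAMPLE_EVENTS, LINK_DELAY_S)
    uncorrected = handle_package_shutdown(SAMPLE_EVENTS, {})
    print("first-up with delay correction:", corrected["first_up"])
    print("first-up by time of receipt:   ", uncorrected["first_up"])
    print("annunciated:", corrected["annunciated"])
    print("suppressed: ", corrected["suppressed"])
```

Without the delay correction the hardwired trip XS-100 is reported as first-up and the operator is pointed at the consequence rather than the initiating alarm.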

Electronic Manuals

Office technology has started to make inroads into the offshore environment. Instead of the hard copy manuals which, when you really want them, are either not available, have pages missing or have scrawlings all over them, one can now call up the manual via a video disc system. It is then possible to look, take a copy if necessary and finally include edit comments. These edit comments are not immediately included in the text original but are placed into a special comment column. The process superintendent then has the final choice whether to include the comment in the next manual update.

PCS Design Documents

It is worthwhile considering the extensive use of a database system in the production of the design documents which are to be used as input documentation by the system supplier. Most of the major DCS suppliers use Microsoft Access or Excel programs for the configuration of their database. For instance I/O schedules and Message Lists can be read straight from the disk into the system thus saving time and eventually schedule.

The generation of 'base graphics' MUST be configured by the operating company since a supplier just does not have the experience to produce graphics which accurately reflect the process. It is not simply a job of 'copying' the P&IDs. The most effective way of configuring these base graphics which the supplier enhances is to use the supplier configuration package, thus having the ability to transfer the data to the supplier database easily.

It is also a great idea to use a Database for creation of the Instrument Index, Cable Data Sheets, I/O schedules, Message Lists and Motor Schedules as data can then be effectively transferred from one database to another. This does have the added advantage in that errors are minimised once one database has been checked. Mind you if adequate checking does not occur then the problem will be multiplied.

The following input documents should be produced for issue to the PCS supplier. Some operators consider that it is more effective for the PCS suppliers to create some of these documents but that is just not so in that they just CANNOT have adequate experience to provide a comprehensive enough package.

I/O Schedules

This is the base document around which configuration revolves. Information contained within it should include tag number, whether it is an Intrinsically safe or Non I.S. loop, digital or analogue, range, units, critical or non critical loop, report input and alarming priority.

Typical PCS I/O schedule fields are detailed in attachment 1.

Functional Logic Diagrams

These are the base documents which the supplier uses for motor and sequence control. They are usually drawn utilising logic blocks around the logic symbols which are identified in AS 1102.9 - 'Graphical Symbols for Electrotechnology - Part 9 Binary Logic Elements'.

Message Lists

These lists are the base documents which are used for the generation of reports, alarm and special messages.

They are usually configured using a database format which the supplier can easily transfer to his own database.

Typical PCS Message List fields are detailed in attachment 2.

Basic Graphics

The rudimentary graphics which are initially passed to the operating company OPERATIONS GROUP for comment and then used by the supplier as the base graphic background which the supplier then enhances.

Cable Data Sheets

These sheets are used rather like termination diagrams where normal termination diagrams do not exist.

Motor Schedule

This document details the requirements needed by the energy management system, i.e. priority of tripping.

Termination Drawings

Details of all incoming terminations and cables.

Functional Design Specification

This document specifies the functional and technical requirements of the system. It should be comprehensive and miss nothing. 'Slimline' specifications DO NOT work and leave the customer wide open for variations.

The 'Tail End Charlie Syndrome'

It has always been the case that the Controls/Instrumentation design could not be finalised until the piping design has been completed because the instrument locations are unable to be adequately determined. This of course is true if total accuracy is required; however, if you have a schedule problem there is a method of achieving 90% accuracy at a very early stage, picking up the remaining 10% at a later time.

This method utilises the base vessel layout and allocates instrument positions on a 'best guess' basis (usually they are very close to the final position) and 'driving' package vendor terminations at edge of skid. The suppliers, we have found, are not averse to this approach as it does do a fair bit of design for them.

The 'Lost' Tags

It is always a problem as to just where you pick up internal system tags and tags which do not appear on the P&IDs. A convenient method of picking up these tags is to use a document called an Instrument Line Diagram. The ILD is essentially a point list and can be in diagrammatic or data format.

This document however must be treated with great care in that it can become a monster if you are not careful. Keep it as simple as possible, utilise it by all means as a tool for creating 'temporary P&IDs' when package P&IDs are not available but ensure that the tagging system used does not cause problems later.

Checking

It is absolutely essential that all documents produced are cross checked; to not check is false economy as eventually the supplier will pick up errors and it takes significantly more effort at that time to rectify them. Considerable cost overruns can result from poor cross checking.

The Combined Safety System

As mentioned previously the CSS is made up of two very distinct sections these being the Process/ Emergency Shutdown Systems and the Fire and Gas System.

The individual system and marshalling racks are segregated into PSD/ESD and F&G outstations within the Field Equipment Rooms.

Typical Combined Safety systems are generally duplex (2 processors) or triplex (3 processors). The reason for this is self explanatory as it would be impossible to achieve the desired levels of reliability or availability with a single processor. The difference between Duplex and Triplex processors is a subject which is outside the scope of this paper.

Generally the system is designed in accordance with the requirements of API RP14C "Recommended Practice for Analysis, Design, Installation and testing of Basic Surface Safety Systems for offshore Production Platforms" and the UK Health and Safety Executive document "Programmable Electronic Systems in Safety Related Applications" which has a number of check sheets. These are very useful indeed when adapted to suit your particular application.

These documents should be read extensively to ensure that requirements are met.

Other useful reference documents are "Defences against common mode failures in redundancy systems" which has been published by the U.K Safety and Reliability Directorate and also the UK Dept of Energy publication "Guidance notes for Emergency Shutdown Systems".

Also relevant is IEC 61508 on Programmable Electronic Safety Systems, which is in draft.

Further references can be found in the "Useful References" section at the end of this paper.

Many Applications use standard PLCs for safety related services. These units are not suitable for this role as they do not have adequate diagnostics and also, being very user friendly, are too easily reconfigured by unqualified personnel.

Design Documents

The CSS utilises several documents to develop the necessary logic these being:-

Platform Shutdown Philosophy

This is the most important document associated with the Combined safety System in that it lays down the philosophy applicable to it. In this document are listed the hierarchical shutdowns. One must not lose sight of the fact that although the system has the ability to implement very critical shutdown features it also implements less critical unit and process Shutdowns.

In offshore platforms the usual stages of shutdown are as follows:-

Unit Shutdown

This, the lowest level of shutdown, causes the individual units to stop.

Process Train Shutdown

An individual Process Train will shutdown on occurrence of any applicable trip.

Process Shutdown

On this occurrence the complete process stops but utilities remain running; in effect it is a process 'stop' with NO BLOWDOWN in order to facilitate an easier startup on rectification of the problem.

Emergency Shutdown

This action results generally from fire or Gas being sensed on the platform. Obviously a fire in the Galley or in a room in the accommodation does not cause an ESD, but more serious events in the Process, Wellhead or other critical areas will result in an ESD. An ESD is actually a Process Shutdown with Blowdown and isolation of the platform trunkline. The blowdown results in flaring of the gas component of the platform inventory whilst the liquid component is maintained within the various process vessels. When co-incident fire detection in the process or wellhead areas occurs one of the two strategically placed firepumps starts and deluge occurs automatically.

On some platforms main power is shutdown and the emergency generator starts when an ESD occurs whilst on others main power is maintained by the generators switching to Diesel except when there is fire in a critical area such as the wellheads. This approach is advocated in that maintaining lighting ensures that at night the firefighting crew can see what they are doing.

Total Platform Shutdown

This shutdown hopefully will never require operation during the life of the platform since it usually is the result of abandonment. There are generally only two or three TPSD pushbuttons which are under the control of the Platform Operations Manager. The result of this action is total blackout of the platform including isolation of batteries except for some navaids which continue to run. The intent of this shutdown is to maintain some battery power for when the 'black start team' reboard the platform.

Other documents used in the development of the CSS configuration are as follows:-

I/O Schedules - these detail the fundamental configuration such as tag number, IS or NIS, alarm limits, analogue ranges etc.

PSD/ESD Cause and Effects - these documents which are based on the Process Cause and Effects are used by the CSS supplier as the basis for the logic. The usual appearance of them is to have the cause on the lefthand side with the effect at the top with a 'X' matrix, however it is becoming more standard to also include logic symbols on the drawing.

A typical cause and effect is detailed in Attachment 3.

Fire and Gas Cause and Effects - These documents are similar to the PSD/ESD C&E described above except that they do not have logic symbols incorporated (matrix only).

The logic is developed by the vendor based on the above documentation on the CSS CONFIGURATION PACKAGE. This package is deliberately separate from the executive software of the system since it is very important that software previously developed is not corrupted in any way. After completion the software is tested extensively before being included in the overall software package. Great emphasis is placed on ensuring that the executive software cannot be accessed by unauthorised personnel and once the system is operational the configuration package is usually located onshore.

Message Lists/Cable Data Sheets/ Termination Drawings - As previously described for PCS.
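The 'X' matrix cause and effects and the hierarchical shutdown levels described above can be sketched as follows. This is an added example, not the paper's Attachment 3 or any supplier's logic; the tags, train and unit names and matrix contents are constructed, and two points are assumptions: TPSD is taken to include an ESD, and 'co-incident' is taken to mean two or more detectors in the same area.

```python
# Hypothetical plant hierarchy: process trains and the units inside them.
TRAINS = {"TRAIN-1": ["K-100", "P-110"], "TRAIN-2": ["K-200"]}

# Constructed PSD/ESD cause and effect matrix in the layout the paper
# describes: causes on the left, effects across the top, 'X' where they meet.
MATRIX = """
cause                   | USD:K-100 | PTSD:TRAIN-1 | PSD | ESD | TPSD | DELUGE
PSHH-101                | X         |              |     |     |      |
LSHH-120                |           | X            |     |     |      |
PSLL-300                |           |              | X   |     |      |
GAS-PROCESS             |           |              |     | X   |      |
FIRE-PROCESS            |           |              |     | X   |      |
FIRE-PROCESS-COINCIDENT |           |              |     | X   |      | X
FIRE-GALLEY             |           |              |     |     |      |
TPSD-PUSHBUTTON         |           |              |     |     | X    |
"""


def parse_matrix(text):
    """Return {cause: set of effects marked 'X'}, rejecting malformed rows."""
    rows = [[c.strip() for c in line.split("|")] for line in text.strip().splitlines()]
    header, body = rows[0], rows[1:]
    matrix = {}
    for row in body:
        if len(row) != len(header):
            raise ValueError(f"row {row[0]!r} does not match the header")
        matrix[row[0]] = {e for e, mark in zip(header[1:], row[1:]) if mark.upper() == "X"}
    return matrix


def expand(effects):
    """Apply the hierarchy: each shutdown level brings in the levels below it."""
    out = set(effects)
    if "TPSD" in out:  # assumption: total platform shutdown includes an ESD
        out |= {"ESD", "BLACKOUT", "ISOLATE-BATTERIES"}
    if "ESD" in out:   # ESD is a process shutdown with blowdown and trunkline isolation
        out |= {"PSD", "BLOWDOWN", "ISOLATE-TRUNKLINE"}
    if "PSD" in out:   # the complete process stops, so every train stops
        out |= {f"PTSD:{train}" for train in TRAINS}
    for train, units in TRAINS.items():
        if f"PTSD:{train}" in out:
            out |= {f"USD:{unit}" for unit in units}
    return out


def evaluate(matrix, active_causes, fire_detectors_in_alarm=None):
    """Return every effect demanded by the active causes.

    fire_detectors_in_alarm maps an area name to the number of detectors in
    alarm; two or more in one area raise the coincident cause for that area.
    """
    causes = set(active_causes)
    for area, count in (fire_detectors_in_alarm or {}).items():
        if count >= 1:
            causes.add(f"FIRE-{area}")
        if count >= 2:
            causes.add(f"FIRE-{area}-COINCIDENT")
    unknown = causes - set(matrix)
    if unknown:
        # A cause with no row is a configuration error, not "no action".
        raise KeyError(f"causes missing from the matrix: {sorted(unknown)}")
    effects = set()
    for cause in causes:
        effects |= matrix[cause]
    return expand(effects)


CAUSE_EFFECT = parse_matrix(MATRIX)

if __name__ == "__main__":
    print(sorted(evaluate(CAUSE_EFFECT, {"PSLL-300"})))
    print(sorted(evaluate(CAUSE_EFFECT, set(), {"PROCESS": 2})))
    print(sorted(evaluate(CAUSE_EFFECT, set(), {"GALLEY": 1})))
```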

When designing and specifying a CSS it is important to remember that it does have a fundamental common mode failure point, this being of course the software. It is all very well to have duplicated and triplicated hardware but if there is a common software bug just what can be done to overcome the problem? Well the answer is that the requirements of API RP14C should be followed in that there should be a primary and secondary safety system. Usually the primary is the electronic system and the secondary is safety relief valves.

Where there is no possible alternative to having a single electronic system then it is absolutely imperative that DUAL sets of software are used which have been written by DIFFERENT personnel. Having to use this route has great disadvantages in that it is very complex, extremely costly and difficult to maintain. The RULE is therefore - devise some form of secondary system.

Planning

Planning is a very critical component of any PCS/CSS design since if the planning is inadequate then schedule and cost overruns will result. Generally PCS and CSS systems are the longest lead time items and are therefore on the critical path for platform design.

It is essential that in the early stages of design that a manufacturing plan is submitted by the Control Systems supplier. This ensures that the fabrication, fitout and wiring schedule is maintained.

It is recommended therefore that considerable effort is included in the supplier's scope for the provision of bargraphs and precedence networks. This effort must also be 'mirrored' by the consultant in the checking and verification of adherence to the plan.

Factory Acceptance Testing

After the supplier has completed his own factory testing the consultant/operator should conduct a very comprehensive test. These tests should include at a minimum the following:-

  1. Heat Soak Test - this test should run over a period of a recommended 200 hours and be cycled between ambient and an upper value applicable to the maximum supplier specification.
  2. Power Variation Test - this test should vary the input power between the lower and upper voltage and frequency values as specified by the supplier.
  3. 100% I/O Test - Every I/O point should be checked for complete operation from I/O card to Controller to Graphics and thence on to alarms etc.
  4. Special Applications, Global and Process Unit Function Tests - Extensive testing of all special applications and all process/global system functions.
  5. Full Load Stress Test - In order to ensure that the communications are adequate a full load stress test is recommended. This test involves the switching and manipulation of large amounts of data to load the communications link to ensure that it will operate under high stress conditions and not 'lock up'.
  6. Retest - Any modifications post FAT should be comprehensively tested.

Conclusion

There are many 'traps' to be avoided when involved in the selection, design, manufacture and testing of any Control System. Hopefully by utilising some of the suggestions, methods and references suggested in this paper some of these may be overcome.

Useful References and Relevant Standards

Petroleum Submerged Lands Acts (PSLA) Specific Requirements as to Offshore Petroleum Exploration and Production -1985

API RP14C 'Recommended Practice for Analysis, Design, Installation and Testing of Basic Surface Safety Systems for Offshore Production Platforms'

API RP14G 'Fire Prevention and Control on Open Type Offshore Production Platforms'.

AS 1211 'Reliability of Electronic Equipment and Components' - Parts 1,2 and 3.

AS 1670 'Automatic Fire Detection and alarm Systems, System Design, Installation and Commissioning'.

AS 3563-1988 'Software Quality Management System'.

IEC SC65A 'Software and Hardware for Computers in the application of Industrial Safety Related Systems'.

ISA RP60.3 - 1985 'Human Engineering for Control Centres'.

ISA RP55-1 'Hardware Testing of Digital Process Computers'.

MIL-HDBK-217E 'Reliability Prediction of Electronic Equipment'.

UK Health and Safety Executive 'Programmable Electronic Systems in Safety Related Applications'.

UK Safety and Reliability Directorate 'Defences against Common mode Failures in redundancy systems'.

UK Safety and Reliability Directorate 'Reduction of Human Error in Process Operation'.

UK Department of Energy 'Guidance notes for Emergency Shutdown Systems'.

J.A.(Jim) Russell I.ENG MIICA is at present Lead Controls Engineer with Davy McKee McDermott who are contracted by Woodside Offshore Petroleum to complete the topsides design of the Goodwyn 'A' Platform which is to be installed on the Northwest Shelf. Jim's design responsibilities include the Platform Process Control and Combined Safety Systems and Instrumentation and Control associated with packages. He has been associated with Instrumentation and Control for his whole working life having previously worked with ESSO Fawley UK, Impala Platinum South Africa, British Gas, Worley Engineering (Design of North Rankin A) and West Australian Petroleum.
