1 Scope
NOTE This specification covers programmable logic controllers (PLCs) and programmable automation controllers (PACs) furnished as the real-time logic solver for industrial, process, and water/wastewater control systems. (1.1)
NOTE Equipment covered includes the processor (CPU), the chassis or backplane and power supply, discrete and analog input and output modules and their signal conditioning, specialty and communication modules, remote and distributed I/O, redundancy components (standby CPUs, redundant power supplies, and redundant network interfaces), and the controller firmware and application program. (1.2)
NOTE Both non-redundant single-controller architectures and redundant high-availability architectures are addressed, as are general-purpose controllers and safety-rated controllers used in safety instrumented systems. (1.3)
NOTE A PLC covered by this standard is the device that reads field inputs, executes a deterministic control program on a fixed or event-driven scan, and drives field outputs; it is distinguished from the supervisory and operator layer above it and from the field devices wired to it. (1.4)
NOTE The controller's network connection to peer controllers, remote I/O, and the supervisory layer is specified in Process Control Networks; the operator interface and data historian are specified in Scada And Hmi Systems. (1.5)
NOTE The boundary of work under this standard is the controller hardware and its application program, from the I/O module field terminals through the network ports, including all factory-configured redundancy and the loaded, tested control logic. (1.6)
NOTE A distributed control system (DCS) is a distinct platform in which the controller, I/O, operator, and engineering layers are procured and integrated as a single vendor system; where a DCS is specified, that integrated platform governs and this standard does not apply. (1.7)
1.9 Equipment shall comply with the equipment requirements and tests of IEC 61131-2.
1.10 Application programming shall conform to the languages and program-organization model of IEC 61131-3.
1.11 Controllers and associated components shall be listed to UL 61010-2-201 (or the applicable product safety standard) by a Nationally Recognized Testing Laboratory.
1.12 Controllers and the safety instrumented functions they execute, where process safety applies, shall comply with IEC 61511 (with device suitability established per IEC 61508).
1.13 Installation shall comply with NFPA 70 (National Electrical Code), including the hazardous (classified) location provisions of Articles 500 through 506 where applicable.
2 Referenced Standards
2.1 Equipment, materials, and programming shall comply with the latest adopted edition of each of the following unless a specific edition is cited.
2.2 Where conflicts exist between referenced standards, the more stringent requirement shall govern unless the Engineer of Record directs otherwise in writing.
| Standard | Title |
| --- | --- |
| IEC 61131-1 | Programmable Controllers — Part 1: General Information |
| IEC 61131-2 | Programmable Controllers — Part 2: Equipment Requirements and Tests |
| IEC 61131-3 | Programmable Controllers — Part 3: Programming Languages |
| UL 61010-2-201 | Safety Requirements for Electrical Equipment for Measurement, Control, and Laboratory Use — Particular Requirements for Control Equipment |
| UL 61131-2 | Programmable Controllers — Part 2: Equipment Requirements and Tests (US adoption) |
| IEC 61508 (Parts 1–7) | Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems |
| IEC 61511 (Parts 1–3) | Functional Safety — Safety Instrumented Systems for the Process Industry Sector |
| ANSI/ISA-84.00.01 | Functional Safety — Safety Instrumented Systems for the Process Industry Sector (US adoption of IEC 61511) |
| UL 121201 | Nonincendive Electrical Equipment for Use in Class I and II, Division 2 and Class III, Divisions 1 and 2 Hazardous (Classified) Locations |
| ANSI/ISA-12.27.01 | Requirements for Process Sealing Between Electrical Systems and Flammable or Combustible Process Fluids |
| NFPA 70 | National Electrical Code (NEC) — including Articles 500–506 for hazardous (classified) locations |
| ANSI/ISA-71.04 | Environmental Conditions for Process Measurement and Control Systems: Airborne Contaminants |
| ANSI/ISA-5.1 | Instrumentation Symbols and Identification |
| NEMA 250 | Enclosures for Electrical Equipment (1000 Volts Maximum) |
| NEMA ICS 1 | Industrial Control and Systems: General Requirements |
| IEEE 1588 | Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems (PTP) |
| RFC 5905 | Network Time Protocol Version 4 (NTP) |
| IEC 62443 (series) | Security for Industrial Automation and Control Systems |
3 Submittals
3.1 Action Submittals
3.1.1 The Contractor shall submit the following for the Engineer's review and approval prior to procurement.
- Manufacturer's product data for the CPU/PAC, chassis or backplane, power supply, and every I/O and communication module, including model designation, point count and signal type per module, memory capacity, and current draw on each supply rail
- A controller architecture diagram showing the CPU, local and remote I/O, network segments and media, redundancy components, and the time-synchronization source
- I/O assignment schedule (I/O list) cross-referenced to the instrument index, listing each point by tag, rack/slot/channel, signal type and range, and engineering units, with spare-point quantities identified
- Power-supply load calculation demonstrating the supply capacity exceeds the connected module load with the specified spare margin, including backplane and field-power budgets
- Redundancy description for redundant architectures: switchover trigger conditions, switchover (failover) time, state-synchronization method between primary and standby CPUs, and which components are redundant (CPU, power, network)
- Scan-time estimate for the worst-case program and I/O configuration, identifying the configured scan or task periods
- For safety-rated controllers: the manufacturer's IEC 61508 / IEC 61511 safety manual, the certified SIL capability of the logic solver, the safe failure fraction (SFF) and PFDavg data needed for the SIL verification calculation, and the safe-state behavior on fault
- Hazardous-area listing documentation where the controller or I/O is installed in or interfaces with a classified location, including the protection method, area classification, and gas/dust group
- Environmental ratings: operating temperature and humidity range, the ISA-71.04 corrosive-gas severity class the equipment is rated for, and any conformal-coating option
- Network interface data: ports, media, supported protocols, and addressing, coordinated with Process Control Networks
- Firmware and software version data for the CPU, modules, and the programming environment, and the IEC 61131-3 languages to be used
☐ Product data for CPU, chassis, power supply, and all modules
☐ Controller architecture diagram
☐ I/O assignment schedule (I/O list) cross-referenced to instrument index
☐ Power-supply load calculation with spare margin
☐ Redundancy description with switchover time and sync method
☐ Worst-case scan-time estimate
☐ Safety manual and SIL capability data (safety-rated controllers)
☐ Hazardous-area listing documentation
☐ Environmental and ISA-71.04 corrosion-class ratings
☐ Network interface and protocol data
☐ Firmware/software versions and IEC 61131-3 languages
3.1.2 Procurement shall not proceed until action submittals have been reviewed and returned.
3.2 Closeout Submittals
3.2.1 At substantial completion, the Contractor shall provide the following before the control system is accepted.
- Operation and maintenance manuals for the CPU, chassis, power supply, and each module, organized with a table of contents
- The final, as-commissioned application program in editable source form, with version identification, and the project archive file required to restore the controller
- The as-built I/O assignment schedule reflecting all field changes
- Configuration backups of the CPU, modules, and network devices on durable media
- For safety-rated controllers: the completed SIL verification calculation, the safety requirements specification reference, and the safety validation record (coordinated with Control Systems Integration)
- Factory and site acceptance test reports (FAT/SAT) and loop-check records, as required by Control Systems Integration
- Firmware and software version record for all controller components as left
- Warranty documentation
- Spare parts inventory list with manufacturer part numbers
☐ Operation and maintenance manuals
☐ As-commissioned application program (editable source) and archive file
☐ As-built I/O assignment schedule
☐ Configuration backups on durable media
☐ SIL verification calculation and safety validation record (safety-rated)
☐ FAT/SAT and loop-check reports
☐ Firmware/software version record as left
☐ Warranty documentation
☐ Spare parts inventory list with part numbers
4 Quality Assurance
4.1 Manufacturer Qualifications
4.1.1 The controller shall be a current production product of a manufacturer with a minimum of ten years of continuous experience producing programmable controllers for industrial process control.
4.1.2 The manufacturer shall maintain an ISO 9001 certified quality management system.
4.1.3 Replacement modules, firmware support, and engineering software for the controller product line shall be available for a minimum of ten years from the date of substantial completion.
NOTE A single product line with parts availability and a stable engineering toolchain protects the Owner against forced control-system replacement when a discontinued module fails years into service. (4.1.4)
4.2 Listing and Certification
4.2.1 The controller and all modules shall be listed to UL 61010-2-201 (or the applicable product safety standard) by a Nationally Recognized Testing Laboratory and shall bear the listing mark.
4.2.2 Equipment installed in or interfacing with a hazardous (classified) location shall additionally carry the listing for that location and protection method.
4.2.3 Safety-rated controllers shall carry independent third-party certification of the claimed SIL capability against IEC 61508.
4.3 Programming Standards
4.3.1 The application program shall be developed in the languages and program-organization model of IEC 61131-3.
☐ Ladder Diagram (LD)
☐ Function Block Diagram (FBD)
☐ Structured Text (ST)
☐ Sequential Function Chart (SFC)
4.3.2 Discrete interlock and motor-control logic should be programmed in Ladder Diagram, and analog, calculation, and continuous-control logic should be programmed in Function Block Diagram or Structured Text, so that the language matches the maintenance staff's familiarity with the logic type.
4.3.3 Sequential batch or step processes should be structured with Sequential Function Chart.
4.3.4 Instruction List shall not be used, as it is deprecated in IEC 61131-3 and unsupported by current engineering tools.
4.3.5 The program shall be organized into modular, reusable program units with descriptive symbol names and comments, and shall not rely on absolute physical addresses in logic where symbolic tags are available.
NOTE Maintainability of the logic is a long-lifecycle asset; plant staff and future integrators must be able to read and modify the program without the original developer, which a documented, symbolic, IEC 61131-3 program supports. (4.3.6)
5 Environmental and Service Conditions
5.1 Operating Environment
NOTE Controllers and I/O shall be rated for the temperature, humidity, vibration, and airborne-contaminant conditions at the installation location. (5.1.1)
NOTE Treatment-plant and outdoor field environments are materially harsher than a clean control room: hydrogen sulfide and chlorine atmospheres, condensing humidity, and wide temperature swings degrade unprotected electronics. (5.1.2)
Standard: 0 to 60°C (climate-controlled control room)
Extended: -20 to 60°C (unconditioned electrical room)
Extreme: -40 to 70°C (outdoor/field enclosure)
5.1.3 The controller temperature rating shall equal or exceed the worst-case internal enclosure temperature determined for the housing panel in Industrial Control Panels, not the room ambient.
NOTE A controller in a sealed outdoor enclosure under solar load can see internal temperatures well above the rated maximum; the panel thermal calculation, not the nameplate room temperature, governs the controller rating. (5.1.4)
5.2 Corrosive-Gas Severity
NOTE Airborne corrosive gases (notably H2S at headworks and in collection systems, and chlorine at disinfection) attack copper and silver on circuit boards and connectors, causing intermittent and progressive failures. (5.2.1)
G1 (Mild) — typical clean control room
G2 (Moderate)
GX / G3 (Harsh) — H2S or chlorine atmospheres (conformal coating)
GX (Severe) — aggressive process areas (conformal coating + enclosure protection)
NOTE Specifying conformal coating for treatment-plant and lift-station controllers is the single most effective defense against the premature electronics failure that plagues uncoated PLCs in H2S service. (5.2.3)
5.3 Hazardous (Classified) Locations
NOTE Where the controller or its I/O is installed in or wired to a hazardous (classified) location — digester gas areas, certain chemical-feed rooms, and fuel or solvent process areas — the area classification governs the equipment and wiring protection method. (5.3.1)
NOTE The preferred practice is to locate the controller in a non-classified area and bring field signals out of the classified area through intrinsically safe barriers or isolators, rather than placing the controller itself in the classified location. (5.3.2)
○ None — all equipment in non-classified (general purpose) location
○ Controller in non-classified area; intrinsically safe (IS) barriers/isolators on field signals (preferred)
○ Nonincendive (Class I, Division 2) field equipment per UL 121201
○ Explosionproof / flameproof enclosure (Class I, Division 1)
○ Purged/pressurized enclosure (Type X/Y/Z) per NFPA 496
5.3.3 Field signals entering a Class I, Division 1 location shall be protected by intrinsically safe barriers or isolators rated for the gas group, with the entity parameters of the barrier and field device verified for the loop.
5.3.4 Equipment placed in a Class I, Division 2 location shall be nonincendive-rated per UL 121201 or otherwise listed for the location.
6 Processor and Memory
6.1 Controller Class
NOTE Controller capability ranges from small fixed (brick) units for a single pump station to high-end PACs handling thousands of I/O with floating-point process control. (6.1.1)
NOTE A programmable automation controller (PAC) is a high-performance PLC with a larger instruction set, floating-point math, and richer communications, suited to analog-intensive process control; a conventional PLC is well suited to discrete and sequencing logic. (6.1.2)
Compact fixed PLC — small remote site (pump/lift station)
Modular PLC — plant area controller, mixed discrete/analog
Programmable automation controller (PAC) — large I/O count, analog-intensive process control
Safety-rated controller — safety instrumented system (SIS) logic solver
6.1.3 The controller class shall be selected for the point count, the proportion of analog and continuous control, and the redundancy and safety requirements of the application.
6.2 Memory and Spare Capacity
6.2.1 Program and data memory shall be sized for the application program with margin for future expansion.
Spare memory after program load: selectable 0 to 50 % (10 / 20 / 25 / 30 / 50 %); Default: 25 %
6.2.2 At least 25% of program and data memory shall remain unused after the application program is loaded, so that future logic additions do not force a CPU replacement.
NOTE Memory exhaustion late in a plant's life is a common cause of forced controller upgrades; reserving capacity at procurement is far cheaper than a mid-life CPU swap. (6.2.3)
NOTE Scan time is the time the CPU takes to read inputs, execute the program, and update outputs; it bounds how quickly the controller can respond to a process event. (6.3.1)
NOTE A deterministic, bounded scan is the defining property of a PLC and is what makes it suitable for real-time control where a general-purpose computer is not. (6.3.2)
Maximum worst-case scan time: selectable 5 to 200 ms (5 / 10 / 20 / 50 / 100 / 200 ms); Default: 50 ms
6.3.3 The worst-case scan time for the application program shall not exceed the specified maximum, verified by the manufacturer's scan-time estimate and confirmed in commissioning.
6.3.4 Fast interlocks and protection logic that must respond faster than the main scan shall be implemented in a dedicated high-priority task or in hardware, not in the main program scan.
NOTE Loading slow logic (such as a large analog block executed every scan) into the main program is a frequent cause of scan overrun and sluggish discrete control; time-critical and slow logic should run in separate tasks at appropriate periods. (6.3.5)
7.1 I/O Module Types
NOTE The I/O subsystem connects the controller to the field: discrete inputs (DI) read on/off field contacts; discrete outputs (DO) command on/off field devices; analog inputs (AI) read continuous measurements; analog outputs (AO) command continuous final elements. (7.1.1)
Discrete input signal types:
24 VDC sinking/sourcing (standard for new work)
120 VAC
48 VDC
Dry contact / TTL (specialty)
Discrete output types:
24 VDC transistor (solid-state, fast, standard for new work)
Relay (dry contact, isolated, higher current/voltage)
120/240 VAC triac or relay
7.1.3 Discrete output modules driving inductive loads (relays, solenoids, contactors) shall have the manufacturer's recommended surge suppression applied at the load.
7.1.4 Relay outputs should be used where the field device requires isolation, a different voltage, or higher current than a transistor output provides, and solid-state transistor outputs should be used for fast, high-cycle, low-current 24 VDC loads.
7.2 Analog Signal Standards
NOTE The 4-20 mA current loop is the dominant analog signal in process control because it is immune to voltage drop over long runs and a 0 mA reading distinguishes a broken wire from a live zero. (7.2.1)
Analog input signal types:
4-20 mA (standard)
4-20 mA with HART (digital diagnostics over the loop)
0-10 VDC / 1-5 VDC
RTD (Pt100/Pt1000)
Thermocouple
Analog output signal types:
4-20 mA (standard)
4-20 mA with HART
0-10 VDC
7.2.2 Analog inputs and outputs shall default to 4-20 mA unless the connected device requires another signal.
7.2.3 Where HART-capable field devices are used, HART-pass-through analog modules should be provided so that device diagnostics and configuration are available to the asset-management system without separate wiring.
NOTE Live-zero 4-20 mA (4 mA = 0% rather than 0 mA = 0%) lets the controller detect a failed transmitter or broken wire as an out-of-range under-scale reading; this diagnostic is lost on a 0-based signal. (7.2.4)
7.3 Analog Resolution
12-bit
14-bit
16-bit (standard for process measurement)
7.3.1 Analog input and output modules shall provide at least the specified resolution across the signal span.
NOTE Resolution coarser than the field device's accuracy throws away measurement quality the instrument paid for; 16-bit is the practical standard for process analog where the transmitter accuracy warrants it. (7.3.2)
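The live-zero diagnostic of 7.2.4 and the resolution comparison of 7.3, worked through as an added example that is not part of the specification. The fault thresholds (3.6 mA under-range, 21 mA over-range), the 0-20 mA module input span and the tag LT-101 are assumptions.

```python
# Added example (not from the specification): scaling a 4-20 mA analog input
# from raw ADC counts to engineering units, flagging live-zero faults, and
# comparing the resolution that 12-, 14- and 16-bit modules give.
from dataclasses import dataclass

# Assumed fault thresholds (not from the specification): below 3.6 mA is treated
# as a broken wire or failed transmitter, above 21.0 mA as an over-range fault.
UNDER_RANGE_MA = 3.6
OVER_RANGE_MA = 21.0


@dataclass(frozen=True)
class AnalogInput:
    tag: str
    eu_low: float          # engineering value at 4 mA (0 %)
    eu_high: float         # engineering value at 20 mA (100 %)
    units: str
    bits: int              # module resolution: 12, 14 or 16
    span_ma: float = 20.0  # assumed module input span: count 0 = 0 mA, full scale = span_ma

    @property
    def full_scale(self) -> int:
        return (1 << self.bits) - 1

    def counts_to_ma(self, counts: int) -> float:
        return counts * self.span_ma / self.full_scale

    def ma_to_eu(self, ma: float) -> float:
        # Live zero: 4 mA is 0 % of span, 20 mA is 100 %.
        return self.eu_low + (ma - 4.0) * (self.eu_high - self.eu_low) / 16.0

    def eu_per_count(self) -> float:
        """Smallest engineering-unit step the module resolves over the 4-20 mA span."""
        return (self.span_ma / self.full_scale) * (self.eu_high - self.eu_low) / 16.0


def classify_ma(ma: float) -> str:
    """Live-zero diagnostic: a reading well below 4 mA cannot be a valid process value."""
    if ma < UNDER_RANGE_MA:
        return "FAULT_UNDER_RANGE"
    if ma > OVER_RANGE_MA:
        return "FAULT_OVER_RANGE"
    return "OK"


def evaluate(ai: AnalogInput, counts: int) -> dict:
    """Convert one raw module reading to mA, engineering units and a quality status."""
    ma = ai.counts_to_ma(counts)
    return {
        "tag": ai.tag,
        "ma": round(ma, 3),
        "eu": round(ai.ma_to_eu(ma), 3),
        "units": ai.units,
        "status": classify_ma(ma),
    }


def zero_based_reading(ai: AnalogInput, counts: int) -> float:
    """The same wire read as a 0-20 mA (0-based) signal: a broken wire reads as a
    plausible 0 % and the diagnostic in classify_ma() is no longer available."""
    ma = ai.counts_to_ma(counts)
    return ai.eu_low + ma * (ai.eu_high - ai.eu_low) / 20.0


# Constructed sample: a 0-100 % level transmitter on a 16-bit, 0-20 mA input.
LT_101 = AnalogInput("LT-101", 0.0, 100.0, "%", bits=16)

if __name__ == "__main__":
    for counts in (13107, 39321, 65535, 0):   # 4 mA, 12 mA, 20 mA, broken wire
        print(evaluate(LT_101, counts))
    for bits in (12, 14, 16):
        ai = AnalogInput("LT-101", 0.0, 100.0, "%", bits=bits)
        print(f"{bits}-bit: {ai.eu_per_count():.4f} % per count")
```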
7.4 Signal Isolation and Conditioning
NOTE Channel-to-channel and field-to-logic isolation prevents a ground loop or a fault on one field circuit from corrupting other channels or damaging the controller. (7.4.1)
○ Group-isolated (bank common) — standard, lower cost
○ Individually channel-isolated — mixed grounds or noisy field
7.4.2 Analog channels connected to field devices with independent or floating grounds, or routed through electrically noisy areas, shall be individually channel-isolated.
7.5 Spare I/O Capacity
NOTE Plants grow and field changes are constant; spare points and slots installed at construction are an order of magnitude cheaper than adding them later. (7.5.1)
Spare points of each signal type: selectable 0 to 50 % (10 / 15 / 20 / 25 / 30 / 50 %); Default: 20 %
7.5.2 A minimum of 20% installed and wired-to-terminal spare points of each signal type (DI, DO, AI, AO) shall be provided.
7.5.3 A minimum of one spare chassis/rack slot, or capacity for one additional remote I/O drop, shall be provided for future module addition.
8 Remote and Distributed I/O
8.1 Remote I/O Architecture
NOTE Remote I/O places I/O modules near the field devices and connects them to the CPU over a control network, reducing field wiring runs to the central panel. (8.1.1)
NOTE In a treatment plant, distributing I/O to area panels at each process unit cuts long home-run wiring, shrinks the central panel, and localizes troubleshooting. (8.1.2)
○ Local I/O only — all modules in the controller chassis
○ Local plus remote I/O drops over a deterministic control network
○ Fully distributed I/O — field-mounted I/O at each process area
8.1.3 The remote I/O network shall be a deterministic industrial network coordinated with Process Control Networks, sized so that the worst-case remote I/O update time meets the control requirement of the served loops.
8.1.4 The remote I/O link for any control function that must keep operating through a network disruption shall be a redundant media path, or the remote drop shall hold a defined safe-state output on loss of communication.
8.1.5 A remote I/O drop shall drive its outputs to a configured safe state (typically de-energized or last-known-good, as the process requires) on loss of communication with the CPU.
NOTE Defining the remote-I/O communication-loss output state is a safety decision, not a default; for most water/wastewater loads de-energizing to off is safe, but some final elements must hold position. (8.1.6)
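The communication-loss behaviour of 8.1.5 and 8.1.6, simulated as an added example that is not part of the specification. The watchdog period, the tags P-101 and FCV-201 and their per-point safe states are constructed values.

```python
# Added example (not from the specification): a remote I/O drop's communication
# watchdog, showing each output going to its configured safe state (de-energize
# or hold last-known-good) when CPU updates stop, and recovering when they
# resume. Tags, values and the watchdog period are constructed.
from dataclasses import dataclass
from enum import Enum


class SafeState(Enum):
    DE_ENERGIZE = "de-energize"          # force the output off on comm loss
    HOLD_LAST = "hold last-known-good"   # keep the last commanded value


@dataclass
class Output:
    tag: str
    safe_state: SafeState
    value: float = 0.0       # what the field terminal is actually driven to


class RemoteDrop:
    def __init__(self, outputs: list, watchdog_ms: int):
        self.outputs = {o.tag: o for o in outputs}
        self.watchdog_ms = watchdog_ms
        self.last_update_ms = 0
        self.comm_lost = False

    def cpu_update(self, now_ms: int, commands: dict) -> None:
        """An output update from the CPU arrived: apply it and reset the watchdog."""
        self.last_update_ms = now_ms
        self.comm_lost = False
        for tag, value in commands.items():
            self.outputs[tag].value = value

    def local_scan(self, now_ms: int) -> dict:
        """The drop's own scan: expire the watchdog and enforce safe states once."""
        if now_ms - self.last_update_ms > self.watchdog_ms and not self.comm_lost:
            self.comm_lost = True
            for o in self.outputs.values():
                if o.safe_state is SafeState.DE_ENERGIZE:
                    o.value = 0.0
                # HOLD_LAST: leave o.value at the last commanded value
        return {tag: o.value for tag, o in self.outputs.items()}


def run_scenario() -> list:
    """Timeline of (time_ms, comm_lost, output states) through a CPU-link outage.

    The pump is configured to de-energize on comm loss; the valve must hold
    position, the safety decision the note above says is process-specific."""
    drop = RemoteDrop(
        [Output("P-101 run", SafeState.DE_ENERGIZE),
         Output("FCV-201 position", SafeState.HOLD_LAST)],
        watchdog_ms=200,
    )

    def snapshot(t_ms: int) -> tuple:
        state = drop.local_scan(t_ms)
        return (t_ms, drop.comm_lost, state)

    timeline = []
    drop.cpu_update(0, {"P-101 run": 1.0, "FCV-201 position": 65.0})
    timeline.append(snapshot(100))
    drop.cpu_update(100, {"P-101 run": 1.0, "FCV-201 position": 65.0})
    # No further CPU updates until t = 400 ms: the link is down.
    timeline.append(snapshot(250))   # 150 ms since last update: within the watchdog
    timeline.append(snapshot(350))   # 250 ms: watchdog expired, safe states applied
    drop.cpu_update(400, {"P-101 run": 1.0, "FCV-201 position": 70.0})
    timeline.append(snapshot(450))   # link restored, new commands applied
    return timeline


if __name__ == "__main__":
    for t_ms, lost, state in run_scenario():
        print(f"t={t_ms:4d} ms comm_lost={lost!s:5} {state}")
```

The uncontrolled interval is bounded by the watchdog period plus one local scan, which is the figure to compare against the served loop's tolerance.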
9 Redundancy and Availability
9.1 Redundancy Architecture
NOTE Redundancy adds standby components that take over automatically on a failure, raising availability for processes that cannot tolerate an unplanned controller stop. (9.1.1)
NOTE Cold, warm, and hot standby differ in how much state the standby carries and how fast it takes over: hot standby tracks the primary's state continuously and switches over without interrupting the process. (9.1.2)
NOTE Redundancy is warranted where an unplanned stop has safety, regulatory, or major-cost consequences — primary effluent pumping, disinfection, and plant-critical processes — and is unnecessary cost on non-critical loads. (9.1.3)
○ Non-redundant — single CPU (standard for non-critical processes)
○ Hot-standby CPU — bumpless automatic switchover
○ Warm/cold standby CPU
9.1.4 Redundant controllers shall use a hot-standby (bumpless) architecture in which the standby CPU maintains a synchronized copy of the primary's state and assumes control on a primary fault without a process disturbance.
Maximum switchover time: selectable 10 to 1000 ms (10 / 20 / 50 / 100 / 250 / 500 / 1000 ms); Default: 100 ms
9.1.5 The switchover from primary to standby CPU shall complete within the specified maximum time without loss of I/O state or interruption of control.
NOTE A failover that exceeds the process's tolerance for an uncontrolled interval is no better than no redundancy; the switchover time, not merely the presence of a standby, must meet the loop requirement. (9.1.6)
9.2 Redundant Power and Network
NOTE A redundant CPU protects against CPU failure but not against the loss of a single power supply or a single network path; full availability requires those paths to be redundant as well. (9.2.1)
○ Single power supply (standard for non-redundant controllers)
○ Redundant (1+1) power supplies with diode auto-sharing
9.2.2 Redundant controllers shall be furnished with redundant (1+1) power supplies arranged so that the failure of one supply does not interrupt the controller.
10 Power Supply
10.1 Control Power Source
NOTE The control power source shall be conditioned and backed so that the controller rides through the power disturbances and short outages that are common at plant and remote sites. (10.1.1)
120 VAC from panel control power
24 VDC from panel DC power supply
120 VAC on UPS-backed control power
24 VDC on UPS/battery-backed DC bus
10.1.2 The controller, its I/O field power, and the network devices serving it shall be supplied from an uninterruptible source (UPS or battery-backed DC bus) where the process must continue, or shut down in an orderly and safe manner, through a power interruption.
10.1.3 The power-supply load calculation shall demonstrate at least 25% spare capacity on each supply rail beyond the connected module and field-power load.
NOTE Sizing a control power supply to exactly the present load leaves no margin for the spare I/O the same specification requires to be installed; the supply must carry the spare modules' potential draw. (10.1.4)
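The power-supply load calculation required by 3.1.1 and 10.1.3, worked as an added example that is not part of the specification. The rail names, capacities and per-module current draws are constructed; the spare-slot entry budgets the module expected to fill the slot reserved under 7.5.3.

```python
# Added example (not from the specification): a power-supply load calculation
# that checks the 25 % spare-capacity requirement of clause 10.1.3 on each
# supply rail, counting the potential draw of the spare slot the specification
# requires. Module names, draws and rail capacities are constructed values.
from dataclasses import dataclass

REQUIRED_SPARE_FRACTION = 0.25


@dataclass(frozen=True)
class Module:
    name: str
    qty: int
    draw_ma: dict   # rail name -> current draw in mA for one module


@dataclass(frozen=True)
class Rail:
    name: str
    capacity_ma: float


def rail_loads(modules: list, rails: list) -> dict:
    """Sum connected load per rail; a draw on an undefined rail is a data error."""
    loads = {r.name: 0.0 for r in rails}
    for m in modules:
        for rail, ma in m.draw_ma.items():
            if rail not in loads:
                raise KeyError(f"{m.name} draws from undefined rail {rail!r}")
            loads[rail] += ma * m.qty
    return loads


def minimum_capacity_ma(load_ma: float, spare_fraction: float = REQUIRED_SPARE_FRACTION) -> float:
    """Smallest supply rating that leaves the required spare fraction above the load."""
    return load_ma / (1.0 - spare_fraction)


def check_budget(modules: list, rails: list) -> dict:
    """Per-rail load, spare fraction and pass/fail against the required margin."""
    loads = rail_loads(modules, rails)
    report = {}
    for r in rails:
        load = loads[r.name]
        spare = (r.capacity_ma - load) / r.capacity_ma
        report[r.name] = {
            "load_ma": load,
            "capacity_ma": r.capacity_ma,
            "spare_fraction": spare,
            "min_capacity_ma": minimum_capacity_ma(load),
            "pass": spare >= REQUIRED_SPARE_FRACTION,
        }
    return report


# Constructed sample chassis: a 5 V backplane rail and a 24 VDC field-power rail.
SAMPLE_RAILS = [Rail("5V backplane", 4000.0), Rail("24V field", 6000.0)]
SAMPLE_MODULES = [
    Module("CPU", 1, {"5V backplane": 950}),
    Module("DI 16ch 24VDC", 4, {"5V backplane": 120, "24V field": 112}),
    Module("DO 16ch transistor", 2, {"5V backplane": 150, "24V field": 2000}),
    Module("AI 8ch 16-bit", 2, {"5V backplane": 200, "24V field": 200}),
    Module("AO 4ch", 1, {"5V backplane": 250, "24V field": 100}),
    # Spare slot reserved per 7.5.3: budget the draw of the module likely to fill it.
    Module("spare slot (future AI 8ch)", 1, {"5V backplane": 200, "24V field": 200}),
]

if __name__ == "__main__":
    for rail, r in check_budget(SAMPLE_MODULES, SAMPLE_RAILS).items():
        verdict = "PASS" if r["pass"] else "FAIL"
        print(f"{rail}: {r['load_ma']:.0f}/{r['capacity_ma']:.0f} mA, "
              f"spare {r['spare_fraction']:.1%} ({verdict}); "
              f"minimum rating {r['min_capacity_ma']:.0f} mA")
```

In the constructed sample the backplane rail passes with 35.5 % spare, while the field-power rail fails at 14.2 % and needs a supply of at least 6864 mA.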
11 Time Synchronization
11.1 Time Source
NOTE A common, accurate time base across controllers makes alarm logs, trends, and sequence-of-events records from different controllers correlate to a single timeline. (11.1.1)
NOTE Without synchronization each controller's clock drifts independently, and a multi-controller event sequence cannot be reconstructed because the timestamps do not agree. (11.1.2)
SNTP/NTP from a plant time server (standard)
IEEE 1588 Precision Time Protocol (PTP) — sub-microsecond, SOE applications
GPS-disciplined master clock feeding NTP/PTP
None — standalone controller, local clock only
11.1.3 All controllers shall synchronize to a common plant time source so that timestamps across the system are consistent.
11.1.4 Where sequence-of-events resolution finer than the network time accuracy is required, IEEE 1588 Precision Time Protocol shall be used and the SOE input modules shall be the time-tagging source.
NOTE NTP/SNTP to a plant time server is sufficient for normal alarm and trend correlation; reserve IEEE 1588 for the applications that genuinely need sub-millisecond event ordering, as it adds network and device requirements. (11.1.5)
12 Functional Safety
12.1 Safety Instrumented Systems
NOTE A safety instrumented system (SIS) is an independent layer of sensors, a safety-rated logic solver, and final elements that takes the process to a safe state when a hazardous condition is detected, designed to a target safety integrity level (SIL). (12.1.1)
NOTE Functional safety applies only where a process hazard analysis identifies a hazard that an instrumented protection layer must mitigate — for example, overpressure, runaway chemical reaction, or a digester-gas hazard; routine water/wastewater control rarely requires a SIS. (12.1.2)
NOTE Where a SIS is required it shall be separate and independent from the basic process control PLC, so that a failure of the control system does not also disable the protection. (12.1.3)
○ None — basic process control only (no SIS)
○ SIS required — separate safety-rated logic solver
12.1.4 Where a process hazard analysis establishes the need for a safety instrumented function, the safety logic shall be executed by a controller certified to the required SIL capability per IEC 61508 and applied per IEC 61511 (ANSI/ISA-84.00.01).
Not applicable (no SIS)
SIL 1
SIL 2
SIL 3
12.1.5 The target SIL of each safety instrumented function shall be established by the process hazard analysis and verified by a SIL verification calculation covering the complete function (sensor, logic solver, and final element).
12.1.6 The safety controller shall be configured to drive its outputs to the defined safe state on detection of an internal fault.
12.1.7 Basic control logic should not be commingled into the safety-rated controller beyond what the safety function requires, to preserve the independence and the validated state of the safety logic.
NOTE SIL applies to the entire safety instrumented function, not the logic solver alone; a SIL 2 logic solver does not make a SIL 2 loop if the sensor or final element does not meet the requirement. The end-to-end verification and the validation testing are covered with the rest of the integration work in Control Systems Integration. (12.1.8)
13 Network Interface
13.1 Control Network Connection
EtherNet/IP
Modbus TCP
PROFINET
EtherCAT
OPC UA (to supervisory layer)
13.2 Cybersecurity
NOTE Industrial controllers are network-connected and shall be hardened against unauthorized access, which is an availability and safety concern, not only a data concern. (13.2.1)
13.2.2 The controller and its configuration shall follow the applicable provisions of IEC 62443 for the project's security zone, including disabling unused services and ports, changing default credentials, and controlling programming access.
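A configuration audit covering the three hardening points of 13.2.2, as an added example that is not part of the specification. The record layout, the service names, the programming-access modes and the two sample controllers are assumptions constructed for the example, not a vendor's configuration format.

```python
# Added example (not from the specification): an audit of controller
# configuration records against the three hardening points of clause 13.2.2
# (unused services disabled, default credentials changed, programming access
# controlled). Record layout, service names and access modes are assumptions.
from dataclasses import dataclass, field

ACCEPTED_PROGRAMMING_MODES = ("keyswitch_run", "authenticated")


@dataclass
class ControllerConfig:
    name: str
    zone: str                      # IEC 62443 security zone the controller sits in
    services: dict                 # service name -> enabled?
    required_services: set         # services the application actually uses
    default_credentials: dict      # account -> True if the factory default is still set
    programming_access: str        # "keyswitch_run", "authenticated" or "open"
    programming_allowlist: list = field(default_factory=list)  # engineering stations allowed to download


def audit(cfg: ControllerConfig) -> list:
    """Return one finding per deviation; an empty list means the record passes."""
    findings = []
    # Unused services and ports must be disabled.
    for svc, enabled in sorted(cfg.services.items()):
        if enabled and svc not in cfg.required_services:
            findings.append(f"unused service '{svc}' is enabled")
    # Factory default credentials must be changed.
    for account, is_default in sorted(cfg.default_credentials.items()):
        if is_default:
            findings.append(f"account '{account}' still has the factory default credential")
    # Programming (logic download) access must be controlled.
    if cfg.programming_access not in ACCEPTED_PROGRAMMING_MODES:
        findings.append(f"programming access mode '{cfg.programming_access}' is not controlled")
    if not cfg.programming_allowlist:
        findings.append("no engineering-station allowlist for programming access")
    return findings


def summarize(configs: list) -> dict:
    """Findings per controller, grouped by zone, for the hardening record."""
    report = {}
    for cfg in configs:
        report.setdefault(cfg.zone, {})[cfg.name] = audit(cfg)
    return report


# Constructed sample records: one hardened controller and one as shipped.
SAMPLE_HARDENED = ControllerConfig(
    name="PLC-01", zone="process-control",
    services={"ethernet_ip": True, "web": False, "ftp": False, "telnet": False},
    required_services={"ethernet_ip"},
    default_credentials={"admin": False},
    programming_access="keyswitch_run",
    programming_allowlist=["ENG-WS-01"],
)
SAMPLE_AS_SHIPPED = ControllerConfig(
    name="PLC-02", zone="process-control",
    services={"ethernet_ip": True, "web": True, "ftp": True, "telnet": False},
    required_services={"ethernet_ip"},
    default_credentials={"admin": True},
    programming_access="open",
)

if __name__ == "__main__":
    for zone, by_name in summarize([SAMPLE_HARDENED, SAMPLE_AS_SHIPPED]).items():
        for name, findings in by_name.items():
            print(f"[{zone}] {name}: {'PASS' if not findings else 'FAIL'}")
            for f in findings:
                print(f"    - {f}")
```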
14 Testing
14.1 Factory Acceptance Test
14.1.1 Controller hardware, configuration, and application logic shall be verified in a factory acceptance test (FAT) before shipment, witnessed as required by Control Systems Integration.
☐ Hardware inventory and configuration verification against submittals
☐ Power-up, fault, and diagnostic indication check
☐ I/O point-to-point simulation (each point exercised)
☐ Redundancy switchover test (redundant controllers)
☐ Scan-time measurement against the specified maximum
☐ Control logic functional test against the sequence of operation
☐ Network communication and SCADA tag verification
14.1.2 The FAT shall verify the hardware against the approved submittals, exercise every I/O point by simulation, test the control logic against the sequence of operation, and, for redundant controllers, demonstrate switchover within the specified time.
14.1.3 The measured worst-case scan time shall be recorded and shall not exceed the specified maximum.
14.2 Site Acceptance and Loop Checks
14.2.2 Redundancy switchover shall be re-demonstrated on the installed system, and the safe-state behavior on loss of communication and on power loss shall be verified.
14.2.3 Where a SIS is provided, the safety instrumented functions shall be validation-tested end to end against the safety requirements specification before the process is placed in service.
15 Installation
15.1 Mounting and Environment
15.1.1 Controllers and I/O shall be mounted in the housing panel per Industrial Control Panels, with the manufacturer's required clearance for cooling and module removal maintained.
15.1.2 Module orientation and spacing shall follow the manufacturer's thermal-derating instructions, because crowded or wrongly oriented modules overheat and lose rated capacity.
15.1.3 Controllers shall not be mounted where they are exposed to direct conduit-entry water, condensation drip, or the heat of adjacent power equipment.
15.2 Wiring and Grounding
15.2.3 Shields shall be grounded at a single point to prevent a shield ground loop that injects noise into analog signals.
15.3 Configuration and Program Loading
15.3.1 The as-commissioned application program and the configuration of every module and network device shall be loaded, verified, and backed up to durable media before the system is placed in service.
15.3.2 The controller firmware versions shall be recorded and shall match the versions tested in the FAT.
16 Delivery, Storage, and Handling
16.1 Controllers and modules shall be delivered in the manufacturer's antistatic packaging and shall be handled with electrostatic-discharge precautions.
16.2 Equipment shall be stored indoors within the manufacturer's storage temperature and humidity limits and protected from construction dust and moisture.
16.3 Modules shall remain in antistatic packaging until installed, and unused chassis slots shall be fitted with filler covers.
16.4 Equipment exposed to conditions outside the storage limits, to liquid water, or to construction debris shall not be installed without the manufacturer's inspection and acceptance.
17 Warranty
17.1 Warranty Terms
1 year from substantial completion
2 years from substantial completion
3 years from substantial completion
17.1.1 The manufacturer shall warrant the controller hardware against defects in materials and workmanship for a minimum of one year from substantial completion.
17.1.2 The Contractor shall warrant the application program and configuration against defects for the same period and shall correct logic and configuration defects identified during the warranty period.
18 Spare Parts
18.1 Spare Parts Package
NOTE Industrial controllers are field-repaired by module replacement; stocking the high-failure-rate and long-lead modules on site is what keeps a single module failure from becoming an extended outage. (18.1.1)
18.1.2 The Contractor shall furnish the manufacturer's recommended spare parts for the controller as installed.
- One spare module of each I/O type used, of the highest channel-count variant installed
- One spare power supply of each type installed
- One spare CPU for any non-redundant controller serving a critical process
- One spare communication or specialty module of each type installed
- Field-replaceable fuses and terminal-block components used in the I/O wiring
☐ One spare module of each I/O type installed
☐ One spare power supply of each type installed
☐ One spare CPU (critical non-redundant controllers)
☐ One spare communication/specialty module of each type
☐ Field-replaceable fuses and terminal-block components
18.1.3 Where multiple identical controllers are installed, common spare modules shall be stocked once for the plant rather than per controller.
18.1.4 The spare-parts list with manufacturer part numbers shall be included in the closeout documentation.