
Page 1: Safety Manager R151 Specification and Technical … Infi90 Documentation...01/2013 FS75-15x Safety Manager R151 specifications and Technical Data Page 5 Introduction Safety Manager

© 2013 – Honeywell International Inc.

Safety Manager R151 Specification and Technical Data

FS75-15x

01/2013

Page 2

FS75-15x 01/2013 Page 2 Safety Manager R151 Specifications and Technical Data

Copyright, Notices and Trademarks

© 2013 – Honeywell International Inc.

All rights reserved While this information is presented in good faith and believed to be accurate, Honeywell Safety Management Systems disclaims the implied warranties of merchantability and fitness for a particular purpose and makes no express warranties except as may be stated in its written agreement with and for its customer. In no event is Honeywell Safety Management Systems liable to anyone for any indirect, special or consequential damages. The information and specifications in this document are subject to change without notice. Experion, TotalPlant, TDC 3000 and Universal Control Network are U.S. registered trademarks of Honeywell Inc. PlantScape is a trademark of Honeywell International Inc. FSC and QMR are trademarks of Honeywell Safety Management Systems. Other brands or product names are trademarks of their respective holders. No part of this document or the information contained in it may be copied, reproduced, conveyed or transmitted in any form or by any means (including verbally or in written, electronic or mechanical form), without the written permission of Honeywell. This document and the information contained in it may be used solely by the recipient to whom it is conveyed by Honeywell for the purpose of evaluating a transaction(s) with Honeywell.

Page 3

Table of Contents

Introduction .... 5
  Improves business results .... 5
  Built on QMR Technology .... 5
  Benefits .... 6
  Compliance to Safety Standards .... 7
  Engineering Environment .... 8
  Process Availability .... 9
  Operation and Maintenance Performance .... 9
  System Reliability and Robustness .... 9
Safety Solutions .... 10
  Emergency Shutdown Solutions .... 10
  Burner Management Solutions .... 11
  Fire and Gas Safety Solutions .... 12
Functional Description .... 13
  Basic Architecture .... 13
  Safety vs. Availability .... 14
  Redundancy and Availability .... 15
  IO configurations .... 16
  Fault Detection and Response .... 17
  Principle of Fault Detection .... 18
  Principle of Fault Response .... 18
  Safety Manager Architectures and Availability .... 21
  Safety Manager Communication Protocols .... 23
  Human Machine Interfaces .... 24
System Features .... 29
  Safety Manager Configurations .... 29
  Safety Manager Architectures .... 30
  Network Architectures .... 38
  Safety Manager SafeNet .... 41
  Safety Manager SafeNet Topologies .... 43
  Safety Manager distributed and remote solutions .... 44
  Safety Manager Integration into Experion PKS .... 46
  Safety Builder .... 47
  Functional Logic Diagrams (FLDs) .... 48
  Multi User: Concurrent use of Safety Builder .... 51
  Safety Manager Simulation mode .... 54
  Safety Manager Diagnostics .... 56
  On-Line Modification .... 56
  Power System .... 56
  Write Protection (Firewall) .... 57
  IO Signal Forcing .... 57
  Experion PKS Integration .... 58
  Communication with Basic Process Computer Systems .... 63
  Field Device Manager (FDM) integration .... 64
Safety Manager Physical Characteristics .... 68
  Safety Manager Controller components .... 69
  Controller chassis .... 69
  Control Processor .... 69
  Battery & Key switch Module (BKM) .... 71
  SM IO components .... 71
  Field Interface .... 76
  Safety Manager Universal Safety IO .... 78
  Safety Manager Universal Safety IO components .... 82
  Safety Manager Universal Safety IO special features .... 85
  Safety Manager Universal Safety IO Field Terminal Assemblies .... 86
  Standard Safety Manager Universal Safety IO Solutions .... 87
Safety Services .... 92
  System Services .... 92
  Training .... 92
  Safety Consultancy .... 93
Standards Compliance .... 94
Specifications .... 95

Page 4

Model Numbers .... 97

Page 5

Introduction

Safety Manager is a highly reliable, high-integrity safety system for safety-critical control applications. As part of Honeywell's Experion Process Knowledge System (PKS), integrated or in stand-alone applications, Safety Manager forms the basis for functional safety, providing protection of persons, plant equipment, and the environment, combined with optimum availability for continuous plant operation. Safety Manager offers safety, reliability and efficiency from its foundations. Safety Manager is a user-programmable, modular, microprocessor-based safety system, which can perform a wide range of critical process control and safety instrumented functions, including:

- High-integrity process control
- Burner/boiler management systems
- Process safeguarding and emergency shutdown
- Turbine and compressor control and safeguarding
- Fire and gas detection systems
- Pipeline monitoring

Improves business results

Safety Manager is the natural evolution of the proven Fail Safe Controller (FSC®) safety system platform, in use for over 20 years. It embeds proven technology with two decades of Honeywell process safety management expertise in integrating process safety data, applications, system diagnostics and critical control strategies. Safety Manager is designed to improve a company’s business results by fundamentally enhancing process safety and protecting plant assets and people. Through tight integration with Experion PKS, safety systems are unified into one single safety system architecture, assuring a unique opportunity to improve the safety, reliability and efficiency of processes. Experion PKS provides unprecedented connectivity through all levels of process and business operations and optimizes work processes, improves routine maintenance efficiencies, enhances safety management, and releases personnel from manual processes.

Built on QMR Technology

Safety Manager is based on the unique and field proven Quadruple Modular Redundant (QMR) diagnostic based technology with a 2oo4D architecture. QMR enhances system flexibility, increases diagnostic messaging capabilities and improves system fault tolerance for critical applications. It enables the handling of multiple system faults within Safety Manager, matching the needs of critical control applications.

Page 6

Additionally, Safety Manager provides the basis for integrating SIL rated sensors and valve actuators, ensuring that your safety instrumented functions are well in place to protect complex and hazardous processes. Whether it is integrating Safety Integrity Level (SIL) rated transmitters or safety valve positioners for improved safety and field asset management, Safety Manager is the ideal enabler for your Safety Instrumented Systems (SIS).

Benefits

Safety Manager delivers the following benefits:

- Engineering and design efficiency: designing safety networks has never been easier.
- Safety Inside: the safety function of Safety Manager is embedded into the Safety Manager system design. Unlike other systems, there is no need to "program" safety into Safety Manager.
- Robustness: several improvements further increase the robustness of Safety Manager, among others native redundant Analog Output support, "hot" back-up of applications, a self-learning principle, improved output failure handling and fault configuration per point.
- Unique system reliability and robustness: through the rigorous Design for Six Sigma (DFSS) process and the IEC 61508 development criteria.
- Unique process availability: the proven-in-use QMR technology allows uninterrupted process operation in case of any system degradation.
- Highest level of operation and maintenance performance: through unification of critical process data and information with the process control information, allowing single-window access for operation and maintenance.
- Investment protection: Safety Manager allows and supports migration to the latest safety technology. Applications from any release can be migrated to the latest release without affecting the process.
- Compliance to safety standards: with SIL1, SIL2 and SIL3 compliant tools, hardware and software, Safety Manager provides excellent protection for safety applications across multiple industries throughout the lifetime of an installation.
- Operational integration of process safety and process control without jeopardizing the segregation requirements defined in IEC 61508 / IEC 61511. One window for both safety and control supports alarms and events, notifications and detailed diagnostics, reducing operational cost over the lifetime of the solution. Seamless integration into the overall Experion topology allows integrated data exchange, peer-to-peer communication with Experion process controllers and Console Station support. Robust communication features such as SafeNet, a SIL4 approved communication protocol, distribute safety from a small off-shore rig to an integrated LNG facility.
- Safety Manager Universal Safety IO enables maximum architectural flexibility. Each channel can be configured individually to a different IO type. This enables soft marshalling and eliminates the need for marshalling panels, junction boxes and home-run cables. Universal Safety IO is also an ideal fit for remote solutions under harsh conditions.
- Safety Manager Universal Safety Logic Solver, a SIL1, SIL2 and SIL3 IO module containing 32 Universal Safety IO channels with Logic Solver capability, delivering localized safeguarding with maximum flexibility and increased availability, fully integrated in Safety Manager.

Page 7

- Safety Manager Universal Safety IO HART pass-through: high-performance HART communication directly from the HART device through the standard system network infrastructure into Honeywell's Field Device Manager (FDM), without the need for any additional infrastructure, engineering or application configuration.
- 4-step TÜV approved on-line modification capabilities.

Compliance to Safety Standards

A major requirement for compliance with IEC 61508 / IEC 61511 is the availability of a change history of applications. Honeywell's Safety Builder includes a tool, Safety Audit Tracker, that provides an automatically enabled audit trail: it tracks the changes performed on an application without difficult procedures or extensive manual logging. The Safety Audit Tracker, together with the integrated application validation features, is what is needed to maintain safety throughout the safety lifecycle, including application modifications.

Safety Manager complies with the following international standards:

- For BMS: NFPA 85, 86, 87; VDE 0116
- For ESD: IEC 61508, IEC 61511, ISA S84.01, DIN V 19250, UL, FM, ATEX
- For F&G: EN 54-2, NFPA 72, FM 3010, Lloyd's Register

With SIL1, SIL2 and SIL3 certified hardware and software safety compliance tools, Honeywell's Safety Manager provides excellent protection for safety applications across all industries throughout the lifetime of an installation. As part of the Experion topology, Safety Manager provides the basis for critical control and safety unification, reducing risks and installed costs, and improving plant safety. The latest information about Safety Manager can be found via the TÜV website: http://www.tuv-fs.com/plchoney.htm

Safety Manager also complies with the globally recognized ISASecure EDSA (Embedded Device Security Assurance) cyber security standard. ISASecure uses the ISA99 framework and is modeled after the IEC 61508 safety standard. EDSA is a device-level certification: the segregation between safety and control that IEC 61508 / IEC 61511 require still has to be engineered in the deployment. More information can be found via the ISASecure website: http://www.isasecure.org/

Page 8

Engineering Environment

The Safety Builder improves engineering and design efficiency. With the self-explanatory Network Configurator, designing safety networks has never been easier. With simple drag-and-drop functionality, a complete network can be designed within minutes. Network configuration details are handled by Safety Builder in the background, which saves valuable engineering and testing time. Moreover, the complete network design is available in a one-page view, no longer requiring additional documentation and programming.

The proven Functional Logic Diagram (FLD) Editor facilitates fast and effective application design, allowing clear and distinct views of all logic, in full compliance with the IEC 61131 standards. Logic inputs, outputs and symbols are placed with drag-and-drop functionality from the toolbar and are easily configurable.

Dedicated features make the life of a project engineer (in particular when engineering bigger projects) easier. These include:

- Copy application from another plant, including all physical and logical connections
- Bulk copy of points
- Bulk rename of points
- Bulk copy of FLDs
- Multiple users using one Safety Manager database
- Multiple users connecting to one Safety Manager controller
- Multi-site support to allow for distributed logic development

Additional features improve the safety, availability and efficiency of the process during the overall lifecycle. These include:

- An easy to configure and manage SafeNet peer-to-peer communication configuration methodology, providing safe, secure and reliable networking capabilities for Safety Manager.
- Extended operational integration into Experion using the CDA (Control Data Access) protocol. This protocol allows for a seamless peer-to-peer (PtP) integration and is also used by the C300 process controller. This guarantees a safe and cost-effective integrated solution over the lifetime of the system.
- Operational integration into FDM (Field Device Manager), enabling cost-effective maintenance capabilities for field equipment.

Support for Universal Safety IO and the Universal Safety Logic Solver will provide flexible architectures for both centralized and remote safety solutions; the physical IO location is transparent from an application point of view. While designing the safety application there is no difference between the use of chassis IO, Universal Safety IO or the Universal Safety Logic Solver, so an application can easily span multiple Universal and chassis IO locations.

Page 9

Process Availability

Safety Manager uses the proven-in-use QMR technology, which allows unlimited run time even in single-channel operation. This increases process availability, allowing uninterrupted process operation in case of any system degradation. On-line system modification procedures have been redesigned and simplified: a 4-step modification wizard allows an easy upgrade of both the application and the embedded system during plant start-up or throughout the lifetime of the process.

Operation and Maintenance Performance

Safety Manager unifies critical process data and information with the process control information, allowing single-window access for operation and maintenance. When connected to the Experion Fault Tolerant Ethernet (FTE) network via the TÜV SIL4 approved SafeNet communication protocol, multiple Safety Managers are unified into a single safety system architecture. Extensive use of Ethernet technology enables fast, safe and reliable data exchange with Experion, enhancing operator and maintenance performance. Additionally, with its inherent extensive system self-testing and diagnostic capability, Safety Manager extends the system proof test interval, reducing operational and maintenance costs.

System Reliability and Robustness

Safety Manager deploys a 1oo2D configuration, providing SIL3 compliance even in a non-redundant configuration. Safety Manager provides maximum system availability and process uptime by adding full redundancy (QMR, 2oo4D) at the control processor, communication, power distribution and IO level. Optionally, Safety Manager A.R.T. (Advanced Redundancy Technique) provides additional processing paths between the control processor and IO modules, making the IO communication multi-fault tolerant. This makes it an ideal solution for deployment in unmanned locations, or locations where the right maintenance skills are not available in a timely fashion. Software design robustness is achieved through the rigorous Design for Six Sigma (DFSS) process and the IEC 61508 development criteria. When it comes to safety, there is absolutely no compromise in Safety Manager. In addition, extensive design enhancement and simplification of the Safety Manager Controller hardware architecture reduce controller complexity and promote ease of use, system reliability and safety. Hardware robustness is enhanced through packaging using metallic enclosures for both the controller and the safety input/outputs, which improves EMC performance. Additionally, with integrated 24 Vdc and 5 Vdc power supplies and plug-and-play cabling, adding either IO modules or IO chassis saves valuable on-site time and reduces the risks and costs of installation. System availability surpasses 99.99% and meets the stringent SIL3 safety integrity required in critical processes.
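The 1oo2D and 2oo4D voting mentioned here and under Built on QMR Technology can be made concrete with a small model. The following is an added illustrative example written for this page, not Honeywell's QMR code: the names (Channel, vote, degradation_sequence, with_fault) and the degradation rule (the number of trip votes required shrinks to the number of healthy channels, and zero healthy channels fails safe) are assumptions of the model, not published Safety Manager behaviour. It shows what the "D" buys: a channel that has diagnosed itself faulty is dropped from the vote instead of being allowed to trip or hold the output, so a four-channel system keeps running down to a single channel, while an undiagnosed dangerous fault in one channel is outvoted by the others.

```python
"""Diagnostic-based voting model for 1oo2D / 2oo4D style logic solvers.

Constructed teaching model, not Honeywell's QMR implementation. The
degradation rule (required trip votes = min(configured, healthy channels),
no healthy channel left = fail safe) is an assumption of this model.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Tuple


class Output(Enum):
    ENERGIZED = "energized"        # final element held in the running state
    DE_ENERGIZED = "de-energized"  # safe state: de-energize-to-trip


@dataclass(frozen=True)
class Channel:
    name: str
    healthy: bool      # verdict of the channel's own self-diagnostics (the "D")
    demand_trip: bool  # what this channel's copy of the safety logic concluded


def vote(channels: List[Channel], trip_votes_required: int) -> Tuple[Output, List[str]]:
    """Vote the output of a redundant logic solver.

    trip_votes_required=1 is safety-biased (1ooN: any healthy channel can trip);
    trip_votes_required=2 is availability-biased (2ooN: one spurious channel is
    masked). Channels that diagnosed themselves faulty are removed from the
    vote; with no healthy channel left the output fails safe.
    Returns the output and the names of the channels still voting.
    """
    active = [c for c in channels if c.healthy]
    if not active:
        return Output.DE_ENERGIZED, []
    # Degrade the vote to what the surviving channels can still provide.
    needed = min(trip_votes_required, len(active))
    trip_votes = sum(1 for c in active if c.demand_trip)
    out = Output.DE_ENERGIZED if trip_votes >= needed else Output.ENERGIZED
    return out, [c.name for c in active]


def degradation_sequence(channels: List[Channel], failures: List[str],
                         trip_votes_required: int) -> List[Tuple[str, Output, int]]:
    """Diagnose channels faulty one at a time, in the order given, and record
    (failed channel, output, channels still voting) after each step."""
    history = []
    current = list(channels)
    for name in failures:
        current = [replace(c, healthy=False) if c.name == name else c for c in current]
        out, active = vote(current, trip_votes_required)
        history.append((name, out, len(active)))
    return history


def with_fault(channels: List[Channel], name: str, *,
               healthy: Optional[bool] = None,
               demand_trip: Optional[bool] = None) -> List[Channel]:
    """Copy of `channels` with one channel's diagnostic verdict and/or logic
    result overridden; used to inject spurious and dangerous faults."""
    changes = {k: v for k, v in (("healthy", healthy), ("demand_trip", demand_trip))
               if v is not None}
    return [replace(c, **changes) if c.name == name else c for c in channels]


# Constructed sample: four channels (QMR-style), all healthy, no process demand.
QMR = [Channel(n, healthy=True, demand_trip=False) for n in "ABCD"]
# Constructed sample: a non-redundant 1oo2D controller, two channels.
PAIR = QMR[:2]

if __name__ == "__main__":
    print("2oo4D, one spurious trip vote:",
          vote(with_fault(QMR, "A", demand_trip=True), 2)[0].value)
    print("1oo2D, one spurious trip vote:",
          vote(with_fault(PAIR, "A", demand_trip=True), 1)[0].value)
    for failed, out, left in degradation_sequence(QMR, ["A", "B", "C", "D"], 2):
        print(f"after channel {failed} diagnosed faulty: {out.value} ({left} channel(s) voting)")
```

Running the block prints the two outcomes of a single spurious trip vote: with `trip_votes_required=1` one wrong channel trips the process (safety-biased), with `2` it is masked (availability-biased), and the degradation run keeps the output energized through three diagnosed channel failures before the last one fails safe. That is the safety-versus-availability trade-off in miniature.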

Page 10

Safety Solutions

Government regulatory agencies, as well as insurance companies, place the highest demands on the safety of company personnel, communities, and the environment. Consequently, they require companies to perform process hazard analyses to determine the measures necessary for maximum safety. Safety Manager embeds proven technology with over two decades of Honeywell Process Safety Management expertise in integrating process safety data, applications, system diagnostics and critical control strategies, aligning with your goals for increased safety, reliability and maximum operability. It provides the ultimate evolutionary safety solution for critical safety control, flexibility and reliability for your processes. Safety Manager is the ideal choice for applications in a wide range of industries, including refining, petrochemicals, bulk and fine chemicals, oil and gas, and energy production. Safety Manager can be used for a broad field of safety applications, such as:

- High-integrity process control
- Burner/boiler management systems
- Process safeguarding and emergency shutdown
- Turbine and compressor safeguarding
- Fire and gas detection systems
- Pipeline monitoring

Being IEC 61508 and IEC 61511 certified, Honeywell safety products and their project execution guarantee optimum safety and availability over the lifetime of the solution.

Emergency Shutdown Solutions

Safety Manager Emergency Shutdown Solutions (ESD) are found in a wide variety of industries protecting personnel, equipment, and the environment. An Emergency Shutdown System represents a layer of protection that mitigates and prevents a hazardous situation from occurring Safety is of primary concern, it is also important to have an Emergency Shutdown system designed for availability. The economic impact of a spurious or nuisance trip of an ESD system can be disastrous. Therefore an ESD system must be extremely reliable and function on demand. During an emergency, it must shutdown the process in a safe and orderly fashion. Internationally recognized standards such as IEC61508 and ANSI/ISA S84.01 serve as guidelines to insure a proper safety solution (Field Instruments, Safety Logic Solver and Final Elements) is in place to mitigate or avoid hazardous situations. Safety Manager Emergency Shutdown Solutions are designed to minimize the consequences of emergency situations, typically related to uncontrolled flooding,

Page 11: Safety Manager R151 Specification and Technical … Infi90 Documentation...01/2013 FS75-15x Safety Manager R151 specifications and Technical Data Page 5 Introduction Safety Manager

01/2013 FS75-15x Safety Manager R151 specifications and Technical Data Page 11

escape of hydrocarbons, or outbreak of fire in hydrocarbon carrying areas or areas which may otherwise be hazardous. Typically the Emergency Shutdown System will be configured with customer-defined actions with either partial or total plant shutdown procedures. For example:

- Shutdown transport of flammable fluids/gases
- Vent to flare waste gases due to process halt
- Depressurize the process
- Perform electrical isolation
- Start emergency generators or power supplies
- Halt turbines or rotating machinery due to a vibration, high bearing temperature, or lubrication failure
- Start backup pumps or other auxiliary safety equipment
- Isolate hydrocarbon inventories
- Prevent escalation of events

Burner Management Solutions

Honeywell Safety Manager applied to Power Boiler and Recovery Boiler Burner Management applications can improve plant uptime, reduce ownership costs and ensure regulatory compliance compared to relay or general purpose Programmable Logic Controller (PLC) based applications. The usage of Honeywell Safety Manager also improves personnel safety by removing the need to access old relay boxes located in high temperature areas of the boiler.

A burner management system (BMS) is responsible for the safe start-up, operation and shutdown of a boiler. It monitors and controls igniters and main burners; utilizes flame scanners to detect and discriminate between the igniter and main flames; employs safety shut-off valves, pressure, temperature, flow and valve position limit switches; and uses blowers to cool the scanners and/or provide combustion air for the igniters. Its proper operation is crucial to the safety of a boiler.

A BMS is an integral part of the Experion® Process Knowledge System (PKS), offering a single source operator interface. The system can expand to include engineering, controller and “burner front” products and services which, when combined, form a superior BMS solution. A typical solution may also provide protection for the boiler water circulation pump, replace the master fuel trip (MFT) relay, and link the burner management system of the auxiliary boiler to the main burner management system. Honeywell Safety Manager provides SIL1, SIL2 and SIL3 TÜV-approved Burner Management System solutions that cover requirements according to the National Fire Protection Association (NFPA) 85, 86 and 87 standards and European EN 50156-1.


Fire and Gas Safety Solutions

Safety Manager provides an approved Fire and Gas Safety Solution that covers Safety Instrumented System requirements as part of the mitigation safety layer described in the IEC 61508, IEC 61511 and ANSI/ISA S84.01 standards. The Safety Manager Fire and Gas safety system is designed to detect hazards like fires or gas leakages in a fast and accurate way, connecting to a wide range of fire and gas detector devices. Safety Manager is the process industries’ first safety instrumented system to receive National Fire Protection Association (NFPA) 72 Standard for Fire Protection and FM 3010 certification from a United States certifying body. With the certification from Factory Mutual (FM), Safety Manager can be used for applications where local authorities, governments and customers require a U.S.-certified NFPA 72 or FM 3010 certificate. Safety Manager also attained NFPA 72 certification through Germany-based TÜV. The NFPA 72 certification is needed for industries regulated for fire and gas requirements such as refining, oil and gas and power generation.

Safety Manager supports standard connection of fire & gas detector and notification devices of most major field device suppliers. The supported connections are proven in use and/or are fully tested as part of Honeywell’s MVIP (Multiple Vendor Interface Program) test program. For signal handling of these connected F&G devices inside Safety Manager, special standardized function blocks have been developed to create an optimum response from these devices, and special interfaces have been developed for connecting the devices to achieve the optimum connection. The Safety Manager Fire and Gas manual describes an approved basic Fire and Gas Safety application. This application provides a Fire and Gas Safety Solution that can easily be integrated into Honeywell’s Experion PKS. The basic application can be developed and adjusted easily to design a project specific Fire and Gas Safety Solution. The integrated layer of the fire and gas solution within Experion contains the integrated alarm listing and Safety Historian functionality that records all detected alarms, all actions initiated by the Fire and Gas Safety system and all actions executed by this system or connected integrated sub-systems. This layer also shows the actual situation of the fire and gas application by using overall plant displays and various detailed area displays that contain locations and actual status of all connected fire and gas field detectors.


Functional Description

Basic Architecture

Three major system components can be distinguished: the Safety Manager Controller, Safety Manager Chassis IO and Safety Manager Universal Safety IO. Figure 1 shows the basic components of Safety Manager.

Figure 1 — Safety Manager basic components

Safety Manager Controller

The Safety Manager Controller runs and controls the Safety Manager application logic, communicates to other systems, performs diagnostics on safety-critical functions and responds to detected faults while maintaining safety. A Safety Manager Controller consists of a Control Processor, a Controller Chassis, a Battery and Keyswitch Module (BKM) and a Control Processor Backplane (CPB), which includes a redundant system bus.

Control Processor

A Control Processor consists of core components such as a Quad Processor Pack (QPP), communication modules (COM) and a Power Supply unit (PSU). For more information, see “SM Controller components”.

Input/Output

Input/output modules connect the SM Controller to the sensors and actuators in the field. The variety of chassis IO modules includes safe modules, analog and digital, redundant and non-redundant, and different voltages. For more information, see “SM IO components”. The optional support of the Universal Safety IO provides a flexible architecture for both centralized and remote safety solutions.


IO Bus

The IO bus is the interface that transports field data and diagnostic data between the IO and the controller. For more information, see “SM IO components”.

SM RIO Link

Universal Safety IO modules interface to the SM controller via the SIL3 certified SM RIO Link communication protocol.

Safety vs. Availability

Safety and availability do not easily coexist in the process industry. Safety means “freedom from unacceptable risk”. To achieve safety it is mandatory to keep the process away from its production limits.

Availability is usually translated into productivity. To achieve optimum productivity, one must operate a process as close as possible to its production limits. In a SIS, safety prevails over availability, meaning that when a SIS has to choose between safety and availability, safety is chosen.

Safety

The basic design of Safety Manager allows the system to comply with SIL1, SIL2 or SIL3, regardless of the system architecture chosen; even the most basic architecture (single controller, single IO) is certified for use in SIL3 applications. SIL3 is the highest level of safety required for most process industries.

Availability

Safety Manager is highly available due to the system’s ability and flexibility to:

- locate faults accurately, and isolate faulty parts from the process whenever possible to continue a safe operating state with minimum effect on the remaining process parts. The fault location algorithm also reduces repair time and possible down time to an absolute minimum.
- repair on-line, such as on-line exchange of communication modules and all redundant components.
- automatically upload the required software into replaced modules while on-line. All software is uploaded into both QPP modules of a redundant system, allowing for a complete system restore point even when all modules are removed. There is no need to configure or program replacement modules: just insert them and they automatically get the correct system and application software. This self-educating principle is also applicable when on-line changes are carried out.
- exchange all modules without degrading the system. One can replace all faulty modules (including all output modules) without a stop of a Control Processor. This further improves the availability.
- implement analog output modules in any configuration: non-redundant, dual redundant and in mixed arrangements.
- guarantee, when using the Universal Safety Logic Solver, maximum availability of the local safety solution, even when the connection to Safety Manager is lost or the complete Safety Manager system is in shutdown.


Redundancy and Availability

Availability can be further increased by implementing redundancy in the architecture. Depending on the level of redundancy one refers to “increased availability” or “optimal availability”.

Fault tolerance

With redundancy, Safety Manager becomes fault tolerant with respect to availability. This means that any single system fault shall not lead to a nuisance trip. Each new system fault is diagnosed within the DTI (typically 3 seconds) and isolated instantly, allowing for multiple faults in the overall system without affecting plant operation.

Online repair and online modification

Redundancy also allows online repair of redundant components. When replacing Controller and communication modules, these are automatically loaded with the required system and application software. With a redundant Controller you can also perform online upgrades of configuration, application or embedded system software without disturbing the process. Safety Manager’s online modification functionality is TÜV SIL3 approved.

Exchange Output Module

On model level the availability of the output modules type SDO-0824, SAO-0220, SDOL-0424 and SDOL-0448 is optimal. This means that these output modules can be replaced without degrading the system. This applies to both redundant and non-redundant IO configurations.

Architecture and availability levels

Table 1 shows the relation between the redundancy applied within Safety Manager and the level of system availability.

Table 1 Safety Manager Architectures

Controller configuration | IO configuration | Supports SIF | Availability
Redundant A.R.T. (Advanced Redundancy Technique) | Redundant | SIL1, SIL2, SIL3 | Maximized
Redundant A.R.T. | Mixed redundant and non-redundant | SIL1, SIL2, SIL3 | Mixed maximized and increased
Redundant A.R.T. | Non-redundant | SIL1, SIL2, SIL3 | Increased
Redundant | Redundant | SIL1, SIL2, SIL3 | Optimal
Redundant | Mixed redundant and non-redundant | SIL1, SIL2, SIL3 | Mixed optimal and increased
Redundant | Non-redundant | SIL1, SIL2, SIL3 | Increased
Non-redundant | Non-redundant | SIL1, SIL2, SIL3 | Normal


IO configurations

Redundant IO configurations

Redundant IO configurations can be used in Safety Manager with a redundant Controller. In this fully redundant configuration, each Control Processor has its own IO system to which it has exclusive access. Each Control Processor reads its own input interfaces once every program cycle. After input matching, both Control Processors execute the user-defined control program and update their output interfaces according to the results. Before setting the outputs, the Control Processors compare the calculated output results to ensure identical operation. Redundant IO configurations are typically used for safety functions that require optimal availability. All IO configurations are available in non-redundant, redundant and mixed arrangements. Configurations as described above are available for all IO families.

Non-redundant IO configurations

Non-redundant IO configurations can be used in systems with a non-redundant Controller as well as in systems with a redundant Controller. Fully non-redundant systems are typically used for safety applications where redundancy is embedded in the process design, or on less critical processes. In a Safety Manager setup with a redundant Controller and (partly) non-redundant IO, both Control Processors alternately assume responsibility for the non-redundant IO interfaces. This ensures that both Control Processors can always access the IO interfaces correctly. Safety Manager configurations with a redundant Controller and non-redundant IO interfaces are typically used for safety critical applications with increased demands for system availability, for example because of redundancy in plant equipment. The combinations of redundant and non-redundant IO interfaces are extremely powerful. Process safeguarding functions requiring optimal availability are controlled through the redundant IO interfaces, and less demanding safety functions, such as alarming, through the non-redundant IO interfaces. Any fault in the non-redundant IO interfaces will be isolated and not affect other IO sections. Configurations as described above are available for all IO families.


Fault Detection and Response

Concept

The fault detection-and-response technology is just one of the innovative concepts embodied by Safety Manager, allowing it to operate in SIL3 by default. It is important to understand the concepts behind fault detection and response before addressing the actual fault detection and response principles.

Process safety time

Process safety time is defined as the time a process can be left running uncontrolled without losing the ability to regain control.

Diagnostic Test Interval (DTI)

A Diagnostic Test Interval is Safety Manager’s response to Process Safety Time: the DTI is the time period used by Safety Manager to cyclically locate and isolate safety related faults within on-line system components that could otherwise cause a hazardous situation.

Secondary means of de-energization

Figure 2 shows that all safe output modules have a secondary means of de-energization (SMOD), to ensure “single fault tolerance for safety”. With this SMOD any faulty output channel can be isolated from the process. The series connection of a SMOD and the channel output, combined with full functional testing, creates “single fault tolerance for safety”. Software-driven full functional testing is executed by the QPP, and the actual readback status is compared with the expected value. Any discrepancy found results in safety corrective actions, meaning isolation of the fault from the process and notification of the operator, while saving data in the diagnostics file. Within the Chassis IO architecture, the SMOD for output modules is combined in groups of 2 or 4 channels.

Figure 2 — Schematic diagram of the SMOD architecture

Within the Universal Safety IO architecture every channel is equipped with a SMOD, and the software-driven functional testing is executed autonomously. Behavior on detected discrepancies is similar and results in safety corrective actions taken independently from the Safety Manager Controller.
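The readback comparison and the difference in isolation granularity between Chassis IO (SMOD groups of 2 or 4 channels) and Universal Safety IO (one SMOD per channel) can be modelled in a few lines. The following is an added example, not Honeywell code: it assumes boolean channel states (True = energized), treats any mismatch between the expected and readback state as a discrepancy, and, as an assumption beyond the text, treats a channel that still reads back energized after its SMOD isolated it as the critical module fault that de-energizes the whole module.

```python
"""Model of the SMOD readback test on a safe output module (added example, not
Honeywell code).  Assumptions: channel state is a bool (True = energized); any
mismatch between expected and readback state is a discrepancy; chassis IO
isolates the whole SMOD group (2 or 4 channels), Universal Safety IO isolates
the single channel; a channel that still reads back energized although its
SMOD already isolated it is taken as a critical module fault (assumed trigger)
and the whole module is de-energized."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Diagnostic:
    """One record saved in the diagnostics file when a discrepancy is found."""
    module: str
    channel: int
    expected: bool
    readback: bool
    action: str                  # "isolate group", "isolate channel" or "de-energize module"
    affected: Tuple[int, ...]    # channels forced to the de-energized state


@dataclass
class SafeOutputModule:
    name: str
    channels: int
    smod_group: int = 1          # 2 or 4 on chassis IO, 1 on Universal Safety IO
    commanded: List[bool] = field(default_factory=list)
    isolated: Set[int] = field(default_factory=set)
    module_down: bool = False
    diagnostics: List[Diagnostic] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.smod_group not in (1, 2, 4):
            raise ValueError("SMOD group must be 1 (per channel), 2 or 4")
        if self.channels % self.smod_group:
            raise ValueError("channel count must be a multiple of the SMOD group size")
        self.commanded = [False] * self.channels

    def group_of(self, ch: int) -> Tuple[int, ...]:
        """Channels that share one SMOD with channel ch."""
        start = ch - ch % self.smod_group
        return tuple(range(start, start + self.smod_group))

    def set_outputs(self, values: List[bool]) -> None:
        """The application logic writes the requested channel states."""
        if len(values) != self.channels:
            raise ValueError("one value per channel expected")
        self.commanded = list(values)

    def effective_outputs(self) -> List[bool]:
        """States driven to the field: the commanded value unless the SMOD holds
        the channel (or the whole module) de-energized."""
        return [v and ch not in self.isolated and not self.module_down
                for ch, v in enumerate(self.commanded)]

    def functional_test(self, readback: List[bool]) -> List[bool]:
        """One full functional test: compare each channel's readback with the
        value expected at the start of the test and act on every discrepancy."""
        if len(readback) != self.channels:
            raise ValueError("one readback value per channel expected")
        expected = self.effective_outputs()
        was_isolated = set(self.isolated)
        was_down = self.module_down
        for ch, actual in enumerate(readback):
            if actual == expected[ch]:
                continue
            if actual and (ch in was_isolated or was_down):
                # Still energized although the SMOD should hold it off: the
                # secondary means itself is suspect, so de-energize the module.
                self.module_down = True
                action, affected = "de-energize module", tuple(range(self.channels))
            else:
                affected = self.group_of(ch)
                self.isolated.update(affected)
                action = "isolate channel" if self.smod_group == 1 else "isolate group"
            self.diagnostics.append(
                Diagnostic(self.name, ch, expected[ch], actual, action, affected))
        return self.effective_outputs()
```

The module names and channel counts used when calling this are constructed; the real modules listed in this document are not modelled.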


Fault reaction

Fault reaction is the system’s actual response to detected faults. The response can depend on a number of things, such as the severity of the fault, the availability of a redundant component, and the fault reaction setting. See “Principle of fault response”.

Principle of Fault Detection

A SIS operating in “high demand mode of operation” must detect and safely isolate any single fault within the PST.

Fault detection

Fault detection is the first step towards fault response. Faults in Safety Manager are detected in conformance with the Failure Mode and Effect Analysis (FMEA) model, which provides adequate diagnostics on any detected fault. Test algorithms and/or test circuits are embedded in the safety related software and hardware components to allow the detection of these faults. A running Safety Manager Controller continuously performs a series of extensive diagnostic checks on all safety related software and hardware components. This way it will find faults before they can jeopardize the safety of the Process Under Control (PUC) and Equipment Under Control (EUC).

Fault detection cycle

The fault detection and diagnostic checks are executed during a fault detection cycle, which is usually split up over a number of application cycles. A fault detection cycle always lasts less than one DTI. Fault detection within the Universal Safety IO family is executed autonomously and independently from the Safety Manager Controller.

Fault database

Upon detection, a fault is stored in a fault database, where it is further processed by the Safety Manager Controller. Depending on the severity of the fault, the configuration settings, the redundancy in the Controller and other user settings, the Safety Manager Controller decides what action is appropriate. To clear a fault from the fault database, the fault must be resolved and a fault reset must be initiated (e.g. turn and release the Reset key switch on the BKM or initiate a remote reset from the Safety Builder or Experion station).

Principle of Fault Response

Each detected fault is reported by means of a diagnostic message, alarm markers and/or diagnostic markers. If the nature of the fault requires the system to respond, Safety Manager will isolate the faulty component. At the same time, the system acts on the effect of losing the function of that component. That action may be:

- None, a redundant component can cover for the lost function.
- None, losing the function has no impact on safety.
- Apply the fault reaction state to the affected IO.
- Apply the fault reaction state to all channels of the affected IO module.
- Start the repair timer.
- Halt the affected Control Processor.
- De-energize all non-redundant outputs via the watchdog.
- De-energize all outputs of the affected Control Processor via the watchdog.

These are explained below in more detail.

Redundancy

When available, the redundant component in the system will continue to perform the safeguarding function. This means that, when redundancy is provided, the system remains available for the process.

No impact on safety

The following examples show a number of faults that have no impact on safety:

- Fault detected on non-safety modules
- Loss of communication with a process control system such as Experion
- Failure of the Controller back-up battery
- Loop faults

When such faults occur, the system will report the anomaly but take no action by itself. However, the system can be programmed to initiate action if needed.

Fault reaction state

If Safety Manager detects a fault related to the IO, this may result in the IO going to the configured fault reaction state. The fault reaction state is a state used as response to faults arising related to IO. The fault reaction state is user configurable per point. The following fault reaction states exist:

- ‘High’ is a fault reaction state for digital inputs: upon a detected fault the input is energized, or, in other words, the input goes high or becomes ‘1’.
- ‘Low’ is a fault reaction state for digital inputs and digital outputs: upon a detected fault the digital input or output is de-energized, or, in other words, the digital input or output goes low or becomes ‘0’.
- ‘Top Scale’ is a fault reaction state for analog inputs: upon a detected fault the input is set to the top scale of the range.
- ‘Bottom Scale’ is a fault reaction state for analog inputs: upon a detected fault the analog input is set to the bottom scale of the range.
- ‘Scan’ is a fault reaction state for tested (analog or digital) inputs and (non-)tested digital outputs: upon a detected fault the input or output continues to carry the processing value, even if this value is not correct.
- ‘Hold’ is a fault reaction state for analog and digital inputs: upon a detected fault the input freezes to the last known good value.
- ‘0 mA’ is a fault reaction state for analog outputs: upon a detected fault the analog output is de-energized.
- ‘Appl’ is a fault reaction state for analog outputs: upon a detected fault the analog output continues to carry the processing value.
- ‘Fixed value’ is a fault reaction state for inputs located on a communication channel: upon a detected fault the input is preset to a predefined value (not necessarily the startup value).


Table 2 shows the settings applicable to fault reaction for hardware IO.

Table 2 — Fault Reaction settings for hardware IO

Signal type | Fault Reaction settings
Digital Inputs, Tested | High/Low/Scan/Hold
Safe Digital Inputs with Line Monitoring | High/Low/Scan/Hold
Digital Outputs, Tested | Low/Appl
Digital Outputs, Not Tested | Appl
Tested Digital Outputs with Line Monitoring | Low/Appl
Tested Analog Inputs | Top Scale/Bottom Scale/Scan/Hold
Analog Outputs*, Tested | 0 mA/Appl
Analog Outputs*, Not Tested | Appl

Table 3 shows the settings applicable to fault reaction for communication IO.

Table 3 — Fault reaction settings for communication IO

Signal type | Fault Reaction settings
Digital Points (DI) | High/Low/Freeze
Numeric Points (BI) | Fixed value/Freeze
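The fault reaction states described above and the allowed settings of Tables 2 and 3 can be exercised with the following added example, which is not Honeywell or Safety Builder code. It validates a point's configured fault reaction against the tables at configuration time and then evaluates the point over a sequence of cycles with and without a detected fault; it assumes that ‘Freeze’ behaves like ‘Hold’ (the text does not define it), that a Hold/Freeze point faulting before any good value was seen yields None, and the point tags are constructed.

```python
"""Fault reaction state evaluator for Safety Manager IO points (added example,
not Honeywell or Safety Builder code).  ALLOWED mirrors Tables 2 and 3 of the
document.  Assumptions: 'Freeze' behaves like 'Hold' (not defined in the text),
and a Hold/Freeze point that faults before any good value was seen yields None."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Value = Union[int, float, None]

# Table 2 (hardware IO) and Table 3 (communication IO): allowed settings per signal type.
ALLOWED = {
    "DI tested": {"High", "Low", "Scan", "Hold"},
    "DI safe with line monitoring": {"High", "Low", "Scan", "Hold"},
    "DO tested": {"Low", "Appl"},
    "DO not tested": {"Appl"},
    "DO tested with line monitoring": {"Low", "Appl"},
    "AI tested": {"Top Scale", "Bottom Scale", "Scan", "Hold"},
    "AO tested": {"0 mA", "Appl"},
    "AO not tested": {"Appl"},
    "COM DI": {"High", "Low", "Freeze"},
    "COM BI": {"Fixed value", "Freeze"},
}


def is_allowed(signal_type: str, fault_reaction: str) -> bool:
    """True when Tables 2/3 permit this fault reaction for the signal type."""
    return fault_reaction in ALLOWED.get(signal_type, set())


@dataclass
class Point:
    tag: str                      # constructed tag name, e.g. "PT-100"
    signal_type: str
    fault_reaction: str
    range_low: float = 0.0        # bottom scale (analog inputs)
    range_high: float = 100.0     # top scale (analog inputs)
    fixed_value: Value = None     # preset for 'Fixed value' (communication inputs)
    last_good: Value = None       # last known good value, kept for Hold/Freeze

    def __post_init__(self) -> None:
        """Reject settings that Tables 2 and 3 do not allow for the signal type."""
        if self.signal_type not in ALLOWED:
            raise ValueError(f"{self.tag}: unknown signal type {self.signal_type!r}")
        if not is_allowed(self.signal_type, self.fault_reaction):
            raise ValueError(
                f"{self.tag}: {self.fault_reaction!r} is not a valid fault reaction for "
                f"{self.signal_type}; allowed: {sorted(ALLOWED[self.signal_type])}")
        if self.fault_reaction == "Fixed value" and self.fixed_value is None:
            raise ValueError(f"{self.tag}: 'Fixed value' needs a preset value")


def evaluate(point: Point, process_value: Value, faulted: bool) -> Value:
    """Value the point carries in this cycle: the process value while healthy,
    the configured fault reaction value once a fault has been detected."""
    if not faulted:
        point.last_good = process_value
        return process_value
    fr = point.fault_reaction
    if fr == "High":
        return 1                      # digital input energized
    if fr == "Low":
        return 0                      # digital input/output de-energized
    if fr == "Top Scale":
        return point.range_high
    if fr == "Bottom Scale":
        return point.range_low
    if fr in ("Scan", "Appl"):
        return process_value          # keep carrying the (possibly wrong) value
    if fr in ("Hold", "Freeze"):
        return point.last_good        # freeze to the last known good value
    if fr == "0 mA":
        return 0.0                    # analog output de-energized
    if fr == "Fixed value":
        return point.fixed_value      # preset value, not necessarily the startup value
    raise AssertionError(f"unhandled fault reaction {fr!r}")


def run_cycles(point: Point, cycles: List[Tuple[Value, bool]]) -> List[Value]:
    """Evaluate a point over a sequence of (process value, fault detected) cycles."""
    return [evaluate(point, value, faulted) for value, faulted in cycles]
```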

Halt Control Processor

A Control Processor halts if:

- A fault is detected in one of its safety functions, for example corrupted software, safety processors out of sync, or a watchdog fault.
- The repair timer runs out.
- The Control Processor is disabled by its own watchdog.
- The Control Processor is disabled by the watchdog of the other Control Processor.

Availability

All default configurations of Safety Manager are single fault tolerant towards faults that affect safety. In case a critical fault is detected on an output module, all channels of that particular output module are de-energized. By using a secondary means of de-energization, Safety Manager is always able to bring the outputs to the safe state, regardless of the fault. Universal Safety IO channels have an independent SMOD architecture, so only those channels detected faulty are isolated. For extended operational availability requirements, Safety Manager Advanced Redundancy Technique (A.R.T.) delivers a multi-fault-tolerant IO bus architecture.


Safety Manager Architectures and Availability

Full module and IO bus redundancy can be provided to warrant process availability. A distinction is made between two architectures: Safety Manager and Safety Manager A.R.T.

Safety Manager

Figure 3 shows the reliability block diagram for Safety Manager.

Figure 3 — Reliability block diagram for Safety Manager

The architecture of Safety Manager shows redundant control paths that principally function independently of each other. The execution is synchronized at the Control Processors. The system performs continuous diagnostics on all critical parts of the system. All SIF related diagnostics are executed every execution cycle. Certain generic diagnostics are, however, executed over multiple execution cycles, but all system diagnostics are completed within the user configurable Diagnostic Time Interval. When the system detects a fault, the diagnostic is reported and the corresponding action is performed, isolating the faulty part of the system. In principle the equipment under control will continue to be safeguarded, as the safeguarding function will be performed by the healthy partner. This architecture provides optimal availability and is suitable for SIL1, SIL2 and SIL3 solutions.


Safety Manager A.R.T.

Figure 4 shows the reliability block diagram for Safety Manager A.R.T.

Figure 4 — Reliability block diagram for Safety Manager A.R.T.

The architecture of Safety Manager A.R.T. also shows redundant control paths that function independently of each other. Here, however, additional alternative processing routes are available for the Control Processors. The system performs continuous diagnostics on all critical parts of the system. All SIF related diagnostics are executed every execution cycle. Certain generic diagnostics are, however, executed over multiple execution cycles, but all system diagnostics are completed within the user configurable Diagnostic Time Interval. When the system detects a fault, the diagnostic is reported and the corresponding action is performed, isolating the faulty part of the system. In principle the equipment under control will continue to be safeguarded, as the safeguarding function will be performed by the healthy partner. This architecture provides maximized availability and is suitable for SIL1, SIL2 and SIL3 solutions.


Safety Manager Communication Protocols

Safety Manager communicates and exchanges data with its surroundings (for example a Safety Station or an Experion Station). Table 4 describes what data can be communicated and the supported protocols that can be used.

Table 4 — Overview of peer to peer connections

Connection | Logical network | Physical network | Safe | Options
Safety Manager – Safety Station (Safety Builder) | Safety Builder protocol | RS232, RS485, RS422, Ethernet | no | data viewing, diagnostics, forcing, loading, remote management
Safety Manager – Safety Manager (SafeNet) | SafeNet protocol | RS485, RS232, RS422, Ethernet | yes | data viewing, diagnostics, remote reset, remote loading, remote start
Safety Manager – Experion | Experion SCADA | Ethernet | no | data viewing, diagnostics, remote reset, SOE
Safety Manager – C300 controller | PCDI | Ethernet | no | Point data, Remote reset
Safety Manager – Advanced Experion integration | Experion CDA | Ethernet | no | data viewing, diagnostics, remote reset, SOE, Point data
Safety Manager – FDM | FDM | Ethernet | no | HART device Diagnostics, HART device configuration
Safety Manager (Slave) – Modbus Device | Modbus serial | RS232, RS485, RS422 | no | Point data, Remote reset, Time Set
Safety Manager (Slave) – Modbus Device | Modbus TCP | Ethernet | no | Point data, Remote reset, Time Set
Safety Manager (Master) – Modbus Device | Modbus TCP | Ethernet | no | Point data, Remote reset
Safety Manager – Safety Historian | Experion SCADA | Ethernet | no | SOE


Human Machine Interfaces

Within Experion PKS, different methods to retrieve process and system information are available. When working with Safety Manager:

- Process information is available via stations and LEDs.
- System information, such as diagnostics and the system’s temperature, is available via both stations and hardware interfaces.

These interface options are discussed below.

Hardware interfaces

The hardware interfaces are intended for basic information exchange between man and machine.

Display on Quad Processor Pack (QPP)

Figure 5 shows the user interface display, located on the Control Processor. It provides system status, diagnostic information and IP addresses of the communication gateways.

Figure 5 — the user interface display of the QPP (display and pushbuttons)

LED indicators

Most modules have one or more LED indicators at the front. Controller modules have a single bi-color LED with the word “status” written next to it. A green color means “OK”. Communication modules and digital IO modules also have dedicated LEDs per channel, indicating the channel status. The Universal Safety IO family has 2 LEDs (one normal and one bi-color) providing details on the status of the module.


Examples

Figure 6 shows the module front of a 16 channel digital input module. In this example, each channel has one LED to indicate its status.

Figure 6 — Front: Chassis Mounted IO Module

Figure 7 shows the Universal Safety IO module. In this example the module has 2 LEDs to show the status of the module. The top green LED is used for power indication. The bottom bi-colored LED is used for status indication; the current status of the module is indicated by the LED color and behavior (steady or flashing).

Figure 7 — Front: Universal Safety IO Module


Key switches

Key switches are used for specific functions that require key access before they can be performed. Safety Manager has 3 different key switches. Figure 8 shows the front view of the Battery and Key switch Module (BKM), where the Reset and Force Enable key switches are installed.

Figure 8 — Key switches at the front of the BKM

The key switches on the BKM are wired to both CP1 and CP2.

- Under normal circumstances the Reset key switch is used to start the system or restart halted system components without switch-over effect. (Turning this key switch will not interrupt process safeguarding.)
- When performing on-line modification (changing the application / system configuration on-line) the Reset key switch can be used to switch applications.
- The Force key switch is used to enable / disable the use of forcing of IO points. With this key switch in the “on” position, forcing via a safety station is allowed. With this key switch in the “off” position all forces are cleared.

Each Quadruple Processor Pack (QPP) has a 3 position key switch installed.

- The key switch on the QPP is used to idle, halt or run the QPP. When idle, the QPP can be fitted with a new application program. If remote loading is enabled, the QPP key does not need to be in the idle position to load a new application. Safety Manager can be completely managed remotely from the Safety Builder.


Stations

The software interfaces are intended for extended information exchange between man and machine.

Safety Stations and Experion Stations

Safety Manager can run software packages on different types of Stations (PCs) or use these Stations for interfacing. The following Stations (PCs) can be distinguished:

Station name | Description
Safety Station | PC that runs Safety Builder and/or Safety Historian
Experion Station* | PC that runs the process control application

* Safety Builder software may also be installed on an Experion Station

Usability

Table 5 shows the main Station functions related to Safety Manager versus their availability on each Station type.

Table 5 — Station functions

Function | Safety Station | Experion Station | Experion Station (Advanced integration)
View Safety Manager system status | Yes | Yes | Yes
View Safety Manager point status | Yes | Yes | Yes
View Safety Manager diagnostics | Yes | Yes | Yes
View Safety Manager functional logic diagrams | Yes | No | No
Integrate Safety Manager alarms in Experion alarm window | No | Yes | Yes
Integrate Safety Manager SOE in Experion SOE window | No | Yes | Yes
View Safety Manager SOE in Safety Historian SOE window | Yes | No | No
Remote management of Safety Manager applications (load, start, stop) | Yes | No | No
Reset non-critical faults in Safety Manager (loop faults, communication faults) | Yes | Yes | Yes
Reset critical faults in Safety Manager | Yes | Yes | Yes
Forcing of system variables | Yes | No | No
Maintenance overrides | Yes | Yes* | Yes*

* only when the application is developed according to TÜV guidelines

Figure 9 and Figure 10 on the following pages provide screenshots of Experion Station displays related to Safety Manager; these displays are available as standard, without the need for any engineering.


Figure 9 — Example of an Experion Station “system information” display

Figure 10 — Example of an Experion Station “diagnostics” display


System Features

Safety Manager Configurations

Safety Manager is available in several configurations to suit virtually every process control requirement. Table 6 below lists Safety Manager configurations that are available, together with their main characteristics.

Table 6 — Safety Manager Configurations

Type | Safety Manager Controller | Safety Manager IO Interface | Typical application examples | Architecture | SIL
Non-redundant (single) | Non-redundant | Non-redundant | Critical process control with redundancy in field equipment | DMR | 1, 2 and 3
Redundant | Redundant | Non-redundant | Critical process control with redundancy in field equipment | QMR | 1, 2 and 3
Redundant | Redundant | Redundant | Critical process control | QMR | 1, 2 and 3
Combined | Redundant | Redundant & Non-redundant | Burner/Boiler Management System with Safety Manager-controlled alarm panel; Fire and Gas | QMR | 1, 2 and 3

All Safety Manager architectures can be used for safety applications. The preferred architecture depends on the availability requirements.


Safety Manager Architectures

Dual Modular Redundant and Quadruple Modular Redundant architectures

In general, Safety Manager supports Dual Modular and Quadruple Modular architectures.

Dual Modular Redundant (DMR) architecture

The Dual Modular Redundant (DMR) architecture comprises:
- non-redundant (single) input module(s)
- non-redundant (single) output module(s)
- non-redundant QPP Control Processor Module
- non-redundant watchdog function, integrated in the QPP module
- non-redundant Secondary Means Of De-energization (SMOD), integrated in the output module

The expression DMR refers to the use of redundant (2) processors and memories within the QPP module. These are configured in a 1oo2 voting structure and therefore both (dual) are needed to achieve the required level of SIL 3 safety functionality. Furthermore it refers to the redundant (2) outputs in a 1oo2 serial voter. The DMR architecture can be applied for SIL1, SIL2 and SIL3 applications.

Figure 11 — Functional diagram: DMR architecture

In Figure 11 the independent and different measures for safety are clearly shown:
- Yellow: the microprocessor-based programmable logic controller
- Green: the solid-state-electronics-based watchdog controlling the SMOD

With this combination of dual technologies, a non-redundant or single-channel Safety Manager DMR system copes with all requirements for SIL1, SIL2 and SIL3 level applications. Typical applications for a DMR safety system are:
- Burner or Boiler Management Systems (BMS)
- Safeguarding of batch processes
- Safeguarding of machinery covered by the Machine Directive

[Figure 11 diagram elements: Sensor → Input Module (Input Interfaces) → QPP Control Processor (Processor, Processor, Watchdog; SD) → SMOD → Output Module (Output Interfaces) → Final Element]


Quadruple Modular Redundant (QMR) architecture

For processes without redundant EUCs, avoiding process impact due to failures internal to the safety system is a must. Fault-tolerant configurations for continuous operation are required, resulting in a redundant version of the previously described DMR configuration, called the QMR architecture. Each leg of the redundant system executes its own 1oo2 voting; these results are exchanged and voted within both CPUs and memories, ultimately resulting in a 1oo2D architecture. Voting takes place on two levels: at module level and at system level, both executed by the QPP modules. This is referred to as a 2oo4D configuration. See also Figure 12 below.

Figure 12 — Functional diagram: QMR architecture

In redundant IO configurations, each path is controlled by one of the Control Processors and an independent switch (secondary means of de-energization, SMOD), which is controlled by the diagnostic software and an independent watchdog. Furthermore, each Control Processor is able to switch off the output channels of the other Control Processor. The QMR architecture can be applied for SIL1, SIL2 and SIL3 applications.

[Figure 12 diagram elements: Sensor → two Input Modules (Input Interfaces) → QPP Control Processor 1 and QPP Control Processor 2 (each with Processor, Processor, Watchdog; SD; QuadVoter between them) → two SMODs → two Output Modules (Output Interfaces) → Final Element]


System architectures

Safety Manager allows for combinations of the earlier described architectures (DMR and QMR). This allows for optimum solutions in relation to safety and availability, tailored to process and end-user requirements.

Non-redundant Controller and non-redundant IO

This Safety Manager architecture has a non-redundant Controller and non-redundant input and output (IO) modules (see Figure 13). The IO modules are controlled via the IO bus drivers (located in the QPP) and the IO Bus, which can control up to 8 IO chassis per cabinet. Each IO chassis is controlled via an IO Extender. There is no redundancy except for those modules with built-in redundancy (QPP, memory and watchdog). This architecture can be applied for SIL1, SIL2 and SIL3 applications.

Figure 13 — Functional diagram: non-redundant Controller, non-redundant IO

Redundant Controller and non-redundant IO

This Safety Manager architecture has a redundant Controller and non-redundant input and output (IO) modules (see Figure 14). The IO modules are controlled via the IO bus drivers (located in the QPP) and the IO Bus, which can control up to 8 IO chassis per cabinet. Each IO chassis is controlled via the IO Extender. This architecture can be applied for SIL1, SIL2 and SIL3 applications.

Interaction between Control Processors

Both Control Processors run in parallel, meaning that they simultaneously read input states and write output states. Through the redundant link, both Control Processors continuously inform each other about the achieved IO states and application states. The redundant link is used to synchronize actions and compare results. A redundant Controller is single fault tolerant with respect to availability.

[Figure 13 diagram elements: Sensor → Input Module (Input Interfaces) → QPP Control Processor (Processor, Processor, Watchdog; SD) → SMOD → Output Module (Output Interfaces) → Final Element]


Figure 14 — Functional diagram: redundant Controller, non-redundant IO

[Figure 14 diagram elements: Sensor → Input Module (Input Interfaces) → QPP Control Processor 1 and QPP Control Processor 2 (each with Processor, Processor, Watchdog; SD) → SMOD → Output Module (Output Interfaces) → Final Element]

Redundant Controller and redundant IO

This Safety Manager architecture has a redundant Controller and redundant input and output (IO) modules (see Figure 15). The IO modules are controlled via the IO bus drivers (located in the QPP) and the IO Bus, which can control up to 8 IO chassis per cabinet. Each IO chassis is controlled via the IO Extender. The processor and IO are fully redundant, which allows continuous operation and smooth (zero-delay) transfer of control in case of a Control Processor or IO failure. This architecture can be applied for SIL1, SIL2 and SIL3 applications.

Interaction between Control Processors

Both Control Processors run in parallel, meaning that they simultaneously read input states and write output states. Through the redundant link, both Control Processors continuously inform each other about the achieved IO states and application states. The redundant link is used to synchronize activities and compare results.

Interaction between redundant IO

Both IO modules reside next to each other in the same IO chassis. On the backplane they are wired in parallel.

- In principle, when a fault is detected in an input channel, this channel is deactivated by its corresponding Control Processor. The correct value is obtained from the IO module connected to the other Control Processor via the redundant internal link before the application cycle is started.

- In principle, when a fault is detected in an output channel, all channels of the affected output module are de-energized. (At that moment the module can be replaced with a spare module without affecting the running state of the Control Processor.) The correct value is driven into the field by the redundant Control Processor, but only after both Control Processors have agreed upon its value via the redundant internal link.
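The voting described for the DMR and QMR architectures (1oo2 inside a QPP, 1oo2D between the two QPPs of a QMR system) and the fault substitution described for redundant IO above can be modelled in a few functions. The block below is an added illustration written for this page, not Honeywell or Safety Manager code; the class and function names, the convention that a vote of True means "keep the output energized", and the sample votes are this example's own assumptions.

```python
"""Model of the fail-safe voting used by the DMR and QMR architectures and of
the redundant IO fault handling described above.

This is an added illustration written for this page; it is not Honeywell or
Safety Manager code. All names, the "True means energized" convention and the
sample inputs are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class QppVote:
    """What one Quadruple Processor Pack wants for a single output."""
    proc_a: bool          # vote of the first processor (True = keep energized)
    proc_b: bool          # vote of the second processor
    healthy: bool = True  # verdict of the QPP's own diagnostics / watchdog


def vote_1oo2(a: bool, b: bool) -> bool:
    """1oo2 (one-out-of-two to trip): the output stays energized only when
    both processors agree; a single de-energize vote wins."""
    return a and b


def dmr_output(qpp: QppVote) -> bool:
    """DMR: a single QPP. Its internal 1oo2 vote decides, and the watchdog
    de-energizes the output (via the SMOD) when the QPP itself is faulty."""
    return qpp.healthy and vote_1oo2(qpp.proc_a, qpp.proc_b)


def qmr_output(cp1: QppVote, cp2: QppVote) -> bool:
    """QMR (2oo4D): 1oo2 inside each QPP, then 1oo2D between the QPPs.
    A QPP flagged by its diagnostics is excluded, so a detected fault in one
    Control Processor does not trip the output (single fault tolerant for
    availability); with no healthy QPP, or healthy QPPs that disagree, the
    output goes to the safe (de-energized) state."""
    legs = [vote_1oo2(q.proc_a, q.proc_b) for q in (cp1, cp2) if q.healthy]
    if not legs:
        return False
    return all(legs)


def redundant_input(cp1_value: Optional[bool], cp1_fault: bool,
                    cp2_value: Optional[bool], cp2_fault: bool) -> Optional[bool]:
    """Redundant input channel: a channel with a detected fault is deactivated
    by its Control Processor and the value of the module on the other Control
    Processor is used instead. None means no trustworthy value is available."""
    if cp1_fault and cp2_fault:
        return None
    if cp1_fault:
        return cp2_value
    if cp2_fault:
        return cp1_value
    return cp1_value  # both channels healthy; the modules are wired in parallel


def output_module_state(channel_faults: List[bool], wanted: List[bool]) -> List[bool]:
    """Redundant output module: a detected fault on any channel de-energizes
    all channels of that module, so it can be swapped for a spare."""
    if any(channel_faults):
        return [False] * len(wanted)
    return list(wanted)


def field_state(module_cp1: List[bool], module_cp2: List[bool]) -> List[bool]:
    """Two redundant output modules drive the field as an OR function, so the
    surviving module keeps the final element energized while the other one is
    de-energized for replacement."""
    return [a or b for a, b in zip(module_cp1, module_cp2)]


def demo() -> dict:
    """A few constructed scenarios, returned so they can be checked."""
    healthy = QppVote(True, True)
    tripping = QppVote(True, False)             # one processor demands the safe state
    faulted = QppVote(True, True, healthy=False)
    return {
        "dmr_normal": dmr_output(healthy),                    # True
        "dmr_trip": dmr_output(tripping),                     # False
        "dmr_qpp_fault": dmr_output(faulted),                 # False: watchdog acts
        "qmr_normal": qmr_output(healthy, healthy),           # True
        "qmr_cp2_trip": qmr_output(healthy, tripping),        # False
        "qmr_cp2_fault": qmr_output(healthy, faulted),        # True: CP2 excluded
        "qmr_both_fault": qmr_output(faulted, faulted),       # False
        "input_cp1_fault": redundant_input(None, True, True, False),  # True
        "field_after_module_fault": field_state(
            output_module_state([False, True, False], [True, True, True]),
            output_module_state([False, False, False], [True, True, True])),  # [True, True, True]
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the asymmetry it makes visible: a single trip vote from any processor always wins (safety), while a diagnosed fault in one QPP or one IO module is masked by the other leg (availability). Anything the diagnostics cannot attribute to one leg, such as two healthy QPPs disagreeing, falls through to the de-energized state.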

Figure 15 — Functional diagram: redundant Controller, redundant IO

[Figure 15 diagram elements: Sensor → two Input Modules (Input Interfaces) → QPP Control Processor 1 and QPP Control Processor 2 (each with Processor, Processor, Watchdog; SD; QuadVoter between them) → two SMODs → two Output Modules (Output Interfaces) → Final Element]

Redundant Controller with redundant and non-redundant IO

This Safety Manager architecture has a redundant Controller and redundant input and output (IO) modules (OR function outputs) combined with non-redundant input and output modules (see Figure 16). This architecture can be applied for SIL1, SIL2 and SIL3 applications. This architecture is a mix of the described:

- Redundant Controller and non-redundant IO
- Redundant Controller and redundant IO

Selective watchdog

In a system with combined redundant and non-redundant IO, 3 watchdog lines are active:

- WD1: This is the watchdog line dedicated to Control Processor 1. It de-energizes upon a safety-related fault in Control Processor 1. When de-energized, Control Processor 1 and the related outputs are halted.

- WD2: This is the watchdog line dedicated to Control Processor 2. It de-energizes upon a safety-related fault in Control Processor 2. When de-energized, Control Processor 2 and the related outputs are halted.

- WD3: This is the combined watchdog line, controlled by both Control Processors. When de-energized, the non-redundant outputs are de-energized, but the redundant outputs and the Control Processors remain operational.

Figure 16 — Functional diagram: redundant Controller with redundant and non-redundant IO

[Figure 16 diagram elements: Sensor → two redundant Input Modules and one non-redundant Input Module (Input Interfaces) → QPP Control Processor 1 and QPP Control Processor 2 (each with Processor, Processor, Watchdog; SD; QuadVoter between them) → two redundant SMODs and Output Modules plus one non-redundant SMOD and Output Module (Output Interfaces) → Final Elements]


Safety Manager Universal Safety IO Architecture

Safety Manager Universal Safety IO is based upon the proven-in-use QMR architecture, delivering optimal safety and availability. Safety Manager Universal Safety IO modules have 32 freely configurable channels (AI, DI, AO, DO); this means that the type of every channel is defined via the application software. Safety Manager Universal Safety IO modules are integrated into Safety Manager by using the SIL3 approved SM RIO link. The SM RIO link provides a redundant infrastructure and allows for long-distance integration of multiple Safety Manager Universal Safety IO modules. Both Universal Safety IO processors have their own watchdog function and a direct ESD functionality, which can optionally be configured on an input channel to allow for immediate ESD actions (see also Universal Safety IO Specific features). Safety Manager Universal Safety IO is available in redundant and non-redundant configurations. Both architectures can be applied for SIL1, SIL2 and SIL3 applications. A functional diagram can be found in Figure 17 below.

Figure 17 — Functional diagram Universal Safety IO


Safety Manager A.R.T.

Safety Manager with Advanced Redundancy Technique (Safety Manager A.R.T.) uses specific hardware in a dedicated architecture and has extended availability compared to Safety Manager. Safety Manager A.R.T. has the capability to continue normal operation with a combination of a Control Processor fault and an IO fault. Typical applications of the Safety Manager A.R.T. architecture are process safeguarding applications for which continuous operation is essential, such as deployment in unmanned locations or locations where the right maintenance skills are not available in a timely fashion.

The Safety Manager A.R.T. architecture is based on 2oo4D voting with dual-processor technology in each QPP. This means that it is characterized by an ultimate level of self-diagnostics and fault tolerance. The Safety Manager A.R.T. architecture is only supported with a redundant Controller. This redundant architecture contains two QPPs, which results in quadruple redundancy, making it fault tolerant for safety. The 2oo4D voting is realized by combining 1oo2 voting of both CPUs and memory in each QPP, and 1oo2D voting between the two QPPs. Voting takes place on two levels: at module level and between the QPPs.

In redundant IO configurations, both paths can be controlled by each Control Processor. The watchdog function for the output modules is controlled at chassis-based IO level. This is done by the main watchdogs and additional control by the software. The result of the Safety Manager A.R.T. architecture is a more granular reaction to output module faults. The Safety Manager A.R.T. architecture can be applied for SIL1, SIL2 and SIL3 applications. A functional diagram can be found below in Figure 18.

Figure 18 — Functional diagram: Safety Manager A.R.T Architecture


Network Architectures

Process control and safeguarding functions in today's process industry are highly automated through computerized systems. One advantage of computerization is the possibility of gathering and exchanging digitized information on process parameters. In order to make optimal use of this information and to be able to provide adequate information to plant operators, both the process control systems and the safeguarding systems must have communication capabilities to exchange process information. Safety Manager can communicate with the following devices:

- The Safety Station
- Other Safety Managers
- Experion PKS
- C300 controller
- Safety Historian Station
- FDM Server
- Any other serial or TCP/IP device supporting Modbus

This section contains a brief description of all communication architectures.

Network components

Time master

To ensure accurately time-stamped process event data, the real-time clocks of Safety Managers in a network need to be synchronized by a time master.

- A time master can be any node in the network.
- If a system can choose from multiple time masters, a hierarchical protocol is applied. If multiple time sources are available in a network, it is possible to rank the time sources, putting the time source with the highest priority first. Time sources of a lower priority are ignored as long as time sources of a higher priority are available.

Safety Manager can use the following external sources to synchronize its real-time clock:

- Experion system (connected via Ethernet)
- GPS receiver via PTP (Precision Time Protocol) according to the IEEE 1588 protocol
- Safety Station
- Time master
- Modbus communication
- Simple Network Time Protocol (SNTP)

When a higher-level source of time synchronization becomes available again, the Safety Manager network automatically switches back to the source with the highest priority.


Station

A Station is a human machine interface for the process control and safeguarding components connected to the network. Using Safety Builder as Station software for Safety Manager enables a number of functions:

- Monitoring the application.
- Monitoring the system status.
- Viewing extended diagnostics.
- Clock synchronization.
- Loading software.
- Verifying the application as present in Safety Manager.
- Forcing and writing of variables.
- Remote management (loading, starting, stopping, resetting) of Safety Manager without the need for physical presence at the system.

Link types

Point to point link

A point to point link is a physical link that interconnects one master and one slave only. Within the context of the SafeNet communication, a point to point link is the connection between a single master and a single slave. Point to point communication is available when using RS-485 or Ethernet as the physical media.

Multidrop link

A multidrop link is a physical link that interconnects multiple systems (see Figure 19). Within the context of the SafeNet communication, a multidrop link is the connection of a single master with multiple slaves or multiple masters with one slave. Multidrop communication is available when using RS-485 or Ethernet as the physical media.

Figure 19 — Multidrop link

[Figure 19 diagram elements: Master (CP 1) connected to Slave 1, Slave 2 and Slave 3 (each CP 1)]


Peer-to-peer communication

Peer to peer communication is communication between any Safety Manager system and any other Safety Manager system without the need of a Master system in between (see Figure 20). Peer-to-peer SafeNet communication is available when using Ethernet as the physical media.

Figure 20 — SafeNet peer-to-peer

Redundant link

A redundant link is a communication link based on two independent physical links. If one Safety Manager in a network is redundant, the SafeNet connections with other Safety Managers will always be redundant.

Redundant communication with other systems

Figure 21 below shows the three options for redundant communication with other systems. The middle configuration is also known as “connected Control Processors”, as the actual link to the other system is not redundant.

Figure 21 — Example of redundant communication with other systems

[Figure 21 diagram elements: three Safety Manager / Other system pairs, with the Safety Manager side labelled CP 1 CP 2, CP 1 CP 2, and CP 1 respectively]


Safety Manager SafeNet

Safety Manager supports Distributed Safety Solutions (DSS™) through its extensive networking capabilities. Safety Manager networks provide the means to decentralize process safeguarding with central process monitoring and control capabilities. In a DSS network, multiple Safety Managers are interconnected via dedicated Ethernet (or serial) communication links. Both point-to-point and multidrop networks are supported. For optimum availability of the communication, redundant Safety Manager configurations require the use of redundant communication links.

The communication is based on the Honeywell proprietary, TÜV-approved SIL 4 SafeNet communication protocol. SafeNet is the only SIL4 certified protocol available in the process industry today. The SafeNet protocol includes a high level of error detection and recovery, which makes it suitable for exchanging safety-related information while maintaining optimum availability. The network is also used to route diagnostic data to central operator stations and maintenance workstations.

Communication within Safety Manager networks is based on the master-slave (serial) or peer-to-peer (Ethernet) concept. In the master-slave concept, the master system is responsible for all communication activities. It initiates requests for data from the slave systems, and sends data to the slaves. With the peer-to-peer concept, data communication with any connected Safety Manager in a SafeNet topology is possible. Applying peer-to-peer concepts is only possible when using Ethernet as the transmission media.

The SafeNet concept supports safety solutions in line with the plant design, with every independent process unit being safeguarded by a separate Safety Manager. This minimizes the risk of nuisance plant trips during unit maintenance.


Safety Manager supports SafeNet communication via Ethernet, RS232, RS485 and Fiber optic. This allows easy integration of fail-safe networking via third-party equipment (black channel), enabling the use of existing media, equipment, and cabling to exchange safety-critical Safety Manager data, e.g. using public telephone lines, satellites, or radio links. This TÜV-approved function provides flexible solutions for FPSOs, pipelines, and other remote system applications. It is completely embedded into the Safety Manager design, and no additional effort is needed to configure this type of communication. Figure 22 below shows an example of a SafeNet Network.

Figure 22 — Example SafeNet Network


Safety Manager SafeNet Topologies

SafeNet can run on any media, including the process control infrastructure such as the FTE network (see Figure 23 below). It is however recommended to segregate SafeNet from other physical infrastructure. Operational safety is not affected, because safety is guaranteed by the SIL 4 certified protocol stack. Availability, however, depends on the infrastructure and its capability to carry the data. In one physical SafeNet segment, a maximum of 63 controllers can be connected. One SafeNet network can consist of a maximum of 1024 controllers. An example of a segregated SafeNet topology is shown below in Figure 24.

Figure 23 — SafeNet Integrated Topology

Figure 24 — SafeNet Segregated Topology


Safety Manager distributed and remote solutions

Depending on the situation and specific facility requirements, DSS™ may be the best solution to build safety networks. DSS™ provides safety where it is needed, using the SIL4 certified proprietary SafeNet network technology. Figure 25 shows a typical distributed safety solution using DSS™.

Figure 25 — an example of a distributed safety solution using DSSTM

For other safety requirements like universality of channels, robust design or typical applications like wellhead, offshore and pipeline safeguarding, Safety Manager Universal Safety IO may be the best safety solution. Using the SIL3 certified proprietary SM RIO Link network, safety is distributed within or outside a facility. Figure 26 shows a typical remote safety solution using SM RIO Link.

Figure 26 — an example of a remote safety solution using Safety Manager Universal Safety IO


To provide maximum flexibility in relation to the distribution of safety solutions, both the Safety Manager Distributed Safety Solutions (DSS™) and the Safety Manager Universal Safety IO can be combined within one distributed safety architecture. Remote areas within a facility can easily be reached by adopting the Safety Manager Universal Safety IO technology using SM RIO link. Also the safeguarding of off-site installations like pump stations, loading facilities, well heads and pipelines can be integrated and managed within the Safety Manager distributed architecture. Existing Safety Manager solutions can easily be extended with the Safety Manager Universal Safety IO technology. This allows safety to be integrated at remote locations without the need for an expensive infrastructure like field auxiliary rooms. Figure 27 shows a typical combined distributed safety architecture.

Figure 27 — an example of a combined distributed architecture


Safety Manager Integration into Experion PKS

Safety Manager supports operational integration into Experion PKS which unifies Honeywell’s safety controller with its equally reliable Experion platform. The integration is realized through the Safety Manager Universal Safety Interface (USI) module to the Fault Tolerant Ethernet (FTE) layer, which is placed in the control processor of the Safety Manager Controller. This USI module makes Safety Manager an integrated part of the Experion architecture, which means that Safety Manager related information can easily be exchanged between Safety Manager and Experion and made available on the Experion Server displays. Safety Manager supports two methods for operational integration:

- Advanced Experion integration via the CDA protocol through a full FTE connection, providing direct peer to peer with CEE controllers and console station support.

- Experion SCADA integration and Peer Control Data Interface through a dual LAN Ethernet connection to FTE.

Figure 28 shows an architectural overview of Experion including Safety Manager.

Figure 28 — Experion architecture

The integration architecture is built such that it allows for a fully redundant, robust, fast and cost-effective data exchange between process safety and process control without jeopardizing the IEC 61508 segregation requirements. It automatically distributes relevant data related to process, safeguarding and controller status within the Experion environment without the need for complex application engineering or configuration. This unique and straightforward data integration will give maximum operational availability of relevant process data and simplify analysis and decision making.


Safety Builder

Safety Builder is the user-friendly safety engineering tool for Safety Manager. Safety Builder is used to create and maintain plant-wide safety solutions. The Safety Builder engineering tool provides a user interface with Safety Manager and supports the user in performing a number of design and maintenance tasks (see Figure 29 below).

Figure 29 — Safety Builder function: Network Configurator

Safety Builder’s design and implementation features include:

- Intelligent user interface, presenting menu items only when applicable
- Network Configurator
- Hardware Configurator
- Point Configurator
- Application Editor
- Database import and export
- Publication of Experion integration data
- Configuration of HART enabled field devices and export to Field Device Manager (FDM)
- Automatic control program documentation
- FLD revision control
- Audit trail
- Easy loading of system software and control program into the Control Processors


Safety Builder’s maintenance support features include:

- Live viewing of application execution
- Detailed monitoring of process signal behavior
- Collection of diagnostics of Safety Manager, automatically or on user demand
- Diagnostic message storage, with user-definable browsing functions
- Forcing of Safety Manager input and output interfaces
- Remote management (loading, starting, stopping, fault reset)
- Online migration to latest software releases (enabling new functions & features)

Functional Logic Diagrams (FLDs)

Safety Manager safety-critical control functions (contained in the control program) are determined by the safety instrumented functions assigned to the system for the specific application. Safety Builder supports the design of the control program by the user. The control functions are defined with graphical Functional Logic Diagrams (IEC 61131-3: Continuous Function Charts). Figure 30 below shows an example of a Functional Logic Diagram (FLD).

Figure 30 — Functional Logic Diagram (FLD)

An FLD is split into four main areas: Information area (bottom) (on hardcopy only), Input area (left), Control function area (center), and Output area (right).


The FLD information area, at the bottom of the FLD, is included on printouts and provides information to identify the Functional Logic Diagram, including revision data. The FLD input area, on the left-hand side of the FLD, contains all the points and sheet references that serve as the input to the control function. Input points may originate from the field equipment or from other computer equipment (Experion, Safety Manager or other third-party communication devices). Special input points are available to indicate:

- the diagnostic status of the Safety Manager IO interfaces,
- the status of field loops, and
- the system alarm summary, e.g. temperature pre-alarm or device communication failure.

Data can be exchanged between FLDs via sheet transfer functions. This allows a structured design of complex functions across multiple diagrams. Table 7 below lists the input functions that are available in Safety Manager functional logic diagrams, together with their source.

Table 7 — FLD Input Functions

Input Type            Source
Analog Input          Field Equipment
Boolean Input         Field Equipment, Process Computer, Other Safety Manager
Numerical Input       Field Equipment, Process Computer, Other Safety Manager
Diagnostic Input      Diagnostic status of Safety Manager IO interfaces
Loop Status Input     Field loop status of Safety Manager IO interfaces with loop monitoring
System Alarm Input    Safety Manager controller
Sheet Transfer        Other FLDs

The FLD control function area, which is the central area of the FLD, contains the actual implementation of the control function. The function is realized by interconnecting predefined symbols, which provide a variety of functions including logical, numerical and time-related functions. Apart from these standard functions, user-definable blocks are supported:

- Function Blocks: standard FLDs for repetitive use within the control program, and
- Equation Blocks: for tabular definition of complex functions, e.g. non-linear equations.


Table 8 below lists the control functions that are available in Safety Manager functional logic diagrams.

Table 8 — FLD Control Functions

Data type conversion functions: INT to SINT; DINT to INT, SINT; REAL to DINT, INT, SINT
Boolean functions: Boolean Constant, AND, OR, XOR, NOT, NAND, NOR, XNOR, flip-flop set and reset dominant
Arithmetical functions: Numerical Constant, AND filter, ADD, SUB, MUL, DIV, SQR, SQRT, ln(x), e^x
Comparison functions: EQ, NEQ, GT, GTE, LT, LTE
Timer functions (with constant or variable time value): Pulse, Pulse-retriggerable, Delayed-ON, Delayed-OFF, Delayed-ON memorize
Count & storage functions: Counter, Register
User-definable blocks: Equation Block, Function Block

The supported data types are: Boolean, Byte (-128 .. 128), Word (-32768 .. 32767), LongInt (-2^32 .. 2^32-1), Real (-10^38 .. 10^38).

The FLD output area, on the right-hand side of the FLD, contains the results of the control function. These variables may be used to drive the field equipment or may be transferred to other computer equipment, e.g. a process computer or another Safety Manager. Table 9 below lists the output functions that are available in Safety Manager functional logic diagrams, together with their destination.

Table 9 — FLD Output Functions

Output Type           Destination
Analog Output         Field Equipment
Boolean Output        Field Equipment, Process Computer, Other Safety Manager
Numerical Output      Field Equipment, Process Computer, Other Safety Manager
Sheet Transfer        Other FLDs


Multi User: Concurrent use of Safety Builder

Safety Builder: A maximum of five different Safety Builders can connect to one Safety Manager database via the Network Configurator program.

Migrate: During the migration of the Safety Manager plant database, the Safety Builder plant database is opened exclusively, which means that no other Safety Builder session is able to access the plant or one of the controllers within the plant. During the migration of the Safety Manager Controller databases, the plant is opened exclusively and all other Safety Builder sessions are locked out for this plant and all its Safety Manager Controllers. If the lock on the plant database is not possible, the migration will not proceed.

Network Configurator: The network configuration can be modified by one Safety Builder. The plant is opened exclusively by default (with "Start configuration"). If the plant is opened in exclusive mode, all other Safety Builder sessions are locked out for this plant and all its Safety Manager Controllers, except for plant and Safety Manager Controller selection via the Network Configurator. If exclusive open fails, the user is informed and the plant is opened in view-only mode. Plant and Safety Manager Controller selection remains possible, and the "Start Configuration" function remains enabled to allow the user to retry opening the plant exclusively.

Hardware Configurator, Application Editor, Application Compiler: The controller configuration can be modified by one Safety Builder per Safety Manager Controller. The Safety Manager plant database is opened for shared use; other Safety Builder sessions are allowed to also open the plant in shared mode, while exclusive access to the plant by other Safety Builder sessions is denied. The Safety Manager Controller database is opened exclusively, so access to the same controller by other Safety Builder sessions is denied. If the lock on the plant or controller fails, the program function will not proceed.

Point Configurator: The concurrent access behavior of the Point Configurator is in line with the behavior applicable for Hardware Configurator, Application Editor and Application Compiler, except:

1. When a point is modified that affects a SafeNet allocation, the peer Safety Manager Controller will also be locked temporarily to prevent database inconsistencies. This lock remains active until Point Configurator is closed. If the peer Safety Manager Controller database cannot be locked, the SafeNet allocation will not be changed.

2. During point import, the plant is opened in exclusive mode and all other Safety Builder sessions are locked out for this plant and all its controllers until the import is finished. This prevents database inconsistencies when SafeNet allocations are updated during import. If the plant cannot be locked, the import function will not proceed.


Controller Management: System Information, COM Statistics, Link Status, Diagnostics, loop monitoring, Remote Reset: One Safety Manager Controller can be viewed by 4 Safety Builders per configured Safety Builder Ethernet connection concurrently. The Safety Manager Controller can be viewed by 1 Safety Builder per configured Safety Builder serial connection concurrently. Note: When a Safety Builder session is configuring the Safety Manager Controller (e.g. during download of a new application), you cannot view the Safety Manager Controller with an Application Viewer installed on another Safety Station.

Application Viewer: The plant is opened for shared use. Other Safety Builder sessions are allowed to also open the plant in shared mode; exclusive access to the plant by other Safety Builder sessions is denied. The Safety Manager Controller is opened for shared use. Other Application Viewer and Controller Management sessions can be started for the same Safety Manager Controller; exclusive access to the Safety Manager Controller by other Safety Builder sessions is denied. If the lock on the plant database or Safety Manager database fails, the Application Viewer will not proceed.

Controller Management: Load: The concurrent access behavior of the Point Configurator is almost equal to the behavior applicable for the Application Viewer, except: during Load, the Safety Manager Controller database is opened in exclusive mode and all other Safety Builder sessions for the same Safety Manager Controller are denied until Load finishes.
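The open rules above, as an added model (not Honeywell's code) that encodes them as a shared/exclusive lock table per plant and per controller; session names, controller names and the SafeNet peer mapping are constructed for the example.

```python
"""Model of the Safety Builder concurrent-access rules (plant and controller locks).

Added illustration, not Honeywell code: the shared/exclusive open rules of the
Multi User section are encoded as a small lock table. Each session is assumed
to run one activity at a time, so a failed open releases only what it just took.
"""
from dataclasses import dataclass, field

MAX_SESSIONS = 5  # at most five Safety Builders may connect to one plant database


@dataclass
class LockTable:
    """resource -> {session: "shared" | "exclusive"}"""
    holders: dict = field(default_factory=dict)

    def acquire(self, resource, session, mode):
        """Grant the lock or return False (the calling function then does not proceed)."""
        held = self.holders.setdefault(resource, {})
        others = {s: m for s, m in held.items() if s != session}
        if mode == "exclusive" and others:
            return False          # any other holder, shared or exclusive, blocks exclusive
        if mode == "shared" and "exclusive" in others.values():
            return False          # an exclusive holder blocks shared openers
        held[session] = mode
        return True

    def release(self, resource, session):
        self.holders.get(resource, {}).pop(session, None)


class SafetyBuilderPlant:
    def __init__(self, controllers, safenet_peers=None):
        self.locks = LockTable()
        self.controllers = set(controllers)
        self.peers = safenet_peers or {}   # controller -> SafeNet peer controller (constructed)
        self.sessions = set()

    def connect(self, session):
        """A sixth Safety Builder is refused (five per database at most)."""
        if session not in self.sessions and len(self.sessions) >= MAX_SESSIONS:
            return False
        self.sessions.add(session)
        return True

    def network_configurator(self, session):
        """'Start configuration' wants the plant exclusively; otherwise view-only mode."""
        if self.locks.acquire("plant", session, "exclusive"):
            return "exclusive"
        return "view-only"

    def controller_configurator(self, session, ctrl):
        """Hardware Configurator, Application Editor, Compiler, Point Configurator:
        plant shared plus controller exclusive, all or nothing."""
        if not self.locks.acquire("plant", session, "shared"):
            return False
        if not self.locks.acquire(ctrl, session, "exclusive"):
            self.locks.release("plant", session)
            return False
        return True

    def safenet_point_change(self, session, ctrl):
        """A point change touching a SafeNet allocation also locks the peer controller;
        if the peer cannot be locked the allocation is left unchanged (False)."""
        if not self.controller_configurator(session, ctrl):
            return False
        peer = self.peers.get(ctrl)
        return peer is None or self.locks.acquire(peer, session, "exclusive")

    def point_import(self, session):
        """Point import needs the whole plant exclusively until it finishes."""
        return self.locks.acquire("plant", session, "exclusive")

    def application_viewer(self, session, ctrl):
        """Application Viewer / Controller Management: plant shared, controller shared."""
        if not self.locks.acquire("plant", session, "shared"):
            return False
        if not self.locks.acquire(ctrl, session, "shared"):
            self.locks.release("plant", session)
            return False
        return True

    def load(self, session, ctrl):
        """Load holds the controller exclusively until it finishes."""
        return self.locks.acquire(ctrl, session, "exclusive")
```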

Copy Plant: The copy plant functionality allows making exact copies of existing safety solutions via a menu-driven, step-by-step procedure. Copy plant enables cost-effective engineering when similar process units are used within a facility or within a company. Figure 31 shows an example of a plant being copied within Safety Builder.

Figure 31 — Copy plant


Bulk copy: Safety Builder supports bulk copy of Safety Manager Controller applications from any plant. This allows for easy configuration of multiple similar controllers and limits the possibility of human errors during the application design. By default, all point data will be copied. The Safety Builder import wizard uses an easy 3-step procedure; below is an overview of the steps to take:

1. Select the Safety Manager Controller to import FLDs from (Figure 32).
2. Define the FLDs' desired position and name (Figure 33).
3. Import the FLDs (Figure 34).

Figure 32 — Select the Safety Manager Controller to import FLDs from.

Figure 33 — Define the FLDs desired position and name

Figure 34 — Import the FLDs


Bulk rename: Safety Builder supports bulk rename of Safety Manager Controller applications from any plant. This allows for easy bulk renaming of tagnumbers in a Safety Manager Controller database and limits the possibility of human errors during the application design. Use the extended function of the import, “Rename of IO Point tagnumber”, to change tagnumbers of IO points on newly imported FLDs.

Bulk delete: Safety Builder supports bulk delete of Safety Manager Controller applications from any plant. This allows for easy bulk deleting of tagnumbers in a Safety Manager Controller database and limits the possibility of human errors during the application design. Use the extended function of the import, “Rename of IO Point tagnumber”, to delete tagnumbers.

Safety Manager Simulation mode

Safety Manager Simulation mode is a unique feature that allows loading any Safety Manager application, independent of its hardware configuration, into a Safety Manager controller. The actual controller is not required; any controller is suitable, but typically a Safety Manager demo box is used. This means that most of the required validation and training can be done from behind a desk. While a controller is operational in simulation mode, the following items can easily be checked and validated:

- Validate correct functioning of the safety application.
- Develop, validate and practice On Line Modification and application behavior before and after the modification.
- Validate and test communication to external devices like:
  o Experion
  o other Safety Managers (using SafeNet)
  o DCS using Modbus (RTU and TCP/IP)
  o Universal Safety IO
  o Safety Historian


Safety Manager Simulation mode is also ideal for training purposes; maintenance, operations and engineering may use Safety Manager simulation mode to:

- Get familiar with Safety Manager
- Practice and learn Safety Manager system behavior
- Learn the integration between Safety Manager and Experion
- Simulate process and safety conditions
- Learn how to handle process upsets

Configuration is easy, as can be seen in Figure 35 below: just set the controller to simulation and the application can be loaded in any controller.

Figure 35 — Safety Manager Simulation mode configuration


Safety Manager Diagnostics

Safety Manager continuous self-tests enable the system to collect valuable information on the diagnostic status of its own hardware and the field equipment. The system uses this information to ensure uninterrupted functional safety of the plant. In addition, the system provides the diagnostic information to the user, via the diagnostic displays of Safety Builder. Through its diagnostics, Safety Manager supports maintenance engineers in allocating and resolving failures effectively, thus reducing the Mean Time To Repair (MTTR) and minimizing the risk of a plant trip.

On-Line Modification

On-Line Modification (OLM) is a TÜV-approved Safety Manager option that is supported by Safety Manager configurations with a redundant Controller. It enables modification of the application software, system software and Safety Manager hardware configuration while maintaining the system's critical control function for the operational plant. This means that the system can be upgraded without the need for a plant shutdown. It also allows migrating Safety Manager to the latest software version, enabling the latest functions and features, without disturbing the process or requiring a plant shutdown. During an on-line modification, the changes are carried out in one Control Processor at a time. Meanwhile, the other Control Processor continues to monitor the process. Safety Manager always performs a compatibility check across the control programs in order to guarantee a safe changeover from the old control function to the new one. A report is generated with details about all the safety-critical changes that have been implemented. It also reports the numbers of the functional logic diagrams (FLDs) that have been changed, which complies with the 'verification requirements' of IEC 61508 / IEC 61511 and ANSI/ISA S84.01. Also, while a Safety Manager is carrying out an OLM, Safety Manager remains SIL1, SIL2 or SIL3, with no restrictions or limitations.

Power System

Reliability of process data depends on the reliability of all related hardware of the process loop, i.e. sensing device, IO wiring, IO channel hardware and the required power supply voltages. Where possible, Safety Manager provides the supply power to the electronics of the entire loop, including the field instrumentation. The result is a fully integrated solution for reliable (safety) data gathering and related safeguarding actions, with the following advanced features:

- Electronically short-circuit proof,
- Loop monitoring for short-circuiting and lead breakage, and
- Checking of the operational band of analog transmitters.


Where other systems require linkage of several externally mounted parts to establish the entire data collection chain, the Safety Manager solution offers the fully integrated and tested loop approach as demanded by IEC 61508 / IEC 61511 and ANSI/ISA S84.01.

Write Protection (Firewall)

To maintain safe, reliable and secure operation of Safety Manager, the system does not allow direct write access to its hardwired IO via communication links. A hardware firewall has been embedded such that write requests received via the Universal Safety Interface (USI) are passed on to the Safety Manager control program via dedicated Boolean and numerical inputs. These inputs appear in the input area of the Functional Logic Diagrams, where the conditions for write access have been defined. This functionality is part of our cyber security architecture and is verified during cyber security certifications.

IO Signal Forcing

For maintenance reasons, it may be desirable to force an input or an output signal to a certain fixed state, e.g. when exchanging a defective input sensor. This allows the sensor to be exchanged without affecting the continuation of production. During the exchange, the applicable input is forced to its normal operational state. While being desirable in some situations, forcing a signal to a specific, fixed value may also create a potentially hazardous condition. Safety Manager provides a force function which supports maintenance personnel in applying forces consciously. It only allows forcing of signals that were specifically selected during the system design. During operation, the system is protected against unauthorized forces via a key switch. Forcing of Safety Manager signals is only possible via Safety Builder, using a password-protected software function. All forcing actions are included in Safety Manager event reports for traceability purposes.
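The three safeguards described above (design-time selection, key switch, password-protected function) and the event record, as an added model that is not Honeywell's code; the password check is reduced to a verified-user flag, and tag and user names are constructed.

```python
"""Model of the IO signal forcing safeguards (added illustration, not Honeywell code).

A force is applied only when the tag was selected as forceable at design time,
the force-enable key switch is on, and the request comes through the
password-protected Safety Builder function (modelled as a verified-user flag).
Every action, granted or refused, is recorded as an event; the active force
count is what a status display would report.
"""
from dataclasses import dataclass, field


@dataclass
class ForceManager:
    forceable: frozenset                         # tags selected for forcing during design
    key_switch_enabled: bool = False             # physical key switch position
    forces: dict = field(default_factory=dict)   # tag -> forced value
    events: list = field(default_factory=list)   # event report entries

    def _check(self, tag, verified_user):
        """Return a refusal reason, or None when all three safeguards are satisfied."""
        if not verified_user:
            return "password check failed"
        if not self.key_switch_enabled:
            return "key switch not in force position"
        if tag not in self.forceable:
            return "tag not selected for forcing at design time"
        return None

    def apply_force(self, tag, value, user, verified_user):
        """Return True if the force is now active."""
        reason = self._check(tag, verified_user)
        if reason:
            self.events.append(f"FORCE DENIED {tag} by {user}: {reason}")
            return False
        self.forces[tag] = value
        self.events.append(f"FORCE SET {tag}={value} by {user}")
        return True

    def remove_force(self, tag, user, verified_user):
        """Removing a force is subject to the same safeguards as applying one."""
        reason = self._check(tag, verified_user)
        if reason or tag not in self.forces:
            self.events.append(
                f"FORCE REMOVE DENIED {tag} by {user}: {reason or 'no force active'}")
            return False
        del self.forces[tag]
        self.events.append(f"FORCE REMOVED {tag} by {user}")
        return True

    def force_count(self):
        return len(self.forces)

    def effective(self, tag, field_value):
        """Value the control program sees: the forced value while a force is active."""
        return self.forces.get(tag, field_value)
```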


Experion PKS Integration

Advanced Experion integration: By using the CDA (Control Data Access) mechanism, fast and reliable data exchange between Safety Manager and Experion PKS is established. The advanced Experion integration also enables detailed Safety Manager system status, configuration information, application data and Alarm & Events integration without the need for additional engineering. Advanced Experion Integration includes:

Single point of data entry: Detailed point configuration is done only once. By using Safety Builder, point configuration details like engineering units, SOE/Alarm limits and many other parameters (see Figure 36 below) are entered once and then published to Experion without the need for any further configuration or engineering within Experion.

Figure 36 — Point configuration including Experion integration


IEC 61508-approved point publishing and integration methodology: The unique publishing and integration method keeps strict segregation between the Safety Manager and Experion point databases (see Figure 37 below). It keeps the safety and process environments strictly separated, providing an additional security layer without losing operational integration. The architecture is such that only those points defined by the safety engineer will be accessible by Experion. During application development or maintenance, the safety engineer is automatically informed when publication is required.

Figure 37 — Safety Manager Experion Point publishing

Safety Manager acting as an FTE node within the Experion architecture: As Safety Manager acts as a Fault Tolerant Ethernet (FTE) node within the Experion communication architecture, maximum integration availability is guaranteed. Also, being part of the FTE environment, detailed Safety Manager node properties and diagnostics are available via the Experion FTE Status Display. See Figure 38 below.

Figure 38 — Node status display showing Safety Manager as an FTE node


Peer-to-peer communication between Safety Manager and Experion nodes: The Safety Manager Experion integration provides seamless peer-to-peer integration into C300, ACE and SIM C300 (see Figure 39). This allows for reliable and cost-effective data exchange between the process safety controllers and different process control environments within a broad field of applications.

Figure 39 — Safety Manager Integration architecture

As an example, sharing data between Safety Manager and Experion controllers supports the following scenarios:

Make Safety Manager point data instantly available at the process control level: This allows the use of field sensor data originating from the safety layer in the process control layer. This reduces costs by reducing the installed field sensor equipment by 30%, thus saving over US$750,000.00 on an average process unit. Reducing the installed field equipment will further reduce maintenance cost.

A Safety Manager-managed process upset allows for a “soft landing” of the downstream process with the C300 Controller. This avoids the downstream ESD demand, manages the downstream process shutdown and provides an easier process restart after a process upset.

The “soft landing” principle will increase the process uptime and decrease the consequence of a process trip. This can result in a cost reduction of US$100,000 a year for a process unit.

Automatic process interlock from shutdown valve to control valves. This prevents the PID from winding up and the control valve from ramping wide open, and will prevent a surge when the shutdown valve is subsequently opened.

Automatically bypassing a low flow or pressure trip on a pump discharge based on the running status of the pump.

Automatic suppression of alarms in either the C300 Controller or Safety Manager when some process units are out of service or a trip is in bypass. For example, when Safety Manager trips a pump, it will suppress any process control system un-commanded change alarms.

Automatic opening and closing of shutdown valves during a compressor purge sequence.

Integrated Alarm & Events (notifications): Safety Manager Experion integration provides integrated Alarm & Events within the Experion infrastructure. It allows viewing relevant notifications for both process and safety statuses within one window. Being integrated into the general Experion System Alarm displays, analysis and decision making has never been easier, safer and faster.

Integrated Sequence of Events (SOE): Safety Manager integrates the sequence-of-events (SOE) features as supported by Safety Manager into the Experion server. Safety Manager supports SOE for digital inputs and outputs, analog inputs and outputs and marker points. Each tag name that has been “SOE-enabled” is time-stamped by the Safety Manager Controller and reported to the Experion Server, where it is incorporated into the standard Experion Server SOE list, which allows for detailed search, filter and automated archive functionality. Standard SOE displays are available to view the events as they are reported.

Detailed Safety Manager system statuses and diagnostic information: Without the need for additional engineering or configuration, the Safety Manager Experion integration provides detailed information related to system status and detailed diagnostic information. These include: Figure 40 shows detailed Safety Manager Controller information as available within Experion, including Controller status, node number, temperature, force count and more relevant details.

Figure 40 — Detailed Safety Manager information via Experion


Figure 41 and Figure 42 show the Safety Manager IO configuration point details as available within Experion. These standard displays are automatically available for every configured IO module including Chassis IO, Safety Manager Universal Safety IO and Safety Manager Universal Safety Logic Solver modules. Configuration, application and status details for every IO module and allocated points provide relevant information enabling reduction of engineering and maintenance cost over the lifetime of the solution.

Figure 41 — Safety Manager Analog input module status available via Experion

Figure 42 — Safety Manager Analog input module configuration details via Experion


Communication with Basic Process Computer Systems

Safety Manager supports the exchange of control program data with basic process control systems (BPCS) through serial communication links, using the non-proprietary Modbus RTU communication protocol or Ethernet based communications through Modbus TCP. The following information can be exchanged:

- analog process data as scanned by the Safety Manager Controller through its input interfaces,
- trip settings,
- trip status,
- the Safety Manager Controller alarm status, and
- time synchronization.

Data written to the Safety Manager Controller is available in the Safety Manager application via digital and numerical input variables, which allow the user to define the conditions of use in the control strategy. To maintain safe, reliable and secure operation of Safety Manager, the system does not allow direct write access to its hardwired IO via communication links. A hardware firewall has been embedded such that write requests received via the Universal Safety Interface (USI) are passed on to the Safety Manager control program via dedicated Boolean and numerical inputs. These inputs appear in the input area of the Functional Logic Diagrams, where the conditions for write access have been defined. This functionality is part of our cyber security architecture and is verified during cyber security certifications.
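The write-protection rule described here and in the Write Protection (Firewall) section, as an added model that is not Honeywell's code: link writes can only land in dedicated Boolean or numerical input variables, and an FLD-style scan (plain Python here) decides whether the written value has any effect. Tag names, the setpoint band and the bypass permissive are constructed for the example.

```python
"""Model of the Safety Manager write-protection ("firewall") rule.

Added illustration, not Honeywell code. A write arriving over a communication
link (USI / Modbus) can only land in a dedicated Boolean or numerical input
variable; hardwired field inputs and outputs are never valid write targets.
The control program (one FLD-style scan written in Python) then decides
whether the written value is used. Tags, limits and permissives are constructed.
"""
from dataclasses import dataclass, field

SP_MIN, SP_MAX = 60.0, 95.0   # design band accepted for a remote trip setpoint (constructed)


@dataclass
class Controller:
    # Dedicated link-writable inputs: the only place a remote write can land.
    comm_bool_inputs: dict = field(default_factory=lambda: {"BYPASS_REQ": False})
    comm_num_inputs: dict = field(default_factory=lambda: {"TRIP_SP_REQ": 80.0})
    # Hardwired field inputs, scanned by the controller itself.
    field_inputs: dict = field(default_factory=lambda: {
        "PT_101": 85.0, "PUMP_RUN": False, "SP_CHANGE_ENABLED": False})
    # Hardwired outputs, driven only by the control program.
    outputs: dict = field(default_factory=lambda: {"XV_101": True})
    trip_sp: float = 80.0                      # setpoint currently used by the trip logic
    events: list = field(default_factory=list)

    def comm_write(self, tag, value):
        """Route a link write to its dedicated input, or refuse it."""
        if tag in self.comm_bool_inputs and isinstance(value, bool):
            self.comm_bool_inputs[tag] = value
            self.events.append(f"COMM write {tag}={value}")
            return "accepted"
        if (tag in self.comm_num_inputs and isinstance(value, (int, float))
                and not isinstance(value, bool)):
            self.comm_num_inputs[tag] = float(value)
            self.events.append(f"COMM write {tag}={value}")
            return "accepted"
        # Outputs, field inputs, unknown tags or wrong types: there is nothing to write to.
        self.events.append(f"COMM write REJECTED {tag}={value!r}")
        return "rejected"

    def scan(self):
        """One control-program execution; returns the state of output XV_101."""
        req = self.comm_num_inputs["TRIP_SP_REQ"]
        # The requested setpoint is adopted only with the hardwired permissive set
        # and the value inside the design band; otherwise it is simply ignored.
        if (self.field_inputs["SP_CHANGE_ENABLED"] and SP_MIN <= req <= SP_MAX
                and req != self.trip_sp):
            self.events.append(f"TRIP_SP {self.trip_sp} -> {req}")
            self.trip_sp = req
        # A remote bypass request is honoured only while the pump is stopped
        # (low discharge pressure is then expected); the field status decides.
        bypass = self.comm_bool_inputs["BYPASS_REQ"] and not self.field_inputs["PUMP_RUN"]
        low_pressure = self.field_inputs["PT_101"] < self.trip_sp
        self.outputs["XV_101"] = not (low_pressure and not bypass)
        return self.outputs["XV_101"]
```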


Field Device Manager (FDM) integration

Safety Manager supports smart field devices equipped with HART (Highway Addressable Remote Transducer) technology. HART enabled devices provide detailed diagnostics and allow for cost-saving maintenance solutions like PVST (Partial Valve Stroke Testing). In general, HART provides:

- Device diagnostics
- Device troubleshooting
- Device health and status
- Device configuration or re-configuration
- Additional measurement values provided by the device

All HART enabled devices connected to Safety Manager are able to provide detailed device information to the Honeywell Field Device Manager (FDM). Honeywell FDM is a centralized asset management system for remote configuration and maintenance of smart field devices. Honeywell FDM simplifies maintenance tasks, saves time and provides the flexibility and scalability to perform complete device configuration and management tasks in the plant environment through smart plant instrumentation.

Both Safety Manager Chassis IO and Safety Manager Universal Safety IO support HART technology. For Safety Manager Chassis IO, HART-supporting FTAs (Field Terminal Assemblies) are available to enable the HART functionality. Safety Manager Universal Safety IO modules support HART pass-through: HART enabled field devices connect directly to the Safety Manager Universal Safety IO field terminals and use the standard system network infrastructure into Honeywell’s Field Device Manager (FDM) without the need for any additional infrastructure, engineering or application configuration. When integrated into Experion, HART device alerts are supported via Experion MUX monitoring. The pass-through FDM integration is supported independently of the chosen Experion integration and can also be used in a standalone configuration.


Safety Manager Universal Safety IO HART pass through functionality

Safety Manager Universal Safety IO supports HART pass through directly into Field Device Manager (FDM). The high performance interaction between Safety Manager and FDM is transparent, easy to maintain and cost effective. Figure 42 shows the architecture as used between the intelligent field device and the Field Device Manager, showing the actual device HART information. Device configuration can be done via unmodified use of both Device Description (DD) and Device Type Manager (DTM) technologies as provided by the device vendors.

Figure 43 — HART information from the field to the Field Device Manager


Safety Manager Field Device Manager integration

Configuring an FDM server within the Safety Builder Network Configurator enables the HART pass through functionality. HART enabled devices connected to Safety Manager Universal Safety IO can now be used to interface with FDM (see Figure 44 below).

Figure 44 — FDM server configuration

Safety Builder provides an automatically generated configuration file for Field Device Manager (FDM). This configuration file contains:

- The network topology as defined in Safety Manager
- Safety Manager Universal Safety IO topology details
- HART connected devices including Tag details

Safety Builder provides version management for the FDM integration: the user is notified when the Safety Builder HART configuration has changed and a new import into FDM is required. No additional engineering within FDM is required; all required configuration is done automatically by simply importing the Safety Builder configuration file. See Figure 45 below.

Figure 45 — Safety builder HART configuration import into FDM


Field Device Manager Safety Lock

FDM prevents disruptions caused by unauthorized access or human error with a Safety Lock that prevents write access to HART enabled field devices. By using Safety Builder, customized safety maintenance procedures can define to which HART enabled field devices write access is authorized. Figure 46 below shows the Safety Lock on Safety Manager connected devices. FDM’s powerful audit trail capability logs all device changes with the date and time, the identification of the person who made the change and the reason for the change.

Figure 46 — Safety Lock on Safety Manager connected devices
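The Safety Lock behaviour described above, modelled as an added example (not FDM or Safety Builder code): writes to a HART device are denied by default and allowed only for tags the maintenance procedure authorizes, and every attempt is recorded with date/time, user and reason. The export format, the tag names and the auditing of denied attempts are assumptions.

```python
"""Model of the FDM Safety Lock: default-deny write access per device tag,
authorization taken from a Safety Builder export, mandatory change reason,
and an audit trail entry for every attempt. Added illustration only."""

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-in for a Safety Builder maintenance-procedure export:
# one line per HART device tag, "tag,access" (format is an assumption).
SAFETY_BUILDER_EXPORT = """\
# tag,access
PT-1001,write
FV-2001,read
LT-3002,write
"""


def parse_authorized_tags(export: str) -> set:
    """Return the tags the active maintenance procedure allows writes to."""
    allowed = set()
    for line in export.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, access = line.partition(",")
        if access.strip().lower() == "write":
            allowed.add(tag.strip())
    return allowed


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str      # ISO-8601 date and time of the attempt
    user: str           # identification of the person making the change
    tag: str
    parameter: str
    new_value: str
    allowed: bool       # False = blocked by the Safety Lock
    reason: str


class SafetyLock:
    def __init__(self, authorized_tags: set):
        self._authorized = frozenset(authorized_tags)
        self.audit_trail = []

    def is_writable(self, tag: str) -> bool:
        # Anything not explicitly authorized stays read-only.
        return tag in self._authorized

    def write(self, user: str, tag: str, parameter: str, new_value: str,
              reason: str, now: datetime = None) -> bool:
        """Attempt a device write; returns True only when the lock permits it.
        The attempt is audited whether or not it is allowed (assumption)."""
        if not reason.strip():
            raise ValueError("a reason for the change is mandatory")
        allowed = self.is_writable(tag)
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self.audit_trail.append(
            AuditEntry(stamp, user, tag, parameter, new_value, allowed, reason))
        return allowed


if __name__ == "__main__":
    lock = SafetyLock(parse_authorized_tags(SAFETY_BUILDER_EXPORT))
    lock.write("jdoe", "PT-1001", "upper_range", "150", "recalibration, WO-42")
    lock.write("jdoe", "FV-2001", "travel_limit", "100", "curiosity")
    for entry in lock.audit_trail:
        print(entry)
```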


Safety Manager Physical Characteristics

Safety Manager consists of:

- SM controller, SM IO, and Field interface
- Safety Manager Universal Safety IO
- Safety Manager Universal Safety Logic Solver

Figure 47 shows the different components of Safety Manager.

Figure 47 — Safety Manager Components

For more details about Safety Manager components please refer to the Safety Manager part list SM.PL.6803.


Safety Manager Controller components

The SM Controller consists of:

- Controller chassis
- Control Processor (one or two)
- Battery & Key switch Module

Controller chassis

The Safety Manager controller is placed in the CP chassis (CPCHAS). The CP backplane (CPB), which is integrated into the CP chassis, has the following functions:

- A 32 bit Redundant System Bus between the Control Processors
- 5 Vdc and WD distribution to the IO chassis
- IO bus connections
- Communication connections
- Incoming 24 Vdc power for both Control Processors
- ESD input
- Three common system inputs

Figure 48 shows that the CP chassis is covered at the back.

Figure 48 — Front and rear view of the CP chassis

Control Processor

The Control Processor (CP) is the heart of the Safety Manager controller. It is a modular microprocessor system specifically designed for safety-critical applications and can be tailored to the requirements of many applications. The main Control Processor modules are:


- Quad Processor Pack (QPP)
- Universal Safety Interface (USI)
- Power Supply Unit (PSU)

The Control Processor modules are constructed on a European standard size instrument card. The height of the front panel of the modules is 4 HE (4U); their width is 8 TE (8 HP) for the USI, SMM, PSU and BKM modules, while the QPP module is 16 TE wide. The Control Processor modules are placed in the CP chassis (19" chassis), which is generally located in the top section of the cabinet.

Figure 49 — Control Processor modules

Quad Processor Pack (QPP)

The QPP reads the process inputs and executes the application program created with the Application Editor. The results of the control program are transmitted to the output interfaces. In Safety Manager configurations with a redundant Controller, both QPPs synchronize their operation through a dedicated redundant communication channel, integrated in the Controller backplane. Through continuous testing of Safety Manager hardware and software integrity, the QPP ensures safe operation as well as extensive diagnostics.

The QPP contains a watchdog circuit. It automatically monitors the correct functioning and the operating conditions of the QPP safety processors. The watchdog circuits include the following functions:

- A unique feature of the Safety Manager watchdog is that it verifies if the processor executes its tasks within the defined cycle time.
- The monitored operating conditions include the data integrity check of the processor memory and the voltage range check of the supply power (under voltage and over voltage).
- Deactivate the safety-critical outputs of Safety Manager, regardless of the QPP status, whenever required.

The QPP is also equipped with the following items:

- 4 bus drivers to drive the IO chassis
- A status LED display to show time, date, system information, system status and diagnostics
- Key switch
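The watchdog functions listed above (cycle-time supervision, memory data-integrity check, supply-voltage window, and output deactivation regardless of processor status), worked through as an added fail-safe model that is not Honeywell code. The CRC-32 integrity check, the latching trip cleared only by the Reset key switch, and all limit values are assumptions.

```python
"""Fail-safe watchdog model of the QPP watchdog functions: any failed check
de-energizes the safety-critical outputs (the safe state) and latches until a
key-switch reset. Added illustration only; limits and mechanisms are assumed."""

import zlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WatchdogLimits:
    cycle_time_ms: float   # defined application cycle time (assumed value)
    v_min: float           # under-voltage trip level (assumed)
    v_max: float           # over-voltage trip level (assumed)


@dataclass
class Watchdog:
    limits: WatchdogLimits
    reference_crc: int               # CRC-32 of the memory image taken at start-up
    tripped: bool = False            # latched once any check fails
    outputs_energized: bool = False  # False = de-energized = safe state
    faults: list = field(default_factory=list)

    @staticmethod
    def memory_crc(memory: bytes) -> int:
        return zlib.crc32(memory) & 0xFFFFFFFF

    def check_cycle(self, cycle_time_ms: float, memory: bytes, supply_v: float) -> bool:
        """Evaluate one application cycle. Returns True when every check passed
        and the outputs may stay (or become) energized."""
        if self.tripped:
            self.outputs_energized = False   # latched trip: stay in the safe state
            return False
        problems = []
        if cycle_time_ms > self.limits.cycle_time_ms:
            problems.append(f"cycle time {cycle_time_ms} ms > {self.limits.cycle_time_ms} ms")
        if self.memory_crc(memory) != self.reference_crc:
            problems.append("processor memory data integrity check failed")
        if not self.limits.v_min <= supply_v <= self.limits.v_max:
            problems.append(f"supply voltage {supply_v} V outside window")
        if problems:
            self._trip(problems)
            return False
        self.outputs_energized = True
        return True

    def deactivate_outputs(self, reason: str = "external deactivation") -> None:
        """De-energize the safety-critical outputs on request, independent of QPP status."""
        self._trip([reason])

    def reset(self, key_switch_reset: bool) -> bool:
        """Clear a latched trip only via the Reset key switch (BKM). Outputs stay
        de-energized until the next cycle passes all checks."""
        if not key_switch_reset:
            return False
        self.tripped = False
        self.faults.clear()
        return True

    def _trip(self, reasons) -> None:
        self.tripped = True
        self.outputs_energized = False
        self.faults.extend(reasons)


def demo() -> dict:
    """Constructed sequence: pass, cycle overrun, latch, reset, memory corruption."""
    image = b"application-image-v1"   # constructed stand-in for the processor memory
    wd = Watchdog(WatchdogLimits(cycle_time_ms=250, v_min=4.75, v_max=5.25),
                  reference_crc=Watchdog.memory_crc(image))
    result = {"ok": wd.check_cycle(120, image, 5.0)}
    result["overrun"] = wd.check_cycle(300, image, 5.0)      # cycle time exceeded
    result["latched"] = wd.check_cycle(120, image, 5.0)      # good cycle, still tripped
    result["reset_without_key"] = wd.reset(False)
    result["reset_with_key"] = wd.reset(True)
    result["recovered"] = wd.check_cycle(120, image, 5.0)
    result["corrupt"] = wd.check_cycle(120, b"application-image-v2", 5.0)
    result["faults"] = list(wd.faults)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```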


Universal Safety Interface (USI)

USI is a communication module with universal safety interfaces. Safety Manager uses the USI to exchange information with other equipment. The USI is equipped with 2 Ethernet interfaces and 2 serial interfaces, for either RS-232 or RS-485 (configurable). A Control Processor can accommodate two USI modules with a maximum of eight external communication links.

Table 10 — Safety Manager Communication Interfaces

Equipment              Physical Interface               Protocol
Experion               Ethernet FTE                     Experion
Experion               Ethernet FTE                     CDA
Experion               Ethernet FTE                     PCDI
Safety Station         RS-232, RS-485, HSE              Proprietary
HMI, DCS               RS-232, RS-485                   Modbus RTU Slave
HMI, DCS               Ethernet                         Modbus TCP Slave
Other Safety Manager   Ethernet, RS-485, Fiber Optic    SafeNet
Safety Historian       Ethernet                         Proprietary

All communication interfaces are galvanically isolated. If the Safety Manager configuration contains redundant Control Processors, the system supports redundant communication. Each Control Processor then has its dedicated connection to the communication peer system.

Power Supply Unit (PSU)

The PSU is galvanically isolated and supplies 5 Vdc power to the SM controller, SM IO and communication FTA.

Battery & Key switch Module (BKM)

The Battery and Key switch Module (BKM) contains:

- a redundant backup battery, to retain a number of system parameters during power outage,
- Reset and Force Enable key switches with redundant contacts.

Only one BKM is required in a Controller chassis. It serves both redundant and non-redundant configurations.

SM IO components

Note: SM IO stands for Safety Manager IO. This type of IO is always chassis-mounted within a Safety Manager cabinet. This type of IO is also called ‘Chassis IO’.

Safety Manager IO consists of:

- IO chassis
- IO bus
- IO modules


IO chassis

The IO chassis (IOCHAS) is one mechanical housing, which contains the horizontal IO bus backplane, the IO module housing, the IO backplane and a cable tray, and is covered at the back. The local IO chassis contains 18 IO slots. It also contains an IO backplane, IO extenders and IO busses. IO chassis are available for redundant and non-redundant IO.

The IO backplane (IOB) consists of a multi-layer PCB, with one layer being an earth plane to improve EMC/RFI immunity. The front side of the IO backplane contains the Eurocard connectors to install the IO modules and the IO extender module(s). At the back, the IO backplane provides female connectors for the system interconnection cables (SICs), which also connect to the FTA modules. The backside also provides programming connectors, which allow the IO interfaces to be tailored to the specific signal characteristics of the field equipment, e.g. digital line-monitored output impedance. Integrated in the IO backplane is the internal and external power distribution to the IO modules.

Figure 50 — Back and side view Safety Manager IO chassis (panels: back view without cover; side view)


IO bus

The Control Processor controls IO (located in the IO chassis) via an IO bus. An IO extender (located in the IO chassis) communicates with the individual IO modules via a horizontal IO bus. The Control Processor interfaces with the IO system through an IO bus, which is a flatcable that runs vertically in the cabinet. The IO bus is controlled by the IO Bus Driver function, which is part of the QPP module.

Figure 51 — Back view of typical Safety Manager with redundant Controller and an IO chassis

Each of the IO chassis contains an IO extender module, which connects to the IO bus. The IO extender module drives the horizontal IO bus, which relays the signals from the IO bus to the IO modules via a flatcable. The horizontal IO bus backplane is located on top of each IO chassis. The horizontal IO bus and the flatcables of the IO modules are covered with a sheet steel cover which provides optimum EMC/RFI immunity. The cover plate contains a paper strip which holds the relevant process tagging for signal identification.


IO modules

Chassis IO modules

The Chassis IO modules are constructed on a standard-size instrument card. The height of the front panel of the modules is 3 HE (3U); their width is 4 TE (4 HP). A total of 18 IO modules can be placed per IO chassis. All IO modules are equipped with standard 32-pin DIN 41612F connectors. All IO chassis are provided with an IO backplane, which contains matching 32-pin connectors with key coding to prevent faulty insertion of the IO modules.

Figure 52 — Example of the high density SAI-1620m module

Safety Manager provides an extensive selection of digital and analog input and output interfaces, with different characteristics, to meet the demands of a wide range of field equipment. Table 11 on the next page lists the input and output interfaces available with Safety Manager.


Table 11 — Safety Manager input and output interfaces

Interface        Properties

Digital Input    - 24 Vdc, 48 Vdc and 110 Vdc
                 - 24 Vdc (loop-monitored)
                 - 120-230 Vac
                 - Class I, Division 2, Groups ABCD; Class II, Division 2, Groups FG
                 - Class [Eex ia] IIC intrinsically safe (through external devices)

Digital Output   - 24 Vdc, 48 Vdc, 60 Vdc and 110 Vdc
                 - 24 Vdc, 48 Vdc (loop-monitored)
                 - 120-230 Vac
                 - Dry contact outputs
                 - Class [Eex ia] IIC intrinsically safe (through external devices)

Analog Input     - 0-20 mA, 4-20 mA, 0-25 mA
                 - 0-20 mA and 4-20 mA with HART support (through external devices)
                 - 0-5 V, 1-5 V, 0-10 V and 2-10 V
                 - Class I, Division 2, Groups ABCD; Class II, Division 2, Groups FG
                 - Resistance Temperature Device (RTD) (through external devices)
                 - Thermocouple, types E, J, K and T (through external devices)

Analog Output    - 0-20 mA and 4-20 mA
                 - Class I, Division 2, Groups ABCD; Class II, Division 2, Groups FG

All Safety Manager Chassis IO modules are galvanically or optically isolated between external and internal power supply. Safe IO modules can be used for safety loops for SIL1, SIL2 or SIL3. Safe modules can also be used for control applications, offering the benefits of Safety Manager diagnostic and fault-reporting functions with or without automatically isolating faults (automatic isolation of faults is configurable). All Chassis IO modules are available in redundant and non-redundant arrangements.


Field Interface

Safety Manager uses Field Terminal Assemblies (FTA) and internal cabling to connect IO and communication channels to field terminals.

IO FTA

An FTA module for IO converts input field signals to values appropriate for the Safety Manager input module that is used, or Safety Manager output module signals to values that can be used in the field. To enable this conversion, FTAs can be used in combination with input converter modules or output converter modules. FTA modules are 70 mm (2.76 in) or 109 mm (4.29 in) wide, and their length varies between 90 mm and 300 mm (3.54 and 11.81 in), depending on the FTA type. The modules are mounted on standard DIN EN rails (TS32 or TS35 x 7.5). An FTA may contain electronic circuitry to convert standard Safety Manager signals to specific signals with characteristics required by field equipment. For the connection to the Safety Manager IO modules a standard system interconnection cable FS-SIC-0001 is used for all FTAs. The field cables are connected to terminals (see Figure 53).

Figure 53 — Overview of some terminal type FTAs


Communication FTA

An FTA for communication purposes is wired to a channel of the Universal Safety Interface (USI). Two types of communication FTAs exist:

- Ethernet FTA, providing 100 Mb Ethernet, switch interface
- General purpose FTA, providing RS-232 and RS-485

Cabling

System Interconnection Cables (SIC) connect field signals to IO modules. Depending on the type of SIC cable, an FTA is required to establish the connection.


Safety Manager Universal Safety IO

Safety Manager Universal Safety IO supports 2 module types:

- FC-RUSIO-3224 Universal Safety IO
- FC-RUSLS-3224 Universal Safety Logic Solver

Both module types enable maximum architectural flexibility when safety is required at local and remote locations. They have the unique feature that each channel can be configured individually to be AI, DI, DO or AO. Every module has a capacity of 32 freely configurable channels.

Figure 54 — Safety Manager Universal Safety IO Module

By applying the proven-in-use Quadruple Modular Redundancy (QMR) technology, uninterrupted process operation is guaranteed: even during on-process modifications or upgrades, the safeguarded process continues to operate at the highest safety level and maximum process availability. The Universal Safety IO modules support universal 2 wire termination and are certified to be used in TÜV SIL1, SIL2 and SIL3 applications. The robust design makes them suitable for harsh conditions and extreme temperature ranges, allowing a broad field of application. Safety Manager Universal Safety IO modules are available in redundant and non-redundant configurations, allowing adaptation to safety and availability requirements.

Interfacing into Safety Manager is established via the SIL3 certified SM RIO link infrastructure. A maximum of 28 modules (redundant and/or non-redundant) may be configured in one network. Both module types can be used within the same network, fully adapting to the specific safety requirements. Universal Safety IO modules are compatible with existing Safety Manager configurations, which can easily be extended with Universal Safety IO technology.

Safety Manager Universal Safety IO modules support the TÜV certified On Line Modification methodology. Application configuration changes, channel configuration changes, network topology modifications and addition or removal of Safety Manager Universal Safety IO modules can be done on line without disturbing the process.

Safety Manager Universal Safety IO supports HART pass through. HART enabled field devices connect directly to the module field terminals. Without the need for any additional infrastructure, the detailed HART diagnostic information is available within Honeywell’s Field Device Manager (FDM), enabling cost effective maintenance and maximized process uptime.

Local time stamping is supported via Low Latency SOE. It enables time stamping with high accuracy. All SOE within the safety solution is gathered via Safety Manager and made available via the Experion SOE event log. All relevant process and system diagnostics details related to Safety Manager Universal Safety IO modules are available within Safety Manager and are visualized via Safety Builder and Experion. Safety Manager Universal Safety IO modules may also be used and configured in a Safety Manager Advanced Redundancy Technique (A.R.T.) architecture.

FC-RUSIO-3224, Universal Safety IO

Being an integrated part of the Safety Manager architecture, all Universal Safety IO (FC-RUSIO-3224, Figure 55) configured channels are interfaced to Safety Manager. This means a transparent safety application, allowing tags allocated to the Safety Manager Universal Safety IO to be used on Functional Logic Diagrams (FLD). These tags are executed within Safety Manager’s Quad Processor Pack (QPP) execution environment.

Figure 55 — FC-RUSIO-3224 Universal Safety IO

Safety Manager Universal Safety IO works independently from, yet integrated with, Safety Manager. This means that failures on Universal Safety IO modules or the RIO link network will not influence the availability of Safety Manager. As Safety Manager Universal Safety IO executes its own diagnostic algorithms, it will go to a predefined safe state even when the communication to Safety Manager is lost.


FC-RUSLS-3224, Universal Safety Logic Solver

The Universal Safety Logic Solver module (FC-RUSLS-3224, Figure 56) provides its own execution environment and has the capacity to execute Functional Logic Diagrams (FLDs) locally.

Figure 56 — FC-RUSLS-3224 Universal Safety Logic Solver

As the execution environment of the Safety Manager Universal Safety Logic Solver works independently of Safety Manager, the Safety Manager Universal Safety Logic Solver remains operational even when the communication to Safety Manager is disturbed or when Safety Manager is in shutdown. The locally safeguarded process continues to operate at the highest safety level and maximum process availability. Safety Manager Universal Safety Logic Solver supports all functions and features of Universal Safety IO (FC-RUSIO-3224).


Communication with Safety Manager Universal Safety IO

Safety Manager Universal Safety IO integrates with Safety Manager via SM RIO Link, a SIL3 proprietary protocol specifically designed for Universal Safety IO type modules to achieve maximum safety and reliability for local and remote locations. It supports localized and distributed safety solutions or a mix of these. Up to 28 redundant Universal Safety IO modules may be connected to a Safety Manager. This allows for approximately 900 freely configurable IO channels in addition to conventional Safety Manager Chassis IO channels. A maximum of six certified switch levels can be used between Safety Manager and any Universal Safety IO module; the maximum distance is 100 km. The universality of the channels, the capability to be installed at remote locations and the robust design allowing use in harsh conditions make these modules ideal for wellhead, offshore and pipeline applications. Safety Manager Universal Safety IO can be used for safety solutions which are localized, distributed or a mix of both. Figure 57 shows a typical layout of a safety solution using both Chassis IO and Safety Manager Universal Safety IO for local and remote locations.

Figure 57 — Example of a Safety Manager Universal Safety IO communication layout


Safety Manager Universal Safety IO components

The Safety Manager Universal Safety IO solution consists of different components:

- Mounting Carrier
- IO Termination Assembly
- Universal Safety IO modules
- Redundant Power Supply Assembly

Assembled together, they form a 32 channel Universal Safety IO solution (see Figure 58).

Figure 58 — Safety Manager Universal Safety IO assembly (labelled parts: MCAR, IOTA)

Mounting Carrier

The standard Mounting Carrier (MCAR) is a carrier that can be screwed on any flat surface. It is suitable to carry one assembly. The MCAR consists of:

- a metal profile
- a plastic cover plate
- a ground rail with 16 ground connection screws
- two power rails with M5 holes (+24V and 0V)
- stacking option for multiple MCARs (per 3 ft)
- four mounting holes (6.35 mm diameter)


Redundant IO Termination Assembly

The Redundant IO Termination Assembly (IOTA) allows the use of a redundant set of Safety Manager Universal Safety IO modules (see also Figure 58). An IOTA provides for:

• Connectors for two (redundant) Universal Safety IO modules.
• 32 (universal) IO channel connections (CN1 and CN2).
• Two power switches to switch off the Universal Safety IO modules.
• Enable / Disable SM RIO ESD function for CH32.
• 4 (identical) V+ connections (CN3), for active AI devices.
• Two RJ45 connectors for RIO Link A and RIO Link B.
• Node Address jumper.
• 24V power connection screws to the carrier power rails.

Non-Redundant IO Termination Assembly

The Non-Redundant IO Termination Assembly (IOTA) allows the use of a single Safety Manager Universal Safety IO module. An IOTA provides for:

• Connectors for a single Universal Safety IO module.
• 32 (universal) IO channel connections (CN1 and CN2).
• A power switch to switch off the Universal Safety IO module.
• Enable / Disable SM RIO ESD function for CH32.
• 4 (identical) V+ connections (CN3), for active AI devices.
• Two RJ45 connectors for RIO Link A and RIO Link B.
• Node Address jumper.
• 24V power connection screws to the carrier power rails.

Safety Manager Universal Safety IO

The Safety Manager Universal Safety IO module is a Series C form factor IO module for safety applications. It interfaces via a Safety Manager and is suitable for SIL1, SIL2 and SIL3 safety applications. The device functions as a Universal Safety IO module within the Safety Manager architecture. It executes:

- the input scan of the process variables,
- all functional tests of its hardware,
- data exchange with its partner module,
- update of the outputs and thus the process,
- data exchange via the SM RIO link with the SM Controller that executes the application logics (FC-RUSIO-3224 Universal Safety IO),
- data exchange via the SM RIO link with the SM Controller that acts as the gateway (FC-RUSLS-3224 Universal Safety Logic Solver),


Safety Manager Universal Safety IO modules provide for:

- 32 Universal Safety IO channels with configurable channel function
- All channels are powered out of the 24 Vdc supply
- Support for two (redundant) SIL3 SM RIO Links to communicate with a SM Controller

Each channel can be configured as:

- Digital input (DI) (with or without loop monitoring)
- Digital output (DO) (with or without loop monitoring)
- Analog input (AI) (0-20 mA or 4-20 mA active)
- Analog output (AO) (0-20 mA or 4-20 mA active)
- Smoke/Heat detector

As a standard solution Safety Manager Universal Safety IO is suitable to be used in:

- Class 1 Div 2 environments
- ATEX Zone 2 environments

Redundant Power Supply Assembly

For standard Safety Manager Universal Safety IO solutions, a Redundant Power Supply Assembly is available (see Figure 59). The power supply assembly provides:

- Redundant 25 Vdc, 12 A power
- Embedded power distribution
- Certified for SIL1, SIL2 and SIL3 safety applications
- Wide temperature range (-40 to +70 °C, -40 to +158 °F)

One Power Supply carrier has:

- two AC power input connectors for redundant feeders
- one 25 Vdc power output connector to connect the MCAR
- four fused 25 Vdc output connectors to connect auxiliary equipment
- one fault output connector
- two power supply units

Power in: 102-132 Vac, 196-253 Vac, 47-63 Hz
Power out: 25 Vdc, 12 A

Figure 59 — Universal Safety IO Redundant Power Supply


Safety Manager Universal Safety IO special features

Line Monitoring

As a default, all available IO configurations are equipped with line monitoring functionality. This allows for both lead breakage and short circuit detection for all configured channels without the need for special and/or dedicated hardware.

High current outputs

For some applications high load outputs may be required; for these applications the Safety Manager Universal Safety IO output channels can be combined to drive higher currents to the field. Safety Manager Universal Safety IO allows combining up to 4 output channels, enabling a 2 A output. Configuration is done via application software and physically via a 4 pin fork (see Figure 60). This allows for easy and flexible configuration of 500 mA (standard), 1 A and 2 A output channels.

Figure 60 — Universal Safety IO High current output configuration

ESD input

Safety Manager Universal Safety IO is equipped with a special configurable ESD (Emergency Shut Down) input that switches off all the configured Digital Outputs in case of an unwanted situation in the process unit controlled by this Safety Manager Universal Safety IO module. This concept allows for controlled emergency shutdowns limited to the areas affected.
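The channel configuration rules from this section and the earlier module description (32 freely configurable channels, up to 4 output channels combined for 500 mA / 1 A / 2 A, an ESD input that de-energizes every configured DO, at most 28 modules per SM RIO network), worked as an added configuration-validation example that is not Safety Builder or Honeywell code. Assumptions: the ESD input occupies CH32 when enabled (taken from the IOTA’s “ESD function for CH32” switch), two combined channels give 1 A, combined channels are adjacent, and all class, function and tag names are hypothetical.

```python
"""Configuration model and validator for a Safety Manager Universal Safety IO
module and its SM RIO network. Added illustration only; see the lead-in for
which rules are taken from the specification and which are assumptions."""

from dataclasses import dataclass, field
from enum import Enum


class Func(Enum):
    DI = "digital input"
    DO = "digital output"
    AI = "analog input"
    AO = "analog output"
    SMOKE_HEAT = "smoke/heat detector"
    UNUSED = "unused"


CHANNELS = 32                                # channels per module (specification)
ESD_CHANNEL = 32                             # ESD input on CH32 when enabled (assumption)
MAX_MODULES_PER_NETWORK = 28                 # modules per SM RIO network (specification)
GROUP_CURRENT_A = {1: 0.5, 2: 1.0, 4: 2.0}   # 1 A for two channels is an assumption


@dataclass
class UsioModule:
    name: str
    functions: dict                          # channel number (1..32) -> Func
    esd_enabled: bool = False
    output_groups: list = field(default_factory=list)   # tuples of DO channels on one fork

    def validate(self) -> list:
        """Return a list of configuration errors (empty when the module is valid)."""
        errors = []
        for ch in self.functions:
            if not 1 <= ch <= CHANNELS:
                errors.append(f"channel {ch} out of range 1..{CHANNELS}")
        if self.esd_enabled and self.functions.get(ESD_CHANNEL, Func.UNUSED) is not Func.UNUSED:
            errors.append(f"CH{ESD_CHANNEL} is reserved for the ESD input while ESD is enabled")
        used = set()
        for group in self.output_groups:
            chs = tuple(sorted(group))
            if not chs:
                errors.append("empty output group")
                continue
            if len(chs) not in GROUP_CURRENT_A:
                errors.append(f"group {chs}: size must be 1, 2 or 4 channels")
            if any(self.functions.get(ch) is not Func.DO for ch in chs):
                errors.append(f"group {chs}: every member must be configured as DO")
            if chs != tuple(range(chs[0], chs[0] + len(chs))):
                errors.append(f"group {chs}: members must be adjacent channels")
            if used & set(chs):
                errors.append(f"group {chs}: channel already in another group")
            used.update(chs)
        return errors

    def output_current_a(self, channel: int) -> float:
        """Rated current of a DO channel: 0.5 A standard, more when combined on a fork."""
        if self.functions.get(channel) is not Func.DO:
            return 0.0
        for group in self.output_groups:
            if channel in group:
                return GROUP_CURRENT_A[len(group)]
        return GROUP_CURRENT_A[1]

    def resolve_outputs(self, commands: dict, esd_active: bool) -> dict:
        """States driven to the field for every configured DO. An active ESD input
        switches all of them off regardless of the application command."""
        return {ch: (not esd_active) and bool(commands.get(ch, False))
                for ch, fn in self.functions.items() if fn is Func.DO}


def validate_network(modules: list) -> list:
    """Network-level checks followed by each module's own checks."""
    errors = []
    if len(modules) > MAX_MODULES_PER_NETWORK:
        errors.append(f"{len(modules)} modules exceed the maximum of {MAX_MODULES_PER_NETWORK}")
    names = [m.name for m in modules]
    if len(set(names)) != len(names):
        errors.append("duplicate module names")
    for m in modules:
        errors.extend(f"{m.name}: {e}" for e in m.validate())
    return errors


def network_capacity(module_count: int) -> int:
    """Freely configurable channels on one network (28 x 32 = 896, the 'approximately 900')."""
    return min(module_count, MAX_MODULES_PER_NETWORK) * CHANNELS


def example_module() -> UsioModule:
    """Constructed configuration: inputs, a 2 A and a 1 A combined output, ESD on CH32."""
    funcs = {ch: Func.DI for ch in range(1, 9)}
    funcs.update({ch: Func.AI for ch in range(9, 17)})
    funcs.update({ch: Func.DO for ch in range(17, 25)})
    funcs.update({ch: Func.AO for ch in range(25, 29)})
    funcs[29] = Func.SMOKE_HEAT
    return UsioModule("USIO-01", funcs, esd_enabled=True,
                      output_groups=[(17, 18, 19, 20), (21, 22)])


if __name__ == "__main__":
    m = example_module()
    print("errors:", m.validate())
    print("CH17 rating:", m.output_current_a(17), "A")
    print("outputs during ESD:", m.resolve_outputs({17: True, 23: True}, esd_active=True))
```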


Safety Manager Universal Safety IO Field Terminal Assemblies

Safety Manager Universal Safety IO supports universal 2 wire termination and allows for a direct connection of field devices to the terminals located on the IOTA. To support application specific requirements, a suite of Field Terminal Assemblies (FTA) is available for Safety Manager Universal Safety IO solutions. These FTAs enable the support of 3 wire field devices, high power output requirements (Fire and Gas) and high voltage IO support.

- FC-TSKUNI-1624 SM RIO Safe FTA Knife, 24Vdc, 16ch
- FC-TSPKUNI-1624 SM RIO Safe FTA Knife, 3-wire, 24Vdc, 16ch
- FC-TSDI-16115U SM RIO Safe act./pass. DI FTA 115V, 16ch
- FC-TDOL-0724U SM RIO DO FTA, loop mon, 2A, 24Vdc, 7ch
- FC-TSRO-0824 DO(relay) FTA for SIL3 appl. 8ch CC
- FC-TSRO-08UNI DO(relay) FTA SIL3 common power 8ch CC

These FTAs require special System Interconnection Cables (SIC); please refer to the Safety Manager Part list (SM.PL.6803) for more detail.


Standard Safety Manager Universal Safety IO Solutions

Within the Safety Manager product portfolio, standard Field Device Units are defined. These standard solutions contain certified components and are developed to be used under defined environmental conditions. The Standard Universal Safety IO solutions may be equipped with either of the following module types:

- FC-RUSIO-3224 Universal Safety IO
- FC-RUSLS-3224 Universal Safety Logic Solver

Depending on the requirements, the architecture can be redundant, non-redundant or a mix of these.

Standard Field Device Unit for normal operational conditions

The Standard Field Device Unit for normal operational conditions (Figure 61) is a small field device unit: a fully self-supporting remote IO unit with 32 IO channels, embedded redundant field power and redundant SM RIO Link fiber optic connections. It contains:

- Safety Manager Universal Safety IO system with 32 freely configurable IO channels
- Steel cabinet
- Communication via fiber, up to 100 km
- Earth Leakage Detection
- Temperature range -5°C to +60°C (+23°F to +140°F)

Standard Field Device Unit for extreme operational conditions

The Standard Field Device Unit for extreme operational conditions is a small field device unit: a fully self-supporting remote IO unit with 32 IO channels, embedded redundant field power and redundant SM RIO Link fiber optic connections. It contains:

- Safety Manager Universal Safety IO system with 32 freely configurable IO channels
- Stainless Steel (ANSI 316L) cabinet
- Communication via fiber, up to 100 km
- Temperature range -40°C to +70°C (-40°F to +158°F)

Figure 61 — Standard Field Device Unit


Standard Rittal TS8 SM RIO Cabinet

The SM RIO full-size Rittal TS8 cabinet (Figure 62) is based on the Rittal TS8808 cabinet. It is typically used when more than 96 channels of Safety Manager Universal Safety IO are needed at a remote location. It contains:

- Safety Manager Universal Safety IO modules only
- Default 800 x 800 x 2000 mm, steel
- Front and rear access
- Maximum 14 redundant SM RIO modules (448 channels)
- Communication via fiber, up to 100 km
- Standard power supplies
- Earth Leakage Detection
- Temperature range -5°C to +60°C (+23°F to +140°F)

Figure 62 — TS8 SM RIO Cabinet


Safety Manager Universal Safety IO Zone 1 Solution

For Safety Manager Universal Safety IO Zone 1 requirements, a standard EEx d box is defined. The EEx d box, shown in Figure 63, contains a redundant Universal Safety IO module, a redundant SM RIO Link communication infrastructure and a redundant power supply assembly. The Safety Manager Universal Safety IO Zone 1 solution supports 32 Universal Safety IO channels and includes certification. Depending on the requirements, the Safety Manager Universal Safety IO Zone 1 box may be equipped with:

- FC-RUSIO-3224 Universal Safety IO
- FC-RUSLS-3224 Universal Safety Logic Solver

In addition, the required isolators on interface boards and/or field termination assemblies are located within the box. Three solution variants are available, depending on application requirements and connected devices:

- Type 01/04: all field devices without Ex d housing => Ex i signals
- Type 02/05: a combination (50/50) of field devices with and without Ex d housing => Ex d signals and Ex i signals
- Type 03/06: all field devices with Ex d housing => Ex d signals

Figure 63 — Safety Manager Universal Safety IO Zone 1 EEx d box


For the Ex i signals, Pepperl+Fuchs isolators and the integration board FC-GPCS-RIO16-PF are used. Any combination of the following P+F isolator types can be placed on this integration board:

- Digital input SIL2: HIC2831R2
- Digital input SIL3: HIC2853R2
- Analog input SIL2: HIC2025
- Digital output 24 Vdc SIL3: HIC2871
- Analog output SIL2: HIC2031

The Safety Manager Universal Safety IO Zone 1 box has the following certifications:

- ATEX II 2GD Ex d [ia] IIB T6 or ATEX II 2GD Ex d IIB T6, IP66
- Certificate INERIS 10ATEX0035X
- Ambient temperature -20°C to +60°C

Two enclosure materials are available:

Enclosure type SS:
- Material finish: Stainless Steel 316L
- Ingress protection (acc. EN 60529): IP66
- Dimensions (W x H x D): 920 x 670 x 300 mm
- Gross weight (without IO modules): 221 kg
- 2x Eyebolt M14 on top of enclosure
- 1x VDR14 1/4" SS drain valve (in short bottom side)
- 1x Welded coupling with threaded hole 1/8" ISO for VDR14
- 24x Welded coupling with threaded hole M32x1.5 in bottom side
- 13x Welded coupling with threaded hole M32x1.5 in right-hand low side

Enclosure type AL:
- Material finish: Aluminum alloy
- Ingress protection (acc. EN 60529): IP66
- Dimensions (W x H x D): 915 x 670 x 310 mm
- Gross weight (without IO modules): 132 kg
- 2x Eyebolt M14 on top of enclosure
- 1x VDR14 1/4" SS drain valve (in short bottom side)
- 1x Welded coupling with threaded hole 1/8" ISO for VDR14
- 24x Welded coupling with threaded hole M32x1.5 in bottom side
- 13x Welded coupling with threaded hole M32x1.5 in right-hand low side


Safety Manager Field Device Unit (SM-FDU)

The Safety Manager Field Device Unit (FDU) combines Safety Manager and Safety Manager Universal Safety IO into a compact unit (see Figure 64 below) that meets the requirements for Safety Integrity Level (SIL) 1, 2 or 3 out of the box, reducing start-up and lifecycle costs for smaller applications.

Figure 64 — Safety Manager Field Device Unit (SM-FDU)

The Safety Manager FDU system is designed to allow process manufacturers to implement small, standalone safety applications in their facilities more easily. The offering integrates Honeywell's widely used Safety Manager Safety Instrumented System (SIS) platform and the Universal Safety IO modules into a single, space-saving unit that arrives SIL3 certified out of the box.

The FDU's small size makes it suitable for plants that need to quickly implement integrated safety measures for applications such as burner or boiler management systems. Increasingly stringent safety regulations and compliance standards often force manufacturers to upgrade or even replace existing safety equipment; for example, an outdated, non-compliant panel in a boiler management system could be replaced with the FDU in the limited space close to the boiler. The Safety Manager FDU's flexibility enables plants to fit solutions into their existing environments, even where a complete safety offering is not required.


Safety Services

System Services

Safety Manager based safety solutions are supported from Honeywell locations worldwide. To guarantee optimum system operation and performance throughout the system lifecycle, a comprehensive services portfolio is available that helps users optimize their safety strategy. Users can choose between various support options and service contracts, which enable them to customize their service requirements:

- Software Enhancement & Support Program (SESP)
- Site Support Services
- Spare Parts Management
- Safety System audits
- Emergency Technical Assistance
- Software Updates

Safety Manager service contracts are more than just emergency backups — they add value to the safety solution and enhance the performance and reliability of the safeguarded process:

- Guaranteed fast response to service requests
- Reduced hourly rates for on-site servicing
- Expert assistance during all stages of the system lifecycle
- Support from locations around the world
- Continuous availability of the latest software
- Compliance with IEC 61508 / IEC 61511 and ANSI/ISA S84.01

Training

Various training programs are available which enable users to become familiar with Safety Manager. The training courses can be given at Honeywell locations, but they can also be organized on site if required. In addition to the standard programs below, a training course can be tailored to the customer's specific needs, either by adding extra options to the training or by focusing on specific segments. The following standard training courses are available:

- Managers Overview Course
- Introduction to IEC 61508
- Safety Manager Implementation Course
- Safety Manager Maintenance Course
- Safety Manager On-Line Modification Course
- Safety Manager Total Package Course


Safety Consultancy

In addition to the services and training portfolio, Safety Manager based solutions are backed by a full range of safety consultancy services that help customers manage all their safety and risk management needs. The Honeywell safety experts have the expertise and experience to guide and assist end users in the implementation of international safety standards such as IEC 61508, IEC 61511 and ANSI/ISA S84.01. Honeywell can help customers:

- Formulate and manage their safety lifecycle model
- Carry out hazard and risk analysis and definition of safety functions
- Define safety requirements
- Provide expertise on failure rate assessments
- Perform safety and availability calculations
- Provide advice on optimal proof test intervals


Standards Compliance

Since functional safety is at the core of the Safety Manager design, the system is certified for use in safety applications all around the world. The predecessor of Safety Manager, the Fail Safe Controller (FSC), was developed specifically to comply with the strict German DIN/VDE functional safety standards and was certified by TÜV for use in AK 1 to 6 applications. FSC was also the first safety system to obtain certification in the United States for the UL 1998 and ANSI/ISA S84.01 standards. FSC based and Safety Manager based safety solutions and the related Honeywell services can also help you comply with the ANSI/ISA S84.01 standard for safety instrumented systems up to and including Safety Integrity Level (SIL) 1, 2 and 3, as well as the international standard IEC 61508 for functional safety. These standards address the management of safety throughout the entire life cycle of your plant.

Certifications and Compliance with International Standards and Safety Codes

TÜV Bayern (Germany) — Certified to fulfill the requirements of "Class 6" (AK6) safety equipment as defined in the following documents: IEC 61508, IEC 61511, IEC 62061, EN 13849, DIN V VDE 19250, DIN V VDE 0801 incl. amendment A1, DIN VDE 0110, DIN VDE 0116, DIN VDE 0160 incl. amendment A1, DIN EN 54-2, DIN VDE 0883-1, DIN IEC 68, IEC 61131-2.

Instrument Society of America (ISA) — Certified to fulfill the requirements laid down in ANSI/ISA S84.01.

Canadian Standards Association (CSA) — Complies with the requirements of the following standards: CSA Standard C22.2 No. 0-M1982 General Requirements – Canadian Electrical Code, Part II; CSA Standard C22.2 No. 142-M1987 for Process Control Equipment.

Underwriters Laboratories (UL) — Certified to fulfill the requirements of: UL 508, UL 991, UL 1998 and ANSI/ISA S84.01.

Factory Mutual (FM) — Certified to fulfill the requirements of FM 3611 (non-incendive field wiring circuits for selected modules) and FM 3011 (Fire Alarm and Protective Equipment Supervision).

Safety Manager Functional Logic Diagrams for Control Program design are compliant with IEC 61131-3.

The design and development of Safety Manager are compliant with IEC 61508:1999, Parts 1-7 (as certified by TÜV).

CE compliance — Complies with CE directives 89/336/EEC (EMC) and 73/23/EEC (Low Voltage).


Specifications

The following specifications apply to Safety Manager systems and modules mounted in a standard Safety Manager cabinet.

Safety Manager SFF values

SFF (Safe Failure Fraction): 99%

Safety Manager Environmental Conditions

Operating Temperature:
- Safety Manager: –5°C to 70°C (23°F to 158°F), ambient (1)
- Universal Safety IO (2): –40°C to 70°C (–40°F to 158°F), ambient (1)

Storage Temperature:
- Safety Manager: –25°C to +80°C (–13°F to +176°F)
- Universal Safety IO: –40°C to +85°C (–40°F to +185°F)

Relative Humidity:
- Safety Manager: 5% to 95%, non-condensing
- Universal Safety IO: 10% to 95%, non-condensing

Vibration, Sinusoidal: IEC 60068-2-6; 10 Hz to 57 Hz: 0.075 mm amplitude; 57 Hz to 150 Hz: 1 g

Shock: IEC 60068-2-27; 15 g for 11 ms, 3 axes

Electrostatic Discharge: IEC 61000-4-2, Level 4 (15 kV)

Conducted Susceptibility:
- IEC 61000-4-4, Level 3, Fast Transient/Burst
- IEC 61000-4-5, Level 3, Surge Withstand
- IEC 61000-4-6, Level 3, Conducted Field

Radiated Susceptibility: IEC 61000-4-3, Level 3

Conducted Emissions: Measured per CISPR 11 & CISPR 22

Radiated Emissions: Measured per CISPR 11 & CISPR 22

(1) "Ambient" refers to the air temperature measured in the Safety Manager Control Processor chassis (CPCHAS-0001).

(2) Applicable for FC-RUSFDU-02


Safety Manager Mechanical Specifications

Safety Manager cabinet dimensions (Rittal, model TS 8):

2000 x 800 x 800 mm (H x W x D) 78¾ x 31½ x 31½ in (H x W x D)

Remote IO Field Device Units 600 x 600 x 210 mm (H x W x D) 23.6 x 23.6 x 8.3 in (H x W x D)

Chassis size (incl. horizontal bus): height: 4 HE (4U), width: 84 TE (84 HP)

Module sizes:

IO modules: height 3 HE (3U), width 4 TE (4 HP)

QPP module: height 4 HE (4U), width 16 TE (16 HP)

USI, SMM, BKM, PSU modules: height 4 HE (4U), width 8 TE (8 HP)

Eurocard dimensions 100 x 160 mm (3.94 x 6.30 in)

Universal Safety IO Carrier (MCAR):
- 18 in carrier: 478 x 145.6 x 32 mm (L x W x H), 18.8 x 5.7 x 1.3 in (L x W x H)
- 36 in carrier: 918.7 x 170 x 80 mm (L x W x H), 36.2 x 6.7 x 3.1 in (L x W x H)

Universal Safety IO termination assembly (IOTA)

443.2 x 120.7 x 64 mm (L x W x H) 17.4 x 4.8 x 2.5 in (L x W x H)

Universal Safety IO Module: 165.1 x 72.4 x 145 mm (L x W x H), 6.5 x 2.9 x 5.7 in (L x W x H)

Safety Manager Electrical Specifications

Supply voltages:
- 24 Vdc: +30% / –15%
- 48 Vdc: +15% / –15%
- 110 Vdc: +25% / –15%
- 220 Vdc: +10% / –15%


Model Numbers

An overview of all Safety Manager model numbers can be found in the Safety Manager Part list (SM.PL.6803).
