Safety Manager Safety Manual
Safety Manager Safety Manual
EP-SM.MAN.6283
June 2016
Release 160
Document    Release    Issue Date
EP-SM.MAN              June 2016

Disclaimer

This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell Measurex (Ireland) Limited.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.

Copyright Honeywell Measurex (Ireland) Limited
Contents

1 Safety Manual
  Content of Safety Manual
    References
  Basic skills and knowledge
    Prerequisite skills
    Training
  Safety standards for Process & Equipment Under Control (PUC, EUC)
    Safety Integrity Level (SIL)
    Application design conform IEC
    The IEC and IEC standards
2 Safety Manager functions architectures and standards
  Safety Manager functions
  Safety Manager basic architectures
    Dual Modular Redundant (DMR) architecture
    Quadruple Modular Redundant (QMR) architecture
    Watchdog architecture in mixed IO configurations - QMR architecture
    Safety Manager A.R.T
  Certification
  Standards compliance
3 Security recommendations and best practices
Safety Manager fault detection and reaction
  Introduction
    Diagnostic Test Interval
    Controller configurations and states
    Shutdown by application or manual intervention
  Fault detection and reaction of the system
    Safety Manager
    Safety Manager A.R.T
  Safety Manager Controller faults
    QPP faults
    USI faults
    BKM faults
    PSU faults
    Communication faults
  Safety Manager universal IO module faults
    SM Universal IO module faults
  Safety Manager chassis IO faults
    Digital input faults (chassis based)
    Analog input faults (chassis based)
    Digital output faults (chassis based)
    Analog output faults (chassis based)
  Safety Manager universal IO channel faults
    Digital input faults (remote)
    Analog input faults (remote)
    Digital output faults (remote)
    Analog output faults (remote)
    Behavior of the ESD input on USIO/USLS
  Compare error handling
    IO compare errors and system response
    Compare error detection and synchronization
    Calculation errors
Safety Manager special functions
  Online modification
  SafeNet communication
    Networks
    Protocol versus response time
  Reset
    System response towards a safety related reset
  Simulation mode
General guidelines for TÜV approved applications
  General
  F&G applications
Fail Safe Controller to Safety Manager migration
  Planning for migration
    Migration checklist
    Migration audit
    On-site audit
    Phased migrations
    Extending an FSC
    FSC network
    FSC migration license
  Preparing for migration
  Migrate FSC application
    Load the application
    Verify the application
    Execute the migration
List of abbreviations
Notices
  Documentation feedback
  How to report a security vulnerability
  Support
  Training classes
1 Safety Manual

The Safety Manual is a reference guide providing detailed information regarding safety aspects in Safety Manager.

Related topics
- Content of Safety Manual on page 6
- Basic skills and knowledge on page 7
- Safety standards for Process & Equipment Under Control (PUC, EUC) on page 8
1.1 Content of Safety Manual

The Safety Manual is a reference guide providing detailed information regarding safety aspects in Safety Manager. A reference guide is a Safety Manager related guide; it does not describe tasks as steps to follow. A reference guide can provide input to support decisions required to achieve a certain objective.

Guide subjects

Safety Manual:
- Safety Manager functions architectures and standards on page 11
- Safety Manager fault detection and reaction on page 27
- Safety Manager special functions on page 49
- General guidelines for TÜV approved applications on page

References

The following guides may be required as reference materials:

Guide | Description
The Overview Guide | This guide describes the general knowledge required, the basic functions of, and the tasks related to Safety Manager.
The Planning and Design Guide | This guide describes the tasks related to planning and designing a Safety Manager project.
The Installation and Upgrade Guide | This guide describes the tasks related to installing, replacing and upgrading hardware and software as part of a Safety Manager project.
The Troubleshooting and Maintenance Guide | This guide describes the tasks related to troubleshooting and maintaining Safety Manager.
The System Administration Guide | This guide describes the tasks related to administering the computer systems used in a Safety Manager project.
The Hardware Reference | This guide specifies the hardware components that build a Safety Manager project.
The Withdrawn Hardware Reference | This guide specifies all withdrawn hardware components and identifies alternatives for maintaining Safety Manager projects containing withdrawn hardware.
The Software Reference | This guide specifies the software functions that build a Safety Manager project and contains guidelines on how to operate them.
The On-line Modification Guide | This guide describes the theory, steps and tasks related to upgrading Safety Builder and embedded software and modifying an application online in a redundant Safety Manager.
1.2 Basic skills and knowledge

Before performing tasks related to Safety Manager you need to:
- Understand basic Safety Manager concepts as explained in the Overview Guide and the Glossary.
- Have a thorough understanding of the Safety Manual.
- Have had appropriate training related to Safety Manager that certifies you for your tasks (see the Planning and Design Guide).

More related information can be found in Prerequisite skills and Training.

Prerequisite skills

When you perform tasks related to Safety Manager, it is assumed that you have appropriate knowledge of:
- Site procedures.
- The hardware and software you are working with. These may be, for example: computers, printers, network components, Controller and Station software.
- Microsoft Windows operating systems.
- Programmable logic controllers (PLCs).
- Applicable safety standards for Process & Equipment Under Control.
- Application design conform IEC
- The IEC and IEC standards.

This guide assumes that you have a basic familiarity with the process(es) connected to the equipment under control and that you have a complete understanding of the hazard and risk analysis.

More related information can be found in Training.

Training

Most of the skills mentioned above can be achieved by appropriate training. For more information, contact your Honeywell SMS representative or see:

More related information can be found in Prerequisite skills.
1.3 Safety standards for Process & Equipment Under Control (PUC, EUC)

Safety Manager is the logic solver of a Safety Instrumented System (SIS) performing specific Safety Instrumented Functions (SIF) to ensure that risks are kept at predefined levels. A SIS measures, independently from the Basic Process Control System (BPCS), a number of relevant process signals such as temperature, pressure, the level in a tank or the flow through a pipe. The values of these signals are compared with the predefined safe values and, if needed, the SIS gives an alarm or takes action. In such cases the SIS controls the safety of the process and lowers the chance of an unsafe situation. The logic in Safety Manager defines the response to process parameters.

In this context the following terms are explained in this section:
- Safety Integrity Level (SIL) on page 8
- Safety layers of protection
- Equipment Under Control (EUC)
- Process Under Control (PUC)

Safety Integrity Level (SIL)

The IEC standard specifies 4 levels of safety performance for safety functions. These are called safety integrity levels. Safety integrity level 1 (SIL1) is the lowest level of safety integrity, and safety integrity level 4 (SIL4) the highest level. If the level is below SIL1, the IEC and IEC do not apply. Safety Manager can be used for processing multiple SIFs simultaneously demanding a SIL1 up to and including SIL3.

To achieve the required safety integrity level for the E/E/PE safety-related systems, an overall safety life cycle is adopted as the technical framework (as defined in IEC 61508).

For more information see also:
- Safety layers of protection
- Equipment Under Control (EUC)
- Process Under Control (PUC)

Application design conform IEC

The IEC standard defines, as a minimum set, the basic programming elements and the syntactic and semantic rules for the most commonly used programming languages, including the graphical languages Ladder Diagram and Functional Block Diagram, and the textual languages Instruction List and Structured Text. For more information see the IEC web site.

The figure below shows how Safety Manager uses the graphical programming method, based on Functional Block Diagram as defined by the IEC
Figure 1: Example FLD layout

The IEC and IEC standards

SISs have been used for many years to perform safety instrumented functions, e.g. in chemical, petrochemical and gas plants. In order for instrumentation to be effectively used for safety instrumented functions, it is essential that the instrumentation meets certain minimum standards and performance levels. To define the characteristics, main concepts and required performance levels, the standards IEC and IEC have been developed. The introduction of the Safety Integrity Level (SIL) is one of the results of these standards.

This brief provides a short explanation of each standard. Detailed information regarding IEC and can be found on the IEC web site.

What standard to use?

Tip: You can use the IEC as a stand-alone standard for those sectors where a sector specific standard does not exist.

- If you are in the process sector and you are an owner/user, it is strongly recommended that you pay attention to the IEC (ANSI/ISA ). For details see IEC 61511, the standard for the process industry.
- If you are in the process sector and you are a manufacturer, it is strongly recommended that you pay attention to the IEC. For details see IEC 61508, the standard for all E/E/PE safety-related systems.
- If you are in another sector, it is strongly recommended that you look for, and use, your sector specific IEC standard for functional safety (if there is one). If none exists, you can use the IEC instead. For details see IEC 61508, the standard for all E/E/PE safety-related systems.

IEC and IEC terminology

This guide contains both IEC and IEC related terminology. As the IEC sits within the framework of IEC, most of the terminology used may be interchanged. The table below provides an overview of the most common interchangeable terminology.
Table 1: IEC versus IEC terminology

IEC terminology | IEC terminology
safety function | safety instrumented function
electrical/electronic/programmable electronic (E/E/PE) safety-related system | safety instrumented system (SIS)

IEC 61508, the standard for all E/E/PE safety-related systems

The IEC is called Functional safety of electrical/electronic/programmable electronic safety-related systems. IEC covers all safety-related systems that are electrotechnical in nature (i.e. Electrical, Electronic and Programmable Electronic systems (E/E/PE)).

Generic standard

The standard is generic and is intended to provide guidance on how to develop E/E/PE safety related devices as used in Safety Instrumented Systems (SIS). The IEC 61508:
- serves as a basis for the development of sector standards (e.g. for the machinery sector, the process sector, the nuclear sector, etc.).
- can serve as a stand-alone standard for those sectors where a sector specific standard does not exist.

SIL

IEC details the design requirements for achieving the required Safety Integrity Level (SIL). The safety integrity requirements for each individual safety function may differ. The safety function and SIL requirements are derived from the hazard analysis and the risk assessment. The higher the level of adopted safety integrity, the lower the likelihood of dangerous failure of the SIS. This standard also addresses the safety-related sensors and final elements regardless of the technology used.

IEC 61511, the standard for the process industry

The IEC is called Functional safety - Safety instrumented systems for the process industry sector. It is also referred to as the ANSI/ISA . This standard addresses the application of SISs for the process industries. It requires a process hazard and risk assessment to be carried out, to enable the specification for SISs to be derived. In this standard a SIS includes all components and subsystems necessary to carry out the safety instrumented function from sensor(s) to final element(s). The standard is intended to lead to a high level of consistency in underlying principles, terminology and information within the process industries. This should have both safety and economic benefits. The IEC sits within the framework of IEC

Need to know more?

For more information regarding, or help on, implementing or determining the applied safety standards for your plant/process, please contact your Honeywell affiliate. Our Safety Consultants can help you to, e.g.:
- perform a hazard risk analysis
- determine the SIL requirements
- design the Safety Instrumented System
- validate and verify the design
- train your local safety staff
2 Safety Manager functions architectures and standards

Safety Manager can be configured for a number of architectures, each with its own characteristics and typical Safety Instrumented Functions.

Related topics
- Safety Manager functions on page 12
- Safety Manager basic architectures on page 13
- Certification on page 17
- Standards compliance on page 19
2.1 Safety Manager functions

Safety Manager is the logic solver inside a Safety Instrumented System (SIS) and can be used in a number of different basic architectures (see Safety Manager basic architectures on page 13). Irrespective of the chosen architecture, Safety Manager meets the requirements of the relevant international standards. By design Safety Manager operates at a very high level of dependability. The functions of Safety Manager depend on the Controller configuration that is applied. These functions are described in the table below.

Table 2: Safety Manager functions

Controller architecture | Function
Non-redundant (DMR) | Logic solving within a SIS in order to provide freedom from unacceptable risks, and thus safeguarding the equipment and processes under control.
Redundant (QMR) | Logic solving within a SIS in order to provide freedom from unacceptable risks, and thus safeguarding the equipment and processes under control while maintaining a high level of availability.
Redundant A.R.T. (Safety Manager A.R.T.) | Logic solving within a SIS in order to provide freedom from unacceptable risks, and thus safeguarding the equipment and processes under control while maintaining an extended level of availability.
2.2 Safety Manager basic architectures

Safety Manager can be configured for a number of architectures. Each has its own characteristics and typical Safety Instrumented Functions. The table below provides an overview of the available architectures.

Table 3: Safety Manager architectures

Controller architecture | IO configuration | Remarks
Non-redundant (DMR) | Non-redundant | DMR architecture; supports SIF for SIL1, SIL2 and SIL3 applications.
Redundant (QMR) | Non-redundant; Redundant; Redundant and non-redundant | QMR architecture; supports SIF for SIL1, SIL2 and SIL3 applications.
Redundant A.R.T. (Safety Manager A.R.T.) | Non-redundant; Redundant | A.R.T. architecture; supports SIF for SIL1, SIL2 and SIL3 applications.

Dual Modular Redundant (DMR) architecture

Typical applications of a DMR architecture are:
- Burner Management System
- Batch processing
- Machine protection

The DMR architecture provides 1oo2 voting in a non-redundant system. The DMR architecture with 1oo2 voting is based on dual-processor technology, and is characterized by a high level of self tests, diagnostics and fault tolerance. The DMR architecture is realized with a non-redundant Controller. A non-redundant architecture contains only one QPP, which contains redundant processors and memory with 1oo2 voting between the processors and memory. In IO configurations, each path is primarily controlled by the Control Processor and an independent watchdog signal (see the figure below).

Figure 2: Functional diagram: DMR architecture (elements shown: ESD input, watchdog signal, sensor, Input Module, QPP Control Processor, Output Module, final element)
Quadruple Modular Redundant (QMR) architecture

Typical applications of a QMR architecture are: process safeguarding applications for which continuous operation is essential.

The Quadruple Modular Redundant (QMR) architecture is based on 2oo4D voting, with dual-processor technology in each QPP. This means that it is characterized by an ultimate level of self diagnostics and fault tolerance. The QMR architecture is realized with a redundant Controller. This redundant architecture contains two QPPs, which results in quadruple redundancy, making it fault tolerant for safety. The 2oo4D voting is realized by combining 1oo2 voting of both CPUs and memory in each QPP, and 1oo2D voting between the two QPPs. Voting takes place on two levels: on a module level and between the QPPs.

In redundant IO configurations, each path is controlled by one of the Control Processors and an independent watchdog signal, which is controlled by the diagnostic software (see the figure below). Furthermore, each Control Processor is able to switch off the output channels of the other Control Processor.

Figure 3: Functional diagram: QMR architecture (elements shown: ESD input, watchdog signal, sensor, Input Modules, QPP Control Processor 1 and Control Processor 2, Output Modules, final element, Universal IO modules n1 and n2)

Watchdog architecture in mixed IO configurations - QMR architecture

In a system with combined redundant and non-redundant IO, three (3) watchdog lines are active:
- WD1: the Watchdog line dedicated to Control Processor 1. De-energizes upon a safety related fault in Control Processor 1. When de-energized, Control Processor 1 and the related outputs are halted.
- WD2: the Watchdog line dedicated to Control Processor 2. De-energizes upon a safety related fault in Control Processor 2. When de-energized, Control Processor 2 and the related outputs are halted.
- WD3: the Watchdog line dedicated to Control Processor 3. De-energizes upon a safety related fault in hardware that controls the non-redundant IO. When de-energized, the non-redundant outputs are de-energized, but the redundant outputs and the Control Processors remain operational.

Figure 4: Functional diagram: redundant Controller with redundant and non-redundant IO (elements shown: ESD input, watchdog signal, sensors, redundant Input and Output Modules under QPP Control Processor 1 and Control Processor 2, a non-redundant Input Module and Output Module, final elements)

Safety Manager A.R.T

Typical applications of the Safety Manager A.R.T. architecture are: process safeguarding applications for which continuous operation is essential.

The Safety Manager A.R.T. architecture is based on 2oo4D voting, with dual-processor technology in each QPP. This means that it is characterized by an ultimate level of self diagnostics and fault tolerance. The Safety Manager A.R.T. architecture is only supported with a redundant Controller. This redundant architecture contains two QPPs, which results in quadruple redundancy, making it fault tolerant for safety. The 2oo4D voting is realized by combining 1oo2 voting of both CPUs and memory in each QPP, and 1oo2D voting between the two QPPs. Voting takes place on two levels: on a module level and between the QPPs.

In redundant IO configurations, both paths can be controlled by each Control Processor. The watchdog function for the output modules is controlled at chassis based IO level. This is done by the main watchdogs and additional control by the software. The result of the Safety Manager A.R.T. architecture is a more granular reaction to output module faults.

Figure 5: Functional diagram: QMR architecture (elements shown: ESD input, watchdog signal, sensor, Input Modules, QPP Control Processor 1 and Control Processor 2, Output Modules, final element, Universal IO modules n1 and n2)

Related topic(s): Fault detection and reaction of the system on page
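The voting and watchdog behaviour described for the QMR architecture (1oo2 inside each QPP, 1oo2D between the QPPs, and the WD1/WD2/WD3 lines of a mixed IO configuration) can be written down as a small state model, which makes it easy to check which outputs survive which fault. The Python below is an added example constructed for this manual page, not Honeywell code: the class and function names are assumptions, and the degradation rules (a processor mismatch counting as a fault of that QPP, fail-safe when no channel is trusted) are a reading of the text above.

```python
# Added example: a model of the QMR voting and watchdog lines described above.
# Constructed for illustration; not Honeywell code. Names are assumptions.
from dataclasses import dataclass

TRIP = True   # vote result: de-energize the final element (safe state)
RUN = False   # vote result: keep the final element energized


@dataclass
class QPP:
    """One Quad Processor Pack: two processors voted 1oo2."""
    name: str
    cpu_a: bool                  # demand computed by processor A (True = trip)
    cpu_b: bool                  # demand computed by processor B (True = trip)
    safety_fault: bool = False   # a safety related fault found by self-test

    def vote_1oo2(self):
        """Return (demand, healthy). Either processor demanding a trip trips.
        Disagreement between the two processors is treated as a detected
        fault of this QPP (modelling assumption)."""
        if self.cpu_a != self.cpu_b:
            return TRIP, False
        return self.cpu_a, not self.safety_fault


def vote_1oo2d(qpp1, qpp2):
    """1oo2D between the QPPs: the diagnostics ('D') decide which channel
    may still be trusted. Returns (demand, cp1_ok, cp2_ok)."""
    d1, ok1 = qpp1.vote_1oo2()
    d2, ok2 = qpp2.vote_1oo2()
    if ok1 and ok2:
        return d1 or d2, True, True     # 1oo2 between two healthy channels
    if ok1:
        return d1, True, False          # degrade to the healthy channel
    if ok2:
        return d2, False, True
    return TRIP, False, False           # no trusted channel left: fail safe


def watchdog_lines(cp1_ok, cp2_ok, nonredundant_io_fault):
    """WD1/WD2 follow their Control Processor; WD3 follows the hardware that
    drives the non-redundant IO. True means the line is energized."""
    return {"WD1": cp1_ok, "WD2": cp2_ok, "WD3": not nonredundant_io_fault}


def output_states(qpp1, qpp2, nonredundant_io_fault=False):
    """Resolve which outputs stay energized for one scan."""
    demand, cp1_ok, cp2_ok = vote_1oo2d(qpp1, qpp2)
    wd = watchdog_lines(cp1_ok, cp2_ok, nonredundant_io_fault)
    # Redundant outputs keep running while at least one Control Processor and
    # its watchdog line are alive and the vote does not demand a trip.
    redundant = (wd["WD1"] or wd["WD2"]) and demand == RUN
    # Non-redundant outputs additionally depend on WD3: a fault in the
    # non-redundant IO hardware drops them while the rest keeps operating.
    nonredundant = redundant and wd["WD3"]
    return {
        "vote": "TRIP" if demand else "RUN",
        "watchdogs": wd,
        "redundant_outputs_energized": redundant,
        "nonredundant_outputs_energized": nonredundant,
    }


def scenarios():
    """Constructed scenarios covering the cases the text describes."""
    def healthy(name):
        return QPP(name, cpu_a=False, cpu_b=False)

    return {
        "normal": output_states(healthy("QPP1"), healthy("QPP2")),
        "process demand": output_states(healthy("QPP1"), QPP("QPP2", True, True)),
        "cp1 fault": output_states(QPP("QPP1", False, False, safety_fault=True),
                                   healthy("QPP2")),
        "cpu mismatch in QPP1": output_states(QPP("QPP1", True, False),
                                              healthy("QPP2")),
        "nonredundant io fault": output_states(healthy("QPP1"), healthy("QPP2"),
                                               nonredundant_io_fault=True),
        "both cps faulty": output_states(QPP("QPP1", False, False, True),
                                         QPP("QPP2", False, False, True)),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:22s} vote={state['vote']:4s} WD={state['watchdogs']} "
              f"redundant={state['redundant_outputs_energized']} "
              f"non-redundant={state['nonredundant_outputs_energized']}")
```

Running the scenarios shows the point of the three watchdog lines: a fault in one Control Processor drops only WD1 or WD2 and the outputs keep running on the other channel, a fault in the non-redundant IO hardware drops WD3 and only the non-redundant outputs, and only a process demand or the loss of both channels de-energizes everything.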
2.3 Certification

The advantage of applying and complying with standards is obvious: international standards force companies to evaluate and develop their products and processes in a consistent and uniform way. Products certified to conform to these international standards guarantee a certain degree of quality and product reliability that other products lack.

Since functional safety is the core of the Safety Manager design, the system has been certified for use in safety applications all around the world. Safety Manager has been developed specifically to comply with the IEC 61508 functional safety standards, and has been certified by TUV for use in SIL1 to SIL3 applications. Safety Manager has also obtained certification in the United States for the ANSI/ISA S84.01 standard. For a full list of all these and other certifications see Certification.

Certification

Safety Manager has been certified to comply with the following standards:
- Lloyd's Register - Safety Manager is certified for offshore and floating production facilities application use in environmental categories ENV1, ENV2 as per LR Type Approval System, Test Specification # 1, 2002.
- International Electrotechnical Commission (IEC) - The design and development of Safety Manager are compliant with IEC (as certified by TUV).
- Instrument Society of America (ISA) - Certified to fulfill the requirements laid down in ANSI/ISA S
- CE compliance - Complies with CE directives 2004/108/EEC (EMC), 2006/95/EEC (Low Voltage) and 2006/42/EEC (Machine Safety).
- European Committee for Standardization - CEN, CENELEC
- TUV (Germany) - Certified to fulfill the requirements of SIL1, 2 and 3 safety equipment as defined in the following documents: IEC61508, IEC , EN50156, EN 54-2, EN50178, IEC 60068, IEC , IEC , IEC
- Canadian Standards Association (CSA) - Complies with the requirements of the following standards: CSA Standard C22.2 No. 0-M982 General Requirements Canadian Electrical Code, Part II; CSA Standard C22.2 No. 142-M1987 for Process Control Equipment, including general Instructions up to No. 4 dated February 1989 (Reaffirmed 2004).
- Underwriters Laboratories (UL) - Certified to fulfill the requirements of UL 508, UL 508A and ANSI/ISA S
- Factory Mutual (FM) - Certified to fulfill the requirements of FM 3611 and FM3600 (non-incendive field wiring circuits for selected modules and installation in Class 1 Div 2 environments).
2.4 Standards compliance

This sub section provides a list of the standards Safety Manager complies with.

Table 4: Safety Manager compliance to standards

Standard | Title | Remarks
IEC 61508, Part 1-7 (2001) (S84.01) | Functional safety of electrical/ electronic/ programmable electronic (E/E/PE) safety-related systems. | Values such as SFF, PFD, PFH and ... can be provided upon request.
IEC (2004) (S84) | Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements |
IEC (2005) | Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems |
ISO (2008) | Safety of machinery - Safety related parts of control systems. General principles for design |
EN 54 part 2 (2006) | Components of automatic fire detection systems, Introduction. |
EN (1996) | Safety of Machinery - Safety Related Parts of Control Systems - Part 1. General Principles for Design |
EN (2003) | Electromagnetic compatibility - Immunity requirements for components of fire, intruder and social alarm systems. |
EN (2004) | Electrical equipment of furnaces. |
EN (2009) | Safety of machinery - Electrical equipment of machines - Part 1: General requirements |
IEC (2005) | Electromagnetic compatibility - Generic immunity standard: Industrial environment. |
IEC (2010) | Safety Requirements for Electrical Equipment for Measurement, Control and Laboratory Use, Part 1: General Requirements. |
IEC (2007) | Programmable controllers. Part 2: Equipment requirements and tests. |
IEC (2008) | Immunity requirements for safety related systems. |
NFPA 72 (2010) | National Fire Alarm Code Handbook |
NFPA 85 (2011) | Boiler and Combustion Systems Hazards Code |
NFPA 86 (2011) | Standard for Ovens and Furnaces |
ANSI/ISA (2013) | Environmental Conditions for Process Measurement and Control Systems: Airborne Contaminants | G3 level: harsh environments
UL 508 | Industrial control equipment, seventeenth edition. | Underwriters Laboratories.
UL 508A (2001) | UL Standard for Safety Industrial Control Panels | Underwriters Laboratories.
FM3600, FM 3611 | Electrical equipment for use in Class I, Division 2, Class II, Division 2, and Class III, Division 1 and 2, hazardous locations. | Factory Mutual Research.
Class I, Division 2, Groups A, B, C & D; Class II, Division 2, Groups F & G | | Applies to the field wiring circuits of the following modules: SDI-1624, SAI-0410, SAI-1620m, SDIL-1608, and SAO-0220m, and installation of the Controller in these environments.
CSA C22.2 | Process control equipment. Industrial products. | Canadian Standards Association No
IEC (2004) | Basic environmental testing procedures. | See the environmental tests listed below.

Environmental tests under IEC (2004):
- IEC Cold test (undervoltage): Safety Manager -5 °C (23 °F); SM universal IO module -40 °C (-40 °F); 16 hours; system in operation; reduced power supply voltage: (-15%): U=20.4 Vdc or (-10%): U=198 Vac.
- IEC Cold test (nominal): Safety Manager -10 °C (14 °F); SM universal IO module -45 °C (-49 °F); 16 hours; system in operation.
- IEC Dry heat test: up to 70 °C (158 °F); 16 hours; system in operation; increased power supply voltage: (+30%): U=31.2 Vdc or (+10%): U=253 Vac.
- IEC Test Ca: damp heat, steady state: 21 days at +40 °C (104 °F), 93% relative humidity; function test after cooling.
- IEC Test Ca: damp heat, steady state: 96 hours at +40 °C (104 °F), 93% relative humidity; system in operation.
- IEC Test Na: change of temperature withstand test: -25 °C to +55 °C (-13 °F to +131 °F), 12 hours, 95% relative humidity, recovery time: max. 2 hours.
- IEC Test Db variant 2: cyclic damp heat test: +25 °C to ... °C (+77 °F to ... °F), 7 days, ...% relative humidity, recovery time: 1-2 hours.
- IEC Environmental testing Part 2: Tests. Test Fc: vibration (sinusoidal): excitation sine-shaped with sliding frequency; Safety Manager frequency range: ... Hz; loads: ... Hz: ... mm; ... Hz: 1 G; duration: 10 cycles (20 sweeps) per axis; number of axes: 3 (x, y, z); traverse rate: 1 oct/min; in operation.
- IEC Environmental testing Part 2: Tests. Test Ea: shock: half sine shock; 6 shocks per 3 axes (18 in total); maximum acceleration: 15 G; shock duration: 11 ms; Safety Manager in operation.
3 Security recommendations and best practices

This section provides information on security recommendations and best practices for using the Safety Manager controller. A detailed description of all Safety Controller key switches, loading of software and forcing is available in the Safety Manager Installation and Upgrade Guide.

Force Enable Key Switch

It is strongly recommended to keep the Force Enable key switch in the disabled position whenever forcing is not required. Leaving the Force Enable key in the enabled position will make the Safety Controller more vulnerable to abuse. Store the CPU key switches in a safe location, so that even with physical access to controllers in a remote location (for example, pipelines) the controller application cannot be changed.

Fault Reset Key Switch

The Fault Reset key switch is a physical key to reset the Safety Manager Controller. This is also required to start a loaded application.

Force Enable Configuration

It is strongly recommended to leave a point's Force Enable at the default 'No' when it is not necessary to force this point or to modify a HART field device parameter during maintenance. Configuring a point with Force Enable will make the Safety Controller user application more vulnerable to abuse.

Write Enable Configuration

It is recommended to leave a point's Write Enable at the default 'No' (Disabled) when it is not necessary to write this point during maintenance. It is strongly discouraged to use a write enabled point as part of a SIF. Configuring a point with Write Enable will make the Safety Controller user application more vulnerable to abuse.

Remote Reset Configuration

It is recommended to leave this setting in the 'Disabled' position when it is not a necessity to reset or start up a Safety Controller remotely via Safety Builder. Configuring Remote Reset will make the Safety Controller more vulnerable to abuse. The Fault Reset key switch mounted in the Safety Controller cabinet is the preferred secure alternative.

Remote Load Configuration

It is recommended to leave this setting in the 'Disabled' position when it is not a necessity to shut down a Safety Controller remotely via Safety Builder prior to a download. Configuring Remote Load will make the Safety Controller more vulnerable to abuse. The Safety Processor (QPP) key switch is the preferred secure alternative.
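The key switch and point settings recommended above lend themselves to a periodic configuration review: every Force Enable, Write Enable, Remote Reset and Remote Load left at a non-default value is a finding, and a write enabled point inside a SIF is the most serious one. The Python below is an added example constructed for this page, not Honeywell code and not a Safety Builder export format: the dictionary layout, field names (`force_enable_key`, `in_sif`, `justification`) and sample tag names are assumptions made for the example.

```python
# Added example: review one Safety Controller's configuration against the
# recommendations of this section and produce the hardened form.
# Constructed data and field names; not Honeywell code.

# Constructed configuration mixing recommended and weak settings.
SAMPLE_CONFIG = {
    "controller": "SC-01",
    "force_enable_key": "enabled",   # recommended: "disabled"
    "remote_reset": "Enabled",       # recommended: "Disabled"
    "remote_load": "Disabled",
    "points": [
        {"tag": "PT-1001", "force_enable": "No", "write_enable": "No", "in_sif": True},
        {"tag": "XV-2002", "force_enable": "Yes", "write_enable": "No", "in_sif": True,
         "justification": "valve stroke test during scheduled maintenance"},
        {"tag": "SP-3003", "force_enable": "No", "write_enable": "Yes", "in_sif": True},
        {"tag": "HS-4004", "force_enable": "No", "write_enable": "Yes", "in_sif": False},
    ],
}

# Controller settings whose recommended value is 'Disabled', paired with the
# physical key switch the text names as the preferred alternative.
REMOTE_SETTINGS = {
    "remote_reset": "Fault Reset key switch in the cabinet",
    "remote_load": "Safety Processor (QPP) key switch",
}


def review_controller(config):
    """Return findings as (severity, subject, description) tuples."""
    findings = []
    name = config["controller"]
    if config.get("force_enable_key") != "disabled":
        findings.append(("high", name,
                         "Force Enable key switch not in the disabled position"))
    for setting, alternative in REMOTE_SETTINGS.items():
        if config.get(setting) != "Disabled":
            findings.append(("medium", name,
                             f"{setting} enabled; prefer the {alternative}"))
    for point in config["points"]:
        tag = point["tag"]
        if point.get("force_enable", "No") != "No":
            if point.get("justification"):
                findings.append(("low", tag,
                                 f"Force Enable set (justified: {point['justification']})"))
            else:
                findings.append(("medium", tag,
                                 "Force Enable set without a documented maintenance need"))
        if point.get("write_enable", "No") != "No":
            if point.get("in_sif"):
                findings.append(("high", tag,
                                 "Write Enable on a point that is part of a SIF"))
            else:
                findings.append(("medium", tag,
                                 "Write Enable set; recommended default is 'No'"))
    return findings


def hardened_copy(config):
    """Return a copy with every setting at its recommended default. Force
    Enable is kept only on points that carry a written justification."""
    hardened = dict(config, force_enable_key="disabled",
                    **{setting: "Disabled" for setting in REMOTE_SETTINGS})
    hardened["points"] = [
        dict(point, write_enable="No",
             force_enable="Yes" if point.get("justification") else "No")
        for point in config["points"]
    ]
    return hardened


if __name__ == "__main__":
    for severity, subject, text in review_controller(SAMPLE_CONFIG):
        print(f"[{severity:6s}] {subject}: {text}")
    print("after hardening:", review_controller(hardened_copy(SAMPLE_CONFIG)))
```

On the constructed configuration the review reports five findings; after `hardened_copy` only the justified Force Enable on XV-2002 remains, which is the residual risk a maintenance window is expected to close again by returning the point to 'No'.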
24 3 SECURITY RECOMMENDATIONS AND BEST PRACTICES Sequence of Events An event is permanently removed from a Safety Controller after the event was successfully read from the controller. To prevent events being lost, it is recommended to block connections other than the configured SOE collector. SafeNet SafeNet will drop a connection when communication is lost for the configured time-out or more. It is recommended to configure the shortest time-out possible as this reduces the window for tampering. It is recommended to validate network integrity before (re-)starting SafeNet communication after any unexpected loss of communication. Network Clock Safety Manager uses the network clock to timestamp diagnostic messages and events. An incorrect timestamp cannot result in unsafe operation. It can however confuse operators and maintenance engineers and it can lead to misinterpretation of the sequence of events. It is recommended to configure the clock source time-out as short as possible as this reduces the window for tampering. It is recommended to validate network integrity before (re-)starting a clock after any unexpected loss of communication. NTP devices have a user configured IP address known to the Safety Controller. NTP is therefore more secure compared to PTP. Denial of Service (DoS) Safety Manager Communication modules have a built-in overload detection and overload protection. To avoid loss of functionality each of the four communication ports on the modules can be switched off temporarily. This protection is especially effective against network storm and DoS attacks as only the communication on that one port will be temporary dropped. Activation of the overload protection will generate a diagnostic message. It is strongly recommended to validate network integrity as overload can be caused by malware on a connected device or by an attack on the Safety Controller. 
Safety Controller Redundancy
With a properly redundant communication configuration, the temporary drop of communication on one port does not have to result in a DoS for the controller. Refer to the Safety Manager Overview Guide and the Software Reference manual for more information about redundant communication configurations.

Safety Builder
Safety Builder provides an extensive on-line toolset, and it is important to understand that connecting to any Safety Controller is possible even without the actual project databases. In a well-configured system none of these on-line actions can result in unsafe operation. Unauthorized access can however cause confusion and upset if the Safety Controller is configured with one or more remote operation options enabled. It is therefore strongly recommended to (physically) block all unused Ethernet ports on the Safety Builder network.

Security Guidelines for (pre-)installing Safety Manager
A detailed description of all Safety Builder privilege levels, password protections and version control is provided in the Safety Manager System Administration Guide.

Installation
It is strongly recommended to install and maintain Safety Builder and the Safety Controller separated from the office domain.

Additional protection against misuse of Modbus TCP
To protect Safety Manager against misuse of Modbus TCP ports, it is advised to use the Honeywell Modbus Read-only Firewall. This is a fixed-configuration firewall based on deep packet inspection technology. It scans every network message and only allows a very limited set of valid Modbus read-only commands through to the safety system. These are safe commands that cannot be used by malware to change
the functionality of the safety system. The firewall's fixed rule sets remove the possibility of tampering or misconfiguration and significantly reduce the effort required by the plant to maintain the firewall.

Virus and Patch management
The applications listed below can be installed and run on the same platform:
- Safety Builder
- Application Server
- Virus and Patch Management

Honeywell supports two anti-virus packages, McAfee and Norton. Which package and associated patch server is used is determined by the customer when the network architecture of the total system is designed. It is highly recommended to update the Safety Stations on a regular basis with operating system and, if applicable, office application updates (Microsoft). It is also highly recommended to install Honeywell-certified antivirus and computer security solutions; these also need to be updated on a regular basis. The use of a centralized virus and patch management server may be considered. Management of these services must be done by competent engineers.

Security Guidelines for product administration
To help prevent unauthorized access to the Safety Builder database, it is recommended that the permissions on the folder containing the Access database are locked down to the individual users that need access to it. This reduces the number of users that have access to the database. If you would like more protection and you use Experion for monitoring the status of the Safety Manager instead of Safety Builder, back up the Access database to a controlled file storage and remove it from the client.
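The allow-list principle behind a Modbus read-only firewall, as described above under "Additional protection against misuse of Modbus TCP", is shown below as an added illustration. This is example code written for this page, not Honeywell's firewall implementation: a Modbus/TCP request inspector that validates the MBAP header and passes only the four Modbus read function codes (0x01 to 0x04) with a quantity inside the protocol limits, dropping every write, diagnostic, malformed or truncated request. The frame layout and function codes follow the public Modbus/TCP specification; the sample frames are constructed for the example and are not captured traffic.

```python
"""Read-only Modbus/TCP filter: added example, not Honeywell's firewall code."""
import struct
from dataclasses import dataclass
from typing import List, Optional

MBAP_LEN = 7                 # transaction id (2), protocol id (2), length (2), unit id (1)
MODBUS_PROTOCOL_ID = 0

# The only function codes a read-only firewall lets through to the safety system.
READ_ONLY_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}
# Maximum quantity per request according to the Modbus application protocol.
MAX_QUANTITY = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    transaction_id: Optional[int] = None
    function_code: Optional[int] = None


def inspect_request(frame: bytes) -> Verdict:
    """Deep packet inspection of one client-to-server Modbus/TCP request."""
    if len(frame) < MBAP_LEN + 1:
        return Verdict(False, "frame shorter than MBAP header plus function code")
    tid, pid, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != MODBUS_PROTOCOL_ID:
        return Verdict(False, f"unexpected protocol id {pid}", tid)
    # The MBAP length field counts the unit id and the PDU that follow it.
    if length != len(frame) - 6:
        return Verdict(False, f"MBAP length {length} does not match frame ({len(frame) - 6})", tid)
    fc = frame[MBAP_LEN]
    if fc not in READ_ONLY_FUNCTIONS:
        # Write Single Coil/Register, Write Multiple, Mask Write, Read/Write Multiple,
        # Diagnostics and vendor-specific codes are all dropped, whatever the payload.
        return Verdict(False, f"function code 0x{fc:02X} is not read-only", tid, fc)
    pdu = frame[MBAP_LEN + 1:]
    if len(pdu) != 4:
        return Verdict(False, "read request must carry exactly start address and quantity", tid, fc)
    _start, quantity = struct.unpack(">HH", pdu)
    if not 1 <= quantity <= MAX_QUANTITY[fc]:
        return Verdict(False, f"quantity {quantity} outside 1..{MAX_QUANTITY[fc]}", tid, fc)
    return Verdict(True, READ_ONLY_FUNCTIONS[fc], tid, fc)


def filter_requests(frames: List[bytes]) -> List[bytes]:
    """Return only the frames that may be forwarded to the safety system."""
    return [f for f in frames if inspect_request(f).allowed]


def build_request(tid: int, unit: int, fc: int, fmt: str, *fields: int) -> bytes:
    """Assemble a Modbus/TCP request from a PDU format; used to construct sample frames."""
    pdu = bytes([fc]) + struct.pack(fmt, *fields)
    return struct.pack(">HHHB", tid, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (not captured from a real system).
SAMPLE_FRAMES = [
    build_request(1, 1, 0x03, ">HH", 0x0000, 10),              # read 10 holding registers: pass
    build_request(2, 1, 0x04, ">HH", 0x0100, 2),               # read 2 input registers: pass
    build_request(3, 1, 0x06, ">HH", 0x0010, 0x0001),          # write single register: drop
    build_request(4, 1, 0x10, ">HHBH", 0x0010, 1, 2, 0xBEEF),  # write multiple registers: drop
    build_request(5, 1, 0x05, ">HH", 0x0001, 0xFF00),          # write single coil: drop
    build_request(6, 1, 0x01, ">HH", 0x0000, 3000),            # read coils, quantity too large: drop
    build_request(7, 1, 0x03, ">HH", 0x0000, 1)[:-1],          # truncated frame, length mismatch: drop
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        v = inspect_request(frame)
        print(f"tid={v.transaction_id} {'PASS' if v.allowed else 'DROP'}: {v.reason}")
```

The filter decides on the function code and PDU shape alone, never on the register address: that is what makes a fixed rule set possible, and it is also why it cannot protect against a legitimate read being replayed or flooded, which is where the port overload protection described earlier comes in.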
4 Safety Manager fault detection and reaction

Related topics
Introduction on page 28
Fault detection and reaction of the system on page 31
Safety Manager Controller faults on page 34
Safety Manager universal IO module faults on page 38
Safety Manager chassis IO faults on page 39
Safety Manager universal IO channel faults on page 42
Behavior of the ESD input on USIO/USLS on page 44
Compare error handling on page 45
Calculation errors on page 48
4.1 Introduction
The goal of fault detection and reaction is to detect and isolate faults that affect the safety of the process under control, within a time frame that is acceptable for the process.

Note: A diagnostic alarm is always available upon detection of a fault.

Fault detection and reaction occurs at different levels: system level, module level and channel level.

System level
Combinations of module and IO faults are handled at system level. Depending on the hardware and configuration of a system, the fault reaction to such combinations differs. A distinction is made between these systems: Safety Manager and Safety Manager A.R.T. For further details see: Fault detection and reaction of the system on page 31.

Module level
Faults at module level are handled at controller level. Depending on the hardware and configuration of a system, the fault reaction is determined by the Control Processor and/or the universal module(s). For further details see the fault reaction table(s) in: Safety Manager Controller faults on page 34; Safety Manager universal IO module faults on page 38.

Channel level
Faults at channel level are handled at controller level. Depending on the hardware and configuration of a system, the fault reaction is determined by the Control Processor and/or the universal module(s). For further details see the fault reaction table(s) in: Safety Manager chassis IO faults on page 39; Safety Manager universal IO module faults.

Diagnostic Test Interval
The Diagnostic Test Interval (DTI) is the time within which detection and isolation of faults takes place. The DTI must be set to a value that is acceptable for the process, which is related to the Process Safety Time (PST). These values can be obtained from the hazard analysis reports.

Controller configurations and states
Controller configurations
A distinction is made between non-redundant Controllers and redundant Controllers.
A non-redundant Controller has one Control Processor (CP); the response of the CP is automatically the response of the controller. A redundant Controller has two CPs; the response of one of the CPs does not necessarily affect the safety-related functioning of the controller.

Note: Safety Manager can have both non-redundant and redundant controllers. Safety Manager A.R.T. only has redundant controllers.

Control Processor states
A Control Processor (CP) can have many states. For fault detection and reaction the following states are relevant.

Attention: The states described below are shown on the display of the relevant QPP while the key switch of that QPP is in the RUN position.

Running (without faults): the CP is fully functional and executes the application.
Running with Flt (with faults): the CP executes the application, but the controller has detected one or more faults (e.g. an open loop or a hardware fault).
Halt: the CP does not execute the application.

The applicable CP state can be read from the User Interface Display on each Control Processor and from the diagnostic screens available on Experion and Safety Stations.

Fault Reaction and IO states
The Fault Reaction (FR) state of each IO point is the predetermined state or action the point assumes in case of faults. For normally energized safety-related applications, such as ESD applications, the predefined safe fault reaction state is de-energized or Low. For normally de-energized safety-related applications, such as FGS applications, the safe fault reaction state for inputs is energized or High / Top Scale. Fault reaction and IO states are explained below.

Fault reaction
The reaction to faults in the Controller, the application and/or the IO. The fault reaction to Controller and/or application faults is fixed. The fault reaction to IO faults can be configured at point or module level; it should be customized to the application for which Safety Manager is used.
IO states
From a system point of view, IO can have the healthy state, the de-energized state or the fault reaction state. When healthy, the IO is active and has the application value applied. When de-energized, the IO is de-activated (as if no power were supplied). When the fault reaction state is applied, the IO responds according to a predefined fault condition (fault reaction). When forced, the force value is applied.

Repair timer
Note: The repair timer setting must be based on a hardware reliability analysis which includes MTTR figures.
All configurations of Safety Manager are single-fault tolerant to faults that affect safety. By applying a secondary means, Safety Manager is able to bring a process to a safe state regardless of the fault. By default, Safety Manager is configured to isolate the faulty part of a subsystem to guarantee continued safe operation of the EUC. In systems with a redundant Control Processor (CP), a fault in a subsystem of one of the CPs has no effect on the safeguarded process: continuous safeguarding and availability are maintained. A configurable repair timer is started for the relevant CP on certain fault conditions. Within the remaining time the faulty part can be repaired. If the timer is allowed to reach zero, or another fault that affects safety occurs, that Control Processor halts. It is strongly advised to apply this feature of Safety Manager to meet the requirements of the applicable standards. The user can however choose to configure Safety Manager differently to meet specific requirements.

Shutdown by application or manual intervention
By design, Safety Manager is configured to meet the requirements of the applicable international standards. In case local and/or customer requirements demand an even more stringent system response, Safety Manager offers two additional features:
- A shutdown via the application software; to achieve this, Safety Manager alarm markers can be applied.
- A manual shutdown via the shutdown (SD) input of the Safety Manager Controller or of the Safety Manager universal IO modules. With the SD input a tested, hard-wired connection can be used. The SD input is accessible via the SD loop connector at the back of the CP chassis, or via channel 32 of the Safety Manager universal IO module.

Attention
1. Breaking the SD loop of the CP will cause Safety Manager to stop!
2. Breaking the SD loop of the Safety Manager universal IO module will cause that universal IO module to stop!
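The redundant-CP behaviour described in this section (the faulty part is isolated on the first safety-affecting fault and the repair timer starts; that CP halts when the timer reaches zero or a second safety-affecting fault occurs; the partner CP keeps executing the application; breaking the SD loop stops the Controller) is walked through below as an added simulation. This is example code written for this page, not Honeywell firmware. The CP names, the hour-based repair timer and the fault descriptions are assumptions for the illustration; the real repair timer value follows from the MTTR analysis the note above requires.

```python
"""Simulation of redundant Control Processor fault reaction; added example, not Honeywell code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class CPState(Enum):
    RUNNING = "Running"                    # fully functional, executes the application
    RUNNING_WITH_FLT = "Running with Flt"  # executes the application, one or more faults detected
    HALT = "Halt"                          # does not execute the application


@dataclass
class ControlProcessor:
    name: str
    state: CPState = CPState.RUNNING
    repair_timer: Optional[int] = None          # remaining repair time; None when not started
    faults: List[str] = field(default_factory=list)


class RedundantController:
    """Two CPs. A fault in one CP must not affect the safeguarded process.

    repair_time is the configured repair timer value; hours are assumed here, the real
    setting follows from the hardware reliability (MTTR) analysis the manual requires."""

    def __init__(self, repair_time: int) -> None:
        self.cps: Dict[str, ControlProcessor] = {
            "CP X": ControlProcessor("CP X"),
            "CP Y": ControlProcessor("CP Y"),
        }
        self.repair_time = repair_time
        self.sd_loop_closed = True

    def application_running(self) -> bool:
        """True while the SD loop is intact and at least one CP still executes the application."""
        return self.sd_loop_closed and any(
            cp.state is not CPState.HALT for cp in self.cps.values())

    def report_fault(self, cp_name: str, description: str, affects_safety: bool) -> CPState:
        cp = self.cps[cp_name]
        if cp.state is CPState.HALT:
            return cp.state                      # a halted CP reports nothing further
        cp.faults.append(description)
        if not affects_safety:
            cp.state = CPState.RUNNING_WITH_FLT  # e.g. an open loop: diagnosed, no timer
        elif cp.repair_timer is None:
            # First safety-affecting fault: isolate the faulty part, keep executing the
            # application and start the repair timer for this CP.
            cp.state = CPState.RUNNING_WITH_FLT
            cp.repair_timer = self.repair_time
        else:
            # Another safety-affecting fault before repair: this CP halts, the partner continues.
            cp.state = CPState.HALT
        return cp.state

    def elapse(self, hours: int) -> None:
        """Advance time; a repair timer that reaches zero halts its CP."""
        for cp in self.cps.values():
            if cp.repair_timer is not None and cp.state is not CPState.HALT:
                cp.repair_timer = max(0, cp.repair_timer - hours)
                if cp.repair_timer == 0:
                    cp.state = CPState.HALT

    def repair(self, cp_name: str) -> None:
        """Faulty part replaced within the repair time: clear faults, stop the timer."""
        cp = self.cps[cp_name]
        if cp.state is CPState.HALT:
            raise RuntimeError(f"{cp_name} has halted; restarting it is a separate procedure")
        cp.faults.clear()
        cp.repair_timer = None
        cp.state = CPState.RUNNING

    def break_sd_loop(self) -> None:
        """Manual shutdown via the SD input: both CPs stop."""
        self.sd_loop_closed = False
        for cp in self.cps.values():
            cp.state = CPState.HALT


def demo() -> List[str]:
    """Walk through the scenarios of this section and return a human-readable log."""
    log: List[str] = []
    ctrl = RedundantController(repair_time=72)
    ctrl.report_fault("CP X", "QPP memory fault", affects_safety=True)
    log.append(f"fault in CP X -> {ctrl.cps['CP X'].state.value}, timer {ctrl.cps['CP X'].repair_timer} h, "
               f"application running: {ctrl.application_running()}")
    ctrl.elapse(72)
    log.append(f"timer expired -> CP X {ctrl.cps['CP X'].state.value}, CP Y {ctrl.cps['CP Y'].state.value}, "
               f"application running: {ctrl.application_running()}")
    ctrl.break_sd_loop()
    log.append(f"SD loop broken -> application running: {ctrl.application_running()}")
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the module prints the three steps of the demo. The point the simulation makes is the asymmetry the manual relies on: a redundant Controller tolerates one unrepaired safety-affecting fault per CP for at most the repair time, and the partner CP, not the faulty one, is what keeps the application running past that point.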
4.2 Fault detection and reaction of the system
This section describes the fault detection and reaction of the system. Full module and IO bus redundancy is provided to warrant process availability. A distinction is made between the architectures of these systems: Safety Manager and Safety Manager A.R.T.

Safety Manager
The figure below shows the reliability block diagram for Safety Manager.

Figure 6: Reliability block diagram - Safety Manager

The architecture of Safety Manager shows redundant control paths that in principle function independently of each other. Execution is synchronized at the Control Processors. The system performs continuous diagnostics on all critical parts of the system. All SIF-related diagnostics are executed every execution cycle. Certain generic diagnostics are spread over multiple execution cycles, but all system diagnostics are completed within the user-configurable Diagnostic Test Interval (DTI). When the system detects a fault, the diagnostic is reported and the corresponding action is performed, isolating the faulty part of the system. In principle the equipment under control continues to be safeguarded, as the safeguarding function is performed by the healthy partner. The system responses of the safety-related modules are explained below.

Processor module
The processor module performs diagnostic tests on all critical parts of the module, such as memory, processors and address lines. When a fault is detected, the corresponding IO modules are directed to a safe state by the watchdog. The EUC continues to be safeguarded due to the redundancy.

Safety-related input modules
Input modules are scanned and diagnosed every execution cycle by their processor module. The processor modules compare the input table before executing the application logic. Discrepancies are diagnosed.
When a fault is detected, both processors use the value from the healthy module and perform the output actions as directed by the configured logic.

Safety-related output modules
Output modules are written and diagnosed every execution cycle by their processor module. When a fault is detected, it is reported and the module is directed to the safe state, while the EUC continues to be safeguarded by its redundant partner.
IO bus
The IO bus is diagnosed every execution cycle. Upon detection of a fault, the fault is reported and the corresponding output modules are directed to the safe state, while the EUC continues to be safeguarded by its redundant partner.

Attention: When the control processors are running, the IO bus cables should not be removed from the control processor chassis. Doing so may result in a control processor shutdown.

Safety Manager A.R.T.
The figure below shows the reliability block diagram for Safety Manager A.R.T.

Figure 7: Reliability block diagram - Safety Manager A.R.T.

The architecture of Safety Manager A.R.T. also shows redundant control paths that function independently of each other. Here, however, additional alternative processing routes are available to the Control Processors. The system performs continuous diagnostics on all critical parts of the system. All SIF-related diagnostics are executed every execution cycle. Certain generic diagnostics are spread over multiple execution cycles, but all system diagnostics are completed within the user-configurable Diagnostic Test Interval (DTI). When the system detects a fault, the diagnostic is reported and the corresponding action is performed, isolating the faulty part of the system. In principle the equipment under control continues to be safeguarded, as the safeguarding function is performed by the healthy partner. The system responses of the safety-related modules are explained below.

Processor module
The processor module performs diagnostic tests on all critical parts of the module, such as memory, processors and address lines. When a fault is detected, the processor module goes to a safe state. The EUC continues to be safeguarded due to the redundancy.

Safety-related input modules
Input modules are scanned and diagnosed every execution cycle by their processor module.
The processor modules compare the input table before executing the application logic. Discrepancies are diagnosed. When a fault is detected, both processors use the value from the healthy module and perform the output actions as directed by the configured logic.

Safety-related output modules
Output modules are written and diagnosed every execution cycle by their processor module. When a fault is detected, it is reported and the module is directed to the safe state, while the EUC continues to be safeguarded by its redundant partner.
IO bus
The IO bus of the A.R.T. system is multi-fault tolerant, allowing multiple faults at the same time while continuing to safeguard the equipment under control. The IO bus is diagnosed every execution cycle. Upon detection of a fault, the fault is reported and the module is directed to the safe state. The corresponding processor module uses the remaining healthy module.

Attention: When the control processors are running, the IO bus cables should not be removed from the control processor chassis. Doing so may result in a control processor shutdown.
4.3 Safety Manager Controller faults
The topics that follow provide an overview of detected Controller faults and the Controller reaction to these faults.

QPP faults
The table below provides an overview of faults that the Controller detects related to the QPP and the reaction to these faults.

Table 5: Controller reaction to QPP faults

QPP faults related to | Diagnostics report includes | Non-redundant Controller reaction | Redundant Controller reaction, CP X (faulty) | Redundant Controller reaction, CP Y (not faulty)
temperature monitoring (set points user configurable) | high alarm or low alarm | none - continue | none - continue | none - continue
temperature monitoring (set points user configurable) | high-high alarm or low-low alarm | halt Controller | halt CP | none - continue
temperature monitoring (set points user configurable) | 1 sensor faulty and temperature more than 3 degrees from shutdown limits | none - continue | none - continue | none - continue
temperature monitoring (set points user configurable) | 1 sensor faulty and temperature less than 3 degrees from shutdown limits | halt Controller | halt CP | none - continue
Memory | QPP memory | halt Controller | halt CP | none - continue
Execution | execution time-out or range / failure error on logical sheet | halt Controller | halt CP | none - continue
Watchdog | output shorted | halt Controller | halt CP | none - continue
Watchdog | de-energized watchdog line for redundant outputs | halt Controller | halt CP | none - continue
Watchdog | de-energized watchdog line for non-redundant outputs | halt Controller | de-energize non-redundant outputs, continue operation on redundant outputs | 
Watchdog | faulty | halt Controller | halt CP | none - continue
Watchdog Repeater | faulty | set inputs to fault reaction state, de-energize all outputs | halt CP | none - continue
Bus drivers, IO extenders (Safety Manager) | faulty | halt Controller | halt CP | none - continue
IO extenders (Safety Manager A.R.T.) | faulty | n.a. | de-energize IO extender CP X, use IO extender CP Y | none - continue
Internal link | faulty | halt Controller | halt CP | none - continue
QPP module | faulty | halt Controller | halt CP | none - continue
secondary switch-off | faulty | halt Controller | halt CP | none - continue
repair timer | running |  | none - continue | none - continue
More informationSIMATIC. Process Control System PCS 7 PCS 7 Documentation (V8.1) Options for Accessing Documentation 1. Documentation for the Planning Phase 2
Options for Accessing Documentation 1 Documentation for the Planning Phase 2 SIMATIC Process Control System PCS 7 Documentation for the Realization Phase 3 Documentation on commissioning, operation, diagnostics
More informationReport. Certificate M6A SIMATIC Safety System
Report to the Certificate M6A 067803 0019 Safety-Related Programmable Systems SIMATIC Safety System Manufacturer: Siemens AG Gleiwitzer Str. 555 D-90475 Nürnberg Revision 2.1 dated 2018-09-25 Testing Body:
More informationS-series H1 I/O Card with Integrated Power
January 2013 Page 1 S-series H1 I/O Card with Integrated Power Use DeltaV state-of-the-art for your process control system. Increase I/O capacity while reducing wiring Maximize smart device capabilities
More informationSafety manual. This safety manual is valid for the following product versions: Version No. V1R0
Safety manual HART TRANSPARENT driver 9107 This safety manual is valid for the following product versions: 9107-002 Version No. V1R0 0. CONTENTS 1. Observed standards... 2 2. Acronyms and abbreviations...
More informationISO INTERNATIONAL STANDARD. Safety of machinery Safety-related parts of control systems Part 1: General principles for design
INTERNATIONAL STANDARD ISO 13849-1 Second edition 2006-11-01 Safety of machinery Safety-related parts of control systems Part 1: General principles for design Sécurité des machines Parties des systèmes
More informationDeltaV SQ Controller. Introduction. Benefits. Scalable controllers. Quick assembly. Easy-to-use. Field proven architecture
DeltaV Distributed Control System Product Data Sheet January 2018 DeltaV SQ Controller Scalable controllers Quick assembly Easy-to-use Field proven architecture Designed for Electronic Marshalling Advanced
More informationDigital ac/dc (24V) Input Module
Installation Instructions Digital ac/dc (24V) Input Module Catalog Number 1771-IND, Series C Topic Page Important User Information 2 Before You Begin 3 Power Requirements 3 Prevent Electrostatic Discharge
More informationM-series MQ Controller
DeltaV Distributed Control System Product Data Sheet M-series MQ Controller Increases productivity Easy to use Has the flexibility to meet your needs Introduction The MQ Controller provides communication
More informationFailure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA
Failure Modes, Effects and Diagnostic Analysis Project: 8732C Magnetic Flow Transmitter Customer: Rosemount Inc. Chanhassen, MN USA Contract No.: Ros 03/07-26 Report No.: Ros 03/07-26 R001 Version V1,
More informationS-series Horizontal Carriers
DeltaV Distributed Control Systems Product Data Sheet S-series Horizontal Carriers The DeltaV modular I/O subsystem is easy to install and maintain Modular design allows flexible installation Allows you
More informationOvation Ethernet Link Controller Module Data Sheet
Ovation Ethernet Link Controller Module Features: Provides native Ethernet connectivity capability at the I/O level Enables faster, more efficient integration of robust data from third-party devices Dedicated
More informationAS-i Safety Relay Output Module with Diagnostic Slave
AS-i Safety Relay Output Module with Diagnostic Slave User Manual Revision date: 2013-01-30...supports the requirements for AS-i Safety up to SIL3 Subject to modifications without notice. Generally, this
More informationICS Regent. AC Guarded Digital Output Module 110 VAC (T3464) PD-6021
ICS Regent PD-6021 AC Guarded Digital Output Module 110 VAC (T3464) Issue 1, March, 06 AC Guarded digital output modules provide guarded switching of user-supplied 110 AC voltages to a maximum of sixteen
More informationMANUAL Functional Safety
PROCESS AUTOMATION MANUAL Functional Safety Repeater KFD0-CS-(Ex)*.54*, KFD0-CS-(Ex)*.56* ISO9001 2 With regard to the supply of products, the current issue of the following document is applicable: The
More informationFunctional Safety and Safety Standards: Challenges and Comparison of Solutions AA309
June 25th, 2007 Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309 Christopher Temple Automotive Systems Technology Manager Overview Functional Safety Basics Functional
More informationHART Temperature Transmitter for up to SIL 2 applications
HART Temperature Transmitter for up to SIL 2 applications Inor Process AB 05/2014 86B520S001 R1.3 1 Introduction... 3 1.1 Field of application... 3 1.2 User benefits... 3 1.3 Manufacturer s safety instructions...
More informationFunctional safety manual RB223
SD00011R/09/EN/13.13 71238251 Products Solutions Services Functional safety manual RB223 Passive barrier Application Galvanic isolation of active 0/4 to 20 ma signals from transmitters, valves and adjusters,
More informationAn Urgent Bulletin from CSA Group
An Urgent Bulletin from CSA Group Photovoltaic Equipment No. 5 Date: September 21, 2015 See Attachment 1 for Effective Dates. See Attachment 1 for Application Due Dates Announcing: Publication of List
More informationGuardLogix Controller Systems
GuardLogix Controller Systems (Catalog Numbers 1756-L61S, 1756-L62S, 1756-LSP) Safety Reference Manual Important User Information Solid state equipment has operational characteristics differing from those
More informationQuickPanel View & QuickPanel Control
GE Fanuc Automation Operator Interface Products QuickPanel View & QuickPanel Control PCMCIA Adapter IC754PCMCIA001-A Hardware User s Guide, GFK-2368 June 2005 GFK-2368 PCMCIA Host Adapter GFL-002 Warnings,
More informationM-series MX Controller
DeltaV Distributed Control System Product Data Sheet June 2017 M-series MX Controller Right-sized controllers Easy to use Has the flexibility to meet your needs Designed to support legacy migration Introduction
More informationKS 108 easy Compact automation unit for industrial control and process technology
PMA KS 108 easy Compact automation unit for industrial control and process technology Combines control, sequencing, and operation Comprehensive function library with integrated operator dialogs BlueDesign
More informationGE Intelligent Platforms PAC8000 RTU
GE Intelligent Platforms PAC8000 RTU A ruggedized, reliable RTU PAC8000 Remote Terminal Unit (RTU) thrives in the desert heat of the Arabian Peninsula and the arctic cold of Siberian oil fields delivering
More information1756 ControlLogix Chassis Specifications
Technical Data 1756 ControlLogix Chassis Specifications Standard Catalog Numbers 1756-A4, 1756-A7, 1756-A10, 1756-A13, 1756-A17 ControlLogix-XT Catalog Numbers 1756-A5XT, 1756-A7LXT Topic Page 1756 Standard
More informationOriginal operating instructions Safety relay with relay outputs with and without delay G1502S / / 2016
Original operating instructions Safety relay with relay outputs with and without delay UK G50S 803638 / 00 0 / 06 Contents Preliminary note...4. Symbols used...4 Safety instructions...5 3 Items supplied...6
More information1756 ControlLogix Chassis Specifications
Technical Data 1756 ControlLogix Chassis Specifications Catalog Numbers 1756-A4/B, 1756-A7/B, 1756-A10/B, 1756-A13/B, 1756-A17/B, 1756-A4LXT, 1756-A5XT, 1756-A7LXT, 1756-A7XT Topic Page Standard ControlLogix
More informationEnhanced Programmable Logic Controller Gateway Specification and Technical Data
L Enhanced Logic Gateway Specification and Technical Data EP03-500 R500 3/96 detergant coffee chocolate Page 2 TDC 3000X Enhanced Logic Gateway Specification and Technical Data Introduction This publication
More informationOriginal operating instructions Safety relay with relay outputs G1501S / / 2016
Original operating instructions Safety relay with relay outputs G50S UK 8023637 / 00 02 / 206 Contents Preliminary note...4. Symbols used...4 2 Safety instructions...5 3 Items supplied...6 4 Functions
More informationContents. HP E1586A Rack Mount Terminal Panel User s Manual
Contents HP E1586A Rack Mount Terminal Panel User s Manual Description... 5 Connecting to VXIbus Instruments... 5 Interconnect Cables... 5 Terminal Block Connections... 6 Using the Terminal Panel for Reference
More informationName No. of I/O points Model Safety inputs: 12, test outputs: 4
Safety I/O s DST1 Series CSM_DST1 Series_DS_E_7_3 Distributed Safety s That Reduce Wiring. Lineup includes four models to accommodate various I/O types and number of I/O points. Monitor the safety system
More informationCompactLogix Power Supplies Specifications
Technical Data CompactLogix Power Supplies Specifications 1768 CompactLogix Power Supplies Catalog Numbers 1768-PA3, 1768-PB3 1769 Compact I/O Power Supplies Catalog Numbers 1769-PA2, 1769-PB2, 1769-PA4,
More informationNJ-Series Power Supply Unit NJ-PA/PD
NJ-Series Power Supply Unit CSM_NJ-PA_PD_DS_E_1_2 Powerful power supply unit to supply stable power to the NJ-series controller. Stable power supply is available from the NJ-series CPU Unit to each I/O
More informationto 12a Added Standard and Electrical requirements for UL table 1.1
Document changes and version status C-DIAS SAFETY DIGITAL INPUT MODULE CSDI 162 Change date Affected page(s) Changes/expansions/corrections Version 19.12.2013 12 to 12a Added Standard and Electrical requirements
More informationHardware Safety Integrity. Hardware Safety Design Life-Cycle
Hardware Safety Integrity Architecture esign and Safety Assessment of Safety Instrumented Systems Budapest University of Technology and Economics epartment of Measurement and Information Systems Hardware
More informationFailure Modes, Effects and Diagnostic Analysis
Failure Modes, Effects and Diagnostic Analysis Project: Surge Protective Devices D9024S Customer: G.M. International s.r.l Villasanta Italy Contract No.: GM 16/02-055 Report No.: GM 16/02-055 R006 Version
More informationS-series DeviceNet Interface Card
January 2013 Page 1 The DeltaV provides the solution for interfacing to discrete actuators and sensors. Offers freedom to choose appropriate bus for application Supports standard device-level busses Reduces
More informationXPSMF40. Main. Safety module name. Monitoring safety detection discrete input Monitoring safety dialogue discrete output
Product datasheet Characteristics XPSMF4000 Preventa safety PLC compact - Safe Ethernet Main Range of product Product or component type Safety module name Safety module application Preventa Safety automation
More informationSafety Instrumented Systems: Can They Be Integrated But Separate?
Safety Instrumented Systems: Can They Be Integrated But Separate? Written by Merry Kuchle and Trevor MacDougall of Spartan Controls. For questions, please contact Robert Smith. Keywords Safety Instrumented
More informationDeltaV SIS Conditioning Components
DeltaV SIS Process Safety System DeltaV SIS Conditioning Components The DeltaV SIS conditioning components allow you to use the DeltaV SIS system with a variety of different field signal requirements.
More informationDeltaV MQ Controller. Introduction. Benefits. Increases productivity. Easy to use. Has the flexibility to meet your needs. Increases productivity
DeltaV Distributed Control System Product Data Sheet October 2017 DeltaV MQ Controller Increases productivity Easy to use Has the flexibility to meet your needs Introduction The MQ Controller provides
More informationTF501, TF521 Terminal Bases
Ordering Data DATA SHEET TF501, TF521 Terminal Bases 1 Ordering Data Part No. Scope of delivery Product life cycle status 1SAP 117 000 R0271 1SAP 317 000 R0271 1SAP 117 200 R0271 1SAP 317 200 R0271 TF501-CMS,
More informationSafety Standards. Model Number:
040APS Highlights & Features Compliant to IEC 60601-1 3rd edition IT and medical safety approvals Low earth leakage Current (
More information