Safety Manager Safety Manual

Safety Manager Safety Manual
EP-SM.MAN.6283
June 2016
Release 160

Document: EP-SM.MAN.6283
Release: 160
Issue date: June 2016

Disclaimer
This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell Measurex (Ireland) Limited. While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer. In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.
Copyright Honeywell Measurex (Ireland) Limited

Contents

Safety Manual
  Content of Safety Manual
    References
  Basic skills and knowledge
    Prerequisite skills
    Training
  Safety standards for Process & Equipment Under Control (PUC, EUC)
    Safety Integrity Level (SIL)
    Application design conform IEC
    The IEC 61508 and IEC 61511 standards
Safety Manager functions architectures and standards
  Safety Manager functions
  Safety Manager basic architectures
    Dual Modular Redundant (DMR) architecture
    Quadruple Modular Redundant (QMR) architecture
    Watchdog architecture in mixed IO configurations - QMR architecture
    Safety Manager A.R.T.
  Certification
  Standards compliance
Security recommendations and best practices
Safety Manager fault detection and reaction
  Introduction
  Diagnostic Test Interval
  Controller configurations and states
  Shutdown by application or manual intervention
  Fault detection and reaction of the system
    Safety Manager
    Safety Manager A.R.T.
  Safety Manager Controller faults
    QPP faults
    USI faults
    BKM faults
    PSU faults
    Communication faults
  Safety Manager universal IO module faults
    SM Universal IO module faults
  Safety Manager chassis IO faults
    Digital input faults (chassis based)
    Analog input faults (chassis based)
    Digital output faults (chassis based)
    Analog output faults (chassis based)
  Safety Manager universal IO channel faults
    Digital input faults (remote)
    Analog input faults (remote)
    Digital output faults (remote)
    Analog output faults (remote)
  Behavior of the ESD input on USIO/USLS
  Compare error handling
    IO compare errors and system response
    Compare error detection and synchronization
    Calculation errors
Safety Manager special functions
  Online modification
  SafeNet communication
    Networks
    Protocol versus response time
  Reset
    System response towards a safety related reset
  Simulation mode
General guidelines for TÜV approved applications
  General
  F&G applications
Fail Safe Controller to Safety Manager migration
  Planning for migration
    Migration checklist
    Migration audit
    On-site audit
    Phased migrations
    Extending an FSC
    FSC network
    FSC migration license
  Preparing for migration
  Migrate FSC application
    Load the application
    Verify the application
    Execute the migration
List of abbreviations
Notices
  Documentation feedback
  How to report a security vulnerability
  Support
  Training classes

1 Safety Manual
The Safety Manual is a reference guide providing detailed information regarding safety aspects in Safety Manager.
Related topics
- Content of Safety Manual on page 6
- Basic skills and knowledge on page 7
- Safety standards for Process & Equipment Under Control (PUC, EUC) on page 8

1.1 Content of Safety Manual
The Safety Manual is a reference guide providing detailed information regarding safety aspects in Safety Manager. A reference guide is a Safety Manager related guide; it does not describe tasks in terms of steps to follow. Instead it provides input to support the decisions required to achieve a certain objective.

Guide subjects
- Safety Manager functions architectures and standards on page 11
- Safety Manager fault detection and reaction on page 27
- Safety Manager special functions on page 49
- General guidelines for TÜV approved applications

References
The following guides may be required as reference materials:
- The Overview Guide: describes the general knowledge required, the basic functions of, and the tasks related to Safety Manager.
- The Planning and Design Guide: describes the tasks related to planning and designing a Safety Manager project.
- The Installation and Upgrade Guide: describes the tasks related to installing, replacing and upgrading hardware and software as part of a Safety Manager project.
- The Troubleshooting and Maintenance Guide: describes the tasks related to troubleshooting and maintaining Safety Manager.
- The System Administration Guide: describes the tasks related to administrating the computer systems used in a Safety Manager project.
- The Hardware Reference: specifies the hardware components that build a Safety Manager project.
- The Withdrawn Hardware Reference: specifies all withdrawn hardware components and identifies alternatives for maintaining Safety Manager projects containing withdrawn hardware.
- The Software Reference: specifies the software functions that build a Safety Manager project and contains guidelines on how to operate them.
- The On-line Modification Guide: describes the theory, steps and tasks related to upgrading Safety Builder and embedded software and modifying an application online in a redundant Safety Manager.

1.2 Basic skills and knowledge
Before performing tasks related to Safety Manager you need to:
- Understand basic Safety Manager concepts as explained in the Overview Guide and the Glossary.
- Have a thorough understanding of the Safety Manual.
- Have had appropriate training related to Safety Manager that certifies you for your tasks (see the Planning and Design Guide).
More related information can be found in Prerequisite skills and Training.

Prerequisite skills
When you perform tasks related to Safety Manager, it is assumed that you have appropriate knowledge of:
- Site procedures.
- The hardware and software you are working with, for example computers, printers, network components, Controller and Station software.
- Microsoft Windows operating systems.
- Programmable logic controllers (PLCs).
- Applicable safety standards for Process & Equipment Under Control.
- Application design conform IEC.
- The IEC 61508 and IEC 61511 standards.
This guide assumes that you have a basic familiarity with the process(es) connected to the equipment under control and that you have a complete understanding of the hazard and risk analysis.
More related information can be found in Training.

Training
Most of the skills mentioned above can be achieved by appropriate training. For more information, contact your Honeywell SMS representative.
More related information can be found in Prerequisite skills.

1.3 Safety standards for Process & Equipment Under Control (PUC, EUC)
Safety Manager is the logic solver of a Safety Instrumented System (SIS) performing specific Safety Instrumented Functions (SIF) to ensure that risks are kept at predefined levels. A SIS measures, independently from the Basic Process Control System (BPCS), a number of relevant process signals such as temperature, pressure, the level in a tank or the flow through a pipe. The values of these signals are compared with predefined safe values and, if needed, the SIS raises an alarm or takes action. In this way the SIS controls the safety of the process and lowers the chance of an unsafe situation. The logic in Safety Manager defines the response to process parameters.
In this context the following terms are explained in this section:
- Safety Integrity Level (SIL) on page 8
- Safety layers of protection
- Equipment Under Control (EUC)
- Process Under Control (PUC)

Safety Integrity Level (SIL)
The IEC 61508 standard specifies 4 levels of safety performance for safety functions, called safety integrity levels. Safety integrity level 1 (SIL1) is the lowest level of safety integrity and safety integrity level 4 (SIL4) the highest. If the required level is below SIL1, IEC 61508 and IEC 61511 do not apply. Safety Manager can be used for processing multiple SIFs simultaneously, each demanding SIL1 up to and including SIL3. To achieve the required safety integrity level for the E/E/PE safety-related systems, an overall safety life cycle is adopted as the technical framework (as defined in IEC 61508).
For more information see also: Safety layers of protection; Equipment Under Control (EUC); Process Under Control (PUC).

Application design conform IEC
The IEC standard defines, as a minimum set, the basic programming elements and the syntactic and semantic rules for the most commonly used programming languages: the graphical languages Ladder Diagram and Functional Block Diagram, and the textual languages Instruction List and Structured Text. For more information see the IEC web site. The figure below shows how Safety Manager uses the graphical programming method based on the Functional Block Diagram as defined by this IEC standard.

Figure 1: Example FLD layout

The IEC 61508 and IEC 61511 standards
SISs have been used for many years to perform safety instrumented functions, e.g. in chemical, petrochemical and gas plants. For instrumentation to be used effectively for safety instrumented functions, it is essential that it meets certain minimum standards and performance levels. To define the characteristics, main concepts and required performance levels, the standards IEC 61508 and IEC 61511 have been developed. The introduction of the Safety Integrity Level (SIL) is one of the results of these standards. This brief provides a short explanation of each standard. Detailed information regarding IEC 61508 and IEC 61511 can be found on the IEC web site.

What standard to use?
Tip:
- You can use IEC 61508 as a stand-alone standard for those sectors where a sector specific standard does not exist.
- If you are in the process sector and you are an owner/user, it is strongly recommended that you pay attention to IEC 61511 (ANSI/ISA S84). For details see IEC 61511, the standard for the process industry.
- If you are in the process sector and you are a manufacturer, it is strongly recommended that you pay attention to IEC 61508. For details see IEC 61508, the standard for all E/E/PE safety-related systems.
- If you are in another sector, it is strongly recommended that you look for, and use, your sector specific IEC standard for functional safety (if there is one). If none exists, you can use IEC 61508 instead. For details see IEC 61508, the standard for all E/E/PE safety-related systems.

IEC 61508 and IEC 61511 terminology
This guide contains both IEC 61508 and IEC 61511 related terminology. As IEC 61511 sits within the framework of IEC 61508, most of the terminology used may be interchanged. The table below gives an overview of the most common interchangeable terminology.

Table 1: IEC 61508 versus IEC 61511 terminology
- IEC 61508: safety function. IEC 61511: safety instrumented function.
- IEC 61508: electrical/electronic/programmable electronic (E/E/PE) safety-related system. IEC 61511: safety instrumented system (SIS).

IEC 61508, the standard for all E/E/PE safety-related systems
IEC 61508 is called "Functional safety of electrical/electronic/programmable electronic safety-related systems". It covers all safety-related systems that are electrotechnical in nature, i.e. Electrical, Electronic and Programmable Electronic (E/E/PE) systems.
Generic standard
The standard is generic and is intended to provide guidance on how to develop E/E/PE safety related devices as used in Safety Instrumented Systems (SIS). IEC 61508:
- serves as a basis for the development of sector standards (e.g. for the machinery sector, the process sector, the nuclear sector, etc.);
- can serve as a stand-alone standard for those sectors where a sector specific standard does not exist.
SIL
IEC 61508 details the design requirements for achieving the required Safety Integrity Level (SIL). The safety integrity requirements for each individual safety function may differ. The safety function and its SIL requirements are derived from the hazard analysis and the risk assessment. The higher the level of safety integrity adopted, the lower the likelihood of dangerous failure of the SIS. This standard also addresses the safety-related sensors and final elements regardless of the technology used.

IEC 61511, the standard for the process industry
IEC 61511 is called "Functional safety - Safety instrumented systems for the process industry sector". It is also referred to as ANSI/ISA S84. This standard addresses the application of SISs for the process industries. It requires a process hazard and risk assessment to be carried out, from which the specification for the SIS is derived. In this standard a SIS includes all components and subsystems necessary to carry out the safety instrumented function, from sensor(s) to final element(s). The standard is intended to lead to a high level of consistency in underlying principles, terminology and information within the process industries, which should have both safety and economic benefits. IEC 61511 sits within the framework of IEC 61508.

Need to know more?
For more information regarding, or help on, implementing or determining the applied safety standards for your plant/process, contact your Honeywell affiliate. Our Safety Consultants can help you to, e.g.:
- perform a hazard and risk analysis
- determine the SIL requirements
- design the Safety Instrumented System
- validate and verify the design
- train your local safety staff

2 Safety Manager functions architectures and standards
Safety Manager can be configured for a number of architectures, each with its own characteristics and typical Safety Instrumented Functions.
Related topics
- Safety Manager functions on page 12
- Safety Manager basic architectures on page 13
- Certification on page 17
- Standards compliance on page 19

2.1 Safety Manager functions
Safety Manager is the logic solver inside a Safety Instrumented System (SIS) and can be used in a number of different basic architectures (see Safety Manager basic architectures on page 13). Irrespective of the chosen architecture, Safety Manager meets the requirements of the relevant international standards. By design Safety Manager operates at a very high level of dependability. The functions of Safety Manager depend on the Controller configuration that is applied. The table below describes these functions.
Table 2: Safety Manager functions
- Non-redundant (DMR): Logic solving within a SIS in order to provide freedom from unacceptable risks, and thus safeguarding the equipment and processes under control.
- Redundant (QMR): Logic solving within a SIS in order to provide freedom from unacceptable risks, and thus safeguarding the equipment and processes under control while maintaining a high level of availability.
- Redundant A.R.T. (Safety Manager A.R.T.): Logic solving within a SIS in order to provide freedom from unacceptable risks, and thus safeguarding the equipment and processes under control while maintaining an extended level of availability.

2.2 Safety Manager basic architectures
Safety Manager can be configured for a number of architectures. Each has its own characteristics and typical Safety Instrumented Functions. The table below provides an overview of the available architectures.
Table 3: Safety Manager architectures
- Non-redundant (DMR). IO configuration: non-redundant. Remarks: DMR architecture; supports SIF for SIL1, SIL2 and SIL3 applications.
- Redundant (QMR). IO configuration: non-redundant, redundant, or redundant and non-redundant combined. Remarks: QMR architecture; supports SIF for SIL1, SIL2 and SIL3 applications.
- Redundant A.R.T. (Safety Manager A.R.T.). IO configuration: non-redundant or redundant. Remarks: A.R.T. architecture; supports SIF for SIL1, SIL2 and SIL3 applications.

Dual Modular Redundant (DMR) architecture
Typical applications of a DMR architecture are:
- Burner Management System
- Batch processing
- Machine protection
The DMR architecture provides 1oo2 voting in a non-redundant system. The DMR architecture with 1oo2 voting is based on dual-processor technology, and is characterized by a high level of self tests, diagnostics and fault tolerance. The DMR architecture is realized with a non-redundant Controller. A non-redundant architecture contains only one QPP, which contains redundant processors and memory with 1oo2 voting between the processors and memory. In IO configurations, each path is primarily controlled by the Control Processor and an independent watchdog signal (see the figure below).
Figure 2: Functional diagram: DMR architecture (ESD input and watchdog signal; sensor, input module, QPP Control Processor, output module and final element)

Quadruple Modular Redundant (QMR) architecture
Typical applications of a QMR architecture are process safeguarding applications for which continuous operation is essential.
The Quadruple Modular Redundant (QMR) architecture is based on 2oo4D voting, with dual-processor technology in each QPP. This means that it is characterized by an ultimate level of self diagnostics and fault tolerance. The QMR architecture is realized with a redundant Controller. This redundant architecture contains two QPPs, which results in quadruple redundancy, making it fault tolerant for safety. The 2oo4D voting is realized by combining 1oo2 voting of both CPUs and memory in each QPP, and 1oo2D voting between the two QPPs. Voting takes place on two levels: on a module level and between the QPPs. In redundant IO configurations, each path is controlled by one of the Control Processors and an independent watchdog signal, which is controlled by the diagnostic software (see the figure below). Furthermore, each Control Processor is able to switch off the output channels of the other Control Processor.
Figure 3: Functional diagram: QMR architecture (ESD input and watchdog signals; sensor, two input modules, QPP Control Processor 1 and 2, two output modules, final element; universal IO modules n1 and n2)

Watchdog architecture in mixed IO configurations - QMR architecture
In a system with combined redundant and non-redundant IO, three (3) watchdog lines are active:
- WD1: the Watchdog line dedicated to Control Processor 1. It de-energizes upon a safety related fault in Control Processor 1. When de-energized, Control Processor 1 and the related outputs are halted.
- WD2: the Watchdog line dedicated to Control Processor 2. It de-energizes upon a safety related fault in Control Processor 2. When de-energized, Control Processor 2 and the related outputs are halted.

- WD3: the Watchdog line dedicated to the hardware that controls the non-redundant IO. It de-energizes upon a safety related fault in that hardware. When de-energized, the non-redundant outputs are de-energized, but the redundant outputs and the Control Processors remain operational.
Figure 4: Functional diagram: redundant Controller with redundant and non-redundant IO (ESD input and watchdog signals; redundant path with two input modules, QPP Control Processor 1 and 2, two output modules and final element; non-redundant path with sensor, input module, output module and final element)

Safety Manager A.R.T.
Typical applications of the Safety Manager A.R.T. architecture are process safeguarding applications for which continuous operation is essential.
The Safety Manager A.R.T. architecture is based on 2oo4D voting, with dual-processor technology in each QPP. This means that it is characterized by an ultimate level of self diagnostics and fault tolerance. The Safety Manager A.R.T. architecture is only supported with a redundant Controller. This redundant architecture contains two QPPs, which results in quadruple redundancy, making it fault tolerant for safety. The 2oo4D voting is realized by combining 1oo2 voting of both CPUs and memory in each QPP, and 1oo2D voting between the two QPPs. Voting takes place on two levels: on a module level and between the QPPs. In redundant IO configurations, both paths can be controlled by each Control Processor. The watchdog function for the output modules is controlled at chassis based IO level, by the main watchdogs with additional control by the software. The result of the Safety Manager A.R.T. architecture is a more granular reaction to output module faults.

Figure 5: Functional diagram: QMR architecture (ESD input and watchdog signals; sensor, two input modules, QPP Control Processor 1 and 2, two output modules, final element; universal IO modules n1 and n2)
Related topic(s): Fault detection and reaction of the system
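The voting behaviour described in this section, as an added example that is not part of the original manual and not Honeywell's implementation: a small Python model of 1oo2 voting inside a QPP, 1oo2D voting between the two QPPs of a redundant Controller, and the effect of the WD3 line on non-redundant outputs in a mixed IO configuration. The class names, the degradation policy (a pack that diagnostics flagged is simply left out of the vote) and the assumption that non-redundant outputs carry the same voted result as the redundant ones are illustrative assumptions; the scenarios at the bottom are constructed.

```python
"""Fail-safe voting model for the DMR (1oo2) and QMR (2oo4D) architectures.

Added example, not Honeywell code: it models the behaviour the text describes
(de-energize on disagreement or diagnosed fault; a diagnosed-faulty QPP is taken
out of service while the other continues) with constructed inputs. Names and
the exact degradation policy are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SAFE = False  # de-energized output: the final element is tripped to its safe state


@dataclass
class Processor:
    demand: bool          # logic result of this processor (True = keep output energized)
    healthy: bool = True  # result of the processor's self-diagnostics


@dataclass
class QPP:
    """One processor pack: two processors with 1oo2 voting between them."""
    cp_a: Processor
    cp_b: Processor
    watchdog: bool = True  # watchdog line energized (dropped on a safety-related fault)

    def vote_1oo2(self) -> Optional[bool]:
        """Voted output of this pack, or None when diagnostics took the pack out of service.

        1oo2 means either processor alone can force the safe state: a compare
        error between the two, or either demanding de-energize, yields SAFE.
        """
        if not (self.cp_a.healthy and self.cp_b.healthy and self.watchdog):
            return None
        if self.cp_a.demand != self.cp_b.demand:
            return SAFE  # compare error: fail safe rather than trust either side
        return self.cp_a.demand


def dmr_output(qpp: QPP) -> bool:
    """Non-redundant Controller: a single QPP, so any fault or disagreement trips."""
    voted = qpp.vote_1oo2()
    return SAFE if voted is None else voted


def qmr_output(qpp_1: QPP, qpp_2: QPP) -> bool:
    """Redundant Controller: 1oo2D between two QPPs, each internally 1oo2.

    A pack that diagnostics flagged is ignored (degraded but available); the
    remaining valid votes are combined 1oo2, so any valid SAFE wins. With no
    valid vote left the output de-energizes.
    """
    valid = [v for v in (qpp_1.vote_1oo2(), qpp_2.vote_1oo2()) if v is not None]
    if not valid:
        return SAFE
    return all(valid)


def mixed_io_outputs(qpp_1: QPP, qpp_2: QPP, wd3_energized: bool) -> Tuple[bool, bool]:
    """(redundant_output, non_redundant_output) for a Controller with mixed IO.

    Assumption for this model: the non-redundant outputs carry the same voted
    result as the redundant ones, but are additionally gated by WD3, which
    guards only the hardware driving the non-redundant IO.
    """
    redundant = qmr_output(qpp_1, qpp_2)
    non_redundant = redundant if wd3_energized else SAFE
    return redundant, non_redundant


def make_qpp(a: bool, b: bool, *, healthy: bool = True, watchdog: bool = True) -> QPP:
    """Helper to build a QPP from two demands; the health flag applies to both processors."""
    return QPP(Processor(a, healthy), Processor(b, healthy), watchdog)


if __name__ == "__main__":
    # Constructed scenarios: a healthy system holding the output energized,
    # a compare error in the DMR, and a diagnosed fault in one QMR pack.
    print("DMR healthy, agree      :", dmr_output(make_qpp(True, True)))
    print("DMR compare error       :", dmr_output(make_qpp(True, False)))
    print("QMR one pack diagnosed  :", qmr_output(make_qpp(True, True, healthy=False),
                                                   make_qpp(True, True)))
    print("QMR both healthy, differ:", qmr_output(make_qpp(True, True),
                                                   make_qpp(False, False)))
    print("Mixed IO, WD3 dropped   :", mixed_io_outputs(make_qpp(True, True),
                                                         make_qpp(True, True), False))
```

The difference between the two Controller types shows in the third scenario: the same diagnosed fault that trips a DMR Controller leaves a QMR Controller running on its remaining pack, while an undiagnosed disagreement between two healthy packs still de-energizes in both.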

2.3 Certification
The advantage of applying and complying with standards is obvious: international standards force companies to evaluate and develop their products and processes in a consistent and uniform way. Products certified to these international standards guarantee a degree of quality and product reliability that other products lack. Since functional safety is the core of the Safety Manager design, the system has been certified for use in safety applications all around the world. Safety Manager has been developed specifically to comply with the IEC 61508 functional safety standards, and has been certified by TÜV for use in SIL1 to SIL3 applications. Safety Manager has also obtained certification in the United States for the ANSI/ISA S84.01 standard. For a full list of these and other certifications see Certification below.
Certification
Safety Manager has been certified to comply with the following standards:
- Lloyd's Register - Safety Manager is certified for offshore and floating production facilities application use in environmental categories ENV1 and ENV2 as per LR Type Approval System, Test Specification # 1, 2002.
- International Electrotechnical Commission (IEC) - The design and development of Safety Manager are compliant with IEC 61508 (as certified by TÜV).
- Instrument Society of America (ISA) - Certified to fulfill the requirements laid down in ANSI/ISA S84.01.
- CE compliance - Complies with CE directives 2004/108/EC (EMC), 2006/95/EC (Low Voltage) and 2006/42/EC (Machine Safety).
- European Committee for Standardization - CEN, CENELEC.

- TÜV (Germany) - Certified to fulfill the requirements of SIL1, 2 and 3 safety equipment as defined in the following documents: IEC 61508, IEC, EN 50156, EN 54-2, EN 50178, IEC 60068, IEC, IEC, IEC.
- Canadian Standards Association (CSA) - Complies with the requirements of the following standards: CSA Standard C22.2 No. 0-M982 General Requirements, Canadian Electrical Code, Part II; CSA Standard C22.2 No. 142-M1987 for Process Control Equipment, including General Instructions up to No. 4 dated February 1989 (Reaffirmed 2004).
- Underwriters Laboratories (UL) - Certified to fulfill the requirements of UL 508, UL 508A and ANSI/ISA S84.01.
- Factory Mutual (FM) - Certified to fulfill the requirements of FM 3611 and FM 3600 (nonincendive field wiring circuits for selected modules and installation in Class I, Division 2 environments).

2.4 Standards compliance
This sub section lists the standards Safety Manager complies with.
Table 4: Safety Manager compliance to standards
- IEC 61508, Part 1-7 (2001): Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems. Remarks: values such as PFD, PFH and SFF can be provided upon request.
- IEC (2004) (S84): Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements.
- IEC (2005): Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems.
- ISO (2008): Safety of machinery - Safety related parts of control systems. General principles for design.
- EN 54 part 2 (2006): Components of automatic fire detection systems, Introduction.
- EN (1996): Safety of Machinery - Safety Related Parts of Control Systems - Part 1. General Principles for Design.
- EN (2003): Electromagnetic compatibility - Immunity requirements for components of fire, intruder and social alarm systems.
- EN (2004): Electrical equipment of furnaces.
- EN (2009): Safety of machinery - Electrical equipment of machines - Part 1: General requirements.
- IEC (2005): Electromagnetic compatibility - Generic immunity standard: Industrial environment.
- IEC (2010): Safety Requirements for Electrical Equipment for Measurement, Control and Laboratory Use, Part 1: General Requirements.
- IEC (2007): Programmable controllers. Part 2: Equipment requirements and tests.
- IEC (2008): Immunity requirements for safety related systems.
- NFPA 72 (2010): National Fire Alarm Code Handbook.
- NFPA 85 (2011): Boiler and Combustion Systems Hazards Code.
- NFPA 86 (2011): Standard for Ovens and Furnaces.
- ANSI/ISA (2013): Environmental Conditions for Process Measurement and Control Systems: Airborne Contaminants. Remarks: G3 level: harsh environments.
- UL 508: Industrial control equipment, seventeenth edition. Remarks: Underwriters Laboratories.
- UL 508A (2001): UL Standard for Safety Industrial Control Panels. Remarks: Underwriters Laboratories.
- FM 3600, FM 3611; Class I, Division 2, Groups A, B, C & D; Class II, Division 2, Groups F & G: Electrical equipment for use in Class I, Division 2, Class II, Division 2, and Class III, Division 1 and 2, hazardous locations. Remarks: Factory Mutual Research. Applies to the field wiring circuits of the following modules: SDI-1624, SAI-0410, SAI-1620m, SDIL-1608 and SAO-0220m, and installation of the Controller in these environments.
- CSA C22.2: Process control equipment. Remarks: Canadian Standards Association No.
- IEC (2004): Industrial products. Basic environmental testing procedures. Remarks: the following tests apply:
  - IEC Cold test (undervoltage): Safety Manager -5 C (23 F); SM universal IO module -40 C (-40 F); 16 hours; system in operation; reduced power supply voltage (-15%): U=20.4 Vdc or (-10%): U=198 Vac.
  - IEC Cold test (nominal): Safety Manager -10 C (14 F); SM universal IO module -45 C (-49 F); 16 hours; system in operation.
  - IEC Dry heat test: up to 70 C (158 F); 16 hours; system in operation; increased power supply voltage (+30%): U=31.2 Vdc or (+10%): U=253 Vac.
  - IEC Test Ca: damp heat, steady state: 21 days at +40 C (104 F), 93% relative humidity; function test after cooling.
  - IEC Test Ca: damp heat, steady state: 96 hours at +40 C (104 F), 93% relative humidity; system in operation.
  - IEC Test Na: change of temperature withstand test: -25 C to +55 C (-13 F to +131 F), 12 hours, 95% relative humidity, recovery time: max. 2 hours.
  - IEC Test Db variant 2: cyclic damp heat test: +25 C C (+77 F F), 7 days, % relative humidity, recovery time: 1-2 hours.
  - IEC Environmental testing Part 2: Tests. Test Fc: vibration (sinusoidal): excitation sine-shaped with sliding frequency; Safety Manager frequency range: Hz; loads: Hz; mm Hz; 1 G; duration: 10 cycles (20 sweeps) per axis; number of axes: 3 (x, y, z); traverse rate: 1 oct/min; system in operation.
  - IEC Environmental testing Part 2: Tests. Test Ea: shock: half sine shock; 6 shocks per 3 axes (18 in total); maximum acceleration: 15 G; shock duration: 11 ms; Safety Manager in operation.


3 Security recommendations and best practices
This section provides information on security recommendations and best practices for using the Safety Manager controller. A detailed description of all Safety Controller key switches, loading of software and forcing is available in the Safety Manager Installation and Upgrade Guide.

Force Enable Key Switch
It is strongly recommended to keep the Force Enable key switch in the disabled position whenever forcing is not required. Leaving the Force Enable key switch in the enabled position makes the Safety Controller more vulnerable to abuse. Store the keys of the CPU key switches in a safe location, so that even with physical access to controllers in a remote location (for example, pipelines) the controller application cannot be changed.

Fault Reset Key Switch
The Fault Reset key switch is a physical key to reset the Safety Manager Controller. It is also required to start a loaded application.

Force Enable Configuration
It is strongly recommended to leave a point's Force Enable at the default 'No' unless it is necessary to force this point or to modify a HART field device parameter during maintenance. Configuring a point with Force Enable makes the Safety Controller user application more vulnerable to abuse.

Write Enable Configuration
It is recommended to leave a point's Write Enable at the default 'No' (Disabled) unless it is necessary to write this point during maintenance. It is strongly discouraged to use a write enabled point as part of a SIF. Configuring a point with Write Enable makes the Safety Controller user application more vulnerable to abuse.

Remote Reset Configuration
It is recommended to leave this setting in the 'Disabled' position unless it is a necessity to reset or start up a Safety Controller remotely via Safety Builder. Configuring Remote Reset makes the Safety Controller more vulnerable to abuse. The Fault Reset key switch mounted in the Safety Controller cabinet is the preferred secure alternative.

Remote Load Configuration
It is recommended to leave this setting in the 'Disabled' position unless it is a necessity to shut down a Safety Controller remotely via Safety Builder prior to a download. Configuring Remote Load makes the Safety Controller more vulnerable to abuse. The Safety Processor (QPP) key switch is the preferred secure alternative.

24 3 SECURITY RECOMMENDATIONS AND BEST PRACTICES Sequence of Events An event is permanently removed from a Safety Controller after the event was successfully read from the controller. To prevent events being lost, it is recommended to block connections other than the configured SOE collector. SafeNet SafeNet will drop a connection when communication is lost for the configured time-out or more. It is recommended to configure the shortest time-out possible as this reduces the window for tampering. It is recommended to validate network integrity before (re-)starting SafeNet communication after any unexpected loss of communication. Network Clock Safety Manager uses the network clock to timestamp diagnostic messages and events. An incorrect timestamp cannot result in unsafe operation. It can however confuse operators and maintenance engineers and it can lead to misinterpretation of the sequence of events. It is recommended to configure the clock source time-out as short as possible as this reduces the window for tampering. It is recommended to validate network integrity before (re-)starting a clock after any unexpected loss of communication. NTP devices have a user configured IP address known to the Safety Controller. NTP is therefore more secure compared to PTP. Denial of Service (DoS) Safety Manager Communication modules have a built-in overload detection and overload protection. To avoid loss of functionality each of the four communication ports on the modules can be switched off temporarily. This protection is especially effective against network storm and DoS attacks as only the communication on that one port will be temporary dropped. Activation of the overload protection will generate a diagnostic message. It is strongly recommended to validate network integrity as overload can be caused by malware on a connected device or by an attack on the Safety Controller. 
Safety Controller Redundancy
With a properly redundant communication configuration, the temporary drop of communication does not have to result in DoS for the controller. Refer to the Safety Manager Overview Guide and Software Reference manual for more information about redundant communication configurations.

Safety Builder
Safety Builder provides an extensive on-line toolset, and it is important to understand that connecting to any Safety Controller is possible even without the actual project databases. In a well-configured system none of these on-line actions can result in unsafe operation. Unauthorized access can however cause confusion and upset if the Safety Controller is configured with one or more remote operation options enabled; it is therefore strongly recommended to (physically) block all unused Ethernet ports on the Safety Builder network.

Security Guidelines for (pre-)installing Safety Manager
A detailed description of all Safety Builder privilege levels, password protections and version control is provided in the Safety Manager System Administration Guide.

Installation
It is strongly recommended to install and maintain Safety Builder and Safety Controller separated from the Office Domain.

Additional protection against misuse of Modbus TCP
To protect Safety Manager against misuse of Modbus TCP ports, it is advised to use the Honeywell Modbus Read-only Firewall. This is a fixed-configuration firewall based on deep packet inspection technology. This technology scans every network message, only allowing a very limited set of valid Modbus Read-only commands through to the safety system. These are safe commands that cannot be used by malware to change the functionality of the safety system. The firewall's fixed rule sets remove the possibility of tampering or misconfiguration and significantly reduce the effort required by the plant to maintain the firewall.

Virus and Patch management
The applications listed below can be installed and run on the same platform:
Safety Builder
Application Server
Virus and Patch Management
Honeywell supports two anti-virus packages, McAfee and Norton. Which package and associated patch server is used is determined by the customer when the network architecture of the total system is designed. It is highly recommended to update the Safety stations on a regular basis with operating system and office application (if applicable) updates (Microsoft). It is also highly recommended to install Honeywell certified antivirus and computer security solutions; these also need to be updated on a regular basis. The use of a centralized virus and patch management server may be considered. Management of these services needs to be done by competent engineers.

Security Guidelines for product administration
To help prevent unauthorized access to the Safety Manager Build, it is recommended that permissions for the folder containing the access database are locked down to the individual users that need access to the database. This reduces the number of users that have access to the database. If you would like more protection and you are using Experion for monitoring the status of the Safety Manager instead of the Safety Manager Builder, back up the access database to a controlled file storage and remove it from the client.
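The read-only policy of the Modbus firewall described under "Additional protection against misuse of Modbus TCP" above, as an added Python illustration that is not Honeywell's firewall code: every Modbus/TCP request is parsed (MBAP header plus function code) and only the four public read function codes are forwarded; write commands, unknown codes and malformed frames are dropped, so the filter fails closed. The function codes are the public Modbus codes; the sample frames are constructed.

```python
"""Read-only Modbus/TCP request filter (added illustration, not Honeywell code)."""
from __future__ import annotations
import struct

# Public Modbus function codes (Modbus Application Protocol specification).
READ_ONLY_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def inspect_request(frame: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for one Modbus/TCP request frame.

    The verdict is False unless the frame is well-formed AND its function
    code is on the read-only allow-list (deep packet inspection, fail closed).
    """
    if len(frame) < MBAP_LEN + 1:
        return False, "drop: frame shorter than MBAP header plus function code"
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return False, f"drop: MBAP protocol id {proto} is not Modbus (0)"
    # The MBAP length field counts the unit id plus the whole PDU that follows.
    if length != len(frame) - 6:
        return False, f"drop: MBAP length {length} != {len(frame) - 6} bytes on the wire"
    fc = frame[MBAP_LEN]
    if fc in READ_ONLY_FUNCTIONS:
        # A read request carries exactly start address (2) + quantity (2).
        if len(frame) != MBAP_LEN + 5:
            return False, f"drop: malformed {READ_ONLY_FUNCTIONS[fc]} request"
        addr, qty = struct.unpack(">HH", frame[MBAP_LEN + 1:MBAP_LEN + 5])
        return True, f"allow: {READ_ONLY_FUNCTIONS[fc]} addr={addr} qty={qty} unit={unit} tid={tid}"
    if fc in WRITE_FUNCTIONS:
        return False, f"drop: write command {WRITE_FUNCTIONS[fc]} (0x{fc:02X})"
    return False, f"drop: function code 0x{fc:02X} not on allow-list"


def filter_frames(frames: dict[str, bytes]) -> dict[str, bool]:
    """Apply the policy to a batch; True means the frame reaches the safety system."""
    return {name: inspect_request(frame)[0] for name, frame in frames.items()}


def build_request(tid: int, unit: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP frame (MBAP header + PDU); used to build the samples."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic, not captured from a real system.
SAMPLE_FRAMES = {
    # Read Holding Registers, start 0x0010, quantity 8: the only kind that passes.
    "read_holding": build_request(1, 1, bytes([0x03, 0x00, 0x10, 0x00, 0x08])),
    # Write Single Register 0x0010 := 0x1234: a write, dropped.
    "write_register": build_request(2, 1, bytes([0x06, 0x00, 0x10, 0x12, 0x34])),
    # Write Multiple Coils, 8 coils from address 0: a write, dropped.
    "write_coils": build_request(3, 1, bytes([0x0F, 0x00, 0x00, 0x00, 0x08, 0x01, 0xFF])),
    # Diagnostics (0x08) sub-function 1: not a read, dropped by the allow-list.
    "diagnostics": build_request(4, 1, bytes([0x08, 0x00, 0x01, 0x00, 0x00])),
    # MBAP length claims 255 bytes but only 5 follow: malformed, dropped.
    "bad_length": bytes.fromhex("0005000000ff0103000000"),
    # Truncated to four bytes: malformed, dropped.
    "truncated": bytes.fromhex("00060000"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:15s} {inspect_request(frame)[1]}")
```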


4 Safety Manager fault detection and reaction
Related topics
Introduction on page 28
Fault detection and reaction of the system on page 31
Safety Manager Controller faults on page 34
Safety Manager universal IO module faults on page 38
Safety Manager chassis IO faults on page 39
Safety Manager universal IO channel faults on page 42
Behavior of the ESD input on USIO/USLS on page 44
Compare error handling on page 45
Calculation errors on page 48

28 4 SAFETY MANAGER FAULT DETECTION AND REACTION

4.1 Introduction
The goal of fault detection and reaction is to detect and isolate faults that affect the safety of the process under control, within a time frame that is acceptable for the process.
Note: There is always a diagnostic alarm available upon detection of a fault.
Fault detection and reaction occurs at different levels. These levels are: system level, module level, channel level.

System level
Combinations of module and IO faults are controlled at system level. Depending on the hardware and configuration of a system, the fault reaction to such combinations will be different. A distinction is made between these systems: Safety Manager, Safety Manager A.R.T. For further details see: Fault detection and reaction of the system on page 31

Module level
Faults at module level are controlled at controller level. Depending on the hardware and configuration of a system, the fault reaction is determined by the Control Processor and/or universal module(s). For further details see the fault reaction table(s) in: Safety Manager Controller faults on page 34; Safety Manager universal IO module faults on page 38

Channel level
Faults at channel level are controlled at controller level. Depending on the hardware and configuration of a system, the fault reaction is determined by the Control Processor and/or universal module(s). For further details see the fault reaction table(s) in: Safety Manager chassis IO faults on page 39; Safety Manager universal IO module faults on page

Diagnostic Test Interval
The Diagnostic Test Interval (DTI) is the time within which detection and isolation of faults takes place. The DTI must be set to a value that is acceptable for the process, such as the Process Safety Time (PST). These values can be obtained from hazard analysis reports.

Controller configurations and states
Controller configurations
A distinction is made between Non-redundant Controllers and Redundant Controllers.
A Non-redundant Controller has one Control Processor (CP); the response of the CP is automatically the response of the controller. A Redundant Controller has two CPs; the response of one of the CPs does not necessarily affect the safety-related functioning of the controller.
Note: Safety Manager can have both non-redundant controllers and redundant controllers. Safety Manager A.R.T. only has redundant controllers.

Control Processor states
A Control Processor (CP) can have many states. For fault detection and reaction the following states are relevant.
Attention: The states described below are presented on the display of the relevant QPP while the key switch of that QPP is in the RUN position.
Running (without faults): CP is fully functional and executes the application.
Running with Flt (with faults): CP executes the application, but the controller has detected one or more faults (e.g. an open loop or a hardware fault).
Halt: CP does not execute the application.
The applicable CP state can be read from the User Interface Display located on each Control Processor and from the diagnostic screens available on Experion and Safety Stations.

Fault Reaction and IO states
The Fault Reaction (FR) state of each IO point is the predetermined state or action the point assumes in case of faults. For normally energized safety-related applications, like ESD applications, the predefined safe fault reaction state is de-energized or Low. For normally de-energized safety-related applications, like FGS applications, the safe fault reaction state for inputs is energized or High / Top Scale. Fault reaction and IO states are explained below:
Fault reaction: The reaction to faults in the Controller, application and/or IO. The fault reaction to Controller and/or application faults is fixed. The fault reaction to IO faults can be configured at point or module level; it should be customized to the application for which Safety Manager is used.
IO states: From a system point of view, IO can have either the healthy state, the de-energized state or the fault reaction state. When healthy, the IO is active and has the application value applied. When de-energized, the IO is de-activated (as if no power were supplied). When the fault reaction state is applied, the IO responds according to a predefined fault condition (fault reaction). When forced, the force value is applied.

Repair timer
Note: The repair timer setting must be based on a hardware reliability analysis which includes MTTR figures.

All configurations of Safety Manager are single-fault tolerant to faults that affect safety. By applying a secondary means, Safety Manager is able to bring a process to a safe state, regardless of the fault. By default, Safety Manager is configured to isolate the faulty part of a subsystem to guarantee continued safe operation of the EUC. In systems with a redundant Control Processor (CP), a fault in a subsystem of one of the CPs has no effect on the safeguarded process. Continuous safeguarding and availability are maintained. A configurable repair timer is started for the relevant CP on certain fault conditions. Within the remaining time the faulty part can be repaired. If the timer is allowed to reach zero, or another fault that affects safety occurs, that Control Processor halts. It is strongly advised to apply this feature of Safety Manager to meet the requirements of applicable standards. However, the user can choose to configure Safety Manager differently to meet their own specific requirements.

Shutdown by application or manual intervention
By design, Safety Manager is configured to meet the requirements of applicable international standards. In case local and/or customer requirements demand an even more stringent system response, Safety Manager offers two additional features for such situations. These features are:
A shutdown via the application software; to achieve this, Safety Manager alarm markers can be applied.
A manual shutdown via the shutdown (SD) input of the Safety Manager Controller or the Safety Manager universal IO modules. With the aid of the SD input, a tested, hard-wired connection can be used. The SD input is accessible via the SD loop connector at the back of the CP chassis or channel 32 of the Safety Manager universal IO module.
Attention
1. Breaking the SD loop of the CP will cause Safety Manager to stop!
2. Breaking the SD loop of the Safety Manager universal IO module will cause the Safety Manager universal IO module to stop!
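The single-fault tolerance and repair timer behaviour described in the "Repair timer" paragraphs above, as an added Python model that is not Honeywell code: it encodes only what the text states (a fault in one CP of a redundant controller leaves the process safeguarded and starts that CP's repair timer; timer expiry or a second safety-affecting fault halts that CP while the partner continues; a non-redundant controller halts with its single CP). The CP state names are the page's own; the timer value (hours) and the fault descriptions in the scenarios are constructed.

```python
"""Model of CP fault tolerance and the repair timer (added illustration, not Honeywell code)."""
from __future__ import annotations
from dataclasses import dataclass, field

RUNNING, RUNNING_WITH_FLT, HALT = "Running", "Running with Flt", "Halt"


@dataclass
class ControlProcessor:
    name: str
    repair_timer_h: float                 # constructed; set from an MTTR-based reliability analysis
    state: str = RUNNING
    timer_left_h: float | None = None     # None while no repair timer is running
    faults: list[str] = field(default_factory=list)

    def fault(self, description: str) -> str:
        """A safety-affecting fault was detected in one of this CP's subsystems."""
        if self.state == HALT:
            return self.state
        self.faults.append(description)
        if self.state == RUNNING:
            # First fault: the faulty part is isolated, the application keeps
            # executing on this CP and the configurable repair timer starts.
            self.state, self.timer_left_h = RUNNING_WITH_FLT, self.repair_timer_h
        else:
            # Another safety-affecting fault while the first is unrepaired: this CP halts.
            self.state, self.timer_left_h = HALT, None
        return self.state

    def repair(self) -> str:
        """The faulty part was repaired before the timer reached zero."""
        if self.state == RUNNING_WITH_FLT:
            self.faults.clear()
            self.state, self.timer_left_h = RUNNING, None
        return self.state

    def elapse(self, hours: float) -> str:
        """Advance time; a repair timer that reaches zero halts this CP."""
        if self.timer_left_h is not None:
            self.timer_left_h -= hours
            if self.timer_left_h <= 0:
                self.state, self.timer_left_h = HALT, None
        return self.state


@dataclass
class Controller:
    cps: list[ControlProcessor]

    def fault(self, cp_index: int, description: str) -> str:
        cp = self.cps[cp_index]
        if len(self.cps) == 1:
            # Non-redundant: the CP's response is the controller's response and
            # there is no healthy partner, so the controller halts at once.
            cp.faults.append(description)
            cp.state, cp.timer_left_h = HALT, None
        else:
            cp.fault(description)
        return cp.state

    def safeguarding(self) -> bool:
        """The application still executes on at least one CP."""
        return any(cp.state != HALT for cp in self.cps)

    def halted(self) -> bool:
        """All CPs halted: the outputs go to the safe (de-energized) state."""
        return all(cp.state == HALT for cp in self.cps)


def redundant() -> Controller:
    return Controller([ControlProcessor("CP X", 72.0), ControlProcessor("CP Y", 72.0)])


def scenarios() -> dict[str, tuple]:
    """Four constructed sequences; each entry holds the final states of interest."""
    out = {}
    c = redundant()                                   # fault repaired within the window
    c.fault(0, "QPP memory")
    c.cps[0].elapse(20.0)
    c.cps[0].repair()
    out["repaired in time"] = (c.cps[0].state, c.cps[1].state, c.safeguarding())
    c = redundant()                                   # repair timer allowed to reach zero
    c.fault(0, "QPP memory")
    c.cps[0].elapse(72.0)
    out["timer expired"] = (c.cps[0].state, c.cps[1].state, c.safeguarding())
    c = redundant()                                   # second fault before repair
    c.fault(0, "QPP memory")
    c.fault(0, "watchdog output shorted")
    out["second fault"] = (c.cps[0].state, c.cps[1].state, c.safeguarding())
    c = Controller([ControlProcessor("CP", 72.0)])    # non-redundant controller
    c.fault(0, "QPP memory")
    out["non-redundant"] = (c.cps[0].state, c.halted())
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18s} {result}")
```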

4.2 Fault detection and reaction of the system
This section describes the fault detection and reaction of the system. Full module and IO bus redundancy is provided to warrant process availability. A distinction is made between the architectures of these systems: Safety Manager, Safety Manager A.R.T.

Safety Manager
The figure below shows the reliability block diagram for Safety Manager.
Figure 6: Reliability block diagram - Safety Manager
The architecture of Safety Manager shows redundant control paths that in principle function independently of each other. The execution is synchronized at the Control Processors. The system performs continuous diagnostics on all critical parts of the system. All SIF-related diagnostics are executed every execution cycle. Certain generic diagnostics are executed over multiple execution cycles, but all system diagnostics are completed within the user-configurable Diagnostic Test Interval (DTI). When the system detects a fault, the diagnostic is reported and the corresponding action is performed, isolating the faulty part of the system. In principle the equipment under control will continue to be safeguarded, as the safeguarding function will be performed by the healthy partner. Below, the system responses of safety-related modules are explained:

Processor module
The processor module performs diagnostic tests on all critical parts of the module, like memory, processors, address lines etc. When a fault is detected, the corresponding IO modules will be directed to a safe state by the watchdog. The EUC will continue to be safeguarded due to the redundancy.

Safety related input modules
Input modules are scanned and diagnosed every execution cycle by their processor module. The processor modules compare the input table before executing the application logic. Discrepancies will be diagnosed.
When a fault is detected, both processors will use the value from the healthy module and perform the output actions as directed by the configured logic.

Safety related output modules
Output modules are written and diagnosed every execution cycle by their processor module. When a fault is detected, it is reported and the module is directed to the safe state, while the EUC continues to be safeguarded by its redundant partner.

IO bus
The IO bus is diagnosed every execution cycle. Upon detection of a fault, the fault is reported and the corresponding output modules are directed to the safe state, while the EUC continues to be safeguarded by its redundant partner.
Attention: When the control processors are running, the IO bus cables should not be removed from the control processor chassis. Doing so may result in control processor shutdown.

Safety Manager A.R.T.
The figure below shows the reliability block diagram for Safety Manager A.R.T.
Figure 7: Reliability block diagram - Safety Manager A.R.T.
The architecture of Safety Manager A.R.T. shows redundant control paths that also function independently of each other. Here, however, additional alternative processing routes are available for the Control Processors. The system performs continuous diagnostics on all critical parts of the system. All SIF-related diagnostics are executed every execution cycle. Certain generic diagnostics are executed over multiple execution cycles, but all system diagnostics are completed within the user-configurable Diagnostic Test Interval (DTI). When the system detects a fault, the diagnostic is reported and the corresponding action is performed, isolating the faulty part of the system. In principle the equipment under control will continue to be safeguarded, as the safeguarding function will be performed by the healthy partner. Below, the system responses of safety-related modules are explained:

Processor module
The processor module performs diagnostic tests on all critical parts of the module, like memory, processors, address lines etc. When a fault is detected, the processor module will go to a safe state. The EUC will continue to be safeguarded due to the redundancy.

Safety related input modules
Input modules are scanned and diagnosed every execution cycle by their processor module. The processor modules compare the input table before executing the application logic. Discrepancies will be diagnosed. When a fault is detected, both processors will use the value from the healthy module and perform the output actions as directed by the configured logic.

Safety related output modules
Output modules are written and diagnosed every execution cycle by their processor module. When a fault is detected, it is reported and the module is directed to the safe state, while the EUC continues to be safeguarded by its redundant partner.

IO bus
The IO bus of the A.R.T. system is multi-fault tolerant, allowing multiple faults at the same time while continuing the safeguarding of the equipment under control. The IO bus is diagnosed every execution cycle. Upon detection of a fault, the fault is reported and the module is directed to the safe state. The corresponding processor module will use the remaining healthy module.
Attention: When the control processors are running, the IO bus cables should not be removed from the control processor chassis. Doing so may result in control processor shutdown.

4.3 Safety Manager Controller faults
The topics that follow provide an overview of detected Controller faults and the Controller reaction to these faults.

QPP faults
The table below provides an overview of faults that the Controller detects related to the QPP and the reaction to these faults.

Table 5: Controller reaction to QPP faults

QPP faults related to | diagnostics report includes | Non-redundant Controller reaction | Redundant Controller reaction (CP X faulty / CP Y not faulty)
temperature monitoring (set points user configurable) | high alarm or low alarm | none - continue | none - continue
temperature monitoring (set points user configurable) | high-high alarm or low-low alarm | halt Controller | halt CP / none - continue
temperature monitoring (set points user configurable) | 1 sensor faulty and temp. more than 3 degrees from shutdown limits | none - continue | none - continue / none - continue
temperature monitoring (set points user configurable) | 1 sensor faulty and temp. less than 3 degrees from shutdown limits | halt Controller | halt CP / none - continue
Memory | QPP memory | halt Controller | halt CP / none - continue
Execution | execution time-out or range / failure error on logical sheet | halt Controller | halt CP / none - continue
Watchdog | output shorted | halt Controller | halt CP / none - continue
Watchdog | de-energized watchdog line for redundant outputs | halt Controller | halt CP / none - continue
Watchdog | de-energized watchdog line for non-redundant outputs | halt Controller | de-energize non-redundant outputs, continue operation on redundant outputs
Watchdog | faulty | halt Controller | halt CP / none - continue
Watchdog Repeater | faulty | set inputs to fault reaction state, de-energize all outputs | halt CP / none - continue
Bus drivers | IO extenders (Safety Manager) faulty | halt Controller | halt CP / none - continue
Bus drivers | IO extenders (Safety Manager A.R.T.) faulty | n.a. | de-energize IO extender CPX, use IO extender CPY / none - continue
Internal link | faulty | halt Controller | halt CP / none - continue
QPP module | faulty | halt Controller | halt CP / none - continue
secondary switch-off | faulty | halt Controller | halt CP / none - continue
repair timer | running | none - continue | none - continue


More information

I/A Series HARDWARE Product Specifications

I/A Series HARDWARE Product Specifications I/A Series HARDWARE Product Specifications I/A Series Station Computing Device (SCD) SCD5200 CPU OptoNet Power Supply Ethernet (COPE) Module/ SCD5200 CPU OptoNet Ethernet (COE) Module PSS 21H-8G3 B4 FEATURES

More information

MANUAL Functional Safety

MANUAL Functional Safety PROCESS AUTOMATION MANUAL Functional Safety Switch Amplifier HiC283* ISO9001 2 With regard to the supply of products, the current issue of the following document is applicable: The General Terms of Delivery

More information

Rosemount Functional Safety Manual. Manual Supplement , Rev AG March 2015

Rosemount Functional Safety Manual. Manual Supplement , Rev AG March 2015 Rosemount 2130 Functional Safety Manual Manual Supplement Manual Supplement Contents Contents 1Section 1: Introduction 1.1 Scope and purpose of the safety manual.................................. 1 1.2

More information

Soliphant M with electronic insert FEM54

Soliphant M with electronic insert FEM54 Functional safety manual Soliphant M with electronic insert FEM54 Level Limit Measuring System Application Overfill protection or operating maximum detection of all types of liquids in tanks to satisfy

More information

PSR-PC50. SIL 3 coupling relay for safety-related switch on. Data sheet. 1 Description

PSR-PC50. SIL 3 coupling relay for safety-related switch on. Data sheet. 1 Description SIL 3 coupling relay for safety-related switch on Data sheet 105818_en_01 PHOENIX CONTACT 2014-08-18 1 Description The PSR-PC50 SIL coupling relay can be used for power adaptation and electrical isolation

More information

Functional Safety Processes and SIL Requirements

Functional Safety Processes and SIL Requirements Functional Safety Processes and SIL Requirements Jordi Campos Tüv Süd Process Safety Business Manager Jordi.campos@tuev-sued.es 15-07-14 Terminology Safety Instrumented Systems (SIS) Safety Integrity Level

More information

Report. Certificate M6A SIMATIC S7 Distributed Safety

Report. Certificate M6A SIMATIC S7 Distributed Safety Report to the Certificate M6A 17 05 67803 014 Safety-Related Programmable Systems SIMATIC S7 Distributed Safety Manufacturer: Siemens AG DF FA AS Gleiwitzer Str. 555 D-90475 Nürnberg Revision 3.1 dated

More information

S-series Sequence of Events Card

S-series Sequence of Events Card DeltaV Distributed Control Systems Product Data Sheet S-series Sequence of Events Card DeltaV Sequence of Events delivers high-resolution data capture for your easy analysis. Captures process upset events

More information

Features various encoder interfaces and controls multiple analog servo drives at high speeds

Features various encoder interfaces and controls multiple analog servo drives at high speeds CK3W Axial Interface Unit CK3W-AX Features various encoder interfaces and controls multiple analog servo drives at high speeds CK3W-AX Features One CK3W-AX Unit controls up to four axes Analog input type

More information

Troubleshooting and Maintenance Guide

Troubleshooting and Maintenance Guide Safety Manager Troubleshooting and Maintenance Guide EP-SM.MAN.6282 Issue 4 28 September 2007 Release 120 Document Release Issue Date EP-SM.MAN.6282 120 4 September 2007 Notice This document contains Honeywell

More information

ControlNet-to-DeviceNet Linking Device

ControlNet-to-DeviceNet Linking Device Installation Instructions ControlNet-to-DeviceNet Linking Device Catalog Number 1788-CN2DN Topic Page Important User Information 2 About the CN2DN Linking Device 7 Parts List 8 Required System Components

More information

SIMATIC. Process Control System PCS 7 PCS 7 Documentation (V8.1) Options for Accessing Documentation 1. Documentation for the Planning Phase 2

SIMATIC. Process Control System PCS 7 PCS 7 Documentation (V8.1) Options for Accessing Documentation 1. Documentation for the Planning Phase 2 Options for Accessing Documentation 1 Documentation for the Planning Phase 2 SIMATIC Process Control System PCS 7 Documentation for the Realization Phase 3 Documentation on commissioning, operation, diagnostics

More information

Report. Certificate M6A SIMATIC Safety System

Report. Certificate M6A SIMATIC Safety System Report to the Certificate M6A 067803 0019 Safety-Related Programmable Systems SIMATIC Safety System Manufacturer: Siemens AG Gleiwitzer Str. 555 D-90475 Nürnberg Revision 2.1 dated 2018-09-25 Testing Body:

More information

S-series H1 I/O Card with Integrated Power

S-series H1 I/O Card with Integrated Power January 2013 Page 1 S-series H1 I/O Card with Integrated Power Use DeltaV state-of-the-art for your process control system. Increase I/O capacity while reducing wiring Maximize smart device capabilities

More information

Safety manual. This safety manual is valid for the following product versions: Version No. V1R0

Safety manual. This safety manual is valid for the following product versions: Version No. V1R0 Safety manual HART TRANSPARENT driver 9107 This safety manual is valid for the following product versions: 9107-002 Version No. V1R0 0. CONTENTS 1. Observed standards... 2 2. Acronyms and abbreviations...

More information

ISO INTERNATIONAL STANDARD. Safety of machinery Safety-related parts of control systems Part 1: General principles for design

ISO INTERNATIONAL STANDARD. Safety of machinery Safety-related parts of control systems Part 1: General principles for design INTERNATIONAL STANDARD ISO 13849-1 Second edition 2006-11-01 Safety of machinery Safety-related parts of control systems Part 1: General principles for design Sécurité des machines Parties des systèmes

More information

DeltaV SQ Controller. Introduction. Benefits. Scalable controllers. Quick assembly. Easy-to-use. Field proven architecture

DeltaV SQ Controller. Introduction. Benefits. Scalable controllers. Quick assembly. Easy-to-use. Field proven architecture DeltaV Distributed Control System Product Data Sheet January 2018 DeltaV SQ Controller Scalable controllers Quick assembly Easy-to-use Field proven architecture Designed for Electronic Marshalling Advanced

More information

Digital ac/dc (24V) Input Module

Digital ac/dc (24V) Input Module Installation Instructions Digital ac/dc (24V) Input Module Catalog Number 1771-IND, Series C Topic Page Important User Information 2 Before You Begin 3 Power Requirements 3 Prevent Electrostatic Discharge

More information

M-series MQ Controller

M-series MQ Controller DeltaV Distributed Control System Product Data Sheet M-series MQ Controller Increases productivity Easy to use Has the flexibility to meet your needs Introduction The MQ Controller provides communication

More information

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA Failure Modes, Effects and Diagnostic Analysis Project: 8732C Magnetic Flow Transmitter Customer: Rosemount Inc. Chanhassen, MN USA Contract No.: Ros 03/07-26 Report No.: Ros 03/07-26 R001 Version V1,

More information

S-series Horizontal Carriers

S-series Horizontal Carriers DeltaV Distributed Control Systems Product Data Sheet S-series Horizontal Carriers The DeltaV modular I/O subsystem is easy to install and maintain Modular design allows flexible installation Allows you

More information

Ovation Ethernet Link Controller Module Data Sheet

Ovation Ethernet Link Controller Module Data Sheet Ovation Ethernet Link Controller Module Features: Provides native Ethernet connectivity capability at the I/O level Enables faster, more efficient integration of robust data from third-party devices Dedicated

More information

AS-i Safety Relay Output Module with Diagnostic Slave

AS-i Safety Relay Output Module with Diagnostic Slave AS-i Safety Relay Output Module with Diagnostic Slave User Manual Revision date: 2013-01-30...supports the requirements for AS-i Safety up to SIL3 Subject to modifications without notice. Generally, this

More information

ICS Regent. AC Guarded Digital Output Module 110 VAC (T3464) PD-6021

ICS Regent. AC Guarded Digital Output Module 110 VAC (T3464) PD-6021 ICS Regent PD-6021 AC Guarded Digital Output Module 110 VAC (T3464) Issue 1, March, 06 AC Guarded digital output modules provide guarded switching of user-supplied 110 AC voltages to a maximum of sixteen

More information

MANUAL Functional Safety

MANUAL Functional Safety PROCESS AUTOMATION MANUAL Functional Safety Repeater KFD0-CS-(Ex)*.54*, KFD0-CS-(Ex)*.56* ISO9001 2 With regard to the supply of products, the current issue of the following document is applicable: The

More information

Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309

Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309 June 25th, 2007 Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309 Christopher Temple Automotive Systems Technology Manager Overview Functional Safety Basics Functional

More information

HART Temperature Transmitter for up to SIL 2 applications

HART Temperature Transmitter for up to SIL 2 applications HART Temperature Transmitter for up to SIL 2 applications Inor Process AB 05/2014 86B520S001 R1.3 1 Introduction... 3 1.1 Field of application... 3 1.2 User benefits... 3 1.3 Manufacturer s safety instructions...

More information

Functional safety manual RB223

Functional safety manual RB223 SD00011R/09/EN/13.13 71238251 Products Solutions Services Functional safety manual RB223 Passive barrier Application Galvanic isolation of active 0/4 to 20 ma signals from transmitters, valves and adjusters,

More information

An Urgent Bulletin from CSA Group

An Urgent Bulletin from CSA Group An Urgent Bulletin from CSA Group Photovoltaic Equipment No. 5 Date: September 21, 2015 See Attachment 1 for Effective Dates. See Attachment 1 for Application Due Dates Announcing: Publication of List

More information

GuardLogix Controller Systems

GuardLogix Controller Systems GuardLogix Controller Systems (Catalog Numbers 1756-L61S, 1756-L62S, 1756-LSP) Safety Reference Manual Important User Information Solid state equipment has operational characteristics differing from those

More information

QuickPanel View & QuickPanel Control

QuickPanel View & QuickPanel Control GE Fanuc Automation Operator Interface Products QuickPanel View & QuickPanel Control PCMCIA Adapter IC754PCMCIA001-A Hardware User s Guide, GFK-2368 June 2005 GFK-2368 PCMCIA Host Adapter GFL-002 Warnings,

More information

M-series MX Controller

M-series MX Controller DeltaV Distributed Control System Product Data Sheet June 2017 M-series MX Controller Right-sized controllers Easy to use Has the flexibility to meet your needs Designed to support legacy migration Introduction

More information

KS 108 easy Compact automation unit for industrial control and process technology

KS 108 easy Compact automation unit for industrial control and process technology PMA KS 108 easy Compact automation unit for industrial control and process technology Combines control, sequencing, and operation Comprehensive function library with integrated operator dialogs BlueDesign

More information

GE Intelligent Platforms PAC8000 RTU

GE Intelligent Platforms PAC8000 RTU GE Intelligent Platforms PAC8000 RTU A ruggedized, reliable RTU PAC8000 Remote Terminal Unit (RTU) thrives in the desert heat of the Arabian Peninsula and the arctic cold of Siberian oil fields delivering

More information

1756 ControlLogix Chassis Specifications

1756 ControlLogix Chassis Specifications Technical Data 1756 ControlLogix Chassis Specifications Standard Catalog Numbers 1756-A4, 1756-A7, 1756-A10, 1756-A13, 1756-A17 ControlLogix-XT Catalog Numbers 1756-A5XT, 1756-A7LXT Topic Page 1756 Standard

More information

Original operating instructions Safety relay with relay outputs with and without delay G1502S / / 2016

Original operating instructions Safety relay with relay outputs with and without delay G1502S / / 2016 Original operating instructions Safety relay with relay outputs with and without delay UK G50S 803638 / 00 0 / 06 Contents Preliminary note...4. Symbols used...4 Safety instructions...5 3 Items supplied...6

More information

1756 ControlLogix Chassis Specifications

1756 ControlLogix Chassis Specifications Technical Data 1756 ControlLogix Chassis Specifications Catalog Numbers 1756-A4/B, 1756-A7/B, 1756-A10/B, 1756-A13/B, 1756-A17/B, 1756-A4LXT, 1756-A5XT, 1756-A7LXT, 1756-A7XT Topic Page Standard ControlLogix

More information

Enhanced Programmable Logic Controller Gateway Specification and Technical Data

Enhanced Programmable Logic Controller Gateway Specification and Technical Data L Enhanced Logic Gateway Specification and Technical Data EP03-500 R500 3/96 detergant coffee chocolate Page 2 TDC 3000X Enhanced Logic Gateway Specification and Technical Data Introduction This publication

More information

Original operating instructions Safety relay with relay outputs G1501S / / 2016

Original operating instructions Safety relay with relay outputs G1501S / / 2016 Original operating instructions Safety relay with relay outputs G50S UK 8023637 / 00 02 / 206 Contents Preliminary note...4. Symbols used...4 2 Safety instructions...5 3 Items supplied...6 4 Functions

More information

Contents. HP E1586A Rack Mount Terminal Panel User s Manual

Contents. HP E1586A Rack Mount Terminal Panel User s Manual Contents HP E1586A Rack Mount Terminal Panel User s Manual Description... 5 Connecting to VXIbus Instruments... 5 Interconnect Cables... 5 Terminal Block Connections... 6 Using the Terminal Panel for Reference

More information

Name No. of I/O points Model Safety inputs: 12, test outputs: 4

Name No. of I/O points Model Safety inputs: 12, test outputs: 4 Safety I/O s DST1 Series CSM_DST1 Series_DS_E_7_3 Distributed Safety s That Reduce Wiring. Lineup includes four models to accommodate various I/O types and number of I/O points. Monitor the safety system

More information

CompactLogix Power Supplies Specifications

CompactLogix Power Supplies Specifications Technical Data CompactLogix Power Supplies Specifications 1768 CompactLogix Power Supplies Catalog Numbers 1768-PA3, 1768-PB3 1769 Compact I/O Power Supplies Catalog Numbers 1769-PA2, 1769-PB2, 1769-PA4,

More information

NJ-Series Power Supply Unit NJ-PA/PD

NJ-Series Power Supply Unit NJ-PA/PD NJ-Series Power Supply Unit CSM_NJ-PA_PD_DS_E_1_2 Powerful power supply unit to supply stable power to the NJ-series controller. Stable power supply is available from the NJ-series CPU Unit to each I/O

More information

to 12a Added Standard and Electrical requirements for UL table 1.1

to 12a Added Standard and Electrical requirements for UL table 1.1 Document changes and version status C-DIAS SAFETY DIGITAL INPUT MODULE CSDI 162 Change date Affected page(s) Changes/expansions/corrections Version 19.12.2013 12 to 12a Added Standard and Electrical requirements

More information

Hardware Safety Integrity. Hardware Safety Design Life-Cycle

Hardware Safety Integrity. Hardware Safety Design Life-Cycle Hardware Safety Integrity Architecture esign and Safety Assessment of Safety Instrumented Systems Budapest University of Technology and Economics epartment of Measurement and Information Systems Hardware

More information

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis Failure Modes, Effects and Diagnostic Analysis Project: Surge Protective Devices D9024S Customer: G.M. International s.r.l Villasanta Italy Contract No.: GM 16/02-055 Report No.: GM 16/02-055 R006 Version

More information

S-series DeviceNet Interface Card

S-series DeviceNet Interface Card January 2013 Page 1 The DeltaV provides the solution for interfacing to discrete actuators and sensors. Offers freedom to choose appropriate bus for application Supports standard device-level busses Reduces

More information

XPSMF40. Main. Safety module name. Monitoring safety detection discrete input Monitoring safety dialogue discrete output

XPSMF40. Main. Safety module name. Monitoring safety detection discrete input Monitoring safety dialogue discrete output Product datasheet Characteristics XPSMF4000 Preventa safety PLC compact - Safe Ethernet Main Range of product Product or component type Safety module name Safety module application Preventa Safety automation

More information

Safety Instrumented Systems: Can They Be Integrated But Separate?

Safety Instrumented Systems: Can They Be Integrated But Separate? Safety Instrumented Systems: Can They Be Integrated But Separate? Written by Merry Kuchle and Trevor MacDougall of Spartan Controls. For questions, please contact Robert Smith. Keywords Safety Instrumented

More information

DeltaV SIS Conditioning Components

DeltaV SIS Conditioning Components DeltaV SIS Process Safety System DeltaV SIS Conditioning Components The DeltaV SIS conditioning components allow you to use the DeltaV SIS system with a variety of different field signal requirements.

More information

DeltaV MQ Controller. Introduction. Benefits. Increases productivity. Easy to use. Has the flexibility to meet your needs. Increases productivity

DeltaV MQ Controller. Introduction. Benefits. Increases productivity. Easy to use. Has the flexibility to meet your needs. Increases productivity DeltaV Distributed Control System Product Data Sheet October 2017 DeltaV MQ Controller Increases productivity Easy to use Has the flexibility to meet your needs Introduction The MQ Controller provides

More information

TF501, TF521 Terminal Bases

TF501, TF521 Terminal Bases Ordering Data DATA SHEET TF501, TF521 Terminal Bases 1 Ordering Data Part No. Scope of delivery Product life cycle status 1SAP 117 000 R0271 1SAP 317 000 R0271 1SAP 117 200 R0271 1SAP 317 200 R0271 TF501-CMS,

More information

Safety Standards. Model Number:

Safety Standards. Model Number: 040APS Highlights & Features Compliant to IEC 60601-1 3rd edition IT and medical safety approvals Low earth leakage Current (

More information