
Fail Safe Control (FSC ) Specification and Technical Data for FSC Releases 51x and 52x

FS75-510 11/99


Table of Contents

Introduction ........................................... 3
Features ............................................... 3
Functional Description ................................. 4
  Functional Overview .................................. 4
  Central Part ......................................... 5
  Input / Output Interfaces ............................ 6
  I/O Redundancy ....................................... 7
  Multiple-Sensor and Transmitter Configurations ....... 8
System Features ........................................ 8
  FSC System Configurations ............................ 8
  FSC 1oo2D concept .................................... 9
  FSC Navigator ....................................... 10
  Control Implementation .............................. 11
  FSC Diagnostics ..................................... 14
  Flash-Memory Operation .............................. 14
  Application Verification ............................ 14
  Power System ........................................ 15
  Write Protection .................................... 15
Physical Characteristics .............................. 16
Options ............................................... 18
  TPS Integration ..................................... 18
  PlantScape Integration .............................. 18
  Sequence-Of-Event Recording ......................... 19
  FSCSOE .............................................. 20
  Alarm Functions ..................................... 20
  On-Line Modification ................................ 20
  Safety Checker ...................................... 21
  I/O Signal Forcing .................................. 21
  Serial Communication with Process Computer Systems .. 22
  FSC Networking ...................................... 22
  Simulation .......................................... 23
Specifications ........................................ 24
References ............................................ 26
Model Numbers ......................................... 27

Figure 1 FSC System Cabinet


Introduction
The Honeywell Fail Safe Control (FSC) system is a highly reliable, high-integrity safety system for safety-critical control applications. As part of Honeywell's TotalPlant Solution (TPS) system, integrated into PlantScape, or in stand-alone applications, the FSC system forms the basis for functional safety, thus providing protection of persons, plant equipment and the environment combined with optimum availability for plant operation.

The FSC system is a user-programmable, modular, microprocessor-based safety system which can perform a wide range of high-integrity process control and safety functions, including: high-integrity process control, burner/boiler management systems, process safeguarding and emergency shutdown, turbine and compressor safeguarding, fire and gas detection systems, and pipeline monitoring.

The design of the FSC system is based on both qualitative and quantitative safety system technologies. From a qualitative perspective, the system continuously monitors the correct operation of its hardware, thus ensuring that it is able to respond accurately to any defined process demand. The system is also able to detect faults in field loops and field equipment. The extensive system and field diagnostics support plant operators in assessing the consequences of faults for process operation, and aid maintenance engineers in allocating and resolving detected problems efficiently and effectively.

High quantitative rating (optimal Mean Time Between Failure) is accomplished through a redundant system architecture and the use of high-quality electronic components and design methods.

Features
- Extensive system and field loop diagnostics
- Redundant architecture for optimum process availability
- Small footprint resulting in high number of I/O interfaces per floor space unit
- Fully integrated power supply concept including transmitter power supply
- On-line modification of control program
- Integrated event recording and alarming
- Distributed safeguarding through FSC networks
- Graphical engineering tool for application program design
- Automatic application program documentation


The FSC system can easily be integrated into Honeywell's TPS system through the FSC Safety Manager Module (FSC-SMM). The result is a powerful TPS safety solution providing integrated operations and control, with a true TPS-based operator window into the FSC system. For detailed information on the FSC Safety Manager refer to the FSC-SM Specification and Technical Data (FS03-500).

In addition to the TPS system, the FSC system can also be integrated directly into the PlantScape system, Honeywell's scalable hybrid process control system. A dedicated FSC interface module enables FSC-related information to be exchanged between FSC and PlantScape, thus allowing information to be shared and made available on the PlantScape server displays.

Functional Description

Functional Overview
Figure 2 shows the basic architecture of the FSC system. Two major system parts can be distinguished: the Central Part, and the Input/Output interfaces.

[Figure 2 block diagram. Central Part: Communication Processor (communication interfaces and protocols; links to a redundant Central Part and to process computer systems, printers and the FSC User Station), Control Processor (I/O access, safety interlock, user programming, self-diagnostics) and Watchdog (monitors Control Processor operation and operating conditions). Input / Output interfaces: Digital Input 24 Vdc - 60 Vdc, 120 Vac, [EEx ia] IIC; Analog Input 0 (4) - 20 mA, 0 (1) - 5 Vdc, 0 (2) - 10 Vdc; Digital Output 24 Vdc - 220 Vdc, 120 Vac, [EEx ia] IIC; Analog Output 0 (4) - 20 mA.]

Figure 2 FSC Basic Architecture


Central Part
The Central Part (CP) is the heart of the FSC system. It is a modular microprocessor system specifically designed for safety-critical applications which can be tailored to the needs of any application. The most important Central Part modules are: the Control Processor module, the Watchdog module, and the Communication Processor module.

The Control Processor (Central Processor Unit) reads the process inputs and executes the control program as created by the user in graphical Functional Logic Diagrams (FLDs). The results of the control program are then transmitted to the output interfaces. In FSC configurations with redundant Central Parts, the Control Processors synchronize their operation through a dedicated communication link. Continuous testing of the FSC hardware by the Control Processor ensures safe control of the process and extensive system and process equipment diagnostics.

The Watchdog monitors the operation and the operating conditions of the Control Processor. The operation of the processor is monitored by verifying if the processor executes all its tasks within a precalculated time frame, which depends on the configuration. The operating conditions monitored include the data integrity of the processor memory and the voltage range of the supply power (both undervoltage and overvoltage). If the Watchdog detects a fault in the operation of the Control Processor or its operating conditions, it will deactivate the safety-critical output interfaces of the FSC system, independent of the Control Processor status.

The Communication Processor allows the FSC system to exchange information with other computer equipment via serial communication links. Each Central Part can accommodate up to four communication modules, providing a maximum of eight communication links per Central Part. Dedicated modules are available which provide communication capabilities with other systems: the FSC Safety Manager Module (FSC-SMM), which integrates the FSC system into the Universal Control Network (UCN) of Honeywell's TotalPlant Solution (TPS) system, and the PlantScape Ethernet interface module, which integrates the FSC system into Honeywell's PlantScape system. Table 1 on the next page lists the equipment that the FSC system can communicate with as well as the available physical interfaces and communication protocols. All communication interfaces are galvanically or optically isolated. If the FSC configuration contains redundant Control Processors, the system supports redundant communication. Each Central Part then has its dedicated connection to the communication peer system.


Table 1 FSC Serial Communication Interfaces

Equipment                          | Physical Interface            | Protocol
Process Computers                  | RS-232, RS-485, Current Loop  | Modbus, RKE3964R
UCN                                | Token Bus                     | UCN
PlantScape (1)                     | Ethernet                      | -
Printers                           | RS-232, Current Loop          | -
FSC User Station                   | RS-232, RS-485                | FSC-DS
FSC System and FSC Safety Manager  | RS-485, Fiber Optic           | FSC

(1) requires FSC Release 520 or higher.

Input / Output Interfaces
The FSC system provides a wide range of digital and analog input and output interfaces, each with different characteristics to meet the demands of a wide range of field equipment. Table 2 lists the input and output interfaces that are available in the FSC system.

Table 2 FSC Input and Output Interfaces

Digital Input
- 24 Vdc, 48 Vdc, 60 Vdc and 110 Vdc
- 24 Vdc (loop-monitored)
- 120-230 Vac
- Class I, Division 2, Groups ABCD; Class II, Division 2, Groups FG
- Class [EEx ia] IIC intrinsically safe (1)

Digital Output
- 24 Vdc, 48 Vdc, 60 Vdc and 110 Vdc
- 24 Vdc, 48 Vdc and 220 Vdc (loop-monitored)
- 120-230 Vac
- Class [EEx ia] IIC intrinsically safe (1)

Analog Input
- 0-20 mA and 4-20 mA
- 0-5 V, 1-5 V, 0-10 V and 2-10 V
- Class I, Division 2, Groups ABCD; Class II, Division 2, Groups FG
- Resistance Temperature Device (RTD) (1)
- Thermocouple, types E, J, K and T (1)

Analog Output
- 0-20 mA and 4-20 mA
- Class I, Division 2, Groups ABCD; Class II, Division 2, Groups FG

(1) through external devices.


All FSC I/O modules contain galvanic or optical isolation between the input and output circuitry and the FSC-internal supply power. The fail-safe I/O modules support the diagnostic capabilities of the FSC system and can be used for safety-critical monitoring and control functions. When used for such applications, the system may be configured to respond automatically if it detects a fault in its own hardware or in the field equipment. The fail-safe modules may also be used for non safety-critical applications, which will then benefit from FSC's diagnostic functions and fault-reporting capabilities.

I/O Redundancy
The input and output interfaces of the FSC system can be implemented in redundant or non-redundant (single) configurations.

Redundant I/O configurations can be used in FSC systems with redundant Central Parts. In this fully redundant configuration, each Central Part has its own I/O system to which it has exclusive access. The result is a highly reliable fault-tolerant system. Every program cycle, each Central Part reads its own input interfaces. After input matching, both Central Parts execute the user-defined control program and update their output interfaces according to the results. In addition, the Central Parts compare the calculated output results to ensure identical operation. Redundant I/O configurations are typically used for critical control and safety functions in combination with the high reliability offered by this concept.

Non-redundant (single) I/O configurations can be used in systems with a non-redundant Central Part as well as in systems with redundant Central Parts. Fully non-redundant systems are typically used for safety applications where redundancy is present in the process. In FSC systems with redundant Central Parts, both Central Parts alternately assume responsibility for the non-redundant I/O interfaces. This ensures that both Central Parts can always access the I/O interfaces correctly. FSC configurations with redundant Central Parts and non-redundant I/O interfaces are typically used for critical control applications with medium demands for system availability, e.g. because of redundancy in plant equipment.

An FSC system configuration may also comprise redundant Central Parts with a combination of redundant and non-redundant I/O interfaces. Such configurations are extremely powerful, with process control functions that demand high reliability being controlled through the redundant I/O interfaces and less demanding control functions through the non-redundant I/O interfaces.

The FSC system (both redundant and single I/O configurations) has been TÜV-approved for AK6 applications, and is suitable for use in SIL 3 safety loops.


Multiple-Sensor and Transmitter Configurations
Unlike previous safety standards, the new IEC 61508 international standard does not only focus on the safety system (called "logic solver", e.g. the FSC system), but also demands compliance of the field equipment to the Safety Integrity Level (SIL) of the control loop. This may not always be possible. The control loop, for example, may be rated SIL3 whereas a transmitter that measures one of the loop input variables is only suited for levels SIL1 and SIL2. In such cases, the required level of safety can be realized by using multiple sensors or transmitters.

The FSC system supports multiple input configurations for digital and analog input signals. The multiple-input function allows the use of two or three sensors or transmitters to measure the same process quantity. The resulting process value is fed to the control program on the basis of one of the available standard matching algorithms, e.g. 2-out-of-3 (2oo3). The FSC system monitors if discrepancies occur between the values obtained from the independent sensors or transmitters, and reports any detected faults through its diagnostics. The diagnostic status is also available to the control program.
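The 2oo3 matching described above, as an added worked example (this is illustrative code written for this page, not Honeywell FSC software). It selects the process value by majority from three transmitters, reports a deviating channel as a discrepancy without letting it move the selected value, and shows what happens when the I/O diagnostics have already declared one channel faulty. The tag names, the 5.0 tolerance, the sample readings and the degraded 1oo2 behaviour with only two healthy channels are all constructed assumptions.

```python
"""Added example (not Honeywell FSC code): 2-out-of-3 (2oo3) matching of three
transmitters that measure one process quantity, with discrepancy diagnostics.
The tag names, tolerance and readings are constructed assumptions; the
degraded behaviour with fewer than three healthy channels is also an
assumption, not a statement of how the FSC algorithm behaves."""
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional


@dataclass
class Transmitter:
    tag: str
    value: Optional[float]  # None: the I/O diagnostics report a channel fault


@dataclass
class MatchResult:
    process_value: Optional[float]  # value handed to the control program
    healthy: bool                   # False: no trustworthy value, act fail-safe
    faults: List[str] = field(default_factory=list)  # diagnostic messages


def match_2oo3(channels: List[Transmitter], tolerance: float) -> MatchResult:
    """Select the process value by majority and flag deviating channels."""
    faults = [f"{t.tag}: channel fault" for t in channels if t.value is None]
    good = [t for t in channels if t.value is not None]

    if len(good) == 3:
        # The median is the 2oo3 selection: a single deviating channel
        # cannot move it, but it is reported so maintenance can act on it.
        pv = median(t.value for t in good)
        for t in good:
            if abs(t.value - pv) > tolerance:
                faults.append(f"{t.tag}: discrepancy, {t.value} vs selected {pv}")
        return MatchResult(pv, True, faults)

    if len(good) == 2:
        # Assumed degraded mode (1oo2): the two remaining channels must agree,
        # otherwise there is no trustworthy value and the result is fail-safe.
        a, b = good
        if abs(a.value - b.value) > tolerance:
            faults.append(f"{a.tag}/{b.tag}: disagree by {abs(a.value - b.value)}")
            return MatchResult(None, False, faults)
        return MatchResult((a.value + b.value) / 2, True, faults)

    faults.append("fewer than two healthy channels: fail-safe")
    return MatchResult(None, False, faults)


# Constructed sample readings: one pressure tag measured by three transmitters.
SAMPLE_ONE_DEVIATING = [
    Transmitter("53PT-920A", 100.0),
    Transmitter("53PT-920B", 101.0),
    Transmitter("53PT-920C", 140.0),   # drifting transmitter
]
SAMPLE_ONE_FAULTED = [
    Transmitter("53PT-920A", 100.0),
    Transmitter("53PT-920B", None),    # channel fault reported by diagnostics
    Transmitter("53PT-920C", 102.0),
]

if __name__ == "__main__":
    for sample in (SAMPLE_ONE_DEVIATING, SAMPLE_ONE_FAULTED):
        r = match_2oo3(sample, tolerance=5.0)
        print(r.process_value, r.healthy, r.faults)
```

The point for a safety reviewer is the split between the selected value and the diagnostics: the control program keeps receiving a valid value while one transmitter drifts, and the discrepancy surfaces as a fault message rather than silently disappearing in the vote.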

System Features

FSC System Configurations
The FSC system is available in several configurations to suit virtually every process control requirement. Table 3 lists the FSC system configurations that are available, together with their main characteristics.

Table 3 FSC System Configurations

Type       | Control Processor | I/O Interface              | Typical Application
Single     | Non-redundant     | Non-redundant              | Critical process control with redundancy in field equipment
Redundant  | Redundant         | Non-redundant              | Critical process control with redundancy in field equipment
Redundant  | Redundant         | Redundant                  | Critical process control
Combined   | Redundant         | Redundant & Non-redundant  | Burner/Boiler Management System with FSC-controlled alarm panel; Fire & Gas


FSC 1oo2D concept
The redundant FSC configuration with both redundant Central Part and I/O interfaces conforms to the 1oo2D system architecture as described in the IEC 61508 standard (see Figure 3 below). The 1oo2D concept combines a high level of availability with a high level of safety which is realized through the quad-voter output circuitry and system self-diagnostics.

The 1oo2D architecture consists of two parallel paths driving the final element. Each path is primarily controlled by one of the Central Parts, including an independent switch which is controlled by the Central Part's Watchdog module. Furthermore, each Central Part is able to switch off the output channels of the other Central Part through dedicated SMOD (Secondary Means Of De-energization) hardware circuitry which is located on the FSC fail-safe output modules. The actual output control is determined on the basis of the high-coverage system self-diagnostics. Each detected failure leads to controlled isolation of the faulty part while ensuring optimum availability for continued plant operation.

[Figure 3 block diagram: a sensor feeds two parallel paths, each consisting of an input circuit (IC), input module (IM), Main Processor, output module (OM), output circuit (OC) and Watchdog (WD) switch, with SMOD cross-connections between the two output paths; both paths drive the final element (ESD). Input modules and output modules form the quad-voter.]

Figure 3 FSC 1oo2D concept

The FSC 1oo2D concept is in full conformance with the quantitative analysis methods as described in IEC 61508, and as such provides superior results when compared to other system architectures. Studies have shown that the 1oo2D voting scheme can realize a higher safety level than 2oo3 voting, thus achieving a significantly better safety performance.
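A simplified model of the 1oo2D output behaviour described in this section, added as an illustration (this is not Honeywell code and not a description of the actual output circuitry). Each Central Part drives one of the two parallel paths; its own Watchdog opens the path when that Central Part is unhealthy (primary means), and a healthy peer that votes de-energize switches the other path off as well (the SMOD role). The field names, the reduction of the Watchdog checks to one boolean, and the rule that a diagnosed-faulty channel drops out of the vote are modelling assumptions.

```python
"""Added example (not Honeywell FSC code): a simplified model of the 1oo2D
output architecture. Each Central Part drives one output path; its Watchdog
opens that path when the Central Part is unhealthy, and a healthy peer can
de-energize the other path (SMOD role). Field names and the "unhealthy
channel is taken out of the vote" rule are modelling assumptions."""
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Channel:
    demand: bool      # control program result: True = keep output energized
    cp_healthy: bool  # Control Processor self-diagnostics passed
    wd_ok: bool       # Watchdog: task timing, memory integrity and supply OK

    @property
    def healthy(self) -> bool:
        return self.cp_healthy and self.wd_ok


def path_conducts(own: Channel, peer: Channel) -> bool:
    """Does the output path driven by `own` conduct current?"""
    # Primary means: the own Watchdog switch opens on any detected fault,
    # independent of what the Control Processor is doing.
    if not own.healthy:
        return False
    # Secondary means (SMOD): a healthy peer that votes de-energize switches
    # this path off as well, so either healthy channel can trip (1oo2).
    if peer.healthy and not peer.demand:
        return False
    return own.demand


def final_element_energized(a: Channel, b: Channel) -> Tuple[bool, str]:
    """Both paths feed the final element in parallel; report the voting mode."""
    if a.healthy and b.healthy:
        mode = "1oo2: either channel can de-energize"
    elif a.healthy or b.healthy:
        mode = "degraded 1oo1D: faulty channel isolated, plant keeps running"
    else:
        mode = "fail-safe: both channels isolated, output de-energized"
    return path_conducts(a, b) or path_conducts(b, a), mode


if __name__ == "__main__":
    ok = Channel(demand=True, cp_healthy=True, wd_ok=True)
    trip = Channel(demand=False, cp_healthy=True, wd_ok=True)
    faulty = Channel(demand=True, cp_healthy=False, wd_ok=True)
    for pair in ((ok, ok), (ok, trip), (faulty, ok), (faulty, faulty)):
        print(final_element_energized(*pair))
```

The two properties worth checking are visible in the model: with both channels healthy a single de-energize vote trips the output (safety), while a channel that diagnostics have isolated neither keeps the output energized on its own nor can it cause a spurious trip (availability). Only when both channels are isolated does the output fall to the de-energized state.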


FSC Navigator
FSC Navigator is a powerful software package that runs on IBM-compatible PCs with the Microsoft Windows 95 or 98 operating system. It provides a Windows-based user interface with the FSC system and supports the user in performing a number of design and maintenance tasks (see Figure 4 below).

Figure 4 FSC Navigator

FSC Navigator's design and implementation features include:
- intelligent user interface, presenting menu items only when applicable
- database import and export
- automatic control program documentation
- FLD revision control
- application verification, to ensure that the FSC configuration and control program are in accordance with user definition
- verification of safety consistency of FSC application (optional feature in FSC R510 and higher)
- easy loading of system software and control program into flash memory (requires FSC R510 or higher)


FSC Navigator's maintenance support features include:
- live viewing of FLD execution
- detailed monitoring of process signal behavior
- collection of diagnostics of FSC systems, automatically or on user demand
- diagnostic message storage, with user-definable browsing functions
- forcing of FSC input and output interfaces

Control Implementation
The FSC system's safety-critical control functions (contained in the control program) are determined by the safety functions assigned to the system for the specific application. The FSC user software supports the design of the control program by the user. The control functions are defined via graphical Functional Logic Diagrams (IEC 61131-3: Continuous Function Charts). Figure 5 below shows an example of a Functional Logic Diagram (FLD).
[Figure 5: example FLD, drawing DEMO_1 "FUNCTIONAL LOGIC DIAGRAMS UNIT 5300", Honeywell SMS BV, 's-Hertogenbosch, first issue 30-5-1997. Input area: lamp test 53HS-101, process-computer registers 40001-40004, and transmitters 53PT-920 MAIN LINE PRESSURE (limits 110 bar / 75 bar), 53TT-900 MAIN LINE TEMP and 53FT-700 MAIN LINE FLOW (limits 75% / 30%). Control area: comparators, OR gates and 30 s timers. Output area: 53PT-920.H / 53PT-920.L, 53FT-700.H / 53FT-700.L HIGH and LOW ALARM outputs and recorder outputs 53PRA-920 and 53TR-900, with sheet transfers to sheets 102 and 103. Information area: customer, plant, drawing number, revision, date and checker fields.]

Figure 5 Functional Logic Diagram (FLD)


An FLD is split into four main areas:
- the information area (bottom) (on printouts only)
- the input area (left)
- the control function area (center)
- the output area (right)

The FLD information area, at the bottom of the FLD, is included on printouts, and provides information to identify the Functional Logic Diagram, including revision data.

The FLD input area, on the left-hand side of the FLD, contains all the variables that serve as the input to the control function. Input variables may originate from the field equipment or from other computer equipment (process computer, FSC). Special input functions are provided for:
- the diagnostic status of the FSC I/O interfaces
- the status of field loops
- system alarm summary, e.g. temperature pre-alarm or device communication failure

Data can be exchanged between FLDs via sheet transfer functions. This allows a structured design of complex functions across multiple diagrams. Table 4 below lists the input functions that are available in FSC functional logic diagrams, together with their source.

Table 4 FLD Input Functions

Input Type          | Source
Analog Input        | Field Equipment
Boolean Input       | Field Equipment, Process Computer, FSC, FSC Safety Manager
Numerical Input     | Field Equipment, Process Computer, FSC, FSC Safety Manager
Diagnostic Input    | Diagnostic status of FSC fail-safe I/O interfaces
Loop Status Input   | Field loop status of FSC I/O interfaces with loop monitoring
System Alarm Input  | FSC Control Processor
Sheet Transfer      | Other FLDs

The FLD control function area, which is the central area of the FLD, contains the actual implementation of the control function. The function is realized by interconnecting predefined symbols which provide a variety of functions including logical, numerical and time-related functions.


Apart from these standard functions, user-definable blocks are supported: Function Blocks (standard FLDs for repetitive use within the control program), and Equation Blocks (for tabular definition of complex functions, e.g. non-linear equations). Table 5 lists the control functions that are available in FSC functional logic diagrams.

Table 5 FLD Control Functions

Data type conversion functions                        | INT to SINT; DINT to INT, SINT; REAL to DINT, INT, SINT
Boolean functions                                     | Boolean Constant, AND, OR, XOR, NOT, NAND, NOR, XNOR, flip-flop set and reset dominant
Arithmetical functions                                | Numerical Constant, AND filter, ADD, SUB, MUL, DIV, SQR, SQRT
Comparison functions                                  | EQ, NEQ, GT, GTE, LT, LTE
Regulatory control functions                          | PID
Timer functions (with constant or variable time value)| Pulse, Pulse-retriggerable, Delayed-ON, Delayed-OFF, Delayed-ON memorize
Count & storage functions                             | Counter, Register
User-definable blocks                                 | Equation Block, Function Block

The supported data types are: boolean, integer (-2^32...2^32-1), real (-10^38...10^38) and BCD (0...10^8-1, for interface functions).

The FLD output area, on the right-hand side of the FLD, contains the results of the control function. These variables may be used to drive the field equipment or may be transferred to other computer equipment, e.g. a process computer or another FSC system. Table 6 lists the output functions that are available in FSC functional logic diagrams, together with their destination.

Table 6 FLD Output Functions

Output Type       | Destination
Analog Output     | Field Equipment
Boolean Output    | Field Equipment, Process Computer, FSC, FSC Safety Manager
Numerical Output  | Field Equipment, Process Computer, FSC, FSC Safety Manager
Sheet Transfer    | Other FLDs


FSC Diagnostics
FSC's continuous self-tests enable the system to collect valuable information on the diagnostic status of its own hardware and the field equipment. The system uses this information to ensure uninterrupted functional safety of the plant. In addition, the system provides the diagnostic information to the user, via the diagnostic displays of FSC Navigator. Through its diagnostics, the FSC system supports maintenance engineers in allocating and resolving failures effectively, thus reducing the Mean Time To Repair (MTTR) and minimizing the risk of a plant trip. If the FSC system is integrated into the TPS system, the FSC diagnostics are also available at the TPS operator stations (US, UXS, GUS).

Flash-Memory Operation
FSC Releases 510 and higher support the use of flash memory to store all system-related software. This feature combines the flexibility of RAM with the data integrity of EPROM. It allows direct downloading of the system firmware, system software, application software and system configuration from the FSC user station to the FSC system. This eliminates the need of making new EPROMs and exchanging them with EPROMs on modules in the running cabinet, which is a laborious procedure. This functionality is in full accordance with TÜV approvals, and is protected against unauthorized use by a password and key-lock protection mechanism.

Another advantage of flash-memory operation is that it reduces the time to do an on-line modification (OLM). After the first full download, only the changes will be loaded after a modification. This should not be confused with the 'download changes' option that other vendors are offering. The FSC system allows you to download unlimited changes, even in a running installation while continuing plant operation in a safe manner.

Flash-memory operation requires special hardware modules that support this feature. Existing systems can be upgraded to support flash-memory operation. This can be done on-line for FSC Releases 400 and higher.

Application Verification
FSC Navigator has a powerful feature that allows the user to compare the control program in the FSC system with the application databases on the FSC user station. This feature can be used in two ways: as a project verification tool, or as a revision control tool.

If used as a project verification tool, the verification option will confirm that no translation or transfer faults have occurred to the control program. FSC Navigator will then compare the translated control program as it is present in the FSC system with the FSC databases and functional logic diagrams (FLDs) that are stored on the FSC user station. This allows the user to verify that the defined control program has been loaded correctly. This verification process is part of the safety lifecycle as laid down in IEC 61508 and ISA S84.

As a revision control tool, the verification option is used to compare different versions of the control programs in the FSC system and the FSC user station (management of change). This option is typically used to list all the differences (modifications) between the 'old' version, which is stored in the FSC system, and the 'new' version, which is stored on the FSC user station. This method can be used to check if all modifications have been implemented correctly. All differences found between the control program in the FSC system and on the FSC user station are recorded in a verification log file, which can be viewed on screen, printed or saved to disk for further analysis.

Power System
Reliability of process data depends on the reliability of all related hardware of the process loop, i.e. sensing device, I/O wiring, I/O channel hardware and the required power supply voltages. Where possible, the FSC system provides the supply power to the electronics of the entire loop, including the field instrumentation. The result is a fully integrated solution for reliable (safety) data gathering and related safeguarding actions, with the following advanced features:
- electronically short-circuit proof
- loop-monitoring for short-circuiting and lead breakage
- checking of the operational band of analog transmitters

Where other systems require linkage of several externally mounted parts to establish the entire data collection chain, the FSC solution offers the fully integrated and tested loop approach as demanded by IEC 61508.

Write Protection
To maintain safe and reliable operation of the FSC system, the system does not allow direct write access to its hardwired I/O via communication links. Write requests, which are received via the serial communication links or the FSC Safety Manager Module, are passed on to the FSC control program via dedicated boolean and numerical inputs. The inputs appear in the input area of the Functional Logic Diagrams, where the conditions for write access have been defined.
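The write-protection principle above, as an added worked example (illustrative code for this page, not Honeywell code). A write request arriving over a communication link can only change a dedicated communication input; it cannot reach the output image or a hardwired field input. Whether the requested value ever takes effect is decided by the control program on its next cycle, here by an assumed permissive: an enable key switch must be on and the requested alarm limits must be consistent. The register addresses, the use of 53HS-101 as an enable switch and 53PT-920.H/L as setpoints (tags borrowed from Figure 5), and the 0..200 bar range are constructed assumptions.

```python
"""Added example (not Honeywell FSC code): write requests received over a
communication link never touch hardwired I/O directly; they only set
dedicated inputs of the control program, and the Functional Logic Diagram
decides whether the request takes effect. Register addresses, the enable
switch 53HS-101, the setpoint tags and the range limits are constructed
assumptions (tag names borrowed from Figure 5)."""
from typing import Dict, List


class WriteGate:
    def __init__(self) -> None:
        # Numerical inputs that communication links are allowed to write
        # (assumed Modbus holding registers carrying requested alarm limits).
        self.comm_inputs: Dict[str, int] = {"40003": 110, "40004": 75}
        # Hardwired field input: an enable key switch. Not writable via links.
        self.field_inputs: Dict[str, bool] = {"53HS-101": False}
        # Output image (active alarm limits). Only the control program writes here.
        self.outputs: Dict[str, int] = {"53PT-920.H": 110, "53PT-920.L": 75}
        self.diagnostics: List[str] = []

    def handle_write(self, address: str, value: int) -> str:
        """Entry point for a write request from a serial link or the FSC-SMM."""
        if address not in self.comm_inputs:
            # Outputs, field inputs and unknown addresses are all refused:
            # there is no path from a communication link to the I/O image.
            self.diagnostics.append(f"write to {address} refused")
            return "refused"
        self.comm_inputs[address] = value  # lands in the FLD input area only
        return "accepted as control-program input"

    def run_cycle(self) -> Dict[str, int]:
        """One program cycle: the FLD applies a requested limit change only if
        the enable switch is on and the limits are consistent (assumed
        condition: 0 <= low < high <= 200 bar)."""
        high, low = self.comm_inputs["40003"], self.comm_inputs["40004"]
        active = (self.outputs["53PT-920.H"], self.outputs["53PT-920.L"])
        if (high, low) == active:
            return dict(self.outputs)          # nothing requested
        if not self.field_inputs["53HS-101"]:
            self.diagnostics.append("limit change held: enable switch off")
        elif 0 <= low < high <= 200:
            self.outputs["53PT-920.H"], self.outputs["53PT-920.L"] = high, low
        else:
            self.diagnostics.append(f"limit change rejected: {low}/{high} out of range")
        return dict(self.outputs)


if __name__ == "__main__":
    gate = WriteGate()
    print(gate.handle_write("53PT-920.H", 150))   # refused: output address
    print(gate.handle_write("40003", 150))        # accepted as an input
    print(gate.run_cycle())                        # held: enable switch off
    gate.field_inputs["53HS-101"] = True           # operator turns the key
    print(gate.run_cycle())                        # limit applied
    print(gate.diagnostics)
```

The design choice this illustrates is that the communication protocol has no authority of its own: even a correctly formatted, authenticated write only becomes a request, and the conditions under which it is honoured live in the reviewed and verified control program rather than in the communication stack.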


Physical Characteristics
The hardware modules of the FSC system can be split into three basic groups: Central Part modules, I/O modules, and Field Termination Assembly (FTA) modules. The Central Part modules are constructed on a European standard size instrument card. The height of the front panel of the modules is 3 HE (3U), their width is 4 TE (4 HP). (COM, DBM and PSU modules are 8 TE wide.) The Central Part modules are placed in standard 19" racks which are generally located in the top section of the cabinet. The Central Part interfaces with the I/O system through a Vertical Bus (V-bus), which is a flatcable that runs vertically in the FSC cabinet. The V-bus is controlled by the Vertical Bus Driver (VBD) module, which is located in the Central Part rack.

[Figure 6 front view: Central Part 1 and Central Part 2 racks, each holding CPU, SMM, COM, WD, two VBD, DBM, PSD and PSU modules with RESET and ENABLE controls; below them the Redundant I/O racks and the Non-redundant I/O racks, each headed by an HBD module, connected through the Redundant V-bus and the Non-redundant V-bus.]

Figure 6 Front View of Typical FSC System with Redundant Central Parts and both Redundant and Non-Redundant I/O

Each of the I/O racks contains a Horizontal Bus Driver (HBD) module, which connects to the V-bus. The HBD module drives the Horizontal Bus (H-bus), which relays the signals from the V-bus to the I/O modules via a flatcable. The H-bus module is located on top of each I/O rack. The horizontal bus and the flatcables are covered with a sheet steel cover which provides optimum EMC/RFI immunity. The cover plate contains a paper strip which holds the relevant process tagging for signal identification.

The I/O modules are constructed on a European standard-size instrument card. The height of the front panel of the modules is 3 HE (3U), their width is 4 TE (4 HP). A total of 18 I/O modules can be placed per I/O rack. All I/O modules are equipped with standard 32-pin DIN 41612F connectors. All I/O racks are provided with an I/O backplane which contains matching 32-pin connectors with key-coding to prevent misinsertion of the I/O modules. The I/O backplane consists of a multilayer PCB, with one layer being an earth plane to improve EMC/RFI immunity. The front side of the I/O backplane contains the Eurocard connectors to install the I/O modules and the HBD module(s). At the back, the I/O backplane provides female connectors for the system interconnection cables (SICs), which also connect to the FTA modules. The back side also provides programming connectors which allow the I/O interfaces to be tailored to the specific signal characteristics of the field equipment, e.g. Analog Input, 2-10 Vdc.

Field Termination Assemblies (FTAs) are used to connect the field wiring to the FSC input and output interfaces. FTA modules are 70 mm (2.76 in) wide, and their length varies between 110 mm and 200 mm (4.33 and 7.87 in), depending on the FTA type. The modules are mounted on standard DIN EN rails (TS32 or TS35 x 7.5). An FTA may contain electronic circuitry to convert standard FSC signals to specific signals with characteristics required by field equipment. Two types of FTAs are available, which allows the field cables to be connected in two different ways: via Elco connectors or via terminals (see Figure 7).
Figure 7 Example of Elco and terminal FTA types (left: Elco-type FTA; right: terminal-type FTA with its numbered terminal strip 1-50)


Options
TPS Integration
The FSC system may be integrated into the Honeywell TotalPlant Solution (TPS) system. The integration is realized through the FSC Safety Manager Module (FSC-SMM) interface card, which is placed in the Central Part of the FSC system. The FSC-SMM provides a bridge between the FSC control processors and the TPS system to exchange information, which integrates FSC's critical control program into the advanced control strategies of the TPS system. The FSC-SMM supports the following TPS point types: DI, DO, Digital Composite (DC), AI, AO, Logic, Flag, Numeric and Timer.

As a member of the Universal Control Network (UCN) it shares important features with its UCN peers, including:
- direct peer-to-peer communication with other UCN nodes, e.g. PM, APM, HPM and FSC-SM,
- communication with operators, engineers and maintenance personnel at the TPS operator stations,
- support of higher-level control strategies through communication with Application Modules and host computers on the Local Control Network,
- FSC-SMM database restoration from the History Module, and
- Digital Input sequence of event.

For detailed information on the FSC Safety Manager refer to the FSC-SM Specification and Technical Data (FS03-500).

PlantScape Integration
FSC Release 520 introduces the integration of FSC into PlantScape, which combines Honeywell's field-proven safety controller with its equally reliable hybrid control system. The integration is realized through the FSC-PlantScape Ethernet interface module, which is placed in the Central Part of the FSC system. This dedicated interface module makes FSC an integrated part of the PlantScape system architecture, which means that FSC-related information can easily be exchanged between FSC and PlantScape. This allows information to be shared and made available on the PlantScape server displays.

FSC R520 integrates the sequence-of-event (SOE) features as supported by the FSC controller into the PlantScape system. FSC supports SOE for digital inputs and outputs, analog inputs and outputs, and marker points. Each tag name that has been "SOE-enabled" is time-stamped by the FSC controller and reported to the PlantScape server, where it is incorporated into the standard PlantScape SOE table. Standard SOE displays are available to view the events as they are reported. FSC integration into PlantScape requires PlantScape release 300 or higher.


Sequence-Of-Event Recording
The FSC system contains an integrated sequence-of-event recording (SER) function, which allows the system to detect and record events that indicate or may cause deviations from normal process operation. Examples of such events are: change of state of a valve limit switch, steam pressure becoming too high, maintenance override effected by a maintenance engineer, faults in the field (e.g. open transmitter loop), and faults in FSC input/output interfaces.

Once per program scan, the FSC system inspects all defined process quantities, both digital and analog, for a change of state, in line with the execution of the control program. An event is logged for any changed process quantity, in an event buffer that resides within the system. Events that result from operator interaction or from detected faults are logged as soon as they are handled by the system. The integrated list of the detected exceptions thus provides excellent information for post-mortem analysis of abnormal process behavior, in line with the 'traceability requirements' of IEC 61508.

The logged events are reported to event management systems through the FSC system's communication interfaces. Events may be reported to: a line printer or matrix printer for direct reporting on paper, or a process computer for incorporation of the events into an overall event journal, or a personal computer running Honeywell's dedicated FSCSOE event management software package, which allows users to view and analyze (anomalous) process events.

Until events have been successfully reported, the FSC system maintains the logged events in its internal event buffer, which may contain at least 448 events. If the number of detected events exceeds the buffer capacity, all subsequent events are ignored. This will ensure that the start of a plant upset is preserved for post-mortem analysis. If the FSC event buffer overflows as a result of communication failures with the event management system, the FSC system will start overwriting events older than four hours.

Advanced features of the FSC sequence-of-event recording function include: centralized event reporting in distributed safety networks, and event reporting to redundant event management systems.
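The buffer policy described above (per-scan change detection, a buffer of at least 448 events, new events ignored once it is full, and entries older than four hours recycled only when the overflow is caused by a communication failure) is easy to get wrong in an event collector, so the following is an added model of it in Python. It is not FSC code; the tag names, the `kind` categories and the rule that any change of an analog value counts as an event are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Union

# Figures stated in the FSC description: the buffer holds at least 448 events,
# and on a communication failure entries older than four hours may be overwritten.
BUFFER_CAPACITY = 448
OVERWRITE_AGE_S = 4 * 3600

Value = Union[bool, float]


@dataclass
class Event:
    timestamp: float   # seconds; stamped at detection time
    tag: str           # process tag (constructed names in the demo)
    old_value: Value
    new_value: Value
    kind: str          # "process", "fault" or "operator" (constructed categories)


class EventBuffer:
    """Internal event buffer with the overflow policy described in the text."""

    def __init__(self, capacity: int = BUFFER_CAPACITY):
        self.capacity = capacity
        self.events: List[Event] = []   # oldest first
        self.dropped = 0                # events ignored because the buffer was full
        self.link_ok = True             # state of the link to the event management system

    def log(self, ev: Event, now: float) -> bool:
        """Store an event; returns False when it had to be ignored."""
        if len(self.events) < self.capacity:
            self.events.append(ev)
            return True
        if not self.link_ok:
            # Overflow caused by a communication failure: recycle the oldest
            # entry that is more than four hours old, if there is one.
            for i, old in enumerate(self.events):
                if now - old.timestamp > OVERWRITE_AGE_S:
                    del self.events[i]
                    self.events.append(ev)
                    return True
        # Buffer full and nothing eligible for overwriting: ignore the event,
        # so the events at the start of the upset are preserved.
        self.dropped += 1
        return False

    def report(self) -> List[Event]:
        """Hand buffered events to the event management system and clear the buffer."""
        if not self.link_ok:
            return []
        delivered, self.events = self.events, []
        return delivered


class ChangeDetector:
    """Inspects all defined process quantities once per program scan."""

    def __init__(self, buffer: EventBuffer):
        self.buffer = buffer
        self.last: Dict[str, Value] = {}

    def scan(self, now: float, values: Dict[str, Value]) -> int:
        """Compare every quantity with its previous value and log each change.
        Returns the number of events actually stored."""
        stored = 0
        for tag, value in values.items():
            previous = self.last.get(tag)
            # The first scan only records the baseline; afterwards any
            # difference is an event (assumption: analog limits are not modelled).
            if previous is not None and value != previous:
                if self.buffer.log(Event(now, tag, previous, value, "process"), now):
                    stored += 1
            self.last[tag] = value   # the quantity changed even if the event was dropped
        return stored


def demo() -> Dict[str, float]:
    """Constructed scenario: 500 digital changes while the reporting link is down."""
    buf = EventBuffer()
    det = ChangeDetector(buf)
    t = 0.0
    det.scan(t, {"PT101_HH": False, "XV201_ZSO": True})   # baseline scan, no events
    buf.link_ok = False
    state = False
    for _ in range(500):
        t += 1.0
        state = not state
        det.scan(t, {"PT101_HH": state, "XV201_ZSO": True})
    filled, dropped = len(buf.events), buf.dropped        # 448 stored, 52 ignored
    t += OVERWRITE_AGE_S + 1                              # four hours later, link still down
    state = not state
    det.scan(t, {"PT101_HH": state, "XV201_ZSO": True})   # oldest entry is recycled
    oldest_after = buf.events[0].timestamp
    buf.link_ok = True
    delivered = len(buf.report())
    return {"filled": filled, "dropped": dropped, "dropped_after": buf.dropped,
            "oldest_after": oldest_after, "delivered": delivered}


if __name__ == "__main__":
    print(demo())
```

The detail worth noting is the ordering of the two rules: while the link is up, the buffer drains through `report()`, so a full buffer simply drops new events and the first events of the upset survive; only when the link is down does the four-hour rule start recycling the oldest entries, and even then entries younger than four hours are never overwritten.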


FSCSOE
FSCSOE is a Windows-based application that records and logs process events detected by Event Detecting Devices (EDDs). Events can be viewed on-line, while being retrieved from the connected FSC system(s), or post-mortem from disk. This allows easy analysis of anomalous process events. Events are displayed on screen in user-defined formats, and they can also be printed at any printing device supported by Microsoft Windows. FSCSOE retrieves the events from the FSC system(s) via serial communication links. A maximum of four independent links are supported simultaneously. FSCSOE allows on-line modification of the network/variable configuration while event recording continues. It can also send event data to, or receive data from, various Distributed Control Systems (DCSs).

Alarm Functions
The FSC system contains a number of integrated standard alarm functions, which comply with the ISA S18.1 standard for annunciator sequences: first-up (TFS) with single or dual flash frequency, basic flashing (AF), manual lamp reset (AM), flasher reset (FR), flasher / lamp reset (FRM), ringback (AR), double audible ringback (ARR). The first-up alarm function may be split into two parts: an alarm-detecting part and an alarm-display part. The two parts may be implemented in different FSC systems which are interconnected in a distributed safety network. This allows alarms that are detected by independent FSC systems to be combined in the same first-up alarm group. The alarm-detecting part or the alarm-display part may also be located in a process computer. The two parts are then connected through data exchange via the communication link between the FSC system and the process computer.

On-Line Modification
On-line modification (OLM) is a TÜV-approved FSC system option that is supported by FSC configurations with redundant Central Parts. It enables modification of the application software, system software and FSC hardware configuration, while maintaining the system's critical control function for the operational plant. This means that the system can be upgraded without the need of a plant shutdown. During on-line modification, the changes are carried out in one Central Part at a time. Meanwhile, the other Central Part continues to monitor the process. The system will always perform a compatibility check across the control program in order to guarantee a safe changeover from the old control function to the new one. It will also report the numbers of the functional logic diagrams (FLDs) that have been changed, which complies with the 'verification requirements' of the IEC 61508 standard.

Safety Checker
FSC Release 510 introduces the optional Safety Checker tool, which helps engineers verify the safety consistency of an FSC application. If the Safety Checker detects any inconsistencies in the application that affect its safety integrity, it will report them on screen and store them in a log file. This allows engineers to correct safety-related design errors at an early stage, and verify that the safety application suits its projected purpose. The Safety Checker supports the verification process that is part of the safety lifecycle as laid down in IEC 61508 and ISA S84.01.

An FSC application can be considered safe if all its outputs are safety-related and the logic path leading to the outputs is safety-related as well. An inconsistent configuration can lead to hazardous situations. The Safety Checker will alert the programmer to these inconsistencies. If, for example, an analog input for a pressure trip has been configured as safety-related, but the output that drives the shutdown valve has not been configured safety-related, an inconsistency is detected in the loop and the programmer is alerted. An additional function of the Safety Checker highlights any off-sheet references to a destination FLD with a lower number than the source FLD, which might be design errors.

I/O Signal Forcing
For maintenance reasons, it may be desirable to force an input or an output signal to a certain fixed state, e.g. when exchanging a defective input sensor. This allows the sensor to be exchanged without affecting the continuation of the production. During the exchange, the applicable input is forced to its normal operational state. While being desirable in some situations, forcing a signal to a specific, fixed value may also create a potentially hazardous condition. The FSC system provides a force function which supports maintenance personnel in applying forces consciously. It only allows forcing of signals that were specifically selected during the system design. During operation, the system is protected against unauthorized forces via a key switch. Forcing of FSC signals is only possible via the FSC Navigator software using a password-protected software function. All forcing actions are included in the FSC event reports for traceability purposes.
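The two consistency rules the Safety Checker section above describes (every logic path into a safety-related output must itself be safety-related, and an off-sheet reference to a lower-numbered FLD deserves a second look) can be expressed as a graph check. The following Python is an added illustration and not Honeywell's Safety Checker; the node model, the tag names and FLD numbers, and the choice to report a wholly non-safety-related output as a warning rather than an error are assumptions made for the example. It also checks the reverse case (a non-safety-related output driven by safety-related logic), which is the loop the text gives as its example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Node:
    """One signal or logic element of the application (constructed model)."""
    name: str
    kind: str                      # "input", "logic" or "output"
    fld: int                       # number of the functional logic diagram sheet it lives on
    safety_related: bool           # attribute set by the engineer at configuration time
    inputs: List[str] = field(default_factory=list)   # names of the nodes driving it


def upstream(nodes: Dict[str, Node], name: str, seen: Set[str] = None) -> Set[str]:
    """All nodes that can influence `name` (transitive closure over its inputs)."""
    seen = set() if seen is None else seen
    for src in nodes[name].inputs:
        if src not in seen:          # the visited set also terminates feedback loops
            seen.add(src)
            upstream(nodes, src, seen)
    return seen


def check_application(nodes: Dict[str, Node]) -> Dict[str, List[str]]:
    errors: List[str] = []
    warnings: List[str] = []
    for n in nodes.values():
        for src in n.inputs:
            if src not in nodes:
                errors.append(f"{n.name} (FLD {n.fld}): undefined source {src}")
    if errors:
        return {"errors": errors, "warnings": warnings}

    # Rule 1: the whole logic path into a safety-related output must be safety-related,
    # and safety-related logic must not end in an output that is not.
    for out in [n for n in nodes.values() if n.kind == "output"]:
        drivers = [nodes[name] for name in sorted(upstream(nodes, out.name))]
        if out.safety_related:
            for d in drivers:
                if not d.safety_related:
                    errors.append(f"safety-related output {out.name} (FLD {out.fld}) "
                                  f"depends on non-safety-related {d.name} (FLD {d.fld})")
        else:
            safety_drivers = [d.name for d in drivers if d.safety_related]
            if safety_drivers:
                errors.append(f"output {out.name} (FLD {out.fld}) is not safety-related "
                              f"but is driven by safety-related {', '.join(safety_drivers)}")
            else:
                warnings.append(f"output {out.name} (FLD {out.fld}) is not safety-related")

    # Rule 2: an off-sheet reference whose destination FLD is lower-numbered than its
    # source FLD may be a design error and is highlighted for review.
    for n in nodes.values():
        for src in n.inputs:
            s = nodes[src]
            if s.fld > n.fld:
                warnings.append(f"off-sheet reference from FLD {s.fld} ({s.name}) "
                                f"to lower-numbered FLD {n.fld} ({n.name})")
    return {"errors": errors, "warnings": warnings}


def build_demo() -> Dict[str, Node]:
    """Constructed application: one clean loop, the text's pressure-trip example,
    a shutdown output fed through non-safety logic, and a backward sheet reference."""
    spec = [
        Node("TT102", "input", 2, True),
        Node("TT102_HH", "logic", 2, True, ["TT102"]),
        Node("XV101", "output", 4, True, ["TT102_HH"]),        # consistent loop
        Node("PT101", "input", 3, True),
        Node("PT101_HH", "logic", 3, True, ["PT101"]),
        Node("XV201", "output", 5, False, ["PT101_HH"]),       # the example from the text
        Node("ZS301", "input", 7, True),
        Node("RESET", "input", 9, False),
        Node("LATCH", "logic", 7, False, ["ZS301", "RESET"]),  # FLD 9 -> FLD 7 reference
        Node("ESD_OUT", "output", 8, True, ["LATCH"]),         # safety output, unsafe path
        Node("LAMP", "output", 9, False, ["RESET"]),           # non-safety indication only
    ]
    return {n.name: n for n in spec}


if __name__ == "__main__":
    for level, messages in check_application(build_demo()).items():
        for m in messages:
            print(f"{level.upper()}: {m}")
```

Tracing the whole upstream set rather than only the immediate driver is what catches the `ESD_OUT` case: its direct input `LATCH` is already non-safety-related, but so is `RESET` two hops back, and both are reported so the engineer sees every element that has to be reclassified or redesigned.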
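The force function described in the I/O Signal Forcing section combines four controls: a design-time list of forceable signals, a key switch, a password-protected software function, and an event record of every forcing action. The following Python sketch is an added example of that gate and its audit trail, not FSC Navigator code; the class and method names, the password handling, and the tag names are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

Value = Union[bool, float]


@dataclass
class ForceEvent:
    """Entry for the event report (constructed layout)."""
    timestamp: float
    user: str
    tag: str
    action: str      # "force", "clear" or "rejected"
    detail: str


class ForceManager:
    """Applies a force only when every control allows it, and logs every attempt."""

    def __init__(self, forceable_tags: Set[str], password: str):
        self.forceable = set(forceable_tags)        # selected during system design
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)         # never keep the password itself
        self.key_switch_enabled = False             # position of the physical key switch
        self.active: Dict[str, Value] = {}          # tag -> forced value
        self.events: List[ForceEvent] = []          # included in the FSC event reports

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def _authorize(self, password: str, tag: str) -> str:
        """Return an empty string when the action is allowed, else the reason it is not."""
        if not self.key_switch_enabled:
            return "key switch not in force-enable position"
        if tag not in self.forceable:
            return "tag not selected for forcing during system design"
        if not self._password_ok(password):
            return "invalid password"
        return ""

    def force(self, now: float, user: str, password: str, tag: str, value: Value) -> Tuple[bool, str]:
        reason = self._authorize(password, tag)
        if reason:
            self.events.append(ForceEvent(now, user, tag, "rejected", reason))
            return False, reason
        self.active[tag] = value
        self.events.append(ForceEvent(now, user, tag, "force", f"forced to {value!r}"))
        return True, "forced"

    def clear(self, now: float, user: str, password: str, tag: str) -> Tuple[bool, str]:
        reason = self._authorize(password, tag)
        if reason:
            self.events.append(ForceEvent(now, user, tag, "rejected", reason))
            return False, reason
        self.active.pop(tag, None)
        self.events.append(ForceEvent(now, user, tag, "clear", "force removed"))
        return True, "cleared"

    def effective(self, tag: str, field_value: Value) -> Value:
        """Value seen by the control program: the forced value if one is active."""
        return self.active.get(tag, field_value)


def demo() -> Dict[str, object]:
    """Constructed sequence: three rejected attempts, one accepted force, then its removal."""
    pw = "constructed-demo-password"
    fm = ForceManager({"PT101_HH"}, pw)
    results = []
    results.append(fm.force(1.0, "tech1", pw, "PT101_HH", False)[0])      # key switch off
    fm.key_switch_enabled = True
    results.append(fm.force(2.0, "tech1", "wrong", "PT101_HH", False)[0]) # bad password
    results.append(fm.force(3.0, "tech1", pw, "XV201", True)[0])          # not forceable
    results.append(fm.force(4.0, "tech1", pw, "PT101_HH", False)[0])      # accepted
    effective = fm.effective("PT101_HH", True)   # field says tripped, force says normal
    results.append(fm.clear(5.0, "tech1", pw, "PT101_HH")[0])
    return {"results": results, "effective": effective, "events": len(fm.events),
            "rejected": sum(e.action == "rejected" for e in fm.events)}


if __name__ == "__main__":
    print(demo())
```

Rejected attempts are logged alongside accepted ones: the event report is what lets a post-mortem distinguish a force that was applied consciously during maintenance from one that somebody tried to apply without the key switch or the password.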


Serial Communication with Process Computer Systems
The FSC system supports the exchange of control program data with process computers via serial communication links, using the non-proprietary Modbus RTU and RKE3964R communication protocols. The following information can be exchanged: analog process data as scanned by FSC through its input interfaces, trip settings, trip status, and FSC alarm status. Data written to the FSC system is available in the FSC control program via digital and numerical input variables, which allow the user to define the conditions of use in the control strategy. If the Modbus protocol is used, a number of additional information exchange functions are supported: downloading of events (SER) detected by the FSC system, downloading of the value of FSC's real-time clock, and uploading a real-time clock value to the FSC system.

FSC Networking
The FSC system supports Distributed Safety Solutions (DSS) through its extensive networking capabilities. FSC networks provide the means to decentralize process safeguarding with central process monitoring and control capabilities. In a DSS network, multiple FSC systems are interconnected via dedicated serial communication links. Both point-to-point and multidrop networks are supported. For optimum availability of the communication, the redundant FSC system configurations require the use of redundant communication links as well. The communication is based on the Honeywell proprietary, TÜV-approved FSC communication protocol. This protocol includes a high level of error detection and recovery, which makes it suitable for exchanging safety-related information while maintaining optimum availability. The network is also used to route sequence-of-event (SOE) data and diagnostic data to central operator stations and maintenance workstations.

Communication within FSC networks is based on the master-slave concept. In this concept, the master system is responsible for all communication activities. It initiates requests for data from the slave systems, and sends data to the slaves. FSC networks also support one level of communication server systems. These are FSC systems that are interconnected between the communicating master and slave system(s). Their task is to route the data that is exchanged between master and slave(s).


The DSS concept supports safety solutions in line with the plant design, with every independent process unit being safeguarded by a separate FSC system. This minimizes the risk of nuisance plant trips during unit maintenance.

Simulation
The FSC simulation option allows any FSC application to be loaded into the standard FSC training units. In simulation mode, the FSC Control Processor executes the control program using the serial interface with the FSC user station as its field interface. The actual defined Central Part hardware is ignored and "mapped" to the hardware of the simulation/training units. Input values are applied by the user via the FSC Navigator software, using the input signal force feature. The output values can be monitored through various displays at the FSC user station. In combination with the standard "live" FLD viewing feature of FSC Navigator, the simulation option provides an excellent means for design engineers to validate the FSC control program prior to initial installation and to verify modifications before an on-line upgrade. The interfaces with TPS (FSC-SMM) and PlantScape are also supported in simulation mode, which allows an integrated validation of the entire safety application.


Specifications
The following specifications apply to the FSC modules mounted in a standard FSC cabinet:
FSC Environmental Conditions
Operating Temperature:       0°C to 60°C (32°F to 140°F), ambient (1)
Storage Temperature:         -25°C to +80°C (-13°F to +176°F)
Relative Humidity:           5% to 95%, non-condensing
Vibration, Sinusoidal:       IEC 60068-2-6; 1 G at 57 Hz to 150 Hz; 10 Hz to 57 Hz: 0.075 mm
Shock:                       IEC 60068-2-27; 15 G for 11 ms, 3 axes
Electrostatic Discharge:     IEC 61000-4-2, Level 4 (15 kV)
Conducted Susceptibility:    IEC 61000-4-4, Level 3, Fast Transient/Burst
                             IEC 61000-4-5, Level 3, Surge Withstand
                             IEC 61000-4-6, Level 3, Conducted Field
Radiated Susceptibility:     IEC 61000-4-3, Level 3
Conducted Emissions:         Measured per CISPR 11 & CISPR 22
Radiated Emissions:          Measured per CISPR 11 & CISPR 22

(1) "Ambient" refers to the air temperature measured in the FSC system cabinet.

FSC Certifications and Compliance with International Standards and Safety Codes
TÜV Bayern (Germany): Certified to fulfill the requirements of "Class 6" (AK6) safety equipment as defined in the following documents: DIN V VDE 19250, DIN V VDE 0801 incl. amendment A1, DIN VDE 0110, DIN VDE 0116, DIN VDE 0160 incl. amendment A1, DIN EN 54-2, DIN VDE 0883-1, DIN IEC 68, IEC 61131-2.
Canadian Standards Association (CSA): Compliant with the requirements of the following standards: CSA Standard C22.2 No. 0-M982 General Requirements Canadian Electrical Code, Part II; CSA Standard C22.2 No. 142-M1987 for Process Control Equipment.
Underwriters Laboratories (UL): Certified to fulfill the requirements of: UL 508, UL 991, UL 1998 and ISA S84.01.
Factory Mutual (FM): Certified to fulfill the requirements of FM 3611 (selected modules).
FSC Functional Logic Diagrams for Control Program design are compliant with IEC 61131-3.
The design and development of the FSC system are compliant with IEC 61508:1999, Parts 1-7 (as certified by TÜV).
CE compliance: Complies with CE directives 89/336/EEC (EMC) and 73/23/EEC (Low Voltage).


FSC Mechanical Specifications
FSC cabinet dimensions (Rittal, model PS 4808):   2000 x 800 x 800 mm (H x W x D); 78 x 31 x 31 in (H x W x D)
Rack size (incl. horizontal bus):                  height: 4 HE (4U), width: 84 TE (84 HP)
Module sizes:
  typical height and width:                        height: 3 HE (4U), width: 4 TE (4 HP)
  COM, DBM and PSU modules:                        height: 3 HE (3U), width: 8 TE (8 HP)
  Eurocard dimensions:                             100 x 160 mm (3.94 x 6.30 in)

FSC Electrical Specifications
Supply voltages:
  24 Vdc:    +30% / -15%
  48 Vdc:    +15% / -15%
  60 Vdc:    +15% / -15%
  110 Vdc:   +25% / -15%
  220 Vdc:   +10% / -15%


References
For further reading please refer to the following documents:
Reference    Publication Title
FS90-510     FSC Safety Manual R510
FS80-510     FSC Software Manual R510
FS02-500     FSC Hardware Manual
FS80-511     FSC User Documentation Update for FSC R511 (1)
FS80-520     FSC User Documentation Update for FSC R520 (1)
TPS 3076     FSC Safety Manager (FSC-SM) Documentation Set
FS03-500     FSC Safety Manager (FSC-SM) Specification and Technical Data
FS75-510     FSC Specification and Technical Data for FSC Release 51x/52x

(1) Included on FSC Navigator distribution CD-ROM.

The FSC user documentation is also available on CD-ROM:

HSMS Part Number    CD-ROM Title
3400916             FSC Hardware Manual Rev. 03 (06/99)
3400917             FSC User Documentation R510 (06/99) (1)

(1) Includes FSC Software Manual R510, FSC Safety Manual R510, FSC Hardware Manual Rev. 03 (06/99) and FSC Safety Manager documentation set (binder TPS 3076).

The FSC Navigator software distribution CD-ROM includes user documentation updates.


Model Numbers
Power Supply Modules
Model Number       Description
1200 S 24 P067     24 Vdc Power Supply Unit, 45 A, input: 100-264 Vac, 230-340 Vdc
M24-12HE           24 Vdc Power Supply Unit, 12 A, input: 110-240 Vac
M24-20HE           24 Vdc Power Supply Unit, 20 A, input: 110-240 Vac
M48-10HE           48 Vdc Power Supply Unit, 10 A, input: 110-240 Vac
M60-5HE            60 Vdc Power Supply Unit, 5 A, input: 110-240 Vac
10300/1/1          24 Vdc to 5 Vdc DC/DC converter, 12 A

Central Part Modules
Model Number             Description
10001/R/1                Vertical Bus Driver module (VBD) for control of I/O interfaces in the I/O racks
10002/1/2                Central Processing Unit (CPU)
10012/1/2                Central Processing Unit (CPU) with flash memory 1)
10004//                  Communication module (COM)
10014//                  Communication module (COM) with flash memory 1)
10005/1/1                Watchdog module (WD)
10006/2/1                Diagnostic and Battery Module (DBM)
10006/2/2                Diagnostic and Battery Module with DCF-77 atomic clock receiver
10007/1/1                Single Bus Driver module (SBD) for control of I/O in the Central Part rack
10008/2/U                FSC Safety Manager Module (FSC-SMM)
10018/2/U                FSC Safety Manager Module (FSC-SMM) with flash memory 1)
10018/E/E, 10018/E/1     FSC to PlantScape communication interface module 2)

1) Requires FSC Release 510 or higher.
2) Requires FSC Release 520 or higher.

Analog Input Modules
Model Number    Description
10102/2/1       Fail-safe analog input module (4 channels)
10105/2/1       Fail-safe high-density analog input module (24 Vdc, 16 channels)

Analog Input Field Termination Assemblies (FTAs)
Model Number    Description
FTA-T-02        Fail-safe input FTA (24/48/60 Vdc, 24 channels)
FTA-T-14        Fail-safe 0(4)-20 mA analog input FTA (16 channels)


Analog Output Modules
Model Number    Description
10205/2/1       Fail-safe analog output module (0(4)-20 mA, 2 channels)

Analog Output Field Termination Assemblies (FTAs)
Model Number    Description
FTA-T-02        Fail-safe output FTA (24/48/60 Vdc, 24 channels)

Digital Input Modules
Model Number    Description
10101/2/1       Fail-safe digital input module (24 Vdc, 16 channels)
10101/2/2       Fail-safe digital input module (60 Vdc, 16 channels)
10101/2/3       Fail-safe digital input module (48 Vdc, 16 channels)
10103/1/1       Intrinsically safe input module (4 channels)
10104/2/1       Digital input module (24 Vdc, 16 channels)
10106/2/1       Fail-safe line-monitored digital input module with earth fault monitor (16 ch.)

Digital Input Field Termination Assemblies (FTAs)
Model Number    Description
FTA-T-02        Fail-safe input FTA (24/48/60 Vdc, 24 channels)
FTA-T-09        Fail-safe passive digital input FTA (115 Vac/dc, 8 channels)
FTA-T-12        Isolated passive digital input FTA (8 channels)
FTA-T-16        Fail-safe active digital input FTA with line-monitoring (16 channels)
FTA-T-21        Fail-safe digital input FTA (24/48/60 Vdc, NAMUR, 16 channels)
FTA-T-23        Current-limited digital input FTA (24 Vdc, 16 channels)

Digital Output Modules
Model Number    Description
10201/2/1       Fail-safe digital output module (24 Vdc, 550 mA, 8 channels)
10206/2/1       Digital output module (24 Vdc, 550 mA, 12 channels)
10208/2/1       Relay output module (contacts, 10 channels)
10209/2/1       Digital output module (24 Vdc, 100 mA, 16 channels)
10213/2/1       Fail-safe digital output module (110 Vdc, 325 mA, 4 channels)
10213/2/2       Fail-safe digital output module (60 Vdc, 675 mA, 4 channels)
10213/2/3       Fail-safe digital output module (48 Vdc, 750 mA, 4 channels)
10214/1/2       Fail-safe digital output module (220 Vdc, 250 mA, 3 channels)
10215/2/1       Fail-safe digital output module (24 Vdc, 2 A, 4 channels)
10216/2/1       Fail-safe loop-monitored digital output module (24 Vdc, 1 A, 4 ch.)
10216/2/3       Fail-safe loop-monitored digital output module (48 Vdc, 0.5 A, 4 ch.)


Digital Output Field Termination Assemblies (FTAs)
Model Number    Description
FTA-T-02        Fail-safe output FTA (24/48/60 Vdc, 24 channels)
FTA-T-03        Digital output FTA (24 Vdc, 24 channels)
FTA-T-04        Digital output (relay contact) FTA (25 channels)
FTA-T-05        Fail-safe digital output FTA (24 Vdc, 12 channels)
FTA-T-08        Fail-safe digital output (relay contact) FTA (250 Vac / 150 Vdc, 4 ch.)
FTA-T-11        Fail-safe digital output FTA (110 Vdc, 8 channels)
FTA-T-17        Digital output (relay) FTA for AK5/6 applications (250 Vac / 250 Vdc, 4 channels)
FTA-T-20        Digital output (relay contact) FTA (8 channels, NO/NC)


Copyright, Trademarks, and Notices


© 1999 Honeywell Safety Management Systems B.V., The Netherlands.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a particular purpose and makes no express warranties except as may be stated in its written agreement with and for its customer. In no event is Honeywell liable to anyone for any indirect, special or consequential damages. The information and specifications in this document are subject to change without notice.

Honeywell, TotalPlant, and TDC 3000 are U.S. registered trademarks of Honeywell Inc. FSC is a trademark of Honeywell Safety Management Systems B.V. Other brand or product names are trademarks of their respective owners.
