Fail Safe Control

Safety Manual
Release 531
Revision 01 (03/2001)

FS90-531

Copyright, Notices and Trademarks
© 2001 – Honeywell Safety Management Systems B.V.

Release 531 Revision 01 (03/2001)

While this information is presented in good faith and believed to be accurate, Honeywell Safety Management Systems B.V. disclaims the implied warranties of merchantability and fitness for a particular purpose and makes no express warranties except as may be stated in its written agreement with and for its customer. In no event is Honeywell Safety Management Systems B.V. liable to anyone for any indirect, special or consequential damages. The information and specifications in this document are subject to change without notice.

TotalPlant, TDC 3000 and Universal Control Network are U.S. registered trademarks of Honeywell International Inc. PlantScape is a trademark of Honeywell International Inc. FSC, DSS and QMR are trademarks of Honeywell Safety Management Systems B.V. QuadPM and QPM are pending trademarks of Honeywell Safety Management Systems B.V. Other brands or product names are trademarks of their respective holders.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Honeywell Safety Management Systems B.V.

TABLE OF CONTENTS
Section 1 – Introduction
1.1 System Overview ........ 1
1.2 Certification ........ 2
1.3 Standards Compliance ........ 4
1.4 Definitions ........ 10

Section 2 – FSC Configurations
2.1 Section Overview ........ 17
2.2 Introduction ........ 18
2.3 Single Central Part and Single I/O ........ 19
2.4 Redundant Central Parts and Single I/O ........ 20
2.5 Redundant Central Parts and Redundant I/O ........ 22
2.6 Redundant Central Parts with Redundant and Single I/O ........ 24
2.7 Quadruple Modular Redundant (QMR™) Architecture ........ 26

Section 3 – Design Phases for an E/E/PE Safety-Related System
3.1 Section Overview ........ 29
3.2 Overall Safety Lifecycle ........ 30
3.3 Specification of the Safety Class of the Process ........ 36
3.4 Specification of the Instrumentation Related to the Safety System ........ 37
3.5 Specification of the Functionality of the Safety System ........ 40
3.6 Approval of Specification ........ 42

Section 4 – Implementation Phases of FSC as a Safety-Related System
4.1 Overview ........ 43
4.2 FSC Project Configuration ........ 44
4.3 System Configuration Parameters ........ 46
4.4 Specification of Input and Output Signals ........ 49
4.5 Implementation of the Application Software ........ 50
4.6 Verification of an Application ........ 51
4.7 Verifying an Application in the FSC System ........ 53

FSC Safety Manual Table of Contents


TABLE OF CONTENTS (continued)

Section 5 – Special Functions in the FSC System
5.1 Section Overview ........ 57
5.2 Forcing of I/O Signals ........ 58
5.3 Communication with Process Control Systems (DCS / ICS) ........ 61
5.4 FSC Networks ........ 63
5.5 On-Line Modification ........ 68
5.6 Safety-Related Non Fail-Safe Inputs ........ 70

Section 6 – FSC System Fault Detection and Response
6.1 Section Overview ........ 73
6.2 Voting ........ 75
6.3 FSC Diagnostic Inputs ........ 77
6.4 FSC Alarm Markers ........ 79
6.4.1 Input Fault Detection ........ 81
6.4.2 Transmitter Fault Detection ........ 82
6.4.3 Redundant Input Fault Detection ........ 83
6.4.4 Output Fault Detection ........ 84
6.4.5 I/O Compare Error Detection ........ 87
6.4.6 Central Part Fault Detection ........ 92
6.4.7 Internal Communication Error ........ 93
6.4.8 FSC-FSC Communication Fault Detection ........ 94
6.4.9 Device Communication Fault Detection ........ 95
6.4.10 Temperature Alarm ........ 96
6.5 Calculation Errors ........ 97

Section 7 – Using the FSC Alarm Markers and Diagnostic Inputs
7.1 Section Overview ........ 101
7.2 Applications of Alarm Markers and Diagnostic Inputs ........ 102
7.3 Shutdown at Assertion of FSC Alarm Markers ........ 103
7.4 Unit Shutdown ........ 104
7.5 Diagnostic Status Exchange with DCS ........ 109

Section 8 – Wiring and 1oo2D Output Voting in AK5 and AK6 Applications ........ 111

Section 9 – Fire and Gas Application Example ........ 115

Section 10 – Special Requirements for TÜV-Approved Applications ........ 125

Figures
Figure 1-1 CE mark ........ 7
Figure 1-2 Failure model ........ 11
Figure 1-3 Programmable electronic system (PES): structure and terminology ........ 13
Figure 2-1 Single Central Part, single I/O configuration ........ 19
Figure 2-2 Functional diagram: single Central Part, single I/O ........ 19
Figure 2-3 Redundant Central Parts, single I/O configuration ........ 20
Figure 2-4 Functional diagram: redundant Central Parts, single I/O ........ 21
Figure 2-5 Redundant Central Parts, redundant I/O configuration ........ 22
Figure 2-6 Functional diagram: redundant Central Parts, redundant I/O ........ 23
Figure 2-7 Redundant Central Parts with redundant and single I/O configuration ........ 24
Figure 2-8 Functional diagram: redundant Central Parts with redundant and single I/O ........ 25
Figure 2-9 Functional diagram: QMR™ architecture ........ 26
Figure 3-1 Overall safety lifecycle ........ 31
Figure 3-2 E/E/PES safety lifecycle (in realization phase) ........ 32
Figure 3-3 Software safety lifecycle (in realization phase) ........ 32
Figure 3-4 Relationship of overall safety lifecycle to E/E/PES and software safety lifecycles ........ 33
Figure 3-5 Specification of I/O signals for the FSC system ........ 38
Figure 3-6 Example of hardware specification of analog input for FSC system ........ 39
Figure 3-7 Example of functional logic diagram (FLD) ........ 41
Figure 4-1 Main screen of FSC Navigator ........ 44
Figure 4-2 Basic functions of FSC project configuration ........ 45
Figure 4-3 Verification of the application software ........ 52
Figure 4-4 Verification log file ........ 53
Figure 4-5 Sample verification report ........ 55
Figure 5-1 Forcing sequence ........ 58
Figure 5-2 Example of a printout of engineering documents ........ 61
Figure 5-3 Examples of FSC communication networks ........ 63
Figure 5-4 FSC master/slave interconnection ........ 64
Figure 5-5 Redundant FSC communication link ........ 64
Figure 5-6 Response time in network with multiple masters ........ 66
Figure 5-7 Sheet differences ........ 68
Figure 5-8 Configuration of a redundant input ........ 70
Figure 5-9 Example of functionality of a redundant digital input function ........ 71
Figure 6-1 Input failure alarm marker function ........ 80
Figure 6-2 Intended square-root function ........ 98
Figure 6-3 Square-root function with validity check in function block ........ 98
Figure 6-4 Square-root function with validated input value ........ 99
Figure 7-1 Diagram to shut down system in case of output compare error ........ 103
Figure 7-2 Wiring diagram for unit shutdown ........ 104
Figure 7-3 Configuration of the unit shutdown output ........ 105
Figure 7-4 Configuration of the process outputs ........ 107
Figure 7-5 Functional logic diagram of unit shutdown ........ 108
Figure 7-6 FSC system information to DCS ........ 109
Figure 8-1 Redundant I/O wiring in AK6 and non-surveiled AK5 applications ........ 112
Figure 9-1 System alarm (FLD 50) ........ 116
Figure 9-2 Input loop 1 (FLD 100) ........ 116
Figure 9-3 Control of the alarm horn (FLD 500) ........ 118
Figure 9-4 Control of the failure alarm horn (FLD 501) ........ 119
Figure 9-5 Control of the override alarm horn (FLD 502)
Figure 9-6 Control of the test alarm horn (FLD 503) ........ 120
Figure 9-7 Control and acknowledge of the alarm horns (FLD 505) ........ 121
Figure 9-8 Control of the common alarm indication (FLD 510) ........ 121
Figure 9-9 Control of the common test indication (FLD 520) ........ 122
Figure 9-10 Control of the common failure alarm indication (FLD 530) ........ 122
Figure 9-11 Control of the common override indication (FLD 540) ........ 123
Figure 9-12 Alarm sequence function block (FLD FB-900) ........ 124
Figure 9-13 Alarm latching, alarm reset and lamp test function block (FLD 905) ........ 124
Figure 10-1 System parameters ........ 127
Figure 10-2 Power supply ........ 130

Tables
Table 1-1 FSC compliance to standards ........ 4
Table 1-2 Safety integrity levels: target failure measures for a safety function, allocated to an E/E/PE safety-related system operating in low demand mode of operation ........ 14
Table 1-3 Safety integrity levels: target failure measures for a safety function, allocated to an E/E/PE safety-related system operating in high demand or continuous mode of operation ........ 14
Table 2-1 FSC configurations ........ 18
Table 3-1 Overall safety lifecycle overview ........ 33
Table 3-2 Relation between FSC configurations and requirement classes AK1-6, according to DIN V 19250 ........ 36
Table 4-1 Memory types ........ 47
Table 5-1 Procedure to enable the force enable flag ........ 58
Table 5-2 Procedure to force a variable ........ 59
Table 5-3 Performance factors ........ 65
Table 5-4 FSC-FSC communication timeout ........ 67
Table 6-1 Voting schemes for single FSC components ........ 75
Table 6-2 Voting schemes for redundant components ........ 75
Table 6-3 Explanation of redundancy voting schemes ........ 76
Table 6-4 Diagnostic inputs (channel status) ........ 77
Table 6-5 Diagnostic inputs (loop status) ........ 78
Table 6-6 FSC alarm markers ........ 79
Table 6-7 System response in case of digital hardware input compare error ........ 89
Table 6-8 System response in case of analog input compare error ........ 90
Table 6-9 System response in case of digital output compare error ........ 91

Abbreviations
AC – Alternating current
AI – Analog input
AK – Anforderungsklasse (requirement class)
AO – Analog output
BI – Multiple input
BO – Multiple output
CE – Conformité Européenne
CP – Central part
CPU – Central processing unit
CSA – Canadian Standards Association
DBM – Diagnostic and battery module
DC – Direct current
DCS – Distributed control system
DI – Digital input
DIN – Deutscher Industrienorm (German industrial standard)
DMR – Dual Modular Redundant
DO – Digital output
ECM – Enhanced Communication Module
E/E/PES – Electrical/Electronic/Programmable electronic system
EEA – European Economic Area
EEC – European Economic Community
EMC – Electromagnetic compatibility
EPM – Enhanced Processor Module
EPROM – Erasable programmable read-only memory
ESD – Emergency shutdown
EU – European Union
EUC – Equipment under control
F&G – Fire & Gas
FAT – Factory acceptance test
FB – Function block
FLD – Functional logic diagram
FM – Factory Mutual
FMEA – Failure mode effect analysis
FS – Fail-safe
FSC – Fail Safe Control
FSC-DS – Fail Safe Control Development System
H&B – Hartmann & Braun
H-bus – Horizontal bus
HBD – Horizontal bus driver
HSMS – Honeywell Safety Management Systems
I – Input
I/O – Input/output
IC – Input channel
ICS – Integrated control system
IM – Input module
NFS – Non fail-safe
O – Output
OC – Output channel
OLM – On-line modification
OM – Output module
PC – Personal computer
PES – Programmable electronic system
PST – Process safety time
PSU – Power supply unit
QMR – Quadruple Modular Redundant
RAM – Random-access memory
SER – Sequence-of-event recording
SIL – Safety integrity level
SMOD – Secondary means of de-energization
SOE – Sequence of events
TPS – TotalPlant Solution
TÜV – Technischer Überwachungsverein
UL – Underwriters Laboratories
V-bus – Vertical bus
VBD – Vertical bus driver
WD – Watchdog

REFERENCES

FSC Documentation (Publication Title – Publication Number):
FSC Safety Manual R530 – FS90-530
FSC Software Manual R530 – FS80-530
FSC Hardware Manual – FS02-500
FSC Obsolete Modules – FS02-501
FSC Service Manual – FS99-504

FSCSOE Documentation (Publication Title – Publication Number):
FSCSOE – Basic Version – FS50-xxx*
FSCSOE – Network Option – FS51-xxx*
FSCSOE – Foxboro I/A Interface Option – FS52-xxx*
FSCSOE – Yokogawa CS Interface Option – FS53-xxx*
FSCSOE – Ronan Interface Option – FS55-xxx*

* 'xxx' is the release number. For example, the manuals for FSCSOE R130 are referred to as FS50-130, FS51-130, etc.

FSC-SM Documentation (Publication Title – Publication Number):
FSC Safety Manager Installation Guide – FS20-500
FSC Safety Manager Implementation Guidelines – FS11-500
FSC Safety Manager Control Functions – FS09-500
FSC Safety Manager Parameter Reference Dictionary – FS09-550
FSC Safety Manager Configuration Forms – FS88-500
FSC Safety Manager Service Manual – FS13-500


Section 1 – Introduction

1.1 System Overview

This section provides general information on the FSC system and its compliance to standards, as well as a glossary of terms. It covers the following topics:

Subsection – Topic – See page
1.1 – System Overview – 1
1.2 – Certification – 3
1.3 – Standards Compliance – 5
1.4 – Definitions – 11

System overview

The Fail Safe Control (FSC) system is a microprocessor-based control system for safety applications. The safety of the FSC system is obtained through its specific design for these applications. This design includes facilities for self-testing of all FSC modules through software and specialized hardware based on a failure mode effect analysis (FMEA) for each module. Additional software routines are included to guarantee proper execution of the software. This approach can be classified as software diversity. These features maintain fail-safe operation of the FSC system even in the single-channel configurations. By placing these single-channel versions in parallel, one gets not only safety but also availability: proven availability. The system can be configured in a number of different basic architectures (1oo1D, 1oo2D, QMR) depending on the requirement class of the process, the availability required and the FSC hardware modules used. This also means that field signals can be handled in multiple voting schemes (1oo1, 1oo2, 1oo2D, 2oo4D) as described in section 6.
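As an added illustration (not code from the manual or from Honeywell), the following Python model shows how the voting schemes named above (1oo1, 1oo2, 1oo2D, 2oo4D) combine redundant channel states with their diagnostic status, and how a "D" scheme degrades and finally fails safe when diagnostics leave too few healthy channels. The degradation table, the Channel/Vote types and the trip-on-demand convention are assumptions made for this example; the FSC system's own voting behaviour is defined in section 6 of the manual.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Channel:
    """One redundant field-signal channel as seen by the voter (assumed model)."""
    demand: bool   # True: this channel demands the safe (tripped) state
    healthy: bool  # True: channel passed its diagnostic self-test


@dataclass(frozen=True)
class Vote:
    trip: bool      # True: voted output goes to the safe (de-energized) state
    in_effect: str  # voting actually applied after diagnostic degradation


# Assumed degradation tables for illustration only:
# number of healthy channels -> number of demands (M) needed to trip.
# A healthy-channel count that is missing from the table means the scheme
# can no longer be honoured, so the voter fails safe (trips).
DEGRADATION: Dict[str, Dict[int, int]] = {
    "1oo1D": {1: 1},
    "1oo2D": {2: 1, 1: 1},              # 1oo2 -> 1oo1 -> fail safe
    "2oo4D": {4: 2, 3: 2, 2: 1, 1: 1},  # 2oo4 -> 2oo3 -> 1oo2 -> 1oo1 -> fail safe
}


def parse_scheme(scheme: str):
    """Split 'MooN' or 'MooND' into (M, N, has_diagnostics)."""
    diag = scheme.endswith("D")
    m, n = scheme.rstrip("D").split("oo")
    return int(m), int(n), diag


def vote(scheme: str, channels: List[Channel]) -> Vote:
    """Vote one scan of N channels under the given scheme (assumed semantics)."""
    m, n, diag = parse_scheme(scheme)
    if len(channels) != n:
        raise ValueError(f"{scheme} expects {n} channels, got {len(channels)}")
    if not diag:
        # Plain MooN: no diagnostics, so every channel is trusted as-is and
        # a faulty channel silently counts like any other.
        demands = sum(c.demand for c in channels)
        return Vote(trip=demands >= m, in_effect=scheme)
    # MooND: channels flagged by diagnostics are excluded from the vote.
    live = [c for c in channels if c.healthy]
    table = DEGRADATION[scheme]
    if len(live) not in table:
        return Vote(trip=True, in_effect="fail-safe")
    m_eff = table[len(live)]
    demands = sum(c.demand for c in live)
    return Vote(trip=demands >= m_eff, in_effect=f"{m_eff}oo{len(live)}")


if __name__ == "__main__":
    # Constructed sample scans: one healthy channel demanding a trip, one not.
    print(vote("1oo2D", [Channel(True, True), Channel(False, True)]))
    # Same demand, but the demanding channel is diagnosed faulty: degraded to 1oo1
    # on the remaining channel, which does not demand, so no trip.
    print(vote("1oo2D", [Channel(True, False), Channel(False, True)]))
    # Both channels faulty: the scheme cannot be honoured, so the voter fails safe.
    print(vote("1oo2D", [Channel(False, False), Channel(False, False)]))
```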

The FSC system and the FSC user station (with the FSC Navigator software) from Honeywell Safety Management Systems B.V. provide the means to guarantee optimum safety and availability. To achieve these goals, it is essential that the system is operated and maintained by authorized and qualified staff. If it is operated by unauthorized or unqualified persons, severe injuries or loss of production may result.

This Safety Manual covers the applications of the FSC system for requirement classes (German: Anforderungsklassen) AK1 to AK6 in accordance with DIN V 19250 of May 1994. This Safety Manual also covers the applications which must comply with IEC 61508.

1.2 Certification

Since functional safety is at the core of the FSC design, the system has been certified for use in safety applications all around the world. FSC was developed specifically to comply with the strict German DIN/VDE functional safety standards, and has been certified by TÜV for use in AK 1 to 6 applications. FSC has also obtained certification in the United States for the UL 1998 and ANSI/ISA S84.01 standards. FSC-based safety solutions and related Honeywell services can help you comply with the new ANSI/ISA S84.01 standard for safety-instrumented systems up to Safety Integrity Level (SIL) 3, as well as the new international standard IEC 61508 for functional safety. These new standards address the management of functional safety throughout the entire life cycle of your plant.

Standards compliance

FSC has been certified to comply with the following standards:

TÜV Bayern (Germany) — Certified to fulfill the requirements of "Class 6" (AK6) safety equipment as defined in the following documents: DIN V VDE 19250, DIN V VDE 0801 incl. amendment A1, DIN VDE 0116, DIN VDE 0160 incl. amendment A1, DIN VDE 0110, DIN VDE 0883-1, DIN EN 54-2, DIN IEC 68 Part II and IEC 61131-2.

Underwriters Laboratories (UL) — Certified to fulfill the requirements of UL 508, UL 991 and UL 1998.

Canadian Standards Association (CSA) — Complies with the requirements of the following standards: CSA Standard C22.2 No. 142-M1987 for Process Control Equipment, and CSA Standard C22.2 No. 0-M982 General Requirements – Canadian Electrical Code.

Instrument Society of America (ISA) — Certified to fulfill the requirements laid down in ANSI/ISA S84.01.

CE compliance — Complies with CE directives 89/336/EEC (EMC) and 73/23/EEC (Low Voltage).

Factory Mutual (FM) — Certified to fulfill the requirements of FM 3611 (nonincendive field wiring circuits for selected modules). The FSC functional logic diagrams (FLDs) are compliant with IEC 61131-3. The design and development of the FSC system are compliant with IEC 61508:1999, Parts 1-7 (as certified by TÜV).

1.3 Standards Compliance

This subsection lists the standards that FSC complies with, and also provides some background information on CE marking (EMC directive and Low Voltage directive).

Table 1-1 FSC compliance to standards

Standard | Title | Remarks
DIN V 19250 (1/89, 5/94) | Measurement and control. Fundamental safety aspects to be considered for safety-related measurement and control equipment. (German title: Leittechnik. Grundlegende Sicherheitsbetrachtungen für MSR-Schutzeinrichtungen) | Safety applications up to safety class AK 8
DIN V 0801 (1/90) and Amendment A (10/94) | Principles for computers in safety-related systems. (German title: Grundsätze für Rechner in Systemen mit Sicherheitsaufgaben) | Microprocessor-based safety systems
VDE 0116 (10/89) | Electrical equipment of furnaces. (German title: Elektrische Ausrüstung von Feuerungsanlagen) |
EN 54 part 2 (01/90) | Components of automatic fire detection systems, Introduction (German title: Bestandteile automatischer Brandmeldeanlagen) |
EN 50081-2-1994 | Electromagnetic compatibility – Generic emission standard, Part 2: Industrial environment |
EN 50082-2-1995 | Electromagnetic compatibility – Generic immunity standard, Part 2: Industrial environment |
IEC 61010-1-1993 | Safety Requirements for Electrical Equipment for Measurement, Control and Laboratory Use, Part 1: General Requirements |
IEC 61131-2-1994 | Programmable controllers. Part 2: Equipment requirements and tests |
UL 1998 | Safety-related software, first edition | Underwriters Laboratories
UL 508 | Industrial control equipment, sixteenth edition | Underwriters Laboratories
UL 991 | Test for safety-related controls employing solid-state devices, second edition | Underwriters Laboratories
FM 3611 Class I, Division 2, Groups A, B, C & D; Class II, Division 2, Groups F & G | Electrical equipment for use in Class I, Division 2, Class II, Division 2, and Class III, Division 1 and 2, hazardous locations | Factory Mutual Research. Applies to the field wiring circuits of the following modules: 10101/2/1, 10102/2/1, 10105/2/1, 10106/2/1 and 10205/2/1.
CSA C22.2 No. 142 (R1993) | Process control equipment. Industrial products. | Canadian Standards Association
IEC 60068-1 | Basic environmental testing procedures |
IEC 60068-2-1 | Cold test | 0°C (32°F); 16 hours; system in operation; reduced power supply voltage (-15%): U=20.4 Vdc or (-10%): U=198 Vac
IEC 60068-2-1 | Cold test | –10°C (14°F); 16 hours; system in operation
IEC 60068-2-2 | Dry heat test | up to 65°C (149°F); 16 hours; system in operation; increased power supply voltage (+15%): U=27.6 Vdc or (+10%): U=242 Vac
IEC 60068-2-3 | Test Ca: damp heat, steady state | 21 days at +40°C (104°F), 93% relative humidity; function test after cooling
IEC 60068-2-3 | Test Ca: damp heat, steady state | 96 hours at +40°C (104°F), 93% relative humidity; system in operation
IEC 60068-2-14 | Test Na: change of temperature — withstand test | –25°C to +55°C (–13°F to +131°F), 12 hours, 95% relative humidity, recovery time: max. 2 hours
IEC 60068-2-30 | Test Db variant 2: cyclic damp heat test | +25°C to +55°C (+77°F to +131°F), 48 hours, 80-100% relative humidity, recovery time: 1-2 hours
IEC 60068-2-6 | Environmental testing – Part 2: Tests – Test Fc: vibration (sinusoidal) | Excitation: sine-shaped with sliding frequency. Frequency range: 10-150 Hz. Loads: 10-57 Hz: 0.075 mm; 57-150 Hz: 1 G. Duration: 10 cycles (20 sweeps) per axis. No. of axes: 3 (x, y, z). Traverse rate: 1 oct/min. System in operation.
IEC 60068-2-27 | Environmental testing – Part 2: Tests – Test Ea: shock | Half sinus shock. 2 shocks per 3 axes (6 in total). Maximum acceleration: 15 G. Shock duration: 11 ms. System in operation.

CE marking

The CE mark (see Figure 1-1) is a compliance symbol which indicates that a product meets the requirements of the EU directives that apply to that product. CE (Conformité Européenne) marking is a prerequisite to marketing FSC systems in the European Union.

Figure 1-1 CE mark

EU directives are documents issued on the authority of the Council of the European Union. They set out requirements and regulations for certain categories of products or problem areas. The directives apply not only to the member countries of the European Union but to the whole European Economic Area (EEA), which is made up of Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Liechtenstein, Luxembourg, the Netherlands, Norway, Portugal, Spain, Sweden and the United Kingdom. The directives have the following key objectives:
• free movement of goods within the EU/EEA geographical regions through harmonization of standards and elimination of trade barriers,
• safety of persons, their property and of animals, and
• protection of the environment.

For control products like FSC, a number of EU directives apply. The FSC product is compliant with two of these: the Electromagnetic Compatibility (EMC) Directive (89/336/EEC) and the Low Voltage Directive (73/23/EEC). Each is discussed in more detail below.

EMC directive (89/336/EEC)

One of the EU directives that FSC complies with is the EMC directive, or Council Directive 89/336/EEC of 3 May 1989 on the approximation of the laws of the Member States relating to electromagnetic compatibility as it is officially called. The EMC directive was originally published in the Official Journal of the European Communities on May 23, 1989. The directive became effective on January 1, 1992, with a four-year transitional period. During the transitional period, a manufacturer can choose to meet existing national laws (of the country of installation) or comply with the EMC directive (demonstrated by the CE marking and Declaration of Conformity). The transitional period ended on December 31, 1995, which meant that as of January 1, 1996 compliance with the EMC directive became mandatory (a legal requirement). All electronic products may now only be marketed in the European Union if they meet the requirements laid down in the EMC directive. This also applies to FSC system cabinets.

The EMC directive defines protection requirements and inspection procedures relating to electromagnetic compatibility for a wide range of electric and electronic items. It "applies to apparatus liable to cause electromagnetic disturbance or the performance of which is liable to be affected by such disturbance" (Article 2). Within the context of the EMC directive, 'apparatus' means all electrical and electronic appliances together with equipment and installations containing electrical and/or electronic components. 'Electromagnetic disturbance' means any electromagnetic phenomenon which may degrade the performance of a device, unit of equipment or system. An electromagnetic disturbance may be electromagnetic noise, an unwanted signal or a change in the propagation medium itself. 'Electromagnetic compatibility' is the ability of a device, unit of equipment or system to function satisfactorily in its electromagnetic environment without introducing intolerable electromagnetic disturbances to anything in that environment.

There are two sides to electromagnetic compatibility: emission and immunity. These two essential requirements are set forth in Article 4, which states that an apparatus must be constructed so that:
(a) the electromagnetic disturbance it generates does not exceed a level allowing radio and telecommunications equipment and other apparatus to operate as intended, and
(b) the apparatus has an adequate level of intrinsic immunity of electromagnetic disturbance to enable it to operate as intended.

Low voltage directive (73/23/EEC)

The FSC product also complies with the low voltage directive, or Council Directive 73/23/EEC of 19 February 1973 on the harmonization of the laws of the Member States relating to electrical equipment designed for use within certain voltage limits as it is officially called. The low voltage directive was originally published in the Official Journal of the European Communities on March 26, 1973. It was amended by Council Directive 93/68/EEC, which became effective on January 1, 1995, with a two-year transitional period. During the transitional period, a manufacturer can choose to meet existing national laws (of the country of installation) or comply with the low voltage directive (demonstrated by the CE marking and Declaration of Conformity). The transitional period ended on December 31, 1996, which meant that as of January 1, 1997 compliance with the low voltage directive became mandatory (a legal requirement). All electronic products may now only be marketed in the European Union if they meet the requirements laid down in the low voltage directive. This also applies to FSC system cabinets.

The low voltage directive defines a number of principal safety objectives that electrical equipment must meet in order to be considered "safe". It states that "electrical equipment may be placed on the market only if, having been constructed in accordance with good engineering practice in safety matters in force in the Community, it does not endanger the safety of persons, domestic animals or property when properly installed and maintained and used in applications for which it was made" (Article 2). Within the context of the low voltage directive, 'electrical equipment' means any equipment designed for use with a voltage rating of between 50 and 1,000 V for alternating current (AC) and between 75 and 1,500 V for direct current (DC).

1.4 Definitions

This section provides a list of essential safety terms that apply to the FSC system. All definitions have been taken from IEC 61508-4 (FDIS version, February '98).

Dangerous failure
Failure which has the potential to put the safety-related system in a hazardous or fail-to-function state.
NOTE: Whether or not the potential is realized may depend on the channel architecture of the system; in systems with multiple channels to improve safety, a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.

Error
Discrepancy between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition.

EUC risk
Risk arising from the EUC or its interaction with the EUC control system.

Failure
The termination of the ability of a functional unit to perform a required function.
NOTE 1: The definition in IEV 191-04-01 is the same, with additional notes.
NOTE 2: See Figure 1-2 for the relationship between faults and failures, both in IEC 61508 and IEV 191.
NOTE 3: Performance of required functions necessarily excludes certain behaviour, and some functions may be specified in terms of behaviour to be avoided. The occurrence of such behaviour is a failure.
NOTE 4: Failures are either random (in hardware) or systematic (in hardware or software).

Fault
Abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function.
NOTE: IEV 191-05-01 defines "fault" as a state characterized by the inability to perform a required function, excluding the inability during preventative maintenance or other planned actions, or due to lack of external resources.

Functional safety
Part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.

Figure 1-2 Failure model
[Figure panels: a) Configuration of a functional unit; b) Generalised view; c) IEC 1508's and ISO/IEC 2382-14's view; d) IEC 50(191)'s view. Legend: L = level, i = 1, 2, 3 etc., FU = functional unit; the panels show the cause, error, failure, "F" state / fault and "Entity X" relationships between level (i+1), level (i) and level (i-1) functional units.]

NOTE 1 As shown in a), a functional unit can be viewed as a hierarchical composition of multiple levels, each of which can in turn be called a functional unit. In level (i), a "cause" may manifest itself as an error (a deviation from the correct value or state) within this level (i) functional unit, and, if not corrected or circumvented, may cause a failure of this functional unit, as a result of which it falls into an "F" state where it is no longer able to perform a required function (see b)). This "F" state of the level (i) functional unit may in turn manifest itself as an error in the level (i-1) functional unit and, if not corrected or circumvented, may cause a failure of this level (i-1) functional unit.

NOTE 2 In this cause and effect chain, the same thing ("Entity X") can be viewed as a state ("F" state) of the level (i) functional unit into which it has fallen as a result of its failure, and also as the cause of the level (i-1) functional unit. This "Entity X" combines the concept of "fault" in IEC 1508 and ISO/IEC 2382-14, which emphasises its cause aspect as illustrated in c), and that of "fault" in IEC 50(191), which emphasises its state aspect as illustrated in d). The "F" state is called fault in IEC 50(191), whereas it is not defined in IEC 1508 and ISO/IEC 2382-14.

NOTE 3 In some cases, a failure may be caused by an external event such as lightning or electrostatic noise, rather than by an internal fault. Likewise, a fault (in both vocabularies) may exist without a prior failure. An example of such a fault is a design fault.

Functional safety assessment
Investigation, based on evidence, to judge the functional safety achieved by one or more E/E/PE safety-related systems, other technology safety-related systems or external risk reduction facilities.

Human error
Mistake. Human action or inaction that produces an unintended result.

Hardware safety integrity
Part of the safety integrity of the safety-related systems relating to random hardware failures in a dangerous mode of failure.
NOTE: The term relates to failures in a dangerous mode, that is, those failures of a safety-related system that would impair its safety integrity. The two parameters that are relevant in this context are the overall dangerous failure rate and the probability of failure to operate on demand. The former reliability parameter is used when it is necessary to maintain continuous control in order to maintain safety; the latter reliability parameter is used in the context of safety-related protection systems.

Mode of operation
Way in which a safety-related system is intended to be used, with respect to the frequency of demands made upon it in relation to the proof check frequency, which may be either:
− low demand mode - where the frequency of demands for operation made on a safety-related system is not significantly greater than the proof check frequency, or
− high demand or continuous mode - where the frequency of demands for operation made on a safety-related system is significantly greater than the proof check frequency.
NOTE: Typically for low demand mode, the frequency of demands on the safety-related system is the same order of magnitude as the proof test frequency (i.e. months to years where the proof test interval is a year). While typically for high demand or continuous mode, the frequency of demands on the safety-related system is hundreds of times the proof test frequency (i.e. minutes to hours where the proof test interval is a month).

Programmable electronic system (PES)
System for control, protection or monitoring based on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices (see Figure 1-3).
NOTE: The structure of a PES is shown in Figure 1-3 a). The programmable electronics are shown centrally located but could exist at several places in the PES. Figure 1-3 b) illustrates the way in which a PES is represented in IEC 61508, with the programmable electronics shown as a unit distinct from sensors and actuators on the EUC and their interfaces. Figure 1-3 c) illustrates a PES with two discrete units of programmable electronics. Figure 1-3 d) illustrates a PES with dual programmable electronics (i.e. two channel), but with a single sensor and a single actuator.

Figure 1-3 Programmable electronic system (PES): structure and terminology
[Figure panels: a) Basic PES structure: input devices (eg sensors), input interfaces / A-D converters, programmable electronics, communications, output interfaces / D-A converters, output devices/final elements (eg actuators), with the extent of the PES marked; b) Single PES with single programmable electronic device (ie one PES comprised of a single channel of programmable electronics); c) Single PES with dual programmable electronic devices linked in a serial manner (eg intelligent sensor and programmable controller); d) Single PES with dual programmable electronic devices but with shared sensors and final elements (ie one PES comprised of two channels of programmable electronics). NOTE The programmable electronics are shown centrally located but could exist at several places in the PES.]

Risk
Combination of the probability of occurrence of harm and the severity of that harm.

Safe failure
Failure which does not have the potential to put the safety-related system in a hazardous or fail-to-function state.
NOTE: Whether or not the potential is realized may depend on the channel architecture of the system; in systems with multiple channels to improve safety, a safe hardware failure is less likely to result in an erroneous shutdown.

Safety
Freedom from unacceptable risk.

Safety integrity level (SIL)
Discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest.
NOTE 1: The target failure measures for the safety integrity levels are specified in Table 1-2 and Table 1-3.

Table 1-2 Safety integrity levels: target failure measures for a safety function, allocated to an E/E/PE safety-related system operating in low demand mode of operation

Safety integrity level | Low demand mode of operation (average probability of failure to perform its design function on demand)
4 | ≥ 10^-5 to < 10^-4
3 | ≥ 10^-4 to < 10^-3
2 | ≥ 10^-3 to < 10^-2
1 | ≥ 10^-2 to < 10^-1
NOTE: See notes 3 to 7 below for details on interpreting this table.

Table 1-3 Safety integrity levels: target failure measures for a safety function, allocated to an E/E/PE safety-related system operating in high demand or continuous mode of operation

Safety integrity level | High demand or continuous mode of operation (probability of a dangerous failure per hour)
4 | ≥ 10^-9 to < 10^-8
3 | ≥ 10^-8 to < 10^-7
2 | ≥ 10^-7 to < 10^-6
1 | ≥ 10^-6 to < 10^-5
NOTE: See notes 3 to 7 below for details on interpreting this table.

NOTE 3: The parameter in Table 1-3 for high demand or continuous mode of operation, probability of a dangerous failure per hour, is sometimes referred to as the frequency of dangerous failures, or dangerous failure rate, in units of dangerous failures per hour.
NOTE 4: This document sets a lower limit on the target failure measures, in a dangerous mode of failure, that can be claimed. These are specified as the lower limits for safety integrity level 4 (i.e. an average probability of failure of 10^-5 to perform its design function on demand, or a probability of a dangerous failure of 10^-9 per hour). It may be possible to achieve designs of safety-related systems with lower values for the target failure measures for non-complex systems, but it is considered that the figures in the table represent the limit of what can be achieved for relatively complex systems (for example programmable electronic safety-related systems) at the present time.
NOTE 5: The target failure measures that can be claimed when two or more E/E/PE safety-related systems are used may be better than those indicated in Table 1-2 and Table 1-3 providing that adequate levels of independence are achieved.

NOTE 6: It is important to note that the failure measures for safety integrity levels 1, 2, 3 and 4 are target failure measures. It is accepted that only with respect to the hardware safety integrity will it be possible to quantify and apply reliability prediction techniques in assessing whether the target failure measures have been met. Qualitative techniques and judgements have to be made with respect to the precautions necessary to meet the target failure measures with respect to the systematic safety integrity.
NOTE 7: The safety integrity requirements for each safety function shall be qualified to indicate whether each target safety integrity parameter is either:
− the average probability of failure to perform its design function on demand (for a low demand mode of operation), or
− the probability of a dangerous failure per hour (for a high demand or continuous mode of operation).

Safety lifecycle
Necessary activities involved in the implementation of safety-related systems, occurring during a period of time that starts at the concept phase of a project and finishes when all of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities are no longer available for use.

Safety-related system
Designated system that both:
− implements the required safety functions necessary to achieve or maintain a safe state for the EUC, and
− is intended to achieve, on its own or with other E/E/PE safety-related systems, other technology safety-related systems or external risk reduction facilities, the necessary safety integrity for the required safety functions.
NOTE 1: The term refers to those systems, designated as safety-related systems, that are intended to achieve, together with the external risk reduction facilities, the necessary risk reduction in order to meet the required tolerable risk. Although there may be other systems having safety functions, it is the safety-related systems that have been designated to achieve, in their own right, the required tolerable risk. Safety-related systems can broadly be divided into safety-related control systems and safety-related protection systems, and have two modes of operation.
NOTE 2: The safety-related systems are designed to prevent the EUC from going into a dangerous state by taking appropriate action on receipt of commands. The failure of a safety-related system would be included in the events leading to the identified hazard or hazards.
NOTE 3: Safety-related systems may be an integral part of the EUC control system or may interface with the EUC by sensors and/or actuators. That is, the required safety integrity level may be achieved by implementing the safety functions in the EUC control system (and possibly by additional separate and independent systems as well) or the safety functions may be implemented by separate and independent systems dedicated to safety.

NOTE 4: A safety-related system may:
a) be designed to prevent the hazardous event (i.e. if the safety-related systems perform their safety functions then no hazard arises);
b) be designed to mitigate the effects of the hazardous event, thereby reducing the risk by reducing the consequences;
c) be designed to achieve a combination of a) and b).
As for a), the probability of failure on demand for the specified functions (or other appropriate statistical measure) should be met. The key factor here is ensuring that the safety-related systems perform their functions with the degree of certainty required (for example, that the average probability of failure should not be greater than 10^-4 to perform its design function on demand).
NOTE 5: A person can be part of a safety-related system. For example, a person could receive information from a programmable electronic device and perform a safety task based on this information, or perform a safety task through a programmable electronic device.
NOTE 6: The term includes all the hardware, software and supporting services (e.g. power supplies) necessary to carry out the specified safety function (sensors, other input devices, final elements (actuators) and other output devices are therefore included in the safety-related system).
NOTE 7: A safety-related system may be based on a wide range of technologies including electrical, electronic, programmable electronic, hydraulic and pneumatic.

Systematic safety integrity
Part of the safety integrity of safety-related systems relating to systematic failures in a dangerous mode of failure.
NOTE: Systematic safety integrity cannot usually be quantified (as distinct from hardware safety integrity which usually can).

Validation
Confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled.
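As an added example (not part of the Honeywell manual or of IEC 61508), the following Python puts the "Mode of operation" definition and the SIL tables above to work: it decides the mode from the demand rate and proof test interval, picks the matching parameter as NOTE 7 requires (PFDavg for low demand, PFH for high demand or continuous), classifies it against the bands of Table 1-2 or Table 1-3, and caps any claim at the SIL 4 lower limit as NOTE 4 requires. The 10:1 demand-to-proof-test ratio used to separate the two modes is an assumption of this example, since the definition only says "significantly greater"; the safety functions at the bottom are constructed samples, not figures from the manual.

```python
"""Added example: assess a safety function against the SIL target failure
measures of Table 1-2 (low demand, PFDavg) and Table 1-3 (high demand or
continuous, PFH).  Not code from the FSC Safety Manual or from IEC 61508."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOW_DEMAND = "low demand"
HIGH_DEMAND = "high demand or continuous"
HOURS_PER_YEAR = 8760.0

# (SIL, lower bound inclusive, upper bound exclusive), exactly as printed in the tables.
PFD_BANDS: List[Tuple[int, float, float]] = [  # Table 1-2: average PFD on demand
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]
PFH_BANDS: List[Tuple[int, float, float]] = [  # Table 1-3: dangerous failures per hour
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]


@dataclass
class SafetyFunction:
    name: str
    demands_per_year: float
    proof_test_interval_hours: float
    pfd_avg: Optional[float] = None   # low demand measure (Table 1-2)
    pfh: Optional[float] = None       # high demand measure (Table 1-3)


@dataclass
class Assessment:
    mode: str
    parameter: str                    # "PFDavg" or "PFH" (the NOTE 7 qualification)
    achieved_sil: Optional[int]       # None when worse than the SIL 1 band
    meets_requirement: bool
    remark: str


def mode_of_operation(demands_per_year: float, proof_test_interval_hours: float,
                      high_demand_ratio: float = 10.0) -> str:
    """Low demand when the demand frequency is not significantly greater than the
    proof check frequency.  'Significantly' is not quantified by the definition;
    the 10:1 default ratio is an assumption of this example."""
    if demands_per_year < 0 or proof_test_interval_hours <= 0:
        raise ValueError("demand rate must be >= 0 and proof test interval > 0")
    proof_tests_per_year = HOURS_PER_YEAR / proof_test_interval_hours
    ratio = demands_per_year / proof_tests_per_year
    return HIGH_DEMAND if ratio > high_demand_ratio else LOW_DEMAND


def sil_from_measure(measure: float, bands: List[Tuple[int, float, float]]) -> Optional[int]:
    """Map a PFDavg or PFH figure to the SIL band that contains it.  Figures better
    than the SIL 4 lower limit are capped at SIL 4 (NOTE 4); figures at or above
    the SIL 1 upper limit earn no SIL at all."""
    if measure <= 0:
        raise ValueError("failure measure must be positive")
    if measure < bands[0][1]:
        return 4
    for sil, low, high in bands:
        if low <= measure < high:
            return sil
    return None


def assess(fn: SafetyFunction, required_sil: int, high_demand_ratio: float = 10.0) -> Assessment:
    """Pick the parameter that matches the mode (NOTE 7), classify it, and compare
    the achieved SIL with the required one."""
    if required_sil not in (1, 2, 3, 4):
        raise ValueError("required SIL must be 1..4")
    mode = mode_of_operation(fn.demands_per_year, fn.proof_test_interval_hours, high_demand_ratio)
    if mode == LOW_DEMAND:
        parameter, measure, bands = "PFDavg", fn.pfd_avg, PFD_BANDS
    else:
        parameter, measure, bands = "PFH", fn.pfh, PFH_BANDS
    if measure is None:
        raise ValueError(f"{fn.name}: {mode} mode must be qualified with a {parameter} figure")
    achieved = sil_from_measure(measure, bands)
    if achieved is None:
        remark = f"{parameter}={measure:g} is outside the SIL 1 band"
    elif measure < bands[0][1]:
        remark = f"{parameter}={measure:g} is below the SIL 4 lower limit; claim capped at SIL 4"
    else:
        remark = f"{parameter}={measure:g} falls in the SIL {achieved} band"
    meets = achieved is not None and achieved >= required_sil
    return Assessment(mode, parameter, achieved, meets, remark)


if __name__ == "__main__":
    # Constructed sample functions (hypothetical names and figures, not from the manual).
    samples = [
        (SafetyFunction("ESD trip", 0.5, HOURS_PER_YEAR, pfd_avg=5e-4), 3),
        (SafetyFunction("burner control", 2000.0, 730.0, pfh=3e-8), 3),
        (SafetyFunction("overpressure", 1.0, HOURS_PER_YEAR, pfd_avg=2e-3), 3),
    ]
    for fn, required in samples:
        a = assess(fn, required)
        verdict = "meets" if a.meets_requirement else "does NOT meet"
        print(f"{fn.name}: {a.mode}; {a.remark}; {verdict} SIL {required}")
```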

Section 2 – FSC Architectures

2.1 Section Overview

This section provides information on the various FSC architectures. It covers the following topics:

Subsection | Topic | See page
2.1 | Section Overview | 17
2.2 | Introduction | 18
2.3 | Single Central Part and Single I/O (1oo1D, DMR) | 19
2.4 | Redundant Central Parts and Single I/O (100x2/./1 processors) | 20
2.5 | Redundant Central Parts and Redundant I/O (100x2/./. processors) | 22
2.6 | Redundant Central Parts with Redundant and Single I/O (100x2/./. processors) | 24
2.7 | Quadruple Modular Redundant (QMR™) Architecture (10020/./. processors) | 26

2.2 Introduction

The Fail Safe Controller can be supplied in a number of architectures, each with its own characteristics and typical applications. The preferred architecture depends on the availability requirements. Table 2-1 below provides an overview of the available architectures.

Table 2-1 FSC architectures

Central Part configuration | I/O configuration | CPU type | Basic architecture (Remarks) | See section
Single | Single | 10002/1/2 or 10012/1/2 | 1oo1D architecture. Applications up to AK4 | 2.3
Single | Single | 10020/1/1 (QPM) | DMR architecture. Applications up to AK6 | 2.3
Redundant | Single, redundant, single and redundant | 10002/1/2 or 10012/1/2 | 1oo2D architecture. Applications up to AK6 | 2.4, 2.5, 2.6
Redundant | Single, redundant, single and redundant | 10020/1/1 (QPM) | QMR™ architecture. Applications up to AK6 | 2.7

DMR = Dual Modular Redundant
QMR = Quadruple Modular Redundant

All FSC architectures can be used for safety applications. The FSC architectures defined in Table 2-1 are discussed in more detail in subsections 2.3 to 2.7.

2.3 Single Central Part and Single I/O (1oo1D, DMR)

This FSC architecture has a single Central Part and single input and output (I/O) modules (see Figure 2-1). No redundancy is present except as built into those modules where redundancy is required for safety (memory and watchdog). If the Central Part contains a processor module, type 100x2/./., the system is suitable for applications up to AK4 (1oo1D architecture). In case of a Quad Processor Module (QPM, 10020/1/1), the system is suitable for applications up to AK6 (SIL 3) (DMR architecture). The I/O modules are controlled via the Vertical Bus Driver (VBD), which is located in the Central Part and controls up to 10 I/O racks, and the Vertical bus (V-Bus). Each I/O rack is controlled via the Horizontal Bus Driver (HBD).

Figure 2-1 Single Central Part, single I/O configuration
[Figure: System Bus; Central Part with CPU, COM, WD, PSU, DBM and VBD (up to 14 VBDs); V-Bus; HBD per I/O rack (up to 10 HBDs); H-Bus; FS and NFS inputs and outputs]

Figure 2-2 Functional diagram: single Central Part, single I/O
[Figure: Sensor, Input Module (Input Interfaces), Processor and Watchdog Module (Central Part), Output Module (Output Interfaces), SMOD and ESD, Final Element]

2.4 Redundant Central Parts and Single I/O (100x2/./1 processors)

This FSC architecture has redundant Central Parts and single input and output (I/O) modules (see Figure 2-3 and Figure 2-4). The processor is fully redundant, which allows continuous operation and bumpless (zero-delay) transfer in case of a Central Part failure. The I/O modules are controlled via the VBDs, which are located in each Central Part, and the V-Bus. Each I/O rack is controlled via the HBD, which controls up to 10 I/O racks. (For the 10020/./. QuadPM processor module, see section 2.7.)

Even though there is a bumpless transfer between Central Parts if the first failure occurs, the remaining risk must be limited within a certain time. This time can be derived in a quantitative manner through the Markov modeling techniques using the mathematics defined in IEC 61508 and ANSI/ISA S84.01. A more pragmatic approach, which is actually recommended by TÜV Product Services, is to allow continued operation for 72 hours, leaving sufficient fault tolerance time (FTT) for the organization to act upon the failure annunciation. (For details on the second fault timer refer to section 4.5.8 of this manual.)

Figure 2-3 Redundant Central Parts, single I/O configuration
[Figure: System Bus; Central Part 1 and Central Part 2, each with CPU, COM, WD, PSU, DBM and VBD; V-Bus; HBD; H-Bus; FS and NFS inputs and outputs, outputs combined by OR]

single I/O FSC Safety Manual Section 2: FSC Architectures 21 .Central Part1 ESD Watchdog Module V+ Processor Sensor xx yyy SMOD Input Module Output Module Processor Final Element Watchdog Module Input Interfaces Central Part2 Output Interfaces Figure 2-4 Functional diagram: redundant Central Parts.

2.5 Redundant Central Parts and Redundant I/O (100x2/./. processors)

This FSC architecture has redundant Central Parts and redundant input and output (I/O) modules (OR function on outputs) (see Figure 2-5 and Figure 2-6). The processor and I/O are fully redundant, which allows continuous operation and bumpless (zero-delay) transfer in case of a Central Part or I/O failure. The I/O modules are controlled via the VBDs, which are located in each Central Part, and the V-Bus, which controls up to 10 I/O racks. Each I/O rack is controlled via the HBD.

Even though there is a bumpless transfer between Central Parts if the first failure occurs, the remaining risk must be limited within a certain time. This time can be derived in a quantitative manner through the Markov modeling techniques using the mathematics defined in IEC 61508 and ANSI/ISA S84.01. A more pragmatic approach, which is actually recommended by TÜV Product Services, is to allow continued operation for 72 hours, leaving sufficient fault tolerance time (FTT) for the organization to act upon the failure annunciation. (For details on the second fault timer refer to section 4.8 of this manual.)

For the 10020/./. QuadPM processor module, see section 2.7.

Figure 2-5 Redundant Central Parts, redundant I/O configuration (block diagram: Central Part 1 and Central Part 2, each with CPU, COM, WD, PSU, DBM and VBD; redundant HBDs; FS and NFS inputs and outputs on both sides)

Figure 2-6 Functional diagram: redundant Central Parts, redundant I/O (Sensor; Central Part 1 and Central Part 2, each with Input Module, Processor, Watchdog Module and Output Module with SMOD; Quad Voter; ESD; Final Element)

2.6 Redundant Central Parts with Redundant and Single I/O (100x2/./. processors)

This FSC architecture has redundant Central Parts and redundant input and output (I/O) modules (OR function on outputs) combined with single input and output modules (see Figure 2-7 and Figure 2-8). The processor and I/O are fully redundant, which allows continuous operation and bumpless (zero-delay) transfer in case of a Central Part or I/O failure of the redundant I/O modules. The I/O modules are controlled via the VBDs, which are located in each Central Part, and the V-Bus, which controls up to 10 I/O racks. Each I/O rack is controlled via the HBD.

Even though there is a bumpless transfer between Central Parts if the first failure occurs, the remaining risk must be limited within a certain time. This time can be derived in a quantitative manner through the Markov modeling techniques using the mathematics defined in IEC 61508 and ANSI/ISA S84.01. A more pragmatic approach, which is actually recommended by TÜV Product Services, is to allow continued operation for 72 hours, leaving sufficient fault tolerance time (FTT) for the organization to act upon the failure annunciation. (For details on the second fault timer refer to section 4.8 of this manual.)

For the 10020/./. QuadPM processor module, see section 2.7.

Figure 2-7 Redundant Central Parts with redundant and single I/O configuration (block diagram: Central Part 1 and Central Part 2, each with CPU, COM, WD, PSU, DBM and two VBDs; WDR and HBD for the single FS and NFS inputs/outputs; redundant HBDs for the redundant FS and NFS inputs and outputs)

Figure 2-8 Functional diagram: redundant Central Parts with redundant and single I/O (Sensor; Central Part 1 and Central Part 2, each with Input Module, Processor, Watchdog Module and Output Module with SMOD; Watchdog Repeater with single Input Module and Output Module; Quad Voter; ESD; Final Element)
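Sections 2.4 to 2.6 all make the same point: after a first Central Part failure the system keeps running on one Central Part, and the time spent in that degraded state has to be bounded, either quantitatively by a Markov model in the sense of IEC 61508 or pragmatically by the 72-hour second fault timer. The example below is added here to show what that Markov calculation looks like; it is not code from the manual and not part of the FSC product. It builds a four-state model (both Central Parts OK, one failed and diagnosed, forced safe shutdown, undetected dangerous failure of the remaining Central Part), integrates it over one proof-test interval and compares the time-averaged dangerous probability with the timer set to 72 hours against the timer deactivated. The failure rates and the repair time are constructed illustration values, and modelling timer expiry as a constant rate 1/T is the usual Markov approximation, not exact timer behaviour.

```python
"""Second-fault-timer bound on a redundant controller, as a small Markov model."""

# States of the constructed model.
OK, DEGRADED, FAIL_SAFE, DANGEROUS = range(4)


def generator_matrix(lam_dd, lam_du, mttr_h, sft_h):
    """Transition-rate matrix Q (rates per hour) for a two-Central-Part
    system that keeps running on the remaining Central Part after a
    detected first fault.

    lam_dd : detected dangerous failure rate of one Central Part (1/h), constructed
    lam_du : undetected dangerous failure rate of one Central Part (1/h), constructed
    mttr_h : mean time to repair and restore redundancy (h), constructed
    sft_h  : second fault timer in hours, or None when it is deactivated
    """
    q = [[0.0] * 4 for _ in range(4)]
    q[OK][DEGRADED] = 2.0 * lam_dd            # either Central Part fails and is diagnosed
    q[DEGRADED][OK] = 1.0 / mttr_h            # repair restores the redundant pair
    q[DEGRADED][DANGEROUS] = lam_du           # remaining Central Part fails undetected
    if sft_h is not None:
        # Timer expiry modelled as a constant rate 1/T, the same kind of
        # approximation IEC 61508-6 Markov models use for repair times.
        q[DEGRADED][FAIL_SAFE] = 1.0 / sft_h  # forced safe shutdown
    q[FAIL_SAFE][OK] = 1.0 / mttr_h           # restart after repair
    for i in range(4):
        q[i][i] = -sum(q[i])                  # rows of a generator sum to zero
    return q


def integrate(q, hours, dt=0.5):
    """Forward-Euler solution of dP/dt = P*Q from P(0) = (1, 0, 0, 0).

    Returns (time-averaged probability of DANGEROUS, final state vector).
    DANGEROUS is absorbing: an undetected fault stays until the proof test
    at the end of the mission, so the average is a PFD-style figure.
    """
    p = [1.0, 0.0, 0.0, 0.0]
    steps = int(hours / dt)
    dangerous_time = 0.0
    for _ in range(steps):
        dp = [sum(p[i] * q[i][j] for i in range(4)) for j in range(4)]
        p = [p[j] + dt * dp[j] for j in range(4)]
        dangerous_time += p[DANGEROUS] * dt
    return dangerous_time / hours, p


def compare_second_fault_timer(lam_dd=1e-5, lam_du=2e-6, mttr_h=168.0,
                               sft_h=72.0, mission_h=8760.0):
    """Average dangerous probability over one proof-test interval with the
    72-hour timer active versus deactivated.  All rates are constructed
    illustration values, not FSC module data."""
    with_timer, _ = integrate(generator_matrix(lam_dd, lam_du, mttr_h, sft_h), mission_h)
    no_timer, _ = integrate(generator_matrix(lam_dd, lam_du, mttr_h, None), mission_h)
    return {"pfd_with_timer": with_timer,
            "pfd_without_timer": no_timer,
            "risk_reduction_factor": no_timer / with_timer}


if __name__ == "__main__":
    for name, value in compare_second_fault_timer().items():
        print(f"{name:22s} {value:.3e}")
```

The point to take from the numbers is structural rather than absolute: the dangerous state is only reachable through the degraded state, so any mechanism that shortens the stay there (repair, or the timer forcing a safe shutdown) scales the dangerous probability down, and the timer is the one the organization controls when repair cannot be guaranteed within the fault tolerance time.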

2.7 Quadruple Modular Redundant (QMR™) Architecture (10020/./. processors)

The Quadruple Modular Redundant (QMR™) architecture with 2oo4D voting is an evolution of the proven 1oo2D concept, and is characterized by a high level of diagnostics and fault tolerance. The QMR™ architecture is used in conjunction with the 10020/1/1 Quad Processor Module (QPM). The QMR™ architecture with 2oo4D voting is based on dual-processor technology. Redundant Central Parts each contain two main processors and memory (see Figure 2-9 below), which results in quadruple redundancy and, combined with 2oo4D voting, boosts the overall safety performance of the system.

Figure 2-9 Functional diagram: QMR™ architecture (Sensor; Central Part 1 and Central Part 2, each with Input Module, two CPU processors, Watchdog Module and Output Module with SMOD; Quad Voter; ESD; Final Element)

QMR™ architecture

The 2oo4D voting is realized by combining 1oo2 voting for both main processors and memory on one Quad processor module and 1oo2D voting between the two Central Parts. Voting is therefore applied on two levels: on a module level and between the Central Parts.

With redundant I/O configurations, each path is primarily controlled by one of the Central Parts. Furthermore, each Central Part is able to switch off the output channels of the other Central Part through dedicated SMOD (Secondary Means Of Deenergization) hardware circuitry which is located on the FSC fail-safe output modules, including an independent switch which is controlled by the Central Part's Watchdog module. There are no second fault timer (SFT) restrictions if one of the Central Parts is down.
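The two-level voting of section 2.7 (1oo2 inside each Quad Processor Module, 1oo2D between the Central Parts) and the SMOD cut-off path are easiest to reason about as a truth table. The following is an added example written for this page, not FSC firmware: it models each voter as a trip demand plus a diagnostic flag, applies the 1oo2D rule that a diagnosed-faulty voter is excluded and that two faulty voters fail safe, composes that into 2oo4D, and then models the redundant fail-safe output stage. Two details are this example's own assumptions: a miscompare between the two processors of one module is treated as a diagnosed fault of that module, and the output stage is simplified to "each Central Part drives one ORed channel, its watchdog switch cuts its own channel, and the system-level trip decision reaches both channels through SMOD".

```python
"""1oo2D and 2oo4D voting with diagnostics, plus the SMOD cut-off path."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    trip: bool      # True: this voter demands de-energization of the output
    healthy: bool   # False: self-diagnostics have flagged this voter as faulty


def vote_1oo2d(a: Vote, b: Vote) -> bool:
    """1oo2D between two diagnosed voters.  Returns True when the output
    must be de-energized.  A voter flagged faulty is excluded; with both
    flagged, the only safe answer is to trip."""
    if a.healthy and b.healthy:
        return a.trip or b.trip          # plain 1oo2: either voter may trip
    if a.healthy:
        return a.trip                    # degraded to 1oo1D on the healthy voter
    if b.healthy:
        return b.trip
    return True                          # no trustworthy voter left: fail safe


def vote_qpm(p1: Vote, p2: Vote) -> Vote:
    """On-module 1oo2 of the two main processors of one Quad Processor
    Module.  Assumption of this example: the module reports itself healthy
    only when both processors are healthy and agree; a miscompare is a
    diagnosed fault of the module."""
    agree = p1.trip == p2.trip
    return Vote(trip=p1.trip or p2.trip,
                healthy=p1.healthy and p2.healthy and agree)


def vote_2oo4d(cp1: tuple, cp2: tuple) -> bool:
    """2oo4D as the manual describes it: 1oo2 within each Central Part's
    QPM, then 1oo2D between the two Central Parts.  Each argument is the
    pair of processor votes of one Central Part."""
    return vote_1oo2d(vote_qpm(*cp1), vote_qpm(*cp2))


def final_element_energized(cp1: Vote, cp2: Vote) -> bool:
    """Simplified output stage (this example's assumption): each Central
    Part drives its own output channel and the two channels are ORed for
    availability.  A Central Part whose watchdog has flagged it (healthy ==
    False) has its own channel cut, and the system-level trip decision is
    applied to both channels, which is the role the SMOD circuitry plays:
    either Central Part can always de-energize the final element."""
    trip = vote_1oo2d(cp1, cp2)
    channel1 = cp1.healthy and not trip
    channel2 = cp2.healthy and not trip
    return channel1 or channel2


if __name__ == "__main__":
    ok, bad = Vote(False, True), Vote(False, False)
    print("both healthy, no demand  ->", final_element_energized(ok, ok))
    print("CP1 down, CP2 healthy    ->", final_element_energized(bad, ok))
    print("CP2 demands trip         ->", final_element_energized(ok, Vote(True, True)))
```

Run through the cases a reviewer would ask about: a single failed Central Part does not de-energize the plant (availability), a single healthy Central Part demanding a trip always does (safety), and two failed Central Parts fail safe.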


Section 3 – Design Phases for an E/E/PE Safety-Related System

3.1 Section Overview

This section describes the design phases for an E/E/PE safety-related system. It covers the following topics:

Subsection  Topic                                                               See page
3.1         Section Overview                                                    29
3.2         Overall Safety Lifecycle                                            30
3.3         Specification of the Safety Class of the Process                    36
3.4         Specification of the Instrumentation Related to the Safety System   37
3.5         Specification of the Functionality of the Safety System             40
3.6         Approval of Specification                                           42

3.2 Overall Safety Lifecycle

Safety lifecycle

In order to deal in a systematic manner with all the activities necessary to achieve the required safety integrity level for the E/E/PE safety-related systems, an overall safety lifecycle is adopted as the technical framework (as defined in IEC 61508) (see Figure 3-1). The overall safety lifecycle encompasses the following risk reduction measures:
• E/E/PE safety-related systems,
• other technology safety-related systems, and
• external risk reduction facilities.

The portion of the overall safety lifecycle dealing with E/E/PE safety-related systems is expanded and shown in Figure 3-2. The software safety lifecycle is shown in Figure 3-3. The relationship of the overall safety lifecycle to the E/E/PES and software safety lifecycles for safety-related systems is shown in Figure 3-4.

The overall, E/E/PES and software safety lifecycle figures (Figure 3-1, Figure 3-2 and Figure 3-3) are simplified views of reality and as such do not show all the iterations relating to specific phases or between phases. The iterative process, however, is an essential and vital part of development through the overall, E/E/PES and software safety lifecycles.

Figure 3-1 Overall safety lifecycle (box numbers are referenced by Table 3-1):
 1 Concept
 2 Overall scope definition
 3 Hazard and risk analysis
 4 Overall safety requirements
 5 Safety requirements allocation
 6 Overall operation and maintenance planning (overall planning)
 7 Overall safety validation planning (overall planning)
 8 Overall installation and commissioning planning (overall planning)
 9 Safety-related systems: E/E/PES, realisation (see E/E/PES safety lifecycle)
10 Safety-related systems: other technology, realisation
11 External risk reduction facilities, realisation
12 Overall installation and commissioning
13 Overall safety validation
14 Overall operation, maintenance and repair
15 Overall modification and retrofit
16 Decommissioning or disposal
(Back to appropriate overall safety lifecycle phase)

NOTE 1 Activities relating to verification, management of functional safety and functional safety assessment are not shown for reasons of clarity but are relevant to all overall, E/E/PES and software safety lifecycle phases.

NOTE 2 The phases represented by boxes 10 and 11 are outside the scope of this standard.

NOTE 3 Parts 2 and 3 deal with box 9 (realisation) but they also deal, where relevant, with the programmable electronic (hardware and software) aspects of boxes 13, 14 and 15.

Figure 3-2 E/E/PES safety lifecycle (in realization phase), expanding box 9 in figure 3-1 (Safety-related systems: E/E/PES, realisation). One E/E/PES safety lifecycle for each E/E/PE safety-related system:
 9.1 E/E/PES safety requirements specification
     9.1.1 Safety functions requirements specification
     9.1.2 Safety integrity requirements specification
 9.2 E/E/PES safety validation planning
 9.3 E/E/PES design and development
 9.4 E/E/PES integration
 9.5 E/E/PES operation and maintenance procedures
 9.6 E/E/PES safety validation
 (to box 12 and to box 14 in figure 3-1)

Figure 3-3 Software safety lifecycle (in realization phase), within the E/E/PES safety lifecycle (see figure 3-1):
 9.1 Software safety requirements specification
     9.1.1 Safety functions requirements specification
     9.1.2 Safety integrity requirements specification
 9.2 Software safety validation planning
 9.3 Software design and development
 9.4 PE integration (hardware/software)
 9.5 Software operation and modification procedures
 9.6 Software safety validation
 (to box 12 and to box 14 in figure 3-1)

Figure 3-4 Relationship of overall safety lifecycle to E/E/PES and software safety lifecycles (box 9 of the overall safety lifecycle (see figure 3-1), Safety-related systems: E/E/PES, realisation, expands into the E/E/PES safety lifecycle (see figure 3-2) and the software safety lifecycle (see figure 3-3))

Objectives

Table 3-1 indicates the objectives to be achieved for all phases of the overall safety lifecycle (Figure 3-2).

Table 3-1 Overall safety lifecycle overview (Figure 3-1 box number, phase, objective)

1 Concept: To develop a level of understanding of the EUC and its environment (physical, legislative etc.) sufficient to enable the other safety lifecycle activities to be satisfactorily carried out.

2 Overall scope definition: To determine the boundary of the EUC and the EUC control system. To define the scope of the hazard and risk analysis (for example process hazards, environmental hazards, etc.).

3 Hazard and risk analysis: To identify the hazards and hazardous events of the EUC and the EUC control system (in all modes of operation), for all reasonably foreseeable circumstances including fault conditions and misuse. To identify the event sequences leading to the hazardous events identified. To determine the EUC risks associated with the hazardous events identified.

Table 3-1 Overall safety lifecycle overview (continued)

4 Overall safety requirements: To develop the specification for the overall safety requirements, in terms of the safety functions requirements and safety integrity requirements, for the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities, in order to achieve the required functional safety.

5 Safety requirements allocation: To allocate the safety functions, contained in the specification for the overall safety requirements (both the safety functions requirements and the safety integrity requirements), to the designated E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities. To allocate a safety integrity level to each safety function.

6 Overall operation and maintenance planning: To develop a plan for operating and maintaining the E/E/PE safety-related systems, to ensure that the required functional safety is maintained during operation and maintenance.

7 Overall safety validation planning: To develop a plan to facilitate the overall safety validation of the E/E/PE safety-related systems.

8 Overall installation and commissioning planning: To develop a plan for the installation of the E/E/PE safety-related systems in a controlled manner, to ensure the required functional safety is achieved. To develop a plan for the commissioning of the E/E/PE safety-related systems in a controlled manner, to ensure the required functional safety is achieved.

9 E/E/PE safety-related systems: realization: To create E/E/PE safety-related systems conforming to the specification for the E/E/PES safety requirements (comprising the specification for the E/E/PES safety functions requirements and the specification for the E/E/PES safety integrity requirements).

10 Other technology safety-related systems: realization: To create other technology safety-related systems to meet the safety functions requirements and safety integrity requirements specified for such systems.

11 External risk reduction facilities: realization: To create external risk reduction facilities to meet the safety functions requirements and safety integrity requirements specified for such facilities.

12 Overall installation and commissioning: To install the E/E/PE safety-related systems. To commission the E/E/PE safety-related systems.

Table 3-1 Overall safety lifecycle overview (continued)

13 Overall safety validation: To validate that the E/E/PE safety-related systems meet the specification for the overall safety requirements in terms of the overall safety functions requirements and the overall safety integrity requirements, taking into account the safety requirements allocation for the E/E/PE safety-related systems.

14 Overall operation, maintenance and repair: To operate, maintain and repair the E/E/PE safety-related systems in order that the required functional safety is maintained.

15 Overall modification and retrofit: To ensure that the functional safety for the E/E/PE safety-related systems is appropriate, both during and after modification and retrofit activities have taken place.

16 Decommissioning or disposal: To ensure that the functional safety for the E/E/PE safety-related systems is appropriate in the circumstances during and after the process of decommissioning or disposing of the EUC.

Sequence of phases

The overall safety lifecycle should be used as a basis. The most important item with respect to the FSC system is the sequence of phases for the safety-related system. The safety-related system connects to the process units, the control system and the operator interface. Consequently, the specification of the safety-related system is made late in the project. However, the first system that is required during start-up and commissioning is the safety system, to ensure the safe commissioning of the total plant. The result is always a very tight schedule for the detailed design and production of the safety-related system, and this requires a system that can be designed and modified in a flexible way, and if possible is self-documenting. The FSC safety system can be programmed during manufacturing and modified on site via the specification of the safety function (the functional logic diagrams or FLDs). The application program and updated application documentation are generated automatically and are available in a very short period of time. Section 4 details the design phases with regard to the safety system (FSC system).

3.3 Specification of the Safety Class of the Process

Requirement classes

Each production process must be classified with regard to safety. In Germany this classification must be done by the safety department of the company. Some applications require TÜV approval (TÜV = Technischer Überwachungsverein). The FSC system can be used in several architectures depending on the demands with respect to safety and availability. The table below shows the relation between FSC architectures and requirement classes and availability degrees, respectively.

Table 3-2 Relation between FSC architectures and requirement classes AK1-6, according to DIN V 19250

Rows are listed in order of increased availability, columns in order of increased safety. The entries give the maximum requirement class (AK) for each FSC architecture:

FSC architecture                                                  AK4 (= SIL 2)   AK5 (= SIL 3)   AK6 (= SIL 3)
single Central Part + single I/O (1oo1D, DMR)                          =               = *             = *
redundant Central Parts + single I/O (1oo2D, QMR)                      =               =               =
redundant Central Parts + redundant & single I/O (1oo2D, QMR)          =               =               =
redundant Central Parts + redundant I/O (1oo2D, QMR)                   =               =               =

* Only possible if a 10020/1/1 Quad Processor Module (QPM) is used.

For more information on voting refer to Section 6.


3.4 Specification of the Instrumentation Related to the Safety System

Instrumentation related to safety system

The field instruments related to the safety system consist of valves, limit switches, high-level and low-level pressure switches, temperature switches, flow switches, manual switches, etc. Inputs and outputs used for safety applications are primarily digital. There is, however, a strong tendency towards analog I/O. The instrumentation index generally contains: • Tag number, • Description, • Make, • Supplier, and • Setting.


Connections to safety system

The connection to the safety system is specified in the form of a tag number with a description and termination details. The description (Service) provides additional information on the tag number and very often includes information for the signal's "health situation" (Qualification).
Figure 3-5 Specification of I/O signals for the FSC system (printout "Configuration documents of application: DEMO_1, Input signal specification", dated 08-31-2000, page 2; columns: Type, Tag number, Service, Qualification, Location, Unit, Subunit, Sheet, Safety, Force En., Write En., SER En., SER seq. no.; the listed input tag numbers include 53HS-101, 91XA-651A, ACK-PUSHBUTTON, ALARM-1, ALARM-2, CENTR.PART-FAULT, CLOCK-SYNC, EARTH-LEAKAGE, FSC-SYSTEM-FAULT, INPUT-FAILURE, IO-COMPARE, IO-FORCED, LAMPTEST, OUTPUT-FAILURE, PSU-1, PSU-2, RESET and the SENSOR signals, with locations such as MCP, PNL, DCS, ANN, SYS and CAB, services such as LAMPTEST, Door switch and System marker, and qualifications such as TEST, Close, NO FAILURE, FIRSTUP FLAG and RESET)


Process interface

The first phase of the safety system specification is the inventory of the input and output signals, i.e. the process interface. During this specification stage, certain parameters of the I/O module must be determined by the design engineer, e.g. type of signal (digital or analog), safety relevance, fail-safe sensors, type of analog signal, scaling, etc.

Figure 3-6 Example of hardware specification of analog input for FSC system

The setting of the I/O parameters determines how the FSC system will treat the inputs and the outputs. The design engineer specifies the functionality required. In this way the engineer preferably delegates the safety control aspects to the main processor of the FSC system.


3.5 Specification of the Functionality of the Safety System

Basic function of safety system

The basic function of the safety system is to control the outputs (process) according to the predefined logic sequence based on the current status of the process received via the inputs. The input and the output signals of a safety system are a mixture of both digital and analog signals. For digital signals, the relation between input and output can be established with logical functions including AND, OR and NOT. This is also possible with analog signals after they have been verified to be below or above a defined setpoint. In order to allow certain process conditions to occur or to continue, time functions are required within the safety system (e.g. delayed on, delayed off, pulse time). In the FSC system, the above basic functions have been extended to include a number of other functions that allow more complex functions such as counters, calculations, communication, etc. A communication link to a supervisory control system may be required for management purposes. This is also specified in this phase of the overall design.

Relations between inputs and outputs

The second phase of the safety system specification is the detailing of the relations between inputs and outputs in order to ensure that during healthy conditions of the input signals the process stays in the predefined "operational safe status", and to ensure that the process will be directed into the predefined "non-operational safe status" if an unhealthy process (input) condition occurs. The relations are determined via functional logic diagrams (see Figure 3-7). The functional logic diagrams are created using the 'Design FLDs' option of FSC Navigator.

Figure 3-7 Example of functional logic diagram (FLD): sheet 102 (continued on 103) of project DEMO_1, unit 5300, Honeywell SMS BV, first issue dated 30-5-1997. The sheet compares the analog inputs 53FT-700 MAIN LINE FLOW (setpoints 75 % high, 30 % low), 53PT-920 MAIN LINE PRESSURE (setpoints 110 bar high, 75 bar low) and 53TT-900 MAIN LINE TEMP against their setpoints, drives latched HIGH ALARM and LOW ALARM outputs through t=30 s timers and S/R latches, includes the LAMPTEST input 53HS-101, and passes the analog values on to 53PRA-920 and 53TR-900.
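Section 3.5 lists the building blocks of an FLD: setpoint comparison of analog inputs, AND/OR/NOT logic, time functions and a de-energize-to-trip output, with the diagram in Figure 3-7 combining them into high/low alarms with 30 s timers and S/R latches. The example below is added to show those blocks working together in plain code; it is written for this page and is not an FSC Navigator FLD or any Honeywell code. It scales a 4-20 mA transmitter to the 0-150 bar range, compares it against the 110 bar high and 75 bar low setpoints, runs an on-delay timer, latches the trip and keeps the output de-energized until a reset. Two design choices are this example's assumptions rather than the manual's: the live-zero limits (below 3.6 mA or above 21 mA) are treated as an input failure that trips immediately, and the latch is set-dominant so that a standing trip condition cannot be reset away.

```python
"""One protective loop in the style of an FLD sheet: scaled analog input,
high/low setpoints, on-delay timer, latched alarm, de-energize-to-trip output."""


def scale_4_20ma(raw_ma, lo, hi):
    """Scale a 4-20 mA loop current to engineering units.  Returns None when
    the current is outside the live-zero band, which this example reads as a
    sensor or wiring failure (the 3.6 / 21.0 mA limits are an assumption)."""
    if raw_ma < 3.6 or raw_ma > 21.0:
        return None
    return lo + (raw_ma - 4.0) / 16.0 * (hi - lo)


class OnDelay:
    """Delayed-on timer (TON): output is True once the input has been
    continuously True for at least delay_s seconds."""

    def __init__(self, delay_s):
        self.delay_s = delay_s
        self.elapsed = 0.0

    def update(self, on, dt):
        self.elapsed = (self.elapsed + dt) if on else 0.0
        return on and self.elapsed >= self.delay_s


class SRLatch:
    """Set-dominant latch: while the set input is present the reset has no
    effect (set priority is this example's choice, not the manual's)."""

    def __init__(self):
        self.q = False

    def update(self, s, r):
        if s:
            self.q = True
        elif r:
            self.q = False
        return self.q


class LineLoop:
    """Main-line pressure loop: trips on an input failure at once, and on a
    high or low setpoint violation that persists for delay_s seconds."""

    def __init__(self, high_sp=110.0, low_sp=75.0, delay_s=30.0,
                 eu_lo=0.0, eu_hi=150.0):
        self.high_sp, self.low_sp = high_sp, low_sp      # bar
        self.eu_lo, self.eu_hi = eu_lo, eu_hi            # transmitter range, bar
        self.timer = OnDelay(delay_s)
        self.latch = SRLatch()

    def step(self, raw_ma, reset, dt=1.0):
        """Evaluate one scan.  Output is de-energize-to-trip: the dict's
        output_energized is False whenever the trip latch is set."""
        value = scale_4_20ma(raw_ma, self.eu_lo, self.eu_hi)
        input_failure = value is None
        high = (not input_failure) and value > self.high_sp
        low = (not input_failure) and value < self.low_sp
        timed_out = self.timer.update(high or low, dt)
        tripped = self.latch.update(s=input_failure or timed_out, r=reset)
        return {"value": value, "high_alarm": high, "low_alarm": low,
                "input_failure": input_failure, "output_energized": not tripped}


if __name__ == "__main__":
    loop = LineLoop()
    for second in range(35):
        state = loop.step(20.0, reset=False)     # 20 mA = 150 bar, above the high setpoint
        if not state["output_energized"]:
            print(f"tripped after {second + 1} s of high pressure")
            break
```

The scan order matters for safety review: the failure check is evaluated before the setpoint logic so that a dead transmitter can never look like a healthy in-range value, and the timer is reset the moment the condition clears so that intermittent excursions do not accumulate towards a trip.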

3.6 Approval of Specification

Approval

The last step before acceptance of the safety system is the approval of the specifications made during the phases as described in subsections 3.3 to 3.5. The approved specification is the basis for the use of the safety system. The phases as described in subsections 3.3 to 3.5 are usually performed by the customer or an engineering consultant acting on behalf of the customer. The phases that follow will normally be performed by the supplier of the safety system (e.g. Honeywell Safety Management Systems B.V. for an FSC safety system). Since the time for the specification preparation is generally too short and since the safety system influences all process units, a large number of revisions (function and termination details) to the specification may be required.

Section 4 – Implementation Phases of FSC as a Safety-Related System

4.1 Overview

This section describes the implementation phases of FSC as a safety-related system. It covers the following topics:

Subsection  Topic                                              See page
4.1         Overview                                           43
4.2         FSC Project Configuration                          44
4.3         System Configuration Parameters                    46
4.4         Specification of Input and Output Signals          49
4.5         Implementation of the Application Software         50
4.6         Verification of an Application                     51
4.7         Verifying an Application in the FSC System         53

4.2 FSC Project Configuration

During the specification phases as described in subsections 3.3 to 3.5, the design engineer is supported by FSC Navigator (see Figure 4-1).

Figure 4-1 Main screen of FSC Navigator

FSC Navigator

FSC Navigator provides a Windows-based user interface with the FSC system. It is a powerful tool which supports the user in performing a number of design and maintenance tasks. FSC Navigator can be used to:
• configure the FSC system,
• design the application program,
• generate application documentation, and
• monitor the FSC system.

Installation database

The specification of the hardware module configuration and certain system parameters are stored in the installation database, which is created and maintained using the 'System Configuration' function of FSC Navigator.

I/O database

The specification of the tag numbers with description, hardware configuration, etc. is stored in the input/output (I/O) database. The I/O database is the basis for the design of the functionality of the safety system using functional logic diagrams (FLDs). The variable-related information entered into the I/O database is added automatically in the functional logic. Furthermore, FSC Navigator also checks the consistency of the information if the engineer uses tag numbers that have not been specified in the I/O database.

The functional logic diagrams (FLDs) define the relationship between the inputs and the outputs of the safety system (see Figure 2-14). The use of a database that contains information on the I/O signals to produce a number of different documents has the advantage that the basic information needs to be updated at one place only. Furthermore, it allows documentation to be updated in a very short period of time. The basic functions of FSC Navigator's project configuration features are presented in Figure 4-2.

Figure 4-2 Basic functions of FSC project configuration programs (System Configuration maintains the installation database (.INS) and feeds Print Project Configuration, which produces the Hardware Configuration Listing; the I/O database (.DAT, .IXT, .IXP; dBASE III / IV) and the symbol library feed Design Functional Logic Diagrams, which produces FLD no. 1 to FLD no. n, printed by Print Functional Logic Diagrams as the Functional Logic Diagrams; Translate Application produces the FSC Application Program)
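Section 4.2 says FSC Navigator checks the consistency of the I/O database against the tag numbers used in the FLDs, and the input signal specification of Figure 3-5 (section 3.4) carries per-signal attributes such as Safety, Force En. and Write En. that decide whether a signal can be overridden at run time. The following added example, written for this page and not part of FSC Navigator, shows the kind of audit a reviewer can run over that specification before approval: it parses a constructed CSV in the column layout of Figure 3-5, reports FLD tag references that were never entered into the I/O database, and flags safety-related signals that are force-enabled or, for outputs, write-enabled. The tag numbers reuse the manual's examples, but every attribute value, the 53XV-120 output and the FLD reference list are constructed for the illustration, and reading "Write En." as permission to write the variable from a communication link is this example's assumption.

```python
"""Consistency and override audit of an I/O signal specification."""
import csv
import io

# Constructed sample in the column layout of the input signal specification
# printout (Figure 3-5).  Tag numbers follow the manual's examples; the
# attribute values and the 53XV-120 output row are invented for this example.
IO_DATABASE_CSV = """\
Type,Tag number,Service,Qualification,Location,Sheet,Safety,Force En.,Write En.,SER En.
I,53HS-101,LAMPTEST,TEST,MCP,102,No,Yes,No,Yes
I,91XA-651A,Door switch,Close,AH,104,No,Yes,No,Yes
I,SENSOR-1,MAIN LINE PRESSURE,NO FAILURE,CAB,107,Yes,Yes,No,Yes
I,SENSOR-A1,MAIN LINE FLOW,NO FAILURE,CAB,109,Yes,No,No,Yes
I,FSC-SYSTEM-FAULT,System marker,,SYS,0,Yes,No,No,Yes
O,53XV-120,MAIN LINE ESD VALVE,CLOSE,FIELD,102,Yes,No,Yes,Yes
"""

# Tag numbers referenced by the project's functional logic diagrams
# (constructed list; 53PT-920 was deliberately never entered into the database).
FLD_TAG_REFERENCES = ["53HS-101", "SENSOR-1", "SENSOR-A1", "53XV-120", "53PT-920"]


def load_io_database(text):
    """Parse the specification into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, fld_tags):
    """Return (severity, tag, message) findings.

    error   : an FLD uses a tag number that the I/O database does not define,
              so the logic cannot be translated consistently.
    warning : a safety-related signal can be overridden at run time, which
              bypasses the safety logic and must be covered by an explicit,
              documented authorization before approval.
    """
    findings = []
    known = {r["Tag number"] for r in rows}
    for tag in fld_tags:
        if tag not in known:
            findings.append(("error", tag,
                             "referenced in FLD but not specified in I/O database"))
    for r in rows:
        tag = r["Tag number"]
        if r["Safety"] != "Yes":
            continue                      # forcing a lamp test input is not a safety concern
        if r["Force En."] == "Yes":
            findings.append(("warning", tag,
                             "safety-related signal is force-enabled"))
        if r["Type"] == "O" and r["Write En."] == "Yes":
            findings.append(("warning", tag,
                             "safety-related output is write-enabled from the communication link"))
    return findings


def summarize(findings):
    """Count findings per severity, the figure an approval checklist wants."""
    counts = {"error": 0, "warning": 0}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(load_io_database(IO_DATABASE_CSV), FLD_TAG_REFERENCES)
    for severity, tag, message in results:
        print(f"{severity:8s} {tag:18s} {message}")
    print(summarize(results))
```

The first check is the same consistency rule the manual attributes to FSC Navigator; the override checks are the reviewer's addition, because a force-enabled or write-enabled safety signal is exactly the attribute an approval should trace to a named justification rather than accept as a default.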

4.3 System Configuration Parameters

General
The first step in the FSC system configuration stage is the determination of the FSC system configuration parameters. The most important parameters are:
• Requirement class,
• Central Part architecture,
• Memory type,
• Process safety time,
• Interval time between faults, and
• Power-on mode.
Each of these parameters is described in more detail below.

Requirement class according to DIN V 19250
This parameter specifies the safety requirement class for the overall system. It must be set to the requirement classification of the process parts (loops) with the highest safety demand.

Central Part architecture
One of the basic FSC system architectures is selected in accordance with the demanded safety and availability (see Table 3-2) by selecting the architecture of the Central Parts.

Process safety time
The process safety time (= fault tolerant time of the process) is the time that a fault may be present in the safety system without possible danger for an installation or an environment. In the FSC system it specifies the period in which a self-test will be executed. During operation, each Central Part of the FSC system performs self-tests and also tests the allocated I/O modules. If a fault is detected during self-testing, the Central Part will report the failure and take action to guarantee a safe operational result. If possible, the failure will be isolated and Central Part operation continues. If continuation of the fail-safe operation cannot be guaranteed, the Central Part shuts down.

Interval time between faults
Failures of certain failure types can be isolated, but safe operation can then only be guaranteed as long as no additional faults occur which, in correlation with the first failure, may lead to unsafe operation. Therefore, when continuing operation, there is a certain risk that such an additional correlating fault occurs. The longer the Central Part operates, the larger this risk becomes. In order to keep the risk within acceptable limits, a time interval must be defined: the interval time between faults, which reflects the maximum period of time that the Central Part is allowed to operate after the first failure has occurred. When the interval time between faults expires, the Central Part will shut down. The interval time between faults can be defined between 0 minutes and 22 days, or it can be completely deactivated. In the last case, organizational measures must be defined to ensure correct action on FSC system failure reports. In requirement classes AK5 and AK6, the interval time between faults also defines the maximum time period allowed for a redundant system to run in single Central Part mode.

Memory type
The memory type specifies the memory type that is used in the FSC system. There are three memory types:
• EPROM,
• RAM, or
• FLASH.
The memory type determines how the FSC-related software is transferred to the FSC system as shown in the table below:

Table 4-1 Memory types

                              EPROM      RAM         FLASH
COM software                  EPROMs     EPROMs      download**
CPU software (system)         EPROMs     EPROMs      download**
CPU software (application)    EPROMs     download*   download**

* To on-board RAM or additional 1-Mb or 4-Mb memory boards.
** To flash memory (requires suitable hardware modules).

Power-on mode
The power-on mode provides the conditions for the start-up of the FSC system. There are two power-on modes:
• Cold start: A cold-start power-on means that the FSC system starts up with the values of the variables being reset to their power-on values as laid down in the variable database.
• Warm start: A warm-start power-on means that the FSC system starts up with the values of the variables set to their last process values.

Notes:
1. If the FSC system starts up for the first time, there will always be a cold start, regardless of the defined power-on mode.
2. If the FSC system is started up after a shutdown that was caused by a fault, a cold start is performed.

Important! Using the warm start option in combination with on-line modification of the application program may result in spurious diagnostic messages and Central Part shutdown.

4.4 Safety Specification of Input and Output Signals

Extensive guidance in respect of safety is provided by FSC Navigator to ensure that the decisions taken by the engineer are correct. For example, the system configuration function of FSC Navigator does not allow multiple allocation or connection of safety-related signals to non safety-related (untested) modules.

Input/output signals
The specification of input and output signals is partly done during the specification stage. The information entered in that stage does not contain any information on the physical allocation of the I/O signal in the safety system.

Physical allocation
The physical allocation in the FSC system can be related to a number of criteria including:
• subsystems,
• process units,
• location in the plant,
• type of signal, and
• personal preference.
The FSC Navigator offers a number of criteria to assist in allocating the I/O signals in the safety system. The physical allocation can be described as:
• the number of the rack in the cabinet(s),
• the position in the rack, and
• the channel number on an input or output module.
This information can be sorted and presented to the user in several ways using the 'Print Project Configuration' option of FSC Navigator.
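The two allocation rules named above (no multiple allocation of a channel, no safety-related signal on a non safety-related, untested module) are shown below as an added example in Python. It is not FSC Navigator code; module and tag names are constructed, and the rack/position/channel addressing follows the description of the physical allocation in this subsection.

```python
"""Allocation checks of the kind 4.4 describes FSC Navigator performing.

Added example, not FSC Navigator code. It rejects a safety-related signal that
is allocated to a non safety-related (untested) module, and any channel that is
allocated more than once. Module and tag names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    rack: int
    position: int
    channels: int
    tested: bool           # fail-safe, self-tested module (safety-related use allowed)


@dataclass(frozen=True)
class Signal:
    tag: str
    safety_related: bool
    rack: int
    position: int
    channel: int


def check_allocation(modules, signals):
    """Return the list of allocation errors; an empty list means the allocation is accepted."""
    by_slot = {(m.rack, m.position): m for m in modules}
    seen = {}              # (rack, position, channel) -> tag that owns the channel
    errors = []
    for s in signals:
        slot = (s.rack, s.position)
        mod = by_slot.get(slot)
        if mod is None:
            errors.append(f"{s.tag}: no module at rack {s.rack} position {s.position}")
            continue
        if not 1 <= s.channel <= mod.channels:
            errors.append(f"{s.tag}: channel {s.channel} does not exist on the module "
                          f"at rack {s.rack} position {s.position}")
            continue
        key = slot + (s.channel,)
        if key in seen:    # multiple allocation of one channel is not allowed
            errors.append(f"{s.tag}: channel already allocated to {seen[key]}")
        seen.setdefault(key, s.tag)
        if s.safety_related and not mod.tested:
            errors.append(f"{s.tag}: safety-related signal allocated to a "
                          f"non safety-related (untested) module")
    return errors


def demo():
    """Constructed allocation with two accepted and two rejected signals."""
    modules = [Module(1, 3, 16, tested=True), Module(1, 4, 16, tested=False)]
    signals = [
        Signal("PT-101A", True, 1, 3, 1),    # safety-related on a tested module: accepted
        Signal("TI-205", False, 1, 4, 1),    # non safety-related on an untested module: accepted
        Signal("LSH-310", True, 1, 4, 2),    # safety-related on an untested module: rejected
        Signal("PT-101B", True, 1, 3, 1),    # same channel as PT-101A: rejected
    ]
    return check_allocation(modules, signals)
```

Running `demo()` returns two error strings, one for LSH-310 and one for PT-101B; the hardcopy review described in 4.6 still has to confirm that the accepted allocations are the intended ones.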

4.5 Implementation of the Application Software

Translate
The 'Translate Application' option of FSC Navigator (the compiler) generates the application software based on the functional logic diagrams (FLDs), the I/O database and the installation database.

Implementation
After the application software has been generated, it is transferred to the FSC system. There are basically two ways to do this:
• Downloading it directly to random access memory (RAM) or flash memory on the CPU and/or COM module(s) in the FSC cabinet. This method does not require any modules to be removed from the rack.
• Programming EPROMs, which are subsequently placed on the CPU and/or COM module(s) in the FSC cabinet. This method requires modules to be removed from the rack and re-installed.
The loading method that can be used depends on the CPU and COM module types in the FSC system. Not all module types support downloading to (flash) memory. Some require EPROMs to be used. For details on loading software into the FSC system refer to Section 10 of the FSC Software Manual ("Loading Software").

e. e. FSC Safety Manual Section 4: Implementation Phases of FSC as a Safety-Related System 51 . several verification steps must be accomplished to guarantee that the final application software in the FSC system meets the safety requirements of the process. and • operation of the FSC user station hardware.4. • operation of the 'System Configuration' option of FSC Navigator. hardware allocation and power-on value. the I/O signal configuration may need to be approved by an independent certification body. TÜV. the functional logic diagrams may need to be approved by an independent certification body. e. TÜV. Depending on local legislation. Depending on local legislation.g. This activity covers the following aspects: • data entry by the design engineer. signal safety-related.6 Verification of an Application Throughout the design of the application. The activity covers the following aspects: • data entry by the design engineer. • operation of the 'Design FLDs' option of FSC Navigator. This review may be concentrated on the safety-related configuration items. and • operation of the user station hardware. Introduction I/O signal configuration Functional logic diagrams (FLDs) The Print option of FSC Navigator also allows the user to create hardcopy of the functional logic diagrams as stored in the application database. The hardcopy must be reviewed to verify that the signal configuration represents the originally defined configuration.g.g. The Print option of FSC Navigator allows the user to create hardcopy of the I/O signal configuration as stored in the application database. The hardcopy must be reviewed to verify that the functional logic diagrams represent the intended application program. force enable.

Application software
After the application has been successfully translated and the application software has been transferred to the FSC system, the customer will verify the correct operation of the application software via a functional test which is carried out during the Factory Acceptance Test (FAT). The customer then verifies if the original requirements have been correctly implemented in the I/O signal configuration, the system configuration and the functional logic diagrams. The major part of this step is carried out using the 'Verify Application' option of FSC Navigator. FSC Navigator uploads the application software from the FSC system and verifies if it is "identical" to the information contained in the application database on the hard disk of the FSC user station (Figure 4-3). Subsection 4.7 describes this step in more detail. The following aspects are covered:
• operation of the 'Translate Application' option of FSC Navigator, and
• operation of the 'Program EPROMs' option and/or the 'Download Application' option of FSC Navigator.
Finally, during the start-up and commissioning stage, the assessor may carry out a sample functional test with respect to the safety-related functions in the application software.

Figure 4-3 Verification of the application software (FSC Navigator on the user station, holding the I/O database (.DAT, .IXT, .IXP), the installation database (.INS) and the functional logic diagrams (FLDs), connected via RS-232C or RS-485 to the CPU and COM modules of the FSC system; FSC Navigator uploads the application software and performs Verify + Compare)

4.7 Verifying an Application in the FSC System

Introduction
The 'Verify Application' option of FSC Navigator performs the verification in two main steps:
1. Verification of the FSC databases, and
2. Verification of the functional logic diagrams.
Both steps will be described briefly. For more information, refer to Section 11 of the FSC Software Manual ("Verifying an Application").

FSC database
The 'Verify Application' option of FSC Navigator compares the information in the FSC database (as stored on the FSC user station) with the application software in the FSC system. Any differences between the FSC database and the FSC application software are reported on screen and in the log file. The log file can be inspected using the 'View Log' option of FSC Navigator (see Figure 4-4).

Figure 4-4 Verification log file

Verification of the FSC database is performed once for every Central Part of the FSC configuration. This log file can be shown on screen or printed (see the sample report on the next page).

Note: In the error report, if any differences are detected in a field that affects related information, this field is reported. For example, if differences are detected in the characteristics of a specific communication channel (protocol, interface, baud rate, etc.), only the protocol is reported. When you decide to correct the difference and verify the application for a second time, these differences will then be recognized and logged.

Test data
Due to the importance of the results of the verifications, correct execution of the 'Verify Application' option of FSC Navigator must be guaranteed. This is realized by including test data in each application. The test data is automatically generated whenever a new application is created or when an old application is converted to a newer FSC release. When the application software is generated by the compiler, the test data is modified. That is why the verification log file will always report a number of differences. It must always be verified that the expected differences are actually present in the log file.

Note: If you perform an on-line upgrade to FSC Release 530 from a release prior to R510, additional differences may be reported. For this reason, the address field of the test variable VRF.TEST.RECORD may differ with respect to the indicated addresses contained in the database and the FSC system. The actual addresses depend on the application.

Functional logic diagrams (FLDs)
After having verified the contents of the FSC databases, FSC Navigator also verifies the functional logic diagrams (FLDs) that make up the application. During verification, any differences found will be displayed on screen and recorded into the log file.

Note: If you perform an on-line upgrade to FSC Release 530 from a release prior to R510, sheet differences will be reported for all functional logic diagrams (FLDs) that contain mathematical routines, PIDs and/or equation blocks, even though no modifications were implemented. This is normal behavior. FSC Release 510 and higher use a different internal addressing scheme than previous releases, which causes the above sheet differences to be reported.

Verification log file: DEMO_1                       Date: 08-30-2000  Time: 19:10

CRC-32 of application software on CPU in CP 1 : $05E669D6

================================================================================
VERIFICATION OF FSC DATABASE IN FSC SYSTEM
================================================================================
Start of FSC database verification:                Date: 08-30-2000  Time: 19:10

NOTE: For all central parts, a total of 5 differences should be reported with
      regard to marker variable VRF.TEST.RECORD. These differences must be
      reported in order to prove the integrity of the FSC user station hardware
      during verification of the FSC database.

>>> CENTRAL PART 1 <<<

ERROR: Mismatching field(s) in regenerated variables database:
Type  Tag number        Field            Database   FSC system
M     VRF.TEST.RECORD   Safety related   Yes        No
M     VRF.TEST.RECORD   Force enable     No         Yes
M     VRF.TEST.RECORD   Write enable     No         Yes
M     VRF.TEST.RECORD   Power up status  On         Off
M     VRF.TEST.RECORD   Address          16         17

Number of errors during verification of FSC database in CP 1 : 5

================================================================================
VERIFICATION OF FUNCTIONAL LOGICS IN FSC SYSTEM
================================================================================
Start of functional logic diagram verification:    Date: 08-30-2000  Time: 19:10

NOTE: For all central parts, a total of 4 differences should be reported with
      regard to the functional logic on FLD 0. These differences must be
      reported in order to prove the integrity of the FSC user station hardware
      during verification of the functional logics.

>>> CENTRAL PART 1 <<<

ERROR: Regenerated symbol INVERTER not found on FLD 0
ERROR: Regenerated symbol OR GATE not found on FLD 0
ERROR: Symbol AND GATE on FLD 0 has not been regenerated.
ERROR: Symbol INVERTER on FLD 0 has not been regenerated.

Number of errors during verification of functional logics in CP 1 : 4

================================================================================
TOTALS
================================================================================
Total number of errors found during verification : 9

NOTE: All differences with regard to marker variable VRF.TEST.RECORD and with
      regard to the functional logic on FLD 0 are reported to ensure data
      integrity of the FSC user station. For details refer to the FSC Safety
      Manual.

Verification of application completed.             Date: 08-30-2000  Time: 19:10

Figure 4-5 Sample verification report
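Subsection 4.7 requires that the expected test-data differences are actually present in the log file, and that nothing else is. The following Python program is an added example, not part of FSC Navigator, that applies this rule to a log in the layout of Figure 4-5; the sample log lines and the extra tag PT-101A in the second sample are constructed.

```python
"""Check an FSC-style verification log for the expected test-data differences.

Added example, not part of the FSC manual or of FSC Navigator. It reads a log
in the layout of Figure 4-5 (the sample below is constructed) and applies the
rule of 4.7: the differences caused by the built-in test data (5 fields of
marker VRF.TEST.RECORD and 4 symbols on FLD 0 per Central Part) must be
present, and any difference beyond them is a real mismatch to investigate.
"""
import re
from dataclasses import dataclass, field

EXPECTED_FIELD_DIFFS = 5   # VRF.TEST.RECORD fields per Central Part (sample report)
EXPECTED_FLD0_DIFFS = 4    # FLD 0 symbol differences per Central Part (sample report)

CP_RE = re.compile(r"^>>> CENTRAL PART (\d+) <<<")
FIELD_RE = re.compile(r"^\s*M\s+(\S+)\s+(.+?)\s{2,}(\S+)\s+(\S+)\s*$")
SYMBOL_RE = re.compile(
    r"^ERROR: (?:Regenerated symbol (.+?) not found on FLD (\d+)"
    r"|Symbol (.+?) on FLD (\d+) has not been regenerated)")


@dataclass
class CpResult:
    cp: int
    field_diffs: list = field(default_factory=list)  # (tag, field, database, fsc_system)
    fld_diffs: list = field(default_factory=list)    # (symbol, fld)


def parse_log(text):
    """Collect the reported differences per Central Part."""
    results, current = {}, None
    for line in text.splitlines():
        if m := CP_RE.match(line):
            cp = int(m.group(1))
            current = results.setdefault(cp, CpResult(cp))
        elif current is None:
            continue
        elif m := FIELD_RE.match(line):
            current.field_diffs.append(m.groups())
        elif m := SYMBOL_RE.match(line):
            current.fld_diffs.append((m.group(1) or m.group(3), int(m.group(2) or m.group(4))))
    return results


def assess(text):
    """Return (ok, findings): ok only if every CP shows exactly the expected differences."""
    findings = []
    for cp, r in sorted(parse_log(text).items()):
        test_fields = [d for d in r.field_diffs if d[0] == "VRF.TEST.RECORD"]
        fld0 = [d for d in r.fld_diffs if d[1] == 0]
        if len(test_fields) != EXPECTED_FIELD_DIFFS:
            findings.append(f"CP{cp}: {len(test_fields)} VRF.TEST.RECORD differences, "
                            f"expected {EXPECTED_FIELD_DIFFS}")
        if len(fld0) != EXPECTED_FLD0_DIFFS:
            findings.append(f"CP{cp}: {len(fld0)} FLD 0 differences, expected {EXPECTED_FLD0_DIFFS}")
        for tag, name, db, fsc in r.field_diffs:
            if tag != "VRF.TEST.RECORD":
                findings.append(f"CP{cp}: unexpected field difference {tag} {name}: "
                                f"database={db} system={fsc}")
        for sym, fld in r.fld_diffs:
            if fld != 0:
                findings.append(f"CP{cp}: unexpected sheet difference {sym} on FLD {fld}")
    return not findings, findings


# Constructed log in the layout of Figure 4-5 (only the lines the parser needs)
SAMPLE_LOG = """\
>>> CENTRAL PART 1 <<<
ERROR: Mismatching field(s) in regenerated variables database:
Type  Tag number        Field            Database   FSC system
M     VRF.TEST.RECORD   Safety related   Yes        No
M     VRF.TEST.RECORD   Force enable     No         Yes
M     VRF.TEST.RECORD   Write enable     No         Yes
M     VRF.TEST.RECORD   Power up status  On         Off
M     VRF.TEST.RECORD   Address          16         17
Number of errors during verification of FSC database in CP 1 : 5
>>> CENTRAL PART 1 <<<
ERROR: Regenerated symbol INVERTER not found on FLD 0
ERROR: Regenerated symbol OR GATE not found on FLD 0
ERROR: Symbol AND GATE on FLD 0 has not been regenerated.
ERROR: Symbol INVERTER on FLD 0 has not been regenerated.
Number of errors during verification of functional logics in CP 1 : 4
"""

# The same log with two extra differences that would indicate a real mismatch (constructed)
SUSPECT_LOG = SAMPLE_LOG.replace(
    "Number of errors during verification of FSC database",
    "M     PT-101A           Safety related   Yes        No\n"
    "Number of errors during verification of FSC database").replace(
    "Number of errors during verification of functional logics",
    "ERROR: Symbol AND GATE on FLD 12 has not been regenerated.\n"
    "Number of errors during verification of functional logics")
```

`assess(SAMPLE_LOG)` accepts the nine expected differences; `assess(SUSPECT_LOG)` reports the safety-related flag mismatch on PT-101A and the sheet difference on FLD 12, which is exactly the kind of discrepancy the reviewer of the log must resolve before the application is accepted.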


Section 5 – Special Functions in the FSC System
5.1 Overview
This section describes the special functions in the FSC system. It covers the following topics:
Topic                                                                   See page
5.1 Overview ................................................................ 57
5.2 Forcing of I/O Signals .................................................. 58
5.3 Communication with Process Control Systems (DCS / ICS) .................. 61
5.4 FSC Networks ............................................................ 63
5.5 On-Line Modification .................................................... 69
5.6 Safety-Related Non Fail-Safe inputs ..................................... 71

Summary

The FSC system is a safety system which has a number of special functions. These functions are:
• Forcing of I/O signals (maintenance override),
• Communication with process control systems,
• Safety-related communication between FSC systems,
• On-line modification, and
• Safety-related non fail-safe inputs.
Each of these functions is described in more detail below.


5.2 Forcing of I/O Signals
General
For maintenance or test reasons, it may be required to force an input or an output to a certain fixed state, e.g. when exchanging a defective input sensor. This allows the sensor to be replaced without affecting the continuity of production. While repairing the sensor, the respective input can be forced to its operational state. Forcing introduces a potentially dangerous situation as the corresponding process variable could go to the unsafe state while the force is active.

Figure 5-1 Forcing sequence (the user station with FSC Navigator and the I/O database (.DAT, .IXT, .IXP) connects to the COM module; the CPU module holds the force enable table and the Force enable input, and drives Input A and Output B)

Enabling
Table 5-1 shows the procedure to include forcing in the FSC system (see also Figure 5-1):

Table 5-1 Procedure to enable forcing
Step  Action
1     Define the signals that possibly require forcing during operation.
2     Use the 'System Configuration' option of FSC Navigator to set the force enable flag to 'Yes'.
3     Define the tag number and hardware allocation for the Force Enable key switch.
4     Translate, program EPROMs or download, test, etc.


Setting
I/O signals can only be forced using the Process Status Monitoring and I/O Signal Status features of FSC Navigator. Forcing is only allowed if the correct password is entered when selecting the force option. Table 5-2 shows the procedure of how to use forcing.

Table 5-2 Procedure to force a variable
Step  Action
1     Activate the Force Enable key switch after approval by the responsible maintenance manager.
2     Use the 'Monitor System' option of FSC Navigator to select the variable that needs to be forced.
3     Select the status or value that the variable should be forced to and activate the force.

Checks
FSC Navigator and the FSC system carry out the following checks before the force is actually executed:
1. FSC Navigator checks if the password is activated.
2. FSC Navigator checks if the force enable flag in the application database is set to 'Yes'.
3. FSC Navigator checks if the Force Enable key switch is activated.
4. The FSC system checks if the force enable flag in the application tables is set to 'Yes'.
5. The FSC system checks if the Force Enable key switch is activated.
If the Force Enable key switch is deactivated, all forces are cleared.

Notes:
1. The status of the force enable flag is also stored in the application tables in the FSC system. This has been done in such a way that a change of the force enable flag in the I/O database after translation does not allow forcing of the corresponding variable without reloading the application software.
2. Forces may be set high, low or on a specific value as required.
3. All force actions are included in the SER report for review/historical purposes.

For details on forcing signals refer to Section 12 of the FSC Software Manual ("On-Line Environment").

The FSC system continuously checks the Force Enable key switch and clears all forces immediately as soon as the Force Enable key switch is deactivated.

IO-FORCED system variable
If a force command is accepted for an input or an output, the IO-FORCED marker will become high for one application program cycle and then become low again. On any subsequent force, IO-FORCED becomes high again. This marker can be used as an alarm/indication to operation (see Section 6). When all forces are cleared, the system variable IO-FORCED is cleared as well; if one or more forces are activated afterwards, the IO-FORCED system marker is set again in the same way.

References
Specific TÜV requirements with regard to forcing are described in a document by TÜV Bayern Sachsen e.V. and TÜV Rheinland entitled Maintenance override. All FSC architectures meet the requirements specified in the above document. This document is available on request; please contact the HSMS Support department (tel.: +31 73-6273273, fax: +31 73-6219125, e-mail: sms-info@honeywell.com).
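The checks of 5.2, the translation-time snapshot of the force enable flags (note 1), the clearing of all forces when the Force Enable key switch is deactivated, the SER record and the one-cycle IO-FORCED pulse can be modelled as a small state machine. The Python below is an added example, not FSC or FSC Navigator code; the class names, the return strings and the tags PT-101A and XV-201 are constructed.

```python
"""Model of the checks made before a force is executed (subsection 5.2).

Added example, not FSC code. Checks 1 to 3 are made by the user station
(Navigator), checks 4 and 5 by the FSC system itself, so a change of the force
enable flag in the I/O database after translation cannot enable a force until
the application software has been reloaded. Class names and tags are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class IoDatabase:
    force_enable: dict                         # tag -> bool, set with 'System Configuration'


@dataclass
class FscSystem:
    application_tables: dict                   # force enable flags frozen at translation
    key_switch_active: bool = False
    forces: dict = field(default_factory=dict)  # tag -> forced value
    ser_report: list = field(default_factory=list)
    io_forced: bool = False                    # IO-FORCED system marker

    def scan_cycle(self):
        """One application program cycle: IO-FORCED is high for one cycle only."""
        self.io_forced = False

    def key_switch(self, active):
        """The system checks the key switch continuously; deactivating it clears all forces."""
        self.key_switch_active = active
        if not active and self.forces:
            self.ser_report.append(("CLEAR_ALL", tuple(sorted(self.forces))))
            self.forces.clear()

    def execute_force(self, tag, value):
        # Checks 4 and 5 are made by the FSC system, independent of the user station.
        if not self.application_tables.get(tag, False):
            return "rejected: force enable flag not set in application tables"
        if not self.key_switch_active:
            return "rejected: Force Enable key switch not activated"
        self.forces[tag] = value
        self.io_forced = True                  # accepted force: IO-FORCED pulse
        self.ser_report.append(("FORCE", tag, value))
        return "forced"


def translate(db):
    """Translation copies the flags into the application tables (a one-way snapshot)."""
    return FscSystem(application_tables=dict(db.force_enable))


class Navigator:
    def __init__(self, db, system, password_ok):
        self.db, self.system, self.password_ok = db, system, password_ok

    def force(self, tag, value):
        # Checks 1 to 3 are made by FSC Navigator before the command is sent.
        if not self.password_ok:
            return "rejected: password not activated"
        if not self.db.force_enable.get(tag, False):
            return "rejected: force enable flag not 'Yes' in application database"
        if not self.system.key_switch_active:
            return "rejected: Force Enable key switch not activated"
        return self.system.execute_force(tag, value)


def demo():
    """Walk through the procedure of Table 5-2 with constructed tags."""
    db = IoDatabase(force_enable={"PT-101A": True, "XV-201": False})
    fsc = translate(db)
    nav = Navigator(db, fsc, password_ok=True)
    out = {}
    out["no_key"] = nav.force("PT-101A", 1)          # step 1 not done: rejected
    fsc.key_switch(True)                              # key switch activated after approval
    out["ok"] = nav.force("PT-101A", 1)
    out["pulse"] = fsc.io_forced
    fsc.scan_cycle()
    out["after_cycle"] = fsc.io_forced
    # Flag changed in the I/O database after translation: Navigator passes it on,
    # the FSC system still refuses because its application tables were not reloaded.
    db.force_enable["XV-201"] = True
    out["stale_tables"] = nav.force("XV-201", 0)
    fsc.key_switch(False)                             # all forces cleared
    out["forces_after_keyoff"] = dict(fsc.forces)
    out["ser"] = list(fsc.ser_report)
    return out
```

The point of splitting the checks between `Navigator` and `FscSystem` is the one note 1 makes: the user station is not trusted on its own, and the system's copy of the force enable flags only changes with a reload of the application software.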

5.3 Communication with Process Control Systems (DCS / ICS)

Exchanging process data
The FSC system can be used to exchange process data with a process control system or a man machine interface (PC). This data is represented in the functional logic diagrams (FLDs) as I/O symbols with location 'COM'. The variables with location 'COM' may only be used for non safety-related functions. The 'System Configuration' option of FSC Navigator sets the safety relation flag of these signals to 'No' (FALSE) and does not allow this flag to be changed. The safety relation of variables can be checked using the listing that is produced with the 'Print Project Configuration' option of FSC Navigator. Figure 5-2 below shows an example of such an input signal specification.

Figure 5-2 Example of a printout of engineering documents (configuration documents of application DEMO_1, input signal specification, dated 08-31-2000 13:39, page 2; one row per input signal with the columns Type, Tag number, Service, Qualification, Location, Unit, Subunit, Sheet, Safety, Force En., Write En., SER En. and SER seq. no.; the listed tags include 53HS-101, 91XA-651A, ACK-PUSHBUTTON, CLOCK-SYNC, EARTH-LEAKAGE, FORCE-ENABLE, FSC-SYSTEM-FAULT, IO-COMPARE, IO-FORCED, LAMPTEST, PSU-1, PSU-2, RESET and SENSOR-1 to SENSOR-B3, with locations such as MCP, PNL, DCS, ANN, SYS and CAB)

Protocols
The following communication protocols are used for communication with process control systems and computer equipment running visualization programs:
• TPS network protocol,
• PlantScape protocol,
• Modbus RTU and Modbus H&B protocol,
• RKE3964R protocol, and
• FSC-DS protocol.
For details on these communication protocols refer to Appendix F of the FSC Software Manual ("Communication").

5.4 FSC Networks

Networks
FSC systems may be interconnected to form a safety-related communication network (see Figure 5-3). Data integrity is ensured by using the same protocol and surveillance mechanisms as used for communication between Central Parts in redundant FSC architectures. FSC networks can be used to allow multiple FSC systems to exchange data in order to perform a joint task. Another possibility is gathering of sequence-of-event (SOE) data of multiple FSC systems at a single point in the network. Systems may be connected in pairs (point-to-point) (see Figure 5-3, left), or multiple systems may be connected to the same link (multidrop) (see Figure 5-3, right).

Figure 5-3 Examples of FSC communication networks (left, point to point (PtP): FSC system 1 linked separately to FSC system 2 and to FSC system 3; right, multidrop (MD): FSC system 1 sharing one link with FSC system 2, FSC system 3 and FSC system 4)

Master/slave
For every communication link, one FSC system operates as a master and the other systems operate as a slave. The master sends data to the slave and initiates a request for data from the slave. The slave sends data after receipt of the data request from the master.

More than one slave may be connected to one master. One slave may have multiple masters (see Figure 5-4). All FSC systems within the FSC network must have a unique system number.

Figure 5-4 FSC master/slave interconnection (masters FSC system 1 and FSC system 2, slaves FSC system 3 to FSC system 7)

Data that is used for communication between FSC systems is represented in the functional logic diagrams as I/O symbols with the location 'FSC'. Variables with location 'FSC' can be of type I, O (markers), BI or BO (registers), and may be configured for both safety-related and non safety-related functions.

Redundant communication
For redundant systems, redundant FSC links must be used (see Figure 5-5). This results in a single-fault-tolerant communication network.

Figure 5-5 Redundant FSC communication link (FSC system 1, e.g. redundant CP + redundant I/O with CP1 and CP2, connected by two links to FSC system 2, e.g. redundant CP + redundant I/O with CP1 and CP2)

Response time
The response time depends on the application program cycle time of the systems and the type of the communication link.

Point-to-point
The response time is the sum of the application program cycle times of the master and slave system. This is represented in the following formula:

Tresp = Tam + Tas

Where:
Tam = Master application program cycle time,
Tas = Slave application program cycle time.

Note: Point-to-point links running at baud rates lower than 125 kbaud are treated as multidrop links.

Multidrop
The maximum response time is the sum of the application program cycle times of the master and the slave system plus the total communication time needed to serve all systems connected to the multidrop network. The result will always be less than 1 second. This is represented in the following formula:

Tresp = Tam + Tas + Σ (over the 63 system numbers) [ 2∗(F1 + 2∗Tr) + (F2 + 8∗Tr)∗(Mbs + Rbs + 1) + F3∗(Mcs + Rcs) + (F2 + 2∗Tr) ]

Where:
Tam = Master application program cycle time,
Tas = Slave application program cycle time,
Tr = Transmission delay in the physical communication network (0 for direct cable connections < 1 km),
F1, F2, F3 = Performance factors (in ms), depending on the baud rate (see table below),
Mbs, Rbs = The number of data blocks to be sent,
Mcs, Rcs = The number of data bytes to be sent.

Table 5-3 Performance factors (S=1)
Baud rate       F1    F2    F3
9K6             80    80    37
19K2            43    43    18.4
38K4            25    25    9.2
50K / 57K6      21    21    7
115K2 / 125K    15    14    3
1M              9     15    0
2M              8     11    0


Mbs (Rbs) is the number of 256-byte blocks configured for transfer of Marker (Register) data from the slave system to the master system or vice versa. If the number of bytes is not an exact multiple of 256 bytes, an extra block must be allocated. Mcs (Rcs) is the number of 16-byte blocks configured for transfer of Marker (Register) data from the slave system to the master system or vice versa. If the number of bytes is not an exact multiple of 16 bytes, an extra block must be allocated, for example:
1. A master sends 256 bytes of marker data to the slave system. No register data is sent. In this situation, Mbs = 1 and Rbs = 0.
2. A slave sends 48 bytes of marker data and 400 bytes of register data to the master system. In this situation, Mbs = 1 and Rbs = 2.

Notes:
1) With both redundant links operational, a typical value of F1, F2 and F3 is half the maximum value.
2) Tr, F1, F2 and F3 are 0 if the system number is not used as a system number for a slave system.

Multiple masters in FSC network
Consider the network configuration as shown in Figure 5-6 below. A communication server has been connected point-to-point to three masters, and acts as a slave to each of them. There is a multidrop connection from the communication server to five slaves. For each slave, a connection has been configured to each master.

Figure 5-6 Response time in network with multiple masters (Master 1, Master 2 and Master 3 connected point to point to the Comm server; the Comm server connected by multidrop to Slave 1 to Slave 5)

To calculate the response time in such a network configuration, you need to add the response times of all slaves for all masters. In Figure 5-6 above, this means that you need to multiply the response time of each slave by 3 (providing all communication blocks are equal). In situations like these, you may need to increase the FSC-FSC communication timeout in order to be able to communicate all information (especially at baud rates lower than 1 Mbaud).

Timeout time
All systems within the network monitor the operation of the communication link by means of timeouts. The timeout depends on the system function and the type of the communication link (see Table 5-4).

Table 5-4 FSC-FSC communication timeout
Link type        System   Timeout
Point to point   Master   Response of the slave is expected within the same application program cycle.
                 Slave    1 second
Multidrop        Master   Configured communication timeout (refer to Section 4 of the FSC Software Manual).
                 Slave    2x configured communication timeout time (refer to Section 4 of the FSC Software Manual).

Note: If communication fails via all links, the safety-related variables I and BI of location 'FSC' that are allocated to the system connected to the link are set to 0. The non safety-related variables are frozen at their last received state.
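The response-time formulas, the block-counting rule with its two examples, the performance factors of Table 5-3, the multi-master case of Figure 5-6 and the variable handling on total link failure from the note to Table 5-4 are carried through below in Python as an added example; it is not FSC code. Two readings are assumptions of this example: the marker and register byte counts passed per slave are the totals configured for both transfer directions of that link, and the multi-master network is modelled by adding each slave's communication time once per master.

```python
"""Response-time estimate for FSC-FSC links and the timeout rule of Table 5-4.

Added example, not FSC code. It implements the point-to-point and multidrop
formulas, the 256-byte / 16-byte block counting and the performance factors of
Table 5-3 from 5.4. Assumptions of this example: the marker and register bytes
given per slave are the totals for both transfer directions of that link, and
the multi-master case of Figure 5-6 is modelled by adding the per-slave
communication time once per master.
"""
import math

# Table 5-3, performance factors F1, F2, F3 in ms (S=1)
PERF = {
    "9K6": (80, 80, 37), "19K2": (43, 43, 18.4), "38K4": (25, 25, 9.2),
    "50K/57K6": (21, 21, 7), "115K2/125K": (15, 14, 3),
    "1M": (9, 15, 0), "2M": (8, 11, 0),
}
PTP_BAUD_RATES = ("115K2/125K", "1M", "2M")   # below 125 kbaud a PtP link counts as multidrop


def blocks(n_bytes, block_size):
    """Blocks to allocate; a remainder that is not a full block needs an extra block."""
    return math.ceil(n_bytes / block_size)


def slave_term(baud, tr, marker_bytes, register_bytes, both_links_ok=False):
    """Communication time (ms) the master spends on one slave system number."""
    f1, f2, f3 = PERF[baud]
    if both_links_ok:                  # note 1: typical value is half the maximum
        f1, f2, f3 = f1 / 2, f2 / 2, f3 / 2
    mbs, rbs = blocks(marker_bytes, 256), blocks(register_bytes, 256)
    mcs, rcs = blocks(marker_bytes, 16), blocks(register_bytes, 16)
    return (2 * (f1 + 2 * tr) + (f2 + 8 * tr) * (mbs + rbs + 1)
            + f3 * (mcs + rcs) + (f2 + 2 * tr))


def response_time(tam, tas, link, slaves=(), baud="1M", tr=0, both_links_ok=False):
    """Tresp in ms. tam/tas: master/slave cycle times (ms); link: "ptp" or "md";
    slaves: (marker_bytes, register_bytes) per connected slave system (for a
    point-to-point link slower than 125 kbaud pass the peer as the single slave)."""
    if link == "ptp" and baud in PTP_BAUD_RATES:
        return tam + tas
    total = tam + tas                  # system numbers without a slave contribute 0
    for marker_bytes, register_bytes in slaves:
        total += slave_term(baud, tr, marker_bytes, register_bytes, both_links_ok)
    return total


def multi_master_response(tam, tas, n_masters, slaves, **kw):
    """Figure 5-6: every slave is served for every master, so the per-slave
    communication time is added n_masters times (three masters: multiply by 3)."""
    comm = response_time(tam, tas, "md", slaves, **kw) - (tam + tas)
    return tam + tas + n_masters * comm


def on_total_link_failure(fsc_vars):
    """Note to Table 5-4: when communication fails via all links, safety-related
    I/BI variables of location 'FSC' are set to 0; non safety-related ones keep
    their last received value. fsc_vars: tag -> (safety_related, last_value)."""
    return {tag: 0 if safety else value for tag, (safety, value) in fsc_vars.items()}


if __name__ == "__main__":
    # The two block-count examples of 5.4 and a 2 Mbaud multidrop link with one slave
    print(blocks(256, 256), blocks(0, 256))      # example 1: Mbs = 1, Rbs = 0
    print(blocks(48, 256), blocks(400, 256))     # example 2: Mbs = 1, Rbs = 2
    print(response_time(50, 50, "md", [(48, 400)], baud="2M"))
```

With a 2 Mbaud link, one slave exchanging 48 marker bytes and 400 register bytes, and cycle times of 50 ms on both sides, the multidrop formula gives 171 ms; served by three masters as in Figure 5-6 the same slave contributes three times, giving 313 ms. The result stays well below the 1 second bound the text states, but the calculation makes visible why the communication timeout may need raising at lower baud rates.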

5.5 On-Line Modification

Introduction
On-line modification (OLM) is an FSC system option which allows you to modify the application software, system software and the FSC hardware configuration of redundant systems while the system remains operational. During on-line modification, the changes are upgraded in one Central Part at a time. Meanwhile, the other Central Part can continue safeguarding the process.

Compatibility check
During the upgrade, the FSC system performs a compatibility check across the application-related data, in order to guarantee a safe changeover from the old software to the new software. The system reports the FLD numbers of the functional logic diagrams that have changed (see Figure 5-7). This allows easy verification of the implemented modifications.

Figure 5-7 Sheet differences

When modifications in the application are implemented, the 'Verify Application' option of FSC Navigator may be used to log all revision information. For more information, refer to Section 11 of the FSC Software Manual ("Verifying an Application").

FSC networks
If a system has been integrated into an FSC communication network, it performs a compatibility check for all connected systems, initiated via a CPU reset. If inconsistencies are detected or if the check for a specific system cannot be completed for any other reason, an error message is generated in the extended diagnostics. In case of such an error, no data will be exchanged with the system after start-up. The communication can only be re-established after successful completion of the compatibility check by any of the systems that communicate with each other.

Using the on-line modification option of the FSC system, changes in the functional logic diagrams (FLDs), the FSC system architecture and the system software can be implemented in the system without the need for a plant shutdown. During on-line modification, only a functional logic test of the modified functions is required by, for example, TÜV, when the final verification of the implemented changes is obtained via the sheet difference report of the FSC system and the 'Verify Application' option of FSC Navigator. For details on on-line modification, refer to Appendix D of the FSC Software Manual ("On-Line Modification").

Notes:
1. If you perform an on-line upgrade to FSC Release 530 from a release prior to R510, sheet differences will be reported for all functional logic diagrams (FLDs) that contain mathematical routines, PIDs and/or equation blocks, even though no modifications were implemented. This is normal behavior. FSC R510 and higher use a different internal addressing scheme than previous releases, which causes the above sheet differences to be reported.
2. If a function block is changed, a difference will be reported for all functional logic diagrams that use this function block.

5.6 Safety-Related Non Fail-Safe Inputs

Introduction
Safety-related inputs require the use of fail-safe input modules (e.g. 10101/2/1 for digital inputs and 10105/2/1 for analog inputs). In addition, it is also required that fail-safe input devices are used (e.g. sensors, switches and transmitters). If the input device is not fail-safe, then redundant sensors (transmitters) and redundant inputs are required. Depending on the number of sensors and the FSC architecture applied, the system offers a variety of "sensor redundancy configurations". Figure 5-8 shows an example of redundancy type 2oo2, which can be used for VBD functions with redundant I/O.

Figure 5-8 Configuration of a redundant input

Digital inputs
To check the safety capability of the sensors, they must switch within a certain time interval specified in the configured maximum on time, which can be set in the range of 1 second to 2047 minutes. If the maximum on time is exceeded, the resulting sensor status is executed as 'unhealthy'. To detect if all inputs execute the switch-defined function, an extra timer is added: the maximum discrepancy timer. If the maximum on timer or the maximum discrepancy timer expires, a redundant input fault (system alarm marker) and a sensor fault alarm are generated.

Note: The maximum on time may also be deactivated. In that case organizational procedures must exist that ensure periodical testing of the sensors.

Figure 5-9 Example of functionality of a redundant digital input function (logic diagram: inputs SENSOR_1 and SENSOR_2, a maximum on timer with t = 6 min and a maximum discrepancy timer with t = 10 s, outputs SENSOR STATUS and SENSOR FAULT / "NO FAULT")

Analog inputs
For analog inputs, the system monitors if the difference between the transmitter values does not exceed a predefined value. The maximum allowable difference is specified in the maximum discrepancy value. If the difference between the transmitter values exceeds the maximum value, a redundant input fault (system alarm marker) and a transmitter fault alarm are generated.

The safety-related redundant input configurations are described in detail in Appendix C of the FSC Software Manual ("Safety-Related Inputs with Non Fail-Safe Sensors").
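The timer behaviour described above for redundant digital sensors (maximum on time, maximum discrepancy time) and the discrepancy check for redundant transmitters, as an added cycle-by-cycle model in Python; this is example code, not code from the FSC manual or Honeywell. The 6 min / 10 s timer values follow Figure 5-9; that the maximum on timer runs on the voted input value, that a fault stays latched until a fault reset, and that two healthy transmitter values are combined by their mean are assumptions.

```python
"""Cycle-by-cycle model of the FSC checks for redundant non fail-safe sensors.

Added example, not Honeywell/FSC code.  Assumptions: the maximum on timer
runs on the voted (both sensors ON) input value, a detected fault stays
latched until a fault reset, and two healthy transmitters are combined by
taking their mean (the manual only states the discrepancy rule).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RedundantDigitalInput:
    """Two non fail-safe digital sensors on fail-safe input channels (2oo2)."""
    max_on_time: Optional[float]   # seconds; None = deactivated (periodic manual tests required)
    max_discrepancy_time: float    # seconds
    on_timer: float = 0.0
    discrepancy_timer: float = 0.0
    fault: bool = False            # latched sensor fault (RED.INPUT-FAULT + sensor fault alarm)

    def cycle(self, sensor_1: bool, sensor_2: bool, dt: float) -> Tuple[bool, bool]:
        """Run one application program cycle of dt seconds.

        Returns (sensor_status, sensor_fault).  The status applied to the
        application is '0' whenever a fault is present (see 6.4.3).
        """
        both_on = sensor_1 and sensor_2
        # Maximum on time: the sensors must demonstrate that they can switch;
        # an input that stays ON longer than configured is treated as unhealthy.
        self.on_timer = self.on_timer + dt if both_on else 0.0
        # Maximum discrepancy time: the two sensors may only disagree briefly.
        self.discrepancy_timer = self.discrepancy_timer + dt if sensor_1 != sensor_2 else 0.0

        if self.max_on_time is not None and self.on_timer > self.max_on_time:
            self.fault = True
        if self.discrepancy_timer > self.max_discrepancy_time:
            self.fault = True

        status = both_on and not self.fault
        return status, self.fault

    def fault_reset(self) -> None:
        """Operator fault reset after the sensors have been repaired or tested."""
        self.fault = False
        self.on_timer = 0.0
        self.discrepancy_timer = 0.0


def redundant_analog_value(value_1: float, value_2: float,
                           max_discrepancy: float, bottom_scale: float) -> Tuple[float, bool]:
    """Redundant transmitters: returns (applied_value, transmitter_fault).

    If the transmitter values differ by more than the maximum discrepancy
    value, a fault is raised and the configured bottom scale is applied.
    """
    if abs(value_1 - value_2) > max_discrepancy:
        return bottom_scale, True
    return (value_1 + value_2) / 2.0, False   # assumption: mean of two healthy values


def run_digital_scenario(dt: float = 1.0) -> List[Tuple[bool, bool]]:
    """Constructed scenario with the Figure 5-9 settings (6 min on time, 10 s discrepancy)."""
    rdi = RedundantDigitalInput(max_on_time=360.0, max_discrepancy_time=10.0)
    trace: List[Tuple[bool, bool]] = []
    trace += [rdi.cycle(True, True, dt) for _ in range(5)]    # healthy, both ON
    trace += [rdi.cycle(True, False, dt) for _ in range(10)]  # disagree for exactly 10 s: tolerated
    trace += [rdi.cycle(True, False, dt)]                      # 11th second: discrepancy fault
    trace += [rdi.cycle(True, True, dt)]                       # agreement again, fault stays latched
    rdi.fault_reset()
    trace += [rdi.cycle(True, True, dt)]                       # healthy after fault reset
    return trace


if __name__ == "__main__":
    for i, (status, fault) in enumerate(run_digital_scenario()):
        print(f"cycle {i:2d}: SENSOR STATUS={int(status)} SENSOR FAULT={int(fault)}")
    print(redundant_analog_value(12.0, 12.3, max_discrepancy=0.4, bottom_scale=4.0))
    print(redundant_analog_value(12.0, 13.0, max_discrepancy=0.4, bottom_scale=4.0))
```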

Section 6 – FSC System Fault Detection and Response

6.1 Section Overview

Section overview
This section describes how the FSC detects system faults and how it responds to them. It covers the following topics:

Subsection  Topic                                    See page
6.1         Section Overview                         74
6.2         Voting                                   76
6.3         FSC Diagnostic Inputs                    78
6.4         FSC Alarm Markers                        80
6.4.1       Input Fault Detection                    82
6.4.2       Transmitter Fault Detection              83
6.4.3       Redundant Input Fault Detection          84
6.4.4       Output Fault Detection                   85
6.4.5       I/O Compare Error Detection              88
6.4.6       Central Part Fault Detection             94
6.4.7       Internal Communication Error             94
6.4.8       FSC-FSC Communication Fault Detection    95
6.4.9       Device Communication Fault Detection     96
6.4.10      Temperature Alarm                        97
6.5         Calculation Errors                       98

Introduction
Progressive test software and the use of dedicated hardware allow the FSC system to detect a number of faults in the field instrumentation and all predefined faults according to the FMEA model applied within the FSC system itself, and to provide adequate diagnostics on any detected fault. As a result, the system is able to respond as a fail-safe system in accordance with its specifications as projected during the safety specification stage. Apart from safety, the FSC system fault detection and response strategy also provides optimum availability. As the system is able to locate faults accurately, the faulty part can be isolated from the process to obtain a safe process state while minimizing the effect on the remaining process parts.

Detected faults are reported via extended diagnostics of the FSC system, via channel-specific diagnostic markers and via system alarm markers. The diagnostic and alarm markers can be used in the application software, e.g. to generate an operator alarm or to be passed to a control system for further processing. This section describes the behavior of the FSC system in case of faults and how alarms can be used within the application.

6.2 Voting

Voting
The FSC system is available in single and redundant mode, in several combinations, both for Central Part and I/O. For details on the various FSC architectures refer to Section 2. If the Central Part and I/O are operating in single architectures, it is obvious what will happen in case a fault is detected: the Central Part or I/O will go to the safe (i.e. non-operational) state. For redundant Central Parts and/or I/O, this is less obvious, and users may want to define the system response in case a fault is detected in one part of the redundant components. This is the reason that voting has been incorporated into the system, which allows the users to optimize the system response to their safety needs.

Single components
For all single components in the FSC system, two voting schemes are available depending on the hardware that is being used. The table below lists the various options.

Table 6-1 Voting schemes for single FSC components

Voting scheme  Used for hardware modules...                                          Fault results in...
1oo1D          with diagnostic capabilities (e.g. 10101/./. digital input modules)   switch-off
1oo1           without diagnostic capabilities (e.g. 10206/./. digital output modules)  incorrect operation or switch-off

The default voting scheme for single Central Parts is 1oo1D for processor modules 100x2/./. and DMR for process modules 10020/./.

Redundant components
Redundant components have more voting schemes to choose from, depending on the hardware that is being used and on the primary action in case a fault is detected: switch-off or continue. Table 6-2 and Table 6-3 on the next page list the various options.

Table 6-2 Voting schemes for redundant components

Hardware        Primary action at fault
                Safety (switch-off)    Availability (continue)
Fail-safe       1oo2D / 2oo4D          2oo2D
Non fail-safe   1oo2                   2oo2

The default voting scheme for redundant Central Parts is 1oo2D for processor modules 100x2/./. and 2oo4D (QMR) for processor modules 10020/./.

Table 6-3 Explanation of redundancy voting schemes

1oo2
Used for hardware modules: without diagnostics capabilities (e.g. 10206/./. digital output modules).
Primary action directed at: safety (switch-off).
Response to faults: The first fault may result in switch-off as the faulty module may overrule the correct one.

2oo2
Used for hardware modules: without diagnostics capabilities (e.g. 10206/./. digital output modules).
Primary action directed at: availability (continue).
Response to faults: The first fault may result in incorrect operation as the faulty module may overrule the correct one.

1oo2D
Used for hardware modules: with diagnostics capabilities (e.g. 10101/./. digital input modules).
Primary action directed at: safety (switch-off).
Response to faults: For detected faults, operation continues as desired. A fault that cannot be detected by the diagnostics (probability = 1 – diagnostic coverage) may result in switch-off as the faulty module may overrule the correct one.

2oo2D
Used for hardware modules: with diagnostics capabilities (e.g. 10101/./. digital input modules).
Primary action directed at: availability (continue).
Response to faults: For detected faults, operation continues as desired. A fault that cannot be detected by the diagnostics (probability = 1 – diagnostic coverage) may result in incorrect operation as the faulty module may overrule the correct one.

2oo4D
Used for hardware modules: with diagnostics capabilities (e.g. 10105/./. analog input modules or 10106/./. digital input with line monitoring or safety-related digital output modules).
Primary action directed at: safety + availability.
Response to faults: For detected faults and the first fault, operation continues as desired. The first fault that cannot be detected by the diagnostics (probability = 1 – diagnostics coverage of single leg) will result in safe operation due to the 1oo2 voting.

6.3 FSC Diagnostic Inputs

General
Apart from the alarm markers, a variety of diagnostic inputs are available. The diagnostic inputs can be used in the functional logic diagrams. There are basically two types of diagnostic inputs:
• Diagnostic inputs related to channel status. These indicate the diagnostic status of a specific I/O channel allocated to an FSC fail-safe I/O module (see Table 6-4).
• Diagnostic inputs related to loop status. These indicate the diagnostic status of a process loop in the field (see Table 6-5).
The status of the diagnostic inputs does not depend on the safety relation of the channel. If the channel status is healthy, its diagnostic input is high. If a fault is detected for the channel, the diagnostic input becomes low. The markers of the variables that are allocated to the affected module channel are set to faulty when either Central Part detects a channel fault.

Diagnostic inputs (channel status)
Table 6-4 below provides an overview of the available channel status diagnostic inputs and the I/O modules for which they exist.

Table 6-4 Diagnostic inputs (channel status)

Type         I/O module
I/O type I   10101/1/1, 10101/1/2, 10101/1/3, 10101/2/1, 10101/2/2, 10101/2/3, 10106/2/1
I/O type O   10201/1/1, 10201/2/1, 10212/1/1, 10213/1/1, 10213/1/2, 10213/1/3, 10213/2/1, 10213/2/2, 10213/2/3, 10214/1/2, 10215/1/1, 10215/2/1, 10216/1/1, 10216/2/1, 10216/2/3
I/O type AI  10102/1/1, 10102/1/2, 10102/2/1, 10105/2/1
I/O type AO  10205/1/1, 10205/2/1
WD           10201/1/1, 10201/2/1, 10212/1/1, 10213/1/1, 10213/1/2, 10213/1/3, 10213/2/1, 10213/2/2, 10213/2/3, 10214/1/2, 10215/1/1, 10215/2/1, 10216/1/1, 10216/2/1, 10216/2/3

Diagnostic inputs (loop status)
Table 6-5 below provides an overview of the available loop status diagnostic inputs and the I/O modules for which they exist.

Table 6-5 Diagnostic inputs (loop status)

Type    I/O module                                     Status
SensAI  10102/1/1, 10102/1/2, 10102/2/1, 10105/2/1     transmitter status
LoopI   10106/2/1                                      loop status
LoopO   10214/1/2, 10216/1/1, 10216/2/1, 10216/2/3     loop status

System response
The system response is as follows:
• SensAI: Redundant I/O: The SensAI marker is set to faulty when both Central Parts detect the sensor as faulty. Single I/O: The SensAI marker is set to faulty when both Central Parts detect the sensor as faulty.
• LoopI: Redundant I/O: The LoopI marker is set to faulty when both Central Parts detect the sensor as faulty. Single I/O: The LoopI marker is set to faulty when both Central Parts detect the sensor as faulty.
• LoopO: Redundant I/O: The LoopO marker is set to faulty when both Central Parts detect the loop as faulty. Single I/O: The LoopO marker is set to faulty when both Central Parts detect the loop as faulty.

6.4 FSC Alarm Markers

Function of alarm markers
The FSC system uses a number of alarm markers to indicate the occurrence of abnormal system situations. The normal state of the markers (no fault present) is '1'. If the first fault occurs, the associated alarm marker changes to '0'. Any subsequent fault of the same type will cause the alarm marker to be pulsed to '1' for one application program cycle (see Figure 6-1). The following alarm markers are used:

Table 6-6 FSC alarm markers

Alarm marker         Description
CENTR.PART-FAULT     Fault detected within a Central Part.
DEVICE-COM.FLT       Communication with a connected device (e.g. a DCS) is faulty.
EXT.COMMUNIC.FLT     Communication with a connected FSC system is faulty.
FSC-SYSTEM-FAULT     Overall alarm marker: any fault exists.
INPUT-FAILURE        Fault detected for an input channel or input module.
INT.COMMUNIC.FLT     Communication between Central Parts faulty.
IO-COMPARE           I/O value discrepancy between Central Parts.
OUTPUT-FAILURE       Fault detected for an output channel or output module.
RED.INPUT-FAULT      A sensor of a safety-related input with non fail-safe sensors is faulty.
TEMP.PRE-ALARM       The temperature within the FSC system exceeds the pre-alarm setting. (For details refer to the data sheet of the 10006/./. diagnostic and battery module.)
TRANSMIT.-FAULT      An analog transmitter gives a value outside its specified range.
IO-FORCED            One or more variables are forced (see subsection 5.2).

Figure 6-1 Input failure alarm marker function (timing diagram of the INPUT-FAILURE and FSC-SYSTEM-FAULT markers; 1: no faults present in FSC system, 2: first input fault, 3: second input fault, 4: faults corrected and acknowledged via fault reset)

The FSC alarm markers are available in the application program, e.g. to generate an alarm.
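The marker behaviour of Figure 6-1 (normal state '1', first fault '0', later faults of the same type pulsed to '1' for one cycle, back to '1' after correction and fault reset), as an added Python model; this is example code, not part of the FSC manual. That the marker stays '0' until the faults are both corrected and acknowledged, and that FSC-SYSTEM-FAULT is the plain AND of the specific markers, are assumptions.

```python
"""Model of an FSC alarm marker as described in 6.4 and Figure 6-1.

Added example, not Honeywell/FSC code.  Assumptions: the marker remains '0'
until the faults are corrected and acknowledged via a fault reset, and the
overall FSC-SYSTEM-FAULT marker is simply the AND of the specific markers.
"""
from typing import List


class AlarmMarker:
    """One alarm marker (e.g. INPUT-FAILURE): '1' = no fault, '0' = fault."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.latched = False      # a first fault has occurred and has not been reset
        self.present_faults = 0   # faults currently present in the system

    def cycle(self, new_faults: int = 0, faults_corrected: bool = False,
              fault_reset: bool = False) -> int:
        """One application program cycle; returns the marker value for this cycle."""
        if faults_corrected:
            self.present_faults = 0
        # A fault reset only clears the marker when no fault is present any more.
        if fault_reset and self.present_faults == 0:
            self.latched = False
        if new_faults > 0:
            self.present_faults += new_faults
            if not self.latched:
                self.latched = True   # first fault: marker goes to '0' and stays there
                return 0
            return 1                  # subsequent fault of the same type: one-cycle pulse to '1'
        return 0 if self.latched else 1


def overall_marker(values: List[int]) -> int:
    """FSC-SYSTEM-FAULT: '0' as soon as any specific marker is '0' (assumption: plain AND)."""
    return int(all(v == 1 for v in values))


def figure_6_1_trace() -> List[int]:
    """Replays the four phases of Figure 6-1 for INPUT-FAILURE (constructed timing)."""
    m = AlarmMarker("INPUT-FAILURE")
    trace: List[int] = []
    trace += [m.cycle() for _ in range(2)]                            # 1: no faults present
    trace += [m.cycle(new_faults=1)] + [m.cycle() for _ in range(2)]  # 2: first input fault
    trace += [m.cycle(new_faults=1)] + [m.cycle() for _ in range(2)]  # 3: second input fault
    trace += [m.cycle(faults_corrected=True)]                          # faults repaired, not yet reset
    trace += [m.cycle(fault_reset=True)] + [m.cycle()]                 # 4: acknowledged via fault reset
    return trace


if __name__ == "__main__":
    trace = figure_6_1_trace()
    print("INPUT-FAILURE:   ", trace)
    print("FSC-SYSTEM-FAULT:", [overall_marker([v]) for v in trace])
```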

6.4.1 Input Fault Detection

Input fault detection
Input fault detection applies to hardware inputs that are allocated to fail-safe, tested input modules. Hardware inputs can be configured to be safety-related or not.

Tested modules
Input fault detection applies to hardware inputs allocated to the following fail-safe input modules:
• 10101/1/1, 10101/1/2, 10101/1/3, 10101/2/1, 10101/2/2, 10101/2/3,
• 10102/1/1, 10102/1/2, 10102/2/1,
• 10105/2/1, and
• 10106/2/1.

Possible faults
Possible faults are:
• inability to represent both the '0' and the '1' state, and
• correlation between inputs.
The tests include detection of faults affecting:
• a single input channel,
• a group of input channels at the same input module, and
• all channels of an input module.

Safety-related inputs
If a fault affects an input configured for a safety-related signal connected to a tested input module, the faulty input is isolated from the application, regardless of the value present at the input channel. For digital inputs, a '0' value is applied to the application. For analog inputs, the application value is clamped to the configured bottom scale.

Non safety-related inputs
If a fault affects an input configured for a non safety-related signal connected to a tested input module, the fault is only alarmed. The input value is applied to the application program as read from the input channel.

Fault alarm
Occurrence of an input fault is indicated in the INPUT-FAILURE alarm marker, as well as the associated diagnostic input(s) and/or diagnostic loop-monitoring input (10106/2/1).

6.4.2 Transmitter Fault Detection

Transmitter fault detection
A transmitter fault is detected if the value obtained from a transmitter, via an analog input, is outside its configured range. If an underrange fault is detected, the application value is clamped to the configured bottom scale. If an overrange is detected, it is clamped to max. 6.25 V, 12.5 V or 25 mA, depending on the selected range.

Tested modules
Transmitter fault detection applies to inputs allocated to the following fail-safe analog input modules:
• 10102/1/1, 10102/1/2, 10102/2/1, and
• 10105/2/1.

Fault alarm
Occurrence of a transmitter fault is indicated in the TRANSMIT.-FAULT alarm marker and the associated sensor diagnostic input.

6.4.3 Redundant Input Fault Detection

Redundant input fault detection
Redundant input fault detection applies to fail-safe inputs with redundant non fail-safe sensors.

Digital inputs
For digital inputs, a fault is detected if:
• the input value is 'ON' for a longer time period than specified in the maximum on timer, or
• the input values of the redundant sensors differ for a longer time period than specified in the maximum discrepancy time.
If a fault is detected, a '0' value is applied to the application.

Analog inputs
For analog inputs, a fault is detected if the transmitter values differ more than the specified maximum discrepancy value. If a fault is detected, the configured bottom scale is applied to the application.

Fault alarm
Occurrence of a redundant input fault is indicated in the RED.INPUT-FAULT alarm marker.

6.4.4 Output Fault Detection

Output fault detection
Output fault detection applies to hardware outputs that are allocated to tested output modules.

Possible faults
Possible faults are:
• inability to represent the '0' state,
• inability to represent the '1' state (for digital outputs with loop monitoring),
• inability to represent the correct value, i.e. bottom value, top value and variations of the current value (for analog outputs),
• output short circuit,
• open circuit in the output loop (for outputs with loop monitoring, e.g. 10205/1/1, 10205/2/1, 10214/1/2, 10216/1/1, 10216/2/1, 10216/2/3),
• arc-suppressing diode faulty (for digital outputs),
• external power supply voltage below the minimum operating voltage,
• correlation between outputs, and
• inability to represent the "0" and "1" state of the secondary means of de-energization.
The tests include detection of faults affecting:
• a single output channel,
• a group of output channels at the same output module,
• all channels of an output module, and
• the secondary means of de-energization.

Tested modules
Output fault detection applies to the following fail-safe output modules:

Module                        Group specification
10201/1/1 and 10201/2/1       Group 1: channels 1 to 4; Group 2: channels 5 to 8
10203/1/2 (see note below)    Group 1: channels 1 to 4
10205/1/1 and 10205/2/1       Each channel is a separate group.
10212/1/1                     Group 1: channels 1 to 4; Group 2: channels 5 to 8 (non saf.-rel.)
10213/1/1 and 10213/2/1       Group 1: channels 1 to 4
10213/1/2 and 10213/2/2       Group 1: channels 1 to 4
10213/1/3 and 10213/2/3       Group 1: channels 1 to 4
10214/1/2                     Group 1: channels 1 to 3
10215/1/1 and 10215/2/1       Group 1: channels 1 and 2; Group 2: channels 3 and 4
10216/1/1 and 10216/2/1       Group 1: channels 1 to 4
10216/2/3                     Group 1: channels 1 to 4

Note: The channels of the 10203/1/2 module are single fault tolerant. In case of a fault within a channel, full output control is still guaranteed. Therefore, any first channel fault is only reported. No additional corrective actions will be taken.

Safety-related outputs
Hardware outputs can be configured to be safety-related or not. If a fault affects an output configured for a safety-related signal, the faulty output is forced to the safe state (i.e. '0'), regardless of the value calculated by the application program. The '0' value is applied to the process. Depending on the predefined effects of the fault, a single channel, a group of channels or all channels of an entire module are forced to '0'. If a short-circuit is detected for one output channel, that channel is forced to '0'. If a short-circuit is detected for two or more channels within a single output group, all channels of the entire group are forced to '0'. If any other fault is detected for an output channel, the entire group is regarded faulty and all channels of the group are forced to '0'.

If an entire group of safety-related output channels is regarded faulty, the second fault timer is started. If all groups at the same output module are faulty, the entire module is regarded faulty. If an entire safety-related output module is regarded faulty, the Central Part that controls the affected output module will trip. If the module is located in a single I/O section, the entire FSC system will trip.

Non-safety-related outputs
If a fault affects an output configured for a non safety-related signal, the fault is only reported. The output value that is applied to the process is calculated by the application program combined with the result of the faulty module.

External power failure
External power failure is an exceptional fault, which does not cause a trip of the Central Part that controls the output module, even if safety-related output signals are allocated to the module.

Fault alarm
Occurrence of an output fault is indicated in the OUTPUT-FAILURE alarm marker, as well as the associated output diagnostic input(s) and/or diagnostic loop-monitoring input.

6.4.5 I/O Compare Error Detection

I/O compare error detection
The FSC system includes two high-level safety check functions which are active in redundant FSC configurations:
1. Input compare, and
2. Output compare.
Compare errors occur when a different status for inputs or outputs between the Central Parts is detected which cannot unambiguously be allocated to faults in the field or within the FSC system hardware. Because of the high level of self-testing by the FSC system, compare errors will be very rare. If the FSC system is used for surveillance of processes which are classified in requirement class 5 (AK5) and which must meet the requirements of DIN V VDE 0801-A1 in its full extent, the IO-COMPARE alarm marker should be used to initiate a system shutdown if an I/O compare error is detected in the outputs (see programming example in Figure 7-1). For AK6 an automatic shutdown will occur. The final decision whether automatic shutdown must be programmed lies with the approval authority (e.g. TÜV) during the acceptance of the plant. Input and output compare faults are discussed in more detail below.

Tested modules
Input compare error detection applies to all hardware inputs. Output compare error detection applies to all digital hardware outputs and to communication outputs (O, BO) with location 'FSC'.

Fault alarm
Occurrence of an input compare error is indicated in the IO-COMPARE alarm marker. As the fault applies to inputs, the INPUT-FAILURE alarm marker is also asserted. Occurrence of an output compare error is indicated in the IO-COMPARE alarm marker. If the error concerns an output with location 'FSC', the EXT.COMMUNIC.FLT alarm marker is also asserted because communication will halt to the affected FSC system.

Input compare
In redundant FSC configurations, with dual Central Parts, the process inputs are scanned every application program cycle by both Central Parts. Each Central Part executes the application program independently of the other Central Part. For proper operation of the system, both Central Parts must have an identical application status at all times. It is therefore essential that they use identical values for the process inputs. There is no problem if the process inputs are stable. However, if an input value changes, both Central Parts could read a different value. In such cases, an identical input value in the Central Parts is obtained via input synchronization. Different synchronization algorithms are used for digital and analog inputs.

Digital input synchronization
The synchronization algorithm for digital inputs (I and BI) depends on the voting scheme that has been configured for the affected module. For details on the available voting schemes for the FSC input modules refer to Section 4 of the FSC Software Manual ("System Configuration"). For details on voting refer to subsection 6.2.

Differences in the input status read should be momentary. Persisting differences could be the result of hardware faults. In that case, the faulty input channel is reported in the diagnostics, and both Central Parts use the process value read from the healthy input channel. A persisting difference in status of an input while no faults are detected at the accessory hardware channels leads to an input compare error. A digital input compare error is detected if the inputs of both Central Parts are stable but different (e.g. CP1 continuously '0', CP2 continuously '1') for the duration of the configured Process Safety Time (PST). Table 6-7 below specifies the system response to a digital input compare error.

The input compare error detection algorithm puts the following demands on the dynamic nature of the digital process inputs:
1. If an input changes state, it must become stable again within the configured Process Safety Time.
2. The frequency of continuously changing inputs must be less than 1/PST.

Table 6-7 System response in case of digital hardware input compare error

IF INPUT COMPARE ERROR AND...                    THEN...
AK class  Voting         Safety-related   IO-COMPARE  FSC-SYSTEM-FAULT  INPUT-FAILURE  Digital input applied state  Channel diagnostic input  System shutdown
1-6       1oo2D / 1oo1D  Yes              0           0                 0              0                            0                         No
1-6       1oo2D / 1oo1D  No               0           0                 0              0                            0                         No
1-6       1oo1 / 2oo2    No               0           0                 0              0                            0                         No
1-6       2oo2D          Yes              0           0                 1              1                            0                         No
1-6       2oo2D          No               0           0                 1              1                            0                         No

0 = false, low, de-energized; 1 = true, high, energized

Notes:
1) 1oo1D voting is treated as 1oo2D as the voting of redundant Central Parts is 1oo2D by default.
2) 2oo2D voting for inputs that must satisfy a safety requirement class higher than AK4 is not allowed. FSC Navigator does NOT check for this.
3) 2oo4D voting is not shown in this table as the 1oo2 voting for the applicable modules is fully transparent to the user.
4) For programming a system shutdown in case of an I/O compare error refer to section 7.3.

Analog input synchronization
For analog inputs, the synchronized value is the mean value of the input values. An input compare error is detected if the input values differ more than 2% of the full scale for the duration of the configured process safety time. The input compare error detection algorithm puts the following demands on the dynamic nature of the analog process inputs:
1. For inputs located at modules within a single I/O section (10102/./. and 10105/2/1), the slope steepness must be less than 125 mA/s.
2. For inputs located at modules within a redundant I/O section (10102/1/2, 10102/2/1 and 10105/2/1), the slope steepness must be less than 20 mA/s.

Note: Analog input compare errors may, for example, occur when calibrating smart transmitters using hand-held terminals. Refer to the project maintenance manual for details on calibrating smart transmitters that are connected to FSC analog inputs.

The synchronization algorithm for analog inputs (AI) depends on the voting scheme that has been configured for the affected module. Table 6-8 below specifies the system response to an analog input compare error.

Table 6-8 System response in case of analog input compare error

IF INPUT COMPARE ERROR AND...                    THEN...
AK class  Voting         Safety-related   IO-COMPARE  FSC-SYSTEM-FAULT  INPUT-FAILURE  Analog input applied state  Channel diagnostic input  System shutdown
1-6       1oo2D / 1oo1D  Yes              0           0                 0              bottom scale                0                         No
1-6       1oo2D / 1oo1D  No               0           0                 0              last healthy value          0                         No
1-6       2oo2D          Yes              0           0                 1              last healthy value          0                         No
1-6       2oo2D          No               0           0                 1              last healthy value          0                         No

0 = false, low, de-energized; 1 = true, high, energized

Notes:
1) 1oo1D voting is treated as 1oo2D as the voting of redundant Central Parts is 1oo2D by default.
2) 2oo2D voting for inputs that must satisfy a safety requirement class higher than AK4 is not allowed. FSC Navigator does NOT check for this.
3) 2oo4D voting is not shown in this table as the 1oo2 voting for the applicable modules is fully transparent to the user.
4) For programming a system shutdown in case of an I/O compare error refer to section 7.3.

Output compare
As a result of the synchronization algorithms within the FSC system, both Central Parts will continuously have an identical application status, which results in identical process outputs. An output compare error is detected if there is a difference between the Central Parts with regard to the status of digital outputs (O, BO) or communication outputs (O, BO) with location 'FSC'. The synchronization algorithm for digital outputs (O, BO) depends on the voting scheme that has been configured for the affected module. Table 6-9 below specifies the system response to a digital output compare error.
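The input compare checks described above (digital inputs that are stable but different for the Process Safety Time; analog inputs synchronized to their mean and compared against 2% of full scale) with the applied values of Tables 6-7 and 6-8 for 1oo2D and 2oo2D voting, as an added Python model that is not code from the FSC manual or Honeywell. The 20 mA full scale, 4 mA bottom scale, 2 s PST and 0.5 s cycle time are constructed values, and the digital value applied while the two reads still differ (before the PST expires) is an assumption.

```python
"""Input synchronization and input compare error detection (6.4.5) as a
cycle-by-cycle model.  Added example, not Honeywell/FSC code.  Constructed
values: 20 mA full scale, 4 mA bottom scale, PST of 2 s, 0.5 s cycle time.
"""
from typing import Optional, Tuple

# Voting schemes of Tables 6-7/6-8; 1oo1D is treated as 1oo2D (note 1 of the tables)
SAFETY_VOTING = ("1oo2D", "1oo1D")
AVAILABILITY_VOTING = ("2oo2D",)


class DigitalInputCompare:
    """Both Central Parts read the same digital input; differences must be momentary."""

    def __init__(self, pst: float, voting: str) -> None:
        self.pst = pst
        self.voting = voting
        self.timer = 0.0
        self.prev: Optional[Tuple[int, int]] = None
        self.compare_error = False

    def cycle(self, cp1: int, cp2: int, dt: float) -> Tuple[int, bool]:
        """Returns (applied_state, compare_error) for this cycle."""
        stable = self.prev == (cp1, cp2)    # neither Central Part saw a change this cycle
        self.prev = (cp1, cp2)
        if cp1 != cp2 and stable:
            self.timer += dt                # stable but different: the PST clock runs
        else:
            self.timer = 0.0                # a change or agreement restarts the check
        if self.timer > self.pst:
            self.compare_error = True
        if self.compare_error:
            # Table 6-7: safety voting de-energizes, availability voting keeps the input energized
            return (0, True) if self.voting in SAFETY_VOTING else (1, True)
        if cp1 == cp2:
            return cp1, False
        # Assumption: while the reads differ, safety schemes apply '0', availability schemes '1'
        return (0, False) if self.voting in SAFETY_VOTING else (1, False)


class AnalogInputCompare:
    """Analog input synchronized to the mean of the two Central Part readings."""

    def __init__(self, full_scale: float, bottom_scale: float, pst: float,
                 voting: str, safety_related: bool) -> None:
        self.limit = 0.02 * full_scale      # compare error threshold: 2% of full scale
        self.bottom_scale = bottom_scale
        self.pst = pst
        self.voting = voting
        self.safety_related = safety_related
        self.timer = 0.0
        self.last_healthy = bottom_scale
        self.compare_error = False

    def cycle(self, cp1: float, cp2: float, dt: float) -> Tuple[float, bool]:
        """Returns (applied_value, compare_error) for this cycle."""
        synchronized = (cp1 + cp2) / 2.0    # the synchronized value is the mean
        if abs(cp1 - cp2) > self.limit:
            self.timer += dt                # discrepancy above 2% of full scale: PST clock runs
        else:
            self.timer = 0.0
            self.last_healthy = synchronized
        if self.timer > self.pst:
            self.compare_error = True
        if self.compare_error:
            # Table 6-8: bottom scale only for safety-related 1oo2D inputs, else last healthy value
            if self.voting in SAFETY_VOTING and self.safety_related:
                return self.bottom_scale, True
            return self.last_healthy, True
        return synchronized, False


if __name__ == "__main__":
    ai = AnalogInputCompare(full_scale=20.0, bottom_scale=4.0, pst=2.0,
                            voting="1oo2D", safety_related=True)
    print(ai.cycle(12.0, 12.0, 0.5))
    for _ in range(5):                      # 0.6 mA discrepancy for 2.5 s > PST
        print(ai.cycle(12.0, 12.6, 0.5))
```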

Note: Table 6-9 does not apply for outputs with location 'FSC'. If an output compare error is detected for outputs with location 'FSC', communication with the system that the outputs are allocated to is halted.

Table 6-9 System response in case of digital output compare error

IF OUTPUT COMPARE ERROR AND...                   THEN...
AK class  Voting         Safety-related   IO-COMPARE  FSC-SYSTEM-FAULT  OUTPUT-FAILURE  Digital output applied state  Channel diagnostic input  System shutdown
1-5       1oo2D / 1oo1D  Yes              0           0                 0               0                             0                         No
1-5       1oo2D / 1oo1D  No               0           0                 0               1                             0                         No
1-5       2oo2D          Yes              0           0                 1               1                             0                         No
1-5       2oo2D          No               0           0                 1               1                             0                         No
6         1oo2D / 1oo1D  Yes              0           0                 0               0                             0                         Yes
6         1oo2D / 1oo1D  No               0           0                 0               0                             0                         Yes
6         2oo2D          Yes              0           0                 1               0                             0                         Yes
6         2oo2D          No               0           0                 1               0                             0                         Yes

0 = false, low, de-energized; 1 = true, high, energized

Notes:
1) 1oo1D voting is treated as 1oo2D as the voting of redundant Central Parts is 1oo2D by default.
2) 2oo2D voting for outputs that must satisfy a safety requirement class higher than AK4 is not allowed. FSC Navigator does NOT check for this.
3) 2oo4D voting is not shown in this table as the 1oo2 voting for the applicable modules is fully transparent to the user.
4) For programming a system shutdown in case of an I/O compare error refer to section 7.3.

6.4.6 Central Part Fault Detection

Central Part fault detection
Central Part fault detection applies to Central Part modules, horizontal bus driver modules (HBD) and system internal buses. If an error is detected, the faulty part will be isolated, which may result in the Central Part trip. Exceptions are faults detected at non-safety-related HBD modules (10100/1/1, 10100/2/1) and some faults on the Diagnostic and Battery Module (10006/./.), e.g. if the battery fuse is open.

Tested modules
Central Part fault detection applies to the following FSC modules:
• 10001/./., 10002/1/2, 10004/./., 10005/1/1, 10006/./., 10007/1/1, 10008/./., 10012/1/2, 10014/./., 10018/./., 10020/1/1, 10024/./.,
• 10100/1/1, 10100/2/1,
• System bus,
• H-bus, and
• V-bus.

Fault alarm
Occurrence of a Central Part fault is indicated in the CENTR.PART-FAULT alarm marker.

6.4.7 Internal Communication Error

Internal communication error
An internal communication error is detected if communication between the Central Parts in a redundant FSC architecture fails. An internal communication error is always reported by the running Central Part. One of the Central Parts will trip. In fully redundant architectures (without single I/O sections), one of the Central Parts will trip, depending on the internal status of the system. In systems with a single I/O section, Central Part 2 will trip.

6.4.8 FSC-FSC Communication Fault Detection

FSC-FSC communication fault detection
For communication with a connected FSC system, a fault is detected if communication with the connected FSC system fails. If the systems are interconnected via redundant communication links, fault detection applies to each link separately, resulting in single fault tolerance overall. If all links to a connected system are faulty, the safety-related inputs that are received from the connected system are forced to the safe state (i.e. '0'). The non-safety-related inputs are frozen to the state that was last received from the connected system. The outputs are not affected: these will be handled by the other FSC system, as there they come in as inputs. Inputs and outputs allocated for communication with a connected FSC system (location 'FSC') can be configured to be safety-related or not.

Fault alarm
Occurrence of an FSC-FSC communication fault is indicated in the EXT.COMMUNIC.FLT alarm marker.

6.4.9 Device Communication Fault Detection

Device communication fault detection
The FSC system monitors for several device types if the communication link with the device is operating correctly. If no communication is established within a predefined timeout period (the "device communication timeout"), the link to the device is regarded faulty. If the device is connected to the FSC system via a redundant communication link, the fault detection applies to each link separately, resulting in single-fault-tolerant communication.

Distributed control system
For distributed control systems (DCS) that communicate with the FSC system via the Modbus or RKE3964R protocol, continuous communication is expected. If all links to the DCS are faulty, the inputs remain frozen at the state that was last received from the DCS. The outputs are not affected. Inputs and outputs that are allocated to the distributed control system (location 'COM') are always non-safety-related.

Modbus device communication timeout
The device communication timeout for the Modbus protocol can be configured using the 'System Configuration' option of FSC Navigator. It can be set to any value between 1 and 90 seconds, or it can be deactivated altogether.

RKE3964R device communication timeout
The device communication timeout for the RKE3964R protocol can also be configured using the 'System Configuration' option of FSC Navigator. It can be set to any value between 1.0 and 25.0 seconds. If the RKE3964R protocol is used for communication between FSC and a DCS, the device communication timeout must be set to a multiple of 3 seconds (which is the default value). If any other value is specified, RKE communication between FSC systems is assumed.

SOE collecting devices
A communication fault for SOE collecting devices is detected if the device is off-line for more than 1 minute.

Fault alarm
Occurrence of a device communication fault is indicated in the DEVICE-COM.FLT alarm marker.

6.4.10 Temperature Alarm

Temperature alarm
During configuration of the FSC system, the user may define the temperature range within which the FSC system must operate. If the temperature of the running system exceeds the alarm settings, a fault will be reported. If the temperature exceeds the configured operating boundaries, the Central Part will shut down. Temperature prealarm values can also be configured.

Tested modules
Temperature alarms apply to the operational temperature within the Central Part as measured at the Diagnostic and Battery module (10006/./.).

Fault alarm
If the temperature exceeds the alarm settings, this is indicated in the TEMP.PRE-ALARM alarm marker.

6.5 Calculation Errors

General
Calculation errors result from the application program and occur if:
• the calculated value for an analog value is outside the specified range of the analog output,
• an overflow of the result of addition, subtraction, multiplication and division functions occurs,
• a divide-by-zero occurs,
• the square root of a negative number is taken,
• a timer is loaded with a value > 2047, or
• a counter is loaded with a value > 8191.
Calculation errors reflect incorrect design of the application program for the intended function. Once a calculation error occurs for a specific process variable, the result of successive calculations based on this variable cannot be ensured and escalation of the anomaly needs to be prohibited. The FSC system will therefore trip if a calculation error occurs.

Preventing calculation errors
Calculation errors can be prevented in a number of ways:
• prevention from occurrence through overall process design,
• validation of signals when entering the Functional Logic Diagrams (FLDs),
• inclusion of FSC diagnostic data, and
• exception handling during the actual calculation.
Guidelines on how to avoid calculation errors in the FSC application program are presented below.

Prevention by design
In line with good software engineering practice, as promoted by IEC 61508, calculation errors should be avoided by design. The design approach starts with ensuring that input values as obtained from the process remain within a deterministic range, and subsequently ensuring that the derived values are valid for successive operations. This means that an application should be designed in such a way that the operands of a symbol in the FLDs can never get an invalid value.

Sometimes, however, it cannot be guaranteed that an input value remains within a deterministic area which is valid for all functions. For example, a signal derived from a reverse-acting, non-linear 4-20 mA transmitter which has been configured for a zero top scale in the application domain could become negative if the transmitter fails and delivers a signal beyond 20 mA. If the signal is then linearized through a square-root function, a system trip will occur (square root of negative number).

[Figure 6-2: Intended square-root function (transmitter signal x fed directly into the square-root symbol)]

Preventive measures
If a valid input value cannot be guaranteed, preventive measures must be built into the design. A comparison function can be used as an indicator that the transmitter value has left its normal operational band and that the calculation should not be done. The alarm signal is used to implement corrective action and to indicate the exception to the operator (see Figure 6-3).

[Figure 6-3: Square-root function with validated input value (transmitter signal x compared against ≥ 0, ANDed into the square-root symbol; the comparison result drives the alarm / annunciation)]

If diagnostics are not available (e.g. for 0-20 mA transmitters), it is necessary to implement range checking in the application program itself. The result of the boundary check is again used for implementation of corrective actions.

An important advantage of input validation is that it can be implemented on input values for which a valid range cannot be guaranteed. Furthermore, the deviating input can be exactly identified. This allows the implementation of effective correction strategies which only apply to the affected part of the process.

Common function block
A last option is to create a common function block, e.g. square root, which is used for all such calculations. The function block validates the operand(s) and only performs the intended function if the operands are valid. Otherwise a predefined value is returned. An additional function block output should be provided which indicates if the calculation result is valid or not. This output signal can then again be used for implementation of corrective actions in the application program (see Figure 6-4).

[Figure 6-4: Square-root function with validity check in function block (transmitter signal x into a function block that checks ≥ 0 before taking the root and outputs the validity flag to alarm / annunciation)]
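The validation approaches of Figures 6-3 and 6-4, as an added example that is not part of the manual: a Python model of the reverse-acting 4-20 mA case from the text, with the band check (comparison function) in front of the calculation and a common square-root function block that returns a fallback plus a validity flag instead of raising the calculation error. The transmitter scaling constants and the tag-free function names are this example's assumptions.

```python
import math
from dataclasses import dataclass

# Transmitter assumptions for this example (constructed): a reverse-acting
# 4-20 mA transmitter configured for a zero top scale, i.e. 4 mA = 100 %
# and 20 mA = 0 % of the linear scale, so a signal beyond 20 mA goes negative.
MA_LOW, MA_HIGH = 4.0, 20.0
SCALE_AT_LOW, SCALE_AT_HIGH = 100.0, 0.0


@dataclass(frozen=True)
class FbResult:
    """Outputs of the common function block: the value and a validity flag."""
    value: float
    valid: bool


def reverse_acting_scale(ma: float) -> float:
    """Linear scaling of the transmitter signal. Deliberately not clamped: a
    failed transmitter delivering more than 20 mA produces a negative operand,
    which an unguarded square root would turn into a calculation error."""
    slope = (SCALE_AT_HIGH - SCALE_AT_LOW) / (MA_HIGH - MA_LOW)
    return SCALE_AT_LOW + (ma - MA_LOW) * slope


def validated_sqrt(x: float, fallback: float = 0.0) -> FbResult:
    """Common square-root function block in the sense of Figure 6-4: the
    operand is validated and the root is only taken for a finite, non-negative
    operand; otherwise the predefined fallback is returned with valid=False."""
    if not math.isfinite(x) or x < 0.0:
        return FbResult(fallback, False)
    return FbResult(math.sqrt(x), True)


def linearize_flow(ma: float) -> tuple[FbResult, bool]:
    """Input validation in the sense of Figure 6-3: a comparison checks that the
    transmitter is still inside its normal band before the calculation is done.
    Returns (function block result, alarm); the alarm drives annunciation and
    corrective action in the application, and the calculation is suppressed."""
    in_band = MA_LOW <= ma <= MA_HIGH
    if not in_band:
        return FbResult(0.0, False), True
    return validated_sqrt(reverse_acting_scale(ma)), False


if __name__ == "__main__":
    for ma in (12.0, 20.0, 21.0):
        result, alarm = linearize_flow(ma)
        print(f"{ma:5.1f} mA -> value={result.value:.3f} "
              f"valid={result.valid} alarm={alarm}")
```

Even if the band check were bypassed, validated_sqrt(reverse_acting_scale(21.0)) still returns the fallback with valid=False rather than tripping the system, which is the point of putting the check inside the common function block.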

Section 7 – Using the FSC Alarm Markers and Diagnostic Inputs

7.1 Section Overview

Section overview
This section describes how FSC alarm markers and diagnostic inputs are used. It covers the following topics:

Subsection | Topic                                              | See page
7.1        | Section Overview                                   | 101
7.2        | Applications of Alarm Markers and Diagnostic Inputs | 102
7.3        | Shutdown at Assertion of FSC Alarm Markers         | 103
7.4        | Unit Shutdown                                      | 104
7.5        | Diagnostic Status Exchange with DCS                | 109

FSC Safety Manual Section 7: Using the FSC Alarm Markers and Diagnostic Inputs 101

7.2 Applications of Alarm Markers and Diagnostic Inputs

Applications
FSC alarm markers and diagnostic inputs can be used within the functional logic diagrams (FLDs) to respond to abnormalities or to initiate an alarm. This is illustrated in three examples below.
• Shutdown at assertion of FSC alarm markers: This example shows how to program a shutdown in case of assertion of FSC alarm markers. This kind of programming could be used if the system is intended to run in AK5 without operator surveillance. (See subsection 7.3.)
• Unit shutdown: This example shows how diagnostic inputs of type I/O-TYPE O can be used to realize independent safeguarding of process units, including only unit shutdown in case of defects. (See subsection 7.4.)
• Diagnostic status exchange with DCS: This example discusses the functional logic which can be used to report the status of alarm markers and diagnostic inputs to a distributed control system (DCS). (See subsection 7.5.)

7.3 Shutdown at Assertion of FSC Alarm Markers

If it is not sufficient to initiate an alarm in case the FSC system detects a fault, and direct system response is required, the FSC alarm markers can be used to shut down the system via the application program. Figure 7-1 shows an example of how to shut down the system in case of an I/O compare error. Other alarm markers can be used in a similar way. An additional manual shutdown hardware input is provided which the operator can use to initiate a shutdown by hand.

[Figure 7-1: Diagram to shut down system in case of output compare error (IO-COMPARE system marker and the MANUAL SHUTDOWN input, "1=HEALTHY", ANDed and used as divisor of a DUMMY signal, signal type B)]

If an I/O compare error is detected or a manual shutdown is initiated, a divide-by-zero is initiated and the FSC system will shut down.

Note: A manual shutdown can also be realized via the ESD input of the watchdog module (10005/1/1). This module enables the use of a tested solid-state hardwired connection, which allows the secondary means of de-energization of all outputs to be activated, fully independently of the central processor. This unique feature allows an ESD pushbutton chain to be connected to the FSC system, which can then be used to initiate an emergency shutdown (ESD).

7.4 Unit Shutdown

Process units
If a process can be divided into independent process units, the overall process availability can be increased by separate shutdown of the units within the FSC system. Thus, in case a fault is detected within the hardware of a process unit, only the affected unit needs to be shut down, while the remaining parts of the process are not affected. This subsection discusses the configuration, application programming and wiring required to achieve shutdown per process unit.

Configuration of unit shutdown
For each unit, a relay is used to connect the watchdog input signal of the unit output to the output of the FSC watchdog module (10005/1/1). This relay is controlled via an output of the FSC system: the unit shutdown output. In normal operation, all relays are activated. If a fault is detected within a process unit, the corresponding relay is deactivated, which results in a shutdown of the unit. Figure 7-2 shows a standard wiring diagram to realize unit shutdown for three separate process units.

[Figure 7-2: Wiring diagram for unit shutdown (Central Part with CPU, MEM and WDG or COM; reset and watchdog signal; unit shutdown outputs on a 10201/./1 module, Safety = Yes; per unit a relay (WD) feeding the watchdog input of the process output modules 10201/./1, Safety = No)]

The unit relays must meet the requirements of DIN VDE 0116, part 8.7.4.5 and 8.7.4.6 of October 1989, i.e.:
a) Mechanical reliability > 3.5 ∗ 10^6 switches,
b) Contacts protected (e.g. fuses, series resistors, etc.) at 0.6 ∗ nominal contact current,
c) Electrical reliability > 2.5 ∗ 10^5 switches.

Unit shutdown outputs
The unit shutdown outputs must be safety-related (e.g. allocated to a 10201/./1 or 10216/./1 module). This will guarantee that the FSC system will direct the process to its safe state if a fault occurs which affects this output. The power-up status of the output must be on, to allow correct start-up of the FSC system with activated unit relays (see Figure 7-3). For optimum availability it is recommended that the unit shutdown outputs are allocated to redundant output modules.

[Figure 7-3: Configuration of the unit shutdown output]

Process outputs (safety-related)
The process outputs must be allocated to an FSC fail-safe output module:
Fail-safe digital output module − 10201/1/1 (24 Vdc, 0.9 A, 8 channels)
Fail-safe digital output module − 10201/2/1 (24 Vdc, 0.9 A, 8 channels)
Fail-safe output module with double switch-off − 10203/1/2 (24 Vdc, 2 A, 4 channels)
Fail-safe analog output module − 10205/1/1 (0(4)-20 mA, 2 channels)
Fail-safe analog output module − 10205/2/1 (0(4)-20 mA, 2 channels)
Digital output module − 10212/1/1 (24 Vdc, 0.55 A, 16 channels)
Fail-safe digital output module − 10213/1/1 (110 Vdc, 0.32 A, 4 channels)
Fail-safe digital output module − 10213/2/1 (110 Vdc, 0.32 A, 4 channels)
Fail-safe digital output module − 10213/1/2 (60 Vdc, 0.67 A, 4 channels)
Fail-safe digital output module − 10213/2/2 (60 Vdc, 0.67 A, 4 channels)
Fail-safe digital output module − 10213/1/3 (48 Vdc, 0.75 A, 4 channels)
Fail-safe digital output module − 10213/2/3 (48 Vdc, 0.75 A, 4 channels)
Fail-safe digital output module − 10214/1/2 (220 Vdc, 0.25 A, 3 channels)
Fail-safe digital output module − 10215/1/1 (24 Vdc, 1 A, 4 channels)
Fail-safe digital output module − 10215/2/1 (24 Vdc, 1 A, 4 channels)
Fail-safe loop-monitored digital output module − 10216/1/1 (24 Vdc, 0.5 A, 4 channels)
Fail-safe loop-monitored digital output module − 10216/2/1 (24 Vdc, 2 A, 4 channels)
Fail-safe loop-monitored digital output module − 10216/2/3 (48 Vdc, 0.55 A, 4 channels)

The safety relation for the outputs must be set to 'No' (see Figure 7-4). This will suppress the automatic response of the FSC system if faults occur at safety-related output modules, which allows programming of the response via the application.

[Figure 7-4: Configuration of the process outputs]

Application programming
To realize the unit shutdown in the functional logic diagrams, all diagnostic inputs ('SYS' internal markers related to output modules available in the database) of one process unit are connected to an AND gate. The output signal of the AND gate is connected to the unit shutdown output (see Figure 7-5). As long as all the diagnostic inputs are healthy, the diagnostic inputs will be high, the unit shutdown output will be high and the unit relay is activated (relay contact closed). If one diagnostic input of an output channel within the unit becomes 'not healthy', the corresponding unit shutdown output becomes low and the unit relay is deactivated (relay contact open).

[Figure 7-5: Functional logic diagram of unit shutdown (diagnostic inputs 53PT-930.L, 53PT-930.H and 53FT-700.L of I/O type O, "Not faulty", ANDed per unit and ORed with the FSC-FAULT-RESET pulse (timer t=800 ms) into SHUTDOWN UNIT1 and SHUTDOWN UNIT2, "HIGH=OK"; the calculated APPLICATION OUTPUT is ANDed with the channel diagnostic input before the 53PT-930.L LOW ALARM output)]

After an error is detected and repaired in one unit, that unit may be restarted using the FSC-FAULT-RESET alarm marker. The FSC-FAULT-RESET alarm marker is connected to all unit shutdown outputs via an OR gate. The minimum and maximum time the unit output is enabled by the FSC-FAULT-RESET is limited to ensure that the FSC-FAULT-RESET is detected by the output. The pulse length may not exceed the process safety time (timer typically set at 800 ms).

In order to realize a switch-off of a defective output channel in accordance with the normal FSC response for safety-related signals, the calculated application output should be applied to the output channel via an AND gate with the channel diagnostic input.
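The unit shutdown logic of Figure 7-5, as an added example that is not part of the manual: a cycle-by-cycle Python model of the AND gate over the unit's diagnostic inputs, the OR with a time-limited FSC-FAULT-RESET pulse, and the per-channel AND with the channel diagnostic input. The 100 ms cycle time and the fault scenario are this example's assumptions; the 800 ms pulse and the tag names come from the figure.

```python
from dataclasses import dataclass

# Timing assumptions for the simulation (constructed): a 100 ms application
# program cycle; the FSC-FAULT-RESET pulse length of 800 ms is the timer value
# shown in Figure 7-5 and must stay below the process safety time.
CYCLE_MS = 100
RESET_PULSE_MS = 800


@dataclass
class UnitShutdown:
    """Unit shutdown logic of Figure 7-5 for one process unit, evaluated once
    per application program cycle. 'channels' names the unit's output channels."""
    channels: tuple
    pulse_left_ms: int = 0
    prev_reset: bool = False

    def step(self, diag: dict, fault_reset: bool, calculated: dict):
        """diag: channel -> diagnostic input (True = 'Not faulty').
        calculated: channel -> application result for that output.
        Returns (unit shutdown output, {channel: applied output})."""
        # AND gate over the diagnostic inputs of all output channels in the unit.
        all_healthy = all(diag[c] for c in self.channels)

        # Pulse timer on the rising edge of FSC-FAULT-RESET: the unit output is
        # enabled for at most RESET_PULSE_MS so that the output registers the
        # reset, while the enable never exceeds the process safety time.
        if fault_reset and not self.prev_reset:
            self.pulse_left_ms = RESET_PULSE_MS
        self.prev_reset = fault_reset
        pulse = self.pulse_left_ms > 0
        if pulse:
            self.pulse_left_ms = max(0, self.pulse_left_ms - CYCLE_MS)

        # OR gate: the unit relay stays energized while the unit is healthy or
        # during the reset pulse.
        unit_output = all_healthy or pulse

        # Per channel: calculated output AND the channel's own diagnostic input,
        # so a defective channel is switched off as a safety-related signal would be.
        applied = {c: bool(calculated[c] and diag[c]) for c in self.channels}
        return unit_output, applied


def run_scenario():
    """Constructed scenario over 16 cycles: channel 53PT-930.H reports a fault
    from cycle 2 to 13, a fault reset is given in cycle 5 while the fault is
    still present, and the repair takes effect (diagnostic input healthy again)
    from cycle 14. Returns [(cycle, unit output, applied 53PT-930.H)]."""
    unit = UnitShutdown(channels=("53PT-930.L", "53PT-930.H"))
    calculated = {"53PT-930.L": True, "53PT-930.H": True}
    trace = []
    for cycle in range(16):
        diag = {"53PT-930.L": True, "53PT-930.H": not (2 <= cycle < 14)}
        out, applied = unit.step(diag, fault_reset=(cycle == 5), calculated=calculated)
        trace.append((cycle, out, applied["53PT-930.H"]))
    return trace


if __name__ == "__main__":
    for cycle, out, applied_h in run_scenario():
        print(f"cycle {cycle:2d}: unit output={int(out)} applied 53PT-930.H={int(applied_h)}")
```

In the scenario the reset pulse re-energizes the unit relay for eight cycles (800 ms) although the fault persists, which is why the pulse length is bounded by the process safety time; the defective channel itself stays off throughout, because its own diagnostic input gates the calculated output.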

7.5 Diagnostic Status Exchange with DCS

Distributed control systems (DCS)
FSC alarm markers and the diagnostic inputs can be transferred to distributed control systems (DCSs), e.g. to generate an operator alarm or to initiate corrective action within the DCS. Figure 7-6 shows the functional logic diagram to report the occurrence of an input fault (INPUT-FAILURE alarm marker) and the use of a diagnostic input (I/O type AI) to report the status of an analog input channel to a DCS system.

[Figure 7-6: FSC system information to DCS (INPUT-FAILURE system marker through a delayed-off timer, t=800 ms, to the COM output INPUT-FAILURE; MAINLINE diagnostic input of I/O type AI, "Not faulty", directly to the COM output MAINLINE DIAGNOSTIC STATUS, "1=HEALTHY")]

The status of both variables is transferred to the DCS via outputs with location 'COM', which are allocated to the communication channel that the DCS is connected to.

Behavior of alarm markers
The behavior of the alarm markers is quasi-static. Normally, if no fault is present, the value of the markers is high. If a fault is detected, the corresponding alarm marker will become low. On subsequent faults the alarm marker will become high during one application program cycle of the FSC system (e.g. 300 ms) and then low again (see subsection 6.2). If the scan cycle of the DCS is larger than the FSC application program cycle, it is possible that any subsequent faults are not detected by the DCS. The FSC alarm marker is therefore connected to the output to the DCS via a delayed-off timer. Thus, a pulse on the alarm marker is extended to the configured timer value. To ensure detection by the DCS, the timer value must be larger than the DCS scan time.

Behavior of diagnostic inputs
The behavior of the diagnostic inputs is static. Normally, an I/O channel is healthy and the value of the corresponding diagnostic input is high. If the I/O channel becomes faulty, the diagnostic input will be low. It remains low until the fault is repaired and a fault reset has been given. The diagnostic input can therefore be connected directly to the output to the DCS.
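Why the delayed-off timer of Figure 7-6 is needed, as an added example that is not part of the manual: a Python model of the quasi-static alarm marker, the delayed-off timer, and a DCS that samples the COM output on its own scan. The 300 ms cycle and 800 ms timer are the values from the text and figure; the 500 ms DCS scan and the fault cycles are this example's assumptions.

```python
# Assumptions for the simulation (constructed): an FSC application program
# cycle of 300 ms as in the text's example, the delayed-off timer of 800 ms
# shown in Figure 7-6, and a DCS scan of 500 ms that samples the COM outputs.
FSC_CYCLE_MS = 300
TIMER_MS = 800
DCS_SCAN_MS = 500


def alarm_marker_trace(n_cycles: int, fault_cycles) -> list:
    """Quasi-static alarm marker per application cycle: 1 while no fault is
    present, 0 after the first fault, and 1 for exactly one cycle when a
    subsequent fault arrives while the marker is already low."""
    trace, faulted = [], False
    for cycle in range(n_cycles):
        if cycle in fault_cycles:
            trace.append(1 if faulted else 0)
            faulted = True
        else:
            trace.append(0 if faulted else 1)
    return trace


def delayed_off(trace: list, timer_ms: int, cycle_ms: int) -> list:
    """Delayed-off timer: the output follows a rising input immediately and
    stays high for timer_ms after the input has dropped, so a one-cycle pulse
    is stretched beyond the DCS scan time."""
    out, since_high_ms = [], None
    for v in trace:
        if v:
            since_high_ms = 0
            out.append(1)
        elif since_high_ms is not None:
            since_high_ms += cycle_ms
            out.append(1 if since_high_ms < timer_ms else 0)
        else:
            out.append(0)
    return out


def dcs_detects(trace: list, scan_ms: int, offset_ms: int,
                cycle_ms: int = FSC_CYCLE_MS) -> bool:
    """True if the DCS, sampling every scan_ms starting at offset_ms, sees the
    marker go low and then high again (the signature of a subsequent fault)."""
    seen_low = False
    t = offset_ms
    while t < len(trace) * cycle_ms:
        v = trace[t // cycle_ms]   # the FSC holds the COM output for a whole cycle
        if v == 0:
            seen_low = True
        elif seen_low:
            return True
        t += scan_ms
    return False


def detected_for_all_offsets(trace: list, scan_ms: int, step_ms: int = 100) -> bool:
    """Worst-case check over every phase of the DCS scan relative to the FSC cycle."""
    return all(dcs_detects(trace, scan_ms, off) for off in range(0, scan_ms, step_ms))


if __name__ == "__main__":
    raw = alarm_marker_trace(16, fault_cycles={2, 8})
    extended = delayed_off(raw, TIMER_MS, FSC_CYCLE_MS)
    print("raw marker       :", raw)
    print("after delayed-off:", extended)
    print("DCS sees 2nd fault (raw)     :", detected_for_all_offsets(raw, DCS_SCAN_MS))
    print("DCS sees 2nd fault (extended):", detected_for_all_offsets(extended, DCS_SCAN_MS))
```

The raw one-cycle pulse is missed by a 500 ms scan for some phases (e.g. an offset of 200 ms), while the 800 ms delayed-off output is seen for every phase; shrinking the timer below the DCS scan time reintroduces the gap.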

Section 8 – Wiring and 1oo2D Output Voting in AK5 and AK6 Applications

Note: This section is only applicable for FSC architectures using the 100x2/./. processor modules. If a 10020/1/1 Quad Processor Module (QPM) with dual processors is used, there are no restrictions.

Using standard wiring
The FSC architecture with redundant Central Parts and redundant I/O is a versatile configuration which may be used in applications of requirement classes AK1 up to AK6. In applications up to AK4, standard redundant I/O wiring is used. In applications of requirement class AK5, standard wiring can be used if the process runs under continuous operator surveillance, i.e. if the operator:
• is able to monitor the process, and
• is able to respond to achieve the safe process state within acceptable time.
For this purpose a pushbutton can be provided, connected to the ESD input of the watchdog module (10005/1/1), which the operator can use to shut down the FSC system.

Using special wiring
If the system is intended for safeguarding a non-surveilled process, DIN V VDE 0801-A1 requires that each Central Part by itself is able to shut down the process, independent of the status of the other Central Part. Furthermore, all AK6 applications with 100x2/./. processor modules require independent Central Part shutdown capability. This requires specific wiring of the outputs of the FSC system.

Single Central Part operation
Single Central Part operation in AK5 and AK6 is only allowed for a limited time (if a 10002/x/x or 10012/x/x CPU module is used).

Example
This section provides an example of how the outputs of an FSC configuration with redundant Central Parts and redundant I/O can be wired for non-surveilled applications in AK5 and for all applications in AK6 using the 100x2/./. processor modules.

FSC Safety Manual Section 8: Wiring and 1oo2D Output Voting in AK5 and AK6 Applications 111

Figure 8-1 shows the wiring principle. The figure shows cross-wiring of an output channel which each Central Part can use to de-energize the output channels of the other Central Part via the 24 Vdc emergency shutdown input of the watchdog module (10005/1/1). The 24 Vdc ESD input is switched via a normally closed relay contact. The relay must meet the requirements of DIN VDE 0116 part 8.7.4.5 and 8.7.4.6 of October 1989 (see subsection 7.4).

[Figure 8-1: Redundant I/O wiring in AK6 and non-surveilled AK5 applications (Central Part 1 and Central Part 2, each with CPU, COM and WDG; the SEC.SWITCH-OFF CP1 and SEC.SWITCH-OFF CP2 outputs on 10201/./1 modules, Safety = No, watchdog input at +5 V, each switching the +24 V ESD input of the other Central Part's watchdog module via a NC relay contact; process outputs on 10201/./1 modules, Safety = Yes, in the CP1 and CP2 I/O sections)]

Secondary switch-off
The output which is used to realize the ESD function is a dedicated system output, the 'secondary switch-off' (tag number: SEC.SWITCH-OFF). The name 'secondary switch-off' refers to the capability to switch off the outputs of the other Central Part via the secondary means of de-energization.

Important! The SEC.SWITCH-OFF output may not be used in the application program to initiate a shutdown at a user-specified condition.

During normal operation, the SEC.SWITCH-OFF output is low and the relay contact is closed. If a condition occurs which, for example, requires Central Part 2 to deactivate the outputs of Central Part 1, the SEC.SWITCH-OFF output is set to high, the relay contact is opened, and an emergency shutdown is effected on the watchdog module of Central Part 1. The outputs of Central Part 1 are de-energized via the watchdog output signal. Similarly, Central Part 1 is able to de-energize the outputs of Central Part 2.

The SEC.SWITCH-OFF output is allocated to a channel of a fail-safe output module (10201/./1) in the I/O section of the Central Part. A fail-safe output module is used to benefit from the FSC self-tests, which provide diagnostic information if faults are detected at the module. During the test, the switch-on capability of the output is also verified. The Central Part must be able to activate the SEC.SWITCH-OFF output, not only when running, but also while in shutdown. To enable activation of the output while in shutdown, the safety relation of the output module must be configured at 'No' and the watchdog input signal of this module must be connected to +5 V. Contrary to normal redundant I/O wiring, the outputs controlling the relays may not be wired in parallel. The remaining channels of the output module may be used to drive non-safety-related process output signals.

Section 9 – Fire and Gas Application Example

Application example
This section describes an application program for a Fire & Gas (F&G) application which is designed according to the requirements of EN-54 part 2, with the OVERRIDE and TEST options installed. Where applicable, references to the EN-54 part 2 standard are shown in italics in square brackets.

The status of the installation which is monitored and the status of the FSC system must be uniquely displayed [EN-54 part 2]. Within the complete example this is accomplished by the use of hardwired digital I/O signals which can drive LEDs or lamps. The FSC system does not support alphanumeric displays, so this option of EN-54 part 2 is not shown here. Another option is to have the display on a remote location, and communicate the status via the FSC-FSC communication link [EN-54 part 2]. Failure of the communication link must be alarmed [EN-54 part 2]. For details on configuring the FSC-FSC communication refer to Section 4 of the FSC Software Manual ("System Configuration").

The response time for automatic fire detectors resulting in the required outputs is 1 second [EN-54 part 2]. Please note that the sheet references in the functional logic diagrams must point to a higher FLD number, which means that they are used in the same application program cycle in order to get the best possible response time. The figures in this section are identified by a descriptive text and the functional logic diagram (FLD) number which is used in the sheet references.

Functional logic diagrams (FLDs)
The system alarm FLD (see Figure 9-1) covers the status indication for the redundant power supplies (PSU 1 and 2) [EN-54 part 2], the indication for an earth leakage alarm [EN-54 part 2] and the common failure alarm which is set in case of a failure of any component in the Fire & Gas detection system, including failures in the F&G detectors. The failures in the F&G detectors are handled on other FLDs, in this example in the FLD for each input loop as shown in Figure 9-2 [EN-54 part 2]. Function Block (FB) 912 handles the latching function for the alarm status, the alarm reset function and the lamp test function.

FSC Safety Manual Section 9: Fire and Gas Application Example 115

[Figure 9-1: System alarm (FLD 50). Inputs LAMPTEST "TEST", PSU-1 24VDC "NO FAILURE", PSU-2 24VDC "NO FAILURE", EARTH-LEAKAGE PSU'S, RESET-ALARM "RESET", the FSC-SYSTEM-FAULT system marker and the FAILURE LOOP 1..4 "COMMON ALARM" sheet transfers from FLDs 100, 150, 200 and 250; FB 912 latches each status; output COMMON-FAILURE "NO FAILURE"; sheet transfers to FLDs 501, 505, 510, 520 and 540.]

[Figure 9-2: Input loop 1 (FLD 100). Analog input LOOP-1 "FIRE LOOP" with its diagnostic input of I/O type AI "Not faulty", OVERRIDE-1 "OVERRIDE", TEST-1 "TEST" and RESET ALARM into FB 911; outputs ALARM-1 "ALARM", FAILURE-1 "FAILURE", OVERRIDE-1 "OVERRIDE"; sheet transfers ALARM LOOP 1 / FAILURE LOOP 1 / OVERRIDE LOOP 1 / TEST LOOP 1 "ALARM HORN" to FLDs 500, 501, 502, 503 and "COMMON ALARM" to FLDs 50, 540.]

Input loops
The example presented here has four input loops which could come from Fire & Gas detectors (the other FLD numbers are 150, 200, 250, but they are not shown here as they are identical to FLD 100). The output of the detectors can be a digital contact with loop-monitoring or an analog signal. The Fire & Gas detectors are connected using analog input modules. The function block 911 (FB-911) handles all functions that can be executed on an input loop [EN-54 part 2]. These functions are:
• Setting of alarm levels (in this example they are identical for all loops. In general, these settings are set per input loop, which means that the alarm level detection part of the FB must be transferred to the FLD of the input loop) [EN-54 part 2].
• Loop status (open loop, short-circuit) as determined via the system software of the FSC system [EN-54 part 2].
• Override for the input loop [EN-54 part 2].
• Test function for the input loop [EN-54 part 2].
All states are also transferred to other FLDs via sheet transfers to generate the common status indication and to drive the audible indications (horn) [EN-54 part 2].

Loop status
The loop status (operational status, failure status, override status and test status) is indicated on panel indications with an indication per status [EN-54 part 2].

Failure indication and override indication
In this example the failure indication and the override indication are done using separate digital outputs. It is possible to use the same digital output per channel but with different common outputs in order to distinguish uniquely between failure and override [EN-54 part 2].

Test function
The test function is implemented per input loop. The test function on one input loop may not override or prohibit detection of a fire or gas alarm on another input loop which is not in test or override [EN-54 part 2].

Monitoring for alarm status
The input loops are monitored for an alarm status. If an alarm status occurs, an audible alarm (horn) must also be activated [EN-54 part 2]. The example FLD in Figure 9-3 creates a common signal of the alarm status in order to activate the horn. If more than one alarm group is used in one Fire & Gas detection system, logic as shown in the diagram below is required for each alarm group. For each alarm in an alarm group, an entry to the top OR gate is required, as well as a cycle pulse and an entry to the bottom NOR gate. The cycle pulse logic for each loop combined in the NOR gate is required to activate the horn for every subsequent alarm in the same alarm group.

[Figure 9-3: Control of the alarm horn (FLD 500). ALARM LOOP 1..4 "ALARM HORN" from FLDs 100, 150, 200 and 250 into the top OR gate and the bottom NOR gate; output ALARM COMMON "ALARM HORN" to FLD 505.]

Monitoring for failure status
All components of the Fire & Gas system, including the input loops and output loops, are monitored for a failure status. Failures which must be covered are power supply failures and earth leakage failures. Depending on the application, other internal failures of the FSC system can also be covered by the common failure alarm. If a failure occurs, an audible alarm (horn) must also be activated, which has a different frequency than the Fire & Gas audible alarm [EN-54 part 2]. The example FLD in Figure 9-4 creates a common signal of the failure status in order to activate the failure horn. If more than one failure group is used in one Fire & Gas detection system, logic as shown in the diagram below is required for each failure group. An entry to the top OR gate is required for each failure in a failure group, as well as a cycle pulse and an entry to the bottom NOR gate. The cycle pulse logic for each loop combined in the NOR gate is required to activate the horn for every subsequent failure in a failure group [EN-54 part 2].

Figure 9-4 Control of the failure alarm horn (FLD 501)

Override function

Input sensors can go faulty during operation. To allow exchanging of a faulty input sensor without a constant Fire or Gas alarm, it is necessary to have an override function. The override function is also visually indicated on the operator panel. Although not required by the EN-54 part 2 standard, it is possible to generate an override audible alarm as indicated in the FLD shown in Figure 9-5. If more than one alarm group is used in one Fire & Gas detection system, logic as shown in the diagram below is required for each alarm group. An entry to the top OR gate is required for each override in an alarm group, as well as a cycle pulse and entry to the bottom NOR gate. The cycle pulse logic for each loop combined in the NOR gate is required to activate the horn for every subsequent override in the same alarm group.

Figure 9-5 Control of the override alarm horn (FLD 502)

Simulation

Fire & Gas sensors can go faulty during normal operation. In order to test the functionality of the sensors, a test function must be implemented which overrides the audible alarms. A simulation of fire or gas at the input sensor will generate the alarm indication but will block the audible indication. The test function is also visually indicated on the operator panel. Although not required by the EN-54 part 2 standard, it is possible to generate a test audible alarm as indicated in the FLD shown in Figure 9-6. If more than one alarm group is used in one Fire & Gas detection system, logic as shown in the diagram below is required for each alarm group [EN-54 part 2]. An entry to the top OR gate is required for each test in an alarm group, as well as a cycle pulse and entry to the bottom NOR gate. The cycle pulse logic for each loop combined in the NOR gate is required to activate the horn for every subsequent test operation in the same alarm group.

Figure 9-6 Control of the test alarm horn (FLD 503)

Cycle pulse

The signals controlling the horn are used to set the horn flip-flop via a cycle pulse [EN-54 part 2]. A cycle pulse must be used for each individual alarm group. If multiple alarm groups are used in a Fire & Gas detection system, these can be combined via an OR gate between the cycle pulse and the flip-flop. The horn flip-flops can be reset via a horn reset digital input signal [EN-54 part 2, alarm and failure requirements] (see Figure 9-7).

Figure 9-7 Control and acknowledge of the alarm horns (FLD 505)

Common alarm

The alarm indications for Fire or Gas alarm must be combined into a common alarm according to EN-54 part 2. This combination is shown in Figure 9-8 as a number of signals combined in an OR gate. The common alarm indication is combined with the lamp test function in order to test this visual indication too. The combination of Fire and Gas alarms into a common alarm must be done for each individual alarm group.

Figure 9-8 Control of the common alarm indication (FLD 510)

Common test indication

The indications that tests are executed for Fire or Gas detectors must be combined into a common test indication according to EN-54 part 2. This combination is shown in Figure 9-9 as a number of signals combined in an OR gate. The common test indication is combined with the lamp test function in order to test this visual indication too. The combination of Fire and Gas detector test indications into a common test indication must be done for each individual alarm group.

Figure 9-9 Control of the common test indication (FLD 520)

Common failure indication

The indications that failures have been detected in Fire or Gas detectors must be combined into a common failure indication according to EN-54 part 2. This combination is shown in Figure 9-10 as a number of signals combined in an OR gate. The common failure indication is combined with the lamp test function in order to test this visual indication too. The combination of Fire and Gas detector failure indications into a common failure indication must be done for each individual alarm group.

Figure 9-10 Control of the common failure alarm indication (FLD 530)

Common override indication

The indications that overrides have been made active for Fire or Gas detectors must be combined into a common override indication according to EN-54 part 2. This combination is shown in Figure 9-11 as a number of signals combined in an OR gate. The common override indication is combined with the lamp test function in order to test this visual indication too. The combination of Fire and Gas override indications into a common override indication must be done for each individual alarm group [EN-54 part 2]. The display of the common override signal can be done remotely using the FSC-FSC communication [EN-54 part 2] or via hardwired outputs using a digital output with loop-monitoring [EN-54 part 2].

Figure 9-11 Control of the common override indication (FLD 540)

Alarm sequence function block

The alarm sequence function block handles the control of all visual and audible indications associated with an input loop [EN-54 part 2]. For the example application, all alarm settings are identical, so the determination of the alarm levels is included in this function block, but they may differ depending on the fire & gas detector (see Figure 9-12). If the alarm levels are not the same for all input loops, the alarm detection should be included on the FLDs where this function block is called.

Figure 9-12 Alarm sequence function block (FLD FB-900)

The control of the indication is described via Function Block 912 (see Figure 9-13). This function handles the control of the indications and the control of the horn in case of the test function (alarms are passed but the horn is suppressed) and the override function (alarms and horn are suppressed).

Figure 9-13 Alarm latching, alarm reset and lamp test function block (FLD 912)

Function Block 912 (FB-912) controls the indication status of lamps. It contains a latching function for each status that needs to be indicated until a manually initiated reset (key switch) occurs [EN-54 part 2]. If the indication status is still active, it will return to the On status after a defined period (EN-54 part 2 defines < 20 seconds; the time in the diagram above is 1 second).
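The horn and lamp behaviour described for FLD 500, FLD 505 and FB-912 (cycle-pulse re-triggering for every subsequent alarm in a group, the horn reset, the return-to-On after an alarm reset, and the test and override modes), as an added scan-cycle simulation in Python that is not part of the manual or the FSC product; the gate arrangement, the one-scan cycle pulse on each loop's rising edge and the one-scan return delay are assumptions.

```python
"""Added example (not from the FSC manual): scan-cycle simulation of the alarm
horn logic (FLD 500/505) and the per-loop latching of FB-912.
Assumed model: a one-scan cycle pulse is the rising edge of a loop signal; the
horn flip-flop is SET when the group's common alarm is active AND a new pulse
is present, so every subsequent alarm in the same group re-sounds the horn;
RESET-HORN clears the flip-flop; after RESET-ALARM a lamp whose loop is still
active returns to On after RETURN_DELAY scans (1 s = 1 scan in Figure 9-13)."""


class AlarmGroup:
    RETURN_DELAY = 1  # scans before a still-active indication returns to On

    def __init__(self, n_loops):
        self.n = n_loops
        self.prev = [False] * n_loops   # previous scan, for the cycle pulse
        self.horn = False               # horn flip-flop (HORN-1 in FLD 505)
        self.lamp = [False] * n_loops   # latched indication per loop (FB-912)
        self.hold = [0] * n_loops       # return-to-On countdown per loop

    def scan(self, loops, override=None, test=None,
             reset_horn=False, reset_alarm=False):
        override = override or [False] * self.n
        test = test or [False] * self.n
        # FB-912: override suppresses alarm and horn; test passes the alarm
        # to the lamp but suppresses the horn.
        alarm = [s and not o for s, o in zip(loops, override)]
        to_horn = [a and not t for a, t in zip(alarm, test)]
        # Cycle pulse per loop (rising edge), combined through the NOR gate.
        pulse = any(cur and not old for cur, old in zip(to_horn, self.prev))
        self.prev = list(to_horn)
        # Horn flip-flop: reset input first, then set on common alarm AND pulse.
        if reset_horn:
            self.horn = False
        if any(to_horn) and pulse:
            self.horn = True
        # Lamp latching with manual reset and return-to-On.
        for i, a in enumerate(alarm):
            if reset_alarm:
                self.lamp[i] = False
                self.hold[i] = self.RETURN_DELAY
            elif self.hold[i] > 0:
                self.hold[i] -= 1
                if self.hold[i] == 0 and a:
                    self.lamp[i] = True
            elif a:
                self.lamp[i] = True
        return self.horn, list(self.lamp)


def run_scenario():
    """Constructed sequence of scans for a four-loop alarm group."""
    g = AlarmGroup(4)
    T, F = True, False
    steps = [
        dict(loops=[T, F, F, F]),                           # loop 1 alarms
        dict(loops=[T, F, F, F], reset_horn=True),          # horn acknowledged
        dict(loops=[T, T, F, F]),                           # loop 2: horn again
        dict(loops=[T, T, F, F], reset_horn=True),
        dict(loops=[T, T, T, F], test=[F, F, T, F]),        # loop 3 under test
        dict(loops=[T, T, T, T], test=[F, F, T, F], override=[F, F, F, T]),
        dict(loops=[T, T, T, T], test=[F, F, T, F], override=[F, F, F, T],
             reset_alarm=True),                             # lamps reset
        dict(loops=[T, T, T, T], test=[F, F, T, F], override=[F, F, F, T]),
    ]
    return [g.scan(**s) for s in steps]


if __name__ == "__main__":
    for n, (horn, lamps) in enumerate(run_scenario(), 1):
        print(f"scan {n}: horn={'ON ' if horn else 'off'} lamps={lamps}")
```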

Section 10 – Special Requirements for TÜV-Approved Applications

Requirements for TÜV approval

The FSC system can be used for those processes that require TÜV approval. The requirements for the safety applications are the following:

1. The maximum application program cycle time is half the process safety time. For example, the process safety time of a burner control system is 1 second in accordance with TRD-411 for boilers > 30 kW (July 1985) Table 1, TRD-412 (July 1985) Table 1 and DIN 4788 (June 1977) Part 2 Chapter 3. This implies that the application program cycle time must be 0.5 second or less. The application program execution time is limited to 0.5 seconds by hardware on the watchdog module, which means that the FSC system can be used without checking of the execution time for those applications that have a process safety time of 1 second or more. The application program cycle time is calculated by the compiler. It is listed in the log file (.LOG) produced by the compiler, and also shown on screen during translation.

2. If the FSC system detects a fault in its safety-related output hardware it is possible to de-energize part of the process instead of de-energizing all outputs. The de-energization of process parts or all outputs is fully implemented in the system software and cannot be influenced by the user (see also item 3). The de-energization depends on the output module type:
− 10201/1/1, 10201/2/1: Fail-safe digital output module (24 Vdc, 0.55 A, 8 channels). De-energization per group of output channels: Group 1: outputs 1, 2, 3, 4. Group 2: outputs 5, 6, 7, 8.
− 10205/1/1, 10205/2/1: Fail-safe analog output module (0(4)-20 mA, 2 channels). De-energization per channel.

− 10212/1/1: Digital output module (24 Vdc, 0.9 A, 16 channels). De-energization of group 1: outputs 1, 2, 3, 4 (these are the 4 fail-safe outputs).
− 10213/1/1, 10213/2/1: Fail-safe digital output module (24 Vdc, 2 A, 4 channels).
− 10213/1/2, 10213/2/2: Fail-safe digital output module (48 Vdc, 0.75 A, 4 channels).
− 10213/1/3, 10213/2/3: Fail-safe digital output module (110 Vdc, 0.32 A, 4 channels).
− 10214/1/2: Fail-safe digital output module (220 Vdc, 3 channels). De-energization of group 1: outputs 1, 2, 3.
− 10215/1/1, 10215/2/1: Fail-safe digital output module (60 Vdc, 0.67 A, 4 channels).
− 10216/1/1, 10216/2/1: Fail-safe loop-monitored digital output module (24 Vdc, 1 A, 4 channels).
− 10216/2/3: Fail-safe loop-monitored digital output module (48 Vdc, 0.5 A, 4 channels).
For the 4-channel fail-safe modules, de-energization is per group of output channels: group 1: outputs 1 to 4, or group 1: outputs 1, 2 and group 2: outputs 3, 4, depending on the module type. De-energization is only effected if safety-related outputs are configured to the faulty module.

3. If a complete safety-related module is detected faulty, a timer is started. This represents the interval time between the fault occurring and automatic system shutdown. When this timer expires, all outputs of the FSC system are de-energized. This timer can be set to the following values:
− Not used. The timer is not started, so an output fault may be present in the system without further action.
− 0 minutes. This results in immediate de-energization of all outputs in case of an output fault.
− 1 minute to 22 days.

4. If the FSC system detects a fault in its safety-related output hardware (see item 2 above), all outputs connected to the Central Part that controls the output module are de-energized via the watchdog module (10005/1/1) of that Central Part. If the output is located in a non-redundant I/O section, all outputs are de-energized via the watchdog module (10005/1/1).

The "interval time between faults" can be set using the 'System Configuration' option of FSC Navigator (Install \ Configuration). The setting of the watchdog and the safety time (the time in which all I/O tests are executed once) and the time between faults can be checked using the 'Monitor System' option of FSC Navigator (FSC system \ Sys info \ Parameters) (see Figure 10-1).

Figure 10-1 System parameters

5. If the FSC system detects a fault in its safety-related input hardware, the faulty input is set to low (off) for digital inputs and to bottom scale for the analog inputs. This represents the safe status for both digital and analog inputs. For analog signals this means that special configuration is required for reversed transmitters.

6. The watchdog module (10005/1/1) contains an emergency shutdown (ESD) input, independent of the CPU. For normal operation, the ESD input must be 24 Vdc. If the input is forced to 0 V, a Central Part shutdown and de-energization of the outputs are initiated.

7. For further details on I/O wiring, termination of I/O signals and power supply distribution refer to the FSC Hardware Manual.

8. The 24 Vdc to 5 Vdc DC/DC converter (PSU: 10300/1/1) has limited capacity. Larger FSC systems may require the use of more than one power supply unit (PSU). In that case, each additional PSU requires a watchdog repeater module (10302/1/1 or 10302/2/1) to monitor the 5 Vdc of the PSU which controls the WD input of all fail-safe output modules connected to that PSU. For details on power supply distribution and watchdog wiring (especially FSC architectures with redundant Central Parts and both redundant and single I/O) refer to the FSC Hardware Manual.

9. The M24-20 HE and M24-12 HE power supply units provide 24 Vdc as output voltage. If these power supply units are used, a watchdog repeater module must be placed to monitor the 24 Vdc voltage. This watchdog repeater may also be used to monitor the 5 Vdc of a second PSU (see item 8). Note: The 1200 S 24 P067 power supply does not require a watchdog repeater module.

10. To reduce the influence of disturbances on the power supply lines, all major metal parts (cabinet side walls, doors, swing frames, 19-inch racks, horizontal bus rack and flaps, etc.) must be grounded properly.

11. Grounding of the power supplies of the FSC system is only permitted for the 0 Vdc. Grounding of the +24 Vdc / +48 Vdc / +60 Vdc / +110 Vdc / +220 Vdc is NOT allowed, as an earth fault will result in an unsafe situation.

12. To maintain the separation between the external power supply (24 Vdc) and the internal power supply (5 Vdc), the wiring of these voltage levels must be physically separated. This can be obtained by using separate ducts and a separate power supply distribution.

13. All power supply inputs (except 110/230 Vac) require a power supply filter to be fitted immediately after the power supply input terminals.

14. The value of the voltage monitor analog input channels of the 10105/2/1 modules must be checked in the application software for the correct transmitter power supply range for the transmitters connected to that analog input module.

15. Do not use radio transmitting equipment within a radius of 1 m (3 ft) of the system cabinet when the doors are opened.

16. If the FSC system with 100x2 processor modules runs without operator surveillance, one of the following measures shall be taken:
− Inspection of the FSC system status if the FSC system application is fault free, at least once per 72 hours.
− Alarm indication of the FSC system (e.g. via DCS) if a fault is detected and subsequent inspection of the FSC system status within 72 hours after generation of the fault report.

17. Safety-related inputs require the use of fail-safe input modules (10101/1/1, 10101/2/1, 10101/1/2, 10101/2/2, 10101/1/3, 10101/2/3, 10102/1/1, 10102/2/1, 10102/1/2, 10105/2/1 or 10106/2/1) and fail-safe input sensors (transmitters). If the input sensors (transmitters) are not fail-safe, redundant sensors (transmitters) must be used. Refer to Appendix C of the FSC Software Manual ("Safety-related inputs with non fail-safe sensors") for further details.

18. If non fail-safe sensors/transmitters are used to realize safety-related inputs (see Appendix C of the FSC Software Manual), a maximum on time and a maximum discrepancy time must be configured. The maximum on time specifies the time that a signal can remain high before the system will regard the input as faulty. The maximum discrepancy time specifies the maximum time that redundant inputs may have different values before the system regards the input as faulty. Both the maximum on time and maximum discrepancy time should be configured according to the dynamic behavior of the input signal.

19. If non fail-safe transmitters are used to realize safety-related analog inputs (see Appendix C of the FSC Software Manual), a maximum discrepancy value must be configured. The value specifies the tolerable difference between the values of the transmitters before the system will regard the input as faulty.

20. The operating conditions of the FSC system shall not exceed the following ranges:
Operating temperature: 0 to 60°C (32 to 140°F)
Relative humidity: 5% to 95%, non-condensing
Vibration: 2.5 G (10-55-10 Hz)
Shock: 15 G (11 ms, 3 axes, both directions of the axis)
The operating temperature is measured on the diagnostic and battery module (DBM) in the Central Part rack. This location has a higher temperature than outside the cabinet, which results in a lower ambient temperature for the cabinet. Depending on the internal dissipation in the cabinet and the ventilation provided, a
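The checks of items 18 and 19 (maximum on time, maximum discrepancy time and maximum discrepancy value for redundant non fail-safe sensors), combined with the safe state of item 5 once an input is regarded as faulty, as an added Python illustration that is not part of the manual or of the FSC system software; the scan period, limit values, input traces and the voting of the two channels are constructed assumptions.

```python
"""Added example (not from the FSC manual): evaluating the limits of items 18
and 19 over sampled redundant inputs from non fail-safe sensors, and driving a
faulted input to the safe state of item 5 (low for digital, bottom scale for
analog).  Scan period, limits and the input traces are constructed sample
values; the voting of the two channels is an assumption, not an FSC setting."""


class RedundantDigitalInput:
    """Two non fail-safe digital sensors on one safety-related input."""

    def __init__(self, max_on_time_ms, max_discrepancy_time_ms):
        self.max_on = max_on_time_ms
        self.max_diff = max_discrepancy_time_ms
        self.on_ms = [0, 0]      # time each channel has been continuously high
        self.diff_ms = 0         # time the two channels have disagreed
        self.faulty = False      # latched until cleared by maintenance (assumed)

    def scan(self, a, b, dt_ms):
        """Return the validated input; a faulted input reads low (safe)."""
        if self.faulty:
            return False
        self.on_ms = [t + dt_ms if ch else 0 for t, ch in zip(self.on_ms, (a, b))]
        self.diff_ms = self.diff_ms + dt_ms if a != b else 0
        if max(self.on_ms) > self.max_on or self.diff_ms > self.max_diff:
            self.faulty = True
            return False
        return a and b   # assumed 2oo2 voting: both sensors must agree on "high"


class RedundantAnalogInput:
    """Two non fail-safe transmitters on one safety-related analog input."""

    def __init__(self, max_discrepancy_value, bottom_scale):
        self.max_diff = max_discrepancy_value
        self.bottom = bottom_scale
        self.faulty = False

    def scan(self, a, b):
        """Return the validated value; a faulted input reads bottom scale."""
        if self.faulty or abs(a - b) > self.max_diff:
            self.faulty = True
            return self.bottom
        return min(a, b)  # assumed: lower of the two; depends on the application


def run_digital():
    """Constructed trace: a short disagreement is tolerated, a longer one
    trips the 500 ms discrepancy-time check at a 100 ms scan period."""
    inp = RedundantDigitalInput(max_on_time_ms=2000, max_discrepancy_time_ms=500)
    trace = [(0, 0)] * 3 + [(1, 0)] * 3 + [(1, 1)] * 2 + [(1, 0)] * 7
    out, fault_scan = [], None
    for n, (a, b) in enumerate(trace, 1):
        out.append(inp.scan(bool(a), bool(b), 100))
        if inp.faulty and fault_scan is None:
            fault_scan = n
    return out, fault_scan


def run_analog():
    """Constructed 4-20 mA trace: a 1.2 mA discrepancy exceeds the 1.0 mA limit."""
    inp = RedundantAnalogInput(max_discrepancy_value=1.0, bottom_scale=4.0)
    trace = [(12.0, 12.3), (12.5, 12.9), (13.0, 14.2), (13.1, 13.2)]
    return [inp.scan(a, b) for a, b in trace], inp.faulty


if __name__ == "__main__":
    print(run_digital())
    print(run_analog())
```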

temperature difference of 20°C (39°F) is possible, which results in a maximum ambient temperature of 40°C (104°F). To minimize the temperature difference, forced ventilation with one or more fans can be applied. By using the temperature pre-alarm system variable, an alarm can be given if the internal temperature rises too high. For further details on the DBM refer to Section 4 of the FSC Software Manual ("System Configuration").

21. The storage conditions of the FSC hardware modules shall not exceed the following ranges:
Storage temperature: –25 to +80°C (–13 to 176°F)

22. Redundant power supplies must be connected to the FSC system in such a way that the redundant power supplies do not fail at the same time, e.g. by using diverse primary power sources (e.g. 220 Vac mains and a 24 Vdc from a battery backup).

Figure 10-2 Power supply

F&G applications

Fire and Gas (F&G) applications have the following additional requirements:

1. Each visual indication (alarm, failure) shall have its own dedicated digital output. This digital output may be a hardware output or a communication output, e.g. to a DCS system. Override and test status may be combined in one visual indication. No support for alphanumeric displays is available.

2. Detection of power supply failure (e.g. via a voltage-monitoring module) shall be part of the system design.

The protected side of the fuses is connected to the voltage-monitoring device in order to detect blown fuses. This can be realized as shown in Figure 10-2 above.

3. The Fire & Gas detection system shall have earth leakage monitoring/detection facilities.

4. Any faults in the Fire & Gas detection system shall be indicated visually, using a normally de-energized relay, or via a visual indication on a DCS display which is activated if the communication to the Fire & Gas detection system fails. This indication shall also be active if the Fire & Gas detection system has been switched off. Communication and loop monitoring failures must be alarmed.

5. Field inputs must have loop-monitoring (short-circuiting and open loop). Input module types that can be used are: 10102/1/1, 10102/2/1, 10102/1/2, 10105/2/1 and 10106/2/1.

6. Field outputs must have loop-monitoring (short-circuiting and open loop). Output module types that can be used are: 10216/1/1, 10216/2/1, 10216/2/3 and 10214/1/2. The FSC system performs loop testing of output channels allocated to 10216/1/1, 10216/2/1, 10216/2/3 or 10214/1/2 modules in groups of five modules per user-defined Process Safety Time. The test interval for each module shall not exceed 100 seconds. The number of 10216/1/1, 10216/2/1, 10216/2/3 and 10214/1/2 modules in a non-redundant I/O section shall therefore not exceed the number (5 ∗ 100 seconds) divided by the Process Safety Time. The number of 10216/1/1, 10216/2/1, 10216/2/3 and 10214/1/2 modules in redundant I/O sections shall not exceed the number (5 ∗ 100 seconds) divided by the 2 ∗ Process Safety Time.

7. Remote display of alarms, failures etc. may only be executed via interconnection of FSC systems using the FSC-FSC communication option or via hardwired outputs with loop-monitoring via the 10216/1/1, 10216/2/1, 10216/2/3 and 10214/1/2 digital output modules.

8. The field instruments, including panel instruments such as (key) switches, which are used in conjunction with the FSC system, must meet the requirements of the applicable parts of the EN-54 standard. Visual and audible indications shall be as per paragraph 3.2 of EN-54 part 2.

9. The FSC system is only the basis for an EN-54 compliant application. The responsibility for a full EN-54 compliant application lies with the person(s) responsible for configuring and application programming of the FSC system. The requirements of EN-54 which must be covered in the application program can be

found in section 9, which references the requirements that must be fulfilled in the application program.

10. For details on the mechanical construction requirements (cabinet, indications, horns) refer to EN-54 part 2 paragraph 3.2.


103 Unit ~. 70 Redundant Central Parts and redundant I/O. 107 Safety relation of variables. 83 Analog inputs. 15. 13 Functional ~. 105. 32 Objectives. 104. 4 Safety system Basic function. 33. 30 E/E/PES. 38 Functional logic diagrams (FLDs). 2. 79 Redundancy Analog inputs. 33 Overall. 76 Redundant input faults. 72 Digital inputs. 102. 130 Sensors/transmitters. 40 Connections to ~. 37 Process interface. 107 Shutdown at assertion of FSC alarm markers. 85 Safety-related system. 125 Response time. 13 Risk reduction measures. 41 Remote display. 46 AK5 and AK6 applications. 61 Safety standards. 46 SensAI diagnostic input. 33. 78 Sensor redundancy. 65 Multidrop networks. 41 Safety time. 129 And input faults. 15 Secondary switch-off. 10 Terminology. 16 Safety integrity level (SIL). 106. 64 Redundant FSC components Voting schemes for ~. 13 Safety lifecycle. 31 Phases. 24 Redundant communication. 65 Risk. 10 Safety classification. 38 Safety integrity Hardware ~. 83 Digital inputs. 30 RKE3964R device communication timeout. 95 S Safe failure. 36 FSC Safety Manual 138 Index . 35 Sequence of phases. 127 Safety-related inputs. 39 Safety system specification Approval of specification. 22 Redundant Central Parts and single I/O. 1. 40. 128 Sequence of phases of overall safety lifecycle. 41 Functionality.Index (continued) Q QMR. 35 Service. See: Quadruple Modular Redundant (QMR) Quadruple Modular Redundant (QMR) architecture. 32 Safety or ESD system Design phases. 35 Safety relation. 13 Safety. 40 Inventory of I/O signals. 40. 71 Power supplies. 65. 36. 26 Qualification. 38 Shutdown Emergency ~ (ESD). 70 Separation of voltage levels. 112 Self-tests. 38 Instrumentation related to ~. 70 Safety-related outputs And output faults. 39 Relations between inputs and outputs. 42 Connections. 111 Relation between ~ and FSC configurations. 20 Redundant Central Parts with redundant and single I/O. 12 Systematic ~. 103 Manual ~. 128 RAM mode. 35 Software. 83 Relations between inputs and outputs. 
83 Fault alarm. 131 Requirement class (AK). 103 R Radio interference. 66 Point-to-point networks. 47 RED. 36 Requirements for TÜV approval. 75.INPUT-FAULT alarm marker. 81 Safety-related non fail-safe inputs.

75 Slave. 54 Verification test report. 16 Test variable.SWITCH-OFF.PRE-ALARM alarm marker. 19 Single Central Part operation in AK5 and AK6. 46 Interval time between faults. 107 Unit shutdown outputs. 96 Fault alarm. 97 Standards. 106 Safety relation of outputs. 2. 46 System markers. 126 Timers (T) And calculation errors. 107 Configuration. 107 Process outputs (safety-related). 82 TÜV. 56 Voltage-monitoring. 57 Forcing of I/O signals. 88 System alarm FLD. 53 Application software. 64 System overview. 64 Timeout in FSC networks. 95 Special functions in FSC system. 130 Synchronization Analog inputs. 58 Specification of input and output signals. 1 System variables IO-FORCED. 130 FSC Safety Manual Index 139 . 51 On-line modification. 67 Timer in case of fault. See: Alarm markers System numbers in FSC networks. 69 T Tag numbers. 97 TRANSMIT. 2 TÜV approval. 104 Diagnostic inputs. 4 Storage conditions. 46 Requirement class. 47 Process safety time. See: Safety integrity level (SIL) Simulation. 47 Power-on mode. 89 Digital inputs. 67 SOE collecting devices And device communication faults. 115 System configuration parameters. 54 Verification of application. 105 Unit shutdown outputs. 105 Upgrading to latest version. 60 Systematic safety integrity. 96 Tested modules. 82 Fault alarm. 54 Time functions (in FLDs). 49 Square root of negative number. 54. 54. 96 Terminology Safety-related. 120 V Validation. 63. 2 Underwriters Laboratories (UL). 112 TEMP. 40 Timeouts FSC-FSC communication ∼. 105 Unit shutdown.Index (continued) SIL. 16 Verification log file. 128. 51. 46 Memory type. 69 Test data. 67 Multidrop communication link (master). 51. 67 Multidrop communication link (slave). 2 Unit relays. 67 Point-to-point communication link (master). 52 FSC database. 67 Networks. 54. 125 U UL 1998. 38 SEC. 64 Single FSC components Voting schemes for ~. 120 Single Central Part and single I/O. 102. 53 Functional logic diagrams (FLDs). 67 Point-to-point communication link (slave). 
54 I/O signal configuration. 54 Test function. 4 Standards compliance. 117. 111 Single fault-tolerant communication network. 10 Test data during verification. 53. 79 Transmitter faults.-FAULT alarm marker. 82 Tested modules. 79 Temperature alarm. 104 Application programming.

111 FSC Safety Manual 140 Index . 88. 76 Single components. 75. 90 1oo1. 76 Default ~ for redundant Central Parts.Index (continued) W Voting. 75 1oo2. 76 2oo4D. 76 Voting schemes. 127 Watchdog repeater (WDR). 75 Redundant components. 76 1oo2D. 47 On-line modification (OLM). 111 Fault detection and response. 75 Warm start. 75 1oo1D. 75 Default ~ for single Central Parts. 75. 48 Watchdog (WD). 76 2oo2D. 76 1oo2D output ~ in AK5 and AK6 applications. 76 2oo2. 128 Wiring and 1oo2D output voting in AK5 and AK6 applications.

READER COMMENTS

Honeywell Safety Management Systems welcomes your comments and suggestions to improve future editions of this and other documents. Comments can be sent by fax, by e-mail or by mail using this form. Please include your complete name, address and telephone number so that your comments can be acknowledged.

BY FAX: +31 (0)73-6219125 (attn. Worldwide Marketing dept.)
BY E-MAIL: sms-info@honeywell.com
BY MAIL: Honeywell Safety Management Systems B.V., Attn. Marketing Department, P.O. Box 116, 5201 AC 's-Hertogenbosch, The Netherlands

Title of Document: Fail Safe Control Safety Manual, Release 531 Rev. 00
Document Number: FS90-531
Issue Date: 03/2001
Writer: HSMS Worldwide Marketing

COMMENTS:

RECOMMENDATIONS:

Name:
Position:
Company:
Address:
Country:
Telephone:
Fax:
E-mail address:
Date:
