Fail Safe Control (FSC)

Specification and Technical Data
for FSC Releases 51x and 52x
FS75-510
11/99

Table of Contents

Introduction ........................................... 3
Features ............................................... 3
Functional Description ................................. 4
  Functional Overview .................................. 4
  Central Part ......................................... 5
  Input / Output Interfaces ............................ 6
  I/O Redundancy ....................................... 7
  Multiple-Sensor and Transmitter Configurations ....... 8
System Features ........................................ 8
  FSC System Configurations ............................ 8
  FSC 1oo2D concept .................................... 9
  FSC Navigator ....................................... 10
  Control Implementation .............................. 11
  FSC Diagnostics ..................................... 14
  Flash-Memory Operation .............................. 14
  Application Verification ............................ 14
  Power System ........................................ 15
  Write Protection .................................... 15
Physical Characteristics .............................. 16
Options ............................................... 18
  TPS Integration ..................................... 18
  PlantScape Integration .............................. 18
  Sequence-Of-Event Recording ......................... 19
  FSCSOE .............................................. 20
  Alarm Functions ..................................... 20
  On-Line Modification ................................ 20
  Safety Checker ...................................... 21
  I/O Signal Forcing .................................. 21
  Serial Communication with Process Computer Systems .. 22
  FSC Networking ...................................... 22
  Simulation .......................................... 23
Specifications ........................................ 24
References ............................................ 26
Model Numbers ......................................... 27

Figure 1 — FSC System Cabinet

Introduction
The Honeywell Fail Safe Control (FSC) system is a highly reliable, high-integrity
safety system for safety-critical control applications. As part of Honeywell's
TotalPlant Solution (TPS) system, integrated into PlantScape, or in stand-alone
applications, the FSC system forms the basis for functional safety, thus providing
protection of persons, plant equipment and the environment combined with
optimum availability for plant operation.

The FSC system is a user-programmable, modular, microprocessor-based safety
system which can perform a wide range of high-integrity process control and safety
functions, including:
• high-integrity process control,
• burner/boiler management systems,
• process safeguarding and emergency shutdown,
• turbine and compressor safeguarding,
• fire and gas detection systems, and
• pipeline monitoring.

The design of the FSC system is based on both qualitative and quantitative safety
system technologies.
From a qualitative perspective, the system continuously monitors the correct
operation of its hardware, thus ensuring that it is able to respond accurately to any
defined process demand. The system is also able to detect faults in field loops and
field equipment. The extensive system and field diagnostics support plant operators
in assessing the consequences of faults for process operation, and aid maintenance
engineers in locating and resolving detected problems efficiently and effectively.
High quantitative rating (optimal Mean Time Between Failure) is accomplished
through a redundant system architecture and the use of high-quality electronic
components and design methods.

Features
• Extensive system and field loop diagnostics
• Redundant architecture for optimum process availability
• Small footprint resulting in high number of I/O interfaces per floor space unit
• Fully integrated power supply concept including transmitter power supply
• On-line modification of control program
• Integrated event recording and alarming
• Distributed safeguarding through FSC networks
• Graphical engineering tool for application program design
• Automatic application program documentation.

The FSC system can easily be integrated into Honeywell's TPS system through the
FSC Safety Manager Module (FSC-SMM). The result is a powerful TPS safety
solution providing integrated operations and control, with a true TPS-based operator
window into the FSC system.
For detailed information on the FSC Safety Manager refer to the FSC-SM
Specification and Technical Data (FS03-500).

In addition to the TPS system, the FSC system can also be integrated directly into
the PlantScape system, Honeywell's scaleable hybrid process control system. A
dedicated FSC interface module enables FSC-related information to be exchanged
between FSC and PlantScape, thus allowing information to be shared and made
available on the PlantScape server displays.

Functional Description
Functional Overview
Figure 2 shows the basic architecture of the FSC system. Two major system parts
can be distinguished:
• the Central Part, and
• the Input/Output interfaces.

Figure 2 — FSC Basic Architecture (diagram). Central Part: Communication,
Control Processor and Watchdog, with a link to the redundant Central Part,
I/O access monitor, safety interlock, self-diagnostics and operating-condition
monitoring; communication interfaces and protocols to process computer systems,
printers and the FSC User Station; user programming. Input/Output interfaces:
Digital Input 24 Vdc - 60 Vdc, 120 Vac, [EEx ia] IIC; Analog Input 0 (4) - 20 mA,
0 (1) - 5 Vdc, 0 (2) - 10 Vdc; Digital Output 24 Vdc - 220 Vdc, 120 Vac,
[EEx ia] IIC; Analog Output 0 (4) - 20 mA.

Central Part
The Central Part (CP) is the heart of the FSC system. It is a modular microprocessor
system specifically designed for safety-critical applications which can be tailored to
the needs of any application. The most important Central Part modules are:
• the Control Processor module,
• the Watchdog module, and
• the Communication Processor module.

The Control Processor (Central Processor Unit) reads the process inputs and
executes the control program as created by the user in graphical Functional Logic
Diagrams (FLDs). The results of the control program are then transmitted to the
output interfaces. In FSC configurations with redundant Central Parts, the Control
Processors synchronize their operation through a dedicated communication link.
Continuous testing of the FSC hardware by the Control Processor ensures safe
control of the process and extensive system and process equipment diagnostics.

The Watchdog monitors the operation and the operating conditions of the Control
Processor. The operation of the processor is monitored by verifying if the processor
executes all its tasks within a precalculated time frame, which depends on the
configuration. The operating conditions monitored include the data integrity of the
processor memory and the voltage range of the supply power (both undervoltage
and overvoltage). If the Watchdog detects a fault in the operation of the Control
Processor or its operating conditions, it will deactivate the safety-critical output
interfaces of the FSC system, independent of the Control Processor status.

The Communication Processor allows the FSC system to exchange information
with other computer equipment via serial communication links. Each Central Part
can accommodate up to four communication modules, providing a maximum of
eight communication links per Central Part. Dedicated modules are available which
provide communication capabilities with other systems:
• the FSC Safety Manager Module (FSC-SMM), which integrates the FSC system
into the Universal Control Network (UCN) of Honeywell's TotalPlant Solution
(TPS) system, and
• the PlantScape Ethernet interface module, which integrates the FSC system into
Honeywell's PlantScape system.

Table 1 on the next page lists the equipment that the FSC system can communicate
with as well as the available physical interfaces and communication protocols.

All communication interfaces are galvanically or optically isolated.

If the FSC configuration contains redundant Control Processors, the system supports
redundant communication. Each Central Part then has its dedicated connection to
the communication peer system.

Table 1 — FSC Serial Communication Interfaces

Equipment                            Physical Interface              Protocol
-----------------------------------  ------------------------------  ------------------
Process Computers                    RS-232, RS-485, Current Loop    Modbus, RKE3964R
                                     UCN                             UCN Token Bus
PlantScape (1)                       Ethernet
Printers                             RS-232, Current Loop
FSC User Station                     RS-232, RS-485                  FSC-DS
FSC System and FSC Safety Manager    RS-485, Fiber Optic             FSC

(1) requires FSC Release 520 or higher.

Input / Output Interfaces
The FSC system provides a wide range of digital and analog input and output
interfaces, each with different characteristics to meet the demands of a wide range
of field equipment. Table 2 lists the input and output interfaces that are available in
the FSC system.

Table 2 — FSC Input and Output Interfaces

Digital Input     24 Vdc, 48 Vdc, 60 Vdc and 110 Vdc
                  24 Vdc (loop-monitored)
                  120-230 Vac
                  Class I, Division 2, Groups ABCD; Class II, Division 2, Groups FG
                  Class [EEx ia] IIC intrinsically safe (1)
Digital Output    24 Vdc, 48 Vdc, 60 Vdc and 110 Vdc
                  24 Vdc, 48 Vdc and 220 Vdc (loop-monitored)
                  120-230 Vac
                  Class [EEx ia] IIC intrinsically safe (1)
Analog Input      0-20 mA and 4-20 mA
                  0-5 V, 1-5 V, 0-10 V and 2-10 V
                  Class I, Division 2, Groups ABCD; Class II, Division 2, Groups FG
                  Resistance Temperature Device (RTD) (1)
                  Thermocouple, types E, J, K and T (1)
Analog Output     0-20 mA and 4-20 mA
                  Class I, Division 2, Groups ABCD; Class II, Division 2, Groups FG

(1) through external devices.

All FSC I/O modules contain galvanic or optical isolation between the input and
output circuitry and the FSC-internal supply power.
The fail-safe I/O modules support the diagnostic capabilities of the FSC system and
can be used for safety-critical monitoring and control functions. When used for such
applications, the system may be configured to respond automatically if it detects a
fault in its own hardware or in the field equipment. The fail-safe modules may also
be used for non safety-critical applications, which will then benefit from FSC's
diagnostic functions and fault-reporting capabilities.

I/O Redundancy
The input and output interfaces of the FSC system can be implemented in redundant
or non-redundant (single) configurations.

Redundant I/O configurations can be used in FSC systems with redundant Central
Parts. In this fully redundant configuration, each Central Part has its own I/O system
to which it has exclusive access. The result is a highly reliable fault-tolerant system.
Every program cycle, each Central Part reads its own input interfaces. After input
matching, both Central Parts execute the user-defined control program and update
their output interfaces according to the results. In addition, the Central Parts
compare the calculated output results to ensure identical operation. Redundant I/O
configurations are typically used for critical control and safety functions in
combination with the high reliability offered by this concept.

Non-redundant (single) I/O configurations can be used in systems with a
non-redundant Central Part as well as in systems with redundant Central Parts.
Fully non-redundant systems are typically used for safety applications where
redundancy is present in the process.
In FSC systems with redundant Central Parts, both Central Parts alternately assume
responsibility for the non-redundant I/O interfaces. This ensures that both Central
Parts can always access the I/O interfaces correctly. FSC configurations with
redundant Central Parts and non-redundant I/O interfaces are typically used for
critical control applications with medium demands for system availability, e.g.
because of redundancy in plant equipment.

An FSC system configuration may also comprise redundant Central Parts with a
combination of redundant and non-redundant I/O interfaces. Such configurations are
extremely powerful, with process control functions that demand high reliability
being controlled through the redundant I/O interfaces and less demanding control
functions through the non-redundant I/O interfaces.

The FSC system (both redundant and single I/O configurations) has been
TÜV-approved for AK6 applications, and is suitable for use in SIL 3 safety loops.

Multiple-Sensor and Transmitter Configurations
Unlike previous safety standards, the new IEC 61508 international standard not only
focuses on the safety system (called the "logic solver", e.g. the FSC system), but also
demands compliance of the field equipment with the Safety Integrity Level (SIL) of
the control loop. This may not always be possible. The control loop, for example,
may be rated SIL3 whereas a transmitter that measures one of the loop input
variables is only suited for levels SIL1 and SIL2. In such cases, the required level of
safety can be realized by using multiple sensors or transmitters.

The FSC system supports multiple input configurations for digital and analog input
signals. The multiple-input function allows the use of two or three sensors or
transmitters to measure the same process quantity. The resulting process value is fed
to the control program on the basis of one of the available standard matching
algorithms, e.g. 2-out-of-3 (2oo3). The FSC system monitors if discrepancies occur
between the values obtained from the independent sensors or transmitters, and
reports any detected faults through its diagnostics. The diagnostic status is also
available to the control program.
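The multiple-input matching described above, as an added Python model (not Honeywell code and not the FSC's own algorithm): three redundant channels are reduced to one process value by a 2oo3 median, disagreeing pairs are reported as discrepancies, and a channel flagged faulty by diagnostics is excluded so the voting degrades to 1oo2 and then 1oo1. The tolerance, the safe-direction rule for two disagreeing channels and the tag names are assumptions of this example.

```python
# Added example (not Honeywell code): a 2-out-of-3 (2oo3) analog input matcher
# of the kind the FSC multiple-input function provides for two or three
# transmitters measuring one process quantity.  The tolerance, the per-channel
# diagnostic flag, the safe-direction rule and the degradation 2oo3 -> 1oo2 -> 1oo1
# are this example's assumptions; the FSC's own matching algorithms are not
# documented on this page.
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional


@dataclass
class Channel:
    tag: str                # transmitter tag (constructed, e.g. "53PT-920A")
    value: float            # engineering value read from the analog input
    healthy: bool = True    # diagnostic status of the input interface / loop


@dataclass
class MatchResult:
    value: Optional[float]          # process value handed to the control program
    voting: str                     # "2oo3", "1oo2", "1oo1" or "none"
    discrepancies: List[str] = field(default_factory=list)  # disagreeing pairs
    faults: List[str] = field(default_factory=list)         # channels flagged faulty


def match_inputs(channels: List[Channel], tolerance: float,
                 safe_direction: str = "high") -> MatchResult:
    """Select one process value from up to three redundant channels.

    Channels already flagged unhealthy by diagnostics are excluded first.
    With three good channels the median is used, so a single drifting or
    failed transmitter cannot move the result (2oo3 behaviour), and the
    channel farthest from the median is reported as faulty when any pair
    disagrees by more than `tolerance`.  With two channels that disagree
    there is nothing to arbitrate, so the value in the safe direction is
    passed on (the higher value for a high trip, the lower for a low trip).
    The diagnostic status travels with the value, as the FSC makes it
    available to the control program.
    """
    res = MatchResult(value=None, voting="none",
                      faults=[c.tag for c in channels if not c.healthy])
    good = [c for c in channels if c.healthy]

    # pairwise discrepancy check, reported through diagnostics
    for i in range(len(good)):
        for j in range(i + 1, len(good)):
            if abs(good[i].value - good[j].value) > tolerance:
                res.discrepancies.append(f"{good[i].tag}/{good[j].tag}")

    if len(good) == 3:
        med = median(c.value for c in good)
        if res.discrepancies:
            outlier = max(good, key=lambda c: abs(c.value - med))
            res.faults.append(outlier.tag)
        res.value, res.voting = med, "2oo3"
    elif len(good) == 2:
        a, b = good
        if res.discrepancies:
            pick = max if safe_direction == "high" else min
            res.value = pick(a.value, b.value)
        else:
            res.value = (a.value + b.value) / 2.0
        res.voting = "1oo2"
    elif len(good) == 1:
        res.value, res.voting = good[0].value, "1oo1"
    # len(good) == 0: no valid input; the control program sees value None
    return res


if __name__ == "__main__":
    # constructed sample: transmitter C has drifted 30 bar high
    chans = [Channel("53PT-920A", 100.0), Channel("53PT-920B", 101.0),
             Channel("53PT-920C", 130.0)]
    print(match_inputs(chans, tolerance=2.0))
```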

System Features
FSC System Configurations
The FSC system is available in several configurations to suit virtually every process
control requirement. Table 3 lists the FSC system configurations that are available,
together with their main characteristics.

Table 3 — FSC System Configurations

Type        Control Processor   I/O Interface               Typical Application
----------  ------------------  --------------------------  ---------------------------------------------
Single      Non-redundant       Non-redundant               Critical process control with redundancy in
                                                            field equipment
Redundant   Redundant           Non-redundant               Critical process control with redundancy in
                                                            field equipment
Redundant   Redundant           Redundant                   Critical process control
Combined    Redundant           Redundant & Non-redundant   Burner/Boiler Management System with
                                                            FSC-controlled alarm panel; Fire & Gas

FSC 1oo2D concept
The redundant FSC configuration with both redundant Central Part and I/O
interfaces conforms to the 1oo2D system architecture as described in the IEC 61508
standard (see Figure 3 below).

The 1oo2D concept combines a high level of availability with a high level of safety
which is realized through the quad-voter output circuitry and system
self-diagnostics. The 1oo2D architecture consists of two parallel paths driving the
final element. Each path is primarily controlled by one of the Central Parts,
including an independent switch which is controlled by the Central Part's Watchdog
module. Furthermore, each Central Part is able to switch off the output channels of
the other Central Part through dedicated SMOD (Secondary Means Of
De-energization) hardware circuitry which is located on the FSC fail-safe output
modules.

The actual output control is determined on the basis of the high-coverage system
self-diagnostics. Each detected failure leads to controlled isolation of the faulty part
while ensuring optimum availability for continued plant operation.

Figure 3 — FSC 1oo2D concept (diagram). An ESD sensor feeds two input modules,
each connected to a Main Processor with its own Watchdog (WD); each processor
drives its own output modules, with SMOD cross-connections between the two
output paths forming a quad-voter that drives the final element.

The FSC 1oo2D concept is in full conformance with the quantitative analysis
methods as described in IEC 61508, and as such provides superior results when
compared to other system architectures. Studies have shown that the 1oo2D voting
scheme can realize a higher safety level than 2oo3 voting, thus achieving a
significantly better safety performance.
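A simplified decision model of the 1oo2D output structure described above, added here as Python for illustration (not Honeywell code, and not a description of the actual quad-voter wiring): two parallel paths, each gated by its own Central Part's Watchdog switch and by the peer's SMOD, and a voter that follows the 1oo2D rules of IEC 61508. The field names and the rule that an unallocatable discrepancy goes to the safe state are assumptions of this example.

```python
# Added example (not Honeywell code): a simplified decision model of the 1oo2D
# output structure.  Two parallel output paths drive one final element; each
# path is energized only when its own Central Part demands it and that Central
# Part's Watchdog switch is closed, and a healthy Central Part can de-energize
# the peer's path through SMOD.  The voting rules follow the 1oo2D description
# in IEC 61508 (a fault in both parts, or a discrepancy that diagnostics cannot
# allocate to one part, goes to the safe state); how the FSC quad-voter is
# actually wired is not documented on this page.
from dataclasses import dataclass


@dataclass
class CentralPart:
    name: str
    demand: bool       # control program result: True = energize the output
    watchdog_ok: bool  # Watchdog: task timing, memory integrity and supply voltage in range
    output_ok: bool    # self-diagnostics of this part's output channel (e.g. read-back)


def healthy(cp: CentralPart) -> bool:
    return cp.watchdog_ok and cp.output_ok


def smod_asserted(by: CentralPart, against: CentralPart) -> bool:
    """Secondary Means Of De-energization: a healthy Central Part switches off
    the peer's output channels once diagnostics show that channel is faulty."""
    return healthy(by) and not against.output_ok


def path_energized(own: CentralPart, peer: CentralPart) -> bool:
    """State of one of the two parallel output paths."""
    if not own.watchdog_ok:
        return False          # Watchdog switch opens independently of the CPU
    if smod_asserted(peer, own):
        return False          # faulty channel isolated by the peer
    return own.demand


def final_element_energized(cp1: CentralPart, cp2: CentralPart) -> bool:
    """Energize-to-run / de-energize-to-trip final element behind the voter."""
    h1, h2 = healthy(cp1), healthy(cp2)
    if not h1 and not h2:
        return False          # faults in both parts: safe state
    if h1 and h2 and cp1.demand != cp2.demand:
        return False          # outputs disagree and no part is diagnosed faulty: safe state
    # otherwise the healthy path(s) govern; an isolated fault does not trip the plant
    return path_energized(cp1, cp2) or path_energized(cp2, cp1)


def voting_state(cp1: CentralPart, cp2: CentralPart) -> str:
    """Degraded-mode label for the diagnostic display (names assumed)."""
    n = sum(1 for cp in (cp1, cp2) if healthy(cp))
    return {2: "1oo2D", 1: "1oo1 (one part isolated)", 0: "safe state"}[n]


if __name__ == "__main__":
    # constructed scenario: CP1's output channel is stuck on, CP2 demands a trip
    cp1 = CentralPart("CP1", demand=True, watchdog_ok=True, output_ok=False)
    cp2 = CentralPart("CP2", demand=False, watchdog_ok=True, output_ok=True)
    print(voting_state(cp1, cp2), "energized:", final_element_energized(cp1, cp2))
```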

FSC Navigator
FSC Navigator is a powerful software package that runs on IBM-compatible PCs
with the Microsoft Windows 95 or 98 operating system. It provides a Windows-
based user interface with the FSC system and supports the user in performing a
number of design and maintenance tasks (see Figure 4 below).

Figure 4 — FSC Navigator

FSC Navigator's design and implementation features include:
• intelligent user interface, presenting menu items only when applicable,
• database import and export,
• automatic control program documentation,
• FLD revision control,
• application verification, to ensure that the FSC configuration and control
program are in accordance with user definition,
• verification of safety consistency of FSC application (optional feature in
FSC R510 and higher), and
• easy loading of system software and control program into flash memory
(requires FSC R510 or higher).

FSC Navigator's maintenance support features include:
• live viewing of FLD execution,
• detailed monitoring of process signal behavior,
• collection of diagnostics of FSC systems, automatically or on user demand,
• diagnostic message storage, with user-definable browsing functions, and
• forcing of FSC input and output interfaces.

Control Implementation
The FSC system's safety-critical control functions (contained in the control
program) are determined by the safety functions assigned to the system for the
specific application. The FSC user software supports the design of the control
program by the user.
The control functions are defined via graphical Functional Logic Diagrams
(IEC 61131-3: Continuous Function Charts). Figure 5 below shows an example of a
Functional Logic Diagram (FLD).

Figure 5 — Functional Logic Diagram (FLD). Example sheet DEMO_1 of unit 5300:
main line pressure 53PT-920 with a high alarm at 110 bar and a low alarm at
75 bar, main line temperature 53TT-900, main line flow 53FT-700 with alarms at
75 % and 30 % behind 30 s timers, and a lamp test from 53HS-101; the information
area at the bottom is the Honeywell SMS BV title block (first issue dated 30-5-1997).

An FLD is split into four main areas:
• the information area (bottom) (on printouts only),
• the input area (left),
• the control function area (center), and
• the output area (right).

The FLD information area, at the bottom of the FLD, is included on printouts, and
provides information to identify the Functional Logic Diagram, including revision
data.

The FLD input area, on the left-hand side of the FLD, contains all the variables
that serve as the input to the control function. Input variables may originate from the
field equipment or from other computer equipment (process computer, FSC).

Special input functions are provided for:
• the diagnostic status of the FSC I/O interfaces,
• the status of field loops, and
• system alarm summary, e.g. temperature pre-alarm or device communication
failure.

Data can be exchanged between FLDs via sheet transfer functions. This allows a
structured design of complex functions across multiple diagrams.

Table 4 below lists the input functions that are available in FSC functional logic
diagrams, together with their source.

Table 4 — FLD Input Functions

Input Type           Source
-------------------  ----------------------------------------------------------
Analog Input         Field Equipment
Boolean Input        Field Equipment, Process Computer, FSC, FSC Safety Manager
Numerical Input      Field Equipment, Process Computer, FSC, FSC Safety Manager
Diagnostic Input     Diagnostic status of FSC fail-safe I/O interfaces
Loop Status Input    Field loop status of FSC I/O interfaces with loop monitoring
System Alarm Input   FSC Control Processor
Sheet Transfer       Other FLDs

The FLD control function area, which is the central area of the FLD, contains the
actual implementation of the control function. The function is realized by
interconnecting predefined symbols which provide a variety of functions including
logical, numerical and time-related functions.

Apart from these standard functions, user-definable blocks are supported:
• Function Blocks — standard FLDs for repetitive use within the control program,
and
• Equation Blocks — for tabular definition of complex functions, e.g. non-linear
equations.

Table 5 lists the control functions that are available in FSC functional logic
diagrams.

Table 5 — FLD Control Functions

Data type conversion functions     INT → SINT
                                   DINT → INT, SINT
                                   REAL → DINT, INT, SINT
Boolean functions                  Boolean Constant, AND, OR, XOR, NOT, NAND, NOR,
                                   XNOR, flip-flop set and reset dominant
Arithmetical functions             Numerical Constant, AND filter, ADD, SUB, MUL,
                                   DIV, SQR, SQRT
Comparison functions               EQ, NEQ, GT, GTE, LT, LTE
Regulatory control functions       PID
Timer functions (with constant     Pulse, Pulse-retriggerable, Delayed-ON,
or variable time value)            Delayed-OFF, Delayed-ON memorize
Count & storage functions          Counter, Register
User-definable blocks              Equation Block, Function Block

The supported data types are: boolean, integer (-2^32...2^32-1), real
(-10^38...10^38) and BCD (0...10^8-1, for interface functions).

The FLD output area, on the right-hand side of the FLD, contains the results of the
control function. These variables may be used to drive the field equipment or may
be transferred to other computer equipment, e.g. a process computer or another FSC
system.

Table 6 lists the output functions that are available in FSC functional logic
diagrams, together with their destination.

Table 6 — FLD Output Functions

Output Type        Destination
-----------------  ----------------------------------------------------------
Analog Output      Field Equipment
Boolean Output     Field Equipment, Process Computer, FSC, FSC Safety Manager
Numerical Output   Field Equipment, Process Computer, FSC, FSC Safety Manager
Sheet Transfer     Other FLDs

FSC Diagnostics
FSC's continuous self-tests enable the system to collect valuable information on the
diagnostic status of its own hardware and the field equipment. The system uses this
information to ensure uninterrupted functional safety of the plant. In addition, the
system provides the diagnostic information to the user, via the diagnostic displays of
FSC Navigator. Through its diagnostics, the FSC system supports maintenance
engineers in locating and resolving failures effectively, thus reducing the Mean
Time To Repair (MTTR) and minimizing the risk of a plant trip.

If the FSC system is integrated into the TPS system, the FSC diagnostics are also
available at the TPS operator stations (US, UXS, GUS).

Flash-Memory Operation
FSC Releases 510 and higher support the use of flash memory to store all
system-related software. This feature combines the flexibility of RAM with the data
integrity of EPROM. It allows direct downloading of the system firmware, system
software, application software and system configuration from the FSC user station
to the FSC system. This eliminates the need of making new EPROMs and
exchanging them with EPROMs on modules in the running cabinet, which is a
laborious procedure. This functionality is in full accordance with TÜV approvals,
and is protected against unauthorized use by a password and key-lock protection
mechanism.

Another advantage of flash-memory operation is that it reduces the time to do an
on-line modification (OLM). After the first full download, only the changes will be
loaded after a modification. This should not be confused with the 'download
changes' option that other vendors are offering. The FSC system allows you to
download unlimited changes, even in a running installation while continuing plant
operation in a safe manner.

Flash-memory operation requires special hardware modules that support this
feature. Existing systems can be upgraded to support flash-memory operation. This
can be done on-line for FSC Releases 400 and higher.

Application Verification
FSC Navigator has a powerful feature that allows the user to compare the control
program in the FSC system with the application databases on the FSC user station.
This feature can be used in two ways: as a project verification tool, or as a revision
control tool.

If used as a project verification tool, the verification option will confirm that no
translation or transfer faults have occurred to the control program. FSC Navigator
will then compare the translated control program as it is present in the FSC system
with the FSC databases and functional logic diagrams (FLDs) that are stored on the
FSC user station. This allows the user to verify that the defined control program has
been loaded correctly. This verification process is part of the safety lifecycle as laid
down in IEC 61508 and ISA S84.

As a revision control tool, the verification option is used to compare different
versions of the control programs in the FSC system and the FSC user station
(management of change). This option is typically used to list all the differences
(modifications) between the 'old' version, which is stored in the FSC system, and the
'new' version, which is stored on the FSC user station. This method can be used to
check if all modifications have been implemented correctly.

All differences found between the control program in the FSC system and on the
FSC user station are recorded in a verification log file, which can be viewed on
screen, printed or saved to disk for further analysis.

Power System
Reliability of process data depends on the reliability of all related hardware of the
process loop, i.e. sensing device, I/O wiring, I/O channel hardware and the required
power supply voltages. Where possible, the FSC system provides the supply power
to the electronics of the entire loop, including the field instrumentation. The result is
a fully integrated solution for reliable (safety) data gathering and related
safeguarding actions, with the following advanced features:
• electronically short-circuit proof,
• loop-monitoring for short-circuiting and lead breakage, and
• checking of the operational band of analog transmitters.

Where other systems require linkage of several externally mounted parts to establish
the entire data collection chain, the FSC solution offers the fully integrated and
tested loop approach as demanded by IEC 61508.

Write Protection
To maintain safe and reliable operation of the FSC system, the system does not
allow direct write access to its hardwired I/O via communication links. Write
requests, which are received via the serial communication links or the FSC Safety
Manager Module, are passed on to the FSC control program via dedicated boolean
and numerical inputs. The inputs appear in the input area of the Functional Logic
Diagrams, where the conditions for write access have been defined.
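The write-protection pattern described above, modelled here in Python as an added illustration (not Honeywell code): a write arriving over a communication link is only ever stored as a dedicated communication input in the FLD input area, and a small FLD-like control program decides under which field conditions that input changes an output. The tag names, the permissive conditions and the request format are assumptions of this example.

```python
# Added example (not Honeywell code): the FSC write-protection model.  A write
# received over a serial link or from the FSC-SMM never touches a hardwired
# output directly; it only sets a dedicated boolean or numerical communication
# input, and the control program decides whether and when to act on it.
# Tag names, permissive conditions and the request format are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Union

Value = Union[bool, float]


@dataclass
class WriteRequest:
    link: str        # communication link the request arrived on, e.g. "Modbus"
    tag: str         # communication input the peer system wants to set
    value: Value


@dataclass
class SystemState:
    comm_inputs: Dict[str, Value] = field(default_factory=dict)  # FLD input area
    outputs: Dict[str, Value] = field(default_factory=dict)      # hardwired outputs
    log: List[str] = field(default_factory=list)                 # diagnostic messages


# Communication inputs that exist in the FLD input area (assumed configuration);
# anything else, in particular an output tag, is not a valid write target.
COMM_INPUTS = {"SP_REMOTE": float, "RESET_REMOTE": bool}


def receive_write(state: SystemState, req: WriteRequest) -> bool:
    """Communication layer: accept a write only into a configured comm input."""
    if req.tag not in COMM_INPUTS or not isinstance(req.value, COMM_INPUTS[req.tag]):
        state.log.append(f"REJECTED {req.link}: {req.tag}={req.value!r} is not a comm input")
        return False
    state.comm_inputs[req.tag] = req.value
    state.log.append(f"ACCEPTED {req.link}: comm input {req.tag}={req.value!r}")
    return True


def control_program(state: SystemState, field_inputs: Dict[str, Value]) -> Dict[str, Value]:
    """One program cycle of an FLD-style permissive (assumed logic).

    - SP_ACTIVE follows SP_REMOTE only while the local key switch allows
      remote changes, no trip is active and the value lies in 0..100 %.
    - A remote trip reset is a pulse that is honoured only when the process
      variable is back below the trip limit, so a peer system cannot reset a
      standing trip; the trip itself is latched on the field condition alone.
    """
    out = state.outputs
    out.setdefault("SP_ACTIVE", 50.0)
    out.setdefault("TRIP", False)

    permit_sp = bool(field_inputs["KEY_REMOTE_ENABLE"]) and not out["TRIP"]
    sp = state.comm_inputs.get("SP_REMOTE")
    if sp is not None:
        if permit_sp and 0.0 <= sp <= 100.0:
            out["SP_ACTIVE"] = sp
        else:
            state.log.append(f"IGNORED SP_REMOTE={sp!r}: permissive not met")

    reset = state.comm_inputs.pop("RESET_REMOTE", False)   # pulse, consumed each cycle
    pv, limit = field_inputs["PV"], field_inputs["TRIP_LIMIT"]
    if pv > limit:
        out["TRIP"] = True
    elif reset:
        out["TRIP"] = False
    return out


if __name__ == "__main__":
    # constructed session: a process computer tries to write the output directly,
    # then the proper comm input, with the key switch in the local position
    s = SystemState()
    receive_write(s, WriteRequest("Modbus", "SP_ACTIVE", 80.0))
    receive_write(s, WriteRequest("Modbus", "SP_REMOTE", 80.0))
    control_program(s, {"KEY_REMOTE_ENABLE": False, "PV": 40.0, "TRIP_LIMIT": 90.0})
    print("\n".join(s.log), s.outputs)
```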

Physical Characteristics
The hardware modules of the FSC system can be split into three basic groups:
• Central Part modules,
• I/O modules, and
• Field Termination Assembly (FTA) modules.

The Central Part modules are constructed on a European standard size instrument
card. The height of the front panel of the modules is 3 HE (3U), their width is 4 TE
(4 HP). (COM, DBM and PSU modules are 8 TE wide.) The Central Part modules
are placed in standard 19" racks which are generally located in the top section of the
cabinet.
The Central Part interfaces with the I/O system through a Vertical Bus (V-bus),
which is a flatcable that runs vertically in the FSC cabinet. The V-bus is controlled
by the Vertical Bus Driver (VBD) module, which is located in the Central Part
rack.

Figure 6 — Front View of Typical FSC System with Redundant Central Parts
and both Redundant and Non-Redundant I/O (diagram). Central Part 1 and
Central Part 2 racks each hold CPU, SMM, COM, WD, VBD, DBM and PSU modules,
with RESET and ENABLE controls; below them, redundant I/O racks on a redundant
V-bus and non-redundant I/O racks on a non-redundant V-bus, each rack with its
HBD module.

Each of the I/O racks contains a Horizontal Bus Driver (HBD) module, which
connects to the V-bus. The HBD module drives the Horizontal Bus (H-bus), which
relays the signals from the V-bus to the I/O modules via a flatcable. The H-bus
module is located on top of each I/O rack. The horizontal bus and the flatcables are
covered with a sheet steel cover which provides optimum EMC/RFI immunity. The
cover plate contains a paper strip which holds the relevant process tagging for signal
identification.

The I/O modules are constructed on a European standard-size instrument card. The
height of the front panel of the modules is 3 HE (3U), their width is 4 TE (4 HP). A
total of 18 I/O modules can be placed per I/O rack. All I/O modules are equipped
with standard 32-pin DIN 41612F connectors. All I/O racks are provided with an
I/O backplane which contains matching 32-pin connectors with key-coding to
prevent misinsertion of the I/O modules.

The I/O backplane consists of a multilayer PCB, with one layer being an earth
plane to improve EMC/RFI immunity. The front side of the I/O backplane contains
the Eurocard connectors to install the I/O modules and the HBD module(s). At the
back, the I/O backplane provides female connectors for the system interconnection
cables (SICs), which also connect to the FTA modules. The back side also provides
programming connectors which allow the I/O interfaces to be tailored to the specific
signal characteristics of the field equipment, e.g. Analog Input, 2-10 Vdc.

Field Termination Assemblies (FTAs) are used to connect the field wiring to the
FSC input and output interfaces. FTA modules are 70 mm (2.76 in) wide, and their
length varies between 110 mm and 200 mm (4.33 and 7.87 in), depending on the
FTA type. The modules are mounted on standard DIN EN rails (TS32 or TS35 x
7.5).

An FTA may contain electronic circuitry to convert standard FSC signals to the specific
signal characteristics required by the field equipment. Two types of FTAs are
available, which allow the field cables to be connected in two different ways: via
Elco connectors or via terminals (see Figure 7).

[Figure 7 residue removed; panels: Elco-type FTA (left) and Terminal-type FTA (right), with terminal numbering 1 to 50]

Figure 7 — Example of Elco and terminal FTA types

Fail Safe Control (FSC  )


Specification and Technical Data
FS75-510
Page 18 11/99

Options
TPS Integration
The FSC system may be integrated into the Honeywell TotalPlant Solution (TPS)
system. The integration is realized through the FSC Safety Manager Module
(FSC-SMM) interface card, which is placed in the Central Part of the FSC system.
The FSC-SMM provides a bridge between the FSC control processors and the TPS
system to exchange information, which integrates FSC's critical control program
into the advanced control strategies of the TPS system.

The FSC-SMM supports the following TPS point types: DI, DO, Digital Composite
(DC), AI, AO, Logic, Flag, Numeric and Timer. As a member of the Universal
Control Network (UCN) it shares important features with its UCN peers, including:
• direct peer-to-peer communication with other UCN nodes, e.g. PM, APM, HPM
and FSC-SM,
• communication with operators, engineers and maintenance personnel at the TPS
operator stations,
• support of higher-level control strategies through communication with
Application Modules and host computers on the Local Control Network,
• FSC-SMM database restoration from the History Module, and
• sequence-of-event reporting for Digital Inputs.

For detailed information on the FSC Safety Manager refer to the FSC-SM
Specification and Technical Data (FS03-500).

PlantScape Integration
FSC Release 520 introduces the integration of FSC into PlantScape, which
combines Honeywell's field-proven safety controller with its equally reliable hybrid
control system. The integration is realized through the FSC-PlantScape Ethernet
interface module, which is placed in the Central Part of the FSC system. This
dedicated interface module makes FSC an integrated part of the PlantScape system
architecture, which means that FSC-related information can easily be exchanged
between FSC and PlantScape. This allows information to be shared and made
available on the PlantScape server displays.

FSC R520 integrates the sequence-of-event (SOE) features as supported by the FSC
controller into the PlantScape system. FSC supports SOE for digital inputs and
outputs, analog inputs and outputs, and marker points. Each tag name that has been
"SOE-enabled" is time-stamped by the FSC controller and reported to the
PlantScape server, where it is incorporated into the standard PlantScape SOE table.
Standard SOE displays are available to view the events as they are reported.
FSC integration into PlantScape requires PlantScape release 300 or higher.


Sequence-Of-Event Recording
The FSC system contains an integrated sequence-of-event recording (SER) function,
which allows the system to detect and record events that indicate or may cause
deviations from normal process operation. Examples of such events are:
• change of state of a valve limit switch,
• steam pressure becoming too high,
• maintenance override effected by a maintenance engineer,
• faults in the field (e.g. open transmitter loop), and
• faults in FSC input/output interfaces.

Once per program scan, the FSC system inspects all defined process quantities, both
digital and analog, for a change of state, in line with the execution of the control
program. An event is logged for any changed process quantity, in an event buffer
that resides within the system. Events that result from operator interaction or from
detected faults are logged as soon as they are handled by the system. The integrated
list of the detected exceptions thus provides excellent information for post-mortem
analysis of abnormal process behavior, in line with the 'traceability requirements' of
IEC 61508.

The logged events are reported to event management systems through the FSC
system's communication interfaces. Events may be reported to:
• a line printer or matrix printer for direct reporting on paper, or
• a process computer for incorporation of the events into an overall event journal,
or
• a personal computer running Honeywell's dedicated FSCSOE event management
software package, which allows users to view and analyze (anomalous) process
events.

Until events have been successfully reported, the FSC system maintains the logged
events in its internal event buffer, which may contain at least 448 events. If the
number of detected events exceeds the buffer capacity, all subsequent events are
ignored. This will ensure that the start of a plant upset is preserved for post-mortem
analysis. If the FSC event buffer overflows as a result of communication failures
with the event management system, the FSC system will start overwriting events
older than four hours.
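The retention rules above, as an added Python model that is not FSC firmware and not Honeywell's code: a buffer that ignores new events once it is full, but evicts entries more than four hours old when the link to the event management system has been down that long. The 448-event capacity is the minimum stated above; reading "overwriting events older than four hours" as evicting the oldest buffered event when it is more than four hours older than the incoming one is an assumption, as are the tag names and timestamps in the constructed scenario.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List

BUFFER_CAPACITY = 448          # minimum number of events the FSC buffer holds (from the spec)
OVERWRITE_AGE_S = 4 * 3600     # events older than four hours may be overwritten


@dataclass(frozen=True)
class Event:
    timestamp: float   # seconds on the controller clock (constructed values below)
    tag: str
    state: str


class EventBuffer:
    """Hypothetical model of the FSC retention policy, not the controller's own code.

    Events stay buffered until report() hands them to the event management system.
    Once the buffer is full a new event is ignored, so the first events of a plant
    upset survive for post-mortem analysis. The exception (assumed interpretation):
    when the oldest buffered event is more than OVERWRITE_AGE_S older than the new
    one, reporting has evidently been failing for hours and the oldest is overwritten.
    """

    def __init__(self, capacity: int = BUFFER_CAPACITY, overwrite_age: float = OVERWRITE_AGE_S):
        self._events: Deque[Event] = deque()
        self.capacity = capacity
        self.overwrite_age = overwrite_age
        self.ignored = 0      # events dropped because the buffer was full
        self.overwritten = 0  # stale events evicted after a long communication failure

    def log(self, event: Event) -> bool:
        """Store the event; return False if it had to be ignored."""
        if len(self._events) < self.capacity:
            self._events.append(event)
            return True
        if event.timestamp - self._events[0].timestamp > self.overwrite_age:
            self._events.popleft()
            self.overwritten += 1
            self._events.append(event)
            return True
        self.ignored += 1
        return False

    def report(self, max_events: int) -> List[Event]:
        """Hand over the oldest events; they leave the buffer only on successful reporting."""
        count = min(max_events, len(self._events))
        return [self._events.popleft() for _ in range(count)]

    def oldest(self) -> Event:
        return self._events[0]

    def __len__(self) -> int:
        return len(self._events)


def simulate_link_outage() -> dict:
    """Constructed scenario: the reporting link is down while 448 events are logged
    one second apart; two more events arrive one hour and six hours after the first."""
    buf = EventBuffer()
    for i in range(BUFFER_CAPACITY):
        buf.log(Event(timestamp=float(i), tag=f"PT{i % 100:03d}", state="HI"))
    kept_one_hour_later = buf.log(Event(3600.0, "XV001", "CLOSED"))        # ignored: buffer full
    kept_six_hours_later = buf.log(Event(6 * 3600.0, "XV002", "CLOSED"))   # overwrites the oldest
    return {
        "buffered": len(buf),
        "ignored": buf.ignored,
        "overwritten": buf.overwritten,
        "kept_one_hour_later": kept_one_hour_later,
        "kept_six_hours_later": kept_six_hours_later,
        "oldest_timestamp": buf.oldest().timestamp,
    }


if __name__ == "__main__":
    print(simulate_link_outage())
```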

Advanced features of the FSC sequence-of-event recording function include:
• centralized event reporting in distributed safety networks, and
• event reporting to redundant event management systems.


FSCSOE
FSCSOE is a Windows-based application that records and logs process events
detected by Event Detecting Devices (EDDs). Events can be viewed on-line, while
being retrieved from the connected FSC system(s), or post-mortem from disk. This
allows easy analysis of anomalous process events.

Events are displayed on screen in user-defined formats, and they can also be printed
at any printing device supported by Microsoft Windows. FSCSOE retrieves the
events from the FSC system(s) via serial communication links. A maximum of four
independent links are supported simultaneously.

FSCSOE allows on-line modification of the network/variable configuration while
event recording continues. It can also send event data to, or receive data from,
various Distributed Control Systems (DCSs).

Alarm Functions
The FSC system contains a number of integrated standard alarm functions, which
comply with the ISA S18.1 standard for annunciator sequences:
• first-up (TFS) with single or dual flash frequency,
• basic flashing (AF),
• manual lamp reset (AM),
• flasher reset (FR),
• flasher / lamp reset (FRM),
• ringback (AR),
• double audible ringback (ARR).

The first-up alarm function may be split into two parts: an alarm-detecting part and
an alarm-display part. The two parts may be implemented in different FSC systems
which are interconnected in a distributed safety network. This allows alarms that are
detected by independent FSC systems to be combined in the same first-up alarm
group.

The alarm-detecting part or the alarm-display part may also be located in a process
computer. The two parts are then connected through data exchange via the
communication link between the FSC system and the process computer.

On-Line Modification
On-line modification (OLM) is a TÜV-approved FSC system option that is
supported by FSC configurations with redundant Central Parts. It enables
modification of the application software, system software and FSC hardware
configuration, while maintaining the system's critical control function for the
operational plant. This means that the system can be upgraded without the need of a
plant shutdown. During on-line modification, the changes are carried out in one
Central Part at a time. Meanwhile, the other Central Part continues to monitor the
process. The system will always perform a compatibility check across the control
program in order to guarantee a safe changeover from the old control function to the
new one. It will also report the numbers of the functional logic diagrams (FLDs) that
have been changed, which complies with the 'verification requirements' of the
IEC 61508 standard.

Safety Checker
FSC Release 510 introduces the optional Safety Checker tool, which helps engineers
verify the safety consistency of an FSC application. If the Safety Checker detects
any inconsistencies in the application that affect its safety integrity, it will report
them on screen and store them in a log file. This allows engineers to correct safety-
related design errors at an early stage, and verify that the safety application suits its
projected purpose. The Safety Checker supports the verification process that is part
of the safety lifecycle as laid down in IEC 61508 and ISA S84.01.

An FSC application can be considered safe if all its outputs are safety-related and
the logic path leading to the outputs is safety-related as well. An inconsistent
configuration can lead to hazardous situations. The Safety Checker will alert the
programmer to these inconsistencies. If, for example, an analog input for a pressure
trip has been configured as safety-related, but the output that drives the shutdown
valve has not been configured safety-related, an inconsistency is detected in the loop
and the programmer is alerted.

An additional function of the Safety Checker highlights any off-sheet references to a
destination FLD with a lower number than the source FLD, which might be design
errors.
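The two checks described above, as an added Python model of how such a consistency checker can be implemented (this is not the Safety Checker tool itself and not Honeywell's code): blocks on functional logic diagrams carry a safety-related flag and an FLD sheet number; each output is traced back to its sources, and any off-sheet reference to a lower-numbered FLD is flagged. The block names, FLD numbers and the rule that a mismatched classification anywhere on the path to an output counts as an inconsistency are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Block:
    """One function block on a functional logic diagram (constructed model, not FSC's)."""
    name: str
    fld: int                  # number of the FLD sheet the block is drawn on
    safety_related: bool      # classification given during application configuration
    inputs: List[str] = field(default_factory=list)   # names of the blocks feeding it
    is_output: bool = False   # drives a field output, e.g. a shutdown valve


def upstream(blocks: Dict[str, Block], name: str) -> Set[str]:
    """Names of every block that feeds `name`, transitively; safe on feedback loops."""
    seen: Set[str] = set()
    stack = list(blocks[name].inputs)
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(blocks[n].inputs)
    return seen


def check_safety_consistency(blocks: Dict[str, Block]) -> List[str]:
    """An output is consistent only when it and its whole logic path share the same
    safety-related classification; each mismatch is reported as one finding."""
    findings = []
    for out in (b for b in blocks.values() if b.is_output):
        path = [blocks[n] for n in sorted(upstream(blocks, out.name))]
        safe = [b.name for b in path if b.safety_related]
        unsafe = [b.name for b in path if not b.safety_related]
        if not out.safety_related and safe:
            findings.append(f"{out.name}: output not safety-related but driven by {safe}")
        elif out.safety_related and unsafe:
            findings.append(f"{out.name}: safety-related output depends on non-safety-related {unsafe}")
    return findings


def check_offsheet_references(blocks: Dict[str, Block]) -> List[str]:
    """Flag signals that leave their sheet for a destination FLD with a lower number."""
    findings = []
    for dest in blocks.values():
        for src_name in dest.inputs:
            src = blocks[src_name]
            if dest.fld < src.fld:
                findings.append(f"FLD {src.fld} {src.name} -> FLD {dest.fld} {dest.name}: "
                                "reference to a lower-numbered FLD")
    return findings


# Constructed application: a pressure trip whose shutdown valve was left non-safety-related,
# a reset from the DCS that was never classified, and a feedback latch drawn on an earlier sheet.
APPLICATION: Dict[str, Block] = {b.name: b for b in [
    Block("PT101",    fld=1, safety_related=True),                        # pressure transmitter
    Block("PAHH101",  fld=1, safety_related=True,  inputs=["PT101"]),     # high-high trip compare
    Block("RESET",    fld=2, safety_related=False),                       # operator reset via DCS
    Block("SD_AND",   fld=2, safety_related=True,  inputs=["PAHH101", "RESET"]),
    Block("XV201",    fld=2, safety_related=False, inputs=["SD_AND"], is_output=True),
    Block("XV202",    fld=3, safety_related=True,  inputs=["SD_AND"], is_output=True),
    Block("LATCH_FB", fld=1, safety_related=True,  inputs=["SD_AND"]),    # feedback to sheet 1
]}


if __name__ == "__main__":
    for line in check_safety_consistency(APPLICATION) + check_offsheet_references(APPLICATION):
        print(line)
```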

I/O Signal Forcing
For maintenance reasons, it may be desirable to force an input or an output signal to
a certain fixed state, e.g. when exchanging a defective input sensor. This allows the
sensor to be exchanged without affecting the continuation of the production. During
the exchange, the applicable input is forced to its normal operational state. While
being desirable in some situations, forcing a signal to a specific, fixed value may
also create a potentially hazardous condition.

The FSC system provides a force function which supports maintenance personnel in
applying forces consciously. It only allows forcing of signals that were specifically
selected during the system design. During operation, the system is protected against
unauthorized forces via a key switch. Forcing of FSC signals is only possible via the
FSC Navigator software using a password-protected software function. All forcing
actions are included in the FSC event reports for traceability purposes.


Serial Communication with Process Computer Systems
The FSC system supports the exchange of control program data with process
computers via serial communication links, using the non-proprietary Modbus RTU
and RKE3964R communication protocols. The following information can be
exchanged:
• analog process data as scanned by FSC through its input interfaces,
• trip settings,
• trip status, and
• FSC alarm status.

Data written to the FSC system is available in the FSC control program via digital
and numerical input variables, which allow the user to define the conditions of use
in the control strategy.

If the Modbus protocol is used, a number of additional information exchange
functions are supported:
• downloading of events (SER) detected by the FSC system,
• downloading of the value of FSC's real-time clock, and
• uploading a real-time clock value to the FSC system.

FSC Networking
The FSC system supports Distributed Safety Solutions (DSS) through its extensive
networking capabilities. FSC networks provide the means to decentralize process
safeguarding with central process monitoring and control capabilities.
In a DSS network, multiple FSC systems are interconnected via dedicated serial
communication links. Both point-to-point and multidrop networks are supported.
For optimum availability of the communication, the redundant FSC system
configurations require the use of redundant communication links as well.

The communication is based on the Honeywell proprietary, TÜV-approved FSC
communication protocol. This protocol includes a high level of error detection and
recovery, which makes it suitable for exchanging safety-related information while
maintaining optimum availability. The network is also used to route sequence-of-
event (SOE) data and diagnostic data to central operator stations and maintenance
workstations.

Communication within FSC networks is based on the master-slave concept. In this
concept, the master system is responsible for all communication activities. It
initiates requests for data from the slave systems, and sends data to the slaves.
FSC networks also support one level of communication server systems. These are
FSC systems that are interconnected between the communicating master and slave
system(s). Their task is to route the data that is exchanged between master and
slave(s).


The DSS concept supports safety solutions in line with the plant design, with every
independent process unit being safeguarded by a separate FSC system. This
minimizes the risk of nuisance plant trips during unit maintenance.

Simulation
The FSC simulation option allows any FSC application to be loaded into the
standard FSC training units. In simulation mode, the FSC Control Processor
executes the control program using the serial interface with the FSC user station as
its field interface. The actual defined Central Part hardware is ignored and "mapped"
to the hardware of the simulation/training units.
Input values are applied by the user via the FSC Navigator software, using the input
signal force feature. The output values can be monitored through various displays at
the FSC user station.

In combination with the standard "live" FLD viewing feature of FSC Navigator, the
simulation option provides an excellent means for design engineers to validate the
FSC control program prior to initial installation and to verify modifications before
an on-line upgrade. The interfaces with TPS (FSC-SMM) and PlantScape are also
supported in simulation mode, which allows an integrated validation of the entire
safety application.


Specifications
The following specifications apply to the FSC modules mounted in a standard FSC
cabinet:

FSC Environmental Conditions

Operating Temperature: 0°C to 60°C (32°F to 140°F), ambient (1)
Storage Temperature: –25°C to +80°C (–13°F to +176°F)
Relative Humidity: 5% to 95%, non-condensing
Vibration, Sinusoidal: IEC 60068-2-6; 1 G at 57 Hz to 150 Hz; 10 Hz to 57 Hz: 0.075 mm
Shock: IEC 60068-2-27; 15 G for 11 ms, 3 axes
Electrostatic Discharge: IEC 61000-4-2, Level 4 (15 kV)
Conducted Susceptibility: IEC 61000-4-4, Level 3, Fast Transient/Burst
                          IEC 61000-4-5, Level 3, Surge Withstand
                          IEC 61000-4-6, Level 3, Conducted Field
Radiated Susceptibility: IEC 61000-4-3, Level 3
Conducted Emissions: Measured per CISPR 11 & CISPR 22
Radiated Emissions: Measured per CISPR 11 & CISPR 22
(1) "Ambient" refers to the air temperature measured in the FSC system cabinet.

FSC Certifications and Compliance with International Standards and Safety Codes

TÜV Bayern (Germany) – Certified to fulfill the requirements of "Class 6" (AK6) safety
equipment as defined in the following documents:
DIN V VDE 19250, DIN V VDE 0801 incl. amendment A1, DIN VDE 0110, DIN VDE 0116,
DIN VDE 0160 incl. amendment A1, DIN EN 54-2, DIN VDE 0883-1, DIN IEC 68,
IEC 61131-2

Canadian Standards Association (CSA) – Compliant with the requirements of the following
standards:
CSA Standard C22.2 No. 0-M982 General Requirements – Canadian Electrical Code,
Part II;
CSA Standard C22.2 No. 142-M1987 for Process Control Equipment.

Underwriters Laboratories (UL) – Certified to fulfill the requirements of:
UL 508, UL 991, UL 1998 and ISA S84.01.

Factory Mutual (FM) – Certified to fulfill the requirements of FM 3611 (selected modules).

FSC Functional Logic Diagrams for Control Program design are compliant with
IEC 61131-3.

The design and development of the FSC system are compliant with IEC 61508:1999,
Parts 1-7 (as certified by TÜV).

CE compliance:
Complies with CE directives 89/336/EEC (EMC) and 73/23/EEC (Low Voltage).


FSC Mechanical Specifications

FSC cabinet dimensions (Rittal, model PS 4808): 2000 x 800 x 800 mm (H x W x D)
                                                78¾ x 31½ x 31½ in (H x W x D)
Rack size (incl. horizontal bus): height: 4 HE (4U), width: 84 TE (84 HP)
Module sizes:
− typical height and width: height: 3 HE (3U), width: 4 TE (4 HP)
− COM, DBM and PSU modules: height: 3 HE (3U), width: 8 TE (8 HP)
− Eurocard dimensions: 100 x 160 mm (3.94 x 6.30 in)

FSC Electrical Specifications

Supply voltages: 24 Vdc: +30% / –15%
                 48 Vdc: +15% / –15%
                 60 Vdc: +15% / –15%
                 110 Vdc: +25% / –15%
                 220 Vdc: +10% / –15%


References
For further reading please refer to the following documents:

Publication Title                                                 Reference
FSC Safety Manual R510                                            FS90-510
FSC Software Manual R510                                          FS80-510
FSC Hardware Manual                                               FS02-500
FSC User Documentation Update for FSC R511 (1)                    FS80-511
FSC User Documentation Update for FSC R520 (1)                    FS80-520
FSC Safety Manager (FSC-SM) Documentation Set                     TPS 3076
FSC Safety Manager (FSC-SM) Specification and Technical Data      FS03-500
FSC Specification and Technical Data for FSC Release 51x/52x      FS75-510
(1) Included on FSC Navigator distribution CD-ROM.

The FSC user documentation is also available on CD-ROM:

HSMS CD-ROM Title                           Part Number
FSC Hardware Manual Rev. 03 (06/99)         3400916
FSC User Documentation R510 (06/99) (1)     3400917
(1) Includes FSC Software Manual R510, FSC Safety Manual R510, FSC Hardware Manual Rev. 03 (06/99) and
FSC Safety Manager documentation set (binder TPS 3076).
The FSC Navigator software distribution CD-ROM includes user documentation updates.


Model Numbers

Power Supply Modules

Description                                                              Model Number
24 Vdc Power Supply Unit, 45 A, input: 100-264 Vac, 230-340 Vdc          1200 S 24 P067
24 Vdc Power Supply Unit, 12 A, input: 110-240 Vac                       M24-12HE
24 Vdc Power Supply Unit, 20 A, input: 110-240 Vac                       M24-20HE
48 Vdc Power Supply Unit, 10 A, input: 110-240 Vac                       M48-10HE
60 Vdc Power Supply Unit, 5 A, input: 110-240 Vac                        M60-5HE
24 Vdc to 5 Vdc DC/DC converter, 12 A                                    10300/1/1

Central Part Modules

Description                                                                      Model Number
Vertical Bus Driver module (VBD) for control of I/O interfaces in the I/O racks  10001/R/1
Central Processing Unit (CPU)                                                    10002/1/2
Central Processing Unit (CPU) with flash memory 1)                               10012/1/2
Communication module (COM)                                                       10004/·/·
Communication module (COM) with flash memory 1)                                  10014/·/·
Watchdog module (WD)                                                             10005/1/1
Diagnostic and Battery Module (DBM)                                              10006/2/1
Diagnostic and Battery Module with DCF-77 atomic clock receiver                  10006/2/2
Single Bus Driver module (SBD) for control of I/O in the Central Part rack       10007/1/1
FSC Safety Manager Module (FSC-SMM)                                              10008/2/U
FSC Safety Manager Module (FSC-SMM) with flash memory 1)                         10018/2/U
FSC to PlantScape communication interface module 2)                              10018/E/E, 10018/E/1
1) Requires FSC Release 510 or higher.
2) Requires FSC Release 520 or higher.

Analog Input Modules

Description                                                              Model Number
Fail-safe analog input module (4 channels)                               10102/2/1
Fail-safe high-density analog input module (24 Vdc, 16 channels)         10105/2/1

Analog Input Field Termination Assemblies (FTAs)

Description                                                              Model Number
Fail-safe input FTA (24/48/60 Vdc, 24 channels)                          FTA-T-02
Fail-safe 0(4)-20 mA analog input FTA (16 channels)                      FTA-T-14


Analog Output Modules

Description                                                              Model Number
Fail-safe analog output module (0(4)-20 mA, 2 channels)                  10205/2/1

Analog Output Field Termination Assemblies (FTAs)

Description                                                              Model Number
Fail-safe output FTA (24/48/60 Vdc, 24 channels)                         FTA-T-02

Digital Input Modules

Description                                                                         Model Number
Fail-safe digital input module (24 Vdc, 16 channels)                                10101/2/1
Fail-safe digital input module (60 Vdc, 16 channels)                                10101/2/2
Fail-safe digital input module (48 Vdc, 16 channels)                                10101/2/3
Intrinsically safe input module (4 channels)                                        10103/1/1
Digital input module (24 Vdc, 16 channels)                                          10104/2/1
Fail-safe line-monitored digital input module with earth fault monitor (16 ch.)     10106/2/1

Digital Input Field Termination Assemblies (FTAs)

Description                                                                         Model Number
Fail-safe input FTA (24/48/60 Vdc, 24 channels)                                     FTA-T-02
Fail-safe passive digital input FTA (115 Vac/dc, 8 channels)                        FTA-T-09
Isolated passive digital input FTA (8 channels)                                     FTA-T-12
Fail-safe active digital input FTA with line-monitoring (16 channels)               FTA-T-16
Fail-safe digital input FTA (24/48/60 Vdc, NAMUR, 16 channels)                      FTA-T-21
Current-limited digital input FTA (24 Vdc, 16 channels)                             FTA-T-23

Digital Output Modules

Description                                                                 Model Number
Fail-safe digital output module (24 Vdc, 550 mA, 8 channels)                10201/2/1
Digital output module (24 Vdc, 550 mA, 12 channels)                         10206/2/1
Relay output module (contacts, 10 channels)                                 10208/2/1
Digital output module (24 Vdc, 100 mA, 16 channels)                         10209/2/1
Fail-safe digital output module (110 Vdc, 325 mA, 4 channels)               10213/2/1
Fail-safe digital output module (60 Vdc, 675 mA, 4 channels)                10213/2/2
Fail-safe digital output module (48 Vdc, 750 mA, 4 channels)                10213/2/3
Fail-safe digital output module (220 Vdc, 250 mA, 3 channels)               10214/1/2
Fail-safe digital output module (24 Vdc, 2 A, 4 channels)                   10215/2/1
Fail-safe loop-monitored digital output module (24 Vdc, 1 A, 4 ch.)         10216/2/1
Fail-safe loop-monitored digital output module (48 Vdc, 0.5 A, 4 ch.)       10216/2/3

Digital Output Field Termination Assemblies (FTAs)

Description                                                                         Model Number
Fail-safe output FTA (24/48/60 Vdc, 24 channels)                                    FTA-T-02
Digital output FTA (24 Vdc, 24 channels)                                            FTA-T-03
Digital output (relay contact) FTA (25 channels)                                    FTA-T-04
Fail-safe digital output FTA (24 Vdc, 12 channels)                                  FTA-T-05
Fail-safe digital output (relay contact) FTA (250 Vac / 150 Vdc, 4 ch.)             FTA-T-08
Fail-safe digital output FTA (110 Vdc, 8 channels)                                  FTA-T-11
Digital output (relay) FTA for AK5/6 applications (250 Vac / 250 Vdc, 4 channels)   FTA-T-17
Digital output (relay contact) FTA (8 channels, NO/NC)                              FTA-T-20


Copyright, Trademarks, and Notices


© 1999 — Honeywell Safety Management Systems B.V., The Netherlands.

While this information is presented in good faith and believed to be accurate, Honeywell
disclaims the implied warranties of merchantability and fitness for a particular purpose and
makes no express warranties except as may be stated in its written agreement with and for its
customer.

In no event is Honeywell liable to anyone for any indirect, special or consequential damages.
The information and specifications in this document are subject to change without notice.

Honeywell, TotalPlant, and TDC 3000 are U.S. registered trademarks of Honeywell Inc.
FSC is a trademark of Honeywell Safety Management Systems B.V.

Other brand or product names are trademarks of their respective owners.
