
Safety and Security Manual for Safety Manager SC

EP-SMSC-MAN-7054-210A C October 2020


R210

Honeywell Process Solutions


Copyright December 2020. Honeywell Measurex (Ireland) Limited. All rights reserved.

This document contains Honeywell proprietary information. Information contained herein is to be used
solely for the purpose submitted, and no part of this document or its contents shall be reproduced,
published, or disclosed to a third party without the express permission of Honeywell Measurex (Ireland)
Limited.
While this information is presented in good faith and believed to be accurate, Honeywell
disclaims the implied warranties of merchantability and fitness for a purpose and makes no
express warranties except as may be stated in its written agreement with and for its customer.
In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The
information and specifications in this document are subject to change without notice.
Honeywell Measurex (Ireland) Limited.
CONTENTS

1 Safety Manual 2
1.1 Content of Safety Manual 3
1.1.1 References 4
1.2 Basic skills and knowledge 5
1.2.1 Prerequisite skills 6
1.2.2 Training 7
1.3 Safety standards for Process & Equipment Under Control (PUC, EUC) 8
1.3.1 Safety Integrity Level (SIL) 9
1.3.2 Safety layers of protection 10
1.3.3 Equipment Under Control (EUC) 11
1.3.4 Process Under Control (PUC) 12
1.3.5 Application design conform IEC 61131-3 13
1.3.6 The IEC 61508 and IEC 61511 standards 14
2 Safety Manager SC functions architectures and standards 17
2.1 Safety Manager SC functions 18
2.2 Safety Manager SC basic architectures 19
2.2.1 Dual Modular Redundant (DMR) architecture 20
2.2.2 Quadruple Modular Redundant (QMR) architecture 21
2.3 Certification 22
2.4 Standards compliance 24
3 Configuring secure communications for Safety Manager SC Controller 29
3.1 Secure Communication Planning Overview 30
3.1.1 Secure Communication System Planning 32
3.1.2 Advanced Technical Information 33
3.1.3 Certificate Management 34
3.1.4 Secure Communications using IPSec 35
3.1.5 Secure Communications Using TLS (Transport Layer Security) 36
3.1.6 Secure Boot 37
4 Safety Manager SC fault detection and fault reaction 39
4.1 Introduction 39
4.1.1 Diagnostic Test Interval 40
4.1.2 Controller configurations and states 41
4.1.3 Shutdown by application or manual intervention 43
4.2 Fault detection and fault reaction of the system 44
4.2.1 Safety Manager SC 45
4.2.2 Safety Manager SC ART+ 46
4.3 Safety Manager SC Controller faults 47
4.3.1 SM SC Controller faults 48
4.3.2 SC Communication module faults 50
4.3.3 Redundant SM SC Controller Key Switch faults 51
4.3.4 SM SC Communication Link faults 52
4.4 Safety Manager SC Universal Safety IO module faults 54
4.5 Safety Manager SC Universal Safety IO faults 56
4.5.1 Universal Safety IO Digital input faults 57
4.5.2 Universal Safety IO Analog input faults 58
4.5.3 Universal Safety IO Digital output faults 59
4.5.4 Universal Safety IO Analog Output Faults 60
4.6 Behavior of the ESD input on Universal Safety IO 61
4.7 Compare error handling 62
4.7.1 Safety Manager SC IO compare errors and system response 63
4.7.2 Compare error detection and synchronization in Safety Manager SC 64
4.8 Detecting and Preventing Calculation errors in Safety Manager SC 65
5 Safety Manager SC special functions 67
5.1 Online modification 68
5.2 SafeNet communication 70
5.2.1 Networks 71
5.2.2 Protocol versus response time 72
5.3 Reset 74
5.3.1 System response towards a safety related reset 75
6 Security recommendations and best practices 77
7 General guidelines for TÜV approved applications 83
7.1 General 84
7.2 F&G applications 87
8 List of abbreviations 90
9 Notices 93
9.1 Notice 93
9.2 Honeywell trademarks 93
9.3 Other trademarks 93
9.4 Documentation feedback 94
9.5 How to report a security vulnerability 95
9.6 Support 96
9.7 Training classes 97
Honeywell | 1
1 Safety Manual

1 SAFETY MANUAL
The Safety Manual for Safety Manager SC is a reference guide that provides detailed information
regarding safety aspects for Safety Manager SC.


1.1 CONTENT OF SAFETY MANUAL


The Safety Manual for Safety Manager SC provides the specifications and references of the safety
functions in Safety Manager SC (SM SC). These may be used to support a safety function of a safety-
related system or functions in a subsystem or element.
A reference guide is a Safety Manager SC related guide; it does not describe how to perform tasks as a
sequence of steps to follow. A reference guide can provide input to support decisions required to achieve
a certain objective.

Guide subjects

Safety and Security Manual for Safety Manager SC:
• Safety Manager SC functions architectures and standards
• Safety Manager SC fault detection and reaction
• Safety Manager SC special functions
• Configuring a Secure Connection for Experion Integration
• General guidelines for TÜV approved applications


1.1.1 REFERENCES
The following guides may be required as reference materials:

Guide | Description

Overview Guide | This guide describes the general knowledge required, the basic functions of, and the tasks related to Safety Manager or Safety Manager SC.

Planning and Design Guide | This guide describes the tasks related to planning and designing a Safety Manager or Safety Manager SC project.

Installation and Upgrade Guide | This guide describes the tasks related to installing, replacing and upgrading hardware and software as part of a Safety Manager or Safety Manager SC project.

Troubleshooting and Maintenance Guide | This guide describes the tasks related to troubleshooting and maintaining Safety Manager or Safety Manager SC.

System Administration Guide | This guide describes the tasks related to administering the computer systems used in Safety Manager or Safety Manager SC.

Hardware Reference | This guide specifies the hardware components that build a Safety Manager or Safety Manager SC project.

Universal Safety Cabinet Planning, Installation and Service Guide | This guide specifies the hardware components to build a Safety Manager SC project with a 1.2 meter cabinet that conforms to Fire and Gas safety requirements.

Software Reference | This guide specifies the software functions that build a Safety Manager and Safety Manager SC project and contains guidelines on how to operate them.

Online Modification Guide | This guide describes the theory, steps and tasks related to upgrading Safety Builder and embedded software and modifying an application online in a redundant Safety Manager or Safety Manager SC.


1.2 BASIC SKILLS AND KNOWLEDGE


Before performing tasks related to Safety Manager SC you need to:
• Understand basic Safety Manager SC concepts as explained in the Overview Guide and the Glossary.
• Have a thorough understanding of the Safety and Security Manual.
• Have had appropriate training related to Safety Manager SC that certifies you for your tasks
  (see the Planning and Design Guide).
More related information can be found in Prerequisite skills and Training.


1.2.1 PREREQUISITE SKILLS

When you perform tasks related to Safety Manager SC, it is assumed that you have appropriate
knowledge of:
• Site procedures.
• The hardware and software you are working with. These may be, for example: computers, printers,
  network components, Controller and Station software.
• Microsoft Windows operating systems.
• Programmable logic controllers (PLCs).
• Applicable safety standards for Process & Equipment Under Control (EUC).
• Application design conform IEC 61131-3.
• The IEC 61508 and IEC 61511 standards.
This guide assumes that you have a basic familiarity with the process(es) connected to the equipment
under control and that you have a complete understanding of the hazard and risk analysis.
More related information can be found in Training.


1.2.2 TRAINING

Most of the skills mentioned above can be achieved by appropriate training. For more information,
contact your Honeywell representative or see:
• http://www.automationcollege.com


1.3 SAFETY STANDARDS FOR PROCESS & EQUIPMENT UNDER CONTROL (PUC, EUC)
Safety Manager SC Controller (SM SC Controller) is the logic solver of a Safety Instrumented System (SIS)
performing specific Safety Instrumented Functions (SIF) to ensure that risks are kept at or below
predefined levels.
A SIS measures, independently from the Basic Process Control System (BPCS), relevant process signals
like temperature, pressure, level in a tank or the flow through a pipe. The values of these signals are
compared with the predefined safe values, preprogrammed control sequences and interlocks are applied,
and, if needed, the SIS gives an alarm or takes action. In such cases the SIS controls the safety of the
process and lowers the chance of an unsafe situation.
The logic in Safety Manager SC defines the response to process parameters.
In this context the following terms are explained in this section:
• Safety Integrity Level (SIL)
• Safety layers of protection
• Equipment Under Control (EUC)
• Process Under Control (PUC)
• Application design conform IEC 61131-3
• The IEC 61508 and IEC 61511 standards


1.3.1 SAFETY INTEGRITY LEVEL (SIL)


The IEC 61508 standard specifies 4 levels of safety performance for safety functions. These are called
safety integrity levels. Safety integrity level 1 (SIL1) is the lowest level of safety integrity, and safety
integrity level 4 (SIL4) the highest level. If the level is below SIL1, the IEC 61508 and IEC 61511 do not
apply.
Safety Manager SC can be used for processing multiple SIFs simultaneously that demand SIL1 up to and
including SIL3.
To achieve the required safety integrity level for the E/E/PE safety-related systems, an overall safety life
cycle is adopted as the technical framework (as defined in IEC 61508).
For more information see also:
• The IEC 61508 and IEC 61511 standards
• Safety layers of protection
• Equipment Under Control (EUC)
• Process Under Control (PUC)


1.3.2 SAFETY LAYERS OF PROTECTION


The below figure shows the typical risk reduction methods or safety protection layers used in modern
process plants.
Safety Instrumented Systems (SIS) are designed to operate in the prevention and mitigation layers to:
• Prevent a process from entering a dangerous state.
• Mitigate the consequences of entering a dangerous state.

Figure 1-1: The concept of layers of protection

For more information see also:
• Safety Integrity Level (SIL)
• Equipment Under Control (EUC)
• Process Under Control (PUC)


1.3.3 EQUIPMENT UNDER CONTROL (EUC)


Safety-related systems, such as Safety Manager SC, are designed to prevent the EUC from entering a
dangerous state and to mitigate the consequences for any EUC that has gone into a dangerous state.
For these functions a safety related system can be split into:
• Emergency shutdown systems, operating in the prevention layer of Figure 1-1.
• Fire and gas detection and control systems, operating in the mitigation layer of Figure 1-1.
For more information see also:
• Safety Integrity Level (SIL)
• Safety layers of protection
• Process Under Control (PUC)


1.3.4 PROCESS UNDER CONTROL (PUC)


PUC is EUC expanded with regulations to prevent the process from running out of control or to mitigate
the consequences when it does run out of control.
Where PUC is concerned, Safety Manager SC monitors the process for abnormal situations. Safety
Manager SC is able to initiate safety actions and process alarms.
Such actions and alarms can be caused by abnormal situations in the:
• Process
• Safety loops
• Safety system itself.
For more information see also:
• Safety Integrity Level (SIL)
• Safety layers of protection
• Equipment Under Control (EUC)


1.3.5 APPLICATION DESIGN CONFORM IEC 61131-3


The IEC 61131 standard defines, as a minimum set, the basic programming elements and the syntactic and
semantic rules for the most commonly used programming languages:
• the graphical languages Ladder Diagram and Function Block Diagram, and
• the textual languages Instruction List and Structured Text.
For more information see the IEC web site: http://www.iec.ch
The below figure shows how Safety Manager SC uses the graphical programming method, based on
Function Block Diagram as defined by IEC 61131-3.

Figure 1-2: Example FLD layout


1.3.6 THE IEC 61508 AND IEC 61511 STANDARDS


SISs have been used for many years to perform safety instrumented functions e.g. in chemical,
petrochemical and gas plants. In order for instrumentation to be effectively used for safety instrumented
functions, it is essential that the instrumentation meets certain minimum standards and performance
levels.
To define the characteristics, main concepts and required performance levels, standards IEC 61508 and
IEC 61511 have been developed. The introduction of Safety Integrity level (SIL) is one of the results of
these standards.
This brief provides a short explanation of each standard. Detailed information regarding IEC 61508 and
61511 can be found on the IEC web site http://www.iec.org.
What standard to use?

Tip:
You can use the IEC 61508 as stand-alone standard for those sectors where a sector specific
standard does not exist.

• If you are in the process sector and you are an owner/user, it is strongly recommended that you
  pay attention to the IEC 61511 (ANSI/ISA 84.00.01). For details see IEC 61511, the standard for
  the process industry.
• If you are in the process sector and you are a manufacturer, it is strongly recommended that
  you pay attention to the IEC 61508. For details see IEC 61508, the standard for all E/E/PE
  safety-related systems.
• If you are in another sector, it is strongly recommended that you look for, and use, your sector
  specific IEC standard for functional safety (if there is one). If none exists, you can use the IEC
  61508 instead. For details see IEC 61508, the standard for all E/E/PE safety-related systems.

IEC 61508 and IEC 61511 terminology


This guide contains both IEC 61508 and IEC 61511 related terminology.
As the IEC 61511 sits within the framework of IEC 61508, most of the terminology used may be
interchanged. The table below provides an overview of the most common interchangeable terminology.

Table 1-3: IEC 61508 versus IEC 61511 terminology
IEC 61508 terminology | IEC 61511 terminology
safety function | safety instrumented function
electrical/electronic/programmable electronic (E/E/PE) safety-related system | safety instrumented system (SIS)

IEC 61508, the standard for all E/E/PE safety-related systems


The IEC 61508 is called “Functional safety of electrical/electronic/programmable electronic safety-related
systems”
IEC 61508 covers all safety-related systems that are electrotechnical in nature (i.e. Electrical, Electronic
and Programmable Electronic systems (E/E/PE) ).
Generic standard


The standard is generic and is intended to provide guidance on how to develop E/E/PE safety-related
devices as used in Safety Instrumented Systems (SIS).
The IEC 61508:
• serves as a basis for the development of sector standards (e.g. for the machinery sector, the
  process sector, the nuclear sector, etc.).
• can serve as stand-alone standard for those sectors where a sector specific standard does not
  exist.
SIL
IEC 61508 details the design requirements for achieving the required Safety Integrity Level (SIL).
The safety integrity requirements for each individual safety function may differ. The safety function and
SIL requirements are derived from the hazard analysis and the risk assessment.
The higher the level of safety integrity adopted, the lower the likelihood of dangerous failure of the SIS.
This standard also addresses the safety-related sensors and final elements regardless of the technology
used.

IEC 61511, the standard for the process industry


The IEC 61511 is called “Functional safety - Safety instrumented systems for the process industry sector”.
It is also referred to as the ANSI/ISA 84.00.01.
This standard addresses the application of SISs for the process industries. It requires a process hazard
and risk assessment to be carried out, to enable the specification for SISs to be derived. In this standard
a SIS includes all components and subsystems necessary to carry out the safety instrumented function
from sensor(s) to final element(s).
The standard is intended to lead to a high level of consistency in underlying principles, terminology and
information within the process industries. This should have both safety and economic benefits.
The IEC 61511 sits within the framework of IEC 61508.
Need to know more?
For more information on, or help with, implementing or determining the safety standards that apply to
your plant/process, please contact your Honeywell affiliate. Our Safety Consultants can help you, for
example, to:
• perform a hazard risk analysis
• determine the SIL requirements
• design the Safety Instrumented System
• validate and verify the design
• train your local safety staff


2 SAFETY MANAGER SC FUNCTIONS ARCHITECTURES AND STANDARDS


Safety Manager SC can be configured for a number of architectures, each with its own characteristics
and typical Safety Instrumented Functions.


2.1 SAFETY MANAGER SC FUNCTIONS


Safety Manager SC is the logic solver inside a Safety Instrumented System (SIS) and can be used in a
number of different basic architectures (see Safety Manager SC basic architectures). Irrespective of the
chosen architecture, Safety Manager SC meets the requirements of the relevant international standards.
By design Safety Manager SC operates at a very high level of dependability.
The functions of Safety Manager SC depend on the Controller configuration that is applied. The table
below describes these functions.

Table 2-1: Safety Manager SC functions
Controller architecture | Function
Non-redundant (DMR) | Logic solving within a SIS in order to provide freedom from unacceptable risks, and thus safeguarding the equipment and processes under control.
Redundant (QMR) | Logic solving within a SIS in order to provide freedom from unacceptable risks, and thus safeguarding the equipment and processes under control while maintaining a high level of availability.


2.2 SAFETY MANAGER SC BASIC ARCHITECTURES


Safety Manager SC can be configured for a number of architectures. Each has its own characteristics and
typical Safety Instrumented Functions. The table below provides an overview of the available
architectures.

Table 2-2: Safety Manager SC architectures
Reference | Controller architecture | IO configuration | Remarks
DMR | Non-redundant | Non-redundant | DMR architecture; supports SIF for SIL1, SIL2 and SIL3 applications.
QMR | Redundant | Redundant | QMR architecture; supports SIF for SIL1, SIL2 and SIL3 applications.


2.2.1 DUAL MODULAR REDUNDANT (DMR) ARCHITECTURE


Typical applications of a DMR architecture are:
• Burner Management System
• Batch processing
• Machine protection
The DMR architecture provides 1oo2 voting in a non-redundant system. The DMR architecture with 1oo2
voting is based on dual-processor technology, and is characterized by a high level of self tests,
diagnostics and fault tolerance. The DMR architecture is realized with a non-redundant SM SC Controller.
A non-redundant architecture contains only one controller, which contains redundant processors and
memory with 1oo2 voting between the processors and memory.
In IO configurations, each path is controlled by the SM SC Controller and the IO modules (see the below
figure).

Figure 2-3: Functional diagram: DMR architecture


2.2.2 QUADRUPLE MODULAR REDUNDANT (QMR) ARCHITECTURE


Typical applications of a QMR architecture are:
• process safeguarding applications for which continuous operation is essential.
The Quadruple Modular Redundant (QMR) architecture is based on 2oo4D voting, with dual-processor
technology in each controller. This means that it is characterized by the highest level of self diagnostics
and fault tolerance.
The QMR architecture is realized with a redundant Controller. This redundant architecture contains two
controllers, which results in quadruple redundancy, making it fault tolerant for higher availability.
The 2oo4D voting is realized by combining 1oo2D voting of both CPUs and memory in each controller,
and 1oo2D voting between the two controllers. Voting takes place on two levels: on a module level and
between the controllers.
In redundant IO configurations, each path is controlled by one of the SM SC Controllers (see the below
figure).
Furthermore, one SM SC Controller is able to switch off the output channels of the redundant SM SC
Controller.

Figure 2-4: Functional diagram: QMR architecture


2.3 CERTIFICATION
Complying with standards has many advantages:
• International standards force companies to evaluate and develop their products and processes
  in a consistent and uniform way.
• Products certified to conform to these international standards guarantee a certain degree of
  quality and product reliability that other products lack.
Since functional safety is the core of the Safety Manager SC design, the system has been certified for use
in safety applications all around the world. Safety Manager SC has been developed specifically to comply
with the IEC 61508 functional safety standards, and has been certified by TUV for use in SIL1, SIL2 and
SIL3 applications.
Safety Manager SC has also obtained certification in the United States for the ANSI/ISA S84.01 standard.
Honeywell process control and safety systems, including Safety Manager SC, offer multi-layer
cybersecurity protection and can be designed to meet individual customer architecture requirements. The
SM SC Controller module can support a variety of communication networks/protocols and has built-in
firewall protection against cybersecurity threats. For details regarding Safety Manager SC security
protection and cybersecurity certifications, contact your Honeywell project team or account
representative.
For a full list of all these and other certifications see below.

Certification
Safety Manager SC has been certified to comply with the following standards:

International Electrotechnical Commission (IEC) - The design and development of Safety Manager SC are
compliant with IEC 61508 (as certified by TUV).

International Society of Automation (ISA) - Certified to fulfill the requirements laid down in ANSI/ISA
S84.01.

CE compliance - Complies with CE directives 2014/35/EU relating to electrical equipment designed for
use within certain voltage limits, 2014/30/EU for Electromagnetic Compatibility, and 2011/65/EU RoHS
Directive.


TUV (Germany) - Certified to fulfill the requirements of SIL1, 2 and 3 safety equipment as defined in the
following documents: IEC61508, IEC60664-3, EN50156, EN 54-2, EN50178, IEC 60068, IEC 61131-2, IEC
61131-3, IEC60204.

Canadian Standards Association (CSA) - Complies with the requirements of the following standards:
• CSA Standard C22.2 No. 0-M982 General Requirements – Canadian Electrical Code, Part II;
• CSA Standard C22.2 No. 142-M1987 for Process Control Equipment, including general
  Instructions up to No. 4 dated February 1989 (Reaffirmed 2004).


2.4 STANDARDS COMPLIANCE


This subsection provides a list of the standards Safety Manager SC complies with.

Standard | Title | Remarks

IEC 61508, Part 1-7 (2010) (S84.01) | Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems. | Values such as PFD, PFH, SFF can be provided upon request.
IEC 61511-1 (2017) (S84) | Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements |
EN 62061 (2015) | Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems |
ISO 13849-1 (2008) | Safety of machinery - Safety related parts of control systems. General principles for design |
EN 54 part 2 (2006) | Components of automatic fire detection systems, Introduction. |
EN 50130-4 (2014) | Electromagnetic compatibility - Immunity requirements for components of fire, intruder and social alarm systems. |
EN 50156-1 (2015) | Electrical equipment of furnaces. |
EN 60204-1 (2009) | Safety of machinery - Electrical equipment of machines - Part 1: General requirements |
IEC 61000-6-2 (2005) | Electromagnetic compatibility – Generic immunity standard: Industrial environment. |
IEC 61010-1 (2010) | Safety Requirements for Electrical Equipment for Measurement, Control and Laboratory Use, Part 1: General Requirements. |
IEC 61131-2 (2007) | Programmable controllers. Part 2: Equipment requirements and tests. |
IEC 61326-3-1 (2008) | Immunity requirements for safety related systems. |
NFPA 72 (2010) | National Fire Alarm Code Handbook |
NFPA 85 (2011) | Boiler and Combustions Systems Hazards Code |
NFPA 86 (2011) | Standard for Ovens and Furnaces |
ANSI/ISA 71.04 (2013) | Environmental Conditions for Process Measurement and Control Systems: Airborne Contaminants | G3 level: harsh environments
UL 508 | Industrial control equipment, seventeenth edition. | Underwriters Laboratories.
UL 508A (2001) | UL Standard for Safety Industrial Control Panels | Underwriters Laboratories.
CSA C22.2 No. 142 | Process control equipment. Industrial products. | Canadian Standards Association.
IEC 60068-1 (2004) | Basic environmental testing procedures. |
IEC 60068-2-1 | Cold test (undervoltage). | Safety Manager SC: -5°C (23°F); SM Universal Safety IO module: -40°C (-40°F). 16 hours; system in operation; reduced power supply voltage: (–15%): U=20.4 Vdc or (–10%): U=198 Vac.
IEC 60068-2-1 | Cold test (nominal). | Safety Manager SC: -10°C (14°F); SM Universal Safety IO module: -45°C (-49°F). 16 hours; system in operation.
IEC 60068-2-2 | Dry heat test. | Up to 70°C (158°F). 16 hours; system in operation; increased power supply voltage: (+30%): U=31.2 Vdc or (+10%): U=253 Vac.
IEC 60068-2-3 | Test Ca: damp heat, steady state. | 21 days at +40°C (104°F), 93% relative humidity; function test after cooling.
IEC 60068-2-3 | Test Ca: damp heat, steady state. | 96 hours at +40°C (104°F), 93% relative humidity; system in operation.
IEC 60068-2-14 | Test Na: change of temperature – withstand test. | –25°C to +55°C (–13°F to +131°F), 12 hours, 95% relative humidity, recovery time: max. 2 hours.
IEC 60068-2-30 | Test Db variant 2: cyclic damp heat test. | +25°C to +55°C (+77°F to +131°F), 7 days, 80-100% relative humidity, recovery time: 1 - 2 hours.
IEC 60068-2-6 | Environmental testing – Part 2: Tests – Test Fc: vibration (sinusoidal). | Safety Manager SC. Excitation: sine-shaped with sliding frequency. Frequency range: 10 - 150 Hz. Loads: 10 - 57 Hz, 0.075 mm; 57 - 150 Hz, 1 G. Duration: 10 cycles (20 sweeps) per axis. No. of axes: 3 (x, y, z). Traverse rate: 1 oct/min, in operation.
IEC 60068-2-27 | Environmental testing – Part 2: Tests – Test Ea: shock. | Half sine shock. 6 shocks per 3 axes (18 in total). Maximum acceleration: 15 G. Shock duration: 11 ms. Safety Manager SC in operation.

3 CONFIGURING SECURE COMMUNICATIONS FOR SAFETY MANAGER SC CONTROLLER
This guide provides an overview of how to configure secure communications.
Specific procedures for configuring the SM SC controller for secure communications can be found in the
Installation and Upgrade Guide.
This section identifies specific topics to ensure secure communication connections, so that a third party
cannot eavesdrop or interfere.
This product is on the Level 1 network and is isolated from the Level 3 network.
Only authorized personnel may use the product maintenance tool.

Caution:
Program Key switch, Force Enable, Force Clear, Fault reset, ESD - wireable switches are to be
physically protected.


3.1 SECURE COMMUNICATION PLANNING OVERVIEW


Secure communications are required when two communicating entities do not want a third party to
listen in (i.e. to avoid man-in-the-middle attacks). For that they need to communicate in a way that is not
susceptible to eavesdropping or interception. The Honeywell Safety Manager SC Controller secures its
communications using IPsec and X.509 standard-compliant certificates.
This chapter is the first user assistance that all customers, system integrators and planners need to read
before installation, configuration and setup of Secure Communications for an SM SC Controller or a
system including a SM SC Controller with the intent to deploy Honeywell Secure Communications.
For detailed steps about obtaining and installing secure communications software using IPsec, see the
Installation and Upgrade Guide.
The solution described allows users to select which node-to-node communication paths will be secured.
Most communication paths to the SM SC Controller, both encrypted and unencrypted, must be explicitly
configured. You will need a single CA (Certificate Authority) Server per trust zone, which is recommended
to be a single FTE community. As such you will need to install and configure your CA Server only once per
zone. After that it is a matter of using the Certificate Manager Configuration Console (CMCC) to
configure your SM SC Controller(s), and then configure IPsec on the Windows nodes. This will include
generating the required certificates for these as the instructions dictate.

Note: CMCC should be installed on Windows 10 and above operating system.

For SM SC Controllers
All communication paths to all external nodes, whether or not on the FTE network, must be configured.
Therefore policies must be created for each of the following:
• Encrypted communications to other nodes (Windows nodes or peer controller nodes such as
  other SM SC Controllers) on the FTE network
• Cleartext communications to other nodes on the network
For Windows nodes
For each SM SC Controller that will be operating in secure communications mode:
• Encrypted communications to the SM SC Controller must be explicitly configured
• Certain protocols/services must be explicitly configured as cleartext (also known as exceptions)
No explicit configuration is required to communicate with nodes that are not using secure
communications.
Phases of SM SC Controller Set-up
There are four main phases in the set-up of each SM SC Controller before IPsec can be enabled. Some of
the configuration data is included in the synchronization from Primary to Secondary modules and some
is not.
• Setting Enrollment Information
• Enrolling for TLS communication (required for the next step)
• Enrolling for IPsec communication (uses TLS)
• Setting and activating security policies
This chapter details how to create a standalone root CA which can be used to issue certificates for
Experion PKS Servers and console stations, as well as for SM SC Controller. It also details how to request
certificates from this CA for two different purposes:
l Internet Protocol Security (IPsec) – for use with secure communications between the Experion
PKS R500 Server, and any other Windows nodes that communicate with the SM SC Controller
l Certificate Manager Configuration Console (CMCC) – to facilitate a secure connection when
configuring the SM SC Controller
In addition this chapter will provide details on how to install the certificate on each Experion PKS Server
and then how to enable IPsec policy to secure communications between the Experion PKS Server and the
SM SC Controller. To support secure communications between the Experion PKS R500 Server/Console,
the SM SC Controller and redundant SM SC Controller, network layer security provided by IPsec policies
will be employed. To achieve this, SM SC Controller and the Server node need a certificate issued by a
certification authority (CA) trusted by both. This type of secure communication is not provided for
communication between Safety Manager SC and C300.
Points to note
- Accurate system time and time synchronization are essential to the operation of secure
  communications. All certificates created during the set-up process carry the time of their creation in
  their validity period. Therefore the time on all nodes must be accurate and in sync from the very
  beginning, even at the time the Certificate Authority is installed; a certificate issued by a CA whose
  clock runs ahead of a node's clock is not yet valid on that node.
- IP address configuration should be completed before secure communications are set up.
  Changes to the system, especially to IP addresses, after secure communications have been set up
  may cause significant re-work. For example:
  - Using a Certificate Authority at a different IP address will invalidate all certificates
    that have been created with the original CA. All set-up steps, including enrollment, on
    the SM SC Controllers will have to be backed out and re-done.
  - Changing the primary IP address of a module will require that all of the steps to set up
    the module for secure communications be backed out and re-done. This includes
    the case where index switches are changed from their original setting.
  - Changing any IP address referenced in an IPsec security policy will require the
    modification and reapplication of the relevant security policies. Enrollment will not
    have to be redone in this case.
- There are certain important restrictions on how the Certificate Authority is deployed:
  - It cannot be installed on domain controllers.
  - It must be installed only when logged in as the Administrator account (ensure that you
    log in as the user "Administrator", not just a user with administrator privileges).
  - Node time must be set or synchronized correctly when the CA is installed.
  - The IP address must be set correctly when the CA is installed.
  - It will not work across split uplink subnets. Each network requires its own Certificate
    Authority.
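The time and IP-address prerequisites above are easy to get wrong and expensive to undo, since a mistake found after enrollment means backing out every set-up step. The following PowerShell script is an added illustration for a Windows node, not part of Honeywell's own tooling or of this manual's procedure: before enrollment it measures the node's clock offset against the CA host with w32tm, confirms that the root CA certificate is present in the machine Root store, is currently within its validity period and is ECDSA P-256 signed as required by the certificate management section, and confirms that the node still has the FTE address recorded in the planning diagram. The CA host name, the CA subject, the expected node address and the skew tolerance are assumptions to be replaced with site values.

```powershell
# Pre-enrollment checks for a Windows node (added illustration, not Honeywell tooling).
# Assumed site values; replace them with the values from the system communication diagram.
$CaHost         = 'ca01.site.local'   # assumption: host running the standalone root CA
$CaSubject      = 'CN=Site Root CA'   # assumption: subject of the root CA certificate
$ExpectedNodeIp = '192.168.0.10'      # assumption: this node's planned FTE address
$MaxSkewSeconds = 5                   # assumption: tolerated clock offset to the CA host
$failed = $false

# 1. Clock offset to the CA host. w32tm prints one "hh:mm:ss, +00.0012345s" line per sample.
$samples = & w32tm.exe /stripchart /computer:$CaHost /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ("$line" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "Could not read a time offset from $CaHost; check w32time/NTP before enrolling."
    $failed = $true
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSkewSeconds) {
        $msg = 'Clock offset to the CA is {0:N3}s (limit {1}s); a certificate issued now may be rejected as not yet valid.'
        Write-Warning ($msg -f $worst, $MaxSkewSeconds)
        $failed = $true
    } else {
        Write-Host ('Clock offset to the CA is within tolerance: {0:N3}s' -f $worst)
    }
}

# 2. Root CA certificate present in the machine Root store, inside its validity period,
#    and ECDSA P-256 signed (Windows reports that signature algorithm as sha256ECDSA).
$now   = Get-Date
$roots = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject }
if (-not $roots) {
    Write-Warning "Root CA '$CaSubject' is not in LocalMachine\Root; import it before enrolling."
    $failed = $true
}
foreach ($c in $roots) {
    if ($c.NotBefore -gt $now -or $c.NotAfter -le $now) {
        Write-Warning ('Root CA certificate {0} is outside its validity period ({1} to {2}); check node time.' -f $c.Thumbprint, $c.NotBefore, $c.NotAfter)
        $failed = $true
    }
    if ($c.SignatureAlgorithm.FriendlyName -ne 'sha256ECDSA') {
        Write-Warning ('Root CA certificate {0} is signed with {1}; expected sha256ECDSA (ECDSA P-256).' -f $c.Thumbprint, $c.SignatureAlgorithm.FriendlyName)
        $failed = $true
    }
}

# 3. The node still has the address recorded in the planning diagram; changing it after
#    enrollment means backing out and redoing every set-up step for this node.
$match = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -eq $ExpectedNodeIp }
if (-not $match) {
    Write-Warning "Expected address $ExpectedNodeIp is not configured on this node; fix IP addressing first."
    $failed = $true
}

if ($failed) { Write-Error 'Pre-enrollment checks failed; do not enroll until they pass.'; exit 1 }
Write-Host 'Pre-enrollment checks passed.'
```

Run the script elevated on each Windows node immediately before enrolling it, and again on the CA host itself before installing the CA, since the CA's own clock and address are the reference everything else is checked against.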


3.1.1 SECURE COMMUNICATION SYSTEM PLANNING


The objective of this first planning step is to define the nodes involved and the level of secure
communication desired for each path. The output of this planning session is a system communication
diagram. The figure below is an illustrative example of a system communication diagram for SM SC
Controller.

System Communication Diagram

There are two Windows nodes and two SM SC Controllers deployed at this site. Windows node 1
participates with the SM SC Controllers (at 192.168.0.3 and 192.168.0.5) in secure communications.
Windows node 2 is excluded from secure communications because of its network placement or for
interoperability reasons. Additionally, the diagram depicts the level of secure communication expected
on each path (annotated as Cleartext or Encrypted). Refer to the following sections for further technical
information on the implementation of the Honeywell Secure Communications solution.


3.1.2 ADVANCED TECHNICAL INFORMATION


This section provides advanced technical information about the underlying technology used to
ensure Secure Communications for the Honeywell Safety Manager SC Controller.
Secure communication protocols provide a way to authenticate clients and servers and protect the
integrity and confidentiality of communication between clients and servers.

Protocol                   | Secure Communications Technology
Builder Communication      | IPSec
Safenet                    | IPSec
Cleartext                  | IPSec (cleartext exception policy)
Certificate Authority      | HTTP
IPSec Configuration App    | TLS


3.1.3 CERTIFICATE MANAGEMENT


Trust is established between nodes by presenting and verifying X.509 (v3) certificates. The
certificates, as distributed, have the following characteristics:
- ECDSA P-256 signatures
- Use of the standard protocol SCEP (Simple Certificate Enrollment Protocol) for distribution,
  renewal and CRL retrieval


3.1.4 SECURE COMMUNICATIONS USING IPSEC


IPSec is the selected method for securing communication between nodes within the same subnet. The IKE
protocol, defined as part of IPSec, is used during the initial negotiation to authenticate the partner
endpoint and agree upon the algorithms used for the subsequent protected communication. Below are the
default security constructs and algorithms selected for all nodes using IPSec:
- Main mode IKEv1, and IKEv2 when supported by the peer
- SHA-256 message authentication
- AES-CBC 128-bit encryption
- ECDH P-256 key agreement
Subsequent to establishing trust, the IPSec security constructs selected for securing communication are:
- Deny all communication unless explicitly granted
- ESP only, no AH
- AES-GCM 128-bit message authentication with NULL encryption (integrity only)
- AES-GCM 128-bit message authentication and encryption
The above security constructs apply to a "security area", a structural grouping of nodes used to establish
Secure Communications relationships. The policies below are the options for all nodes that form a security
area:
- No Communication: explicitly blocks all communication with the node
- Cleartext Communication: no security measures; intended for interoperability scenarios
- Authentication and Encryption (Message Integrity and Data Confidentiality): full encryption
  that preserves confidentiality
Data Sync: Enrollment for IPsec communication must be performed separately on each module, as this
data is not synchronized between the modules. Furthermore, if the two modules are not fully enrolled
then synchronization will be disabled.
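The example below is an added illustration and not Honeywell's configuration procedure or tooling: it expresses the constructs above as native Windows IPsec policy on Windows node 1 from the planning example, using the NetSecurity PowerShell module. It creates one main mode proposal (SHA-256, AES-CBC 128, ECDH P-256) authenticated with machine certificates chained to the site root CA, two ESP-only quick mode proposals (AES-GCM 128 with encryption, and AES-GCM 128 integrity-only with NULL encryption), requires protected traffic to and from the two SM SC Controllers at 192.168.0.3 and 192.168.0.5, and adds one explicit cleartext exception. The CA subject, the exempted service (NTP on UDP 123 is a placeholder; the manual does not list which services are exceptions) and the quick mode lifetimes are assumptions. Windows node 2, which does not take part in secure communications, gets no rule at all.

```powershell
# Windows node IPsec policy for secure communications with SM SC Controllers.
# Added illustration, not Honeywell's configuration tool; run elevated on the Windows node.
$Controllers = '192.168.0.3', '192.168.0.5'   # SM SC Controllers from the planning diagram
$CaSubject   = 'CN=Site Root CA'              # assumption: subject of the site root CA
$ExemptProto = 'UDP'                          # assumption: cleartext exception for NTP
$ExemptPort  = '123'                          # assumption: NTP port

# Phase 1 (IKE main mode): SHA-256, AES-CBC 128, ECDH P-256, as listed for all nodes.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES128 -Hash SHA256 -KeyExchange ECDH256
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName 'SMSC Main Mode' -Proposal $mmProposal

# Phase 1 authentication: machine certificate chained to the site root CA, ECDSA P-256 signed.
$authProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaSubject `
                    -AuthorityType Root -Signing ECDSA256
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'SMSC Cert Auth' -Proposal $authProposal

New-NetIPsecMainModeRule -DisplayName 'SMSC Main Mode Rule' -RemoteAddress $Controllers `
    -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $authSet.Name | Out-Null

# Phase 2 (quick mode): ESP only, no AH. Offer AES-GCM 128 with encryption first, then
# AES-GCM 128 integrity-only (NULL encryption); the peer's policy selects which applies.
# Lifetimes are assumptions.
$qmEncrypted     = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
                       -ESPHash AESGCM128 -Encryption AESGCM128 -MaxMinutes 60 -MaxKiloBytes 100000
$qmIntegrityOnly = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
                       -ESPHash AESGMAC128 -Encryption None -MaxMinutes 60 -MaxKiloBytes 100000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'SMSC Quick Mode' `
             -Proposal $qmEncrypted, $qmIntegrityOnly

# Require protection for every packet to or from the controllers (transport mode, same subnet).
# Anything to these addresses that is not protected and not explicitly exempted is dropped.
New-NetIPsecRule -DisplayName 'SMSC Require Protection' -Mode Transport `
    -RemoteAddress $Controllers -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name | Out-Null

# Explicit cleartext exception for one service that must stay unprotected (assumed: NTP).
New-NetIPsecRule -DisplayName 'SMSC Cleartext Exception NTP' -Mode Transport `
    -RemoteAddress $Controllers -Protocol $ExemptProto -RemotePort $ExemptPort `
    -InboundSecurity None -OutboundSecurity None | Out-Null

# Nothing is created for Windows node 2: nodes outside secure communications need no rule.
Get-NetIPsecRule -DisplayName 'SMSC*' |
    Format-Table DisplayName, Mode, InboundSecurity, OutboundSecurity
```

The order of the two quick mode proposals matters: the first one listed is offered first, so the encrypted proposal leads and the integrity-only proposal is only used if the controller's policy for this node asks for it. Because the exception rule is scoped to the controller addresses and one protocol/port, every other path to the controllers stays under the Require rule, which is the Windows-side counterpart of the controller's deny-all-unless-granted policy.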


3.1.5 SECURE COMMUNICATIONS USING TLS (TRANSPORT LAYER SECURITY)


TLS is the selected method to secure communications for the IPSec configuration tool. In this scenario
TLS version 1.2 or higher is selected, with the following security constructs and characteristics:
- SHA256/SHA384 hashing
- ECDHE key exchange (ephemeral DH keys, providing forward secrecy)
- AES-GCM 128-bit encryption
Enroll for TLS communication
This step prepares the module to retrieve the IPSec certificate from the CA over a secure channel.
Data Sync: This step must be performed separately on each module, as this data is not synchronized
between the modules. Furthermore, if the two modules are not fully enrolled then synchronization will be
disabled.


3.1.6 SECURE BOOT


SM SC Controller firmware is signed to ensure authenticity. Firmware signing uses the following security
construct:
- RSA-2048

4 SAFETY MANAGER SC FAULT DETECTION AND FAULT REACTION


4.1 INTRODUCTION
The goal of fault detection and fault reaction is to detect and isolate faults that affect the safety of the
process under control, within a time frame that is acceptable for the process.

Note:
There is always a diagnostic alarm available upon detection of a fault.

Fault detection and fault reaction occur at different levels. These levels are:
- system level,
- module level,
- channel level.
System level
Combinations of module and IO faults are controlled at system level. Depending on the hardware and
configuration of a system, the fault reaction to such combinations will be different. A distinction is made
between these systems:
- Safety Manager SC
For further details see:
- Fault detection and fault reaction of the system
Module level
Faults at module level are controlled at controller level. Depending on the hardware and configuration of
a system, the fault reaction is determined by the SM SC Controller and/or IO module(s).
For further details see the fault reaction table(s) in:
- Safety Manager SC Controller faults
- Safety Manager SC Universal Safety IO module faults
Channel level
Faults at channel level are controlled at IO module level. Depending on the hardware and configuration of
a system, the fault reaction is determined by the SM SC Controller and/or universal module(s).
For further details see the fault reaction table(s) in:
- Safety Manager SC Universal Safety IO module faults


4.1.1 DIAGNOSTIC TEST INTERVAL


The Diagnostic Test interval (DTI) is the time in which detection and isolation of faults takes place. The
DTI must be set to a value that is acceptable for the process, such as the Process Safety Time (PST).
These values can be obtained from hazard analysis reports.


4.1.2 CONTROLLER CONFIGURATIONS AND STATES


Controller configurations
A distinction is made between non-redundant controllers and redundant controllers. A non-redundant
controller has one FC-SCNT01; the response of the SM SC Controller is automatically the response of the
controller. A redundant controller has two FC-SCNT01s; the response of one FC-SCNT01 does not
necessarily affect the safety related functioning of the controller.

Note:
Safety Manager SC can have both non redundant controllers and redundant controllers.

Safety Manager SC Controller states


A Safety Manager SC Controller has predefined states. For fault detection and fault reaction the following
states are relevant.

Attention:
The states described below are presented on the display of the relevant controller.

- STOP: SM SC Controller is not idle and not running.
- IDLE: SM SC Controller is not safeguarding the process / SM SC Controller has no safety
  application.
- OK: SM SC Controller is safeguarding the process.
- ALIV: SM SC Controller is functional.
  In this state, the diagnostic message "Backup firmware running" is also indicated in the actual
  diagnostics screen. The user should load the controller again to resolve this situation.
- SPSC: This state typically resolves on its own within a minute.
  If it does not, then power must be cycled to CP2. Once CP2 powers up again, if SPSC is still
  displayed for more than a minute, then power must be cycled to CP1.
- -np-: No Partner; one module is removed or powered off. It could also indicate an issue with
  redundancy communication. It is also displayed for a non-redundant configuration.
The applicable SM SC Controller state can be read from the User Interface Display located on each SM
SC Controller and from the diagnostic screens available on Experion™ and Safety Stations.
Fault Reaction and IO states
The Fault Reaction (FR) state of each IO point is the predetermined state or action the point assumes in
case of faults.
- For normally energized safety related applications, like ESD applications, the predefined safe
  fault reaction state is de-energized or Low.
- For normally de-energized safety related applications, like FGS applications, the safe fault
  reaction state for inputs is energized or High / Top Scale.
Fault reaction and IO states are explained below:
Fault reaction
The reaction to faults in the Controller, application and/or IO.


- The fault reaction towards Controller and/or application faults is fixed.
- The fault reaction to IO faults can be configured on a point or module level; it should be
  customized to the application for which Safety Manager SC is used.
Input states
From a system point of view, input states can have either the healthy state or the fault reaction state.
- When healthy, the Input is active and provides the application value.
- When faulty, the Input responds according to a predefined fault condition (fault reaction).
- When forced, the force value is applied.
Output states
From a system point of view, output states can have either the healthy state, the de-energized state or
the fault reaction state.
- When healthy, the IO is active and has the application value applied.
- When faulty, the IO is de-activated (as if no power was supplied).
- When the fault reaction state is applied, the IO responds according to a predefined fault
  condition (fault reaction).
- When forced, the force value is applied.
Repair timer

Note:
The repair timer setting must be based on a hardware reliability analysis which includes MTTR
figures.

All configurations of Safety Manager SC are at least single fault tolerant to faults that affect safety. By
applying a secondary means, Safety Manager SC is able to bring a process to a safe state regardless of
the fault.
By default, Safety Manager SC is configured to isolate the faulty part of a subsystem to guarantee
continued safe operation of the EUC. In systems with a redundant SM SC Controller, a fault in a
subsystem of one of the SM SC Controllers has no effect on the safeguarded process. Continuous
safeguarding and availability are maintained.
A configurable repair timer is started for the relevant SM SC Controller on certain fault conditions. Within
the remaining time the faulty part can be repaired. If the timer is allowed to reach zero, or another fault
that affects safety occurs before the repair, that SM SC Controller halts.
It is strongly advised to apply this feature of Safety Manager SC to meet the requirements of applicable
standards. However, the user can choose to configure Safety Manager SC differently to meet specific
requirements.


4.1.3 SHUTDOWN BY APPLICATION OR MANUAL INTERVENTION


By design, Safety Manager SC is configured to meet the requirements of applicable international
standards. In case local and/or customer requirements demand an even more stringent system response,
Safety Manager SC offers two additional features for such situations. These features are:
- A shutdown via the application software; to achieve this, Safety Manager SC alarm markers can
  be applied.
- A manual shutdown via the shutdown (SD) input of the SM SC Controller and the IO modules. With
  the aid of the SD input a tested, hard-wired connection can be used. Please refer to the Hardware
  Reference guide for details on how to connect the SD to a module.

Attention:
1. Breaking the SD loop of the SM SC Controller will cause Safety Manager SC to idle!
2. Breaking the SD loop of the IO module will cause the IO module to idle!


4.2 FAULT DETECTION AND FAULT REACTION OF THE SYSTEM


This section describes the fault detection and reaction of the system. Full module redundancy is provided
to ensure process availability.


4.2.1 SAFETY MANAGER SC


The below figure shows the reliability block diagram for a redundant Safety Manager SC.

Figure 4-1: SM SC Reliability block diagram

The architecture of Safety Manager SC shows redundant control paths that function essentially
independently of each other. Execution is synchronized at the FC-SCNT01s. The system performs
continuous diagnostics on all critical parts of the system.
When the system detects a fault, the diagnostic is reported and the corresponding action is
performed, isolating the faulty part of the system. In principle the equipment under control will continue
to be safeguarded, as the safeguarding function will be performed by the healthy partner.
Below the system responses of safety related modules are explained:
SM SC Controller
The SM SC Controller performs diagnostic tests on all critical parts of the module such as memory,
processors, address lines etc. When a safety related fault is detected, the module will be directed to the
safe state. The EUC will continue to be safeguarded due to the redundancy.
Safety related inputs
Inputs are scanned and diagnosed every execution cycle by their FC-SCNT01 and IO modules. For a
redundant SM SC Controller all input values are compared before executing the application logic.
Discrepancies will be diagnosed. When a fault is detected, both processors will use the value from the
healthy module and perform the output actions as directed by the configured logic.
Safety related outputs
Outputs are written and diagnosed every execution cycle by their FC-SCNT01 and IO modules. When a
fault is detected it will be reported and the module will be directed to the safe state while the EUC
continues to be safeguarded by its redundant partner.


4.2.2 SAFETY MANAGER SC ART+


In Safety Manager SC, redundant physical links allow single fault tolerance, but the addition of two
cables enables the ART+ architecture with multi-fault tolerance. Dual processor technology for each SC
Controller set up as ART+ means that for redundant IO configurations, both paths can be controlled by
each SC Controller. By enabling cross-communication between redundant paths, customers can be sure
that losing a switch does not mean losing communication with IO. Typical applications of the ART+
architecture include process safeguarding applications for which continuous operation is essential.
In releases R210 and later, attaching cables for an ART+ configuration prompts the SC Controller to
recognize the ART+ architecture and display relevant live status messages on the Controller Management
System Information screen. For more information about Safety Builder Remote IO messages, see the
Software Reference.
Safety Manager SC ART+ configurations can be found in the Communication Best Practices Guide.


4.3 SAFETY MANAGER SC CONTROLLER FAULTS


The topics that follow provide an overview of detected SM SC Controller faults and the SM SC Controller
reaction to these faults.


4.3.1 SM SC CONTROLLER FAULTS


The table below provides an overview of faults that the SM SC Controller detects related to the SM SC
Controller and the reaction to these faults. The table refers to the SM SC Controller as SM-SC. The
redundant reaction is written as SM-SCX (faulty module) / SM-SCY (not faulty module); a single value in
that column applies to both modules.

Table 4-2: Controller reaction to faults

Related to | Diagnostics report includes | Non-redundant controller reaction | Redundant controller reaction: SM-SCX (faulty) / SM-SCY (not faulty)
Temperature monitoring (set points user configurable) | high alarm or low alarm | none-continue | none-continue
Temperature monitoring (set points user configurable) | high-high alarm or low-low alarm | idle SM-SC | idle SM-SC / none-continue
Temperature monitoring (set points user configurable) | 1 sensor faulty and temp. more than 3 degrees from shutdown limits | none-continue | none-continue
Temperature monitoring (set points user configurable) | 1 sensor faulty and temp. less than 3 degrees from shutdown limits | idle SM-SC | idle SM-SC / none-continue
Memory | controller memory | idle SM-SC | idle SM-SC / none-continue
Execution | execution time-out or range / failure | idle SM-SC | idle SM-SC / none-continue
Execution | error on logical sheet | idle SM-SC | idle SM-SC
Watchdog | output shorted | idle SM-SC | idle SM-SC / none-continue
Watchdog | de-energized watchdog line | idle SM-SC | idle SM-SC / none-continue
Watchdog | faulty | idle SM-SC | idle SM-SC / none-continue
Internal link | faulty | none-continue | idle SM-SC / none-continue
Controller module | faulty | idle SM-SC | idle SM-SC / none-continue
Repair timer (user configurable) | expired | idle SM-SC | idle SM-SC
Software | corrupted | idle Controller | idle SM-SC / none-continue
Intervention | position | idle SM-SC | idle SM-SC / none-continue
Intervention | spurious watchdog interrupt; assertions; SD input de-energized | spurious watchdog interrupt | spurious watchdog interrupt
Spurious watchdog interrupt | synchronization | spurious watchdog interrupt | idled SM-SC; system software does not start
Application timers and counters | application timers and counters | idle SM-SC | idle SM-SC
IO compare error | IO compare error | none-continue | apply FR state
Time sync (user configurable) | source unavailable | switch to other source | switch to other source
Internal communication | | |


4.3.2 SC COMMUNICATION MODULE FAULTS


The table below provides an overview of detected faults in relation to the SM SC Controller
communication and the response to these faults. The table refers to the SM SC Controller as SCC.

Table 4-3: Controller response to communication faults

Faults (related to / diagnostics report includes):
- Controller memory module / faulty
- Controller execution module / faulty
- Controller communication module / faulty
- Controller module / faulty
- System software / synchronization
- Software / corrupted

Response to any of these faults:
- Non-redundant controller: apply FR state to affected COM, FSC & Universal Safety IO points.
- Redundant controller, SCCX (faulty): use values from SCCY for affected COM, FSC & Universal Safety
  IO points¹.
- Redundant controller, SCCY (not faulty): none.

1. If values are not available via SCCY, apply FR state to affected COM, FSC & Universal Safety IO
   points.


4.3.3 REDUNDANT SM SC CONTROLLER KEY SWITCH FAULTS


The table below provides an overview of faults that can be detected in relation to the SM SC
Controller key switch and the response to these faults. In case of a compare error the safe value will be
used.

Table 4-4: Controller response to SM SC Controller key switch faults

Related to | Diagnostics report includes | Redundant controller response
Key switch | input compare error (fault reset key switch) | fault reset: no reset
Key switch | input compare error (force enable key switch) | force enable: not enabled
Key switch | input compare error (program enable key switch) | program enable: not enabled
Key switch | input compare error (force clear key switch) | force clear: not cleared


4.3.4 SM SC COMMUNICATION LINK FAULTS

Note:
Please note that a fault in the communication links may be caused by SM SC Controller
communication.

The table below provides an overview of faults that can be detected in relation to communication and the
response to these faults. The table refers to the SM SC Controller as SCC. The redundant response is
written as SCCX (faulty) / SCCY (not faulty).

Table 4-5: Controller response to communication faults

Related to | Diagnostic message reports | Non-redundant communication or "shared Safety Manager SC Controller" response¹ | Redundant communication: SCCX (faulty) / SCCY (not faulty)
communication fault² | broken link; wrong protocol assigned; time-out | apply FR state to affected COM, FSC & Universal Safety IO points of that communication channel; if the channel belongs to the active clock source, switch to the other clock source | continue communication via healthy link³ / none-continue
too many requests | too many data requests is only a warning with no effect | no effect | n.a.
data mismatch between inputs⁴ (safety related communication) | compare error | n.a. | apply FR state
data mismatch between inputs⁴ (non-safety related communication) | | n.a. | values received by SCC2 will be used

1. If the Controller is redundant, both SCC channels respond the same.
2. If no healthy link remains, apply FR state to the affected COM, FSC & Universal Safety IO points
   allocated to that channel and/or switch to other clock source.
3. If values are not available via SCCY, apply FR state to affected COM, FSC & Universal Safety IO
   points.
4. Inputs as in communication inputs of this Safety Manager SC Controller.
Communication time-out
If no communication with the external device is established within a predefined time frame a
communication time-out is generated.
A communication time-out always results in a communication failure. Communication time-outs can be
configured by the user.
If a device is connected to Safety Manager SC via a redundant communication link, the fault detection
applies to each link separately, resulting in fault tolerant communication.


4.4 SAFETY MANAGER SC UNIVERSAL SAFETY IO MODULE FAULTS


The topics that follow provide an overview of detected Safety Manager SC Universal Safety IO module
faults and the Safety Manager SC Universal Safety IO module reaction to these faults.
Table 4-6 describes module-level faults.

Note:
The table below uses the term USIO. This covers the types of Safety Manager SC Universal Safety IO
modules the table applies to. These types are:
- Universal Safe IO (USIO), which includes FC-PDIO01 and FC-PUIO01

The redundant response is written as CPx (faulty) / CPy (not faulty); a single value in that column
applies to both.

Table 4-6: USIO response to module faults

Related to | Diagnostics report includes | Non-redundant USIO response | Redundant USIO response: CPx (faulty) / CPy (not faulty)
Temperature monitoring (set points user configurable) | high alarm or low alarm | none-continue | none-continue
Temperature monitoring (set points user configurable) | high-high alarm or low-low alarm | halt USIO | halt USIO CPx / none-continue
Temperature monitoring (set points user configurable) | 1 sensor faulty and temp. more than 3 degrees from shutdown limits | none-continue | none-continue
Temperature monitoring (set points user configurable) | 1 sensor faulty and temp. less than 3 degrees from shutdown limits | halt USIO | halt USIO CPx / none-continue
Memory | USIO memory | halt USIO | halt USIO CPx / none-continue
Execution | execution time-out or range / failure | halt USIO | halt USIO CPx / none-continue
Watchdog; Internal link | faulty | none-continue | halt USIO CPx / none-continue
Repair timer (user configurable) | running | none-continue | none-continue
Repair timer (user configurable) | expired | halt USIO | halt USIO CPx / none-continue
Software | corrupted | halt USIO | halt USIO CPx / none-continue
Intervention | spurious watchdog interrupt; assertions; SD input de-energized | halt USIO | halt USIO CPx / none-continue
Synchronization | USIO | | halt USIO CPx / none-continue
Synchronization | halted USIO CP system software does not start | n.a. | none-continue
Synchronization | base timer | | halt USIO CPx / none-continue


4.5 SAFETY MANAGER SC UNIVERSAL SAFETY IO FAULTS


This section provides information about hardware-related, channel-level IO faults that are detected in
Safety Manager SC Universal Safety IO (including FC-RUSIO-3224, FC-PDIO01 and FC-PUIO01 modules).
The topics that follow provide an overview of detected faults and the SM SC Controller reaction to these
faults.

Module | Types of faults
FC-PDIO01 | DI, DO
FC-RUSIO-3224 | DI, DO, AI, AO
FC-PUIO01 | DI, DO, AI, AO


4.5.1 UNIVERSAL SAFETY IO DIGITAL INPUT FAULTS


The table below provides an overview of faults that can be detected in relation to Universal Safety IO
digital inputs and the reaction to these faults. The redundant response is written as CP X (faulty input)
/ CP Y (healthy input); a single value applies to both.

Table 4-7: SM SC Controller response to universal digital input faults

Related to | Diagnostic message reports | Repair timer starts | Non-redundant input: SM SC Controller response¹ | Redundant input: CP X (faulty input) / CP Y (healthy input)
digital input loop² (line monitored) | lead breakage | No | apply FR state to affected inputs | apply FR state
digital input loop² (line monitored) | short circuit | No | apply FR state to affected inputs | apply FR state
channel | module faulty | No | apply FR state to affected input of faulty channel | use values from CPY³ / none-continue
module | module faulty | No | apply FR state to affected input of faulty channel(s) | use values from CPY³ / none-continue

1. If the SM SC Controller is redundant, both CPs respond the same.
2. This fault is usually caused by an anomaly in the field, not by a defect of an input module.
3. If values are not available via CPY, apply FR state to affected inputs.


4.5.2 UNIVERSAL SAFETY IO ANALOG INPUT FAULTS

Note:
The table below covers the following types of Safety Manager SC Universal Safety IO modules:
- FC-RUSIO-3224
- FC-PUIO01

Table 4-8: SM SC Controller response to universal analog input faults

Related to | Diagnostic message reports | Repair timer starts | Non-redundant input: SM SC Controller response¹ | Redundant input: CPX (faulty input) / CPY (healthy input)
analog input value | below low transmitter alarm level (per range) | No | none-continue for 0-20mA, 0-10V; bottom scale for 4-20mA, 2-10V | none-continue for 0-20mA, 0-10V; bottom scale for 4-20mA, 2-10V
analog input value | above high transmitter alarm level (all ranges) | No | none-continue | none-continue
channel | module faulty | No | apply FR state | use values from CPY² / none-continue
module | module faulty | No | apply FR state | use values from CPY² / none-continue

1. If the SM SC Controller is redundant, both CPs respond the same.
2. If values are not available via CPY, apply FR state to affected inputs.


4.5.3 UNIVERSAL SAFETY IO DIGITAL OUTPUT FAULTS


The table below provides an overview of faults that can be detected in relation to remote digital outputs
and the reaction to these faults. The redundant response is written as CPx (faulty output) / CPy (healthy
output); a single value applies to both.

Table 4-9: SM SC Controller response to universal digital output faults

Related to | Diagnostic message reports | Repair timer starts | Non-redundant output: SM SC Controller response¹ | Redundant output: CPx (faulty output) / CPy (healthy output)
digital output loop² (line monitored) | open loop | No | none-continue | none-continue
digital output loop² | short circuit detected | No | de-energize shorted output(s) | de-energize shorted output(s)
channel fault | module faulty | Yes | apply FR state to affected output of faulty channel | apply FR state to affected output of faulty channel / none-continue
module fault | module faulty | Yes | apply FR state to affected output of faulty channel(s) | apply FR state to affected output of faulty channel(s) / none-continue

1. If the SM SC Controller is redundant, both CPs respond the same.
2. This fault is usually caused by an anomaly in the field, not by a defect of an output module.


4.5.4 UNIVERSAL SAFETY IO ANALOG OUTPUT FAULTS


The below table provides an overview of faults that can be detected in relation to remote analog outputs
and the reaction to these faults.

Note:
The table below uses the term USIO to cover the types of Safety Manager SC Universal Safety IO
modules These types are:
l FC-RUSIO-3224
l FC-PUIO01

Table 4-10: SM SC Controller response to universal analog output faults

| Related to | Diagnostic message reports | Repair timer starts | Non-redundant output: SM SC Controller response (1) | Redundant output: CPx (faulty output) | Redundant output: CPy (healthy output) |
|---|---|---|---|---|---|
| analog output | calculation overflow | No | halt USIO | halt USIO | halt USIO |
| analog output loop | open loop | No | none - continue | none - continue | none - continue |
| module faulty | channel fault | Yes | apply FR state to affected output of faulty channel | apply FR state to affected output of faulty channel | none - continue |
| module faulty | module fault | Yes | apply FR state to affected output of faulty channel(s) | apply FR state to affected output of faulty channel(s) | none - continue |

1. If the SM SC Controller is redundant, both CPs respond the same.


4.6 BEHAVIOR OF THE ESD INPUT ON UNIVERSAL SAFETY IO


This section summarizes the behavior of the ESD input on Universal Safety IO modules (including FC-RUSIO-3224, FC-PDIO01 and FC-PUIO01).
- The ESD input has diagnostics on its input loop.
- The fault reaction for this channel is Low.
- A short circuit causes the ESD input in the FLDs to go Low. The Universal Safety IO module keeps running, because a closed input is the operational state of the ESD input. This input can therefore be used as an alarm to indicate that something is wrong with the ESD input loop.
- An open circuit causes the Universal Safety IO module to shut down: an open loop directly trips the watchdog of the Universal Safety IO module, independent of the software, because open is the non-operational state of the ESD input.
- If a hardware fault is detected in the ESD input circuit, or the ESD enable setting does not match the configuration, the software shuts down the Universal Safety IO module.


4.7 COMPARE ERROR HANDLING


This section provides information about compare errors and how they are handled by the system.
Compare errors are software-related faults. The topics that follow describe how the system deals with:
- IO compare errors and system response, and
- compare error detection and synchronization.


4.7.1 SAFETY MANAGER SC IO COMPARE ERRORS AND SYSTEM RESPONSE

Note:
Because of the high level of self-testing and fault handling by Safety Manager SC, the actual occurrence of a compare error is very unlikely.

An IO compare error is generated as soon as the Controller detects a difference between the IO values of both Controllers, or between the values of redundant FC-RUSIO-3224, FC-PDIO01 or FC-PUIO01 modules. The Controller responds to IO compare errors by applying the fault reaction state to the faulty IO.
- The reaction to a compare error between redundant CPs is to force CP2 to the safe state while CP1 continues safeguarding the process.
- The reaction to a compare error between the SC Controller and IO is to apply the FR state to the faulty channel(s).
The below table shows the relation between Input and output compare faults, alarm markers and
Controller reaction.
Table 4-11: Controller reaction to IO compare errors

| IO compare error | Occurs when detecting | Controller reaction: non-redundant IO | Controller reaction: redundant IO |
|---|---|---|---|
| digital inputs | a difference in the input values persists for more than 3 application cycles | apply FR state | 3oo4 voting, 2oo3 voting, apply FR state |
| digital outputs | a difference in the output values of a redundant Safety Manager SC Controller, FC-RUSIO-3224 or FC-PUIO01 | apply FR state | apply FR state |
| analog inputs | a deviation of more than 2% in the input values persists for more than 3 application cycles | apply FR state | 3oo4 voting, 2oo3 voting, apply FR state |
| analog outputs | - | apply FR state | apply FR state |


4.7.2 COMPARE ERROR DETECTION AND SYNCHRONIZATION IN SAFETY MANAGER SC


Input compare errors
Input compare error detection applies to all hardware inputs.
Differences in the input status read should be momentary. Persisting differences could be the result of detected hardware faults. In that case, the faulty input channel is reported in the diagnostics, and both SM SC Controllers use the process value read from the healthy input channel.
A persisting difference in the status of an input while no faults are detected at the associated hardware channels leads to an input compare error. The resulting input is the result of voting (in the case of Safety Manager SC Universal Safety IO, FC-PDIO01 and FC-PUIO01) or of applying the FR state (if majority voting is not possible).
Output compare errors
Output compare error detection applies to all hardware outputs.
In configurations with a redundant Controller, both SM SC Controllers continuously have an identical application status, resulting in identical process outputs.
An output compare error is detected if there is a difference between the SM SC Controllers, or between two paired Safety Manager SC Universal Safety IO modules, redundant FC-PDIO01 modules or redundant FC-PUIO01 modules, with respect to:
- the calculated application output values for hardware outputs (DO) or communication outputs (DO, BO) to another Safety Manager SC;
- the actual application values sent to hardware outputs (DO) or communication outputs (DO, BO) to another Safety Manager SC.
If the outputs are no longer synchronized, an output compare error is generated.
Digital input synchronization
A digital input compare error is detected if the inputs of both SM SC Controllers, or of two paired IO modules, are stable but unequal (for example SM SC Controller 1 continuously '0', SM SC Controller 2 continuously '1') for more than three application cycles.
The input compare error detection algorithm puts the following demands on the dynamic nature of the digital process inputs:
- If an input state changes, it must become stable again within two application cycles.
- Continuously changing (toggling) inputs must change state less often than once every two application cycles.
Analog input synchronization
For analog inputs, the synchronized value is the mean of the two input values. An input compare error is detected if the input values differ by more than 2% of full scale for the duration of three application cycles.
The input compare error detection algorithm puts the following demands on the dynamic nature of the analog process inputs:
- For inputs allocated to a Safety Manager SC Universal Safety IO module, the slope steepness must be less than 700 mA/s.
- AI input compare errors may occur when calibrating smart AI devices.
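The detection rules above (and the reactions in Table 4-11) can be stated precisely in code. The following Python model is an added illustration written for this page; it is not Honeywell code and does not reproduce the Controller's firmware. It applies the stated thresholds (digital: a difference persisting for more than three application cycles; analog: more than 2% of full scale for three cycles, synchronized value equal to the mean) and falls back to the FR state when no majority vote is possible. The `FR_STATE` marker, the behaviour during a momentary digital mismatch (the last agreed value is kept) and the sample traces are assumptions.

```python
"""Compare-error detection between two redundant readings (CP1 and CP2).

Added illustration for this page, not Honeywell code. Models section 4.7.2
and Table 4-11: a digital difference persisting for more than three
application cycles, or an analog difference above 2 % of full scale for
three cycles, raises a compare error. With two channels no majority vote is
possible, so the FR state is applied; with three or more (redundant
Universal Safety IO) a majority vote is taken first. FR_STATE, the handling
of a momentary digital mismatch and the sample traces are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

FR_STATE = None              # assumed marker for the fault reaction (de-energized) state
DI_MAX_MISMATCH_CYCLES = 3   # "persists for more than 3 application cycles"
AI_ERROR_CYCLES = 3          # ">2 % ... for the duration of three application cycles"
AI_TOLERANCE = 0.02          # fraction of full scale


@dataclass
class DigitalInputPair:
    """One digital input as read by two redundant channels."""
    last_agreed: bool = False     # assumption: start from the de-energized value
    mismatch_cycles: int = 0
    compare_error: bool = False

    def cycle(self, cp1: bool, cp2: bool) -> Optional[bool]:
        """Process one application cycle and return the synchronized value."""
        if self.compare_error:
            return FR_STATE
        if cp1 == cp2:
            self.mismatch_cycles = 0  # momentary differences are tolerated
            self.last_agreed = cp1
            return cp1
        self.mismatch_cycles += 1
        if self.mismatch_cycles > DI_MAX_MISMATCH_CYCLES:
            self.compare_error = True  # stable but unequal for more than 3 cycles
            return FR_STATE
        return self.last_agreed       # assumption: keep last agreed value meanwhile


@dataclass
class AnalogInputPair:
    """One analog input as read by two redundant channels."""
    full_scale: float             # e.g. 16.0 mA span of a 4-20 mA loop
    deviation_cycles: int = 0
    compare_error: bool = False

    def cycle(self, cp1: float, cp2: float) -> Optional[float]:
        if self.compare_error:
            return FR_STATE
        if abs(cp1 - cp2) > AI_TOLERANCE * self.full_scale:
            self.deviation_cycles += 1
            if self.deviation_cycles >= AI_ERROR_CYCLES:
                self.compare_error = True
                return FR_STATE
        else:
            self.deviation_cycles = 0
        return (cp1 + cp2) / 2.0      # synchronized value is the mean


def vote_majority(values: Sequence[bool]) -> Optional[bool]:
    """Majority vote over three or more redundant digital channels (2oo3,
    3oo4, ...). Returns FR_STATE when no strict majority exists."""
    ones = sum(1 for v in values if v)
    zeros = len(values) - ones
    if ones > zeros:
        return True
    if zeros > ones:
        return False
    return FR_STATE


def run_digital(trace: Sequence[tuple]) -> List[Optional[bool]]:
    pair = DigitalInputPair()
    return [pair.cycle(a, b) for a, b in trace]


def run_analog(full_scale: float, trace: Sequence[tuple]) -> List[Optional[float]]:
    pair = AnalogInputPair(full_scale=full_scale)
    return [pair.cycle(a, b) for a, b in trace]


if __name__ == "__main__":
    # Constructed trace: CP2 sticks at 0 while CP1 keeps reading 1.
    print(run_digital([(True, True), (True, False), (True, False), (True, False), (True, False)]))
    # Constructed 4-20 mA readings: a 0.5 mA deviation exceeds 2 % of 16 mA.
    print(run_analog(16.0, [(12.0, 12.25), (12.0, 12.5), (12.0, 12.5), (12.0, 12.5)]))
    print(vote_majority([True, False, True]))
```

The digital trace shows the tolerance window in action: three mismatching cycles still deliver the last agreed value, the fourth raises the compare error and the channel goes to the FR state. The analog trace shows why the 2% band matters: a 0.25 mA disagreement is averaged away, a 0.5 mA disagreement is flagged after three cycles.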


4.8 DETECTING AND PREVENTING CALCULATION ERRORS IN SAFETY MANAGER SC

Caution:
In case a calculation error occurs, Safety Manager SC will go to its idle state.

Calculation errors may occur in the application program.


Calculation errors occur if:
- the calculated value of an analog output is outside the specified range;
- the square root of a negative number is taken;
- a logarithm function is loaded with a negative value or zero;
- a divide-by-zero occurs;
- an overflow occurs during a calculation;
- the value for a counter or (variable) timer is outside the specified range.
Calculation errors reflect an incorrect design of the application program for the intended function. Once a
calculation error occurs for a specific process point, a correct result of successive calculations based on
this point cannot be guaranteed.
Preventing calculation errors
Calculation errors can be prevented as follows:
- overall process design;
- inclusion of Safety Manager SC diagnostic data;
- validation of signals in the Functional Logic Diagrams (FLDs);
- exception handling during the actual calculation.
Prevention by design
In line with good engineering practice for safety applications - as promoted by IEC 61508 - calculation
errors should be avoided by design. This means that an application should be designed in such a way
that the operands of a symbol in the FLDs can never get an invalid value. The design approach starts
with making sure that input values as obtained from the process remain within a predefined range. This
approach ensures that the derived values are also valid for successive operations.
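The two measures that matter most in practice are validating the signal before it reaches any arithmetic and guarding each operation that can fail. The following Python code is an added illustration written for this page; it is not Honeywell code and not FLD logic. It rejects every condition the list above names (out-of-range analog output, square root of a negative operand, logarithm of zero or a negative value, divide by zero, overflow, counter out of range) and shows a flow calculation in which a bad transmitter reading produces a flagged result instead of an undefined value. The 4-20 mA validity band, the output range, the counter limit and the flow formula are assumptions.

```python
"""Validation and exception handling for application calculations.

Added illustration for this page, not Honeywell code and not FLD logic.
Mirrors the calculation-error conditions of section 4.8 and the two
preventive measures it names: validate the input signal first, then guard
each operation so a bad operand yields a defined, flagged result. The
4-20 mA limits, the output range, the counter limit and the flow formula
are assumptions.
"""
import math
from dataclasses import dataclass
from typing import Optional

MA_MIN, MA_MAX = 3.8, 20.5     # assumed validity band for a 4-20 mA transmitter
AO_MIN, AO_MAX = 0.0, 100.0    # assumed engineering range of the analog output
COUNTER_MAX = 2 ** 31 - 1      # assumed 32-bit signed counter limit


@dataclass
class Result:
    value: Optional[float]
    valid: bool
    reason: str = ""


def validate_signal(ma: float) -> Result:
    """First barrier: reject a raw input outside the valid loop range."""
    if not (MA_MIN <= ma <= MA_MAX):
        return Result(None, False, f"input {ma} mA outside {MA_MIN}-{MA_MAX} mA")
    return Result(ma, True)


def safe_sqrt(x: float) -> Result:
    if x < 0:
        return Result(None, False, "square root of a negative operand")
    return Result(math.sqrt(x), True)


def safe_log(x: float) -> Result:
    if x <= 0:
        return Result(None, False, "logarithm of zero or a negative operand")
    return Result(math.log(x), True)


def safe_div(num: float, den: float) -> Result:
    if den == 0:
        return Result(None, False, "divide by zero")
    return Result(num / den, True)


def check_counter(n: int) -> Result:
    if not (0 <= n <= COUNTER_MAX):
        return Result(None, False, f"counter {n} outside 0-{COUNTER_MAX}")
    return Result(float(n), True)


def clamp_output(x: float) -> Result:
    """Last barrier: an analog output outside its range is a calculation
    error, so it is reported rather than written."""
    if math.isinf(x) or math.isnan(x):
        return Result(None, False, "overflow / not a number")
    if not (AO_MIN <= x <= AO_MAX):
        return Result(None, False, f"output {x:.2f} outside {AO_MIN}-{AO_MAX}")
    return Result(x, True)


def flow_from_dp(dp_ma: float, k: float = 10.0) -> Result:
    """Flow = k * sqrt(dP in %) from a 4-20 mA differential-pressure signal
    (assumed formula). Every step validates or is guarded."""
    sig = validate_signal(dp_ma)
    if not sig.valid:
        return sig
    span = safe_div(sig.value - 4.0, 16.0)      # scale 4-20 mA to 0..1
    # A valid-but-low signal (3.8-4.0 mA) is clamped to 0 % so it can never
    # reach the square root as a negative operand.
    pct = max(0.0, span.value) * 100.0
    root = safe_sqrt(pct)
    if not root.valid:
        return root
    return clamp_output(k * root.value)


if __name__ == "__main__":
    print(flow_from_dp(12.0))    # valid mid-range signal
    print(flow_from_dp(2.0))     # broken loop: rejected before any arithmetic
    print(safe_log(0.0), safe_div(1.0, 0.0), check_counter(-1))
```

Note that the guard on `sqrt` is reached only if the earlier range validation is bypassed; that layering is the point of the "prevention by design" paragraph: the operand cannot become invalid if the inputs feeding it are kept within range.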


5 SAFETY MANAGER SC SPECIAL FUNCTIONS


5.1 ONLINE MODIFICATION

Tip:
Detailed information about On-line modification can be found in The On-line Modification Guide.

Introduction
On-line modification (OLM) is a Safety Manager SC option which allows you to modify the application
software, embedded system software and the Safety Manager SC hardware configuration of systems with
a redundant Controller while the system remains operational.
During the firmware upgrade, which can only be performed with a redundant Safety Manager SC
Controller, both CPs will upgrade and reboot sequentially, with the result that systems connected to those
CPs will report loss of communication during reboot. During the online modification one CP will always
be up and running to maintain control and view. Communication with the CP loaded first will restore
automatically after reboot. After that, the second CP will upgrade to the new firmware and reboot. The
firmware upgrade is fully automated; once the Start button on the Safety Builder Load Controller screen is
pressed, the download and online modification sequence will run unattended to completion.
During an application online modification, which can be performed on a redundant or a non-redundant Safety Manager SC Controller, the loading is done in the background. When the download is complete and the new application has passed all checks, the online modification report is created. This report provides an overview of all important differences and must be studied carefully to make sure that no unexpected changes have been loaded to the SC Controller. Shortly after the online modification report has been made available, the Continue button is enabled on the Safety Builder Load Controller screen:
- If the Continue button is pressed, both SC Controller Control Processors switch from the old application to the new application simultaneously while maintaining control and view.
- If the Restore button is pressed, the SC Controller continues with the active application and deletes the just loaded application.
During the entire online modification process, the Fault Reset remains available to recover from alarms
or faults. The Fault Reset has no effect on the online modification procedure.
The engineer executing the OLM is guided through the OLM procedure step by step by Controller
Management which is integrated in the Safety Builder.
Compatibility check
During the modification, Safety Manager SC performs a compatibility check of the application-related
data, to guarantee a safe changeover from the existing configuration to the new configuration. The
system reports all application changes in a detailed report in the Extended Diagnostics.
The user is expected to verify each reported change before starting up the system.
When modifications are implemented in an application, only a functional logic test of the modified functions is required by, for example, TÜV. This must be done once the final verification of the implemented changes has been obtained via the built-in sheet difference report in Controller Management diagnostics.
SafeNet networks
If a system has been integrated into a SafeNet communication network, it performs a compatibility check
for all connected systems.


If it detects inconsistencies, or if the check of a specific system cannot be completed for some reason, an error message is generated in the Extended Diagnostics. When such an error occurs, no data is exchanged with that system. Communication is only established after the compatibility check has completed successfully for every connected Safety Manager SC for which it failed; the check is initiated again by a reset of the Controller.


5.2 SAFENET COMMUNICATION


Safety Manager SCs can be connected together to form safety-related networks. The protocol used for
this network is called SafeNet.
SafeNet is available to Safety Manager SCs for:
- distributed processing;
- sharing safe data for joint SIS-related tasks;
- SIL 3, TÜV-approved communication.


5.2.1 NETWORKS
Data that is transferred between Safety Controllers is represented in function logic diagrams as IO
symbols with the location FSC.
For input logical connections the location is FSC. For SafeNet, the output logical connection can be
configured on any type of point and any location.
For DI and BI with location FSC, the input logical connection is SafeNet. If location is not FSC, it is not
possible to make an input logical connection to the SafeNet link.
For all points (DI, BI, DO, BO, AI, AO), you can assign to an output logical connection at SafeNet links.


5.2.2 PROTOCOL VERSUS RESPONSE TIME


The response time and the time-out between a Node ID and its logical Peer ID depend on:
- the application program cycle time of the Node ID and Peer ID systems in the logical link;
- the delay caused by the transport protocol of the physical links;
- the cyclic period with which data is scheduled to be exchanged between each node pair of a logical link.
Response time and time-out time are related: the configured time-out must be larger than the maximum response time.
The maximum response time equals the sum of:
- the application cycle time of the Node ID,
- the application cycle time of the Peer ID, and
- the expected communication delay.
The Node ID periodically sends data to the Peer ID systems and requests data from the Peer IDs. A correct answer must be received within the time-out period; if it is not received in time, the link is regarded as faulty.
A new data transmission and request to a Peer ID are initiated after the Peer ID's reply to the previous request has been received. This interval can be equal to the time-out time, but is usually shorter.
For more information see SafeNet time-out time and Ethernet communication below:

SafeNet time-out time


All systems within the network monitor the operation of a communication link by means of a time-out.
The time-out can be set for each individual logical link and must be chosen such that it stays within the
Process Safety Time (PST) for the Safety Instrumented Functions (SIFs) involved.
Note the following conditions:
- If FTE redundancy is required to maximize the availability of the SafeNet connection, the SafeNet time-out must be configured to at least the FTE fail-over time of 3 seconds. If the SafeNet connection is used to exchange safety-related data, the SafeNet time-out setting must also be lower than or equal to the process safety time of the SIF involved.
- The FTE fail-over time can be ignored if FTE redundancy is not required, for example when the SafeNet link redundancy provided by controller redundancy is sufficient. Be aware that in such a configuration a single FTE cable fault may lead to a single SafeNet link fault.
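Taken together, the rules in this section and in the protocol description above bound the time-out from both sides: it must exceed the maximum response time (Node ID cycle time + Peer ID cycle time + expected communication delay), it must be at least the 3 s FTE fail-over time when FTE redundancy is relied on, and it must not exceed the process safety time of the SIFs carried by the link. The following Python check is an added illustration written for this page, not Honeywell code and not the check Safety Builder performs; it computes the feasible window and, importantly, tells you when no setting can satisfy all three rules (a SIF with a PST below 3 s cannot rely on FTE redundancy). The cycle times, delays and PST values in the calls are assumptions.

```python
"""Feasibility window for a SafeNet logical-link time-out.

Added illustration for this page, not Honeywell code and not a Safety
Builder check. Applies the rules of section 5.2.2: time-out > maximum
response time; time-out >= FTE fail-over time (3 s) when FTE redundancy is
relied on; time-out <= process safety time when safety-related data is
exchanged. Cycle times, delays and PST values in the example are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

FTE_FAILOVER_S = 3.0   # FTE fail-over time stated in section 5.2.2


@dataclass
class TimeoutWindow:
    min_response_s: float   # time-out must be strictly greater than this
    min_fte_s: float        # and at least this (0.0 when FTE redundancy is not relied on)
    max_s: float            # and at most this (inf when no safety data is exchanged)
    feasible: bool
    reason: str = ""


def max_response_time(node_cycle_s: float, peer_cycle_s: float, comm_delay_s: float) -> float:
    """Maximum response time of a logical link (the sum given in section 5.2.2)."""
    return node_cycle_s + peer_cycle_s + comm_delay_s


def timeout_window(node_cycle_s: float, peer_cycle_s: float, comm_delay_s: float,
                   pst_s: Optional[float], fte_redundant: bool) -> TimeoutWindow:
    """Compute the window a SafeNet time-out must lie in.

    pst_s: process safety time of the SIFs using the link, or None when the
    link carries no safety-related data (then there is no upper bound).
    fte_redundant: True when FTE redundancy is required for this link.
    """
    resp = max_response_time(node_cycle_s, peer_cycle_s, comm_delay_s)
    fte_min = FTE_FAILOVER_S if fte_redundant else 0.0
    upper = float("inf") if pst_s is None else pst_s
    if resp >= upper:
        return TimeoutWindow(resp, fte_min, upper, False,
                             "maximum response time is not below the process safety time")
    if fte_min > upper:
        return TimeoutWindow(resp, fte_min, upper, False,
                             "FTE fail-over time exceeds the process safety time; "
                             "FTE redundancy cannot be relied on for this link")
    return TimeoutWindow(resp, fte_min, upper, True)


def check_timeout(timeout_s: float, window: TimeoutWindow) -> bool:
    """True when a configured time-out satisfies every rule of the window."""
    return (window.feasible
            and timeout_s > window.min_response_s
            and timeout_s >= window.min_fte_s
            and timeout_s <= window.max_s)


if __name__ == "__main__":
    # Assumed link: 250 ms application cycles on both nodes, 100 ms transport delay.
    w = timeout_window(0.25, 0.25, 0.10, pst_s=10.0, fte_redundant=True)
    print(w, check_timeout(3.0, w), check_timeout(2.0, w))
    # Same link serving a fast SIF (PST 2 s): FTE redundancy cannot be used.
    print(timeout_window(0.25, 0.25, 0.10, pst_s=2.0, fte_redundant=True))
```

The second call in the usage block is the case worth remembering: the link itself is fast enough (0.6 s response against a 2 s PST), but the 3 s fail-over requirement makes FTE redundancy unusable for that SIF, so the design must fall back on controller redundancy as described in the second bullet above.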

Ethernet communication
When communicating via Ethernet you should be aware of Ethernet communication risks and Ethernet
bandwidth and response time calculation.

Ethernet communication risks


When devices communicate via an Ethernet based local area network (LAN), their information is
contained and sent in packets. This is no different when using SafeNet through Ethernet. However,
Ethernet has far less timing restrictions and, when sending SafeNet packets together with other
application packets, some packets may suffer critical delay or get lost if a network gets congested.


Packet losses and network congestion may occur if, for example:
- several devices start transmitting packets at the same time, and/or
- a single device generates a peak in network traffic.

Attention:
1. Risks are involved when using SafeNet on an insecure, open or shared Ethernet, where downtime, delays, loss of packets and/or access to packets can be caused by other devices on the LAN. Such risks can be caused by office computers, network printers, servers and open access points (such as Wi-Fi access points, WAN routers, etc.).
2. Viruses and applications such as instant messaging applications may affect SafeNet reliability when active on the same Ethernet.

When the Ethernet is dedicated to a single SafeNet, these issues do not occur:
- No single SafeNet configuration can cause a 100 Mbit/s Ethernet to operate at its maximum capacity (Safety Builder checks this in the configuration stage).
Packets are vulnerable to modification when they can be accessed by external systems: applications running on those systems could (deliberately, or through a virus infection) intercept, delay and/or alter packets.


5.3 RESET
The reset function is a means to allow Safety Manager SC to recover from an abnormal state. (Running
without faults is the normal operating state.)
Safety related resets allow the recovery from all fault types whereas non safety related resets allow the
recovery of non safety related faults only.
Safety related resets can be given via the reset key switch or via the Remote Reset button in Safety Builder (after enabling it in the configuration).


5.3.1 SYSTEM RESPONSE TOWARDS A SAFETY RELATED RESET


The response to a safety related reset action depends on the state of the SC Controller. The SC Controller
states that make the SC Controller respond to a reset are listed.

| SC Controller display | CP status in Safety Builder | SC Controller details | Effect(s) of a reset |
|---|---|---|---|
| OK | Running | The SC Controller is running without faults. | No effect on the Safety Manager SC Controller state. |
| OK | Running | The SC Controller is running with faults. | 1. The faults logged in the actual fault database are moved to the historical fault database. 2. The actual fault database is cleared. 3. The reset is logged. |
| RDY or IDLE (after startup or after recovering from a fault) | Ready or Idle | Both SC Controllers contain the same application. | The application is started in the ready SC Controller. |
| STOP | Not running | An error caused an SC Controller shutdown. | 1. Actual Diagnostics is cleared. 2. A new diagnostic cycle is run. 3. The results are logged in Actual Diagnostics. After the diagnostic cycle has finished, the SC Controller remains in the Stop state if the fault causes the SC Controller to shut down; otherwise the SC Controller enters Idle. |


6 SECURITY RECOMMENDATIONS AND BEST PRACTICES


This section provides information on security recommendations and best practices for using the Safety Manager SC Controller.
A detailed description of all SM SC Controller key switches, loading of software and forcing is available in
the Safety Manager SC Installation and Upgrade Guide.

Note: Universal Safety IO modules include FC-PDIO01, an SM SC Safety Digital IO module and FC-
PUIO01, an SM SC Safety Universal IO module.

General
The SM SC Controller uses a “defense in depth” security strategy. Implementation of defense in depth
requires not only device and system security measures, but also physical and organizational security
measures to be taken. The SM SC Controller is well-tested for security robustness. Network protection is
addressed by communication filters and storm protective communication handling is incorporated in the
uplink networking firewall protecting ports A and B, as well as the networking firewall protecting port C
and port D. System designers must always maintain an awareness of security vulnerabilities that might
arise when setting up network connections and must always follow Honeywell’s recommended security
best practices. Security considerations relating to the use of third-party purchased equipment are the user's responsibility.
Organizational Security
Organizational security considerations include site security guidelines, and security awareness training,
as well as SM SC Controller software version audits.
Physical Security
Physical security includes controlling the accessibility of all spaces relevant to placement of SM SC
Controller and Universal Safety IO modules (such as FC-PDIO01 and FC-PUIO01). This includes securing
access to control rooms, control and IO cabinets, field mounted control and IO devices, system
infrastructure integration equipment, wires /cables, and other support equipment. Whenever possible, SM
SC Controller devices and Universal Safety IO modules must be placed in secure locations, preferably in
locked cabinets, with site control over personnel who are given access privileges. All networking
equipment that the SM SC Controller communicates through, including, for example, FTE switches, must
also be placed in secure locations. Consideration must still be given to physical security for installations
where the SM SC Controller or Universal Safety IO module is to be placed in a location remote from a
central control room or from main equipment rooms. Placement within a secure, patrolled zone is
preferable. Switches with available ports to which rogue devices could be connected must be locked into
end point cabinets. Considerations with respect to physical security apply equally to an SM SC
Controller's uplink network (FTE), downlink, and redundancy networks. One of the most prevalent threats
to a computer system’s security comes from within the user’s organization. If end users do not remain
vigilant or become complacent regarding physical security, the SM SC Controller may become vulnerable
to security attacks. Periodic inspection and validation of the networks and equipment attached to the SM
SC Controller and Universal Safety IO module is a security focus end-users need to consider.
Communication Hardening
The SM SC Controller hardens communication access by blocking all unused communication ports, by
applying protocol-specific input validation checks, and disabling unused services.
Securing Connection to Uplink Network


The SM SC Controller provides built-in firewalls for ports A, B and C that reject traffic outside the parameters required to fulfill its mission. The SM SC Controller processes correctly formed messages that originate from operational displays, control configuration tools and system configuration tools. To ensure that only authorized personnel can initiate such communications, the SM SC Controller delegates authorization and role-based access responsibilities to the control system. The SM SC Controller also initiates and receives communications with Honeywell peer controllers, such as peer SM SC Controllers. The set of peer communications involving a particular Safety Manager SC is determined by the control and system configuration. Experion systems define recommended practices with regard to user accounts and access privileges. In addition, due diligence must be applied to the deployment of all networking equipment; for example, switch configuration must disable unused ports. Excessively high traffic on an SM SC Controller uplink network could be an indication of a Denial of Service (DoS) attack. Honeywell recommends the use of Honeywell Risk Manager or SolarWinds to detect unintended and excess network traffic.
Securing Connection to Downlink Network
The SM SC Controller and Universal Safety IO modules communicate over the Universal Safety IO Link
with an Ethernet based timed protocol for the safe exchange of IO data. For communication robustness,
the SM SC Controller and Universal Safety IO modules perform validation on the packets, and when
redundant, compare packets between Ethernet legs. Ethernet packets are vulnerable to interception, delay,
modification or alteration. Physical security of the downlink and switches is necessary to avoid attacks
such as man in the middle and the intentional or unintentional disruption of downlink communications.
Maintenance, Configuration and Operation
Access to the tools used to maintain, configure and operate SM SC Controller and Universal Safety IO
modules must be limited to trusted and competent personnel. This applies to the tools used at level 2 and
above.
Third Party Firmware Files
Care must be taken to assure that authentic and unaltered firmware files are being used when new code
versions are loaded to mission critical devices. In the case of the SM SC Controller, built-in services that
recognize and prevent execution of counterfeit firmware are provided.
Safety IO modules receive their firmware download from the SM SC Controller but do not have counterfeit detection services. The recommendations regarding Physical Security and Maintenance, Configuration and Operation should be followed to reduce the risk of alterations to Safety IO module firmware.
Patch Management
Integrity of firmware versions and updates is secured by a Secure Boot capability. Version visibility is
available for human interface display access.
Backup/Recovery Capability
The SM SC Controller provides a recovery capability using Safety Builder saved configuration
information. This supports disaster recovery.
Force Enable Key Switch
It is strongly recommended to keep the Force Enable key switch in the disabled position whenever adding
forces is not required. Leaving the Force Enable key in the enabled position will make the SM SC
Controller more vulnerable to abuse.
Program Enable Key Switch


It is strongly recommended to keep the Program Enable key switch in the disabled position whenever
programming the SM SC Controller is not required. Leaving the Program Enable key in the enabled
position will make the SM SC Controller more vulnerable to abuse.
Force Clear Key Switch
This Key Switch removes all applied forces from the SM SC Controller. Implementing this switch as
spring-return is advised.
Fault Reset Key Switch
The Fault Reset key switch is a physical key to reset the SM SC Controller.
Force Enable Configuration
It is strongly recommended to leave a point's Force Enable to the default 'No' (disabled) when it is not
necessary to force this point or to modify a HART field device parameter during maintenance. Configuring
a point with Force Enable will make the SM SC Controller user application more vulnerable to abuse.
Write Enable Configuration
It is recommended to leave a point's Write Enable to the default 'No' (Disabled) when it is not necessary
to write this point during maintenance. It is strongly discouraged to use a write enabled point as part of a
SIF. Configuring a point with Write Enable will make the SM SC Controller user application more
vulnerable to abuse.
Write Lock System Points
To prevent unauthorized writes to COM points, it is recommended to use the property "Write Lock." This
property is attached to a system point automatically created with a new logical connection. For
information on how to use write lock system points, see the Software Reference.
Remote Reset Configuration
It is recommended to leave this setting in the 'Disabled' position when it is not a necessity to reset or
startup a SM SC Controller remotely via the Safety Builder. Configuring Remote Reset will make the SM
SC Controller more vulnerable to abuse. The Fault Reset key switch mounted in the SM SC Controller
cabinet is the preferred secure alternative.
Remote Load Configuration
It is recommended to leave this setting in the 'Disabled' position when it is not a necessity to shutdown a
SM SC Controller remotely via the Safety Builder prior to a download. Configuring Remote Load will make
the SM SC Controller more vulnerable to abuse. The Program Enable key switch is the preferred secure
alternative.
Sequence of Events
An event is permanently removed from a SM SC Controller after the event was successfully read from the
controller. To prevent events being lost, it is recommended to block connections other than the configured
SOE collector.
SafeNet
SafeNet will drop a connection when communication is lost for the configured time-out or more. It is
recommended to configure the shortest time-out possible as this reduces the window for tampering. It is
recommended to validate network integrity before (re-)starting SafeNet communication after any
unexpected loss of communication.
Network Clock


Safety Manager SC uses the network clock to timestamp diagnostic messages and events. An incorrect timestamp cannot result in unsafe operation. It can, however, confuse operators and maintenance engineers and lead to misinterpretation of the sequence of events. It is recommended to configure the clock source time-out as short as possible, as this reduces the window for tampering. It is recommended to validate network integrity before (re-)starting a clock after any unexpected loss of communication. NTP devices have a user-configured IP address known to the SM SC Controller; NTP is therefore more secure than PTP.
Denial of Service (DoS)
Safety Manager SC uses separate hardware for Safety and Communication control. The Communication
control has built-in overload detection and overload protection. To minimize the loss of functionality,
each of the communication ports on the modules can be switched off temporarily. This protection is
especially effective against network storm and DoS attacks as only the communication on that one port
will be temporary dropped. Activation of the overload protection will generate a diagnostic message. It is
strongly recommended to validate network integrity as overload can be caused by malware on a
connected device or by an attack on the SM SC Controller.
SM SC Controller Redundancy
With proper redundant communication configuration the temporary drop of communication does not
have to result in DoS for the controller. Refer to the Safety Manager SC Overview Guide and Software
Reference manual for more information about redundant communication configurations.
Safety Builder
Safety Builder provides an extensive on-line toolset. In a well configured system none of these on-line actions can result in unsafe operation. Unauthorized access can, however, cause confusion and process upsets if the SM SC Controller is configured with one or more remote operation options enabled. It is therefore strongly recommended to (physically) block all unused Ethernet ports on the Safety Builder network.
Security Guidelines for (pre-) installing Safety Manager SC
A detailed description of all Safety Builder privilege levels, password protections and version control is
provided in the Safety Manager SC System Administration Guide.
Installation
It is strongly recommended to install and maintain Safety Builder and SM SC Controller separated from
the Office Domain.
Additional protection against misuse of Modbus TCP
To protect Safety Manager SC against misuse of Modbus TCP ports, it is advised to use the Honeywell Modbus Read-only Firewall. This is a fixed-configuration firewall based on deep packet inspection technology. It scans every network message and only allows a very limited set of valid Modbus read-only commands through to the safety system. These are safe commands that cannot be used by malware to change the functionality of the safety system. The firewall's fixed rule sets remove the possibility of tampering or mis-configuration and significantly reduce the effort required by the plant to maintain the firewall.
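The principle behind such a firewall is simple to state and worth seeing concretely: parse every Modbus/TCP request down to the function code and forward only a fixed allow-list of read operations, dropping writes, diagnostics and anything malformed. The following Python inspector is an added illustration written for this page; it is not the Honeywell Modbus Read-only Firewall and does not reproduce its rule set. The allow-list (function codes 1 to 4), the per-request quantity limits and the sample frames are assumptions.

```python
"""Read-only deep packet inspection for Modbus/TCP requests.

Added illustration for this page; not the Honeywell Modbus Read-only
Firewall and not its rule set. Each Modbus/TCP request (MBAP header + PDU)
is parsed and only a fixed set of read-only function codes is forwarded;
writes, diagnostics and malformed frames are dropped. The allow-list, the
quantity limits and the sample frames are assumptions.
"""
import struct
from typing import List, Tuple

# Assumed allow-list: function codes that only read data
READ_ONLY_FCS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}
# Maximum quantity per request as defined by the Modbus application protocol
MAX_QUANTITY = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}
MBAP_LEN = 7   # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def inspect_request(frame: bytes) -> Tuple[bool, str]:
    """Return (forward, reason) for one Modbus/TCP request ADU."""
    if len(frame) < MBAP_LEN + 1:
        return False, "frame shorter than MBAP header plus function code"
    _tid, pid, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        return False, f"protocol id {pid} is not Modbus"
    # The length field counts unit id + PDU; a mismatch means a malformed or
    # deliberately misleading frame, which is dropped rather than repaired.
    if length != len(frame) - 6:
        return False, f"length field {length} does not match {len(frame) - 6} bytes present"
    fc = frame[MBAP_LEN]
    if fc not in READ_ONLY_FCS:
        return False, f"function code 0x{fc:02x} is not on the read-only allow-list"
    pdu = frame[MBAP_LEN + 1:]
    if len(pdu) != 4:   # read requests carry exactly start address + quantity
        return False, "read request PDU must be 4 bytes"
    _addr, qty = struct.unpack(">HH", pdu)
    if not 1 <= qty <= MAX_QUANTITY[fc]:
        return False, f"quantity {qty} out of range for FC 0x{fc:02x}"
    return True, READ_ONLY_FCS[fc]


def build_request(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Assemble MBAP header + PDU; used here only to construct sample frames."""
    length = 1 + 1 + len(payload)           # unit id + function code + payload
    return struct.pack(">HHHB", tid, 0, length, unit) + bytes([fc]) + payload


def read_request(tid: int, unit: int, fc: int, addr: int, qty: int) -> bytes:
    return build_request(tid, unit, fc, struct.pack(">HH", addr, qty))


# Constructed sample traffic as it might arrive from a Modbus/TCP client
SAMPLE_FRAMES: List[bytes] = [
    read_request(1, 1, 0x03, 0, 10),                          # read 10 holding registers
    build_request(2, 1, 0x06, struct.pack(">HH", 0, 1)),      # write single register
    build_request(3, 1, 0x10, bytes([0, 0, 0, 1, 2, 0, 1])),  # write multiple registers
    read_request(4, 1, 0x03, 0, 200),                         # read, but quantity too large
    bytes.fromhex("0005 0001 0006 01 03 0000 000a"),          # protocol id 1, not Modbus
    bytes.fromhex("0006 0000"),                               # truncated frame
]


def inspect_all(frames: List[bytes]) -> List[Tuple[bool, str]]:
    return [inspect_request(f) for f in frames]


if __name__ == "__main__":
    for frame, (ok, why) in zip(SAMPLE_FRAMES, inspect_all(SAMPLE_FRAMES)):
        print("FORWARD" if ok else "DROP   ", frame.hex(), why)
```

Two design points carry over to any such filter: the decision is made on the function code after the header has been validated (a wrong protocol id or an inconsistent length field is dropped before the allow-list is consulted), and the rule set is a constant rather than configuration, which is exactly the "fixed rule sets" property the paragraph above describes.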
Virus and Patch management
The applications listed below can be installed and run on the same platform:
- Safety Builder
- Application Server
- Virus and Patch Management

- Honeywell supports two anti-virus packages, McAfee and Norton. Which package and associated patch server is used is determined by the customer when the network architecture of the total system is designed. It is highly recommended to update the Safety stations on a regular basis with operating system and office application (if applicable) updates (Microsoft). It is also highly recommended to install Honeywell certified antivirus and computer security solutions; these also need to be updated on a regular basis. The use of a centralized virus and patch management server may be considered. Management of these services needs to be done by competent engineers.
- Honeywell recommends the Carbon Black and McAfee application whitelisting tools to avoid unwanted installations on the Safety Builder station.
Security Guidelines for product administration
To help prevent unauthorized access to the Safety Manager SC build, it is recommended that
permissions on the folder containing the Access database are locked down to the individual users
who need access to the database. This reduces the number of users that have access to the database.
If you want more protection and you are using Experion to monitor the status of Safety
Manager SC instead of Safety Builder, back up the Access database to controlled file
storage and remove it from the client.

7 General guidelines for TÜV approved applications

7 GENERAL GUIDELINES FOR TÜV APPROVED APPLICATIONS

7.1 GENERAL
Safety Manager SC can be used for processes which require, amongst others, TÜV approval. The
requirements for the safety applications are the following:
1. The maximum application cycle time is half the Process Safety Time. For example, the accepted
Process Safety Time for a burner control system in accordance with TRD-411 for boilers > 30 kW
(July 1985) TRD-412 (July 1985) Table 1 and DIN 4788 (June 1977) Part 2 Chapter 3.2.3.2 1 is 1
second.
This implies that the application cycle time must be 0.5 second or less. The application cycle time
is monitored by the SM SC Controller and can be seen on the System Information screen of
Controller Management.
The application cycle time is limited to 2.3 seconds by the watchdog, resulting in a maximum
typical cycle time of 2 seconds. The typical application cycle time can be calculated by the Safety
Manager SC MTBF and Cycle time calculation tool. This tool is available via Honeywell SMS and
includes:
• cycle time estimation based upon the amount of IO, DTI, application complexity and
communication parameters,
• MTBF calculation.
2. If a Universal IO module detects a fault in output hardware that is configured with Fault Reaction
Low or 0 mA, it de-energizes the faulty output channels, and the repair timer starts. The
de-energization of faulty output channels is fully implemented in the software and cannot be
influenced by the user (see also item 3).
• The faulty IO module can be replaced without affecting the status of the SM SC
Controller, and the SM SC Controller resets before the repair timer expires. This stops the
repair timer.
• If the repair timer expires, all outputs of that IO module are de-energized via the
watchdog functionality.
3. If Safety Manager SC detects a fault in its input hardware (configured with Fault Reaction Low,
High, Bottom scale, Top scale), the faulty input is set to its configured Fault Reaction state.
4. Input points with location COM may only be used for non safety-related functions.
5. In case Safety Manager SC Universal Safety IO modules are used in an ESD application:
• safety-related digital inputs must be configured as line-monitored (i.e. the Loop
monitoring enable check box in Point Properties is selected), and
• the 0V line must be connected to earth or an ELD module.
6. In case Safety Manager SC Universal Safety IO modules are used in an F&G application:
• safety-related digital inputs must be configured as line-monitored (i.e. the Loop
monitoring enable check box in Point Properties is selected), and
• an ELD module.
7. The watchdog functionality of SM SC Controller and Universal IO modules contains a shutdown
(SD) input. (See the Hardware Reference for connection details).
8. For more details on IO wiring, termination of IO signals and power supply distribution, see
the Hardware Reference.

9. The Diagnostic Test Interval (DTI, the time in which all IO diagnostics are executed) can be set for
each SM SC Controller in the Controller Properties in the Network Configurator.
10. The repair timer can be set for each SM SC Controller in the Controller Properties in the Hardware
Configurator.
11. Grounding of the power supplies of Safety Manager SC is only permitted for the 0 Vdc. Grounding
of the +24 Vdc is not allowed because an earth fault results in an unsafe situation.
12. In case the floating ground principle is not preferred, the design of the Safety Manager SC
Universal Safety IO module supports the grounding of the 0VDC level. Digital inputs must be
configured as line monitored to ensure the integrity of the input signal. Dedicated resistor networks
are documented in the Hardware Reference.
13. Do not use radio frequency transmitting equipment within a radius of 1 m (3 ft) of the system
cabinet when the doors are opened.
14. When it is necessary to make configuration changes to intelligent transmitters (e.g. HART) through
Field Device Manager, or a local programming device, you can do so in one of the following
ways.
• Force the analog input channel. After the configuration changes have been completed, the
intelligent device must be tested before it is taken into operation again (i.e. before the
force is removed).
• Enable the Write enable feature. This feature prevents the unavailability of the channels,
for example during Partial Valve Stroke Testing.
15. When HART devices are connected using a second programming device such as a hand-held
communicator, the Safety Manager SC Universal Safety IO detects the presence of the hand-held
device. However, it does not disturb the HART communication between the HART device and the
hand-held device. Similarly, the Safety Manager SC Universal Safety IO is not affected by the HART
hand-held devices.
• When hand-held devices are connected, they might interfere with the diagnostic self-tests
and could lead to the reporting of false alarms on the IO channel tests. Only if the force
enable key-switch is enabled are the diagnostic self-tests disabled as soon as a hand-held
device is connected. If a hand-held device is connected for over 8 hours, a diagnostic
message is reported. In such scenarios, you must remove the hand-held device and issue a
Fault Reset.
16. If Safety Manager SC operates without operator surveillance, some measures have to be taken.
During the design and implementation stages of the safety system a reliability calculation analysis
(the maximum time period in which inspection has to take place) has to be performed. Without
operator surveillance the following measures have to be taken to comply with the safety integrity
requirements:
• Inspection of the Safety Manager SC status, if the Safety Manager SC application is running
without faults, at least once per determined time period.
• Alarm indication by Safety Manager SC if a fault is detected, and subsequent inspection of
the Safety Manager SC status within the safety-determined time period.
17. The operating conditions of Safety Manager SC shall not exceed its design specifications.
For details about the Safety Manager SC operating conditions refer to Safety Manager SC
operating conditions.
The operating temperature is measured inside Safety Manager SC. This temperature is higher than the
temperature outside the cabinet, so the allowed ambient temperature for the cabinet is lower.
Depending on the internal dissipation in the cabinet and the ventilation, a temperature difference
of 25°C (77°F) is allowed, which results in a maximum ambient temperature of 45°C (113°F). To
minimize the temperature difference, forced ventilation with one or more fans may be required. By
using the temperature pre-alarm setpoints, an alarm can be given if the internal temperature is too
high.
18. The storage conditions of the Safety Manager SC hardware modules shall not exceed the following
ranges:
Storage temperature: -40 to +85°C (-40 to 185°F).
19. Most modifications made to the application programs require the application program to be
loaded into the SM SC Controller. Some modifications, such as renaming tag numbers, can be
completed without loading.
20. It is mandatory that, after verification and approval of any type of application modification, proper
configuration management is applied to make sure that all stations and backup systems that may
have an instance of this application program are updated to the modified version.


7.2 F&G APPLICATIONS


Fire and Gas (F&G) applications have the following additional requirements:
1. Each visual indication (alarm, override or test, failure) shall have its own dedicated digital output.
This digital output may be a hardware output or a communication output, e.g. to a DCS system.
Override and test status may be combined in one visual indication. Alphanumeric displays are not
supported.
2. Redundant power supplies must be connected to Safety Manager SC in such a way that the
redundant power supplies do not fail at the same time, e.g. by using different primary power
sources (e.g. 220 Vac mains and a 24 Vdc from a battery backup). Detection of power supply failure
(e.g. via a voltage-monitoring module) shall be part of the system design.
3. Faults in the Fire & Gas detection system are indicated visually. This indication must also be active
if the Fire & Gas detection system has been switched off. This can be set up as shown in Figure 7-1,
using a normally de-energized relay, or via a visual indication in a DCS display which is
activated if the communication to the Fire & Gas detection system fails. The protected side of the
fuses is connected to a voltage-monitoring device to detect blown fuses.
4. The field instruments, including panel instruments such as (key) switches, which are used in
conjunction with Safety Manager SC, must meet the requirements of the applicable parts of the
EN-54 standard. Visual and audible indications shall comply with the applicable parts of EN-54
part 2.
5. Field inputs must have loop-monitoring to detect short-circuits and open loops. Input module
types that can be used are Safety Manager SC Universal Safety IO inputs. Field outputs must also
have loop-monitoring. Output module types that can be used: SDOL-0424 and Safety Manager SC
Universal Safety IO line-monitored outputs.
6. The Fire & Gas detection system shall have earth leakage monitoring/detection facilities.
7. Remote display of alarms, failures etc. may only be given via interconnection of Safety Manager SC
systems using the communication option between Safety Manager SC systems, or via hard-wired
outputs with loop-monitoring via the Safety Manager SC Universal Safety IO outputs.
Communication and loop monitoring failures must be alarmed.
8. Safety Manager SC is only the basis for an EN-54 compliant application. The responsibility for a
fully EN-54 compliant application lies with the person(s) responsible for configuring and
application programming of Safety Manager SC.
9. For details on the requirements of the mechanical construction (cabinet, indications, horns) refer to
“EN-54 part 2.”

Figure 7-1: Power supply

8 List of abbreviations

8 LIST OF ABBREVIATIONS
AI: Analog Input
AO: Analog Output
DCS: Distributed Control System
DI: Digital Input
DO: Digital Output
DTI: Diagnostic Test Interval
E/E/PES: Electrical/Electronic/Programmable Electronic System
EMC: Electromagnetic Compatibility
ESD: ElectroStatic Discharge; Emergency ShutDown system
EUC: Equipment Under Control
F&G: Fire and Gas
FGS: Fire and Gas System
FLD: Functional Logic Diagram
FSC: Fail Safe Communication
HSMS: Honeywell Safety Management Systems
IO: Input/Output
IP: Internet Protocol; Intellectual Property
LAN: Local Area Network
LED: Light-Emitting Diode
MTBF: Mean Time Between Failure
MTTF: Mean Time To Failure
MTTR: Mean Time To Repair
NTP: Network Time Protocol
OLM: On-line Modification
P&ID: Piping and Instrumentation Diagram
PCDI: Peer Control Data Interface
FC-PDIO01: SC Safety Digital IO module (32 channels, 24 Vdc)
FC-PUIO01: SC Safety Universal IO module (32 channels, 24 Vdc)
PLC: Programmable Logic Controller
PST: Process Safety Time
PTP: Precision Time Protocol
PUC: Process Under Control
QMR: Quadruple Modular Redundant
RFI: Radio Frequency Interference
SCC: Safety Manager SC Controller
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System
SOE: Sequence Of Events
TLS: Transport Layer Security
USIO: Universal Safety Input Output
WAN: Wide Area Network

9 Notices

9 NOTICES

9.1 NOTICE
This document contains Honeywell proprietary information. Information contained herein is to be used
solely for the purpose submitted, and no part of this document or its contents shall be reproduced,
published, or disclosed to a third party without the express permission of Honeywell Measurex (Ireland)
Limited.
While this information is presented in good faith and believed to be accurate, Honeywell disclaims the
implied warranties of merchantability and fitness for a purpose and makes no express warranties except
as may be stated in its written agreement with and for its customer.
In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The
information and specifications in this document are subject to change without notice.
Specific products described in this document are covered by U.S. Patent Nos. D514075, D518003,
D508469, D516047, D519470, D518450, D518452, D519087 and any foreign patent equivalents.
Copyright 2018 – Honeywell Measurex (Ireland) Limited

9.2 HONEYWELL TRADEMARKS


Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of Honeywell
International, Inc.
ControlEdge™ is a trademark of Honeywell International, Inc.
OneWireless™ is a trademark of Honeywell International, Inc.
Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon International is a
business unit of Honeywell International, Inc.
Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business unit of Honeywell
International, Inc.

9.3 OTHER TRADEMARKS


Microsoft and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Trademarks that appear in this document are used only to the benefit of the trademark owner, with no
intention of trademark infringement.


9.4 DOCUMENTATION FEEDBACK


If you have comments about Honeywell Safety Manager documentation, send your feedback to Honeywell
SMS at:
• Send your feedback to Honeywell HPSCustomerSupport@Honeywell.com
• You can also write to:
Safety Manager user documentation
Honeywell Process Solutions, Safety Management Systems
Burgemeester Burgerslaan 40
5245 NH Rosmalen (‘s-Hertogenbosch)
The Netherlands


9.5 HOW TO REPORT A SECURITY VULNERABILITY


For the purpose of submission, a security vulnerability is defined as a software defect or weakness that
can be exploited to reduce the operational or security capabilities of the software.
Honeywell investigates all reports of security vulnerabilities affecting Honeywell products and services.
To report a potential security vulnerability against any Honeywell product, please follow the instructions
at:
https://honeywell.com/pages/vulnerabilityreporting.aspx
Submit the requested information to Honeywell using one of the following methods:
• Send an email to security@honeywell.com
or
• Contact your local Honeywell Technical Assistance Center (TAC) listed in the “Support” section
of this document.


9.6 SUPPORT
For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your
local CCC visit the website,
https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.
For support:
1) Try our Knowledge Base
2) Create a Support Request online
3) Monitor your cases @Request Help.
For all other support queries, please contact our Customer Contact Center.
Note: Log in to access dedicated support material for contract customers and employees.


9.7 TRAINING CLASSES


Honeywell holds technical training classes on Safety Manager. These classes are taught by experts in the
field of process control systems. For more information about these classes, contact your Honeywell
representative, or see http://www.automationcollege.com.
