1 SAFETY MANUAL
The Safety Manual for Safety Manager SC is a reference guide that provides detailed information
regarding safety aspects for Safety Manager SC.
Honeywell | 2
Guide subjects
1.1.1 REFERENCES
The following guides may be required as reference materials:

Overview Guide: This guide describes the general knowledge required, the basic functions of, and the tasks related to Safety Manager or Safety Manager SC.
Planning and Design Guide: This guide describes the tasks related to planning and designing a Safety Manager or Safety Manager SC project.
Installation and Upgrade Guide: This guide describes the tasks related to installing, replacing and upgrading hardware and software as part of a Safety Manager or Safety Manager SC project.
Troubleshooting and Maintenance Guide: This guide describes the tasks related to troubleshooting and maintaining Safety Manager or Safety Manager SC.
System Administration Guide: This guide describes the tasks related to administrating the computer systems used in Safety Manager or Safety Manager SC.
Hardware Reference: This guide specifies the hardware components that build a Safety Manager or Safety Manager SC project.
Universal Safety Cabinet Planning, Installation and Service Guide: This guide specifies the hardware components to build a Safety Manager SC project with a 1.2 meter cabinet that conforms to Fire and Gas safety requirements.
Software Reference: This guide specifies the software functions that build a Safety Manager and Safety Manager SC project and contains guidelines on how to operate them.
Online Modification Guide: This guide describes the theory, steps and tasks related to upgrading Safety Builder and embedded software and modifying an application online in a redundant Safety Manager or Safety Manager SC.
When you perform tasks related to Safety Manager SC, it is assumed that you have appropriate knowledge of:
- Site procedures
- The hardware and software you are working with, for example computers, printers, network components, Controller and Station software.
- Microsoft Windows operating systems.
- Programmable logic controllers (PLCs).
- Applicable safety standards for Process & Equipment Under Control (EUC).
- Application design conforming to IEC 61131-3.
- The IEC 61508 and IEC 61511 standards.
This guide assumes that you have a basic familiarity with the process(es) connected to the equipment under control and that you have a complete understanding of the hazard and risk analysis.
More related information can be found in Training.
1.2.2 TRAINING
Most of the skills mentioned above can be achieved by appropriate training. For more information,
contact your Honeywell representative or see:
- http://www.automationcollege.com
1.3 SAFETY STANDARDS FOR PROCESS & EQUIPMENT UNDER CONTROL (PUC, EUC)
Safety Manager SC Controller (SM SC Controller) is the logic solver of a Safety Instrumented System (SIS)
performing specific Safety Instrumented Functions (SIF) to ensure that risks are kept at or below
predefined levels.
A SIS measures, independently from the Basic Process Control System (BPCS), relevant process signals
like temperature, pressure, level in a tank or the flow through a pipe. The values of these signals are
compared with the predefined safe values, preprogrammed control sequences and interlocks are applied,
and, if needed, the SIS gives an alarm or takes action. In such cases the SIS controls the safety of the
process and lowers the chance of an unsafe situation.
The logic in Safety Manager SC defines the response to process parameters.
In this context the following terms are explained in this section:
- Safety Integrity Level (SIL)
- Safety layers of protection
- Equipment Under Control (EUC)
- Process Under Control (PUC)
- Application design conforming to IEC 61131-3
- The IEC 61508 and IEC 61511 standards
Tip:
You can use IEC 61508 as a stand-alone standard for those sectors where a sector-specific standard does not exist.
- If you are in the process sector and you are an owner/user, it is strongly recommended that you pay attention to IEC 61511 (ANSI/ISA 84.00.01). For details see IEC 61511, the standard for the process industry.
- If you are in the process sector and you are a manufacturer, it is strongly recommended that you pay attention to IEC 61508. For details see IEC 61508, the standard for all E/E/PE safety-related systems.
- If you are in another sector, it is strongly recommended that you look for, and use, your sector-specific IEC standard for functional safety (if there is one). If none exists, you can use IEC 61508 instead. For details see IEC 61508, the standard for all E/E/PE safety-related systems.
Related terms: safety instrumented system (SIS); electrical/electronic/programmable electronic (E/E/PE) safety-related system.
IEC 61508 is generic and is intended to provide guidance on how to develop E/E/PE safety-related devices as used in Safety Instrumented Systems (SIS).
IEC 61508:
- serves as a basis for the development of sector standards (e.g. for the machinery sector, the process sector, the nuclear sector, etc.).
- can serve as a stand-alone standard for those sectors where a sector-specific standard does not exist.
SIL
IEC 61508 details the design requirements for achieving the required Safety Integrity Level (SIL).
The safety integrity requirements for each individual safety function may differ. The safety function and its SIL requirement are derived from the hazard analysis and the risk assessment.
The higher the safety integrity level, the lower the likelihood of a dangerous failure of the SIS.
The standard also addresses the safety-related sensors and final elements, regardless of the technology used.
2 Safety Manager SC functions, architectures and standards
Non-redundant (DMR): Logic solving within a SIS in order to provide freedom from unacceptable risks, and thus safeguarding the equipment and processes under control.
Redundant (QMR): Logic solving within a SIS in order to provide freedom from unacceptable risks, and thus safeguarding the equipment and processes under control while maintaining a high level of availability.
2.3 CERTIFICATION
Complying with standards has several advantages:
- International standards force companies to evaluate and develop their products and processes in a consistent and uniform way.
- Products certified to conform to these international standards guarantee a degree of quality and product reliability that other products lack.
Since functional safety is the core of the Safety Manager SC design, the system has been certified for use in safety applications all around the world. Safety Manager SC has been developed specifically to comply with the IEC 61508 functional safety standard, and has been certified by TÜV for use in SIL 1, SIL 2 and SIL 3 applications.
Safety Manager SC has also obtained certification in the United States for the ANSI/ISA S84.01 standard.
Honeywell process control and safety systems, including Safety Manager SC, offer multi-layer cybersecurity protection and can be designed to meet individual customer architecture requirements. The SM SC Controller module can support a variety of communication networks/protocols and has built-in firewall protection against cybersecurity threats. For details regarding Safety Manager SC security protection and cybersecurity certifications, contact your Honeywell project team or account representative.
For a full list of all these and other certifications see below.
Certification
Safety Manager SC has been certified to comply with the following standards:
International Electrotechnical Commission (IEC) - The design and development of Safety Manager SC are
compliant with IEC 61508 (as certified by TUV).
International Society of Automation (ISA) - Certified to fulfill the requirements laid down in ANSI/ISA
S84.01.
CE compliance - Complies with CE directives 2014/35/EU relating to electrical equipment designed for
use within certain voltage limits, 2014/30/EU for Electromagnetic Compatibility, and 2011/65/EU RoHS
Directive.
TÜV (Germany) - Certified to fulfill the requirements of SIL 1, 2 and 3 safety equipment as defined in the following documents: IEC 61508, IEC 60664-3, EN 50156, EN 54-2, EN 50178, IEC 60068, IEC 61131-2, IEC 61131-3, IEC 60204.
Canadian Standards Association (CSA) - Complies with the requirements of the following standards:
l CSA Standard C22.2 No. 0-M982 General Requirements – Canadian Electrical Code, Part II;
l CSA Standard C22.2 No. 142- M1987 for Process Control Equipment, including general
Instructions up to No. 4 dated February 1989 (Reaffirmed 2004).
Other standards:
IEC 61326-3-1 (2008): Immunity requirements for safety-related systems.
NFPA 72 (2010): National Fire Alarm Code Handbook.
NFPA 85 (2011): Boiler and Combustion Systems Hazards Code.
NFPA 86 (2011): Standard for Ovens and Furnaces.
UL 508A (2001): UL Standard for Safety, Industrial Control Panels (Underwriters Laboratories).
CSA C22.2 No. 142 (Canadian Standards Association): Process control equipment. Industrial products.
IEC 60068-1 (2004): Basic environmental testing procedures.

Environmental tests:
IEC 60068-2-1 Cold test (undervoltage): SM Universal Safety IO module; -40 °C (-40 °F); 16 hours; system in operation; reduced power supply voltage.
IEC 60068-2-1 Cold test (nominal): SM Universal Safety IO module; -45 °C (-49 °F); 16 hours; system in operation.
IEC 60068-2-2 Dry heat test: up to 70 °C (158 °F); 16 hours; system in operation; increased power supply voltage.
IEC 60068-2-6 Vibration (sinusoidal): Safety Manager SC; 10 - 57 Hz; 0.075 mm.
3 Configuring secure communications for Safety Manager SC Controller
Caution:
Program Key switch, Force Enable, Force Clear, Fault reset, ESD - wireable switches are to be
physically protected.
For SM SC Controllers
All communication paths to all external nodes, whether or not on the FTE network, must be configured. Policies must therefore be created for each of the following:
  - Encrypted communications to other nodes (Windows nodes or peer controller nodes such as other SM SC Controllers) on the FTE network
  - Cleartext communications to other nodes on the network
For Windows nodes
For each SM SC Controller that will be operating in secure communications mode:
- Encrypted communications to the SM SC Controller must be explicitly configured
- Certain protocols/services must be explicitly configured as cleartext (the exceptions)
No explicit configuration is required to communicate with nodes that are not using secure communications. Every cleartext exception is a path to the controller that is not protected by IPsec, so keep the exception list limited to the protocols the site actually needs and review it when the network changes.
Phases of SM SC Controller set-up
There are four main phases in the set-up of each SM SC Controller before IPsec can be enabled. Some of the configuration data is included in the synchronization from the Primary to the Secondary module and some is not.
- Setting enrollment information
- Enrolling for TLS communication (required for the next step)
4 Safety Manager SC fault detection and fault reaction
Note:
There is always a diagnostic alarm available upon detection of a fault.
Fault detection and fault reaction occur at different levels:
- system level,
- module level,
- channel level.
System level
Combinations of module and IO faults are handled at system level. Depending on the hardware and configuration of a system, the fault reaction to such combinations differs. The following system is distinguished:
- Safety Manager SC.
For further details see:
- Fault detection and fault reaction of the system
Module level
Faults at module level are handled at controller level. Depending on the hardware and configuration of a system, the fault reaction is determined by the SM SC Controller and/or IO module(s).
For further details see the fault reaction table(s) in:
- Safety Manager SC Controller faults
- Safety Manager SC Universal Safety IO module faults
Channel level
Faults at channel level are handled at IO module level. Depending on the hardware and configuration of a system, the fault reaction is determined by the SM SC Controller and/or Universal Safety IO module(s).
For further details see the fault reaction table(s) in:
- Safety Manager SC Universal Safety IO module faults
Note:
Safety Manager SC can have both non redundant controllers and redundant controllers.
Attention:
The states described below are presented on the display of the relevant controller.
Note:
The repair timer setting must be based on a hardware reliability analysis which includes MTTR
figures.
All configurations of Safety Manager SC are at least single fault tolerant to faults that affect safety. By applying a secondary means, Safety Manager SC is able to bring a process to a safe state regardless of the fault.
By default, Safety Manager SC is configured to isolate the faulty part of a subsystem to guarantee continued safe operation of the EUC. In systems with a redundant SM SC Controller, a fault in a subsystem of one of the SM SC Controllers has no effect on the safeguarded process: continuous safeguarding and availability are maintained.
On certain fault conditions a configurable repair timer is started for the affected SM SC Controller. The faulty part can be repaired within the remaining time. If the timer is allowed to reach zero, or another fault that affects safety occurs before the repair, that SM SC Controller halts.
It is strongly advised to use this feature of Safety Manager SC to meet the requirements of the applicable standards. The user can, however, configure Safety Manager SC differently to meet their own specific requirements.
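A worked model of the behaviour described above (isolation of the faulty part, the repair timer, halting when the timer expires or a second safety-affecting fault occurs) together with the effect of a reset as described in the Reset section of this manual. This is an added example written for this page, not Honeywell's controller firmware or a Safety Builder configuration; the controller names CP1 and CP2, the repair time of 7200 seconds, the tick granularity and the fault names are assumptions.

```python
"""Illustrative model of Safety Manager SC fault reaction (added example for this
page, not Honeywell code).  Rules taken from the text: every safety-affecting
fault raises a diagnostic alarm; a non-redundant controller goes idle (safe
state); a redundant controller isolates the faulty part, its partner keeps
safeguarding, and a repair timer starts; timer expiry or a second fault before
repair halts that controller; a reset moves faults from the actual to the
historical fault database, clears the actual database and is logged.
Repair time, tick lengths and fault names are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class State(Enum):
    RUNNING = "running"                          # display OK, no faults
    RUNNING_WITH_FAULTS = "running with faults"  # display OK, faults logged
    IDLE = "idle"                                # halted, outputs in the safe state


@dataclass
class Controller:
    name: str
    repair_timer_s: int                 # configured repair time (assumed value)
    redundant: bool = True
    state: State = State.RUNNING
    remaining_s: Optional[int] = None   # running repair timer, None when stopped
    actual_faults: List[str] = field(default_factory=list)
    historical_faults: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def safety_fault(self, fault: str) -> None:
        """Diagnostics detected a fault that affects safety."""
        if self.state is State.IDLE:
            return
        self.log.append(f"{self.name}: diagnostic alarm: {fault}")
        self.actual_faults.append(fault)
        if not self.redundant:
            self._halt("no redundant partner: go to the safe state")
        elif self.remaining_s is not None:
            self._halt("second safety-affecting fault before repair")
        else:
            self.state = State.RUNNING_WITH_FAULTS   # faulty part isolated
            self.remaining_s = self.repair_timer_s   # repair timer started

    def tick(self, seconds: int) -> None:
        """Advance time; a repair timer that reaches zero halts the controller."""
        if self.remaining_s is None:
            return
        self.remaining_s = max(0, self.remaining_s - seconds)
        if self.remaining_s == 0:
            self._halt("repair timer expired")

    def repaired(self) -> None:
        """Faulty part replaced within the repair time: the timer stops."""
        if self.state is State.RUNNING_WITH_FAULTS:
            self.remaining_s = None

    def reset(self) -> None:
        """Safety-related reset (reset key switch or Remote Reset in Safety Builder)."""
        self.log.append(f"{self.name}: reset")
        if self.state is State.RUNNING:
            return                                   # no effect
        self.historical_faults.extend(self.actual_faults)
        self.actual_faults.clear()
        if self.remaining_s is not None:
            # a reset does not repair hardware: the next diagnostic cycle
            # re-reports the unrepaired fault and the timer keeps running
            self.actual_faults.append(self.historical_faults[-1])
            return
        self.state = State.RUNNING                   # recovered, or application restarted

    def _halt(self, why: str) -> None:
        self.state = State.IDLE
        self.remaining_s = None
        self.log.append(f"{self.name}: halted ({why})")


@dataclass
class RedundantPair:
    cp1: Controller
    cp2: Controller

    def euc_safeguarded(self) -> bool:
        """The EUC stays safeguarded while at least one controller is not idle."""
        return any(cp.state is not State.IDLE for cp in (self.cp1, self.cp2))


def scenario(repair_time_s: int = 7200, repair_after_s: Optional[int] = None,
             second_fault: bool = False) -> RedundantPair:
    """CP2 gets a memory fault and is then repaired, hit again, or left alone."""
    pair = RedundantPair(Controller("CP1", repair_time_s), Controller("CP2", repair_time_s))
    pair.cp2.safety_fault("controller memory")
    if repair_after_s is not None:
        pair.cp2.tick(repair_after_s)
        pair.cp2.repaired()
        pair.cp2.reset()
    elif second_fault:
        pair.cp2.tick(60)
        pair.cp2.safety_fault("watchdog faulty")
    else:
        pair.cp2.tick(repair_time_s)                 # nobody repairs it in time
    return pair


if __name__ == "__main__":
    for p in (scenario(), scenario(second_fault=True), scenario(repair_after_s=600)):
        print(p.cp2.state.value, "| EUC safeguarded:", p.euc_safeguarded(), "|", p.cp2.log[-1])
```

In all three scenarios `euc_safeguarded()` stays true because CP1 never faults; the model only loses safeguarding when both controllers are idle, which is the situation the repair timer is there to make visible and bounded.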
Attention:
1. Breaking the SD loop of the SM SC Controller will cause Safety Manager SC to idle!
2. Breaking the SD loop of the IO module will cause the IO module to idle!
The architecture of Safety Manager SC consists of redundant control paths that in principle function independently of each other. Their execution is synchronized at the FC-SCNT01s. The system performs continuous diagnostics on all critical parts of the system.
When the system detects a fault, the diagnostic is reported and the corresponding action is performed, isolating the faulty part of the system. In principle the equipment under control continues to be safeguarded, as the safeguarding function is performed by the healthy partner.
The system responses of the safety-related modules are explained below:
SM SC Controller
The SM SC Controller performs diagnostic tests on all critical parts of the module, such as memory, processors and address lines. When a safety-related fault is detected, the module is directed to the safe state. The EUC continues to be safeguarded thanks to the redundancy.
Safety-related inputs
Inputs are scanned and diagnosed every execution cycle by their FC-SCNT01 and IO modules. For a redundant SM SC Controller all input values are compared before the application logic is executed. Discrepancies are diagnosed. When a fault is detected, both processors use the value from the healthy module and perform the output actions as directed by the configured logic.
Safety-related outputs
Outputs are written and diagnosed every execution cycle by their FC-SCNT01 and IO modules. When a fault is detected it is reported and the module is directed to the safe state, while the EUC continues to be safeguarded by its redundant partner.
Table: SM SC Controller faults and fault reaction (reconstructed from the extracted layout). Columns: the reaction of a non-redundant controller and, for a redundant controller, the reaction of the faulty controller (SCCX) and of the other controller (SCCY). – = cell not recovered from the page.

Category                     | Fault                                   | Non-redundant   | Redundant, faulty | Redundant, other
Temperature monitoring       | high alarm or low alarm                 | none-continue   | none-continue     | –
(set points user             | high-high alarm or low-low alarm        | idle SM-SC      | idle SM-SC        | none-continue
configurable)                | 1 sensor faulty and temp. more than     | none-continue   | none-continue     | –
                             | 3 degrees from shutdown limits          |                 |                   |
Memory                       | controller memory                       | idle SM-SC      | idle SM-SC        | none-continue
Watchdog                     | output shorted                          | idle SM-SC      | idle SM-SC        | none-continue
                             | de-energized watchdog line              | idle SM-SC      | idle SM-SC        | none-continue
                             | faulty                                  | idle SM-SC      | idle SM-SC        | none-continue
Internal link                | faulty                                  | none-continue   | idle SM-SC        | none-continue
Controller module            | faulty                                  | idle SM-SC      | idle SM-SC        | none-continue
Repair timer (user           | expired                                 | idle SM-SC      | idle SM-SC        | –
configurable)                |                                         |                 |                   |
Software                     | corrupted                               | idle Controller | idle SM-SC        | none-continue
Application, timers and      | (fault not recovered)                   | idle SM-SC      | idle SM-SC        | –
counters                     | IO compare error                        | none-continue   | apply FR state    | –
Time sync                    | source unavailable                      | switch to other source (user configurable)
Internal communication       | –                                       | –               | –                 | –

A second table on the same pages lists, per controller fault (memory module, execution module, communication module, Universal Safety IO module, system synchronization, software corrupted), the reaction of the non-redundant and of the redundant controller. Only these cells survived extraction: for the communication module "use values from SCCY for affected COM, FSC communication" and "apply FR state to affected COM, FSC & Universal Safety IO points"; for the Universal Safety IO module "faulty module points¹"; and "none".
1. If values are not available via SCCY, apply the FR state to the affected COM, FSC & Universal Safety IO points.
4 Safety Manager SC fault detection and fault reaction
Honeywell | 51
4 Safety Manager SC fault detection and fault reaction
Note:
Please note that a fault in the communication links may be caused by SM SC Controller communication.
The table below provides an overview of faults that can be detected in relation to communication and the response to these faults. The table refers to the SM SC Controller as SCC. – = cell not recovered from the page.

Related to                        | Diagnostic message     | Controller response¹                        | SCCX (faulty)  | SCCY (not faulty)
Too many requests                 | too many data requests | reports only a warning with no effect       | no effect      | n.a.
Data mismatch between inputs      | compare error          | n.a.                                        | apply FR state | –
(safety related communication)    |                        |                                             |                |
Data mismatch between inputs      | –                      | values received by SCC2 will be used        | n.a.           | n.a.
(non-safety related communication)|                        |                                             |                |
Note:
The table below uses the term USIO. This covers the types of Safety Manager SC Universal Safety IO modules the table applies to. These types are:
- Universal Safe IO (USIO), which includes FC-PDIO01 and FC-PUIO01

Table: Universal Safety IO module faults and fault reaction (reconstructed from the extracted layout). Columns: the reaction of a non-redundant USIO and, for redundant USIO, the reaction of the faulty module (CPx) and of the other module. – = cell not recovered from the page.

Category                     | Fault                                              | Non-redundant | Redundant, faulty | Redundant, other
Temperature monitoring       | high-high alarm or low-low alarm                   | halt USIO     | halt USIO CPx     | none-continue
(set points user             | 1 sensor faulty and temp. more than 3 degrees      | none-continue | none-continue     | –
configurable)                | from shutdown limits                               |               |                   |
Memory                       | USIO memory                                        | halt USIO     | halt USIO CPx     | none-continue
Execution                    | execution time-out or range / failure              | halt USIO     | halt USIO CPx     | none-continue
Watchdog / internal link     | faulty                                             | none-continue | halt USIO CPx     | none-continue
Software                     | corrupted                                          | halt USIO     | halt USIO CPx     | none-continue
(category not recovered)     | USIO                                               | –             | halt USIO CPx     | none-continue
(category not recovered)     | base timer                                         | –             | halt USIO CPx     | none-continue
Note:
The table below covers the following types of Safety Manager SC Universal Safety IO modules:
- FC-RUSIO-3224
- FC-PUIO01

Table: Universal Safety IO module channel and module faults and fault reaction (reconstructed from the extracted layout; the header of the Yes/No column and the exact headers of the three reaction columns were not recovered, so they are given as non-redundant, redundant and a second redundant entry in reading order). – = cell not recovered from the page.

Related to                            | Fault                  | Yes/No | Non-redundant                                          | Redundant                                              | Redundant (second entry)
channel                               | module faulty          | No     | apply FR state                                         | none-continue                                          | use values from CPY²
module                                | module faulty          | No     | apply FR state                                         | none-continue                                          | use values from CPY²
digital output loop² (line monitored) | open loop              | No     | none-continue                                          | none-continue                                          | –
digital output loop²                  | short circuit detected | No     | de-energize shorted output(s)                          | de-energize shorted output(s)                          | –
module faulty                         | channel fault          | Yes    | apply FR state to affected output of faulty channel    | apply FR state to affected output of faulty channel    | none-continue
module faulty                         | module fault           | Yes    | apply FR state to affected output of faulty channel(s) | apply FR state to affected output of faulty channel(s) | none-continue
analog output                         | calculation overflow   | No     | halt USIO                                              | halt USIO                                              | –
analog output loop                    | open loop              | No     | none-continue                                          | none-continue                                          | –
Note:
Because of the high level of self-testing and fault handling by Safety Manager SC, the actual occurrence of a compare error is very unlikely.
An IO compare error is generated as soon as the Controller detects a difference between the IO values of both Controllers, or between the values of redundant FC-RUSIO-3224, FC-PDIO01 or FC-PUIO01 modules.
The Controller responds to IO compare errors by applying the fault reaction (FR) state to the faulty IO:
- The reaction to a compare error between redundant CPs is to force CP2 to the safe state while CP1 continues safeguarding the process.
- The reaction to a compare error between the SC Controller and IO is to apply the FR state to the faulty channel(s).
Table 4-11 relates input and output compare faults, alarm markers and the Controller reaction for non-redundant and redundant IO.
Table 4-11: Controller reaction to IO compare errors (columns: IO compare error, "occurs when detecting ...", Controller reaction for non-redundant IO, Controller reaction for redundant IO; the rows of this table did not survive extraction)
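A worked model of the input comparison described in this chapter (redundant IO modules voted into one input image, then the compare between redundant CPs before the application logic runs), covering both the "use the value of the healthy module" rule for safety-related inputs and the two compare-error reactions listed above. This is an added example written for this page, not Honeywell's implementation; the channel names, the configured FR states, the analog comparison tolerance and the sample readings are constructed assumptions.

```python
"""Per-cycle IO comparison for a redundant Safety Manager SC configuration
(added example for this page, not Honeywell code).  Rules modelled:
  * redundant IO channel: use the value of the healthy module; if both
    modules pass their own diagnostics but disagree, that is an IO compare
    error and the channel gets its configured fault-reaction (FR) state;
  * redundant CPs: if the two input images differ after IO voting, CP2 is
    forced to the safe state and CP1 continues safeguarding the process.
Channel names, FR states, analog tolerance and readings are assumptions."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Reading:
    value: Any          # bool for digital channels, float for analog channels
    healthy: bool       # outcome of the IO module's own channel diagnostics


def _same(a: Any, b: Any, tolerance: float) -> bool:
    """Digital values must match exactly; analog values within a tolerance (assumption)."""
    if isinstance(a, bool) or isinstance(b, bool):
        return a == b
    return abs(float(a) - float(b)) <= tolerance


def vote_channel(a: Reading, b: Reading, fr_state: Any,
                 tolerance: float = 0.5) -> Tuple[Any, Optional[str]]:
    """Select one value for a redundant input channel; returns (value, diagnostic)."""
    if a.healthy and b.healthy:
        if _same(a.value, b.value, tolerance):
            return a.value, None
        # both modules pass self-test yet disagree: compare error between the
        # controller and IO, so the FR state is applied to the affected channel
        return fr_state, "IO compare error: FR state applied"
    if a.healthy:
        return a.value, "module B faulty: value of module A used"
    if b.healthy:
        return b.value, "module A faulty: value of module B used"
    return fr_state, "both modules faulty: FR state applied"


def build_input_image(mod_a: Dict[str, Reading], mod_b: Dict[str, Reading],
                      fr_states: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """One scan of all channels: returns the voted image plus the diagnostics raised."""
    image: Dict[str, Any] = {}
    diagnostics: List[str] = []
    for channel, fr_state in fr_states.items():
        value, diag = vote_channel(mod_a[channel], mod_b[channel], fr_state)
        image[channel] = value
        if diag is not None:
            diagnostics.append(f"{channel}: {diag}")
    return image, diagnostics


@dataclass
class CpCompare:
    cp2_forced_safe: bool                   # CP2 goes to the safe state, CP1 continues
    mismatched: List[str] = field(default_factory=list)


def compare_cps(cp1_image: Dict[str, Any], cp2_image: Dict[str, Any],
                tolerance: float = 0.5) -> CpCompare:
    """Redundant CPs compare their input images before executing the logic."""
    mismatched = [ch for ch in cp1_image
                  if ch not in cp2_image or not _same(cp1_image[ch], cp2_image[ch], tolerance)]
    return CpCompare(cp2_forced_safe=bool(mismatched), mismatched=mismatched)


# Constructed sample scan (not captured from a real system); False / 0.0 are the
# assumed de-energized fault-reaction states of these channels.
FR_STATES = {"DI_101": False, "DI_102": False, "AI_201": 0.0}
MODULE_A = {"DI_101": Reading(True, True),
            "DI_102": Reading(True, True),
            "AI_201": Reading(41.9, True)}
MODULE_B = {"DI_101": Reading(True, True),
            "DI_102": Reading(False, True),    # disagrees although healthy
            "AI_201": Reading(42.2, False)}    # module B reports this channel faulty


def demo() -> Tuple[Dict[str, Any], List[str], CpCompare]:
    image, diags = build_input_image(MODULE_A, MODULE_B, FR_STATES)
    cp2_image = dict(image, DI_101=False)    # constructed: CP2's copy of DI_101 differs
    return image, diags, compare_cps(image, cp2_image)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Note the asymmetry the model makes explicit: a disagreement between two IO modules that both claim to be healthy is handled per channel (FR state), while a disagreement between the two CPs' input images is handled at controller level (CP2 to the safe state), so a single bad channel never takes a whole controller out.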
Caution:
In case a calculation error occurs, Safety Manager SC will go to its idle state.
5 Safety Manager SC special functions
Tip:
Detailed information about on-line modification can be found in the On-line Modification Guide.
Introduction
On-line modification (OLM) is a Safety Manager SC option which allows you to modify the application software, the embedded system software and the Safety Manager SC hardware configuration of systems with a redundant Controller while the system remains operational.
During a firmware upgrade, which can only be performed with a redundant Safety Manager SC Controller, both CPs upgrade and reboot sequentially, so systems connected to those CPs report loss of communication during the reboot. During the online modification one CP is always up and running to maintain control and view. Communication with the CP loaded first is restored automatically after its reboot. After that, the second CP upgrades to the new firmware and reboots. The firmware upgrade is fully automated: once the Start button on the Safety Builder Load Controller screen is pressed, the download and online modification sequence runs unattended to completion.
During an application online modification, which can be performed on a redundant or a non-redundant Safety Manager SC Controller, the loading is done in the background. When the download is complete and the new application has passed all checks, the online modification report is created. This report provides an overview of all important differences and must be studied carefully to make sure that no unexpected changes have been loaded to the SC Controller; it is the last point at which an unintended change can still be rejected. Shortly after the online modification report has been made available, the Continue button is enabled on the Safety Builder Load Controller screen:
- If the Continue button is pressed, both SC Controller Control Processors switch from the old application to the new application simultaneously while maintaining control and view.
- If the Restore button is pressed, the SC Controller continues with the active application and deletes the application just loaded.
During the entire online modification process, the Fault Reset remains available to recover from alarms or faults. The Fault Reset has no effect on the online modification procedure.
The engineer executing the OLM is guided through the OLM procedure step by step by Controller Management, which is integrated in Safety Builder.
Compatibility check
During the modification, Safety Manager SC performs a compatibility check of the application-related data to guarantee a safe changeover from the existing configuration to the new configuration. The system reports all application changes in a detailed report in the Extended Diagnostics.
The user is expected to verify each reported change before starting up the system.
When modifications are implemented in an application, only a functional logic test of the modified functions is required by, for example, TÜV. This must be done once the final verification of the implemented changes has been obtained via the built-in sheet difference report in the Controller Management diagnostics.
SafeNet networks
If a system has been integrated into a SafeNet communication network, it performs a compatibility check for all connected systems.
If it detects inconsistencies, or if the check of a specific system cannot be completed for some reason, an error message is generated in the Extended Diagnostics. In that case no data is exchanged with that system. Communication is only established after the compatibility check has completed successfully on each connected Safety Manager SC for which it failed; the check is run again by a reset of that Controller.
5.2.1 NETWORKS
Data that is transferred between Safety Controllers is represented in function logic diagrams as IO
symbols with the location FSC.
For input logical connections the location is FSC. For SafeNet, the output logical connection can be
configured on any type of point and any location.
For DI and BI with location FSC, the input logical connection is SafeNet. If location is not FSC, it is not
possible to make an input logical connection to the SafeNet link.
For all points (DI, BI, DO, BO, AI, AO), you can assign to an output logical connection at SafeNet links.
Ethernet communication
When communicating via Ethernet you should be aware of Ethernet communication risks and Ethernet
bandwidth and response time calculation.
Attention:
1. Risks are involved when using SafeNet on an insecure, open or shared Ethernet, where downtime, delays, loss of packets and/or access to packets can be caused by other devices on the LAN, such as office computers, network printers, servers and open access points (Wi-Fi access points, WAN routers, etc.).
2. Viruses and applications such as instant messaging may affect SafeNet reliability when active on the same Ethernet.
When the Ethernet is dedicated to a single SafeNet, these issues do not arise:
- No single SafeNet configuration can cause a 100 Mbit/s Ethernet to operate at its maximum capacity (Safety Builder checks this at the configuration stage).
Packets are exposed to modification or alteration when they can be accessed by external systems: applications running on those systems could (deliberately or via a virus infection) intercept, delay and/or alter packets.
5.3 RESET
The reset function is a means to allow Safety Manager SC to recover from an abnormal state (running without faults is the normal operating state).
Safety-related resets allow recovery from all fault types, whereas non-safety-related resets allow recovery from non-safety-related faults only.
Safety-related resets can be given via the reset key switch or via the Remote Reset button in Safety Builder (after it has been enabled in the configuration). The Caution in chapter 3 applies here: the wired reset switch must be physically protected, and the Remote Reset should only be enabled where the communication path from Safety Builder to the Controller is secured as described in that chapter.
SC Controller display | CP status in Safety Builder | SC Controller details | Effect(s) of a reset
OK | Running | The SC Controller is running without faults. | No effect on the Safety Manager SC Controller state.
OK | Running | The SC Controller is running with faults. | 1. The faults logged in the actual fault database are moved to the historical fault database. 2. The actual faults database is cleared. 3. The reset is logged.
RDY or IDLE (after startup or after recovering from a fault) | Ready or Idle | Both SC Controllers contain the same application. | The application will be started in the ready SC Controller.
6 Security recommendations and best practices
Note: Universal Safety IO modules include FC-PDIO01, an SM SC Safety Digital IO module, and FC-PUIO01, an SM SC Safety Universal IO module.
General
The SM SC Controller uses a "defense in depth" security strategy. Implementing defense in depth requires not only device and system security measures, but also physical and organizational security measures. The SM SC Controller is well tested for security robustness. Network protection is addressed by communication filters, and storm-protective communication handling is incorporated in the uplink networking firewall protecting ports A and B, as well as in the networking firewall protecting ports C and D. System designers must always maintain an awareness of security vulnerabilities that might arise when setting up network connections and must always follow Honeywell's recommended security best practices. Security considerations relating to the use of third-party purchased equipment are the user's responsibility.
Organizational Security
Organizational security considerations include site security guidelines, and security awareness training,
as well as SM SC Controller software version audits.
Physical Security
Physical security includes controlling the accessibility of all spaces relevant to placement of SM SC
Controller and Universal Safety IO modules (such as FC-PDIO01 and FC-PUIO01). This includes securing
access to control rooms, control and IO cabinets, field mounted control and IO devices, system
infrastructure integration equipment, wires /cables, and other support equipment. Whenever possible, SM
SC Controller devices and Universal Safety IO modules must be placed in secure locations, preferably in
locked cabinets, with site control over personnel who are given access privileges. All networking
equipment that the SM SC Controller communicates through, including, for example, FTE switches, must
also be placed in secure locations. Consideration must still be given to physical security for installations
where the SM SC Controller or Universal Safety IO module is to be placed in a location remote from a
central control room or from main equipment rooms. Placement within a secure, patrolled zone is
preferable. Switches with available ports to which rogue devices could be connected must be locked into
end point cabinets. Considerations with respect to physical security apply equally to an SM SC
Controller's uplink network (FTE), downlink, and redundancy networks. One of the most prevalent threats
to a computer system’s security comes from within the user’s organization. If end users do not remain
vigilant or become complacent regarding physical security, the SM SC Controller may become vulnerable
to security attacks. Periodic inspection and validation of the networks and equipment attached to the SM
SC Controller and Universal Safety IO module is a security focus end-users need to consider.
Communication Hardening
The SM SC Controller hardens communication access by blocking all unused communication ports, by
applying protocol-specific input validation checks, and by disabling unused services.
Securing Connection to Uplink Network
The SM SC Controller provides built-in firewalls for ports A, B and C that reject traffic outside the
parameters required to fulfill its mission. The SM SC Controller processes correctly formed messages that
originate from operational displays, control configuration tools and system configuration tools. To
ensure that only authorized personnel can initiate such communications, the SM SC Controller delegates
authorization and role based access responsibilities to the control system. The SM SC Controller also
initiates and receives communications with Honeywell peer controllers, such as peer SM SC Controllers.
The complement of peer communications involving a particular Safety Manager SC is determined by the
control and system configuration. Experion systems define recommended practices with regard to user
accounts and access privileges. In addition, due diligence must be applied to the deployment of all
networking equipment. For example, switch configuration must disable unused ports. Excessively high
traffic on an SM SC Controller uplink network could be an indication of a Denial of Service (DOS) attack.
Honeywell recommends the use of Honeywell Risk Manager or Solar Winds to detect unintended and
excess network traffic.
Securing Connection to Downlink Network
The SM SC Controller and Universal Safety IO modules communicate over the Universal Safety IO Link
with an Ethernet based timed protocol for the safe exchange of IO data. For communication robustness,
the SM SC Controller and Universal Safety IO modules perform validation on the packets, and when
redundant, compare packets between Ethernet legs. Ethernet packets are vulnerable to interception, delay,
modification or alteration. Physical security of the downlink and switches is necessary to avoid attacks
such as man in the middle and the intentional or unintentional disruption of downlink communications.
Maintenance, Configuration and Operation
Access to the tools used to maintain, configure and operate SM SC Controller and Universal Safety IO
modules must be limited to trusted and competent personnel. This applies to the tools used at level 2 and
above.
Third Party Firmware Files
Care must be taken to assure that authentic and unaltered firmware files are being used when new code
versions are loaded to mission critical devices. In the case of the SM SC Controller, built-in services that
recognize and prevent execution of counterfeit firmware are provided.
Safety IO modules receive their firmware download from the SM SC Controller but do not have counterfeit
detection services. Recommendations regarding Physical Security and Maintenance, Configuration and
Operation should be followed to reduce the risk of alterations to Safety IO module firmware.
Patch Management
Integrity of firmware versions and updates is secured by a Secure Boot capability. Version visibility is
available for human interface display access.
Backup/Recovery Capability
The SM SC Controller provides a recovery capability using Safety Builder saved configuration
information. This supports disaster recovery.
Force Enable Key Switch
It is strongly recommended to keep the Force Enable key switch in the disabled position whenever adding
forces is not required. Leaving the Force Enable key in the enabled position will make the SM SC
Controller more vulnerable to abuse.
Program Enable Key Switch
It is strongly recommended to keep the Program Enable key switch in the disabled position whenever
programming the SM SC Controller is not required. Leaving the Program Enable key in the enabled
position will make the SM SC Controller more vulnerable to abuse.
Force Clear Key Switch
This Key Switch removes all applied forces from the SM SC Controller. Implementing this switch as
spring-return is advised.
Fault Reset Key Switch
The Fault Reset key switch is a physical key to reset the SM SC Controller.
Force Enable Configuration
It is strongly recommended to leave a point's Force Enable to the default 'No' (disabled) when it is not
necessary to force this point or to modify a HART field device parameter during maintenance. Configuring
a point with Force Enable will make the SM SC Controller user application more vulnerable to abuse.
Write Enable Configuration
It is recommended to leave a point's Write Enable to the default 'No' (Disabled) when it is not necessary
to write this point during maintenance. It is strongly discouraged to use a write enabled point as part of a
SIF. Configuring a point with Write Enable will make the SM SC Controller user application more
vulnerable to abuse.
Write Lock System Points
To prevent unauthorized writes to COM points, it is recommended to use the property "Write Lock." This
property is attached to a system point automatically created with a new logical connection. For
information on how to use write lock system points, see the Software Reference.
Remote Reset Configuration
It is recommended to leave this setting in the 'Disabled' position when it is not a necessity to reset or
startup a SM SC Controller remotely via the Safety Builder. Configuring Remote Reset will make the SM
SC Controller more vulnerable to abuse. The Fault Reset key switch mounted in the SM SC Controller
cabinet is the preferred secure alternative.
Remote Load Configuration
It is recommended to leave this setting in the 'Disabled' position when it is not a necessity to shutdown a
SM SC Controller remotely via the Safety Builder prior to a download. Configuring Remote Load will make
the SM SC Controller more vulnerable to abuse. The Program Enable key switch is the preferred secure
alternative.
Sequence of Events
An event is permanently removed from a SM SC Controller after the event was successfully read from the
controller. To prevent events being lost, it is recommended to block connections other than the configured
SOE collector.
SafeNet
SafeNet will drop a connection when communication is lost for the configured time-out or more. It is
recommended to configure the shortest time-out possible as this reduces the window for tampering. It is
recommended to validate network integrity before (re-)starting SafeNet communication after any
unexpected loss of communication.
Network Clock
Safety Manager SC uses the network clock to timestamp diagnostic messages and events. An incorrect
timestamp cannot result in unsafe operation. It can however confuse operators and maintenance
engineers and it can lead to misinterpretation of the sequence of events. It is recommended to configure
the clock source time-out as short as possible as this reduces the window for tampering. It is
recommended to validate network integrity before (re-)starting a clock after any unexpected loss of
communication. NTP devices have a user configured IP address known to the SM SC Controller. NTP is
therefore more secure compared to PTP.
Denial of Service (DoS)
Safety Manager SC uses separate hardware for Safety and Communication control. The Communication
control has built-in overload detection and overload protection. To minimize the loss of functionality,
each of the communication ports on the modules can be switched off temporarily. This protection is
especially effective against network storm and DoS attacks as only the communication on that one port
will be temporary dropped. Activation of the overload protection will generate a diagnostic message. It is
strongly recommended to validate network integrity as overload can be caused by malware on a
connected device or by an attack on the SM SC Controller.
SM SC Controller Redundancy
With proper redundant communication configuration the temporary drop of communication does not
have to result in DoS for the controller. Refer to the Safety Manager SC Overview Guide and Software
Reference manual for more information about redundant communication configurations.
Safety Builder
Safety Builder provides an extensive on-line toolset. In a well configured system none of these on-line
actions can result in unsafe operation. Unauthorized access can however cause confusion and upset if
the SM SC Controller is configured with one or more remote operation options enabled, it is therefore
strongly recommended to (physically) block all unused Ethernet ports on the Safety Builder network.
Security Guidelines for (pre-) installing Safety Manager SC
A detailed description of all Safety Builder privilege levels, password protections and version control is
provided in the Safety Manager SC System Administration Guide.
Installation
It is strongly recommended to install and maintain Safety Builder and SM SC Controller separated from
the Office Domain.
Additional protection against misuse of Modbus TCP
To protect Safety Manager SC against misuse of Modbus TCP ports, it is advised to use the Honeywell
Modbus Read-only Firewall. This is a fixed configuration firewall based on “deep packet inspection”
technology. This technology scans every network message, only allowing a very limited set of valid
Modbus “Read-only” commands through to the safety system. These are safe commands that cannot be
used by malware to change the functionality of the safety system. The firewall’s fixed rule sets remove
the possibility of tampering or mis-configuration and significantly reduce the effort required by the
plant to maintain the firewall.
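To make the deep-packet-inspection idea concrete, the following added example (written for this page, not Honeywell's Modbus Read-only Firewall or any of its rule sets) parses a Modbus TCP request, validates the MBAP header, and passes only the standard read function codes with sane quantities, dropping everything else. The allowed set (function codes 0x01 to 0x04) and the constructed sample frames are assumptions of the example; the page does not list which commands the Honeywell firewall permits.

```python
import struct

# Standard Modbus public function codes that only read data (passed through).
READ_ONLY_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}  # coils, discrete inputs, holding regs, input regs
# Function codes that change controller state or configuration (always dropped).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
# Maximum quantity per read request defined by the Modbus application protocol spec.
MAX_QUANTITY = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}


def inspect_modbus_tcp(frame: bytes) -> tuple[bool, str]:
    """Return (allow, reason) for one Modbus TCP request frame (MBAP header + PDU)."""
    if len(frame) < 8:
        return False, "frame shorter than MBAP header plus function code"
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        return False, f"protocol id {protocol_id} is not Modbus (0)"
    # The MBAP length field counts unit id + PDU; it must match the bytes present.
    if length != len(frame) - 6:
        return False, f"MBAP length {length} does not match frame length {len(frame) - 6}"
    pdu = frame[7:]
    function = pdu[0]
    if function in WRITE_FUNCTIONS:
        return False, f"function 0x{function:02X} writes to the controller"
    if function not in READ_ONLY_FUNCTIONS:
        # Diagnostics (0x08), file records, vendor-specific codes: not on the allow list.
        return False, f"function 0x{function:02X} is not an allowed read command"
    if len(pdu) != 5:
        return False, "read request PDU must be function + address + quantity (5 bytes)"
    start, quantity = struct.unpack(">HH", pdu[1:5])
    if not 1 <= quantity <= MAX_QUANTITY[function]:
        return False, f"quantity {quantity} outside 1..{MAX_QUANTITY[function]}"
    if start + quantity > 0x10000:
        return False, "address range wraps past 65535"
    return True, f"read function 0x{function:02X} start={start} qty={quantity}"


def build_request(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Build a request frame: MBAP header (length = unit id + PDU) followed by the PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic for demonstration (not captured from a real system).
SAMPLES = {
    "read_holding": build_request(1, 1, bytes([0x03]) + struct.pack(">HH", 0, 10)),
    "write_single_reg": build_request(2, 1, bytes([0x06]) + struct.pack(">HH", 5, 0xFFFF)),
    "write_multi_coils": build_request(3, 1, bytes([0x0F]) + struct.pack(">HHB", 0, 8, 1) + b"\xff"),
    "oversized_read": build_request(4, 1, bytes([0x03]) + struct.pack(">HH", 0, 200)),
    "bad_length": build_request(5, 1, bytes([0x03, 0, 0, 0, 1]))[:-1],  # truncated frame
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        allow, reason = inspect_modbus_tcp(frame)
        print(f"{name:18s} {'ALLOW' if allow else 'DROP '} {reason}")
```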
Virus and Patch management
The applications listed below can be installed and run on the same platform:
• Safety Builder
• Application Server
7 General guidelines for TÜV approved applications
7.1 GENERAL
Safety Manager SC can be used for processes which require, amongst others, TÜV approval. The
requirements for the safety applications are the following:
1. The maximum application cycle time is half the Process Safety Time. For example, the accepted
Process Safety Time for a burner control system in accordance with TRD-411 for boilers > 30 kW
(July 1985) TRD-412 (July 1985) Table 1 and DIN 4788 (June 1977) Part 2 Chapter 3.2.3.2 1 is 1
second.
This implies that the application cycle time must be 0.5 second or less. The application cycle time
is monitored by the SM SC Controller and can be seen on the System Information screen of
Controller Management.
The application cycle time is limited to 2.3 seconds by the watchdog, resulting in a maximum
typical cycle time of 2 seconds. The typical application cycle time can be calculated by the Safety
Manager SC MTBF and Cycle time calculation tool. This tool is available via Honeywell SMS and
includes:
• cycle time estimation based upon amount of IO, DTI, application complexity and
communication parameters,
• MTBF calculation
2. If a Universal IO module detects a fault in output hardware that is configured with Fault Reaction
Low or 0mA, it will de-energize the faulty output channels, and the repair timer will start. The
de-energization of faulty output channels is fully implemented in the software and cannot be
influenced by the user (see also item 3).
• The faulty IO module can be replaced without affecting the status of the SM SC
Controller, and the SM SC Controller resets before the repair timer expires. This stops the
repair timer.
• If the repair timer expires, then all outputs of that IO module are de-energized via the
watchdog functionality.
3. If Safety Manager SC detects a fault in its input hardware (configured with Fault Reaction Low,
High, Bottom scale, Top scale), the faulty input is set to its configured Fault Reaction state.
4. Input points with location COM may only be used for non safety-related functions.
5. In case Safety Manager SC Universal Safety IO modules are used in an ESD application:
• safety-related digital inputs must be configured as line-monitored (i.e. the Loop
monitoring enable check box in Point Properties is selected), and
• the 0V line must be connected to earth or an ELD module.
6. In case Safety Manager SC Universal Safety IO modules are used in an F&G application:
• safety-related digital inputs must be configured as line-monitored (i.e. the Loop
monitoring enable check box in Point Properties is selected), and
• an ELD module.
7. The watchdog functionality of SM SC Controller and Universal IO modules contains a shutdown
(SD) input. (See the Hardware Reference for connection details).
8. For more details on IO wiring details, termination of IO signals and power supply distribution see
For details about the Safety Manager SC operating conditions refer to Safety Manager SC
operating conditions.
The operating temperature is measured in Safety Manager SC. This temperature is higher than the
temperature outside the cabinet, which results in a lower ambient temperature for the cabinet.
Depending on the internal dissipation in the cabinet and the ventilation, a temperature difference
of 25°C (77°F) is allowed, which results in a maximum ambient temperature of 45°C (113°F). To
minimize the temperature difference, forced ventilation with one or more fans may be required. By
using the temperature pre-alarm setpoints, an alarm can be given if the internal temperature is too
high.
18. The storage conditions of the Safety Manager SC hardware modules shall not exceed the following
ranges:
Storage temperature: -40 to +85°C (-40 to 185°F).
19. Most modifications made to the application programs require the application program to be
loaded into the SM SC Controller. Some modifications, such as renaming tag numbers, can be
completed without loading.
20. It is mandatory that, after verification and approval of any type of application modification, proper
configuration management is applied to make sure that all stations and backup systems
that may have an instance of this application program get updated to the modified version.
8 List of abbreviations
8 LIST OF ABBREVIATIONS
AI   Analog Input
AO   Analog Output
DI   Digital Input
DO   Digital Output
ESD  • ElectroStatic Discharge
     • Emergency ShutDown system
IO   Input/Output
IP   • Internet Protocol
     • Intellectual Property
9 Notices
9 NOTICES
9.1 NOTICE
This document contains Honeywell proprietary information. Information contained herein is to be used
solely for the purpose submitted, and no part of this document or its contents shall be reproduced,
published, or disclosed to a third party without the express permission of Honeywell Measurex (Ireland)
Limited.
While this information is presented in good faith and believed to be accurate, Honeywell disclaims the
implied warranties of merchantability and fitness for a purpose and makes no express warranties except
as may be stated in its written agreement with and for its customer.
In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The
information and specifications in this document are subject to change without notice.
Specific products described in this document are covered by U.S. Patent Nos. D514075, D518003,
D508469, D516047, D519470, D518450, D518452, D519087 and any foreign patent equivalents.
Copyright 2018 – Honeywell Measurex (Ireland) Limited
9.6 SUPPORT
For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your
local CCC visit the website, https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.
For support:
1) Try our Knowledge Base
2) Create a Support Request online
3) Monitor your cases @Request Help.
For all other support queries, please contact our Customer Contact Center.
Note: Login to access dedicated support material for contract customers and employees.