This document contains Honeywell proprietary information. Information
contained herein is to be used solely for the purpose submitted, and no part of this
document or its contents shall be reproduced, published, or disclosed to a third
party without the express permission of Honeywell Safety Management Systems.
While this information is presented in good faith and believed to be accurate,
Honeywell disclaims the implied warranties of merchantability and fitness for a
purpose and makes no express warranties except as may be stated in its written
agreement with and for its customer.
In no event is Honeywell liable to anyone for any direct, special, or consequential
damages. The information and specifications in this document are subject to
change without notice.
Copyright 2004 – Honeywell Safety Management Systems, a division of
Honeywell Aerospace B.V.
Honeywell trademarks
Safety Manager™ is a trademark of Honeywell International Inc.
Experion PKS®, PlantScape®, SafeBrowse®, TotalPlant® and TDC 3000® are U.S. registered trademarks of Honeywell International Inc.
Other trademarks
Microsoft and SQL Server are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
Trademarks that appear in this document are used only to the benefit of the
trademark owner, with no intention of trademark infringement.
Support and other contacts
United States and Canada
Contact: Honeywell IAC Solution Support Center
Phone: 1-800 822-7673. In Arizona: (602) 313-5558
Facsimile: (602) 313-5476
Mail: Honeywell IS TAC, MS P13
2500 West Union Hills Drive
Phoenix, AZ, 85027
Calls are answered by dispatcher between 6:00 am and 4:00 pm Mountain Standard Time. Emergency calls outside normal working hours are received by an answering service and returned within one hour.
Europe
Contact: Honeywell PACE TAC
Phone: +32-2-728-2657
Facsimile: +32-2-728-2278
Mail: Honeywell PACE TAC
Avenue du Bourget, 1
B-1140 Brussels, Belgium
Pacific
Contact: Honeywell Global TAC - Pacific
Phone: 1300-300-4822 (toll free within Australia)
+61-2-9353-7255 (outside Australia)
Facsimile: +61-2-9353-8044
Mail: Honeywell Global TAC - Pacific
5 Thomas Holt Drive
North Ryde, NSW, 2113, Australia
Email: GTAC@honeywell.com
India
Contact: Honeywell Global TAC - India
Phone: +91-20-687-5531
Facsimile: +91-20-687-9404
Mail: TATA Honeywell Ltd.
55 A8 & 9, Hadapsar Industrial
Hadapsar, Pune -411 013, India
Email: Global-TAC-India@honeywell.com
Korea
Contact: Honeywell Global TAC - Korea
Phone: +82-2-799-6317
+82-11-743-6016
Facsimile: +82-2-792-9015
Mail: Honeywell IAC SBE, CRC
17F, Kikje Center B/D,
191, Hangangro-2Ga
Yongsan-gu, Seoul, 140-702, Korea
Email: Global-TAC-Korea@honeywell.com
People's Republic of China
Contact: Honeywell Global TAC - China
Phone: +86-10-8458-3280 ext. 361
Mail: Honeywell Tianjin Limited
17 B/F Eagle Plaza
26 Xiaoyhun Road
Chaoyang District
Beijing 100016, People's Republic of China
Email: Global-TAC-China@honeywell.com
Singapore
Contact: Honeywell Global TAC - South East Asia
Phone: +65-580-3500
Facsimile: +65-580-3501
+65-445-3033
Mail: Honeywell Private Limited
Honeywell Building
17, Changi Business Park Central 1
Singapore 486073
Email: GTAC-SEA@honeywell.com
Taiwan
Contact: Honeywell Global TAC - Taiwan
Phone: +886-7-323-5900
Facsimile: +886-7-323-5895
+886-7-322-6915
Mail: Honeywell Taiwan Ltd.
10F-2/366, Po Ai First Rd.
Kaohsiung, Taiwan, ROC
Email: Global-TAC-Taiwan@honeywell.com
Japan
Contact: Honeywell Global TAC - Japan
Phone: +81-3-5440-1303
Facsimile: +81-3-5440-1430
Mail: Honeywell K.K
1-14-6 Shibaura Minato-Ku
Tokyo 105-0023
Japan
Email: Global-TAC-JapanJA25@honeywell.com
Elsewhere
Call your nearest Honeywell office.
World Wide Web
Honeywell Solution Support Online:
http://www.ssol.acs.honeywell.com
Training classes
Honeywell holds technical training classes on Safety Manager. These classes are
taught by experts in the field of process control systems. For more information
about these classes, contact your Honeywell representative, or see
http://www.automationcollege.com.
Related Documentation
The following guides are available for Safety Manager.
The guide in front of you is the Safety Manual.
Guide: Description
The Overview Guide: This guide describes the general knowledge required, the basic functions of, and the tasks related to Safety Manager.
The Safety Manual: This guide describes the specifications, design guidelines, and safety aspects related to Safety Manager.
The Planning and Design Guide: This guide describes the tasks related to planning and designing a Safety Manager project.
The Installation and Upgrade Guide: This guide describes the tasks related to installing, replacing and upgrading hardware and software as part of a Safety Manager project.
The Troubleshooting and Maintenance Guide: This guide describes the tasks related to troubleshooting and maintaining Safety Manager.
The System Administration Guide: This guide describes the tasks related to administrating the computer systems used in a Safety Manager project.
The Hardware Reference: This guide specifies the hardware components that build a Safety Manager project.
The Software Reference: This guide specifies the software functions that build a Safety Manager project and contains guidelines on how to operate them.
The On-line Modification Guide: This guide describes the theory, steps and tasks related to upgrading Safety Builder and embedded software and modifying an application online in a redundant Safety Manager.
Task-oriented guides
A task-oriented guide provides both procedural and basic knowledge. A task can
inform the reader on how to perform the task in terms of steps to follow.
Additionally a task can describe what important considerations to make or what
options to choose from when performing a task.
A task-oriented guide lists the required skills and knowledge that people must
master to qualify for the described tasks.
It is common for task-oriented guides to refer to reference guides for details.
Reference guides
A reference guide provides detailed information or solutions regarding its scope.
A reference guide is a Safety Manager related guide and provides background
information to support tasks as described in task-oriented guides.
A reference guide does not describe tasks in terms of how to perform the task in
terms of steps to follow.
Available electronic format
All guides are accessible via the Safety Manager Knowledge Builder, an Internet Explorer based viewer with extensive search and indexing options.
The Knowledge Builder contains guides stored as:
• web pages
• Adobe PDF guides
The information stored on the Safety Manager Knowledge Builder CD-ROM can
be installed as stand-alone or merged with other Knowledge Builder booksets on
a server.
Conventions
Symbols
The following symbols are used in Safety Manager documentation:
Attention: This symbol is used for information that emphasizes or supplements important points of the main text.
Tip: This symbol is used for useful, but not essential, suggestions.
Note: This symbol is used to emphasize or supplement important points of the main text.
Caution: This symbol warns of potential damage, such as corruption of the database.
Warning: This symbol warns of a potentially hazardous situation which, if not avoided, could result in serious injury or death.
ESD: This symbol warns of the danger of an electrostatic discharge to which equipment may be sensitive.
Fonts
The following fonts are used in Safety Manager documentation:
Emphasis: Emphasised text is used to emphasise important words in the text and to identify document titles. Examples: “... inform the reader on how to perform the task in terms of...”; “...see the Overview Guide”.
Label: This font is used to identify labels. Labels are used for dialog box labels, menu items, names of properties, and so on. Example: “The Advanced tab of the Properties window has..”
Steps: This font is used to identify steps. Steps indicate the course of action that must be adhered to, to achieve a certain goal. Example: Take the following steps: 1. Create a plant and set its properties. 2. ....
Value: This font is used to indicate a value. A value is a variable that the reader must resolve by choosing a pre-defined state. Example: “Low is the fault reaction state for digital inputs and digital outputs.”
Variable: Example: “The syntax is: filename [-s] [-p]”
URL: This font is used to identify a URL, directing
Example: http://www.honeywellsms.com
1 – The Safety Manual
The Safety Manual is intended primarily for the people responsible for and performing tasks related to Safety Manager.
This guide provides directions on how to configure and use Safety Manager the way it is intended. It provides design guidelines, lists the boundaries of Safety Manager, and advises the best hardware for certain functions.
Typical readers are all people involved in planning and design, engineering, troubleshooting and maintenance, as well as operating Safety Manager.
It is assumed that the reader masters the required skills and knowledge as described herein.
This section contains the following information about this guide:
Topic: See
Content of Safety Manual: page 2
Basic skills and knowledge: page 3
Safety standards for Process & Equipment Under Control (PUC, EUC): page 4
Application design conform IEC 61131-3: page 6
The IEC 61508 and IEC 61511 standards: page 7
Note
This guide does not contain information related to other Honeywell Experion PKS systems and third-party controllers such as Allen-Bradley, Series 9000, TDC 3000, Data Hiway, UDC, and so on.
For information about these systems, see the manufacturer's bookset.
Content of Safety Manual
The Safety Manual is a reference guide providing detailed information regarding how safety aspects are met in Safety Manager. A reference guide is a Safety Manager related guide; it does not describe tasks as steps to follow, but can provide input to support decisions required to achieve a certain objective.
Guide: Subjects
Safety Manual:
• “Introduction” on page 9
• “Safety Manager architectures” on page 29
• “Design phases for an E/E/PE safety-related system” on page 45
• “Design and implementation phases of Safety Manager” on page 53
• “Safety Manager special functions” on page 63
• “Safety Manager fault detection and response” on page 69
• “Using Safety Manager alarm markers and diagnostic inputs” on page 109
• “Fire and gas application example” on page 117
• “Special requirements for TUV-approved applications” on page 141
References
The following guides may be required as reference materials:
Guide: Description
The Overview Guide: This guide describes the general knowledge required, the basic functions of, and the tasks related to Safety Manager.
The Planning and Design Guide: This guide describes the tasks related to planning and designing a Safety Manager project.
The Troubleshooting and Maintenance Guide: This guide describes the tasks related to troubleshooting and maintaining Safety Manager.
The System Administration Guide: This guide describes the tasks related to administrating the computer systems used in a Safety Manager project.
The Hardware Reference: This guide specifies the hardware components that build a Safety Manager project.
The Software Reference: This guide specifies the software functions that build a Safety Manager project and contains guidelines on how to operate them.
Basic skills and knowledge
Before performing tasks related to Safety Manager you need to:
• Understand basic Safety Manager concepts as explained in the Overview Guide and the Glossary.
• Have a thorough understanding of the Safety Manual.
• Have had appropriate training related to Safety Manager that certifies you for your tasks (see the Planning and Design Guide).
Prerequisite skills
When you perform tasks related to Safety Manager, it is assumed that you have appropriate knowledge of:
• Site procedures.
• The hardware and software you are working with. These may be, for example: computers, printers, network components, Controller and Station software.
• Microsoft Windows operating systems.
• Programmable logic controllers (PLCs).
• Applicable safety standards for Process & Equipment Under Control.
• Application design conform IEC 61131-3.
• The IEC 61508 and IEC 61511 standards.
This guide assumes that you have a basic familiarity with the process(es) connected to the equipment under control.
Training
Most of the skills mentioned above can be achieved by appropriate training. For more information, contact your Honeywell SMS representative or see:
• http://www.honeywellsms.com or
• http://www.automationcollege.com.
Safety standards for Process & Equipment Under Control (PUC, EUC)
Safety Manager is a PLC-based Safety Instrumented System (SIS) performing specific safety functions to ensure risks are kept at predefined levels.
A SIS measures, independently from the Basic Process Control System, a number of relevant process signals such as temperature, pressure, level in a tank or the flow through a pipe. The values of these signals are compared with the predefined safe values and, if needed, the SIS gives an alarm or takes action. In such cases the SIS controls the safety of the process and lowers the chance of an unsafe situation.
The logic in Safety Manager defines the response to process parameters.
In this context the following terms are explained in this section:
• Safety Integrity Level (SIL)
• Equipment Under Control (EUC)
• Process Under Control (PUC)
Safety Integrity Level (SIL)
The IEC 61508 standard specifies 4 levels of safety performance for safety
functions. These are called safety integrity levels. Safety integrity level 1 (SIL1)
is the lowest level of safety integrity, and safety integrity level 4 (SIL4) the
highest level. If the level is below SIL 1, the IEC 61508 and IEC 61511 do not
apply.
Safety Manager can be used for processes requiring a SIL1, SIL2 and SIL3.
To achieve the required safety integrity level for the E/E/PE safety-related
systems, an overall safety life cycle is adopted as the technical framework (as
defined in IEC 61508). For more information see inside the Safety Manual.
Equipment Under Control (EUC)
EUC is the equipment controlled by Safety Manager.
Safety-related systems are designed to prevent the EUC from going into a dangerous state. Safety-related systems can broadly be divided into:
• Emergency shutdown systems.
• Fire and Gas detection and control systems.
Safety-related systems interface with the process through sensors and actuators. The required safety integrity level may be achieved by implementing the safety functions in the process control system or by using separate and independent systems dedicated to safety.
During the various phases of the safety cycle, different knowledge and skills are required with respect to EUC. For more information see inside the Safety Manual.
Process Under Control (PUC)
A Process Under Control is Equipment Under Control expanded with additional regulations for the process (e.g. refining).
• Where EUC is concerned, the emphasis is on keeping the equipment safe.
• Where PUC is concerned, the emphasis is on keeping the process safe (broader perspective).
Where PUC is concerned, Safety Manager monitors the process for abnormal situations. Safety Manager is able to initiate safety actions and process alarms. An alarm can be caused by abnormal situations in the:
• Process
• Safety loops
• Safety system itself
Application design conform IEC 61131-3
The IEC 61131 standard defines, as a minimum set, the basic programming elements and the syntactic and semantic rules for the most commonly used programming languages, including the graphical languages:
• Ladder Diagram,
• Functional Block Diagram, and
• the textual languages Instruction List and Structured Text.
For more information see the IEC web site.
Figure 1 on page 6 shows how Safety Manager uses the graphical programming method, based on Functional Block Diagram as defined in IEC 61131-3.
Figure 1 Example FLD layout
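The following is an added example, not code from the Honeywell manual or from the Safety Builder product. It models in Python the behaviour described under “Safety standards for Process & Equipment Under Control”: a safety function that compares measured process signals with predefined safe values and de-energizes its output or raises an alarm, built from blocks wired together in the function-block style this section describes (comparator, 2-out-of-3 voter, AND). The instrument tags PT-101A/B/C and TT-201, the setpoints, the 2oo3 voting arrangement and the “Low” fault reaction state for a failed channel are all assumptions constructed for the example; the point it adds beyond the text is how a failed transmitter is pushed in the safe direction without tripping a voted group on a single fault.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A transmitter reading; None models a failed or out-of-range channel.
Signal = Optional[float]


@dataclass
class HighTrip:
    """FBD block: compare one analog input with a high-high trip setpoint.

    Output True means the channel is healthy (value below setpoint). A failed
    input yields the block's fault reaction state; 'Low' (False) pushes the
    logic toward a trip, the safe direction for a de-energize-to-trip output.
    """
    tag: str                      # hypothetical instrument tag, e.g. "PT-101A"
    setpoint: float               # hypothetical setpoint in engineering units
    fault_reaction: bool = False  # 'Low' fault reaction state (assumption)

    def evaluate(self, signals: Dict[str, Signal]) -> bool:
        value = signals.get(self.tag)
        if value is None:
            return self.fault_reaction
        return value < self.setpoint


def vote_2oo3(a: bool, b: bool, c: bool) -> bool:
    """FBD block: 2-out-of-3 voting on three healthy/unhealthy channel states.

    The group stays healthy while at least two channels are healthy, so one
    failed transmitter neither trips the unit (availability) nor masks a real
    excursion seen by the other two channels (safety).
    """
    return int(a) + int(b) + int(c) >= 2


@dataclass
class SafetyFunctionResult:
    esd_output_energized: bool   # True: final element stays energized (no trip)
    alarm: bool                  # True: pre-alarm or channel-fault alarm raised
    reasons: List[str] = field(default_factory=list)


# Constructed configuration: triplicated pressure transmitters voted 2oo3 and a
# single temperature transmitter, all with hypothetical tags and setpoints.
PRESSURE_TRIPS = [HighTrip("PT-101A", 12.0), HighTrip("PT-101B", 12.0), HighTrip("PT-101C", 12.0)]
PRESSURE_PREALARM = 10.0
TEMPERATURE_TRIP = HighTrip("TT-201", 150.0)


def evaluate_safety_function(signals: Dict[str, Signal]) -> SafetyFunctionResult:
    """One scan of the safety function: comparator blocks -> 2oo3 voter -> AND."""
    channel_states = [blk.evaluate(signals) for blk in PRESSURE_TRIPS]
    pressure_ok = vote_2oo3(*channel_states)
    temperature_ok = TEMPERATURE_TRIP.evaluate(signals)

    reasons: List[str] = []
    if not pressure_ok:
        reasons.append("pressure high-high trip (2oo3)")
    if not temperature_ok:
        reasons.append(f"{TEMPERATURE_TRIP.tag} high-high trip or channel fault")

    # Pre-alarm: a pressure channel above the pre-alarm setpoint, or a failed
    # channel, is reported to the operator even while the 2oo3 group is healthy.
    prealarm = any(
        signals.get(blk.tag) is None or signals[blk.tag] >= PRESSURE_PREALARM
        for blk in PRESSURE_TRIPS
    )

    return SafetyFunctionResult(
        esd_output_energized=pressure_ok and temperature_ok,
        alarm=prealarm or bool(reasons),
        reasons=reasons,
    )


if __name__ == "__main__":
    # Constructed scans: normal running, one failed transmitter, two channels high.
    for scan in (
        {"PT-101A": 8.0, "PT-101B": 8.1, "PT-101C": 7.9, "TT-201": 120.0},
        {"PT-101A": 8.0, "PT-101B": None, "PT-101C": 7.9, "TT-201": 120.0},
        {"PT-101A": 13.0, "PT-101B": 12.5, "PT-101C": 8.0, "TT-201": 120.0},
    ):
        print(evaluate_safety_function(scan))
```

The single temperature channel shows the other side of the trade-off: with no redundancy, a failed TT-201 can only be handled safely by tripping, which is what the “Low” fault reaction does. Which reaction is correct for a given loop is a design decision taken from the hazard analysis, not a property of the code.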
The IEC 61508 and IEC 61511 standards
SISs have been used for many years to perform safety functions e.g. in chemical,
petro-chemical and gas plants. In order for instrumentation to be effectively used
for safety functions, it is essential that the instrumentation meets certain minimum
standards and performance levels.
To define the characteristics, main concepts and required performance levels,
standards IEC 61508 and IEC 61511 have been developed. The introduction of
Safety Integrity level (SIL) is one of the results of these standards.
This brief provides a short explanation of each standard. Detailed information
regarding IEC 61508 and 61511 can be found on the IEC web site.
Tip
For more information regarding, or help on, implementing or determining, the applied
safety standards for your plant/process please contact your Honeywell affiliate. Our
Safety Consultants can help you to e.g.:
• perform a hazard risk analysis
• determine the SIL requirements
• design the Safety Instrumented System
• validate and verify the design
• train your local safety staff
IEC 61508, the standard for all safety-related systems
IEC 61508 is titled “Functional safety of electrical/electronic/programmable electronic safety-related systems”.
IEC 61508 covers all safety-related systems that are electrotechnical in nature (i.e. electromechanical systems, solid-state electronic systems and computer-based systems).
The standard is generic and can be used directly by industry (as a “standalone” standard) and serves as a basis for the development of sector standards (e.g. for the machinery sector, the process sector, the nuclear sector, etc.).
SIL
IEC 61508 details the design requirements for achieving the required Safety Integrity Level (SIL).
The safety integrity requirements for each individual safety function may differ. The safety function and SIL requirements are derived from the hazard analysis and the risk assessment.
The higher the level of safety integrity adopted, the lower the likelihood of dangerous failure of the SIS.
This standard also addresses the safety-related sensors and final elements regardless of the technology used.
IEC 61511, the standard for the process industry
IEC 61511 is titled “Functional safety - Safety instrumented systems for the process industry sector”.
This standard addresses the application of SISs for the process industries. It requires a process hazard and risk assessment to be carried out, to enable the specification for SISs to be derived. In this standard a SIS includes all components and subsystems necessary to carry out the safety instrumented function from sensor(s) to final element(s).
The standard is intended to lead to a high level of consistency in underlying principles, terminology and information within the process industries. This should have both safety and economic benefits.
It is strongly recommended that attention is paid to IEC 61508, as IEC 61511 sits within the framework of IEC 61508.
2 – Introduction
The Safety Manual describes the specifications, design guidelines, and safety aspects related to Safety Manager.
It is created to ensure that the required safety knowledge for designing, engineering and constructing Safety Manager is transferred to the user.
This section describes the following topics:
Topic: See
System overview: page 10
Certification: page 11
Standards compliance: page 13
Definitions: page 20
System overview
Safety Manager is a Safety Instrumented System (SIS). The SIS can be used in a
number of different basic architectures (DMR, QMR) depending on the required
availability level.
The safety of Safety Manager is obtained through its specific design for these
applications. This design includes facilities for self-testing of all Safety Manager
modules through software and specialized hardware based on a failure mode
effect analysis (FMEA) for each module. Additional software diagnostic routines
are included to guarantee proper execution of the hardware. This approach can be
classified as software diversity. These features maintain the highest level of safety
operation of Safety Manager even in the single-channel configurations. By
placing these single-channel versions in parallel, one not only gets safety but also
availability: proven availability.
Safety Manager and Safety Station from Honeywell SMS provide the means to
guarantee optimal safety and availability. To achieve these goals, it is essential
that the system is operated and maintained by authorized and qualified staff. If it
is operated by unauthorized or unqualified persons, severe injuries or loss of
production could be the result. This Safety Manual covers the applications of
Safety Manager for Safety Integrity Levels (SIL) 1 to 3 in compliance with the
international standard IEC 61508.
Tip
More overview information regarding Safety Manager can be found in the Overview
Guide.
Certification
The advantage of applying and complying with standards is obvious:
• International standards force companies to evaluate and develop their products and processes in a consistent and uniform way.
• Products certified to conform to these international standards guarantee a certain degree of quality and product reliability that other products lack.
Since functional safety is the core of the Safety Manager design, the system has been certified for use in safety applications all around the world. Safety Manager has been developed specifically to comply with the IEC 61508 functional safety standards, and has been certified by TUV for use in SIL1 to SIL3 applications.
Safety Manager has also obtained certification in the United States for the UL 1998 and ANSI/ISA S84.01 standards.
For a full list of all these and other certifications see “Certification” on page 11.
Safety Manager has been certified to comply with the following standards:
• International Electrotechnical Commission (IEC): the design and development of Safety Manager are compliant with IEC 61508 (as certified by TUV).
• Instrument Society of America (ISA): certified to fulfill the requirements laid down in ANSI/ISA S84.01.
• CE compliance: complies with CE directives 89/336/EEC (EMC), 73/23/EEC (Low Voltage) and 89/392/EEC (Machine Safety).
• European Committee for Standardization: CEN, CENELEC.
• Lloyds Register of Shipping (LRS): Test specification nr 1, 96/98/EEC (EEC Marine directive).
• TUV (Germany): certified to fulfill the requirements of SIL3 safety equipment as defined in the following documents: IEC 61508, IEC 60664-3, EN 50156, EN 54-2, EN 50178, IEC 60068, IEC 61131-2, IEC 61131-3, IEC 60204.
• Canadian Standards Association (CSA): complies with the requirements of CSA Standard C22.2 No. 0-M982 General Requirements – Canadian Electrical Code, Part II, and CSA Standard C22.2 No. 142-M1987 for Process Control Equipment.
• Underwriters Laboratories (UL): certified to fulfill the requirements of UL 508, UL 991, UL 1998, and ANSI/ISA S84.01.
• Factory Mutual (FM): certified to fulfill the requirements of FM 3611 and FM 3600 (non-incendive field wiring circuits for selected modules and installation in Class 1 Div 2 environments).
Standards compliance
This subsection lists the standards Safety Manager complies with, and gives some background information on the relevant CE marking (EMC directive and Low Voltage directive).
Standard: Title; Remarks
IEC 61508 (S84.01): Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems.
DIN V 0801 (1/90) and Amendment A (10/94): Principles for computers in safety-related systems. (German title: Grundsätze für Rechner in Systemen mit Sicherheitsaufgaben)
VDE 0116 (10/89): Electrical equipment of furnaces. (German title: Elektrische Ausrüstung von Feuerungsanlagen)
EN 54 part 2 (01/90): Components of automatic fire detection systems, Introduction.
EN 50081-2-1994: Electromagnetic compatibility –
EN 50082-2-1995: Electromagnetic compatibility –
IEC 61010-1-1993: Safety Requirements for Electrical
IEC 61131-2-1994: Programmable controllers. Part 2:
UL 1998: Safety-related software, first
UL 508: Industrial control equipment,