Honeywell FSC

8/15/2019 Honeywell FSC

1/30

Fail Safe Control (FSC )

Specification and Technical Data

for FSC Releases 51x and 52x

FS75-510

11/99


2/30

FS75-510

Page 2 11/99



Table of Contents

Introduction.............................................. 3

Features.................................................... 3

Functional Description............................ 4Functional Overview..............................................4Central Part ...........................................................5

Input / Output Interfaces........................................6

I/O Redundancy ....................................................7

Multiple-Sensor and Transmitter Configurations...8

System Features...................................... 8FSC System Configurations..................................8

FSC 1oo2D concept..............................................9

FSC Navigator.....................................................10

Control Implementation .......................................11

FSC Diagnostics..................................................14

Flash-Memory Operation.....................................14 Application Verification........................................14

Power System .....................................................15

Write Protection...................................................15

Physical Characteristics ....................... 16

Options ................................................... 18TPS Integration ...................................................18

PlantScape Integration........................................18Sequence-Of-Event Recording ...........................19

FSCSOE..............................................................20

Alarm Functions ..................................................20

On-Line Modification ...........................................20

Safety Checker....................................................21

I/O Signal Forcing................................................21

Serial Communication with Process Computer Systems...............................................................22

FSC Networking ..................................................22

Simulation............................................................23

Specifications ........................................ 24

References ............................................. 26

Model Numbers...................................... 27

Figure 1 — FSC System Cabinet


3/30

FS75-510

11/99 Page 3



Introduction

The Honeywell Fail Safe Control (FSC ) system is a highly reliable, high-integrity

safety system for safety-critical control applications. As part of Honeywell'sTotalPlant Solution (TPS) system, integrated into PlantScape, or in stand-aloneapplications, the FSC system forms the basis for functional safety, thus providing

protection of persons, plant equipment and the environment combined withoptimum availability for plant operation.

The FSC system is a user-programmable, modular, microprocessor-based safetysystem which can perform a wide range of high-integrity process control and safetyfunctions, including:

• high-integrity process control,•

burner/boiler management systems,• process safeguarding and emergency shutdown,• turbine and compressor safeguarding,• fire and gas detection systems, and• pipeline monitoring.

The design of the FSC system is based on both qualitative and quantitative safetysystem technologies.From a qualitative perspective, the system continuously monitors the correctoperation of its hardware, thus ensuring that it is able to respond accurately to any

defined process demand. The system is also able to detect faults in field loops andfield equipment. The extensive system and field diagnostics support plant operatorsin assessing the consequences of faults for process operation, and aid maintenanceengineers in allocating and resolving detected problems efficiently and effectively.High quantitative rating (optimal Mean Time Between Failure) is accomplishedthrough a redundant system architecture and the use of high-quality electroniccomponents and design methods.

Features

• Extensive system and field loop diagnostics• Redundant architecture for optimum process availability

• Small footprint resulting in high number of I/O interfaces per floor space unit

• Fully integrated power supply concept including transmitter power supply

• On-line modification of control program

• Integrated event recording and alarming

• Distributed safeguarding through FSC networks

• Graphical engineering tool for application program design

• Automatic application program documentation.


4/30

FS75-510

Page 4 11/99



The FSC system can easily be integrated into Honeywell's TPS system through theFSC Safety Manager Module (FSC-SMM). The result is a powerful TPS safetysolution providing integrated operations and control, with a true TPS-based operator

window into the FSC system.For detailed information on the FSC Safety Manager refer to the FSC-SMSpecification and Technical Data (FS03-500).

In addition to the TPS system, the FSC system can also be integrated directly intothe PlantScape system, Honeywell's scaleable hybrid process control system. Adedicated FSC interface module enables FSC-related information to be exchanged

between FSC and PlantScape, thus allowing information to be shared and madeavailable on the PlantScape server displays.

Functional Description

Functional Overview

Figure 2 shows the basic architecture of the FSC system. Two major system partscan be distinguished:

• the Central Part, and

• the Input/Output interfaces.

Control Procesor

I/O AccessSafety Interlock

User ProgrammingSelf-diagnostics

FSC TM

Input / Output interfaces

Watchdog

Monitor Control Processor

Operation andOperating Conditions

To Process Computer Systems, Printers andthe FSC User Station

CommunicationProcessor

CommunicationInterfaces & Protocols

Digital Input

24 Vdc - 60 Vdc120 Vac

[EEx ia] IIC

Analog Input

0 (4) - 20 mA0 (1) - 5 Vdc0 (2) - 10 Vdc

Digital Output

24 Vdc - 220 Vdc120 Vac

[EEx ia] IIC

Analog Output

0 (4) - 20 mA

Central Part

To RedundantCentral Part

Figure 2 — FSC Basic Architecture


5/30

FS75-510

11/99 Page 5



Central Part

The Central Part (CP) is the heart of the FSC system. It is a modular microprocessor

system specifically designed for safety-critical applications which can be tailored tothe needs of any application. The most important Central Part modules are:

• the Control Processor module,

• the Watchdog module, and

• the Communication Processor module.

The Control Processor (Central Processor Unit) reads the process inputs andexecutes the control program as created by the user in graphical Functional LogicDiagrams (FLDs). The results of the control program are then transmitted to theoutput interfaces. In FSC configurations with redundant Central Parts, the Control

Processors synchronize their operation through a dedicated communication link.Continuous testing of the FSC hardware by the Control Processor ensures safecontrol of the process and extensive system and process equipment diagnostics.

The Watchdog monitors the operation and the operating conditions of the ControlProcessor. The operation of the processor is monitored by verifying if the processor executes all its tasks within a precalculated time frame, which depends on theconfiguration. The operating conditions monitored include the data integrity of the

processor memory and the voltage range of the supply power (both undervoltageand overvoltage). If the Watchdog detects a fault in the operation of the Control

Processor or its operating conditions, it will deactivate the safety-critical outputinterfaces of the FSC system, independent of the Control Processor status.

The Communication Processor allows the FSC system to exchange informationwith other computer equipment via serial communication links. Each Central Partcan accommodate up to four communication modules, providing a maximum of eight communication links per Central Part. Dedicated modules are available which

provide communication capabilities with other systems:

• the FSC Safety Manager Module (FSC-SMM), which integrates the FSC systeminto the Universal Control Network (UCN) of Honeywell's TotalPlant Solution(TPS) system, and

• the PlantScape Ethernet interface module, which integrates the FSC system intoHoneywell's PlantScape system.

Table 1 on the next page lists the equipment that the FSC system can communicatewith as well as the available physical interfaces and communication protocols.

All communication interfaces are galvanically or optically isolated.If the FSC configuration contains redundant Control Processors, the system supportsredundant communication. Each Central Part then has its dedicated connection tothe communication peer system.


6/30

FS75-510

Page 6 11/99



Table 1 — FSC Serial Communication Interfaces

Equipment Physical Interface Protocol

RS-232, RS-485, Current LoopModbus,RKE3964R

UCN UCN Token BusProcess Computers

PlantScape (1) Ethernet

Printers RS-232, Current Loop

FSC User Station RS-232, RS-485 FSC-DS

FSC System andFSC Safety Manager

RS-485, Fiber Optic FSC

(1) requires FSC Release 520 or higher.

Input / Output Interfaces

The FSC system provides a wide range of digital and analog input and outputinterfaces, each with different characteristics to meet the demands of a wide rangeof field equipment. Table 2 lists the input and output interfaces that are available inthe FSC system.

Table 2 — FSC Input and Output Interfaces

Digital Input 24 Vdc, 48 Vdc, 60 Vdc and 110 Vdc

24 Vdc (loop-monitored)

120-230 VacClass I, Division 2, Groups ABCD;Class II, Division 2, Groups FG

Class [Eex ia] IIC intrinsically safe (1)

Digital Output 24 Vdc, 48 Vdc, 60 Vdc and 110 Vdc

24 Vdc, 48 Vdc and 220 Vdc (loop-monitored)

120-230 Vac

Class [Eex ia] IIC intrinsically safe (1)

Analog Input 0-20 mA and 4-20 mA

0-5 V, 1-5 V, 0-10 V and 2-10 V

Class I, Division 2, Groups ABCD;Class II, Division 2, Groups FG

Resistance Temperature Device (RTD) (1)

Thermocouple, types E, J, K and T (1)

Analog Output 0-20 mA and 4-20 mA

Class I, Division 2, Groups ABCD;Class II, Division 2, Groups FG

(1) through external devices.


7/30

FS75-510

11/99 Page 7



All FSC I/O modules contain galvanic or optical isolation between the input andoutput circuitry and the FSC-internal supply power.The fail-safe I/O modules support the diagnostic capabilities of the FSC system and

can be used for safety-critical monitoring and control functions. When used for suchapplications, the system may be configured to respond automatically if it detects afault in its own hardware or in the field equipment. The fail-safe modules may also

be used for non safety-critical applications, which will then benefit from FSC'sdiagnostic functions and fault-reporting capabilities.

I/O Redundancy

The input and output interfaces of the FSC system can be implemented in redundantor non-redundant (single) configurations.

Redundant I/O configurations can be used in FSC systems with redundant CentralParts. In this fully redundant configuration, each Central Part has its own I/O systemto which it has exclusive access. The result is a highly reliable fault-tolerant system.Every program cycle, each Central Part reads its own input interfaces. After inputmatching, both Central Parts execute the user-defined control program and updatetheir output interfaces according to the results. In addition, the Central Partscompare the calculated output results to ensure identical operation. Redundant I/Oconfigurations are typically used for critical control and safety functions incombination with the high reliability offered by this concept.

Non-redundant (single) I/O configurations can be used in systems with anon-redundant Central Part as well as in systems with redundant Central Parts.Fully non-redundant systems are typically used for safety applications whereredundancy is present in the process.In FSC systems with redundant Central Parts, both Central Parts alternately assumeresponsibility for the non-redundant I/O interfaces. This ensures that both CentralParts can always access the I/O interfaces correctly. FSC configurations withredundant Central Parts and non-redundant I/O interfaces are typically used for critical control applications with medium demands for system availability, e.g.

because of redundancy in plant equipment.

An FSC system configuration may also comprise redundant Central Parts with acombination of redundant and non-redundant I/O interfaces. Such configurations areextremely powerful, with process control functions that demand high reliability

being controlled through the redundant I/O interfaces and less demanding controlfunctions through the non-redundant I/O interfaces.

The FSC system (both redundant and single I/O configurations) has beenTÜV-approved for AK6 applications, and is suitable for use in SIL 3 safety loops.


8/30

FS75-510

Page 8 11/99



Multiple-Sensor and Transmitter Configurations

Unlike previous safety standards, the new IEC 61508 international standard does not

only focus on the safety system (called "logic solver", e.g. the FSC system), but alsodemands compliance of the field equipment to the Safety Integrity Level (SIL) of the control loop. This may not always be possible. The control loop, for example,may be rated SIL3 whereas a transmitter that measures one of the loop inputvariables is only suited for levels SIL1 and SIL2. In such cases, the required level of safety can be realized by using multiple sensors or transmitters.

The FSC system supports multiple input configurations for digital and analog inputsignals. The multiple-input function allows the use of two or three sensors or transmitters to measure the same process quantity. The resulting process value is fedto the control program on the basis of one of the available standard matchingalgorithms, e.g. 2-out-of-3 (2oo3). The FSC system monitors if discrepancies occur

between the values obtained from the independent sensors or transmitters, andreports any detected faults through its diagnostics. The diagnostic status is alsoavailable to the control program.

System Features

FSC System Configurations

The FSC system is available in several configurations to suit virtually every processcontrol requirement. Table 3 lists the FSC system configurations that are available,together with their main characteristics.

Table 3 — FSC System Configurations

Type Control Processor I/O Interface Typical Application

Single Non-redundant Non-redundantCritical process control withredundancy in field equipment

Redundant Non-redundantCritical process control withredundancy in field equipmentRedundant

Redundant Redundant Critical process control

Combined RedundantRedundant &Non-redundant

Burner/Boiler ManagementSystem with FSC-controlledalarm panel

Fire & Gas


9/30

FS75-510

11/99 Page 9



FSC 1oo2D concept

The redundant FSC configuration with both redundant Central Part and I/O

interfaces conforms to the 1oo2D system architecture as described in the IEC 61508standard (see Figure 3 below).

The 1oo2D concept combines a high level of availability with a high level of safetywhich is realized through the quad-voter output circuitry and systemself-diagnostics. The 1oo2D architecture consists of two parallel paths driving thefinal element. Each path is primarily controlled by one of the Central Parts,including an independent switch which is controlled by the Central Part's Watchdogmodule. Furthermore, each Central Part is able to switch off the output channels of the other Central Part through dedicated SMOD (Secondary Means Of De-energization) hardware circuitry which is located on the FSC fail-safe output

modules.

The actual output control is determined on the basis of the high-coverage systemself-diagnostics. Each detected failure leads to controlled isolation of the faulty partwhile ensuring optimum availability for continued plant operation.

WD

Input modules

M

I

MainProcessor

MainProcessor

WD

IC

IC

M

I

Sensor

xxyyy

ESD

Quad-voter

Final element

Output modules

SMOD

OCM

O

OCM

O

SMOD

Figure 3 — FSC 1oo2D concept

The FSC 1oo2D concept is in full conformance with the quantitative analysismethods as described in IEC 61508, and as such provides superior results whencompared to other system architectures. Studies have shown that the 1oo2D votingscheme can realize a higher safety level than 2oo3 voting, thus achieving asignificantly better safety performance.


10/30

FS75-510

Page 10 11/99



FSC Navigator

FSC Navigator is a powerful software package that runs on IBM-compatible PCs

with the Microsoft Windows 95 or 98 operating system. It provides a Windows- based user interface with the FSC system and supports the user in performing anumber of design and maintenance tasks (see Figure 4 below).

Figure 4 — FSC Navigator

FSC Navigator's design and implementation features include:

• intelligent user interface, presenting menu items only when applicable,

•

database import and export,• automatic control program documentation,

• FLD revision control,

• application verification, to ensure that the FSC configuration and control program are in accordance with user definition,

• verification of safety consistency of FSC application (optional feature inFSC R510 and higher), and

• easy loading of system software and control program into flash memory(requires FSC R510 or higher).


11/30

FS75-510

11/99 Page 11



FSC Navigator's maintenance support features include:

• live viewing of FLD execution,

• detailed monitoring of process signal behavior,

• collection of diagnostics of FSC systems, automatically or on user demand,

• diagnostic message storage, with user-definable browsing functions, and

• forcing of FSC input and output interfaces.

Control Implementation

The FSC system's safety-critical control functions (contained in the control program) are determined by the safety functions assigned to the system for thespecific application. The FSC user software supports the design of the control

program by the user.The control functions are defined via graphical Functional Logic Diagrams(IEC 61131-3: Continuous Function Charts). Figure 5 below shows an example of aFunctional Logic Diagram (FLD).

SerialCode

UnitCodeProject Sheet Cnt'd

Date

Date

By:

Rev Description Chk'd

Tel +31 73-6273273

Fax +31 73-6219125

P.O. Box 116

5201 AC

's-Hertogenbosch

Drawing number:Honeywell SMS BVHoneywell SMS BVHoneywell SMS BV

Honeywell NL33

HSMS Product Marketing

Branderijstraat 6

5223 AS 's-Hertogenbosch

SPEC & TECHO ABCDE

30-5-1997 FIRST ISSUE

30-5-1997 PM NL33

FUNCTIONAL LOGIC DIAGRAMS

UNIT 5300

103102DEMO_1

Customer :

Principal :

Plant :

Req/Ordernr :

t=30 S

0 tS

R

t=30 S

0 tS

R

53HS-101LAMPTEST"TEST"

311

MCP

53PT-920MAIN LINE PRESSURE

351

A

D

53PT-920.HMAIN LINE = 110 BARSignal type: W

COM

12A

40003

53TT-900MAIN LINE TEMP

352

A

D

53FT-700.HMAIN LINE = 75%Signal type: W

COM

12A

40001

53FT-700.LMAIN LINE = 30%Signal type: W

COM

12A

40002

53PT-920.LMAIN LINE = 75 BARSignal type: W

COM

12A

40004

MAIN LINE FLOWSignal type: F

101102 1

MAIN LINE PRESSURESignal type: F

102

103 1

MAIN LINE TEMPSignal type: F

102103 2

53PRA-920MAIN LINE PRESSURE

511

D

A

53PT-920.HHIGH ALARM"ALARM"

MCP

3115

53PT-920.LLOW ALARM"ALARM"

MCP

3116

53TR-900MAIN LINE TEMP

512

D

A

53FT-700.HHIGH ALARM"ALARM"

MCP

3111

53FT-700.LHIGH ALARM"ALARM"

MCP

3112

> 1 _ >

> 1 _ >

1

1

>> 1 _

1

>> 1 _

1

Figure 5 — Functional Logic Diagram (FLD)


12/30

FS75-510

Page 12 11/99



An FLD is split into four main areas:

• the information area (bottom) (on printouts only),• the input area (left),

• the control function area (center), and• the output area (right).

The FLD information area, at the bottom of the FLD, is included on printouts, and provides information to identify the Functional Logic Diagram, including revisiondata.

The FLD input area, on the left-hand side of the FLD, contains all the variablesthat serve as the input to the control function. Input variables may originate from thefield equipment or from other computer equipment (process computer, FSC).

Special input functions are provided for:• the diagnostic status of the FSC I/O interfaces,• the status of field loops, and• system alarm summary, e.g. temperature pre-alarm or device communication

failure.

Data can be exchanged between FLDs via sheet transfer functions. This allows astructured design of complex functions across multiple diagrams.

Table 4 below lists the input functions that are available in FSC functional logic

diagrams, together with their source.

Table 4 — FLD Input Functions

Input Type Source

Analog Input Field Equipment

Boolean Input Field Equipment, Process Computer, FSC,FSC Safety Manager

Numerical Input Field Equipment, Process Computer, FSC,FSC Safety Manager

Diagnostic Input Diagnostic status of FSC fail-safe I/O interfaces

Loop Status Input Field loop status of FSC I/O interfaces with loopmonitoring

System Alarm Input FSC Control Processor

Sheet Transfer Other FLDs

The FLD control function area, which is the central area of the FLD, contains theactual implementation of the control function. The function is realized byinterconnecting predefined symbols which provide a variety of functions includinglogical, numerical and time-related functions.


13/30

FS75-510

11/99 Page 13



Apart from these standard functions, user-definable blocks are supported:• Function Blocks — standard FLDs for repetitive use within the control program,

and

• Equation Blocks — for tabular definition of complex functions, e.g. non-linear equations.

Table 5 lists the control functions that are available in FSC functional logicdiagrams.

Table 5 — FLD Control Functions

Data type conversion functions INT → SINT

DINT → INT, SINT

REAL → DINT, INT, SINT

Boolean functions Boolean Constant, AND, OR, XOR, NOT,NAND, NOR, XNOR, flip-flop set and resetdominant

Arithmetical functions Numerical Constant, AND filter, ADD, SUB, MUL, DIV, SQR, SQRT

Comparison functions EQ, NEQ, GT, GTE, LT, LTE

Regulatory control functions PID

Timer functions (with constantor variable time value)

Pulse, Pulse-retriggerable, Delayed-ON,Delayed-OFF, Delayed-ON memorize

Count & storage functions Counter, Register

User-definable blocks Equation BlockFunction Block

The supported data types are: boolean, integer (-232...232-1), real (-1038...1038) andBCD (0...108-1, for interface functions).

The FLD output area, on the right-hand side of the FLD, contains the results of thecontrol function. These variables may be used to drive the field equipment or may

be transferred to other computer equipment, e.g. a process computer or another FSCsystem.

Table 6 lists the output functions that are available in FSC functional logic

diagrams, together with their destination.

Table 6 — FLD Output Functions

Output Type Destination

Analog Output Field Equipment

Boolean Output Field Equipment, Process Computer, FSC,FSC Safety Manager

Numerical Output Field Equipment, Process Computer, FSC,FSC Safety Manager

Sheet Transfer Other FLDs


14/30

FS75-510

Page 14 11/99



FSC Diagnostics

FSC's continuous self-tests enable the system to collect valuable information on the

diagnostic status of its own hardware and the field equipment. The system uses thisinformation to ensure uninterrupted functional safety of the plant. In addition, thesystem provides the diagnostic information to the user, via the diagnostic displays of FSC Navigator. Through its diagnostics, the FSC system supports maintenanceengineers in allocating and resolving failures effectively, thus reducing the MeanTime To Repair (MTTR) and minimizing the risk of a plant trip.

If the FSC system is integrated into the TPS system, the FSC diagnostics are alsoavailable at the TPS operator stations (US, UXS, GUS).

Flash-Memory Operation

FSC Releases 510 and higher support the use of flash memory to store allsystem-related software. This feature combines the flexibility of RAM with the dataintegrity of EPROM. It allows direct downloading of the system firmware, systemsoftware, application software and system configuration from the FSC user stationto the FSC system. This eliminates the need of making new EPROMs andexchanging them with EPROMs on modules in the running cabinet, which is alaborious procedure. This functionality is in full accordance with TÜV approvals,and is protected against unauthorized use by a password and key-lock protectionmechanism.

Another advantage of flash-memory operation is that it reduces the time to do anon-line modification (OLM). After the first full download, only the changes will beloaded after a modification. This should not be confused with the 'downloadchanges' option that other vendors are offering. The FSC system allows you todownload unlimited changes, even in a running installation while continuing plantoperation in a safe manner.

Flash-memory operation requires special hardware modules that support thisfeature. Existing systems can be upgraded to support flash-memory operation. Thiscan be done on-line for FSC Releases 400 and higher.

Application Verification

FSC Navigator has a powerful feature that allows the user to compare the control program in the FSC system with the application databases on the FSC user station.This feature can be used in two ways: as a project verification tool, or as a revisioncontrol tool.

If used as a project verification tool, the verification option will confirm that notranslation or transfer faults have occurred to the control program. FSC Navigator


15/30

FS75-510

11/99 Page 15



will then compare the translated control program as it is present in the FSC systemwith the FSC databases and functional logic diagrams (FLDs) that are stored on theFSC user station. This allows the user to verify that the defined control program has

been loaded correctly. This verification process is part of the safety lifecycle as laiddown in IEC 61508 and ISA S84.

As a revision control tool, the verification option is used to compare differentversions of the control programs in the FSC system and the FSC user station(management of change). This option is typically used to list all the differences(modifications) between the 'old' version, which is stored in the FSC system, and the'new' version, which is stored on the FSC user station. This method can be used tocheck if all modifications have been implemented correctly.

All differences found between the control program in the FSC system and on theFSC user station are recorded in a verification log file, which can be viewed onscreen, printed or saved to disk for further analysis.

Power System

Reliability of process data depends on the reliability of al l related hardware of the process loop, i.e. sensing device, I/O wiring, I/O channel hardware and the required power supply voltages. Where possible, the FSC system provides the supply power to the electronics of the entire loop, including the field instrumentation. The result isa fully integrated solution for reliable (safety) data gathering and related

safeguarding actions, with the following advanced features:• electronically short-circuit proof,• loop-monitoring for short-circuiting and lead breakage, and• checking of the operational band of analog transmitters.

Where other systems require linkage of several externally mounted parts to establishthe entire data collection chain, the FSC solution offers the fully integrated andtested loop approach as demanded by IEC 61508.

Write Protection

To maintain safe and reliable operation of the FSC system, the system does notallow direct write access to its hardwired I/O via communication links. Writerequests, which are received via the serial communication links or the FSC SafetyManager Module, are passed on to the FSC control program via dedicated booleanand numerical inputs. The inputs appear in the input area of the Functional LogicDiagrams, where the conditions for write access have been defined.


16/30

FS75-510

Page 16 11/99



Physical Characteristics

The hardware modules of the FSC system can be split into three basic groups:

• Central Part modules,• I/O modules, and

• Field Termination Assembly (FTA) modules.

The Central Part modules are constructed on a European standard size instrumentcard. The height of the front panel of the modules is 3 HE (3U), their width is 4 TE(4 HP). (COM, DBM and PSU modules are 8 TE wide.) The Central Part modulesare placed in standard 19" racks which are generally located in the top section of thecabinet.The Central Part interfaces with the I/O system through a Vertical Bus (V-bus),

which is a flatcable that runs vertically in the FSC cabinet. The V-bus is controlled by the Vertical Bus Driver (VBD) module, which is located in the Central Partrack.

RESET

ENABLE

CPU

COM

WD

VBD

VBD

PSD

PSU

CPU

COM

WD

VBD

VBD

PSD

PSUDBM

DBM

................

................

................

................

................

................

.... ....

................

................

................

................

................

................

................

................

Central Part 1

Central Part 2

Redundant I/O

Non-redundant I/O

Non-redundant

V-bus

RedundantV-bus

HB

D

HB

D

HBD

....SMM

....SMM

Figure 6 — Front View of Typical FSC System with Redundant Central Parts

and both Redundant and Non-Redundant I/O

Each of the I/O racks contains a Horizontal Bus Driver (HBD) module, whichconnects to the V-bus. The HBD module drives the Horizontal Bus (H-bus), whichrelays the signals from the V-bus to the I/O modules via a flatcable. The H-busmodule is located on top of each I/O rack. The horizontal bus and the flatcables are


17/30

FS75-510

11/99 Page 17



covered with a sheet steel cover which provides optimum EMC/RFI immunity. Thecover plate contains a paper strip which holds the relevant process tagging for signalidentification.

The I/O modules are constructed on a European standard-size instrument card. Theheight of the front panel of the modules is 3 HE (3U), their width is 4 TE (4 HP). Atotal of 18 I/O modules can be placed per I/O rack. All I/O modules are equippedwith standard 32-pin DIN 41612F connectors. All I/O racks are provided with anI/O backplane which contains matching 32-pin connectors with key-coding to

prevent misinsertion of the I/O modules.

The I/O backplane consists of a multilayer PCB, with one layer being an earth plane to improve EMC/RFI immunity. The front side of the I/O backplane containsthe Eurocard connectors to install the I/O modules and the HBD module(s). At the

back, the I/O backplane provides female connectors for the system interconnectioncables (SICs), which also connect to the FTA modules. The back side also provides

programming connectors which allow the I/O interfaces to be tailored to the specificsignal characteristics of the field equipment, e.g. Analog Input, 2-10 Vdc.

Field Termination Assemblies (FTAs) are used to connect the field wiring to theFSC input and output interfaces. FTA modules are 70 mm (2.76 in) wide, and their length varies between 110 mm and 200 mm (4.33 and 7.87 in), depending on theFTA type. The modules are mounted on standard DIN EN rails (TS32 or TS35 x7.5).

An FTA may contain electronic circuitry to convert standard FSC signals to specificsignals with characteristics required by field equipment. Two types of FTAs areavailable, which allows the field cables to be connected in two different ways: viaElco connectors or via terminals (see Figure 7).

Elco-type FTA Terminal-type FTA

2

4

6

8

1 0

1 2

1 4

1 6

1 8

2 0

2 2

2 4

2 6

2 8

3 0

3 2

3 4

3 6

3 8

4 0

4 2

4 4

4 6

4 8

5 0

1

3

5

7

9

1 1

1

3

1 5

1 7

1 9

2 1

2 3

2 5

2 7

2 9

3 1

3 3

3 5

3 7

3 9

4 1

4 3

4 5

4 7

4 9

Figure 7 — Example of Elco and terminal FTA types


18/30

FS75-510

Page 18 11/99



Options

TPS Integration

The FSC system may be integrated into the Honeywell TotalPlant Solution (TPS)system. The integration is realized through the FSC Safety Manager Module(FSC-SMM) interface card, which is placed in the Central Part of the FSC system.The FSC-SMM provides a bridge between the FSC control processors and the TPSsystem to exchange information, which integrates FSC's critical control programinto the advanced control strategies of the TPS system.

The FSC-SMM supports the following TPS point types: DI, DO, Digital Composite(DC), AI, AO, Logic, Flag, Numeric and Timer. As a member of the UniversalControl Network (UCN) it shares important features with its UCN peers, including:• direct peer-to-peer communication with other UCN nodes, e.g. PM, APM, HPM

and FSC-SM,• communication with operators, engineers and maintenance personnel at the TPS

operator stations,• support of higher-level control strategies through communication with

Application Modules and host computers on the Local Control Network,• FSC-SMM database restoration from the History Module, and• Digital Input sequence of event.

For detailed information on the FSC Safety Manager refer to the FSC-SM

Specification and Technical Data (FS03-500).

PlantScape Integration

FSC Release 520 introduces the integration of FSC into PlantScape, whichcombines Honeywell's field-proven safety controller with its equally reliable hybridcontrol system. The integration is realized through the FSC-PlantScape Ethernetinterface module, which is placed in the Central Part of the FSC system. Thisdedicated interface module makes FSC an integrated part of the PlantScape systemarchitecture, which means that FSC-related information can easily be exchanged

between FSC and PlantScape. This allows information to be shared and madeavailable on the PlantScape server displays.

FSC R520 integrates the sequence-of-event (SOE) features as supported by the FSCcontroller into the PlantScape system. FSC supports SOE for digital inputs andoutputs, analog inputs and outputs, and marker points. Each tag name that has been"SOE-enabled" is time-stamped by the FSC controller and reported to thePlantScape server, where it is incorporated into the standard PlantScape SOE table.Standard SOE displays are available to view the events as they are reported.FSC integration into PlantScape requires PlantScape release 300 or higher.


19/30

FS75-510

11/99 Page 19



Sequence-Of-Event Recording

The FSC system contains an integrated sequence-of-event recording (SER) function,

which allows the system to detect and record events that indicate or may causedeviations from normal process operation. Examples of such events are:

• change of state of a valve limit switch,

• steam pressure becoming too high,

• maintenance override effected by a maintenance engineer,

• faults in the field (e.g. open transmitter loop), and

• faults in FSC input/output interfaces.

Once per program scan, the FSC system inspects all defined process quantities, bothdigital and analog, for a change of state, in line with the execution of the control

program. An event is logged for any changed process quantity, in an event buffer that resides within the system. Events that result from operator interaction or fromdetected faults are logged as soon as they are handled by the system. The integratedlist of the detected exceptions thus provides excellent information for post-mortemanalysis of abnormal process behavior, in line with the 'traceability requirements' of IEC 61508.

The logged events are reported to event management systems through the FSCsystem's communication interfaces. Events may be reported to:

• a line printer or matrix printer for direct reporting on paper, or

• a process computer for incorporation of the events into an overall event journal,or

• a personal computer running Honeywell's dedicated FSCSOE event managementsoftware package, which allows users to view and analyze (anomalous) processevents.

Until events have been successfully reported, the FSC system maintains the loggedevents in its internal event buffer, which may contain at least 448 events. If thenumber of detected events exceeds the buffer capacity, all subsequent events areignored. This will ensure that the start of a plant upset is preserved for post-mortem

analysis. If the FSC event buffer overflows as a result of communication failureswith the event management system, the FSC system will start overwriting eventsolder than four hours.

Advanced features of the FSC sequence-of-event recording function include:

• centralized event reporting in distributed safety networks, and

• event reporting to redundant event management systems.


20/30

FS75-510

Page 20 11/99



FSCSOE

FSCSOE is a Windows-based application that records and logs process events

detected by Event Detecting Devices (EDDs). Events can be viewed on-line, while being retrieved from the connected FSC system(s), or post-mortem from disk. Thisallows easy analysis of anomalous process events.

Events are displayed on screen in user-defined formats, and they can also be printedat any printing device supported by Microsoft Windows. FSCSOE retrieves theevents from the FSC system(s) via serial communication links. A maximum of four independent links are supported simultaneously.

FSCSOE allows on-line modification of the network/variable configuration whileevent recording continues. It can also send event data to, or receive data from,various Distributed Control Systems (DCSs).

Alarm Functions

The FSC system contains a number of integrated standard alarm functions, whichcomply with the ISA S18.1 standard for annunciator sequences:

• first-up (TFS) with single or dual flash frequency,

• basic flashing (AF),

• manual lamp reset (AM),

• flasher reset (FR),• flasher / lamp reset (FRM),

• ringback (AR),

• double audible ringback (ARR).

The first-up alarm function may be split into two parts: an alarm-detecting part andan alarm-display part. The two parts may be implemented in different FSC systemswhich are interconnected in a distributed safety network. This allows the integrationof alarms that are detected by independent FSC systems to be combined in the samefirst-up alarm group.

The alarm-detecting part or the alarm-display part may also be located in a processcomputer. The two parts are then connected through data exchange via thecommunication link between the FSC system and the process computer.

On-Line Modification

On-line modification (OLM) is a TÜV-approved FSC system option that issupported by FSC configurations with redundant Central Parts. It enablesmodification of the application software, system software and FSC hardwareconfiguration, while maintaining the system's critical control function for theoperational plant. This means that the system can be upgraded without the need of a


21/30

FS75-510

11/99 Page 21



plant shutdown. During on-line modification, the changes are carried out in oneCentral Part at a time. Meanwhile, the other Central Part continues to monitor the

process. The system will always perform a compatibility check across the control

program in order to guarantee a safe changeover from the old control function to thenew one. It will also report the numbers of the functional logic diagrams (FLDs) thathave been changed, which complies with the 'verification requirements' of theIEC 61508 standard.

Safety Checker

FSC Release 510 introduces the optional Safety Checker tool, which helps engineersverify the safety consistency of an FSC application. If the Safety Checker detectsany inconsistencies in the application that affect its safety integrity, it will reportthem on screen and store them in a log file. This allows engineers to correct safety-related design errors at an early stage, and verify that the safety application suits its

projected purpose. The Safety Checker supports the verification process that is partof the safety lifecycle as laid down in IEC 61508 and ISA S84.01.

An FSC application can be considered safe if all its outputs are safety-related andthe logic path leading to the outputs is safety-related as well. An inconsistentconfiguration can lead to hazardous situations. The Safety Checker will alert the

programmer to these inconsistencies. If, for example, an analog input for a pressuretrip has been configured as safety-related, but the output that drives the shutdownvalve has not been configured safety-related, an inconsistency is detected in the loop

and the programmer is alerted.

An additional function of the Safety Checker highlights any off-sheet references to adestination FLD with a lower number than the source FLD, which might be designerrors.

I/O Signal Forcing

For maintenance reasons, it may be desirable to force an input or an output signal toa certain fixed state, e.g. when exchanging a defective input sensor. This allows thesensor to be exchanged without affecting the continuation of the production. Duringthe exchange, the applicable input is forced to its normal operational state. While

being desirable in some situations, forcing a signal to a specific, fixed value mayalso create a potentially hazardous condition.

The FSC system provides a force function which supports maintenance personnel inapplying forces consciously. It only allows forcing of signals that were specificallyselected during the system design. During operation, the system is protected againstunauthorized forces via a key switch. Forcing of FSC signals is only possible via theFSC Navigator software using a password-protected software function. All forcingactions are included in the FSC event reports for traceability purposes.


22/30

FS75-510

Page 22 11/99



Serial Communication with Process Computer Systems

The FSC system supports the exchange of control program data with process

computers via serial communication links, using the non-proprietary Modbus RTUand RKE3964R communication protocols. The following information can beexchanged:

• analog process data as scanned by FSC through its input interfaces,• trip settings,• trip status, and• FSC alarm status.

Data written to the FSC system is available in the FSC control program via digitaland numerical input variables, which allow the user to define the conditions of use

in the control strategy.

If the Modbus protocol is used, a number of additional information exchangefunctions are supported:

• downloading of events (SER) detected by the FSC system,• downloading of the value of FSC's real-time clock, and• uploading a real-time clock value to the FSC system.

FSC Networking

The FSC system supports Distributed Safety Solutions (DSS) through its extensivenetworking capabilities. FSC networks provide the means to decentralize processsafeguarding with central process monitoring and control capabilities.In a DSS network, multiple FSC systems are interconnected via dedicated serialcommunication links. Both point-to-point and multidrop networks are supported.For optimum availability of the communication, the redundant FSC systemconfigurations require the use of redundant communication links as well.

The communication is based on the Honeywell proprietary, TÜV-approved FSCcommunication protocol. This protocol includes a high level of error detection andrecovery, which makes it suitable for exchanging safety-related information while

maintaining optimum availability. The network is also used to route sequence-of-event (SOE) data and diagnostic data to central operator stations and maintenanceworkstations.

Communication within FSC networks is based on the master-slave concept. In thisconcept, the master system is responsible for all communication activities. Itinitiates requests for data from the slave systems, and sends data to the slaves.FSC networks also support one level of communication server systems. These areFSC systems that are interconnected between the communicating master and slavesystem(s). Their task is to route the data that is exchanged between master andslave(s).


23/30

FS75-510

11/99 Page 23



The DSS concept supports safety solutions in line with the plant design, with everyindependent process unit being safeguarded by a separate FSC system. Thisminimizes the risk of nuisance plant trips during unit maintenance.

Simulation

The FSC simulation option allows any FSC application to be loaded into thestandard FSC training units. In simulation mode, the FSC Control Processor executes the control program using the serial interface with the FSC user station asits field interface. The actual defined Central Part hardware is ignored and "mapped"to the hardware of the simulation/training units.Input values are applied by the user via the FSC Navigator software, using the inputsignal force feature. The output values can be monitored through various displays atthe FSC user station.

In combination with the standard "live" FLD viewing feature of FSC Navigator, thesimulation option provides an excellent means for design engineers to validate theFSC control program prior to initial installation and to verify modifications beforean on-line upgrade. The interfaces with TPS (FSC-SMM) and PlantScape are alsosupported in simulation mode, which allows an integrated validation of the entiresafety application.


24/30

FS75-510

Page 24 11/99



Specifications

The following specifications apply to the FSC modules mounted in a standard FSC

cabinet:

FSC Environmental Conditions

Operating Temperature: 0°C to 60°C (32°F to 140°F), ambient (1)

Storage Temperature: –25°C to +80°C (–13°F to +176°F)

Relative Humidity: 5% to 95%, non-condensing

Vibration, Sinusoidal: IEC 60068-2-6; 1 G at 57 Hz to 150 Hz;10 Hz to 57 Hz: 0.075mm

Shock: IEC 60068-2-27; 15 G for 11 ms, 3 axes

Electrostatic Discharge: IEC 61000-4-2, Level 4 (15 kV)

Conducted Susceptibility: IEC 61000-4-4, Level 3, Fast Transient/BurstIEC 61000-4-5, Level 3, Surge WithstandIEC 61000-4-6, Level 3, Conducted Field

Rated Susceptibility: IEC 61000-4-3, Level 3

Conducted Emissions: Measured per CISPR 11 & CISPR 22

Rated Emissions: Measured per CISPR 11 & CISPR 22

(1) "Ambient" refers to the air temperature measured in the FSC system cabinet.

FSC Certifications and Compliance with International Standards and Safety Codes

TÜV Bayern (Germany) – Certified to fulfill the requirements of "Class 6" (AK6) safetyequipment as defined in the following documents:DIN V VDE 19250, DIN V VDE 0801 incl. amendment A1, DIN VDE 0110, DIN VDE 0116,DIN VDE 0160 incl. amendment A1, DIN EN 54-2, DIN VDE 0883-1, DIN IEC 68,IEC 61131-2

Canadian Standards Association (CSA) – Compliant with the requirements of the followingstandards:CSA Standard C22.2 No. 0-M982 General Requirements – Canadian Electrical Code,Part II;CSA Standard C22.2 No. 142-M1987 for Process Control Equipment.

Underwriters Laboratories (UL) – Certified to fulfill the requirements of:

UL 508, UL 991, UL 1998 and ISA S84.01.

Factory Mutual (FM) – Certified to fulfill the requirements of FM 3611 (selected modules).

FSC Functional Logic Diagrams for Control Program design are compliant withIEC 61131-3.

The design and development of the FSC system are compliant with IEC 61508:1999,Parts 1-7 (as certified by TÜV).

CE compliance:Complies with CE directives 89/336/EEC (EMC) and 73/23/EEC (Low Voltage).


25/30

FS75-510

11/99 Page 25



FSC Mechanical Specifications

FSC cabinet dimensions(Rittal, model PS 4808):

2000 x 800 x 800 mm (H x W x D)78¾ x 31½ x 31½ in (H x W x D)

Rack size (incl. horizontal bus): height: 4 HE (4U), width: 84 TE (84 HP)

Module sizes:

− typical height and width height: 3 HE (4U), width: 4 TE (4 HP)

− COM, DBM and PSU modules height: 3 HE (3U), width: 8 TE (8 HP)

− Eurocard dimensions 100 x 160 mm (3.94 x 6.30 in)

FSC Electrical Specifications

Supply voltages: 24 Vdc: +30% / –15%48 Vdc: +15% / –15%

60 Vdc: +15% / –15%

110 Vdc: +25% / –15%

220 Vdc: +10% / –15%


26/30

FS75-510

Page 26 11/99



References

For further reading please refer to the following documents:

Publication TitleReference

FSC Safety Manual R510 FS90-510

FSC Software Manual R510 FS80-510

FSC Hardware Manual FS02-500

FSC User Documentation Update for FSC R511 (1) FS80-511

FSC User Documentation Update for FSC R520 (1) FS80-520

FSC Safety Manager (FSC-SM) Documentation Set TPS 3076

FSC Safety Manager (FSC-SM) Specification and Technical Data FS03-500FSC Specification and Technical Data for FSC Release 51x/52x FS75-510(1)

Included on FSC Navigator distribution CD-ROM.

The FSC user documentation is also available on CD-ROM:

CD-ROM TitleHSMS

Part Number

FSC Hardware Manual Rev. 03 (06/99) 3400916

FSC User Documentation R510 (06/99) (1) 3400917(1)

Includes FSC Software Manual R510, FSC Safety Manual R510, FSC Hardware Manual Rev. 03 (06/99) andFSC Safety Manager documentation set (binder TPS 3076).The FSC Navigator software distribution CD-ROM includes user documentation updates.


27/30

FS75-510

11/99 Page 27



Model Numbers

Power Supply Modules

Description Model Number

24 Vdc Power Supply Unit, 45 A, input: 100-264 Vac, 230-340 Vdc 1200 S 24 P067

24 Vdc Power Supply Unit, 12 A, input: 110-240 Vac M24-12HE




24 Vdc to 5 Vdc DC/DC converter, 12 A 10300/1/1

Central Part Modules


Vertical Bus Driver module (VBD) for control of I/O interfaces inthe I/O racks

10001/R/1

Central Processing Unit (CPU) 10002/1/2

Central Processing Unit (CPU) with flash memory 1) 10012/1/2

Communication module (COM) 10004/·/·

Communication module (COM) with flash memory 1) 10014/·/·

Watchdog module (WD) 10005/1/1

Diagnostic and Battery Module (DBM) 10006/2/1

Diagnostic and Battery Module with DCF-77 atomic clock receiver 10006/2/2

Single Bus Driver module (SBD) for control of I/O in the Central Part rack 10007/1/1

FSC Safety Manager Module (FSC-SMM) 10008/2/U

FSC Safety Manager Module (FSC-SMM) with flash memory 1) 10018/2/U

FSC to PlantScape communication interface module 2) 10018/E/E,10018/E/1

1) Requires FSC Release 510 or higher.2) Requires FSC Release 520 or higher.

Analog Input Modules


Fail-safe analog input module (4 channels) 10102/2/1

Fail-safe high-density analog input module (24 Vdc, 16 channels) 10105/2/1

Analog Input Field Termination Assemblies (FTAs)


Fail-safe input FTA (24/48/60 Vdc, 24 channels) FTA-T-02

Fail-safe 0(4)-20 mA analog input FTA (16 channels) FTA-T-14


28/30

FS75-510

Page 28 11/99



Analog Output Modules

Description Model Number Fail-safe analog output module (0(4)-20 mA, 2 channels) 10205/2/1

Analog Output Field Termination Assemblies (FTAs)


Fail-safe output FTA (24/48/60 Vdc, 24 channels) FTA-T-02

Digital Input Modules


Fail-safe digital input module (24 Vdc, 16 channels) 10101/2/1



Intrinsically safe input module (4 channels) 10103/1/1

Digital input module (24 Vdc, 16 channels) 10104/2/1

Fail-safe line-monitored digital input module with earth fault monitor (16 ch.) 10106/2/1

Digital Input Field Termination Assemblies (FTAs)


Fail-safe input FTA (24/48/60 Vdc, 24 channels) FTA-T-02

Fail-safe passive digital input FTA (115 Vac/dc, 8 channels) FTA-T-09Isolated passive digital input FTA (8 channels) FTA-T-12

Fail-safe active digital input FTA with line-monitoring (16 channels) FTA-T-16

Fail-safe digital input FTA (24/48/60 Vdc, NAMUR, 16 channels) FTA-T-21

Current-limited digital input FTA (24 Vdc, 16 channels) FTA-T-23

Digital Output Modules


Fail-safe digital output module (24 Vdc, 550 mA, 8 channels) 10201/2/1

Digital output module (24 Vdc, 550 mA, 12 channels) 10206/2/1Relay output module (contacts, 10 channels) 10208/2/1

Digital output module (24 Vdc, 100 mA, 16 channels) 10209/2/1





Fail-safe digital output module (24 Vdc, 2 A, 4 channels) 10215/2/1

Fail-safe loop-monitored digital output module (24 Vdc, 1 A, 4 ch.) 10216/2/1

Fail-safe loop-monitored digital output module (48 Vdc, 0.5 A, 4 ch.) 10216/2/3


29/30

FS75-510

11/99 Page 29



Digital Output Field Termination Assemblies (FTAs)


Fail-safe output FTA (24/48/60 Vdc, 24 channels) FTA-T-02

Digital output FTA (24 Vdc, 24 channels) FTA-T-03

Digital output (relay contact) FTA (25 channels) FTA-T-04

Fail-safe digital output FTA (24 Vdc, 12 channels) FTA-T-05

Fail-safe digital output (relay contact) FTA (250 Vac / 150 Vdc, 4 ch.) FTA-T-08

Fail-safe digital output FTA (110 Vdc, 8 channels) FTA-T-11

Digital output (relay) FTA for AK5/6 applications (250 Vac / 250 Vdc,4 channels) FTA-T-17

Digital output (relay contact) FTA (8 channels, NO/NC) FTA-T-20


30/30

FS75-510

Page 30 11/99

Copyright, Trademarks, and Notices

© 1999 — Honeywell Safety Management Systems B.V., The Netherlands.

While this information is presented in good faith and believed to be accurate, Honeywelldisclaims the implied warranties of merchantability and fitness for a particular purpose andmakes no express warranties except as may be stated in its written agreement with and for itscustomer.

In no event is Honeywell liable to anyone for any indirect, special or consequential damages.The information and specifications in this document are subject to change without notice.

Honeywell, TotalPlant, and TDC 3000 are U.S. registered trademarks of Honeywell Inc.FSC is a trademark of Honeywell Safety Management Systems B.V.

Other brand or product names are trademarks of their respective owners.

Documents

Honeywell FSC