safety manager troubleshooting and maintenance guide infi90 documentation... · 2018-10-24 · vii...

Safety Manager Troubleshooting and Maintenance Guide EP-SM.MAN.6282 Issue 1.0 October 2014 Release 152



Safety ManagerTroubleshooting and Maintenance Guide

EP-SM.MAN.6282Issue 1.0

October 2014

Release 152


Notice

This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell Safety Management Systems.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.

Specific products described in this document are covered by U.S. Patent Nos. D514075, D518003, D508469, D516047, D519470, D518450, D518452, D519087 and any foreign patent equivalents.

Copyright 2014 – Honeywell Safety Management Systems, a division of Honeywell Aerospace B.V.

Honeywell trademarks

Experion PKS®, PlantScape®, SafeBrowse®, TotalPlant® and TDC 3000® are U.S. registered trademarks of Honeywell International Inc.

Other trademarks

Microsoft and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.

Document Release Issue Date

EP-SM.MAN.6282 152 1.0 October 2014


Support and other contacts

United States and Canada

Contact: Honeywell Solution Support Center

Phone: 1-800-822-7673. In Arizona: (602) 313-5558. Calls are answered by a dispatcher between 6:00 am and 4:00 pm Mountain Standard Time. Emergency calls outside normal working hours are received by an answering service and returned within one hour.

Facsimile: (602) 313-3293

Mail: Honeywell IS TAC, MS P13, 2500 West Union Hills Drive, Phoenix, AZ 85027

Europe

Contact: Honeywell PACE TAC

Phone: +32-2-728-2657

Facsimile: +32-2-728-2278

Mail: Honeywell TAC BE02, Hermes Plaza, Hermeslaan 1H, B-1831 Diegem, Belgium

Pacific

Contact: Honeywell Global TAC - Pacific

Phone: 1300-36-4822 (toll free within Australia); +61-2-9362-9559 (outside Australia)

Facsimile: +61-2-9362-9564

Mail: Honeywell Limited Australia, 5 Kitchener Way, Burswood 6100, Western Australia

Email: [email protected]


India

Contact: Honeywell Global TAC - India

Phone: +91 20 6603 2718 / 19 and 1800 233 5051

Facsimile: +91-20-66039800

Mail: Honeywell Automation India Ltd., 56 and 57, Hadapsar Industrial Estate, Hadapsar, Pune 411 013, India

Email: [email protected]

Korea

Contact: Honeywell Global TAC - Korea

Phone: +82-2-799-6317; +82-11-9227-6324

Facsimile: +82-2-792-9015

Mail: Honeywell Co., Ltd, 17F, Kikje Center B/D, 191, Hangangro-2Ga, Yongsan-gu, Seoul, 140-702, Korea

Email: [email protected]

People’s Republic of China

Contact: Honeywell Global TAC - China

Phone: +86-21-52574568

Mail: Honeywell (China) Co., Ltd, 33/F, Tower A, City Center, 100 Zunyi Rd., Shanghai 200051, People’s Republic of China

Email: [email protected]


Singapore

Contact: Honeywell Global TAC - South East Asia

Phone: +65-6580-3500

Facsimile: +65-6580-3501 / +65-6445-3033

Mail: Honeywell Private Limited, Honeywell Building, 17 Changi Business Park Central 1, Singapore 486073

Email: [email protected]

Taiwan

Contact: Honeywell Global TAC - Taiwan

Phone: +886-7-536 2567

Facsimile: +886-7-536 2039

Mail: Honeywell Taiwan Ltd., 17F-1, No. 260, Jhongshan 2nd Road, Cianjhen District, Kaohsiung, Taiwan, ROC

Email: [email protected]

Japan

Contact: Honeywell Global TAC - Japan

Phone: +81-3-6730-7276

Facsimile: +81-3-6730-7228

Mail: Honeywell Japan K.K., New Pier Takeshiba, South Tower Building, 20th Floor, 1-16-1 Kaigan, Minato-ku, Tokyo 105-0022, Japan

Email: [email protected]

Elsewhere

Call your nearest Honeywell office.

World Wide Web

Honeywell Solution Support Online: http://www.honeywell.com/ps


Training classes

Honeywell holds technical training classes on Safety Manager. These classes are taught by experts in the field of process control systems. For more information about these classes, contact your Honeywell representative, or see http://www.automationcollege.com.

Related Documentation

The following guides are available for Safety Manager.

The guide in front of you is the Troubleshooting and Maintenance Guide.

Guide / Description

The Overview Guide
This guide describes the general knowledge required, the basic functions of, and the tasks related to Safety Manager.

The Safety Manual
This guide describes the specifications, design guidelines, and safety aspects related to Safety Manager.

The Planning and Design Guide
This guide describes the tasks related to planning and designing a Safety Manager project.

The Installation and Upgrade Guide
This guide describes the tasks related to installing, replacing and upgrading hardware and software as part of a Safety Manager project.

The Troubleshooting and Maintenance Guide
This guide describes the tasks related to troubleshooting and maintaining Safety Manager.

The System Administration Guide
This guide describes the tasks related to administering the computer systems used in a Safety Manager project.

The Hardware Reference
This guide specifies the hardware components that build a Safety Manager project.

The Withdrawn Hardware Reference
This guide specifies all withdrawn hardware components and identifies alternatives for maintaining Safety Manager projects containing withdrawn hardware.

The Software Reference
This guide specifies the software functions that build a Safety Manager project and contains guidelines on how to operate them.

The On-line Modification Guide
This guide describes the theory, steps and tasks related to upgrading Safety Builder and embedded software and modifying an application online in a redundant Safety Manager.


Task-oriented guides

A task-oriented guide provides both procedural and basic knowledge. A task can inform the reader on how to perform the task in terms of steps to follow. Additionally a task can describe what important considerations to make or what options to choose from when performing a task.

A task-oriented guide lists the required skills and knowledge that people must master to qualify for the described tasks.

It is common for task-oriented guides to refer to reference guides for details.

Reference guides

A reference guide provides detailed information or solutions regarding its scope. A reference guide is a Safety Manager related guide and provides background information to support tasks as described in task-oriented guides.

A reference guide does not describe tasks in terms of how to perform the task in terms of steps to follow.

Available electronic format

All guides are available as Adobe PDF guides that can be viewed with Acrobat Reader or a compatible reader. These PDF guides are provided on the Safety Manager CD-ROM, in a separate PDF Collection folder.

Conventions

Symbols

The following symbols are used in Safety Manager documentation:

Attention

This symbol is used for information that emphasizes or supplements important points of the main text.

Tip

This symbol is used for useful, but not essential, suggestions.

Note

This symbol is used to emphasize or supplement important points of the main text.


Caution

This symbol warns of potential damage, such as corruption of the database.

Warning

This symbol warns of potentially hazardous situations, which, if not avoided, could result in serious injury or death.

ESD

This symbol warns of the danger of electrostatic discharge, to which equipment may be sensitive.


Fonts

The following fonts are used in Safety Manager documentation:

Emphasis

• “... inform the reader on how to perform the task in terms of...”

• “...see the Overview Guide”

Emphasised text is used to:

• emphasise important words in the text,

• identify document titles.

Label

“The Advanced tab of the Properties dialog has..”

This font is used to identify labels and titles of (popup) dialogs. Labels are used for Dialog box labels, menu items, names of properties, and so on.

Steps

Take the following steps:

1. Create a plant and set its properties.

2. ....

This font is used to identify steps. Steps indicate the course of action that must be adhered to, to achieve a certain goal.

User Variable

“..create the My Projects folder and store the readme.txt file here... press the Tab key.. Next press Enter to..”

This font is used to:

1. identify a user variable, a filename, an object or view.

2. highlight the keys the user should press on the keyboard.

A user variable is a variable, an object or a view that the reader can call up to view or to manipulate.

Value

“Low is the fault reaction state for digital inputs and digital outputs.”

This font is used to indicate a value. Value is a variable that the reader must resolve by choosing a pre-defined state.

Variable

“The syntax is: filename [-s] [-p]”

This font is used to identify a variable. Variables are used in syntax and code examples.

URL

http://www.honeywellsms.com

This font is used to identify a URL, directing a reader to a website that can be referred to.


Contents

1 The Troubleshooting and Maintenance Guide ... 1
  Content of Troubleshooting and Maintenance Guide ... 2
  Prerequisites for Troubleshooting and Maintenance Guide ... 4
    Generic skills ... 4
    Technical skills and knowledge ... 4
    Safety Manager training ... 4
  Basic skills and knowledge ... 5
    Prerequisite skills ... 5
    Training ... 5
  Safety standards for Process & Equipment Under Control (PUC, EUC) ... 6
    Safety Integrity Level (SIL) ... 6
    Safety layers of protection ... 7
    Equipment Under Control (EUC) ... 7
    Process Under Control (PUC) ... 8

2 Competencies and precautions ... 9
  Competencies of people ... 10
    Training ... 10
    Obtaining information on training ... 10
  Precautions when working on Safety Manager ... 11
    EMC warning ... 11
    Electrostatic discharge (ESD) ... 11
    Keep the doors closed ... 12
    Key switches ... 12
  Accessibility ... 13
    Cabinet doors ... 13
    Privileges ... 13
    Key switches ... 13

3 Troubleshooting techniques ... 15
  Identify type of alarm ... 16
    Alarm types ... 16
    Identify type of alarm ... 16
  Identify the solution ... 17
    Problem due to a process failure ... 17
    Problem due to a field failure ... 17
    Problem due to a Controller failure ... 17


  Analyze the impact of a solution ... 19
    Field related problems ... 19
    Safety Manager hardware related problems ... 19
  Implement and verify the solution ... 22
    Field related problems ... 22
    Controller related problems ... 22

4 Common problems ... 25
  Troubleshooting Experion anomalies ... 26
    Digital points not represented correctly ... 26
    Numeric points not represented correctly ... 26
    Analog signals not represented correctly ... 27
    Wrong diagnostic messages displayed on Experion Station ... 28
  System ... 29
    System does not start ... 29
    Control Processor stopped, but no message found in the diagnostics ... 29
    Control Processor does not start after reset ... 29
    SafeNet Peer ID does not respond to remote reset ... 30
    Cannot get both CPs on-line simultaneously ... 31
  Field and IO ... 34
    IO module does not fit in chassis when replacing the module ... 34
    No power to the field, sensors and actuators are not activated ... 34
    No analog value retrieved from the field ... 34
    Loop fault SDIL-1608 ... 35
    SDOL-0424 loop faults line monitored outputs ... 35
    HART devices connected to a SM universal IO module ... 36
  Troubleshooting communication anomalies ... 38
    Solving communication anomalies – general ... 38
    SafeNet Peer ID does not respond to remote reset ... 39
    Communication point values are unreliable ... 40
  Diagnostic messages ... 41

5 Maintenance ... 43
  Corrective maintenance precautions ... 44
    Actions before corrective maintenance ... 44
    Actions during corrective maintenance ... 46
    Actions after corrective maintenance ... 47
  Corrective maintenance ... 48
  Preventive maintenance of Safety Manager ... 49
  Regular preventive maintenance ... 50
    Overview ... 50
    Checking for cable damage ... 50
    Checking the voltages to the Control Processor ... 51
    Checking the BKM battery ... 52
    Checking the temperature in the Control Processor ... 53


    Checking for airflow obstruction ... 54
    Checking the operation of the fans ... 54
    Checking the status of the SM universal IO module ... 55
    Checking for earth faults ... 55
    Checking the loop status of signals ... 57
    Checking the forced status of signals ... 57
    Checking for paint damage ... 58
    Checking the availability of spare parts ... 58
    Checking the system diagnostics ... 58
    Checking the backup of the Controller file ... 58
  Preventive maintenance when Safety Manager is switched off ... 59
    Overview ... 59
    Checking DC voltages ... 59
    Checking power distribution fuses ... 61
    Checking AC voltages ... 62
    Checking the correct operation of the PSUs ... 62
    Checking for dust concentration ... 63
    Replacing dust filters ... 63
    Checking the fasteners on the power distribution rails ... 64
    Checking cable clamps ... 64
    Checking shield connections ... 65
    Checking earth/ground connections ... 66
    Testing hardware IO ... 67
    Testing the communication links to external devices ... 68

6 Checklists ... 71
  Checklist for regular maintenance ... 73
  Checklist for maintenance when Safety Manager is switched off ... 76

7 Handling and ordering spare parts ... 81
  Handling of defective products or parts ... 82
  Ordering of emergency replacements ... 84

8 Diagnostics and other fault finding options in Safety Manager ... 87

APPENDIX A Safety Manager key switches ... 89

APPENDIX B Diagnostic information ... 101

APPENDIX D Safety Manager fault detection and reaction ... 151
  Digital input faults (remote) ... 174
  Analog input faults (remote) ... 175
  Digital output faults (remote) ... 175
  Analog output faults (remote) ... 176

List of abbreviations 185


Safety Manager Glossary 189


Figures

Figure 1 The concept of layers of protection ... 7
Figure 2 ESD Wrist Strap connected to ESD bonding point ... 11
Figure 3 The user interface display of the QPP display ... 51
Figure 4 Bonding of shielded cables ... 65
Figure 5 Front view of a redundant Controller chassis ... 95
Figure 6 The forcing sequence ... 97
Figure 7 The user interface display of the QPP-0001 and the QPP-0002 ... 102
Figure 8 Example of diagnostic information in Safety Builder ... 105
Figure 9 State of input signals ... 132
Figure 10 Communication Status - Communication Statistics tab ... 147
Figure 11 Communication Status - Link Status Report tab ... 148
Figure 12 Schematic diagram of a SMOD with 4 channels ... 154
Figure 13 Watchdog function - Controller architecture: Redundant ... 161
Figure 14 Watchdog function - Controller architecture: Redundant A.R.T. ... 162
Figure 15 Intended square-root function ... 182
Figure 16 Square-root function with validated input value ... 182
Figure 17 Square-root function with validity check in function block ... 183
Figure 18 Failure model ... 198
Figure 19 Example of a multidrop connection based on Ethernet ... 203
Figure 20 Programmable electronic system (PES): structure and terminology ... 207
Figure 21 Schematic diagram of a SMOD with 4 channels ... 214


Tables

Table 1 Fault reaction setting ... 19
Table 2 Checklist for regular maintenance ... 73
Table 3 Checklist for maintenance when Safety Manager is switched off ... 76
Table 4 Messages displayed by the User Interface Display of the QPP module ... 103
Table 5 Possible default status messages ... 104
Table 6 Diagnostic messages sorted by Module ID ... 106
Table 7 Fault reaction setting ... 158
Table 8 Fault Reaction settings for communication IO ... 159
Table 9 Controller reaction to QPP faults ... 163
Table 10 Controller response to USI faults ... 165
Table 11 Controller response to BKM faults ... 165
Table 12 Controller response to PSU faults ... 166
Table 13 Controller response to communication faults ... 166
Table 14 RUSxx response to RUSxx faults ... 168
Table 15 Controller response to chassis IO digital input faults ... 170
Table 16 Controller response to chassis IO analog input faults ... 171
Table 17 Controller response to chassis IO digital output faults ... 171
Table 18 Controller response to chassis IO analog output faults ... 172
Table 19 Controller response to universal digital input faults ... 174
Table 20 Controller response to universal analog input faults ... 175
Table 21 Controller response to universal digital output faults ... 175
Table 22 Controller response to universal analog output faults ... 176
Table 23 Controller reaction to IO compare errors ... 178
Table 24 Safety integrity levels: target failure measures for a safety function, allocated to the Safety Instrumented System operating in low demand mode of operation ... 210
Table 25 Safety integrity levels: target failure measures for a safety function, allocated to the Safety Instrumented System operating in high demand or continuous mode of operation ... 210

1 The Troubleshooting and Maintenance Guide

The Troubleshooting and Maintenance Guide is intended primarily for the people responsible for and performing tasks related to Safety Manager.

This guide covers the following topics.

• Troubleshooting to identify and repair faults.

• Maintenance topics to maintain hardware and software in order to minimize the chance of faults.

The typical readers of this guide are maintenance engineers.

This guide assumes that the reader masters the required skills and knowledge as described herein.

This section contains the following information about this Guide:

Topic See

Content of Troubleshooting and Maintenance Guide page 2

Prerequisites for Troubleshooting and Maintenance Guide page 4

Basic skills and knowledge page 5

Safety standards for Process & Equipment Under Control (PUC, EUC) page 6

Note

This guide does not contain information related to other Honeywell Experion™ PKS systems and third-party controllers such as Allen-Bradley, Series 9000, TDC 3000, Data Hiway, UDC, PlantScape, and so on. For information about these systems, see the manufacturer's book set.

Content of Troubleshooting and Maintenance Guide

The Troubleshooting and Maintenance Guide is a task-oriented guide which provides procedural and basic knowledge. A task informs the reader on how to perform the task in terms of steps to follow. Additionally a task describes what important considerations to make or options to choose from when performing a task.

The following subjects are discussed in this guide:

Guide: Troubleshooting and Maintenance Guide

Subjects:

• “Competencies and precautions” on page 9

• “Troubleshooting techniques” on page 15

• “Common problems” on page 25

• “Maintenance” on page 43

• “Checklists” on page 71

• “Handling and ordering spare parts” on page 81

• “Diagnostics and other fault finding options in Safety Manager” on page 87

References

Guide Description

The Overview Guide This guide describes the general knowledge required, the basic functions of, and the tasks related to Safety Manager.

The Safety Manual This guide describes the specifications, design guidelines, and safety aspects related to Safety Manager.

The Hardware Reference This guide specifies the hardware components that build a Safety Manager project.

The Withdrawn Hardware Reference This guide specifies all withdrawn hardware components and identifies alternatives for maintaining Safety Manager projects containing withdrawn hardware.

The Software Reference This guide specifies the software functions that build a Safety Manager project and contains guidelines on how to operate them.

The On-line Modification Guide This guide describes the theory, steps and tasks related to upgrading Safety Builder and embedded software and modifying an application online in a redundant Safety Manager.

Prerequisites for Troubleshooting and Maintenance Guide

A user shall as a minimum master the skills and knowledge as described in “Basic skills and knowledge” on page 5.

Besides those mentioned above, the following task-related prerequisites are defined as a minimum for users confronted with tasks as described in the Troubleshooting and Maintenance Guide.

Generic skills

• Basic communication skills in English

• Analytic skills

• Mechanical skills

Technical skills and knowledge

• Electrical skills and knowledge

• Experion™ PKS ‘Bypass Override and Trip Point Management’

• Local Operator and maintenance procedures

• Understanding of Safety Manager fault detection and response mechanisms

Safety Manager training

Honeywell offers a number of training courses related to the above-mentioned prerequisites. When you request training from Honeywell, mention the task you have to perform and make sure that the following goals are met:

• Understanding of failure and recovery modes of Safety Manager

• Understanding of Safety Manager fault detection and response mechanisms

• Call-up and interpret Safety Manager system status displays and diagnostics

Basic skills and knowledge

Before performing tasks related to Safety Manager you need to:

• Understand basic Safety Manager concepts as explained in the Overview Guide and the Glossary.

• Have a thorough understanding of the Safety Manual.

• Have had appropriate training related to Safety Manager that certifies you for your tasks (see Planning training).

More related information can be found in Prerequisite skills and Training.

Prerequisite skills

When you perform tasks related to Safety Manager, it is assumed that you have appropriate knowledge of:

• Site procedures

• The hardware and software you are working with, for example: computers, printers, network components, Controller and Station software.

• Microsoft Windows operating systems.

• Programmable logic controllers (PLCs).

• Applicable safety standards for Process & Equipment Under Control.

• Application design conforming to IEC 61131-3.

• The IEC 61508 and IEC 61511 standards.

This guide assumes that you have a basic familiarity with the process(es) connected to the equipment under control and that you have a complete understanding of the hazard and risk analysis.

More related information can be found in Training.

Training

Most of the skills mentioned above can be achieved by appropriate training. For more information, contact your Honeywell SMS representative or see:

• http://www.automationcollege.com.

More related information can be found in Prerequisite skills.

Safety standards for Process & Equipment Under Control (PUC, EUC)

Safety Manager is the logic solver of a Safety Instrumented System (SIS) performing specific Safety Instrumented Functions (SIF) to ensure that risks are kept at predefined levels.

A SIS measures, independently from the Basic Process Control System (BPCS), a number of relevant process signals such as temperature, pressure, level in a tank or the flow through a pipe. The values of these signals are compared with the predefined safe values and, if needed, the SIS gives an alarm or takes action. In such cases the SIS controls the safety of the process and lowers the chance of an unsafe situation.

The logic in Safety Manager defines the response to process parameters.

In this context the following terms are explained in this section:

• Safety Integrity Level (SIL)

• Safety layers of protection

• Equipment Under Control (EUC)

• Process Under Control (PUC)

Safety Integrity Level (SIL)

The IEC 61508 standard specifies 4 levels of safety performance for safety functions. These are called safety integrity levels. Safety integrity level 1 (SIL1) is the lowest level of safety integrity, and safety integrity level 4 (SIL4) the highest level. If the level is below SIL1, IEC 61508 and IEC 61511 do not apply.

Safety Manager can process multiple SIFs simultaneously, each demanding SIL1 up to and including SIL3.

To achieve the required safety integrity level for the E/E/PE safety-related systems, an overall safety life cycle is adopted as the technical framework (as defined in IEC 61508).

For more information see also:

• Safety layers of protection

• Equipment Under Control (EUC)

• Process Under Control (PUC)

Safety layers of protection

Figure 1 on page 7 shows the typical risk reduction methods or safety protection layers used in modern process plants.

Safety Instrumented Systems (SIS) are designed to operate in the prevention and mitigation layers to:

• Prevent a process from entering a dangerous state.

• Mitigate the consequences of entering a dangerous state.

For more information see also:

• Safety Integrity Level (SIL)

• Equipment Under Control (EUC)

• Process Under Control (PUC)

Equipment Under Control (EUC)

Safety-related systems, such as Safety Manager, are designed to prevent the EUC from entering a dangerous state and to mitigate any EUC that has gone into a dangerous state.

Figure 1 The concept of layers of protection

For these functions a safety-related system can be split into:

• Emergency shutdown systems, operating in the prevention layer of Figure 1 on page 7.

• Fire and gas detection and control systems, operating in the mitigation layer of Figure 1 on page 7.

For more information see also:

• Safety Integrity Level (SIL)

• Safety layers of protection

• Process Under Control (PUC)

Process Under Control (PUC)

PUC is EUC expanded with regulations to prevent the process from running out of control or to mitigate the consequences when it does run out of control.

Where PUC is concerned, Safety Manager monitors the process for abnormal situations. Safety Manager is able to initiate safety actions and process alarms.

Such actions and alarms can be caused by abnormal situations in the:

• Process

• Safety loops

• Safety system itself.

For more information see also:

• Safety Integrity Level (SIL)

• Safety layers of protection

• Equipment Under Control (EUC)

2 Competencies and precautions

This section provides information on the required competencies of people and precautions to be taken when working with the Safety Manager. This section covers the following topics:

Topic See

Competencies of people page 10

Precautions when working on Safety Manager page 11

Accessibility page 13

Competencies of people

Training

Personnel who have to perform maintenance, service or modification on a Safety Manager cabinet must have successfully completed the appropriate training required for the tasks to be performed.

For detailed information on the Safety Manager-related training courses refer to Planning training.

For information on specific Safety Manager-related skills refer to Required skills and knowledge.

Obtaining information on training

For detailed information on the above-mentioned training courses you can

• contact your local Honeywell affiliate or a Honeywell Regional Delivery Center (RDC)

• see http://www.automationcollege.com.

Attention

Any activity on a Safety Manager cabinet must be carried out by qualified, authorized and properly trained personnel. Failure to comply with the regulations and guidelines mentioned in this guide may cause severe damage to the equipment or serious injury to people.

Precautions when working on Safety Manager

Important considerations when working on Safety Manager cabinets are:

• “EMC warning” on page 11

• “Electrostatic discharge (ESD)” on page 11

• “Keep the doors closed” on page 12

You have to obey these precautions when working on Safety Manager.

EMC warning

Safety Manager has a reduced electromagnetic immunity when the cabinet doors are open. Devices such as radio transmitters must not be used near an open Safety Manager cabinet.

Electrostatic discharge (ESD)

It is important that you wear a properly connected electrostatic discharge (ESD) wrist strap while removing, handling and installing electronic components (see Figure 2 on page 11).

Figure 2 ESD Wrist Strap connected to ESD bonding point

Slip the strap on your wrist like a wristwatch and connect its clip to an ESD bonding point, which is located inside the cabinet. There is no danger of receiving a shock from an approved wrist strap.

Be sure to keep electronic components stored in a static-safe carrying pouch whenever they are not in use.

An ESD kit is available through Honeywell SMS.

Keep the doors closed

When you are not working on the Safety Manager cabinet, make sure that you keep the doors closed to:

1. prevent dust and other particles from entering the Safety Manager cabinet,

2. improve the electromagnetic immunity of Safety Manager.

Make sure that you always close the cabinet doors after an operation.

Key switches

Make sure you have access to the required keys and that the key switches lock into position as you turn them.

Attention:

If the QPP key switch is not on a fixed position, the RUN state is assumed.

Accessibility

Cabinet doors

To access the cabinet interior or to access the Safety Manager key switches (see “Key switches” on page 13) you need a key to unlock the cabinet door(s).

Privileges

If you need to start, load, repair or maintain Safety Manager make sure you have the appropriate privileges to do so:

1. Permits from management,

2. Approved schedule and planning, as laid down in Planning considerations for modifications.

3. Password for Safety Builder Supervisor or Engineer privileges, see Security.

4. Access to the Control Processor key switches, see “Key switches” on page 13.

Key switches

The following key switches are present in each Safety Manager:

1. two QPP key switches,

2. a Reset key switch,

3. a Force Enable key switch.

For more information on key switches, see “Safety Manager key switches” on page 89.

Caution:

Make sure that you always close the cabinet doors after an operation.

3 Troubleshooting techniques

The troubleshooting technique to identify a fault depends on how you became aware of a fault. Follow the steps below:

Steps See

Identify type of alarm page 16

Identify the solution page 17

Analyze the impact of a solution page 19

Implement and verify the solution page 22

Identify type of alarm

Alarm types

In Experion™ PKS the following alarms can occur:

• Process related alarms

• Field related alarms

• Safety Manager related alarms

Identify type of alarm

To identify the type of alarm take the following steps:

1 Verify if the alarm is process related.

Most alarms are process related; however, some alarms seem to be process related but the real cause comes from the field or control system.

Example: If an operator receives an alarm that a temperature is too high, proceed as follows:

• Check the temperature meter on other operator displays if available. Check another (redundant) transmitter.

• If the temperature is indeed too high: the problem is process related. Proceed with “Identify the solution” on page 17.

• If the temperature is normal: verify if the problem is field or Safety Manager related (continue with next step).

2 Verify if the alarm is field or Safety Manager related: use the diagnostics to identify the problem in more detail (see “Diagnostics and other fault finding options in Safety Manager” on page 87).

• Field related alarms can be caused by a failure of cable, sensor, actuator, field power failure and so on.

• Safety Manager related alarms are caused by Safety Manager failures. Proceed with “Identify the solution” on page 17.

Identify the solution

Problem due to a process failure

True process alarms have to be solved by an operator. For this type of alarm an operator can refer to the appropriate documentation.

Problem due to a field failure

Defective field equipment has to be replaced or repaired. Refer to the appropriate documentation.

Before replacing field equipment consider using the following options:

1. Maintenance override switches (MOS): It is possible to override individual signals online for a period of time. MOS is a strategy that is programmed in the application. The procedure to apply MOS depends on the strategy.

2. Force enable key switch on the Battery and Key switch module:

This switch enables the forcing of signals (if configured as force enabled) in an online situation. In the ‘ON’ position you can force these signals with Safety Builder. Forces can only be used if:

- The point configuration enables forcing.

- The Force enable key switch is in ‘ON’ position.

- The operator is authorized to force (function is password protected).

Problem due to a Controller failure

The Safety Manager diagnostics can be interpreted as follows:

1 Identify diagnostic type

• Related to hardware

• Related to software

• Related to the field

Stop:

Changing force states can be dangerous if not handled properly! Always communicate your actions when applying or removing forces.

2 Identify the severity of the message. Diagnostics can contain errors, warnings and messages (for details see “Diagnostic messages” on page 105).

3 Find an explanation in “Diagnostic messages” on page 105.

4 Locate the problem (location of the hardware causing the fault and the type of fault).

5 Continue with “Analyze the impact of a solution” on page 19.

See also: “Common problems” on page 25.

Note

• If a system has a non-redundant Controller it is possible that Safety Manager is no longer controlling the process.

• You can use Safety Builder to determine whether the Control Processors are fully operational or not.

• The fault finding wizard (part of Controller Management) of Safety Builder assists in finding the cause of the fault and advises in solving the problem.

Analyze the impact of a solution

Consider the impact of the solution for field related or Safety Manager hardware related problems before implementing the solution (“Implement and verify the solution” on page 22).

Field related problems

If a field related component causes the problem, consider using the Maintenance Override Switch (MOS) or forcing the signal.

Safety Manager hardware related problems

If the problem is Safety Manager related, it is probably caused by a:

• Control Processor fault

• IO fault

Whether the process is affected by the fault or not, depends on the built-in redundancies and the safety relation configuration in the application.

• The Control Processor response to Safety Manager Controller faults cannot be configured at a high level; this response is essentially always “Safe”.

• The fault response of IO can basically be defined in two directions, “Safe” and “Non-Safe”.

Table 1 on page 19 shows the possible fault reaction settings for hardware IO.

Table 1 Fault reaction setting

IO              “Safe” fault reaction settings (1)   “Non safe” fault reaction settings
Digital input   High or Low                          Scan or Hold
Analog input    Top scale or Bottom scale            Scan or Hold
Digital output  Low                                  Appl
Analog output   0 mA                                 Appl (2)

1 If you have one of these settings, Safety Manager will test and respond to a module or channel failure.

2 Attention: Be aware of the consequences in case this fault reaction is chosen for redundant analog output channels. When this is the case and communication to one of the redundant output modules is lost (e.g. the flat cable becomes disconnected), the last output value of the disconnected module will still be applied to the field. However, the module that is still connected will double its output to compensate for the missing module. Hence, the output to the field in this situation will be higher than you may expect (approximately 150%).

When inputs go faulty

The system response towards input faults is always the same: Apply the fault reaction state as defined in Table 1 on page 19.

• Most faults on an input module cause one channel to go faulty.

- In non-redundant input configurations a channel fault causes the application to process the predefined input fault reaction state.

- In redundant input configurations a channel fault on one module causes the application to process the field state of the healthy input channel.

• Some input faults cause an entire module to go faulty. In that case the bullets above apply to all channels of that input module.

When outputs go faulty

The system response towards output faults depends on the fault reaction set on an output module, as defined in Table 1 on page 19.

The following system responses towards output faults are acknowledged:

• System response towards Safe outputs faults

• System response towards Non-Safe outputs faults

System response towards Safe outputs faults

• As of release R131 of Safety Manager, most Safe output faults can be isolated without tripping the watchdog line (the next bullet lists the exceptions). This “no need to trip” type of fault allows the Control Processor to continue operation and de-energize the affected output module instead.

- In a non-redundant output configuration this causes all outputs of the affected output module to assume the fault reaction state.

- In a redundant output configuration this has no direct effect as the field outputs continue to be driven by the redundant output module.

• Some output faults block all control access to the output module (e.g. when removing the flat cable from an output module which has no fault present). In such circumstances a possible fault in the output module cannot be isolated without tripping the watchdog line.

- In a non-redundant output configuration this causes all output modules to de-energize.

- In a redundant output configuration this causes the corresponding Control Processor to trip. As the field continues to be driven by the redundant output module it is not affected, but availability is reduced to a minimum.

Note:

The philosophy behind the output module fault response (isolating the entire output module upon a fault instead of tripping the watchdog) is that isolation allows the maintenance engineer to replace a faulty output module without shutting down the associated IO section.

System response towards Non-Safe outputs faults

When a fault occurs in a Non-Safe output (module) the system takes no action other than reporting the fault – assuming the fault gets detected.
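The fault reaction rules of Table 1 on page 19 and of the “When inputs go faulty” and “When outputs go faulty” subsections above can be exercised as a small model before touching a cabinet. The Python below is an added example written against this guide's text; it is not Honeywell code. The module layout, point values, the 0..100 % representation of analog inputs, the equal current sharing assumed for redundant analog outputs, and the reading of “Hold” as “keep the last good value” and “Scan” as “keep using the scanned value” are assumptions made for illustration.

```python
"""Model of the Safety Manager IO fault reaction rules described in the
guide (added example, not Honeywell code). Module layout, sample values
and the analog encodings are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Union

Value = Union[bool, float]

# Table 1: "Safe" settings make Safety Manager test and react to a fault;
# "Non-safe" settings (Scan, Hold, Appl) do not.
SAFE_SETTINGS = {"DI": {"High", "Low"}, "AI": {"Top scale", "Bottom scale"},
                 "DO": {"Low"}, "AO": {"0 mA"}}
NON_SAFE_SETTINGS = {"DI": {"Scan", "Hold"}, "AI": {"Scan", "Hold"},
                     "DO": {"Appl"}, "AO": {"Appl"}}

# Constructed encoding of the safe fault reaction states: digitals as bool,
# analog inputs as percent of range, analog outputs in mA.
SAFE_STATE = {"High": True, "Low": False, "Top scale": 100.0,
              "Bottom scale": 0.0, "0 mA": 0.0}


def is_safe_setting(io_type: str, setting: str) -> bool:
    if setting in SAFE_SETTINGS[io_type]:
        return True
    if setting in NON_SAFE_SETTINGS[io_type]:
        return False
    raise ValueError(f"{setting!r} is not a fault reaction for {io_type}")


@dataclass
class Channel:
    field_value: Value        # value currently scanned from / driven to the field
    last_good: Value          # value before the fault (assumption: used by 'Hold')
    faulty: bool = False


@dataclass
class Module:
    io_type: str
    setting: str
    channels: List[Channel]
    module_faulty: bool = False   # some faults take the whole module down

    def channel_faulty(self, i: int) -> bool:
        # A module fault applies the channel rules to every channel of the module
        return self.module_faulty or self.channels[i].faulty


def input_seen_by_application(primary: Module, i: int,
                              redundant: Optional[Module] = None) -> Value:
    """Value the application logic processes for input channel i."""
    if not primary.channel_faulty(i):
        return primary.channels[i].field_value
    if redundant is not None and not redundant.channel_faulty(i):
        # Redundant configuration: the healthy channel's field state is used
        return redundant.channels[i].field_value
    if is_safe_setting(primary.io_type, primary.setting):
        return SAFE_STATE[primary.setting]       # predefined fault reaction state
    if primary.setting == "Hold":                 # assumption: keep last good value
        return primary.channels[i].last_good
    return primary.channels[i].field_value        # 'Scan': keep using scanned value


# Controller responses to output faults ("When outputs go faulty")
REPORT_ONLY = "non-safe output: fault reported, no action"
ISOLATE_FAULT_STATE = "module de-energized; its outputs assume the fault reaction state"
ISOLATE_NO_EFFECT = "module de-energized; field still driven by redundant module"
TRIP_ALL = "watchdog line tripped; all output modules de-energize"
TRIP_CP = "Control Processor tripped; redundant module drives the field, availability minimal"


def output_fault_response(module: Module, redundant: bool, isolatable: bool) -> str:
    if not is_safe_setting(module.io_type, module.setting):
        return REPORT_ONLY
    if isolatable:            # the normal case as of release R131
        return ISOLATE_NO_EFFECT if redundant else ISOLATE_FAULT_STATE
    # e.g. flat cable removed: no control access, fault cannot be isolated
    return TRIP_CP if redundant else TRIP_ALL


def redundant_ao_field_current(setpoint_ma: float, a_disconnected: bool) -> float:
    """Table 1, footnote 2, for redundant analog outputs set to 'Appl'.
    Assumption: both modules normally share the field current equally."""
    share_a = share_b = setpoint_ma / 2
    if a_disconnected:
        share_b = setpoint_ma     # A keeps its last value, B doubles to compensate
    return share_a + share_b


if __name__ == "__main__":
    di = Module("DI", "High", [Channel(False, False, faulty=True)])
    print(input_seen_by_application(di, 0))        # True: safe 'High' state applied
    print(redundant_ao_field_current(12.0, True))  # 18.0 mA, i.e. ~150 % of 12 mA
```

The useful check for a practitioner is the last function: with “Appl” on redundant analog outputs a disconnected flat cable does not give a safe 0 mA but an over-driven field signal, which is why footnote 2 of Table 1 deserves a review of every redundant AO pair before a module is pulled.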

Replacing faulty IO

The procedure to replace a faulty IO module depends on the architecture, the configuration and any forces applied to that IO module.

• For details on replacement procedures see Replace SM chassis IO modules.

• For details on forces see “Impact of MOS and forces on replacement” on page 21.

Impact of MOS and forces on replacement

The use of MOS and forces is only possible with proper knowledge of the process and the Safety Manager application. To use MOS or forces consider the following:

1. Check the configuration of the Safety Manager application to see if MOS or forces are possible.

2. Check with process operator to investigate the effect of MOS or forces.

3. Apply forces when replacing non redundant input modules; this overrides the fault reaction states generated in the application logic during the replacement.

Caution:

Do not apply forces on outputs to override Safe fault reaction states: forcing a faulty output module results in a trip when trying to replace that module!

Implement and verify the solution

Field related problems

1 Depending on the result of the identified solution, repair or replace the faulty field cable, sensor or actuator.

2 Press the Fault reset key switch and run the diagnostics again (see “Diagnostics and other fault finding options in Safety Manager” on page 87).

3 Check if the problem has been solved. If there are still messages, return to “Identify type of alarm” on page 16.

Repairing sensors

For repairing sensors, use:

• The Maintenance override switch (MOS).

• The Force enable key switch to enable the online forcing of signals in Safety Builder.

Repairing or replacing actuators

Follow the plant procedures of the customer for repairing or replacing actuators.

Controller related problems

Depending on the result of the identified solution, solve the problem as mentioned below.

Hardware problem

1 Follow the hardware replacement procedures as described in “Hardware Replacements and Upgrades” on page 113.

2 Press the Reset key switch and run the diagnostics again (see “Diagnostics and other fault finding options in Safety Manager” on page 87).

3 Check if the problem has been solved. If there are still messages, return to “Identify type of alarm” on page 16.

Software problem

1 Restore a backup as described in Backup & restore:

• Verify the Controller file as described in Controller Management.

• Load the Controller file as described in Controller Management.

2 Press the Reset key switch and run the diagnostics again (see “Diagnostics and other fault finding options in Safety Manager” on page 87).

3 Check if the problem has been solved. If there are still messages, return to “Identify type of alarm” on page 16.

4 Common problems

When problems occur while Safety Manager is running, they may be reported by:

• Operators

• Troubleshooting & Maintenance engineers

• System administrators

• Test engineers

Problems reported by Safety Manager must be analyzed and solved according to the procedure described in “Troubleshooting techniques” on page 15.

This section describes common problems and solutions for the following categories:

Category See

Troubleshooting Experion anomalies page 26

System page 29

Field and IO page 34

Troubleshooting communication anomalies page 38

Diagnostic messages page 41

Troubleshooting Experion anomalies

Digital points not represented correctly

Cause:

PLC addresses in Safety Manager do not match the addresses in Experion Server or the index in Process controllers.

Reading from a wrong PLC address may cause

• only a few out of all bytes that represent the point to be read. This results in an apparently random process value

• reading a completely different point (or combination of points) that happen to change when the desired point changes.

Solution:

The Experion node reads the wrong point location due to an offset PLC address configuration.

In Control Builder check and set the PLC addresses as defined for Safety Manager and download the new properties to the Experion system.

For details see the Experion User Documentation (Experion Safety Manager Integration Guide).

Numeric points not represented correctly

Cause 1:

PLC addresses in Safety Manager do not completely match the addresses in Experion Server or the index in Process controllers.

• Reading from a wrong PLC address may cause

- only a few out of all bytes that represent the point to be read. This results in an apparently random process value

- reading a completely different point (or combination of points) that happens to change when the desired point changes.

Attention:

When writing a NaN (Not a Number) or an Inf (Infinity) value, Safety Manager will respond with an Illegal value. The cause of this must be searched for in the Process controller configuration.

Cause 2:

Reading or writing a numeric with a wrong algorithm causes the value to be interpreted wrongly by the receiving end.

The algorithm in Safety Manager is fixed, whereas Experion and the Process controller support several types of float representation.

Solution:

In Control Builder check and set the PLC addresses and read-out algorithms as defined for Safety Manager and download the new properties to the Experion system.

For details see the Experion User Documentation (Experion Safety Manager Integration Guide).
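The two failure modes above (only some bytes of a point read, or the bytes decoded with the wrong float representation) can be reproduced offline. The following Python is an added example, not code from the manual or from Honeywell: the register image, the point values and the 0-based register numbering are constructed, and the three float representations are typical ones, not a list of what Experion or the Process controller actually support.

```python
import math
import struct

# Constructed register image (not from the manual): two 32-bit floats stored
# big-endian in consecutive 16-bit registers. Point A = 12.5 occupies registers
# 0-1, point B = 80.0 occupies registers 2-3.
POINT_A, POINT_B = 12.5, 80.0
REGISTER_IMAGE = struct.pack(">ff", POINT_A, POINT_B)


def read_register(image: bytes, address: int) -> int:
    """Read a single 16-bit register: only half the bytes of a float point."""
    offset = address * 2
    return struct.unpack(">H", image[offset:offset + 2])[0]


def decode_float(raw: bytes, algorithm: str) -> float:
    """Interpret four bytes with one of several float representations.

    'be' = big-endian, 'le' = little-endian,
    'ws' = big-endian with the two 16-bit words swapped.
    """
    if algorithm == "be":
        return struct.unpack(">f", raw)[0]
    if algorithm == "le":
        return struct.unpack("<f", raw)[0]
    if algorithm == "ws":
        return struct.unpack(">f", raw[2:4] + raw[0:2])[0]
    raise ValueError(f"unknown algorithm {algorithm!r}")


def read_point(image: bytes, address: int, algorithm: str = "be") -> float:
    """Read a float point spanning two registers starting at `address`."""
    offset = address * 2
    return decode_float(image[offset:offset + 4], algorithm)


def is_illegal(value: float) -> bool:
    """NaN and Inf are what Safety Manager reports as an Illegal value."""
    return not math.isfinite(value)


def audit_mapping(image: bytes, address: int, algorithm: str, expected: float) -> dict:
    """Compare what the receiving side decodes with the value the sending side
    holds; a mismatch points at an address or algorithm configuration error."""
    got = read_point(image, address, algorithm)
    return {"decoded": got,
            "matches": math.isclose(got, expected),
            "illegal": is_illegal(got)}


if __name__ == "__main__":
    print(read_point(REGISTER_IMAGE, 0))        # correct address and algorithm: 12.5
    print(read_point(REGISTER_IMAGE, 1))        # off by one register: bytes of A and B mixed
    print(read_point(REGISTER_IMAGE, 0, "ws"))  # right address, wrong representation
    print(read_register(REGISTER_IMAGE, 0))     # half of point A only: 16712
```

Note that the off-by-one read still changes whenever point A or B changes, which is exactly why such a mismatch can look plausible on a display.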

Analog signals not represented correctly

Cause 1:

The PLC addresses and/or the read–out algorithm do not match completely.

Solution 1:

See “Numeric points not represented correctly” on page 26.

Cause 2:

The values set for top and bottom scales in Experion are not correct.

Safety Manager always sends RAW values to Experion. The displayed process values in Experion and Safety Manager may differ when

• top and bottom scale for engineering values are configured differently in Safety Manager and Experion

• the RAW values for top and bottom scale are configured differently in Safety Manager and Experion:

- The bottom and top RAW values for 4-20 mA analog signals must be set at 655 and 3276 respectively.

- The bottom and top RAW values for 0-20 mA analog signals must be set at 0 and 3276 respectively.

Solution 2:

• In Control Builder set the RAW and engineering top and bottom scale values identical to Safety Manager and download the new values to the Experion system.


• Create a pointdatabase.pnt file with the SM2XperionConverter tool and import and download this file.

For details see the Experion User Documentation (Experion Safety Manager Integration Guide).
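As an added example (not from the manual or from Honeywell), the scaling below shows why a RAW endpoint mismatch between Safety Manager and Experion produces values that differ at the bottom of the range but agree at the top. The RAW endpoints come from the page; the 0..100 engineering range and the counts-per-mA factor are assumptions derived from those endpoints.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScaleConfig:
    raw_bottom: float
    raw_top: float
    eu_bottom: float   # engineering value at raw_bottom
    eu_top: float      # engineering value at raw_top


# RAW endpoints from the manual: 655/3276 for 4-20 mA, 0/3276 for 0-20 mA.
# The engineering range 0..100 is a constructed example value.
SM_4_20MA = ScaleConfig(655, 3276, 0.0, 100.0)
# Experion mistakenly configured with the 0-20 mA RAW endpoints.
EXPERION_WRONG_RAW = ScaleConfig(0, 3276, 0.0, 100.0)
# Experion configured with a different engineering top scale.
EXPERION_WRONG_EU = ScaleConfig(655, 3276, 0.0, 200.0)


def raw_to_eng(raw: float, cfg: ScaleConfig) -> float:
    """Linear RAW -> engineering conversion, as a display would apply it."""
    span_raw = cfg.raw_top - cfg.raw_bottom
    return cfg.eu_bottom + (raw - cfg.raw_bottom) / span_raw * (cfg.eu_top - cfg.eu_bottom)


def ma_to_raw(milliamps: float) -> float:
    """Assumed: both ranges put 20 mA at RAW 3276, i.e. 163.8 counts per mA."""
    return milliamps * 3276 / 20


def compare_displays(raw: float, sm_cfg: ScaleConfig, exp_cfg: ScaleConfig,
                     tolerance: float = 0.05) -> dict:
    """What each system shows for the same RAW value Safety Manager sends."""
    sm = raw_to_eng(raw, sm_cfg)
    exp = raw_to_eng(raw, exp_cfg)
    return {"safety_manager": sm, "experion": exp, "mismatch": abs(sm - exp) > tolerance}


def config_mismatches(sm_cfg: ScaleConfig, exp_cfg: ScaleConfig) -> list:
    """Names of the scale fields that differ; empty means the configurations agree."""
    fields = ("raw_bottom", "raw_top", "eu_bottom", "eu_top")
    return [f for f in fields if getattr(sm_cfg, f) != getattr(exp_cfg, f)]


if __name__ == "__main__":
    for ma in (4.0, 12.0, 20.0):
        print(ma, "mA ->", compare_displays(ma_to_raw(ma), SM_4_20MA, EXPERION_WRONG_RAW))
    print(config_mismatches(SM_4_20MA, EXPERION_WRONG_RAW))   # ['raw_bottom']
    print(config_mismatches(SM_4_20MA, EXPERION_WRONG_EU))    # ['eu_top']
```

At 20 mA both configurations show 100, so a full-scale check alone will not reveal the wrong RAW bottom value; compare at the low end of the range as well.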

Wrong diagnostic messages displayed on Experion Station

Cause

The wrong Experion message files are stored on the Experion Server.

Solution

Take the following steps:

1 Use the Explorer to open the Safety Manager Safety Builder CD-ROM

2 Browse to the readme.txt file in the Experion message files folder

3 Open the readme.txt file and follow the instructions inside

Note:

To get a correct Safety Manager diagnostic representation on Experion releases up to R210 the diagnostic files on Experion server need to be updated.

System

System does not start

All seems to be OK but you cannot get the system to start.

Solution

Follow the steps below to find the cause:

1 Check the diagnostics according to the procedure as described in Controller Management. For an overview of diagnostic options see “Diagnostics and other fault finding options in Safety Manager” on page 87.

2 Check if the 5 Vdc system voltage is present.

3 If the QPP display is on, the voltage is present. If not, switch on the PSU.

4 Check if the PSU operates correctly. For more information see “Checking the correct operation of the PSUs” on page 62.

5 Check the disconnectors of the 24 Vdc.

6 Use a volt meter to check the PSU output.

7 Check the mains power to system: use a volt meter to check the mains feeder. For more information see “Checking AC voltages” on page 62.

8 Check the fuses. For more information see “Checking power distribution fuses” on page 61.

9 If the problem still occurs, contact your local Honeywell affiliate.

Control Processor stopped, but no message found in the diagnostics

The CP seems to have stopped for no apparent reason.

Solution

The diagnostics can be lost due to a loss of power of a Control Processor.

Restart the Control Processor and analyze diagnostics again.

Control Processor does not start after reset

You turn the Reset key switch but the QPP does not start.

The QPP display toggles: Halt with Flt.


Cause

The QPP was halted, and remains halted, because faults are still present in the system.

A QPP checks for system faults before going to the CPReady state.

System fault checks are done:

1. After power-up

2. After being (re)loaded

3. After being halted by fault detection software or watchdog

4. After QPP key switch was set to IDLE.

Solution

If a QPP display shows Halt with Flt you should:

1 Check the diagnostics to determine the fault

2 Fix the fault as described in “Controller related problems” on page 22

3 Turn the Reset key switch once to clear the fault in the diagnostic database

4 QPP display should now show CPReady:

a. If so, turn the Reset key switch again to start the QPP(s) with the CPReady state on the display.

b. If not, and you still have Halt with Flt, return to step 1.

SafeNet Peer ID does not respond to remote reset

When performing a remote reset you cannot get the Peer ID SM Controller to respond. When you try and reset at the SM Controller locally it does respond.

Cause

Whenever you try to reset a Peer ID SM Controller remotely it runs a series of checks to determine the validity of this command.

Two of these checks are related to timing: If the command sent is older than 10 seconds, or given at intervals of 20 seconds or less, the Peer ID SM Controller will reject the remote reset command.

Solution

1. Check that the system clocks of the system sending the reset command and the receiving SM Controller are synchronized within 10 seconds.

2. Check that the reset command is not given periodically (at intervals shorter than 20 seconds).


Cannot get both CPs on-line simultaneously

When performing an OLM you cannot get both CPs on-line simultaneously: As soon as one CP runs the other CP halts.

If you toggle the Reset key switch, nothing happens or the CPs swap status; it seems impossible to get both CPs up and running.

Solution

The diagnostics report Internal communication failure or CP degraded.

There may be several causes for this. To find the appropriate solution do the following:

1 Use System information to check the software versions in both Control Processors. (For details see System information.)

2 If the software versions differ, you are in the middle of an OLM. Go to “OLM aborted” on page 31 to resolve this issue.

3 If the software versions do not differ, you have an internal communication failure. For a solution go to “Internal communication failure” on page 32.

OLM aborted

If the software versions in the Control Processors are different, an on-line modification procedure was started and then aborted. Consequently, each time you toggle the Reset key switch the SM Controller swaps to the other software version.

Solution

Follow the steps below to resolve this issue:

1 Find out why the OLM was aborted and what software version needs to be loaded in the SM Controller. (You must either go onwards and finish the OLM or go backwards and return to the previously installed version.)

2 Load the desired software version on your Safety Builder.

Attention:

The steps below are high-level steps!

For details on the steps below see The On-line Modification Guide. It is recommended that you let a qualified person (who followed an OLM training course) take these actions.


3 Compare data from System information and the Compiler log to check if the Safety Builder and the running CP contain the same software version.

• If the correct version is in the other (halted) CP, toggle the Reset key switch once more to switch states between CPs (halted becomes running and vice versa) and compare again.

4 The final step is to complete the OLM procedure (onwards or backwards):

a. turn the QPP key switch of the halted CP to IDLE and

b. follow the procedures as described in Step C.2: Modify the SM Controller.

Internal communication failure

An internal communication failure is reported if, for whatever reason, one of the redundant communication links between both CPs of the SM Controller is lost.

• You can safely ignore this message when you manually created a shutdown of one Control Processor – which is the case during an OLM or when putting a QPP in IDLE.

• You have a hardware or software fault when this message is otherwise generated.

Solution

When detecting an internal communication failure the system halts the Control Processor which is expected to contain the fault.

Follow the steps below to resolve this issue:

1 Turn the QPP key switch of the halted Control Processor to STOP.

2 Wait at least 3 seconds and turn the QPP key switch back to RUN.

Tip:

See also “Internal communication failure or redundant CP degraded” on page 116.

Notes:

1. It is possible that the fault resides in the running CP instead of the halted CP.

2. As long as one CP remains running, the application remains running, even when it runs in the Control Processor containing the fault.

3. Swapping between CPs is still possible via the redundant internal communication link. If both internal links should fail, swapping CPs is automatically disabled.


3 Wait for the QPP to synchronize and reset the SM Controller.

a. If both CPs start, the problem was related to software: You are requested to report the fault to Honeywell SMS for further investigation.

b. If the CPs swap status again, or remain unchanged, the problem is related to hardware. Proceed with the next steps to resolve the hardware problem.

4 Replace the QPP module of the halted Control Processor and reset the system according to the procedures described in Replace a QPP module in a redundant Safety Manager Controller.

a. If you reset the system for the second time after replacing the QPP module, both CPs should start. If so, the replaced QPP module is faulty and you have resolved the issue.

b. However, if another swap occurs the other QPP module is faulty; the QPP module you just replaced is not faulty and can be reused to replace the faulty QPP. Reset the system for the third time to halt the faulty QPP and repeat step 4 on page 33.

5 If replacing both QPP modules did not help contact Honeywell SMS for assistance.

Attention:

It is to be expected that after the QPP replacement you experience one more swap!

Note that this is a normal response when you replace a QPP due to an internal communication failure.


Field and IO

IO module does not fit in chassis when replacing the module

Compare the old module with the new one. If they are identical, check the connector.

If the problem still occurs, contact your local Honeywell affiliate.

No power to the field, sensors and actuators are not activated

Take the following steps:

1 Check the diagnostics according to the procedure as described in Controller Management. For an overview of diagnostic options see “Diagnostics and other fault finding options in Safety Manager” on page 87.

2 Check if the system is running: check Control Processor LEDs and QPP display.

3 Check the LED on output module if an output is activated.

4 Check the 24 Vdc power on the terminal of the SM universal IO module.

5 Check the connection of IO, SIC, FTA, SM universal IO module, MCAR and field cable.

6 Check on the TSAI-1620m FTA if it is correctly powered. The power can be checked at the output of the TPSU-2430 power converter in the cabinet with a power meter or voltage monitoring, if implemented in the application.

7 Check the jumper settings on the IO chassis backplane.

8 Check the jumper setting on the board of the SM universal IO module.

9 Check the external and internal power connectors on the IO chassis backplane.

10 Check the power on the mounting carrier (MCAR) of the SM universal IO module.

11 If the problem still occurs, contact your local Honeywell affiliate.

No analog value retrieved from the field

Take the following steps:


1 Check the diagnostics according to the procedure as described in Controller Management. For an overview of diagnostic options see “Diagnostics and other fault finding options in Safety Manager” on page 87.

2 Check the loop status with Safety Builder. For more information see Controller Management.

3 Check the 2-3 wire connection.

4 Check if the transmitter or isolator is actively or passively powered.

5 Check on the TSAI-1620m FTA if it is correctly powered. The power can be checked at the output of the TPSU-2430 power converter in the cabinet with a power meter or voltage monitoring, if implemented in the application.

6 Check how Safety Manager is configured for “active” or “passive” power delivery.

7 Check the external power.

8 Check the marshalling wiring.

9 If the problem still occurs, contact your local Honeywell affiliate.

Loop fault SDIL-1608

Take the following steps:

1 Check the input signal configuration in Safety Builder. Check whether the correct type is selected.

2 Check the system status and diagnostics in Safety Builder.

3 ‘1’ indicates short loop

4 ‘0’ indicates open loop

5 If the problem still occurs, contact your local Honeywell affiliate.


SDOL-0424 loop faults line monitored outputs

1. Check the load of the actuator (solenoid).

If the load range is incorrect, change sub module of the BSDOL-04UNI to the correct range.

2. Check the type of field cabling.

a. If the field cabling capacitance/inductance is out of the specified range, the loop test pulse is deformed or delayed.

b. Verify the maximum load inductance: 0.5 H

c. Verify the maximum load capacitance: 1 µF

d. Change the settings of the BSDOL-04UNI.

3. Check the wiring.

4. If the problem still occurs, contact your local Honeywell affiliate.

HART devices connected to a SM universal IO module

This topic describes the procedure for handling HART devices (e.g. HART field devices or final elements) that are:

• connected to Field Device Manager (FDM) through a SM universal IO module,

• to be serviced using a second programming device (e.g. a hand-held communicator).

Field devices are devices that are connected to input channels; final elements are devices that are connected to output channels.


1 In Safety Builder, force the channel of the subject field device to a value that allows the process to stay operational. Do this on the corresponding FLD.

2 In FDM, make sure the HART communication with the subject field device is disabled.

3 Connect the programming device (e.g. hand-held communicator) to the subject field device.

4 Carry out the required maintenance to the subject field device.

5 Disconnect the programming device from the subject field device.

6 In Safety Manager, carry out a fault reset.

Attention:

1. When the HART devices are connected using a second programming device such as a hand-held communicator, the SM universal IO detects the presence of the hand-held device. However, it does not disturb the HART communication between the HART device and the hand-held device. Similarly, the SM universal IO is not affected by the HART hand-held devices. When hand-held devices are connected, these might interfere with the diagnostic self-tests and could lead to reporting of false alarms on the IO channel tests. To prevent this, the diagnostic self-tests are disabled as soon as a hand-held device is connected. In case a hand-held device is connected for over 8 hours, a diagnostic message is reported. In such scenarios, you must remove the hand-held device and issue a Fault Reset.

2. Honeywell SMS strongly recommends to use FDM for all analysis and maintenance tasks on HART devices that are connected through a SM universal IO module. This configuration provides the required functions and features, with optimized safety and availability.

3. Prevent manipulation (e.g. forcing) of field signals as much as possible in order to guarantee the safe operation by design of your safety solution.

4. This procedure is written so that it can be used for both field devices and final elements. However, you must be aware that in case the output channel of a final element (e.g. a valve) is forced, safeguarding of that equipment is (temporarily) disabled. Special precautions must be taken when you apply this procedure to final elements. Always contact your plant management before you execute such tasks.

Warning:

DO NOT - under any circumstance - disconnect a final element from its channel! If you do, the final element will go to its (programmed) safe state, and thus the process under control will be affected.


7 Make sure that the channel is healthy.

a. On the corresponding FLD, validate that the actual field value is within the expected range.

b. Make sure no (loop) faults are reported; refer to the diagnostics.

8 In case the channel is not healthy:

a. Solve the problem.

b. Repeat this procedure, starting at step 3.

9 In case the channel is healthy:

a. In Safety Builder, remove the force from the channel of the subject field device. Do this on the corresponding FLD.

10 In FDM - if necessary - enable the HART communication with the subject field device.

Notes:

1. The second programming device (e.g. a hand-held communicator) can report faults while it is connected to the subject field device. These communication faults are caused because the two programming devices simultaneously try to access the subject field device. You can ignore these communication faults.

2. The SM universal IO module - in fact this is the first programming device - can report faults while the second programming device is connected to the subject field device. These communication faults are caused because the two programming devices simultaneously try to access the subject field device. You can ignore these communication faults.


Troubleshooting communication anomalies

Solving communication anomalies – general

Communication problems can be as simple as a disconnected cable or as difficult as a randomly overloaded network.

The checklists and tips below provide help when trying to isolate and solve anomalies with respect to communication.

Determine whether the anomaly appears random or continuous.

When anomalies are continuous

When anomalies are continuous try the following:

1 Make sure that the USI-0001 communication module has no errors (see “Diagnostic messages” on page 41).

2 Make sure the communication hardware at the other end has no errors.

3 Check the configuration and operation of each cable, firewall, switch and/or modem in between the two nodes

4 Temporarily bypass sections that may be suspicious.

5 Try the communication with all other devices off-line (reduced network load)

6 Try an alternative route, using different cables, switches, etc.

When anomalies occur randomly

When anomalies appear to occur randomly try the following:

1 Try to align the time of occurrence with other occurrences in the surrounding area (weather, power bursts, maintenance schedules, process steps, network load, etc.).

Tips:

1. Study the communication diagnostics/logs on both sides of the communication link.

2. Safety Manager communication diagnostics can be found under the Communication Status button in the Controller Management environment.

3. When you appear to have random errors, check the time-out and delay settings; the responder should have a larger time-out than the initiator of the communication.

4. For more information about the Communication Status view in Controller Management see “Communication Status” on page 362.


2 Look for anomalies in data transfer. (Does the entire link fail or do you experience an increase in communication errors at times?)

Note that link failure is only indicated when no communication can be established within the time-out period: a success rate of e.g. 90% is therefore not identified as link failure, but as an operable link with identified communication errors. Yet this is serious enough to investigate!

In the Communication Status view in Controller Management you can:

a. detect (random) link failures by accessing the Link Status tab. Link Status shows the status per logical link, rather than the status “per communication line”. Some links are auto repair, meaning that they automatically recover when communication is re-established. A time stamp shows the last change in link status.

b. monitor the logged communication errors via the Communication Statistics tab.

3 Make sure the anomalies are not caused by configuration mismatches in time-out, network delay and baud rate differences (e.g. between switch and Ethernet port).

4 Verify that certified equipment is used.
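The link-status rule in step 2 (a link only counts as failed when nothing succeeds within the time-out; a 90% success rate is an operable link with errors) and the time-out relationship in tip 3, as an added example that is not part of the manual. The exchange logs and the time-out value are constructed.

```python
from typing import List, Optional, Tuple

# Constructed exchange logs (not from the manual): (seconds since start, success)
# for each request/response on one logical link.
LOG_WITH_ERRORS: List[Tuple[float, bool]] = [(float(i), i != 4) for i in range(10)]  # 9 of 10 succeed
LOG_DEAD: List[Tuple[float, bool]] = [(0.0, True), (1.0, True)] + [(float(i), False) for i in range(2, 10)]
LOG_CLEAN: List[Tuple[float, bool]] = [(float(i), True) for i in range(10)]
TIMEOUT_S = 5.0  # assumed link time-out; a per-link configuration value in a real system


def success_rate(exchanges: List[Tuple[float, bool]]) -> float:
    if not exchanges:
        return 0.0
    return sum(1 for _, ok in exchanges if ok) / len(exchanges)


def last_success(exchanges: List[Tuple[float, bool]]) -> Optional[float]:
    return max((t for t, ok in exchanges if ok), default=None)


def link_status(exchanges: List[Tuple[float, bool]], now: float,
                timeout_s: float = TIMEOUT_S) -> str:
    """Link failure only when no exchange succeeded within the time-out period;
    anything else is an operable link, with or without logged errors."""
    last_ok = last_success(exchanges)
    if last_ok is None or now - last_ok > timeout_s:
        return "link failure"
    return "operable with errors" if success_rate(exchanges) < 1.0 else "healthy"


def needs_investigation(exchanges: List[Tuple[float, bool]], now: float,
                        min_rate: float = 0.99, timeout_s: float = TIMEOUT_S) -> bool:
    """An operable link whose success rate is below min_rate still merits a look,
    even though the Link Status tab will not show it as failed."""
    status = link_status(exchanges, now, timeout_s)
    return status == "link failure" or success_rate(exchanges) < min_rate


def timeouts_consistent(initiator_timeout_s: float, responder_timeout_s: float) -> bool:
    """Tip 3 above: the responder should have the larger time-out."""
    return responder_timeout_s > initiator_timeout_s


if __name__ == "__main__":
    for name, log in (("errors", LOG_WITH_ERRORS), ("dead", LOG_DEAD), ("clean", LOG_CLEAN)):
        print(name, link_status(log, now=10.0), f"{success_rate(log):.0%}",
              "investigate" if needs_investigation(log, now=10.0) else "ok")
    print(timeouts_consistent(initiator_timeout_s=3.0, responder_timeout_s=5.0))
```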

SafeNet Peer ID does not respond to remote reset

When performing a remote reset you cannot get the Peer ID SM Controller to respond. When you try and reset at the SM Controller locally it does respond.

Cause

Whenever you try to reset a Peer ID SM Controller remotely it runs a series of checks to determine the validity of this command.

Two of these checks are related to timing: If the command sent is older than 10 seconds, or given at intervals of 20 seconds or less, the Peer ID SM Controller will reject the remote reset command.

Solution

1. Check that the system clocks of the system sending the reset command and the receiving SM Controller are synchronized within 10 seconds.

2. Check that the reset command is not given periodically (at intervals shorter than 20 seconds).
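The two timing checks described in the SafeNet Peer ID sections (here and under “System”), written out as an added example rather than Honeywell's code: the 10 s and 20 s limits come from the manual, the rejection of a command stamped in the future (sender clock running ahead) is an assumption, and the command sequences are constructed.

```python
from typing import List, Optional, Tuple

MAX_COMMAND_AGE_S = 10   # manual: a command older than 10 s is rejected
MIN_INTERVAL_S = 20      # manual: commands at intervals of 20 s or less are rejected


def validate_remote_reset(command_time: float, receiver_now: float,
                          last_command_time: Optional[float] = None,
                          max_age_s: float = MAX_COMMAND_AGE_S,
                          min_interval_s: float = MIN_INTERVAL_S) -> Tuple[bool, str]:
    """Return (accepted, reason).

    command_time is the timestamp the sender put in the command (sender clock);
    receiver_now and last_command_time are on the receiving SM Controller's clock,
    so a clock offset between the two systems shows up as command age.
    """
    age = receiver_now - command_time
    # Assumption: a command stamped in the future is rejected as well, since the
    # manual requires the clocks to agree within 10 s in either direction.
    if abs(age) > max_age_s:
        return False, (f"command age {age:+.1f} s exceeds {max_age_s} s: "
                       "check clock synchronization")
    if last_command_time is not None and receiver_now - last_command_time <= min_interval_s:
        return False, (f"only {receiver_now - last_command_time:.1f} s since the previous "
                       f"reset command (limit {min_interval_s} s): check for a periodic reset")
    return True, "accepted"


def replay_reset_sequence(command_times: List[float],
                          clock_offset_s: float) -> List[Tuple[float, bool, str]]:
    """Feed a constructed sequence of reset commands (receiver-clock arrival times)
    through the checks. clock_offset_s is how far the sender clock lags the receiver."""
    results = []
    last: Optional[float] = None
    for t in command_times:
        ok, reason = validate_remote_reset(t - clock_offset_s, t, last)
        results.append((t, ok, reason))
        last = t
    return results


if __name__ == "__main__":
    for row in replay_reset_sequence([0.0, 15.0, 40.0], clock_offset_s=0.0):
        print(row)   # second command rejected: only 15 s after the first
    for row in replay_reset_sequence([0.0, 30.0, 60.0], clock_offset_s=12.0):
        print(row)   # all rejected: sender clock 12 s behind the receiver
```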


Communication point values are unreliable

Communication points do come across but the values change inconsistently or erratically. The readout is unreliable.

Cause

There is an issue with the addressing, scaling or signal type configuration in either Safety Manager or the other system.

Solution

Refer to the point related sections in “Troubleshooting Experion anomalies” on page 26 for details.


Diagnostic messages

Diagnostic messages are essential when analyzing problems related to Safety Manager.

It is mandatory that you can call-up and interpret diagnostic messages. To interpret diagnostic messages you should focus on the module ID.

The module ID can be found on every diagnostic screen.

• For information about Experion Station displays, related to Safety Manager (“system information” and “diagnostics”), refer to the Experion User Documentation (Experion Safety Manager Integration Guide).

• Safety Builder provides extensive means to display and log diagnostic messages. For instructions on how to call up diagnostic displays using Safety Builder see Diagnostic tools.

See “Diagnostic messages” on page 105 for a detailed list of diagnostic messages and how to interpret them.


5 Maintenance

This section covers the following topics:

Topic See

Corrective maintenance precautions page 44

Corrective maintenance page 48

Preventive maintenance of Safety Manager page 49


Corrective maintenance precautions

For corrective maintenance of the Safety Manager hardware, several actions and precautions may be necessary. These are described in the following sections:

• “Actions before corrective maintenance” on page 44

• “Actions during corrective maintenance” on page 46

• “Actions after corrective maintenance” on page 47

On-line modification

On-line modification (OLM) is a TUV-approved Safety Manager option which allows you to modify the Safety Manager hardware, application software and the system software of Safety Managers with a redundant Controller, while the system remains operational.

During on-line modification, the changes are implemented in the application of the Control Processor one by one. Meanwhile the other Control Processor continues to safeguard the process.

The interference during on-line service or modification to Safety Manager increases the risk of an error which may result in an alarm or error or a stop of one or both Control Processors. This may result in a total plant stop. It is highly recommended to perform only service or modification work if it is really required and the process allows it.

For more information see The On-line Modification Guide.

Actions before corrective maintenance

Before work on the Safety Manager cabinet

Depending on the tasks to be performed on the Safety Manager cabinet, a number of actions need to be taken before corrective maintenance on the Safety Manager hardware can be carried out. These actions are required to ensure that the work on the Safety Manager cabinet is performed without problems and within the given time frame.

Attention

Any human interaction during corrective maintenance in Safety Manager must be carried out with utmost care, and by authorized and qualified persons only.


These actions may include amongst others:

• Checking for the correct spare parts.

• Checking the tools.

• Contacting the operator.

• Organizing other parties (if any).

• Arranging and checking permits.

These items are discussed in more detail below.

Checking spare parts

Make sure that the spare modules are of the correct type and compatible with the modules used in the installed system(s). This can be checked by verifying the module names and numbers, and the version numbers. The module name and number must match. It is recommended that the version number of the replacement module is equal to or higher than the module to be removed. If in doubt, please check the Technical Data of the relevant section of the hardware manual to check compatibility. This information can be found on the module.

If the module name and number of the spare module are not identical, remove that module from stock and order the correct module.

Checking tools

Before starting corrective maintenance on the Safety Manager cabinet, make sure that the required tools are in order. The following tools are required as a minimum:

• Safety Station (including all required software).

• Digital multimeter (voltage, current, and resistance).

• Pliers or spanners.

• Screwdriver set (both flatblade and Phillips or Torx).

• Several pairs of tongs.

• Spanner set (10 mm, 12 mm, 13 mm, 14 mm, etc.).

Note

The above mentioned actions are recommended by Honeywell SMS. Where applicable, customer or plant procedures may override them or demand additional actions.

Note

It is essential that the availability of spare parts is regularly checked to avoid problems when they are urgently needed.

Contacting the operator

Make sure that the operator is contacted before the start of corrective maintenance.

The operator will determine if it is acceptable to perform corrective maintenance at that time.

Organizing other parties

Assistance from other parties may be required during corrective maintenance on Safety Manager cabinets. Make sure that all required parties are contacted and arrangements are made.

Permits

Make sure that all permits required to perform corrective maintenance on the Safety Manager cabinet are available and signed by the appropriate responsible parties.

Actions during corrective maintenance

During work on the Safety Manager cabinet

Depending on the tasks to be performed on the Safety Manager cabinet, a number of actions need to be taken while corrective maintenance is being carried out on the Safety Manager cabinet. These actions are required to ensure that the work on the Safety Manager cabinet is performed without problems and within the given time frame. These actions can include:

Contacting the operator

Make sure that the operator is kept informed on the progress of the corrective maintenance.

Contacting other parties

Make sure that other parties involved are kept informed and/or report on the progress of the corrective maintenance.

Note

The above mentioned actions are recommended by Honeywell SMS. Where applicable, customer or plant procedures may override them or demand additional actions.


Actions after corrective maintenance

After work on the Safety Manager cabinet

Depending on the tasks to be performed on the Safety Manager cabinet, a number of actions need to be taken after corrective maintenance has been carried out on the Safety Manager cabinet. These actions are required to ensure that the work on the Safety Manager cabinet is performed without problems and within the given time frame. These actions can include:

Contacting the operator

Make sure that the operator is informed that the corrective maintenance has been completed.

Permits

Make sure that all permits required to perform the corrective maintenance are signed and returned to the appropriate responsible parties.

Repairing defective items

If items of the Safety Manager cabinet have been replaced or removed during corrective maintenance, return these to Honeywell.

If items are found to be defective, they can be returned to Honeywell for further investigation and assessment of the repair cost.

Note

The above mentioned actions are recommended by Honeywell SMS. Where applicable, customer or plant procedures may override them or demand additional actions.

Corrective maintenance

Corrective maintenance is required if Safety Manager has generated an alarm or error message.

The steps for corrective maintenance are:

1 Safety Manager generates an alarm or error message.

2 The operator retrieves the cause of the message. See “Troubleshooting techniques” on page 15 to find a solution.

3 Depending on the reported alarm or error, certain modules may need replacement.

Attention

• An alarm or error message generated by Safety Manager requires immediate attention. An ignored alarm or error message may result in severe damage to the equipment, serious injury to people or a process shutdown.

• Replacement of equipment inside Safety Manager must be carried out with the utmost care, and by authorized and qualified persons only. If errors occur during the replacement of certain modules, Safety Manager may go to a safe state resulting in a process shutdown.


Preventive maintenance of Safety Manager

Overview

Preventive maintenance is necessary to prevent faults in Safety Manager. It focuses on the most critical elements in a Safety Manager cabinet and can be split into:

• Regular preventive maintenance (page 50).

• Preventive maintenance when Safety Manager is switched off (page 59).

Checklists

Checklists can be used during preventive maintenance. Refer to “Checklists” on page 71.


Regular preventive maintenance

Overview

Maintenance operations (see page):

• Checking for cable damage (page 50)

• Checking the voltages to the Control Processor (page 51)

• Checking the BKM battery (page 52)

• Checking the temperature in the Control Processor (page 53)

• Checking for airflow obstruction (page 54)

• Checking the operation of the fans (page 54)

• Checking for the status of the SM universal IO module (page 55)

• Checking for earth faults (page 55)

• Checking the loop status of signals (page 57)

• Checking the forced status of signals (page 57)

• Checking for paint damage (page 58)

• Checking the availability of spare parts (page 58)

• Checking the system diagnostics (page 58)

• Checking the backup of the Controller file (page 58)

Checking for cable damage

Check all cables end-to-end visually for damage.

Check that:

• end connectors are well seated

• excessive cable is tied together

• cable loops are tied together and do not obstruct access to the cabinet interior

• protective plates and covers are well seated and not polluted

• cables and connectors are not damaged by:

- wear

- mechanical stress

- jamming between moving parts (doors, hinged panels etc.)

- vermin (rats, insects and such)

Warning

Do not pull cable ends or connectors to check if they are well seated, check visually!

Checking the voltages to the Control Processor

Each Control Processor contains a power supply unit (PSU, type PSU-240516) which converts the incoming 24 Vdc to 5 Vdc to supply the Control Processor modules and IO modules.

The Control Processors are also connected to a Battery and Key switch module (BKM). The BKM module contains non-rechargeable (lithium) batteries for the back-up power of the system memory (RAM) and the real time clock on the QPP modules.

The voltages of the Control Processor can be checked with:

• The QPP display (see Figure 3 on page 51).

• Safety Builder. See “Controller Management” on page 338.

For technical details refer to “General info about Control Processor modules” on page 238.

Checking with the QPP display

The following information can be retrieved from the QPP display:

• PSU voltage is outside its range

• BKM battery voltage is too low

Figure 3 The user interface of the QPP display: a display with Up and Down push buttons


PSU voltage is outside its range

The PSU voltage must be between 4.75 Vdc and 5.25 Vdc. If the voltage is out of range, the Control Processor stops.

Perform the following steps to check if the voltage of the PSU is outside its range:

1 Press the Up button on the QPP a number of times until the 5 Vdc output voltage is displayed.

2 If the PSU voltage is outside its range, the PSU requires calibration (for PSU voltage range specifications see PSU-240516). Return the PSU to Honeywell. Refer to “Handling and ordering spare parts” on page 81 for details.

The QPP display reverts automatically to the default status message after 30 seconds. For more information see “QPP display messages” on page 102.

BKM battery voltage is too low

The battery voltage must be higher than the data retention voltage which is 3.1 V. The data retention voltage is the minimum voltage at which the RAM circuits can correctly retain their content. For more information see “Checking the BKM battery” on page 52.

Perform the following steps to check the battery voltage:

1 Press the Up button on the QPP a number of times until the battery voltage is displayed.

2 If the voltage is too low, replace the batteries in the BKM.

The QPP display reverts automatically to the default status message after 30 seconds. For more information see “QPP display messages” on page 102.

Checking the BKM battery

Note

This check has to be done for each Control Processor in Safety Manager™ separately.

Notes:

1 It is recommended to replace the BKM batteries every five years.

2 The normal operating voltage of the batteries lies between 3.6 Vdc and 3.8 Vdc. A 3.2 Vdc battery is practically drained.


The BKM-0001 module contains non-rechargeable (lithium) batteries for the back-up power of the system memory (RAM) and the real time clock on the QPP-0001 modules.

If the 24 Vdc to the Control Processor is not present, these batteries ensure that the information in the RAM is retained.

Full batteries have sufficient power to retain the data in the RAM for three months. After a three-month period of battery backup use, replace the batteries in the BKM.

Checking the temperature in the Control Processor

The Quad Processor Pack module (QPP, type QPP-0001) is equipped with temperature sensors. They monitor the temperature in the Control Processor.

The following temperature limits are set during the hardware configuration of Safety Manager:

• Low temperature alarm

• Low temperature shutdown

• High temperature alarm

• High temperature shutdown

The temperature is logged and can be printed in Safety Builder.

If the temperature goes outside the temperature alarm range, an alarm is generated.

If the temperature goes outside the temperature shutdown range, the affected Control Processor automatically stops.

The temperature in the Control Processor can be checked with:

• The QPP display (see Figure 3 on page 51).

• Safety Builder. See “Controller Management” on page 338.

For technical details refer to “General info about Control Processor modules” on page 238.

Checking with the QPP display

Note

This check has to be done for each Control Processor in the SM Controller separately.

Perform the following steps to check the temperature in the SM Controller:

1 Press the Up button on the QPP a number of times until the temperature is displayed.

2 Check if the temperatures displayed are well within the limits specified with Safety Builder (Hardware Configurator-SM Controller properties).

3 If the temperatures are close to the defined setpoints, check the following:

• Check the operation of the air-conditioning and fans (page 54).

• Make sure that the air filters are not obstructed or dirty (page 54).

The QPP display reverts automatically to the default status message after 30 seconds. For more information see “QPP display messages” on page 102.

Checking for airflow obstruction

Most Safety Managers have fans in the roof and air filters in the door for a forced airflow inside the Safety Manager enclosure.

Check the following to ensure the airflow is correct:

• Check for obstruction of the fans. Obstructions can cause the fans to malfunction and lead to dangerous situations.

• Check for obstruction of the filters. In normal situations the air enters the Safety Manager enclosure via the filters. If filters are obstructed:

- unfiltered (false) air containing dust particles may enter via other routes. The dust particles may cause the equipment to malfunction.

- convection cooling may be reduced, causing temperature rises inside the enclosure.

Checking the operation of the fans

All fans must be operational. If a fan in Safety Manager fails, the temperature inside Safety Manager rises.

If the temperature detected by the QPP sensors goes outside the temperature shutdown range, the affected Control Processor automatically stops.

Perform the following steps to check all fans:

1 Check if all fans function properly.

2 If a fan fails, check the appropriate fuse or circuit breaker in Safety Manager.

3 If a fuse has blown, replace it. Make sure that the new fuse has the correct dimensions and rating. If the fuse blows instantly again, there are two options:

• The fan is faulty and requires replacement.

• There is a short circuit. Use a multimeter to check the wiring.

4 If a circuit breaker has tripped, switch it back on. If the circuit breaker trips instantly again, there are three options:

• The circuit breaker is faulty and requires replacement. Make sure that the new circuit breaker has the correct rating.

• The fan is faulty and requires replacement.

• There is a short circuit. Use a multimeter to locate the short circuit in the wiring.

For details on the rating of the fuse or circuit breaker refer to the power distribution drawings (see Power concept).

For details on the exact locations of the fuses and circuit breakers refer to the cabinet layout drawings (see System cabinets).

Note

It is recommended to replace a fan after 8 years of operation.

Checking for the status of the SM universal IO module

The steps below apply if your configuration includes one or more SM universal IO modules. If it does, carry out these steps for each cabinet that contains SM universal IO modules.

1 Check that the power supply meets the specified value.

2 Check the 24 Vdc connection with the carrier.

3 Check the Ethernet connections.

4 Check for mechanical damage.

Checking for earth faults

This test only needs to be performed if earth leakage detection (ELD) devices are present in Safety Manager.

Check the power distribution drawings (see Power concept) to see if an ELD module has been installed.

For details on the exact location of an ELD module, refer to the cabinet layout drawings (see System cabinets).

Analyze LED activity on ELD

An ELD has two LEDs, which have the following meaning:

• Mode LED, flashing green: ELD is operational.

• Fault LED, steady red: Earth fault detected. Put the switch on the ELD in the Reset position. If the red LED remains on, the earth fault still exists and should be located.

Test operation ELD

Verify the correct operation of the ELD by checking the auxiliary contact of the ELD. The auxiliary contact of the ELD is normally wired to a digital input module in Safety Manager or to terminals for external use. Under normal conditions (that is, no earth fault detected), the digital input is high. If wired to terminals, the contact connected to these terminals is closed. This should be checked on the external device.

The correct operation of the ELD can only be tested if no earth fault is present. Perform the following steps to test the ELD:

1 Put the bottom switch on the ELD in the Test position. The red Fault LED should start flashing.

2 Put the bottom switch on the ELD in the Reset position. The red Fault LED should go off.

How to solve earth faults

The procedure for tracing an earth fault is identical for both types of earth leakage detectors. The following equipment is required to trace an earth fault:

• Current clamp (for example the DCM300E digital clamp with indicator meter from AVO International).

If the clamp is placed on a cable which has no earth fault, the indicator meter stays steady. If the clamp is placed on a cable with an earth fault, the signal will pulse due to the frequency generated by the ELD. Please note that the frequency and signal value of the ELD are very small compared to, for example, a 50 Vac/50 Hz signal.

Perform the following steps to trace the earth fault:

1 Test operation of the ELD. If the red LED remains on, proceed with the next step.

2 Make sure that the top switch of the ELD is in the 1/4 Hz position.

3 Place the clamp on the cable at the top of the loom which goes from the swing frame to the rear of Safety Manager.

4 Wait for 8 seconds to see if the signal on the indicator display is pulsing.

Note

Do not remove the clamp too soon. An earth fault will not be detected if the cable clamp is removed too soon.

5 If no earth fault is detected, place the clamp on the next cable loom. Repeat this step until the earth fault is detected. At this point the chassis in which the earth fault is present is identified. To narrow your search, proceed as follows:

6 Check each SIC cable at the rear of the IO chassis until you locate the earth fault.

7 Once you know which module is affected, locate the corresponding FTA using the termination details.

8 Check each signal pair connected to the FTA until you locate the earth fault. The cause of the earth fault is most likely located at the field device.

9 Put the bottom switch on the ELD in the Reset position.

10 Test the operation of the ELD again. If the red LED remains on, another earth fault exists.

11 Repeat the above steps until all earth faults have been corrected.

Checking the loop status of signals

Check the loop status of points which report a loop fault with the Loop Monitoring option in Safety Builder. See Controller Management.

Checking the forced status of signals

Note

This part contains instructions to use Application Viewer. Where this is done you can also use Point Viewer, provided that the points you want to monitor are added to one or more (user-)defined screens.

It is important to check if forced signals in Safety Manager still need to be forced. You can check forced signals with the Application Viewer of Safety Builder. In the Application Viewer you can locate points in the Functional Logic Diagrams (FLDs) and check their properties. Points marked with “F” are forced. See Application Viewer for more details.

Checking for paint damage

Prevent corrosion of Safety Manager by inspecting Safety Manager regularly for paint damage. Touch up damaged spots immediately.

The standard colors are:

• RAL 7035 (light gray), used for the cabinet enclosure.

• RAL 7022 (dark gray), used for the plinth.

Depending on customer requirements, other colors may be used.

Checking the availability of spare parts

To avoid problems with spare parts when they are urgently needed, it is essential to check if:

• Sufficient spare parts are available to replace defective parts.

• Additional spare parts are required (for example if a new Safety Manager is delivered).

If required, Honeywell can test the spare parts. For more information please contact your local Honeywell representative.

Checking the system diagnostics

The system diagnostics provide important information on the system status. To guarantee problem-free operation of Safety Manager, it is essential to regularly check the system diagnostics with Safety Builder. For more information see Controller Management.

Checking the backup of the Controller file

Make sure that a backup is available which comprises the most recent version of the Controller file. For making and restoring backups see Backup, restore and logging.


Preventive maintenance when Safety Manager is switched off

Overview

Maintenance operations (see page):

• Checking all items that need to be checked every three months (page 50)

• Checking DC voltages (page 59)

• Checking power distribution fuses (page 61)

• Checking AC voltages (page 62)

• Checking the correct operation of the PSUs (page 62)

• Checking for dust concentration (page 63)

• Replacing dust filters (page 63)

• Checking the fasteners on the power distribution rails (page 64)

• Checking cable clamps (page 64)

• Checking shield connections (page 65)

• Checking earth/ground connections (page 66)

• Testing hardware IO (page 67)

• Testing the communication links to external devices (page 68)

Checking DC voltages

The DC voltages in Safety Manager must be within certain levels. If they are outside their range, the Control Processor stops.

The DC voltages can be split into two groups of voltages:

• Supplied externally.

• Generated by power supply units in Safety Manager.

These items are discussed in more detail below.

Externally supplied voltages

Perform the following steps to check the externally supplied DC voltages:

1 Measure the DC voltages on the incoming fuse terminals or mains circuit breakers located in Safety Manager with a multimeter.

2 The voltages must be within the following ranges:

Voltage and range:

110 Vdc: +25% / –15%

60 Vdc: +15% / –15%

48 Vdc: +15% / –15%

24 Vdc: +30% / –15%

ELECTRIC SHOCK WARNING

Equipment with high voltages (for example over 60 Vdc or 75 Vac) is covered with protective plates or covers. If these voltages are present, take extra precautions when the protective plates or covers are removed. After checking the voltages, make sure that you put the protective plates or covers back into place.

It is recommended that the incoming 24 Vdc voltage is adjusted to 25 Vdc (identical to the approved Delta power supply units supplied by Honeywell SMS). This compensates the voltage drop in Safety Manager so that the voltage at the modules will always be in accordance with requirements.

For details on the exact locations of the fuses and mains circuit breakers refer to the cabinet layout drawings (see System cabinets).

For details on the voltages for specific Safety Managers refer to the power distribution drawings (see Power concept).

Voltages generated by PSUs

Perform the following steps to check the DC voltages generated by power supply units (PSUs) in Safety Manager:

1 Measure the DC voltages on the bus bar or circuit breaker chassis located in Safety Manager with a multimeter.

2 The voltages must be within the ranges as defined below:

Voltage and range:

110 Vdc: +25% / –15%

60 Vdc: +15% / –15%

48 Vdc: +15% / –15%

24 Vdc: +30% / –15%

ELECTRIC SHOCK WARNING

Equipment with high voltages (for example over 60 Vdc or 75 Vac) is covered with protective plates or covers. If these voltages are present, take extra precautions when the protective plates or covers are removed. After checking the voltages, make sure that you put the protective plates or covers back into place.

It is recommended that the incoming 24 Vdc voltage be adjusted to 25 Vdc (identical to the approved Delta power supply units supplied by Honeywell SMS). This compensates the voltage drop in Safety Manager so that the voltage at the modules will always be in accordance with requirements.

For details on the exact locations of the bus bars and circuit breaker chassis refer to the cabinet layout drawings (see System cabinets).

For details on the voltages for specific Safety Managers refer to the power distribution drawings (see Power concept).

Checking power distribution fuses

If separate power supply unit cabinets are used, fuses may be installed in the power distribution between Safety Managers.

Perform the following steps to check the power distribution fuses:

1 Check if a fuse has blown.

2 If a fuse has blown, replace the fuse. Make sure that the new fuse has the correct dimensions and rating.

For details on the exact locations of the fuses refer to the cabinet layout drawings (see System cabinets).

For details on the applicable fuse ratings refer to the power distribution drawings (see Power concept).
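The DC voltage ranges above are given as a nominal value plus a tolerance, while the PSU 5 Vdc window and the BKM battery thresholds earlier in this chapter are given as absolute values. The following Python script is an added worked example, not code from the Honeywell guide or from Safety Builder: it turns those figures into absolute limits and classifies a constructed set of multimeter readings against them, so the technician knows the exact pass/fail voltage before opening the cabinet. The reading labels, the reading kinds ("feeder", "psu5v", "bkm") and the function names are this example's own assumptions, not Safety Manager terminology.

```python
"""Worked check of the voltage windows quoted in this guide.

Added example, not part of the Honeywell guide. It converts the DC feeder
tolerance table (nominal Vdc, +x% / -y%), the PSU-240516 5 Vdc output window
and the BKM battery thresholds into absolute limits and classifies readings.
Reading labels, reading kinds and function names are this example's own.
"""

# DC feeder tolerance table from the guide: nominal Vdc -> (upper %, lower %).
DC_FEEDER_TOLERANCES = {
    110: (25, 15),
    60: (15, 15),
    48: (15, 15),
    24: (30, 15),
}

# PSU-240516 5 Vdc output window and BKM battery thresholds from the guide.
PSU_5V_RANGE = (4.75, 5.25)
BKM_RETENTION_V = 3.1          # minimum voltage at which the RAM retains its content
BKM_DRAINED_V = 3.2            # a battery at this voltage is practically drained
BKM_NORMAL_RANGE = (3.6, 3.8)  # normal operating band of the batteries


def feeder_limits(nominal):
    """Absolute (low, high) limits in volts for a nominal DC feeder voltage."""
    up_pct, down_pct = DC_FEEDER_TOLERANCES[nominal]
    low = round(nominal * (1 - down_pct / 100), 2)
    high = round(nominal * (1 + up_pct / 100), 2)
    return low, high


def check_feeder(nominal, measured):
    """Classify an externally supplied or PSU-generated DC voltage."""
    low, high = feeder_limits(nominal)
    if measured < low:
        return "LOW"
    if measured > high:
        return "HIGH"
    return "OK"


def check_psu_5v(measured):
    """Classify the 5 Vdc PSU output as shown on the QPP display."""
    low, high = PSU_5V_RANGE
    return "OK" if low <= measured <= high else "OUT_OF_RANGE"


def check_bkm_battery(measured):
    """Classify a BKM battery reading; anything below NORMAL needs action."""
    if measured < BKM_RETENTION_V:
        return "BELOW_RETENTION"   # RAM content can no longer be guaranteed
    if measured <= BKM_DRAINED_V:
        return "DRAINED"           # replace the batteries now
    if measured < BKM_NORMAL_RANGE[0]:
        return "LOW"               # below the normal band, plan replacement
    return "NORMAL"


# Constructed sample readings (label, kind, nominal, measured); not real plant data.
SAMPLE_READINGS = [
    ("incoming feeder F1", "feeder", 24, 25.1),   # at the recommended 25 Vdc
    ("incoming feeder F2", "feeder", 24, 19.9),   # below 24 Vdc - 15%
    ("bus bar 48 Vdc", "feeder", 48, 56.0),       # above 48 Vdc + 15%
    ("CP1 PSU 5 Vdc out", "psu5v", None, 5.02),
    ("CP2 PSU 5 Vdc out", "psu5v", None, 4.70),
    ("CP1 BKM battery", "bkm", None, 3.72),
    ("CP2 BKM battery", "bkm", None, 3.20),
]


def check_readings(readings):
    """Return a list of (label, verdict) for every reading."""
    results = []
    for label, kind, nominal, measured in readings:
        if kind == "feeder":
            verdict = check_feeder(nominal, measured)
        elif kind == "psu5v":
            verdict = check_psu_5v(measured)
        elif kind == "bkm":
            verdict = check_bkm_battery(measured)
        else:
            raise ValueError(f"unknown reading kind: {kind}")
        results.append((label, verdict))
    return results


def findings(readings):
    """Only the readings that need action (everything that is not OK/NORMAL)."""
    return [(label, v) for label, v in check_readings(readings)
            if v not in ("OK", "NORMAL")]


if __name__ == "__main__":
    for nominal in sorted(DC_FEEDER_TOLERANCES, reverse=True):
        low, high = feeder_limits(nominal)
        print(f"{nominal:>4} Vdc feeder: {low} .. {high} V")
    for label, verdict in check_readings(SAMPLE_READINGS):
        print(f"{label:<20} {verdict}")
```

Run stand-alone, the script prints the absolute window for each nominal feeder voltage (for example 24 Vdc is acceptable between 20.4 V and 31.2 V) followed by one verdict per constructed reading; `findings()` returns only the readings that need follow-up, which is the list a maintenance checklist would carry forward.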

Checking AC voltages

Incoming AC voltages connected to Safety Manager via fuse terminals or circuit breakers must be within defined levels.

Perform the following steps to check the AC voltages:

1 Measure the AC voltage on the incoming side of the fuse terminals with a multimeter.

2 Measure the AC voltage on the incoming side of the mains circuit breaker with a multimeter. If the voltage of an incoming AC feeder does not meet the requirements of the PSUs specified in PSU-240516, Safety Manager and equipment may be damaged or not function properly.

ELECTRIC SHOCK WARNING

Equipment with high voltages (for example over 60 Vdc or 75 Vac) is covered with protective plates or covers. If these voltages are present, take extra precautions when the protective plates or covers are removed. After checking the voltages, make sure that you put the protective plates or covers back into place.

For details on the exact locations of the fuse terminals and mains circuit breakers of the incoming feeders refer to the cabinet layout drawings (see System cabinets).

For details on the number of feeders and the required voltages refer to the power distribution drawings (see Power concept).

Checking the correct operation of the PSUs

To ensure correct operation of Safety Manager, the AC/DC power supply units located in Safety Manager have to be operational and functioning properly.

ELECTRIC SHOCK WARNING

Equipment with high voltages (for example over 60 Vdc or 75 Vac) is covered with protective plates or covers. If these voltages are present, take extra precautions when the protective plates or covers are removed. After checking the voltages, make sure that you put the protective plates or covers back into place.


Perform the following steps to check the AC/DC PSUs:

1 Check whether the LED on each AC/DC power supply unit is on.

2 Check the voltage-monitoring contact of the PSUs. The voltage-monitoring contact of each PSU is wired to a digital input module in Safety Manager or to terminals for external use. (The contacts of the PSUs may be wired in series or individually, depending on the customer requirements.) Under normal conditions, all digital inputs wired from the PSUs must be high. If wired to terminals, the contact connected to these terminals must be closed. This should be checked on the external device.

For details on the exact locations of the AC/DC PSUs and terminals refer to the cabinet layout drawings (see System cabinets).

For details on the wiring of the voltage-monitoring contact of the AC/DC PSUs refer to the power distribution drawings (see Power concept).

Checking for dust concentration

Safety Manager needs to be checked for dust concentration regularly.

WARNING

To check for dust concentration, the Control Processor modules and IO modules have to be removed from the Controller chassis and IO chassis. To do this without risk of personal injury or equipment damage, Safety Manager must be stopped. For details see Normal operation.

At least the following items need to be checked:

• Control Processor modules

• IO modules

• Circuit breakers

• Power supply units

• SM universal IO modules (if installed)

If excessive dust concentrations are found, remove the dust with a soft anti-static brush and clean the inside of Safety Manager with a vacuum cleaner.

Do not use pressurized air!

Replacing dust filters

Every Safety Manager has dust filters. These filters are normally mounted in the front and rear doors. Before replacing the dust filter, make sure that sufficient new dust filters are available.

Perform the following steps to replace a dust filter:

1 Remove the cover from the filter.

2 Replace the old dust filter by a new one.

3 Place the cover back on the filter.

For details on the exact locations of filters refer to the cabinet layout drawings (see System cabinets).

Checking the fasteners on the power distribution rails

If separate power supply unit cabinets are used, power distribution rails may be present in Safety Manager and the power supply unit cabinet. The fasteners on the power distribution rails need to be checked.

ELECTRIC SHOCK WARNING

Equipment with high voltages (for example over 60 Vdc or 75 Vac) is covered with protective plates or covers. If these voltages are present, take extra precautions when the protective plates or covers are removed. After checking the voltages, make sure that you put the protective plates or covers back into place.

Caution

Be very careful during the inspection of the fasteners on the power distribution rails. A short circuit may stop Safety Manager.

Perform the following steps to check the fasteners:

1 Remove the protective plate or cover from the power distribution unit.

2 Check if the fasteners are properly connected.

3 Place the protective plate or cover back on the power distribution unit.

For details on the exact locations of the power distribution rails refer to the cabinet layout drawings (see System cabinets).

For details on the tightening torque of the fasteners refer to the data sheets of the manufacturer.

Checking cable clamps

The cables entering Safety Manager are clamped to a cable support or clamp rail. These cable clamps may be mounted in Safety Manager or below a false floor.

Page 83: Safety Manager Troubleshooting and Maintenance Guide Infi90 Documentation... · 2018-10-24 · vii Task-oriented guides A task-oriented guide provides both procedural and basic knowledge

Preventive maintenance when Safety Manager is switched off

Safety Manager Troubleshooting and Maintenance Guide 65

If the cables are no longer clamped to the cable support or clamp rail, the weight of the cables can put tension on the connections of the cables. This may result in signal loss and eventually a shutdown of Safety Manager.

Perform the following steps to check the cable clamps:

1 Check visually if the cables are properly clamped to the cable support or clamp rail.

2 If they are not properly clamped, tighten the cable clamps or add new cable clamps.

For details on the exact locations of the cable support or clamp rails refer to the cabinet layout drawings (see System cabinets).

For details on the tightening torque of the cable clamps refer to the data sheets of the manufacturer.

Checking shield connections

The shields of the field and system cables that carry signals of certain modules must be connected to clamp rails (see Figure 4 on page 65). This is in accordance with CE requirements. Check if these cables are properly connected.

[Figure 4 Bonding of shielded cables: shielded cables (stripped), cable clamps, cable clamp rails]

This requirement applies to signals of the following module types:

• SAI-0410 (analog input module)

• SDOL-0424 (loop-monitored digital output module)

Checking earth/ground connections

Three different earth/ground bars may be available in Safety Manager:

• Safety earth/ground

• Instrument earth/ground (also called master reference ground, or MRG)

• Ex(i) earth/ground

A correct earth/ground connection is required to ensure proper operation of Safety Manager.

Safety earth/ground

All mechanical parts of Safety Manager are connected to the safety earth/ground bar.

An earth strap connects the structure of Safety Manager to the safety earth/ground bar. Make sure that the safety earth/ground is properly connected.

The cable of the plant safety earth/ground can be connected to the safety earth/ground bar or a safety earth/ground bolt in Safety Manager.

Instrument earth/ground

The instrument earth/ground bar is used to connect the shields of field cables and the instrument earth/ground wire of the communication modules. Make sure that the instrument earth/ground is properly connected.

The cable of the plant instrument earth/ground can be connected to the instrument earth/ground bar in Safety Manager.

Ex(i) earth/ground

The Ex(i) earth/ground bar is used for the earth connection of Ex(i) equipment. Make sure that the Ex(i) earth/ground is properly connected.

The cable of the plant Ex(i) earth/ground can be connected to the Ex(i) earth/ground bar in Safety Manager.

Testing hardware IO

Hardware IO can be tested when Safety Manager does not control and monitor the process (for example during a scheduled process shutdown).

Use one of the following procedures:

• Safety Manager with a redundant Controller, and redundant and non-redundant IO.

• Safety Manager with a non-redundant Controller and non-redundant IO.

Safety Manager with a redundant Controller

Note

This part contains instructions to use Application Viewer. Where this is done you can also use Point Viewer, provided that the points you want to monitor are added to one or more (user-)defined screens.

Note

• During this procedure one of the Control Processors is stopped. Before starting the procedure, make sure that the other Control Processor is fully operational.

• The procedure below assumes that Safety Manager is no longer controlling the process. Contact the operators for confirmation.

• After successful completion of this procedure, the redundant operation of all hardware IO has been proved.

WARNING

Make sure that the field equipment is not connected.

Perform the following steps to test the hardware IO:

1 Stop Control Processor 1 as described in. From this point onward, the hardware IO is tested while Control Processor 2 is operational.

2 Simulate the digital and analog inputs of Safety Manager.

• Simulate on the terminals of the FTAs, terminals mounted in Safety Manager, or the marshalling cabinet.

• Monitor the status of the digital and analog inputs in the Application Viewer of Safety Builder. See “Application Viewer” on page 382.

3 Simulate the digital and analog outputs of Safety Manager.

• Monitor the status of the digital and analog outputs in the Application Viewer of Safety Builder. See “Application Viewer” on page 382.

• Measure the digital and analog output terminals of the FTAs, terminals mounted in Safety Manager, or the marshalling cabinet.

4 Start Control Processor 1 as described in Starting a Control Processor.

5 Repeat steps 1 to 4 for Control Processor 2.

Safety Manager with a non-redundant Controller

Perform the following steps to test the hardware IO:

1 Simulate the digital and analog inputs of Safety Manager.

• Simulate on the terminals of the FTAs, terminals mounted in Safety Manager, or the marshalling cabinet.

• Monitor the status of the digital and analog inputs in the Application Viewer of Safety Builder. See “Application Viewer” on page 382.

2 Simulate the digital and analog outputs of Safety Manager.

• Monitor the status of the digital and analog outputs in the Application Viewer of Safety Builder. See “Application Viewer” on page 382.

• Measure the digital and analog output terminals of the FTAs or terminals mounted in Safety Manager or the marshalling cabinet.

Testing the communication links to external devices

Communication links to external devices can be tested when Safety Manager does not control and monitor the process (for example during a scheduled process shutdown).

Use one of the following procedures:

• Safety Manager with a redundant Controller and redundant and non-redundant IO.

• Safety Manager with a non-redundant Controller and non-redundant IO.

Note

The procedure below assumes that Safety Manager is no longer controlling the process. Contact the operators for confirmation.

Safety Manager with a redundant Controller

Note

This part contains instructions to use Application Viewer. Where this is done you can also use Point Viewer, provided that the points you want to monitor are added to one or more (user-)defined screens.

Note

• During this procedure one of the Control Processors is stopped. Before starting the procedure, make sure that the other Control Processor is fully operational.

• The procedure below assumes that Safety Manager is no longer controlling the process. Contact the operators for confirmation.

• After successful completion of this procedure, the redundant operation of all communication links has been proved.

Perform the following steps to test the communication links:

1 Stop Control Processor 1 as described in Stopping Safety Manager. From this point onward, the communication links are tested while Control Processor 2 is operational.

2 Simulate the digital and binary inputs of Safety Manager.

• Simulate via the external devices connected to Safety Manager.

• Monitor the status of the digital and binary inputs in the Application Viewer of Safety Builder. See “Application Viewer” on page 382.

3 Simulate digital and binary outputs of Safety Manager.

• Monitor the digital and binary outputs in the Application Viewer of Safety Builder. See “Application Viewer” on page 382.

• Check the connection to Safety Manager via external devices.

4 Start Control Processor 1 as described in Starting a Control Processor.

5 Repeat steps 1 to 4 for Control Processor 2.

Safety Manager with a non-redundant Controller

Note

The procedure below assumes that Safety Manager is no longer controlling the process. Contact the operators for confirmation.

Perform the following steps to test the communication links:

1 Simulate the digital and binary inputs of Safety Manager.

• Simulate via the external devices connected to Safety Manager.

• Monitor the status of the digital and binary inputs in the Application Viewer of Safety Builder. See “Application Viewer” on page 382.

2 Simulate the digital and binary outputs of Safety Manager.

• Monitor the digital and binary outputs in the Application Viewer of Safety Builder. See “Application Viewer” on page 382.

• Check the connection to Safety Manager via external devices.

6 Checklists

This section provides the following checklists for preventive maintenance of a Safety Manager cabinet as described in “Preventive maintenance of Safety Manager” on page 49.

Checklist                                                       See
Checklist for regular maintenance                               page 73
Checklist for maintenance when Safety Manager is switched off   page 76

These checklists allow you to keep a record of information if problems arise.

The checklists consist of the following sections:

General information
Provides general information about the customer, plant and Safety Manager cabinet on which preventive maintenance is performed.

Safety Manager configuration items
Provides information about software versions, application versions, power-on mode, and so on. This information can be retrieved with Safety Builder. For details on how to retrieve this information refer to “Preventive maintenance of Safety Manager” on page 49.

Safety Manager system information
Provides information about Control Processor voltages and temperature sensors. For details on how to retrieve this information refer to “Preventive maintenance of Safety Manager” on page 49.

Items to be checked
Provides information about which items are to be checked during the preventive maintenance. For details refer to “Preventive maintenance of Safety Manager” on page 49.

Conclusion/comments
Contains general conclusions about the state of the Safety Manager cabinet and who is responsible for action.

Acceptance of checklist
After completion of the checks, the representative of the customer and Honeywell SMS sign the completed checklist.

Checklist for regular maintenance

Table 2 on page 73 contains a checklist to be used for regular maintenance.

Attention

If you use this checklist for an SMremote cabinet, items A-11 and A-12 do not apply.

Table 2 Checklist for regular maintenance

General information

Customer:
Date:
Plant name:
Customer representative:
Customer reference number:
Honeywell representative:
Honeywell reference number:
Safety Manager cabinet number:
Safety Manager application name:
SM remote cabinet number:

Safety Manager configuration items

Safety Manager software version:
Application version:
Online modification: Yes / No
Minimum execution time: ms
Maximum execution time: ms

Safety Manager system information

Battery voltage BKM (Vb): Vdc
Supply voltage (Vcc): CP 1: Vdc   CP 2: Vdc
Temperature (read from QPP): CP 1: °C/°F/K   CP 2: °C/°F/K
Temperature SM universal IO module: Mod. 1: °C/°F/K   Mod. 2: °C/°F/K

Items to be checked

Action item:   Checked OK:   Comments/notes:   Action by:

A-1: Check if Honeywell issued applicable Be-Awares and/or Product Notifications.
A-2: Check the voltages of the Control Processors.
A-3: Check the temperatures in the Control Processors.
A-4: Check for airflow obstruction.
A-5: Check the correct operation of fans.
A-6: Check for earth faults (if earth leak detection is available).
A-7: Check the loop status of signals.
A-8: Check the forced status of signals.
A-9: Check for paint damage.
A-10: Check the availability of spare parts.
A-11: Check system diagnostics.
A-12: Check the backup of the Safety Manager application files.

Conclusion / comments

Item:   Conclusion / comments:   Action by:

Name of customer representative:     Name of Honeywell representative:
Signature:                           Signature:
Date:                                Date:

Checklist for maintenance when Safety Manager is switched off

Table 3 on page 76 contains a checklist for maintenance, to be used when Safety Manager is switched off.

Table 3 Checklist for maintenance when Safety Manager is switched off

General information

Customer:
Date:
Plant name:
Customer representative:
Customer reference number:
Honeywell representative:
Honeywell reference number:
Safety Manager™ cabinet number:
Safety Manager application name:

Safety Manager configuration items

Safety Manager software version:
Application version:
Online modification: Yes / No
Minimum execution time: ms
Maximum execution time: ms

Safety Manager system information

                        Control Processor 1   Control Processor 2
Battery voltage BKM:    Vdc                   Vdc
Supply voltage:         Vdc                   Vdc
Temperature sensor 1:   °C/°F/K               °C/°F/K
Temperature sensor 2:   °C/°F/K               °C/°F/K

Items to be checked

Action item:   Checked OK:   Comments/notes:   Action by:

B-1: Check if Honeywell issued applicable Be-Awares and/or Product Notifications.
B-2: Check the voltages of the Control Processors.
B-3: Check the temperatures in the Control Processors.
B-4: Check for airflow obstruction.
B-5: Check the correct operation of fans.
B-6: Check for earth faults (if earth leak detection is available).
B-7: Check the loop status of signals.
B-8: Check the forced status of signals.
B-9: Check for paint damage.
B-10: Check the availability of spare parts.
B-11: Check system diagnostics.
B-12: Check the backup of the Safety Manager application files.
B-13: Check externally supplied DC voltages. (List the feeders with their voltage levels.)
B-14: Check DC voltages generated by PSUs in the Safety Manager cabinet. (List the PSUs with their voltage levels.)
B-15: Check the fuses in power distribution wiring.
B-16: Check the AC voltages. (List the feeders with their voltage levels.)
B-17: Check the correct operation of the PSUs.
B-18: Check for dust concentration.
B-19: Replace the dust filters.
B-20: Check the fasteners on the power distribution units.
B-21: Check cable clamps.
B-22: Check shield connections.
B-23: Check earth/ground connections.
B-24: Test hardware IO.
B-25: Test the communication links with external devices.

Conclusion / comments

Item:   Conclusion / comments:   Action by:

Name of customer representative:     Name of Honeywell representative:
Signature:                           Signature:
Date:                                Date:

7 Handling and ordering spare parts

This section provides information on handling and ordering of emergency spare parts. It covers the following topics:

Topic                                       See
Handling of defective products or parts     page 82
Ordering of emergency replacements          page 84

In these topics the following terminology is used:

Products

Products are hardware or software designed, manufactured and sold by Honeywell SMS.

Parts

Parts are single components from which products are manufactured.

Defects

A defect is a non-functionality in a product or part.

Repeatable defect

A repeatable defect is a non-functionality of a product or part which originates from the design or manufacturing specification.

Emergency replacements

Emergency replacements are products or parts required for the replacement of defective products or parts during a Factory Acceptance Test (FAT) at Honeywell premises and field defects which need emergency replacement. The quantities for emergency replacements are typically small and these parts may NOT be used for expansion or modification!


Handling of defective products or parts

Returning goods

Defective products and parts can be returned for repair to a local affiliate of Honeywell. They forward the defective products and parts to the global repair center.

Identification

The defective product or part shall be clearly identified with:

• Model number

• Serial number

• Description of the defect (for example the diagnostics)

• Shipping address

• Contact person

The product or part must be clearly marked as defective.

Analysis

The global repair center analyzes the returned product or part. On receipt the repair center verifies if the product or part:

• Is under warranty.

• Is defective.

• Can be repaired.

Repair

The product or part will be repaired only if it is economically justifiable. This depends on the cost estimate analysis:

• The sender will be notified if the repair costs are too high.

• If the costs are too high, the defective part will only be returned to sender on specific request and at the cost of the sender.

Invoices

The local affiliate will invoice the sender if the warranty period for the part has expired for:


• The amount of the repair costs (these never exceed the costs of a new module).

• Shipment costs.

Repair cost estimate

Before a part is actually shipped for repair, a repair cost estimate may be requested from the local affiliate.

Repaired product or part return

Repaired parts will be returned to the sender’s address unless specific shipping instructions specify otherwise.

If the delivery address differs from the invoice address, a pro-forma invoice will be added to the delivery documents for customs clearance. A repair report is a standard component of the shipment. All deliveries are ex works Honeywell.

Time to repair

On receipt of a defective part, a receipt notification is issued to the sender which includes an estimated repair time.

The normal repair time for Safety Manager parts is four weeks after receipt at the global repair center. The repair time of non-Safety Manager parts or equipment depends on the repair times of their suppliers.

Emergency replacements

Emergency replacements can be ordered using the procedure described in “Ordering of emergency replacements” on page 84.


Ordering of emergency replacements

Requests

Requests for emergency replacements must go through the local affiliate of Honeywell.

Fax

Requests for emergency replacements must be submitted by means of a fax message which clearly indicates “EMERGENCY REPLACEMENT REQUEST”. The fax must at least state the following:

• Model number

• Purchase order number

• Description

• Quantity

• Originator

• Shipping address

• Warranty replacement status

• Model and serial number of the defective part if it is a warranty replacement

Shipment and documents

The shipment of the emergency replacements is accompanied for customs clearance by a pro-forma invoice and a shipping note stating that it is a repair replacement. All deliveries are ex works Honeywell.

Invoice

An invoice is sent to the requester based on the project price for the requested parts, plus the shipping cost.

Credit note

On receipt of defective items at the global repair center, a credit note of 25% of the price is submitted, if the defective item can be repaired.


Beyond repair

If it turns out that a returned product or part cannot be repaired, the requester will be informed and no credit note will be submitted.

Warranty

The local affiliate checks if the returned item is still under warranty. In that case, a credit note of 100% of the price will be submitted.

Return of defective product or part

The defective product or part must be returned to the local affiliate of Honeywell.

8 Diagnostics and other fault finding options in Safety Manager

Safety Manager has several tools and different ways to assist in fault finding (see the tables below).

Diagnostics

Safety Manager has the following diagnostic capabilities:

Equipment           Software / Hardware   Tool / Display                       Information
Controller          QPP-0001 module       QPP display                          Diagnostics
Experion™ Station   Station (1)           Diagnostics display                  Diagnostics; process related information
Safety Station      Safety Builder        Controller Management; Audit trail   Diagnostics; logging of user actions

(1) Based on HMIWeb technology. HMIWeb is the web-based Human Machine Interface for Experion™ PKS.

Diagnostics   See

QPP display messages
Diagnostic messages in the QPP display. See page 102.

Diagnostic messages
Diagnostic messages that can be retrieved on a user station. See page 105.

Safety Builder on-line messages
When Safety Manager is displayed on a user station, the error messages are also shown on this user station in the case of an invalid configuration or illegal operation. See page 143.


Appendix A

Safety Manager key switches

This section gives an overview of the usage and location of the Safety Manager key switches.

The following topics are discussed:

Topic See

Key switches page 90

Location page 94

Forcing of IO signals page 96


Key switches

The following key switches are present in each Safety Manager:

1. One QPP key switch per Control Processor. For details see “QPP key switch” on page 90.

2. A Reset key switch. For details see “Reset key switch” on page 91.

3. A Force Enable key switch. For details see “Force Enable key switch” on page 92.

QPP key switchThe QPP key switch is used to set the highest possible state of a Control Processor.

Attention

Before you are going to work with Safety Manager you must know the location of each key switch and what it is responsible for.

Warning1. If the QPP key switch is not on a fixed position, the RUN state is assumed.2. Switching from IDLE to RUN may eventually bring the SM Controller on-line.3. Switching from RUN to IDLE or STOP, without a redundant Control Processor

on-line, causes the SM Controller to go offline.

Switch a QPP to RUN

If you switch a QPP to RUN you allow the SM Controller to start the currently loaded application after a reset is activated.Note that the SM Controller does not start the application by itself after you switched the QPP to RUN: The QPP remains idle.The QPP display shows:• CPready when synchronized and ready to start or • Halt with Flt when not ready For follow-up steps to get the Control Processor running see “Reset key switch” on page 91.

Page 109: Safety Manager Troubleshooting and Maintenance Guide Infi90 Documentation... · 2018-10-24 · vii Task-oriented guides A task-oriented guide provides both procedural and basic knowledge

Honey

well co

nfid

entia

l and

pro

priet

ary

Key switches

Safety Manager Troubleshooting and Maintenance Guide 91

Reset key switch

A reset of the SM Controller initiates an action which results in below mentioned:

• Clear the fault database (actual diagnostics)

• Startup halted functions in a Control Processor

• Restart a tripped or halted Control Processors.

Switch a QPP to IDLE

• If you switch a QPP from RUN to IDLE you stop the application running on that Control Processor.

• If you switch a QPP from STOP to IDLE you (re)boot that Control Processor.

On both occasions you should wait for the status LEDs on all Control Processor modules to turn green and the QPP display to show Halt.

When idle you can:• Load an application;• Extract diagnostic information.

Switch a QPP to STOP

If you switch a QPP to STOP, you stop all activities of that Control Processor. This includes:• Stopping the application executed by the Control Processor;• Stopping all communication with the Control Processor.Note:

The QPP display is blanked when the QPP is switched to STOP.

Note:

The Reset key switch is a spring return key switch, meaning that after releasing the key switch it will automatically return to the OFF position.

Tip:1. You may find it easier to perform a remote reset from Safety Builder. For details see

Remote Reset.2. You cannot trip a Control Processor by giving a reset unless you perform an OLM at

the same time!

Page 110: Safety Manager Troubleshooting and Maintenance Guide Infi90 Documentation... · 2018-10-24 · vii Task-oriented guides A task-oriented guide provides both procedural and basic knowledge

Honey

well co

nfid

entia

l and

pro

priet

ary

A – Safety Manager key switches

92 Release 152, Issue 1.0

• Initiate a switch-over between Control Processors during an OLM procedure. (to act on such a reset, Safe faults that may reside in the system must first be cleared.)

Force Enable key switch

The Force Enable key switch is used to:

1. Enable or disable force actions on points in a on-line SM Controller

2. remove all forces present in a SM Controller

Note:

When performing an OLM it may be required to turn the key switch twice before the system starts!

Release the Reset key switch or set it to OFF

If you release the Reset key switch it will it will automatically return to the OFF position.The OFF position is the neutral position of the Reset key switch. The key switch is inactive in this position.

Turn the Reset key switch to ON

If you turn the Reset key switch to ON you initiate a reset. For more information see “About the reset function” on page 571.

Warning1. Switching the Force Enable key switch from ON to OFF removes all forces in the

SM Controller.

Turn the Force Enable key switch to OFF

If you turn the Force Enable key switch from ON to OFF all forces are removed from the SM Controller. You cannot undo this action!The OFF position is the neutral position of the Force Enable key switch.In this position you cannot force points.


Turn the Force Enable key switch to ON

In the ON position you can force points under the following conditions:

1. The point is force enabled

2. You force via a Safety Station connected to the SM Controller

3. You have the appropriate privilege level to force


Location

You will find all Safety Manager key switches at the front of the Controller chassis of the SM Controller.

• To access the Controller chassis see “Access the front of the Controller Chassis” on page 94.

• For the location of the key switches see “Location of the key switches” on page 94.

Access the front of the Controller Chassis

To access the front of the Controller Chassis you must open the cabinet front door.

Figure 5 on page 95 shows the front view including key switch location of a redundant Controller chassis.

Location of the key switches

• The Reset key switch is the top key switch of the two key switches in the middle of the Controller chassis.

• The Force Enable key switch is the bottom key switch of the two key switches in the middle of the Controller chassis.

Tip

You can easily recognize a Controller chassis:

• There is only one Controller chassis per system.

• It has a distinct layout, as shown in Figure 5 on page 95.

• A Controller chassis has alphanumeric display(s) and 3 to 4 key switches.

• Controller chassis are often located close to the top of the frame.


• The QPP key switch of the first Control Processor is located on your left hand, just below the alphanumeric display. The QPP key switch of the redundant Control Processor is located to the right of the Reset and Force Enable key switches in the middle, just below the alphanumeric display.

Figure 5 Front view of a redundant Controller chassis


Forcing of IO signals

During FAT, on-line testing or calibration of connected devices, it may be required to force an IO point to a certain fixed state.

For example, when testing a defective input sensor, forcing allows the sensor to be taken off-line without affecting the continuity of production. While the sensor is being tested, the respective input can be forced to its operational state.

Enable forcing

The procedure to enable forcing of a point in Safety Manager is as follows:

1 Identify the points that may require forcing during operation and use the Point Configurator to set the force enable flag of these points to ‘Yes’.

2 Translate the application, load it into the system and start the application

Applying forces

The procedure to apply a force is as follows (see also Figure 6 on page 97):

Stop:

Forcing points can be dangerous if not handled properly! Always communicate your actions when applying or removing forces.

Note

This part contains instructions to use Application Viewer. Where this is done you can also use Point Viewer, provided that the points you want to force and/or monitor are added to one or more (user-)defined screens.

Warning

Applying forces for a prolonged period of time introduces a potentially dangerous situation as the corresponding process point could go to the unsafe state while the force is active.


1 Set the Force Enable key switch to the ON position

2 Open the Application Viewer with a maintenance engineering user level or above (may be password protected)

3 Select the first point to be forced

4 Right click the point and select a force option from the pop-up menu.

Setting

IO signals can be forced using the Application Viewer or Point Viewer of Safety Builder. Forcing is only allowed if the correct password has been entered when selecting the force option. The status of the force enable flag is also stored in the application in Safety Manager. This has been done in such a way that a change of the force enable flag after compilation of the application does not allow forcing of the corresponding point without reloading the application software.

Forces may be set high, low or on a specific value as required. The procedure of how to use forcing is as follows:

1 Activate the Force Enable key switch on the BKM after approval by the responsible maintenance manager.

2 Use Application Viewer of Safety Builder to select the point that needs to be forced. (A password may be required.)

3 Right click the point and select the value that the point should be forced to.

4 The force will be applied immediately.

Figure 6 The forcing sequence

[Figure 6 shows the Force Enable Key Switch, the Force Enable Table and the BKM, QPP and COM modules involved in the forcing sequence.]

Notes

• All forces are cleared when the Force Enable key switch is deactivated.

• All force actions are included in the SER report for review/historical purposes.

• For details on forcing signals refer to the Operations Guide, section Overrides & forces.


Checks

To make this operation single-fault tolerant, both Safety Builder and the SM Controller carry out checks before a force is executed:

1. Safety Builder checks if the password is activated.

2. Safety Builder checks if the Force Enable key switch is activated.

3. Safety Builder checks if the force enable flag for the point is set to Yes.

4. SM Controller checks if the Force Enable key switch is activated.

5. SM Controller checks if the force enable flag in the application is set to Yes.

Safety Manager continuously checks the Force Enable key switch and immediately clears all forces when the Force Enable key switch is deactivated.

Forced points

If a force command is accepted for an input or output, the ForceActive system point goes to 0, which can be used by the application to log, alarm or inform about the event.

On any subsequent force commands, the ForceActive marker pulses one application cycle.

When all forces are cleared, the ForceActive system point goes back to 1.

For more information about system points see “Safety Manager system points” on page 558.
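The check sequence and the ForceActive behaviour described above, modelled as an added example; this is not Honeywell's code, and the class names, the point tags and the reading of the one-cycle pulse as a single cycle at 1 are assumptions:

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Added example, not Honeywell code: a model of the force-authorization checks
# ("Checks") and the ForceActive system point ("Forced points"). The names
# PointConfig, SMController and SafetyBuilder are hypothetical.


@dataclass
class PointConfig:
    tag: str
    force_enable: bool  # the force enable flag ("Yes"/"No") of the point


@dataclass
class SMController:
    """Controller side: repeats checks 4 and 5 independently of Safety Builder
    and keeps the ForceActive system point (1 = no force, 0 = force active)."""
    application: Dict[str, PointConfig]   # flags as compiled and loaded
    force_enable_key: bool = False        # Force Enable key switch position
    forces: Dict[str, float] = field(default_factory=dict)
    force_active: int = 1
    _pulse_pending: bool = False

    def apply_force(self, tag: str, value: float) -> Tuple[bool, str]:
        if not self.force_enable_key:                      # check 4
            return False, "SM Controller: Force Enable key switch not activated"
        cfg = self.application.get(tag)
        if cfg is None or not cfg.force_enable:            # check 5
            return False, "SM Controller: force enable flag in application is not Yes"
        if self.forces:
            # Subsequent force command: ForceActive pulses for one application
            # cycle (assumed here to be one cycle at 1 before returning to 0).
            self._pulse_pending = True
        else:
            self.force_active = 0                          # first accepted force
        self.forces[tag] = value
        return True, f"force on {tag} applied"

    def clear_force(self, tag: str) -> None:
        self.forces.pop(tag, None)
        if not self.forces:
            self.force_active = 1                          # all forces cleared

    def set_force_enable_key(self, on: bool) -> None:
        self.force_enable_key = on
        if not on:
            # Continuous key switch check: deactivating clears all forces at once.
            self.forces.clear()
            self._pulse_pending = False
            self.force_active = 1

    def run_cycle(self) -> int:
        """Value of the ForceActive marker as seen by the logic in this cycle."""
        if self._pulse_pending:
            self._pulse_pending = False
            return 1
        return self.force_active


@dataclass
class SafetyBuilder:
    """Engineering station side: checks 1 to 3 before sending the command."""
    project: Dict[str, PointConfig]  # flags in the Point Configurator database
    password_entered: bool = False

    def force(self, ctl: SMController, tag: str, value: float) -> Tuple[bool, str]:
        if not self.password_entered:                      # check 1
            return False, "Safety Builder: password not activated"
        if not ctl.force_enable_key:                       # check 2
            return False, "Safety Builder: Force Enable key switch not activated"
        cfg = self.project.get(tag)
        if cfg is None or not cfg.force_enable:            # check 3
            return False, "Safety Builder: force enable flag is not Yes"
        return ctl.apply_force(tag, value)


def demo() -> Dict[str, object]:
    """Constructed scenario: FT101 is force enabled; PT200 had its flag changed
    to Yes after compilation, so the loaded application still says No."""
    loaded = {"FT101": PointConfig("FT101", True), "PT200": PointConfig("PT200", False)}
    project = {"FT101": PointConfig("FT101", True), "PT200": PointConfig("PT200", True)}
    ctl = SMController(application=loaded)
    sb = SafetyBuilder(project=project, password_entered=True)

    before_key = sb.force(ctl, "FT101", 12.5)  # rejected: key switch still OFF
    ctl.set_force_enable_key(True)
    first = sb.force(ctl, "FT101", 12.5)       # accepted: ForceActive goes to 0
    cycle_after_first = ctl.run_cycle()
    stale = sb.force(ctl, "PT200", 3.0)        # passes Safety Builder, rejected by controller
    second = sb.force(ctl, "FT101", 13.0)      # subsequent force: one-cycle pulse
    pulse, after_pulse = ctl.run_cycle(), ctl.run_cycle()
    ctl.set_force_enable_key(False)            # key switch OFF clears everything
    return {"before_key": before_key[0], "first": first[0],
            "cycle_after_first": cycle_after_first, "stale": stale,
            "second": second[0], "pulse": pulse, "after_pulse": after_pulse,
            "forces_after_key_off": len(ctl.forces),
            "force_active_after_key_off": ctl.force_active}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The PT200 case shows why the flag is stored in the loaded application: a flag changed in the Point Configurator after compilation passes the Safety Builder check but is still refused by the controller until the application is reloaded.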

References

Specific TUV requirements with regard to forcing are described in a document of TUV Bayern Sachsen e.V. and TUV Rheinland: Maintenance override.

All Safety Manager architectures meet the requirements specified in this document.

Tip:

This document is available on request. Please contact your local Honeywell affiliate or e-mail to [email protected].


Clearing forces

To manually remove forces in Safety Manager, select the forced point as described in “Setting” on page 97, step 2 onwards.

Instead of selecting a force value, select Clear. This will clear the force instead of applying a forced value.

Listing the forced points

To see a list of all forced points in Safety Manager (analog/digital inputs, analog/digital outputs, and markers), choose one of the following options:

• click the View All Forces button from the Toolbar,

• click Configure >View All Forces from the menu bar or

• type an A while holding down the Ctrl key.

If there are no forces active in the selected Controller the window message will say so.

The View All Forces window shows the following details of the forced points:

• Point type

• Tag number

• Actual value (for inputs this is the field value, for outputs this is the value as displayed on the FLD going to the output)

• Force value

• Engineering units

• FLD where point is used

Attention:

To immediately remove all forces:

a. turn the Force Enable key switch or

b. click the Remove All Forces button on the Application Viewer toolbar.

Warning:

This action is irreversible.

Tip:

If you double-click a point in the View All forces window Safety Builder will display the online FLD where the point is allocated.


APPENDIX B

Diagnostic information

This appendix describes different types of diagnostic information; each type has a dedicated section. Each section describes how that type of diagnostic information is presented or obtained, and what it means. Where applicable, information is given about how to act upon occurring messages and/or situations.

Section / Content / See:

• QPP display messages: Explains how to show messages on the user interface display on the QPP module, and how to read them. See page 102.

• Diagnostic messages: Gives information about messages that are generated by the Control Processor. See page 105.

• Safety Builder on-line messages: Gives information about messages that are generated by Safety Builder. See page 143.

• Communication status: Gives information to assist the user in solving communication related issues. See page 146.


C – Competences and precautions

102 Release 152, Issue 1.0

QPP display messages

The QPP module has a user interface display that informs the user of the status of the Control Processor and all the IO related to it.

The eight-digit display shows one message at a time, and the user can scroll between messages with the use of the buttons on the right-hand side of the display (see Figure 7 on page 102).

Many messages, like diagnostic messages, are divided into sub-messages, called stages (see Table 4 on page 103). The user interface display automatically scrolls through these stages within the current message.

When left alone for 30 seconds, the user interface display returns to the default status message.

Figure 7 The user interface display of the QPP-0001 and the QPP-0002 (labelled parts: display; push buttons Up and Down)


Table 4 Messages displayed by the User Interface Display of the QPP module

The Up and Down scroll buttons step through the following messages:

Fail – Shows the number of diagnostic messages (N)

Frc – Shows the number of forced points

IP 1A, IP 1B, IP 2A, IP 2B – Shows the details for the selected COM port. If a COM port is configured the display shows: IP address (in two steps); Gateway; Gateway IP address (in two steps). If a COM port is not configured the display shows: Not Config.; Gateway Not Config. (in two steps).

Sys – Shows the Controller node number

Vb – Shows the battery voltage for this Control Processor in Volts

Vcc – Shows the 5VDC PSU output voltage for this Control Processor in Volts

Tmp – Shows the temperature for this Control Processor

Date – Shows the actual date

Time – Shows the actual time

R #version no.# – Shows the software version number

Default status message (1) – For details see Table 5 on page 104

Diagnostic message N – Shows the diagnostic messages that apply for this Controller. If there are no messages the display shows “Fail 0”. If there are multiple messages the last 32 messages are displayed in chronological order. The last message is shown first. Select a message with the scroll buttons. When releasing a scroll button on a diagnostic message the display scrolls:

• the fault location in two steps (chassis and slot),

• the faulty module in the next step (module ID),

• the message body in two steps (Message 1 & 2),

• the error code in the next step (Error #).

After completing this cycle the display returns to the default status message. Stages: 1. Chass 2. Slot 3. Module ID 4. Message 1 5. Message 2 6. Error #

Diagnostic message N-1 – As above. Stages: 1. Chass 2. Slot 3. Module ID 4. Message 1 5. Message 2 6. Error #

(1) When selecting another display message with the scroll buttons, the display will always return to this message after a time-out.


Table 5 Possible default status messages

Status                                 Message (1)   Alternating with
Busy with power-on checks              PowerUp
Busy synchronizing                     Sync
Busy loading                           Loading
Waiting for download to start          Waiting
Waiting for download to start          Waiting       Flt
Key in IDLE: CP halted                 Halt
Key in RUN: CP halted due to faults    Halt          Flt
Key in RUN: CP ready to start          CPReady
Running with faults                    Running       Flt
Running no faults                      Running
Loading other CP, or loading own USI   Sending

(1) A continuously rotating bar or a flashing star on the display indicates that the QPP is operational.


Diagnostic messages

This section gives information about messages that are generated by the Control Processor. These messages are referred to as “diagnostic messages”.

This section has these sub-sections:

• About diagnostic messages

• Module related diagnostic messages

About diagnostic messages

This (sub-) section has these topics:

• Presentation of diagnostic messages in Safety Builder

• Interpreting diagnostic messages

• Other diagnostic messages

Presentation of diagnostic messages in Safety Builder

Figure 8 on page 105 shows an example of how diagnostic messages are presented in Safety Builder.

Safety Builder gives the information listed below:

Figure 8 Example of diagnostic information in Safety Builder

Title                    Specifies the ...
Module Type              module type the message relates to.
Module Description       full description of the module.
Diagnostic Description   description of the diagnostic message.
Cabinet Name             location details of the relevant module.
Chassis / IOTA
Slot
Error Code               error code related to the specified module.
Timestamp                date and time the message was created.
Category                 the category the message relates to.

Interpreting diagnostic messages

Most diagnostic error messages that are described in this section include information about the cause of the problem and how to best remedy it.

• As a minimum, always record the relevant Module type, the Error code and Timestamp of occurring diagnostic messages in case you need to contact Honeywell SMS.

• If this solution does not work, look for related problems (they may be hard to identify or may not appear obvious at first glance) and solve those first.

• If the problem persists, contact Honeywell SMS for advice or try to solve the problem by exchanging the affected modules in the circuitry.

For information about Experion Station displays related to Safety Manager (“system information” and “diagnostics”), refer to the Experion User Documentation (Experion Safety Manager Integration Guide).

Most diagnostic messages relate to a specific module. To interpret a diagnostic message, focus on the reported module type (or ‘ModuleFault’) and use the table below to find more information about the corresponding message.

Table 6 Diagnostic messages sorted by Module ID

Module type              Refer to...
BKM-0001                 “Battery and key switch module (BKM-0001)” on page 124
IO-0001, IO-0002         “IO extender (IO-0001 and IO-0002)” on page 125
QPP-0001, QPP-0002       “Quadruple Processor Pack modules (QPP-0001 and QPP-0002)” on page 109
DO-1224, DO-1624         “Digital output modules (DO-1624 and DO-1224)” on page 140
RO-1024                  “Relay output module (RO-1024)” on page 141
SAI-0410                 “Analog input module (SAI-0410)” on page 134
SAI-1620m                “Analog input module (SAI-1620m)” on page 134
SAO-0220m                “Analog output module (SAO-0220m)” on page 141
SDI-1624, SDI-1648       “Digital input modules (SDI-1624 and SDI-1648)” on page 131
SDIL-1608                “Digital input module (SDIL-1608)” on page 132
SDO-0424                 “Digital output module (SDO-0424)” on page 138
SDO-0448, SDO-04110      “Digital output modules (SDO-04110 and SDO-0448)” on page 137
SDO-0824                 “Digital output module (SDO-0824)” on page 135
SDOL-0424, SDOL-0448     “Digital output modules (SDOL-0424 and SDOL-0448)” on page 139
RUSIO-3224, RUSLS-3224   “SM universal IO modules (RUSIO-3224 and RUSLS-3224)” on page 126
USI-0001, USI-0002       “Communication module (USI-0001 and USI-0002)” on page 119

Related topic(s): “Other diagnostic messages” on page 107; “Module related diagnostic messages” on page 108

Other diagnostic messages

Other diagnostic messages, not listed in this section, are also possible. If they occur, record the message (Module type, Error code and Timestamp) and the circumstances as completely as possible.

Other diagnostic messages you may be confronted with are:

• “General communication error messages” on page 143

• “Application Viewer messages” on page 143

In case the information in those topics does not (fully) solve the problem, contact Honeywell SMS.


Module related diagnostic messages

Any diagnostic message relates to a specific module. To interpret a diagnostic message, first focus on the reported Module type and use the list of topics below to find more information about the corresponding message.

Each topic contains a collection of diagnostic messages, alphabetically ordered by unique Description of the message. Any unique Description can apply to more than one (1) error code; error codes are not included in this document. Where applicable a brief explanation is given, the most likely cause of the problem and how to best remedy it.

As a minimum, always record the relevant Module type, the Error code and Timestamp, and the circumstances of occurring diagnostic messages in case you need to contact Honeywell SMS.

This sub-section has these topics:

• “Quadruple Processor Pack modules (QPP-0001 and QPP-0002)” on page 109

• “Communication module (USI-0001 and USI-0002)” on page 119

• “Battery and key switch module (BKM-0001)” on page 124

• “IO extender (IO-0001 and IO-0002)” on page 125

• “SM universal IO modules (RUSIO-3224 and RUSLS-3224)” on page 126

• “Digital input modules (SDI-1624 and SDI-1648)” on page 131

• “Digital input module (SDIL-1608)” on page 132

• “Analog input module (SAI-0410)” on page 134

• “Analog input module (SAI-1620m)” on page 134

• “Digital output module (SDO-0824)” on page 135

• “Digital output modules (SDO-04110 and SDO-0448)” on page 137

• “Digital output module (SDO-0424)” on page 138

• “Digital output modules (SDOL-0424 and SDOL-0448)” on page 139

• “Digital output modules (DO-1624 and DO-1224)” on page 140

• “Relay output module (RO-1024)” on page 141

• “Analog output module (SAO-0220m)” on page 141


Quadruple Processor Pack modules (QPP-0001 and QPP-0002)

The following messages related to the Control Processor modules QPP-0001 and QPP-0002 are available:

• All forces cleared

• Application program corrupted

• Application programs different

• Application program invalid

• Application sheets different (OLM)

• Calculation overflow

• Check 24 VDC power supply voltage

• Check 5 VDC power supply voltage

• Check IO bus terminator

• Clock source time-out

• Communication overrun

• Configuration error

• Control Processor halt

• Controller not loaded

• Controller too complex to calculate cycle time within configured DTI

• CP-CP incompatible point allocation

• Device communication failure

• Divide by zero

• Download failed

• Embedded software corrupted

• Error code not defined

• ESD input activated

• Execution time out of range

Tip:

If a QPP appears to be faulty it is recommended to first test the QPP in a test unit before returning it according to the spare part replacement procedure. If the QPP appears to be working fine in the test unit, you are requested to contact Honeywell SMS with the original diagnostic message before sending the QPP in as a defective module.


• External communication failure

• Loop fault

• Fault Reset

• Functionality degraded

• IO extender address incorrect or an additional IO extender placed

• Idle state initiated due to on-line modification

• Illegal argument e.g. square root of -1

• Illegal counter value

• Illegal timer value

• Incompatible Safety Builder version

• Incorrect software version

• Input compare error

• Internal communication failure or redundant CP degraded

• Invalid diagnostic text reference <value>

• Key not in Run

• Keyswitch cycled from RUN to IDLE

• Measured and calculated FLD execution difference >10%

• Memory error

• Module faulty

• No differences between applications

• Power supply to field device shorted

• Program execution assertion (output sync)

• Program update failed

• Redundant input fault

• Repair timer expired

• Repair timer started

• Safe state initiated by redundant Control Processor

• Safe state initiated by software assertion

• Safe state initiated due to inaccessible output module

• SafeNet configuration check failed

• SafeNet incompatible embedded software versions

• SafeNet incompatible point allocation


• SafeNet incompatible point configuration

• Secondary switch-off asserted

• Startup impossible, modify off-line

• System program corrupted

• Temperature pre-alarm

• Temperature sensor faulty

• Temperature shutdown

• Wrong QPP module type placed

All forces cleared

All forces are cleared via one action.

Application program corrupted

A CRC error has been detected in the application program during the start-up check.

Solution: repeat the download procedure; in case the fault persists after download, replace the QPP module.

Application programs different

Differences are detected between the loaded and still running Control Processors. Details of these differences are reported in the OLM report.

Solution: Assess the OLM report. Make sure that you can identify and explain each individual message. In case you cannot determine acceptable explanations, analyze and solve the suspect messages. If necessary, contact Honeywell SMS.

Application program invalid

The application has become invalid (corrupted) during compiling.

Solution: compile the application again.

Application sheets different (OLM)

In a redundant system differences are found in the FLDs between the Control Processors during the on-line modification.

Solution: check if the FLD numbers correspond with the changes you have made.

Calculation overflow

Calculation yields a result that is out of a specified range.

Solution: check the calculation in the logic of the specified FLD.


Check 24 VDC power supply voltage

A power fluctuation was detected on a 24 VDC power line.

Solution: Check the cause of the power fluctuation. Use the time stamp to detect similarities in process states of other equipment loading the same power grid.

Check 5 VDC power supply voltage

A power fluctuation was detected on a 5 VDC internal power line.

Solution: Check the cause of the power fluctuation. Use the time stamp to detect similarities in process states of other equipment loading the same 24 VDC power grid.

Check IO bus terminator

The IO bus terminator on the Controller backplane is not working as expected.

Solution: replace the IO bus terminator.

Clock source time-out

The external clock source failed to update the SM Controller internal clock within the specified time.

Solution: Check the connection with the external clock source and the update frequency of the external clock source.

Communication overrun

Too many DI/BI points with location COM have been written to the Control Processor during an application cycle.

Solution: make sure that the number of DI and BI points sent to Safety Manager does not exceed the maximum per application cycle, or contact Honeywell SMS.

Configuration error

The module has been configured but could not be detected in Safety Manager.

Solution: check if the module is placed; if necessary contact Honeywell SMS.

Control Processor halt

This message appears if the Key switch is cycled from RUN to IDLE. Note that in a non-redundant system this action results in a system shutdown.

Controller halt

This message appears if all Control Processors of the Controller are halted.

Controller not loaded

A new or replaced QPP module does not yet contain an application.

Solution: carry out the download procedure.


Controller too complex to calculate cycle time within configured DTI

Controller configuration is too complex to be executed.

Solution: reduce the application cycle time by:

- increasing the DTI

- reducing system size and/or complexity

CP-CP incompatible point allocation

The positions of the points in the memory of both Control Processors do not match.

Solution: either perform off-line modification or use the old application and redo the modification with on-line modification enabled.

Device communication failure

An externally connected communication device has stopped communicating with the SM Controller.

Solution: Check the external communication device, the communication cable and the communication configuration details.

Divide by zero

In a calculation a divide by zero error occurs.

Solution: check the calculations in the logic of the specified FLD.

Download failed

Solutions:

- repeat the download

- switch the QPP in STOP and back to RUN

- replace the QPP and/or the communication module.

Embedded software corrupted

A CRC error has been detected in the firmware during the start-up check.

Solution: repeat the download procedure; in case the fault persists after download, replace the QPP module.

Error code not defined

The error code for this diagnostic message is not defined.

Solution: contact Honeywell SMS.

ESD input activated

The ESD wiring circuit connected to the Controller backplane has been broken because:

- an ESD button has been pushed or,

- there is a wiring defect.

Solution: check the state of the ESD wiring circuit.

Execution time out of range

The application cycle is out of range.

Solution: contact Honeywell SMS.

External communication failure

An error has been detected in the Safety Manager network check.

Solution: investigate the cause of this failure and if necessary contact Honeywell SMS.

Loop fault

A fault is detected in a line monitored channel.

Solution: consult the loop status to determine the faulty loop; analyze the faulty loop for field faults and resolve accordingly.

Fault Reset

The Reset key switch has been toggled or a Remote Reset has been performed.

Functionality degraded

The non-redundant outputs are de-energized by the watchdog or a communication protocol failed.

Solution:

- repair the output that causes the watchdog to de-energize all non-redundant outputs

- reset the system to reboot and/or reload the failed communication protocol software, or remove and re-insert the communication module

- replace the communication module

IO extender address incorrect or an additional IO extender placed

The system has reported a mismatch between the configuration in Safety Builder and the corresponding hardware.

Solution: check the addressing and allocation of IO extenders.

Attention:

When this message occurs the Chassis / IOTA column indicates 00.00. This indication appears in Historical Diagnostics only after a user has performed a fault reset.


Idle state initiated due to on-line modification

This message occurs in redundant configurations, during on-line modification when the application is loaded in the other Control Processor.

Illegal argument e.g. square root of -1

In a calculation an illegal argument is used. Solution: check the calculations in the logic of the specified FLD.

Illegal counter value

In a calculation an illegal counter value is used. Solution: check the calculations in the logic of the specified FLD.

Illegal timer value

In a calculation an illegal timer value is used. Solution: check the calculations in the logic of the specified FLD.

Incompatible Safety Builder version

The application is compiled with another version of Safety Builder than the current one. Solution: use the correct version of Safety Builder.

Incorrect software version

Solutions:

- load the correct software version

- replace the QPP and/or the communication module

Input compare error

A discrepancy occurred between the status of a key switch on the BKM module as detected by Control Processor 1 and Control Processor 2. Possible causes:

- incorrect operation of the key switch (toggled too slowly or incompletely),

- a contact of the key switch is defective.

Solution: carry out these steps - in the order given - as necessary:

- correctly toggle the relevant key switch,

- replace a faulty key switch,

- contact Honeywell SMS.

Internal communication failure or redundant CP degraded

An internal communication failure is detected if one of the redundant communication links between the active Control Processors has failed. Solution: when detecting an internal communication failure the system halts one Control Processor. To resolve the anomaly refer to “Cannot get both CPs on-line simultaneously” on page 31.

Invalid diagnostic text reference <value>

The generated error code is unknown. Solution: contact Honeywell SMS.

Key not in Run

Probable cause: a fault reset was activated while the key switch of the Control Processor is in IDLE. Solution: set the key switch to RUN and repeat the fault reset.

Keyswitch cycled from RUN to IDLE

The key switch is cycled manually from RUN to IDLE. Warning: in a non-redundant system this action results in a system shutdown.

Measured and calculated FLD execution difference >10%

The execution time for the FLDs is calculated by the Compiler. During start-up the execution time is measured. In case the difference is more than 10% this message is generated and start-up is prohibited. Solution: contact Honeywell SMS.

Memory error

The memory of the QPP module has become corrupted. Solution: replace the QPP module.

Module faulty

Solution: replace the module; in case the fault persists, contact Honeywell SMS.

No differences between applications

A new application version has been loaded, but no differences in the FLDs and hardware configuration have been detected.

Note:

When you manually create shutdowns of one Control Processor - such as during an OLM - you can safely ignore this message: “internal communication failure or CP degraded”. An “internal communication failure or CP degraded” message is always generated when losing communication to the other Control Processor.
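The interpretation rules in this section (the Chassis / IOTA 00.00 indication that accompanies the IO extender message, the operator-action messages such as Fault Reset and Keyswitch cycled from RUN to IDLE, and the note above that an “internal communication failure or CP degraded” message is expected while one Control Processor is deliberately shut down for an OLM) can be applied mechanically to an exported diagnostics list. The following Python is an added example, not Honeywell code; the semicolon-separated export format, the sample lines, the Chassis / IOTA values and the OLM window are constructed assumptions.

```python
"""Triage of exported Safety Manager Historical Diagnostics.

Added example, not Honeywell code. The export line format is a constructed
assumption: "<ISO timestamp>;<CP1|CP2>;<Chassis/IOTA>;<message text>".
Only rules stated in the guide are encoded below.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Tuple

# Messages the guide documents as operator actions rather than faults.
OPERATOR_ACTIONS = {"Fault Reset", "Keyswitch cycled from RUN to IDLE"}

# Messages whose only documented solution is "contact Honeywell SMS".
ESCALATE = {
    "Execution time out of range",
    "Measured and calculated FLD execution difference >10%",
    "Program update failed",
    "Safe state initiated by software assertion",
}
ESCALATE_PREFIXES = ("Invalid diagnostic text reference",)  # "<value>" varies

OLM_EXPECTED = "Internal communication failure or redundant CP degraded"
IO_EXTENDER = "IO extender address incorrect or an additional IO extender placed"
REPAIR_TIMER = "Repair timer started"


@dataclass(frozen=True)
class Diagnostic:
    time: datetime
    cp: str
    chassis_iota: str
    message: str


@dataclass(frozen=True)
class Finding:
    diagnostic: Diagnostic
    severity: str  # "info", "expected", "action" or "escalate"
    note: str


def parse_line(line: str) -> Diagnostic:
    """Parse one constructed export line into a Diagnostic."""
    ts, cp, chassis_iota, message = (p.strip() for p in line.split(";", 3))
    return Diagnostic(datetime.fromisoformat(ts), cp, chassis_iota, message)


def in_window(t: datetime, windows: Iterable[Tuple[datetime, datetime]]) -> bool:
    return any(start <= t <= end for start, end in windows)


def classify(d: Diagnostic, olm_windows) -> Finding:
    """Apply the guide's interpretation rules to a single diagnostic."""
    if d.message == OLM_EXPECTED:
        if in_window(d.time, olm_windows):
            return Finding(d, "expected", "one CP deliberately shut down during OLM; "
                           "the guide says this message can be ignored")
        return Finding(d, "action", "unplanned loss of the CP-to-CP link; see "
                       "'Cannot get both CPs on-line simultaneously'")
    if d.message in OPERATOR_ACTIONS:
        return Finding(d, "info", "operator action; correlate with the maintenance log")
    if d.message == IO_EXTENDER:
        note = "check addressing and allocation of IO extenders"
        if d.chassis_iota != "00.00":
            note += " (guide expects Chassis/IOTA 00.00 for this message)"
        return Finding(d, "action", note)
    if d.message == REPAIR_TIMER:
        return Finding(d, "action", "repair before the configured repair time "
                       "expires, otherwise the faulty CP stops")
    if d.message in ESCALATE or d.message.startswith(ESCALATE_PREFIXES):
        return Finding(d, "escalate", "guide resolves this only via Honeywell SMS")
    return Finding(d, "action", "follow the solution listed for this message")


def triage(lines: Iterable[str], olm_windows) -> List[Finding]:
    return [classify(parse_line(ln), olm_windows) for ln in lines if ln.strip()]


# Constructed sample export: a planned OLM window, then an unplanned event.
SAMPLE_LINES = [
    "2014-10-20T09:00:00;CP1;00.00;Keyswitch cycled from RUN to IDLE",
    "2014-10-20T09:00:05;CP2;00.00;Internal communication failure or redundant CP degraded",
    "2014-10-20T09:20:00;CP1;00.00;Fault Reset",
    "2014-10-20T23:41:10;CP2;00.00;Internal communication failure or redundant CP degraded",
    "2014-10-21T08:15:00;CP1;00.00;IO extender address incorrect or an additional IO extender placed",
    "2014-10-21T08:16:00;CP1;01.03;Repair timer started",
    "2014-10-21T08:17:00;CP1;01.03;Invalid diagnostic text reference 17",
]
OLM_WINDOWS = [(datetime(2014, 10, 20, 8, 30), datetime(2014, 10, 20, 10, 0))]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES, OLM_WINDOWS):
        print(f"{f.diagnostic.time:%Y-%m-%d %H:%M} {f.diagnostic.cp} "
              f"{f.severity:8} {f.diagnostic.message}: {f.note}")
```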

Power supply to field device shorted

Solution: check the point or loop in the field.

Program execution assertion (output sync)

The Control Processors have received conflicting data from the same SafeNet peer controller. Solution: carry out these steps - in the order given - as necessary:

- check the SafeNet network,

- contact Honeywell SMS.

Program update failed

Control Processors are unable to get their software versions synchronized. Solution: contact Honeywell SMS.

Redundant input fault

The maximum on time or the maximum discrepancy time of the displayed redundant inputs has expired.

Repair timer expired

The fault that caused the start of the repair timer has not been repaired within the configured repair time. The Control Processor with the fault stops and the other Control Processor continues.

Repair timer started

An error has occurred and the repair timer has been started. Solution: repair the error before this timer expires (otherwise a shutdown of the Control Processor or Safety Manager might take place). Causes that started the repair timer could be:

- (loop) faults on output modules with fault reaction set to Low,

- faults detected on the Force Enable key switch,

- faults detected with non-redundant IO bus extenders.

Safe state initiated by redundant Control Processor

The current Control Processor has been shut down by the other Control Processor. Solution: check the diagnostics of the other Control Processor and check other diagnostic messages.

Safe state initiated by software assertion

Solution: contact Honeywell SMS.

Safe state initiated due to inaccessible output module

Write actions by the Control Processor to the reported output module failed, and the watchdog function was activated. Solution: replace the faulty output module.

SafeNet configuration check failed

One of these causes applies:

- SafeNet communication between two peers is not possible. Solution: check the physical SafeNet network (e.g. peer controllers, switches, connections).

- SafeNet configuration between two peers is not consistent. Solution: check the configuration and make sure it is consistent.

SafeNet incompatible embedded software versions

This message can occur if the embedded software of the systems communicating with each other via SafeNet is not compatible. You will lose the communication between them if you continue. Solution: load an old version, or continue and lose communication, and upgrade the other system to recover communication.

SafeNet incompatible point allocation

The memory maps of the systems communicating via SafeNet do not match. Communication will be lost if you continue. Solution: either perform the modification and lose communication, or use the old application and redo the modification with the correct memory map.

SafeNet incompatible point configuration

The properties of the SafeNet points do not match. Solution: change the properties to their correct settings.

Secondary switch-off asserted

The current Control Processor has shut down the other Control Processor. Solution: check the diagnostics of the current Control Processor and check other diagnostic messages.

Startup impossible, modify off-line

Changes have been made in the application which cannot be modified on-line (only off-line). Solution: modify off-line, or redo the modification so that it can be done on-line. Check in Safety Builder if on-line modification is set to “yes”.

System program corrupted

A CRC error has been detected in the system program during the start-up check. Solution: repeat the download procedure; in case the fault persists after download, replace the QPP module.

Temperature pre-alarm

The temperature in Safety Manager gets critical. Solution: check the fans, airflow and environmental conditions.

Temperature sensor faulty

The specified temperature sensor is regarded faulty. Solution: replace the QPP module.

Temperature shutdown

The temperature is out of range. Solution: check the fans, airflow and environmental conditions.

Wrong QPP module type placed

A QPP-0001 module is inserted where a QPP-0002 module has been configured.

- Note that this message does not apply when inserting a QPP-0002 module where a QPP-0001 has been configured: The QPP-0002 is downwards compatible with the QPP-0001.

Solution: place the correct QPP module type.

Communication module (USI-0001 and USI-0002)

The following messages - related to the Communication module (USI-0001 and USI-0002) - are available:

• BootP response time-out

• Com module detected

• Com module removed

• Communication module faulty

• Communication module running low on resources

• Communication overrun

Attention:

When this message occurs the Chassis / IOTA column indicates 00.01. This implies that there is no valid controller file available.

• Communication program corrupted

• Configuration error

• Download failed

• Duplicate RUSIO node address detected or RUSIO replaced

• Error code not defined

• Ethernet to Remote modules faulty

• External communication failure

• FTE link loss

• Functionality degraded

• HART communication with device lost

• Incorrect software version

• Invalid diagnostic text reference <value>

• Memory error

• Module faulty

• RUSIO module not running

• RUSIO network topology problem detected

• Too many SOE-enabled points configured

BootP response time-out

No response was received from the BootP server within the configured time-out. Most probably communication could not be established. Note: in case the communication module itself can be accessed within Safety Manager, it uses a previously received BootP response (so-called ‘retained configuration’). Solution: verify the network connections and the status of the Experion BootP server.

Com module detected

Confirmation that a module is inserted or the Control Processor has (re)started. After insertion it takes approximately 20 seconds before the COM module communicates with the QPP.

Com module removed

Confirmation that a COM module has been removed.

Communication module faulty

No communication possible with the communication module. This message may appear due to communication hang-ups or due to hardware failures. Solution: pull and re-insert the communication module. If this doesn’t help, replace the communication module.

Communication module running low on resources

The CPU load and/or use of memory has exceeded critical limits. The available CPU and/or memory resources have degraded, and may degrade even further. Solution: investigate the cause of this behavior, and contact Honeywell.

Communication overrun

Too many DI/BI points with location COM have been written to the Control Processor during an application cycle. Solution: make sure that the number of DI and BI points sent to Safety Manager does not exceed the maximum per application cycle, or contact Honeywell SMS.

Communication program corrupted

Solution: reload the Control Processor or re-insert/replace the communication module.

Configuration error

One or more errors have been detected in the configuration. Solution: investigate the details; if necessary contact Honeywell SMS.

Download failed

Loading the configuration to the SM universal IO module(s) has failed. Solutions: carry out these steps - in the order given - as necessary:

- make sure the correct type of communication module is installed,

- make sure the SM universal IO module(s) is (are) correctly connected and communication is established,

- repeat the load,

- contact Honeywell SMS.

Duplicate RUSIO node address detected or RUSIO replaced

A duplicate RUSIO node address is detected or a RUSIO was replaced. Solution: check the Node Jumper Address, and take corrective actions if needed.

Error code not defined

The error code for this diagnostic message is not defined. Solution: contact Honeywell SMS.

Ethernet to Remote modules faulty

A hardware or software problem with the Ethernet link to the SM universal IO module(s) has occurred. Solutions: carry out these steps - in the order given - as necessary:

- make sure the communication module has the correct software (version),

- make sure the SM universal IO module(s) is (are) correctly connected and communication is established,

- contact Honeywell SMS.

External communication failure

This message can have different causes.

Problems related to SM universal IO modules

Communication between a Control Processor and one or more SM universal IO modules has been reported as faulty. Solution: check the network connections; in case the problem persists contact Honeywell SMS.

Problems related to SafeNet

Communication over SafeNet has been reported as faulty. This can be due to faulty links (hardware) or a mismatch in data calculations between Control Processor 1 and Control Processor 2 (software). Solution: check for the items listed below; in case the problem persists contact Honeywell SMS.

- bad network connections,

- bad network communication,

- inconsistencies between SafeNet master and slave controllers,

- the configuration of the application,

- Safety Builder version.

FTE link loss

The FTE node of the communication module reports a problem with (one of) its links: YELLOW and/or GREEN. More specifically: the A and B interface do not detect each other within the configured FTE time-out. Solution: in Experion, check the FTE status screen to determine the cause.

Functionality degraded

A non-fatal software or communication error has occurred. Solution: carry out these steps - in the order given - as necessary:

- remove and re-insert the communication module,

- replace the communication module,

- reset the relevant Control Processor,

- contact Honeywell SMS.

HART communication with device lost

The SM universal IO module lost communication with the (specified) HART device. Solution: check as necessary and make sure that:

- the HART device is correctly connected,

- potential sources of disturbance are eliminated (e.g. field faults, 3rd party HART handhelds),

- forcing is correctly applied as part of a maintenance procedure,

- if HART handhelds are used, the HART handheld detection is configured properly.

Incorrect software version

The Control Processor detected a mismatch between the software versions in the CP module and the communication module. More specifically: the software version of the communication module does not appear in the ‘set’ of versions that can be used. Solutions:

- load the correct software version

- replace the QPP and/or the communication module

Invalid diagnostic text reference <value>

The generated error code is unknown. Solution: contact Honeywell SMS.

Memory error

The memory of the communication module has become corrupted. Solution: replace the communication module.

Module faulty

Solution: replace the module.

RUSIO module not running

An SM universal IO module has stopped functioning normally, although it did so before. Most likely one or more other messages occurred that are related to an SM universal IO module. Solution: carry out these steps - in the order given - as necessary:

- make sure the reported module is switched on,

- check for other messages that are related to an SM universal IO module, and record and analyze them,

- replace the reported module,

- contact Honeywell SMS.

RUSIO network topology problem detected

This message can have different causes. Most probably one or more physical connections in the network have become degraded or disconnected. It is also possible that modules are not correctly inter-connected. Control Processors and SM universal IO modules and/or Ethernet switches must be inter-connected according to strict rules. Solution: carry out these steps - in the order given - as necessary:

- check the network connections for signs of degradation; if necessary replace degraded parts,

- make sure all modules are correctly inter-connected; be aware that inter-connection rules are specific to the configured controller architecture,

- contact Honeywell SMS.

Too many SOE-enabled points configured

Processing the SOE events takes longer than the configured Controller application cycle time. Solution: reduce the number of SOE-enabled points until the error does not appear again.

Battery and key switch module (BKM-0001)

The following messages - related to the Battery and key switch module (BKM-0001) - are available:

• BKM removed, transport switch off or fuse blown

• Check battery

• Invalid diagnostic text reference <value>

BKM removed, transport switch off or fuse blown

This message can have different causes. Either the BKM does not contain a lithium cell, the transport switch for the battery is in the Off position, the battery voltage is too low or the battery is empty. Solution: make sure that the transport switch for the battery is in the On position and the battery is OK (see “Check battery” on page 125). If this does not help you must replace the BKM.

Check battery

The installed battery may be of the wrong type or the battery is drained. For battery details see BKM-0001. Solution: replace the battery of the BKM module with an original lithium cell. Batteries cannot be recharged.

Invalid diagnostic text reference <value>

The generated error code is unknown. Solution: contact Honeywell SMS.

IO extender (IO-0001 and IO-0002)

The following messages - related to the IO extender (IO-0001 and IO-0002) - are available:

• Configuration error

• Horizontal bus faulty

• Invalid diagnostic text reference <value>

• IO extender address incorrect or an additional IO extender placed

• Module faulty

Configuration error

Specific to IO-0002. The module has been configured but could not be detected in Safety Manager. Solution: make sure that:

- the module is placed,

- the jumper settings on the IO backplane are correct,

- the flatcables of the horizontal bus are connected correctly.

Horizontal bus faulty

Specific to IO-0002. The printed circuit board of the horizontal bus is faulty: IOBUS-HB2R for redundant cabinets, IOBUS-HB2S for non-redundant cabinets. Solution: contact Honeywell SMS.

Invalid diagnostic text reference <value>

The generated error code is unknown. Solution: contact Honeywell SMS.

IO extender address incorrect or an additional IO extender placed

Solution: check the addressing and allocation of IO extenders.

Module faulty

Solution: replace the module.

SM universal IO modules (RUSIO-3224 and RUSLS-3224)

The following messages - related to the SM universal IO module (RUSIO-3224) - are available:

• Application program corrupted

• Calculation overflow

• Configuration error

• Device detected on spare channel

• Divide by zero

• Embedded software corrupted

• Error code not defined

• ESD input activated

• ESD-switch at IOTA in wrong position

• Execution time out of range

• External communication failure

• Field device value stuck at

• Illegal argument (e.g. Root of –1)

• Illegal counter value

• Illegal timer value

• Internal communication failure or redundant CP degraded

• Invalid diagnostic text reference <value>

• IOTA faulty

• Measured and calculated FLD execution difference >10%

• Memory error

• Module faulty

• Open loop(s)

• Repair timer expired

• Repair timer started

• Safe state initiated by software assertion

• Short circuit

• Short circuit in field wiring

• Shutdown due to RIO internal communication failure

• SOE buffer full

• Spurious watchdog interrupt

• Temperature pre-alarm

• Temperature sensor faulty

• Temperature shutdown

Application program corrupted

A CRC error has been detected in the application program during the start-up check. Solution: repeat the download procedure; in case the fault persists after download, power cycle the SM universal IO module. In case the fault still persists, replace the SM universal IO module.

Calculation overflow

A calculation yields a result that is out of the specified range. Solution: check the calculation in the logic of the specified FLD.

Configuration error

The system has reported a mismatch between the configuration in Safety Builder and the corresponding hardware. More specifically: a RUSLS module is configured in the application but a RUSIO module is detected. Solution: make sure that the configuration in Safety Builder is correct, and if necessary replace the RUSIO module by a RUSLS module.

Device detected on spare channel

A device has been connected to a channel that is labeled as spare. Solution: depends on the nature of the action; in case the action was:

- not done on purpose, disconnect the device from the spare channel and connect it to the correct one,

- done on purpose, configure the channel for the connected device.

Divide by zero

In a calculation a divide by zero error occurs. Solution: check the calculations in the logic of the specified FLD.

Embedded software corrupted

A CRC error has been detected in the firmware during the start-up check. Solution: repeat the download procedure; in case the fault persists after download, power cycle the SM universal IO module. In case the fault still persists, replace the SM universal IO module.

Error code not defined

The error code for this diagnostic message is not defined. Solution: contact Honeywell SMS.

ESD input activated

The module detected that the ESD input is activated. Solution:

- in case an emergency device was activated, follow plant procedures,

- in case no emergency device was activated, check the state of the ESD wiring circuit to the IOTA.

ESD-switch at IOTA in wrong position

The system has reported a mismatch between the ESD configuration in Safety Builder and the corresponding ESD position on the IOTA. Solution: make sure that the configuration in Safety Builder and the corresponding ESD position on the IOTA are correct.

Execution time out of range

The application cycle of the SM universal IO module is out of range. Solution: contact Honeywell SMS.

External communication failure

An error has been detected in the remote IO network. Solution: check the remote IO network (hardware) and check whether the reported SM universal IO module is switched on.

Field device value stuck at

The travelling time of the field device is longer than specified in the Safety Manager application. Solution: repair or replace the field device, or modify the configuration in Safety Builder.

Illegal argument (e.g. Root of –1)

In a calculation an illegal argument is used. Solution: check the calculations in the logic of the specified FLD.

Illegal counter value

In a calculation an illegal counter value is used. Solution: check the calculations in the logic of the specified FLD.

Illegal timer value

In a calculation an illegal timer value is used. Solution: check the calculations in the logic of the specified FLD.

Internal communication failure or redundant CP degraded

An internal communication failure is detected if one of the redundant communication links between the active SM universal IO modules has failed. Solution: when detecting an internal communication failure the system halts one Control Processor.

Invalid diagnostic text reference <value>

The generated error code is unknown. Solution: contact Honeywell SMS.

IOTA faulty

The sense resistors for an analog input channel are faulty. Solution: replace the faulty IOTA.

Measured and calculated FLD execution difference >10%

Specific to RUSLS-3224. The execution time for the FLDs is calculated by the Compiler. During start-up the execution time is measured. In case the difference is more than 10% this message is generated and start-up is prohibited. Solution: contact Honeywell SMS.

Note:

When you manually create shutdowns of one Control Processor - such as during an OLM - you can safely ignore this message: “internal communication failure or CP degraded”. An “internal communication failure or CP degraded” message is always generated when losing communication to the other Control Processor.

Memory error

Insufficient memory is available in the SM universal IO module, or the module is faulty. Solution: replace the SM universal IO module.

Module faulty

The module is reported faulty. Solution: replace the module.

Open loop(s)

One or more loop faults have been detected. The field sensor(s) may (temporarily) have been out of range or there were one or more open loops. Solution: as multiple channels may have loop faults you must check the Loop Monitoring screen to see which channels have loop faults. To find possible causes for loop faults:

- check the value of the field sensor,

- check the field wiring,

- replace the module.

Repair timer expired

The fault that caused the start of the repair timer has not been repaired within the configured repair time. The SM universal IO module with the fault stops and the other SM universal IO module continues.

Repair timer started

An error has occurred and the repair timer has been started. The cause that started the repair timer is: the ESD input is faulty. Solution: replace the faulty SM universal IO module.

Safe state initiated by software assertion

Safe state initiated by software assertion. Solution: contact Honeywell SMS.

Short circuit

One or more loop faults have been detected. The field sensor(s) may (temporarily) have been out of range or there were one or more short circuits. Solution: as multiple channels may have loop faults you must check the Loop Monitoring screen to see which channels have loop faults. To find possible causes for loop faults:

- check the value of the field sensor,

- check the field wiring,

- replace the module.

Short circuit in field wiring

A short circuit has been detected between two or more input channels on the same IOTA. Solution: check the field wiring of the reported inputs for short circuits.

Shutdown due to RIO internal communication failure

A shutdown occurred due to an internal communication failure in the SM universal IO module. Solution: contact Honeywell SMS.

SOE buffer full

An overflow of the SOE internal buffer occurred due to more state changes than expected by the module. Solution: check if any SOE-enabled device is changing state faster than its normal behavior.

Spurious watchdog interrupt

This shutdown can be caused by hardware faults. Solution: cycle the Reset key switch; in case the fault persists contact Honeywell SMS.

Temperature pre-alarm

The temperature in Safety Manager gets critical. Solution: check the fans, airflow and environmental conditions.

Temperature sensor faulty

The specified temperature sensor is regarded faulty. Solution: replace the SM universal IO module.

Temperature shutdown

The temperature is out of range. Solution: check the fans, airflow and environmental conditions.

Digital input modules (SDI-1624 and SDI-1648)

The following messages - related to the Digital input modules (SDI-1624 and SDI-1648) - are available:

• Input compare error

• Invalid diagnostic text reference <value>

• Module faulty

Input compare error

A discrepancy was detected between the inputs scanned by Control Processor 1 and Control Processor 2. Solution: check the input signal for fast transients and an undefined state (see Figure 9 on page 132). A signal with an undefined state can have a random value.

Invalid diagnostic text reference <value>

The generated error code is unknown. Solution: contact Honeywell SMS.

Module faulty

One or more channels of the input module are faulty. Solution: replace the module.

Digital input module (SDIL-1608)

The following messages - related to the Digital input module (SDIL-1608) - are available:

• Earth fault detected

• Field device value stuck at

• Input compare error

• Internal power-down

• Invalid diagnostic text reference <value>

• Module faulty

• Open loop(s)

• Short-circuit

Earth fault detected

Solution: check the field wiring for earth faults. If no problem can be found, replace the module.

Figure 9 State of input signals (diagram of a digital input signal showing the levels 1 and 0 and the undefined state between them; image not reproduced here)

Field device value stuck at

The travelling time of the field device is longer than specified in Safety Manager application.Solution: repair or replace the field device or modify the configuration in Safety Builder.

Input compare error

A discrepancy has been detected between the inputs scanned by Control Processor 1 and Control Processor 2.

Solution: check the input signal for fast transients and an undefined state (see Figure 9 on page 132). A signal with an undefined state can have a random value.

Internal power-down

There is no internal voltage.

Solution: check the power supply to the module. If no problem can be found, replace the module.

Invalid diagnostic text reference <value>

The generated error code is unknown.

Solution: contact Honeywell SMS.

Module faulty

The hardware is defective.

Solution: replace the module.

Open loop(s)

One or more loop faults have been detected. The field sensor(s) may (temporarily) have been out of range or there were one or more open loops.

Solution: as multiple channels may have loop faults, check the Loop Monitoring screen to see which channels have loop faults. To find possible causes for loop faults:

- check the value of the field sensor,

- check the field wiring,

- replace the module.

Short-circuit

Solution: check the sensor and field wiring for short circuits. If no problem can be found, replace the module.


Analog input module (SAI-0410)

The following messages - related to the Analog input module (SAI-0410) - are available:

• Analog input loop fault(s)

• Input compare error

• Invalid diagnostic text reference <value>

• Module faulty

Analog input loop fault(s)

One or more loop faults have been detected. The field sensor(s) may (temporarily) have been out of range, or there is or was one or more open loops or short circuits.

Solution: as multiple channels may have loop faults, check the Loop Monitoring screen to see which channels have loop faults. To find possible causes for analog input loop faults:

- check the value of the field sensor

- check the field wiring.

Input compare error

A discrepancy has been detected between the inputs scanned by Control Processor 1 and Control Processor 2.

Solution: check the input signal for fast transients and an undefined state (see Figure 9 on page 132). A signal with an undefined state can have a random value.

Invalid diagnostic text reference <value>

The generated error code is unknown.

Solution: contact Honeywell SMS.

Module faulty

The hardware is defective.

Solution: replace the module.

Analog input module (SAI-1620m)

The following messages - related to the Analog input module (SAI-1620m) - are available:

• Analog input loop fault(s)

• Input compare error

• Internal power-down


• Invalid diagnostic text reference <value>

• Module faulty

Analog input loop fault(s)

One or more loop faults have been detected. The field sensor(s) may (temporarily) have been out of range, or there is or was one or more open loops or short circuits.

Solution: as multiple channels may have loop faults, check the Loop Monitoring screen to see which channels have loop faults. To find possible causes for analog input loop faults:

- check the value of the field sensor

- check the field wiring.

Input compare error

A discrepancy has been detected between the inputs scanned by Control Processor 1 and Control Processor 2.

Solution: check the input signal for fast transients and an undefined state (see Figure 9 on page 132). A signal with an undefined state can have a random value.

Internal power-down

There is no internal voltage.

Solution: check the power supply to the module. If no problem can be found, replace the module.

Invalid diagnostic text reference <value>

The generated error code is unknown.

Solution: contact Honeywell SMS.

Module faulty

The hardware is defective.

Solution: replace the module.

Digital output module (SDO-0824)

The following messages - related to the Digital output module (SDO-0824) - are available:

• External power down complete module

• External power down group A

• External power down group B

• Invalid diagnostic text reference <value>


• Module faulty

• Output compare error

• Short circuit

External power down complete module

If this message is displayed for only one module, the module is faulty.

Solution: replace the module.

If several modules display the same message, there is a common cause for the problem.

Solution: check the fuses or circuit breakers of the external power supply, or check the watchdog signal.

External power down group A

Solution: check the fuses or circuit breakers of the external power supply to channels 1 to 4, or check the watchdog signal.

External power down group B

Solution: check the fuses or circuit breakers of the external power supply to channels 5 to 8, or check the watchdog signal.

Invalid diagnostic text reference <value>

The generated error code is unknown.

Solution: contact Honeywell SMS.

Module faulty

A fault has been detected in the common part of the output module.

Solution: replace the module.

Output compare error

Control Processor 1 and Control Processor 2 calculated different output values.

Solution: contact Honeywell SMS.

Short circuit

One or more loop faults have been detected. The field sensor(s) may (temporarily) have been out of range or there were one or more short circuits.

Solution: as multiple channels may have loop faults, check the Loop Monitoring screen to see which channels have loop faults. To find possible causes for loop faults:

- check the value of the field sensor,

- check the field wiring,

- replace the module.


Digital output modules (SDO-04110 and SDO-0448)

The following messages - related to the Digital output modules (SDO-04110 and SDO-0448) - are available:

• External power-down complete module

• Invalid diagnostic text reference <value>

• Module faulty

• Output compare error

• Short circuit

External power-down complete module

If this message is displayed for only one module, the module is faulty.

Solution: replace the module.

If several modules display the same message, there is a common cause for the problem.

Solution: check the fuses or circuit breakers of the external power supply, or check the watchdog signal.

Invalid diagnostic text reference <value>

The generated error code is unknown.

Solution: contact Honeywell SMS.

Module faulty

A fault has been detected in the common part of the output module.

Solution: replace the module.

Output compare error

Control Processor 1 and Control Processor 2 calculated different output values.

Solution: contact Honeywell SMS.

Short circuit

One or more loop faults have been detected. The field sensor(s) may (temporarily) have been out of range or there were one or more short circuits.

Solution: as multiple channels may have loop faults, check the Loop Monitoring screen to see which channels have loop faults. To find possible causes for loop faults:

- check the value of the field sensor,

- check the field wiring,

- replace the module.


Digital output module (SDO-0424)

The following messages - related to the Digital output module (SDO-0424) - are available:

• External power down complete module

• External power down group A

• External power down group B

• Invalid diagnostic text reference <value>

• Module faulty

• Output compare error

• Short circuit

External power down complete module

If this message is displayed for only one module, the module is faulty.

Solution: replace the module.

If several modules display the same message, there is a common cause for the problem.

Solution: check the fuses or circuit breakers of the external power supply, or check the watchdog signal.

External power down group A

Solution: check the fuses or circuit breakers of the external power supply to channels 1 and 2 or check the watchdog signal.

External power down group B

Solution: check the fuses or circuit breakers of the external power supply to channels 3 and 4 or check the watchdog signal.

Invalid diagnostic text reference <value>

The generated error code is unknown.

Solution: contact Honeywell SMS.

Module faulty

A fault has been detected in the common part of the output module.

Solution: replace the module.

Output compare error

Control Processor 1 and Control Processor 2 calculated different output values.

Solution: contact Honeywell SMS.


Short circuit

One or more loop faults have been detected. The field sensor(s) may (temporarily) have been out of range or there were one or more short circuits.

Solution: as multiple channels may have loop faults, check the Loop Monitoring screen to see which channels have loop faults. To find possible causes for loop faults:

- check the value of the field sensor,

- check the field wiring,

- replace the module.

Digital output modules (SDOL-0424 and SDOL-0448)

The following messages related to the Line-monitored Digital output modules (SDOL-0424 and SDOL-0448) are available:

• Module faulty, current detected in output loop

• External power down complete module

• Invalid diagnostic text reference <value>

• Module faulty

• Open loop(s)

• Output compare error

• Short circuit

Module faulty, current detected in output loop

Current has been detected in an output loop even though the channel is switched off.

Solution: check for short circuits between the channels in the field; if no short circuits are found, replace the module.

External power down complete module

If this message is displayed for only one module, the module is faulty.

Solution: replace the module.

If several modules display the same message, there is a common cause for the problem.

Solution: check the fuses or circuit breakers of the external power supply, or check the watchdog signal.

Invalid diagnostic text reference <value>

The generated error code is unknown.

Solution: contact Honeywell SMS.


Module faulty

A fault has been detected in the output module.

Solution: replace the module.

Open loop(s)

One or more loop faults have been detected. The field sensor(s) may (temporarily) have been out of range or there were one or more open loops.

Solution: as multiple channels may have loop faults, check the Loop Monitoring screen to see which channels have loop faults. To find possible causes for loop faults:

- check the value of the field sensor,

- check the field wiring,

- check the lead breakage current setting (see SDOL-0424). If no problem can be found, replace the module.

Output compare error

Control Processor 1 and Control Processor 2 calculated different output values.

Solution: contact Honeywell SMS.

Short circuit

One or more loop faults have been detected. The field sensor(s) may (temporarily) have been out of range or there were one or more short circuits.

Solution: as multiple channels may have loop faults, check the Loop Monitoring screen to see which channels have loop faults. To find possible causes for loop faults:

- check the value of the field sensor,

- check the field wiring,

- replace the module.

Digital output modules (DO-1624 and DO-1224)

The following messages - related to the Digital output modules (DO-1624 and DO-1224) - are available:

• Invalid diagnostic text reference <value>

• Output compare error

Invalid diagnostic text reference <value>

The generated error code is unknown.

Solution: contact Honeywell SMS.


Output compare error

Control Processor 1 and Control Processor 2 calculated different output values.

Solution: contact Honeywell SMS.

Relay output module (RO-1024)

The following messages - related to the Relay output module (RO-1024) - are available:

• Invalid diagnostic text reference <value>

• Output compare error

Invalid diagnostic text reference <value>

The generated error code is unknown.

Solution: contact Honeywell SMS.

Output compare error

Control Processor 1 and Control Processor 2 calculated different output values.

Solution: contact Honeywell SMS.

Analog output module (SAO-0220m)

The following messages - related to the Analog output module (SAO-0220m) - are available:

• Invalid diagnostic text reference <value>

• Module faulty

• Open loop(s)

• Output compare error

Invalid diagnostic text reference <value>

The generated error code is unknown.

Solution: contact Honeywell SMS.

Module faulty

A fault has been detected in the common part of the output module.

Solution: replace the module.


Open loop(s)

An open loop fault has been detected in the field. This message only applies to redundant SAO modules when both CPs are running.

Solution: use Loop Monitoring in Controller Management to locate the faulty loop and solve the loop fault.

Output compare error

Control Processor 1 and Control Processor 2 calculated different output values.

Solution: contact Honeywell SMS.


Safety Builder on-line messages

This section gives information about messages that are generated by Safety Builder.

The following topics are available:

• General communication error messages

• Application Viewer messages

General communication error messages

The following general communication error messages are available:

• Illegal command

• No connection

Illegal command

Information exchange between Safety Builder and the SM Controller failed.

Solution: contact Honeywell SMS.

No connection

No communication has been established with the SM Controller.

Solution:

a. Check if the cable is plugged into the correct communication port of the Safety Station and Safety Manager.

b. Check if the communication cable is terminated correctly, has no broken wires, etc.

c. Check the Network Configurator properties (Controller properties in Physical View and Logical View) in Safety Builder.

d. Decrease the communication speed (the communication cable may be too long for the communication speed).

Application Viewer messages

Application Viewer performs a number of startup tests.

The following messages can appear when you start Application Viewer:

• Clear not successful on: <tag of point>

• Controller is not running


• Force not successful on: <tag of point>

• Point not found

• The application can not be viewed. Please check the status of the Controller

• Timeout while retrieving status of the Controller

• Unable to initialize dynamic arrays for point and line data

• Unable to initialize the status of FLD

• Unable to start Application Viewer

Clear not successful on: <tag of point>

The attempt to clear the force status of a point failed. There is a mismatch between the Safety Builder point database and the Controller point database.

Solution: first recompile and repeat the download procedure; if this message persists, contact Honeywell SMS.

Controller is not running

Solution: get the system running. Check the status of the Control Processor keys and toggle the Reset switch.

Force not successful on: <tag of point>

The attempt to force a point failed. There is a mismatch between the Safety Builder point database and the Controller point database.

Solution: first recompile and repeat the download procedure; if this message persists, contact Honeywell SMS.

Point not found

Solution: contact Honeywell SMS.

The application can not be viewed. Please check the status of the Controller

The application is not running on the Controller.

Solution: check the diagnostics.

The Controller is not running the version of the application as found in the database

Solution: repeat the download procedure.

Timeout while retrieving status of the Controller

Solution: check the communication with the Controller (see “No connection” on page 143).

Unable to initialize dynamic arrays for point and line data

Solution: contact Honeywell SMS.

Unable to initialize the status of FLD

Solution: contact Honeywell SMS.


Unable to start Application Viewer

The start conditions of the Controller are not correct.

Solution: get the system running: first configure, then compile, load and start the Controller. Then you can start Application Viewer.

Point Viewer messages

Point Viewer performs a number of startup tests.

The following messages can appear when you start Point Viewer:

• A screen with the name ‘Name’ already exists

• Controller is not running

• Error creating dataset for point status

• Insufficient privilege level to modify the screen

• Timeout while retrieving status of the Controller

• Unable to start Point Viewer

A screen with the name ‘Name’ already exists

Solution: choose a unique name for the screen.

Controller is not running

Solution: get the system running. Check the status of the Control Processor keys and toggle the Reset switch.

Error creating dataset for point status

Solution: contact Honeywell SMS.

Insufficient privilege level to modify the screen

Solution: configure the required privilege level (see “Security” on page 396).

The Controller is not running the version of the application as found in the database

Solution: repeat the download procedure.

Timeout while retrieving status of the Controller

Solution: check the communication with the Controller (see “No connection” on page 143).

Unable to start Point Viewer

There is no communication between the Control Processor and Point Viewer.

Solution: check the communication with the Controller (see “No connection” on page 143).


Communication status

The Communication Status button in Controller Management has tools that assist you in solving communication related issues.

Communication Status has the following status tabs:

• Communication Statistics

This tab provides a list of all physical communication channels of the selected SM Controller. It also shows the available communication statistics per channel. For more information and details see Communication Statistics – tab.

• Link Status Report

This tab provides a list of all logical communication connections of the selected SM Controller, except SafeNet and NTP/PTP connections. It also shows the actual diagnostic information that is available for the logical connections of the SM Controller. For more information and details see Link Status Report – tab.

Each physical channel can have one or more logical communication connections that are related to it.

Communication Statistics – tab

Communication Statistics provides an overview with statistics concerning various parameters per physical communication channel. An example is shown in Figure 10 on page 147.


Figure 10 Communication Status - Communication Statistics tab

Note:

Communication Statistics records all occurrences since the most recent fault reset of the SM Controller.

Attention:

Statistical counters indicate the number of occurrences per type of statistic. Counters that change strongly within a relatively short period of time indicate unstable behavior of the physical communication channels.

The following statistics are logged:

Module / CP / COM port: Identifies the communication module, CP and communication channel these statistics apply to.

Protocol: Identifies the communication protocols active on this physical communication channel.

Interface: Identifies the configured interface for this physical channel.

Response timeouts: Identifies the number of low-level requests.


Data corruption errors: Identifies the number of messages with data corruption.

Procedure Errors: Identifies the number of messages with procedure errors (1).

Operation Errors: Identifies the number of unsupported messages (2).

Incomplete Frames: Identifies the number of messages with incomplete frames.

Retries: Identifies the number of retries.

(1) Messages may not (fully) comply with the protocol that is used (e.g. sequence, incorrect or incomplete fields, range checks).

(2) The protocol that is used may be incorrect and/or function incorrectly (e.g. time-outs occur).

Link Status Report – tab

Link Status Report provides additional information per logical connection. You usually check the Link Status Report for detailed information when a link fault has been reported via the diagnostics. An example is shown in Figure 11 on page 148.

Figure 11 Communication Status - Link Status Report tab


Note:

The Link Status Report is updated every second during the period in which it reports changes in logical connection states.

Attention:

A time stamp indicates the most recent update of the Link Status Report. A frequently changing time stamp indicates an unstable logical connection.

The following statistics are logged:

Module / COM port / Logical Connection / Protocol: The communication module, physical channel, logical connection and protocol this link status applies to.

Device Address: The device address used for this logical connection. When -- is displayed, device addresses are not applicable.

Auto Repair: Indicates the behavior of a logical connection in case the status was Faulty and becomes Healthy again:

• Enabled indicates that this logical connection will be restored automatically,

• Disabled indicates that this logical connection will not be restored automatically; a fault reset is required (1).

Status CP1: The status of the link as reported by CP1 (2).

Status CP2: The status of the link as reported by CP2 (2).

(1) A fault reset also causes the Link Status Report to be updated.

(2) Status CPx indicates whether the link is still up and running (at least one CP reports Healthy) or whether the link is down (both CPs report Faulty).
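As an added example that is not part of the Honeywell guide, the following Python script models the two Communication Status checks described above: it compares two Communication Statistics snapshots for strongly changing counters (allowing for a fault reset between them, after which the cumulative counters restart) and evaluates Link Status Report rows for link state, the Auto Repair consequence and a frequently changing time stamp. The record layout, the module and connection names, the thresholds and all sample values are constructed assumptions, not a Safety Builder export format.

```python
"""Model of the Communication Status checks on this page: counter rate of change
(Communication Statistics tab) and link evaluation (Link Status Report tab).
Record layout, module names, thresholds and sample values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Counter columns of the Communication Statistics tab (names as on the page).
STAT_COUNTERS = ("Response timeouts", "Data corruption errors", "Procedure Errors",
                 "Operation Errors", "Incomplete Frames", "Retries")
ChannelKey = Tuple[str, str, str]          # (Module, CP, COM port)
Snapshot = Dict[ChannelKey, Dict[str, int]]

def counters(*values: int) -> Dict[str, int]:
    """Build one row of cumulative counters in STAT_COUNTERS order."""
    return dict(zip(STAT_COUNTERS, values))

def unstable_channels(earlier: Snapshot, later: Snapshot, seconds: float,
                      max_per_minute: float = 10.0) -> Dict[ChannelKey, Dict[str, float]]:
    """Return, per channel, the counters that rose faster than max_per_minute
    between two snapshots taken `seconds` apart ('strongly changing counters').
    Counters accumulate since the last fault reset, so a counter that went down
    means a reset happened in between and the channel is skipped (no baseline)."""
    minutes = seconds / 60.0
    flagged: Dict[ChannelKey, Dict[str, float]] = {}
    for key, now in later.items():
        before = earlier.get(key)
        if before is None or any(now[c] < before[c] for c in STAT_COUNTERS):
            continue                       # new channel, or fault reset in between
        rates = {c: (now[c] - before[c]) / minutes for c in STAT_COUNTERS}
        bad = {c: r for c, r in rates.items() if r > max_per_minute}
        if bad:
            flagged[key] = bad
    return flagged

@dataclass
class LinkStatus:
    """One row of the Link Status Report tab (constructed layout)."""
    module: str
    com_port: str
    logical_connection: str
    auto_repair: bool              # True = Enabled, False = Disabled
    status_cp1: str                # "Healthy" or "Faulty"
    status_cp2: str
    update_times: List[float] = field(default_factory=list)  # report time stamps (s)

def link_state(link: LinkStatus) -> str:
    """Up while at least one CP reports Healthy; down when both report Faulty."""
    if link.status_cp1 == "Healthy" or link.status_cp2 == "Healthy":
        return "up"
    return "down"

def link_findings(link: LinkStatus, window_s: float = 60.0,
                  max_updates: int = 5) -> List[str]:
    """State, auto repair consequence, and whether the report time stamp changes
    often enough within window_s to indicate an unstable logical connection."""
    findings: List[str] = []
    if link_state(link) == "down":
        findings.append("link down: both CPs report Faulty")
        if not link.auto_repair:
            findings.append("auto repair disabled: fault reset required after repair")
    elif link.status_cp1 != link.status_cp2:
        findings.append("degraded: CPs disagree (%s/%s)" % (link.status_cp1, link.status_cp2))
    if link.update_times:
        latest = max(link.update_times)
        recent = [t for t in link.update_times if latest - t <= window_s]
        if len(recent) > max_updates:
            findings.append("unstable: %d report updates within %.0f s" % (len(recent), window_s))
    return findings

# Constructed sample data: two Communication Statistics snapshots 300 s apart.
SNAP_T0: Snapshot = {
    ("ModuleA", "CP1", "COM1"): counters(3, 0, 0, 0, 1, 3),
    ("ModuleA", "CP1", "COM2"): counters(40, 12, 0, 0, 7, 40),
    ("ModuleA", "CP2", "COM1"): counters(500, 20, 0, 0, 10, 500),
}
SNAP_T1: Snapshot = {
    ("ModuleA", "CP1", "COM1"): counters(4, 0, 0, 0, 1, 4),         # quiet channel
    ("ModuleA", "CP1", "COM2"): counters(130, 48, 0, 0, 30, 130),   # 90 timeouts in 5 min
    ("ModuleA", "CP2", "COM1"): counters(2, 0, 0, 0, 0, 2),         # dropped: fault reset
}
# Constructed Link Status Report rows.
LINK_OK = LinkStatus("ModuleA", "COM1", "Link-1", True, "Healthy", "Healthy", [0.0])
LINK_DEGRADED = LinkStatus("ModuleA", "COM1", "Link-2", True, "Healthy", "Faulty", [0.0])
LINK_DOWN = LinkStatus("ModuleA", "COM2", "Link-3", False, "Faulty", "Faulty",
                       [100.0, 101.0, 102.0, 103.0, 104.0, 105.0, 106.0])

if __name__ == "__main__":
    for key, bad in unstable_channels(SNAP_T0, SNAP_T1, 300).items():
        print(key, {c: round(r, 1) for c, r in bad.items()})
    for link in (LINK_OK, LINK_DEGRADED, LINK_DOWN):
        print(link.logical_connection, link_state(link), link_findings(link))
```

With the constructed data, only CP1/COM2 is reported (Response timeouts and Retries at 18 per minute), the CP2/COM1 channel is skipped because its counters restarted after a fault reset, and Link-3 is reported as down, needing a fault reset and unstable.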


D Safety Manager fault detection and reaction

A Safety Instrumented System (SIS) is responsible for maintaining the safety of a Process Under Control (PUC) or Equipment Under Control (EUC), regardless of the state of the system.

Should a fault arise in the SIS, it must deal with this fault in a safe way within the defined Diagnostic Test Interval (DTI).

A SIS operating in “high demand mode of operation” must detect and safely isolate any single fault within the defined Process Safety Time (PST).

This appendix describes:

• Principles of fault detection and reaction

• Safety Manager faults

• Safety Manager reaction to faults

The table below lists the topics described in this appendix:

Topic See

Fault detection and reaction page 152

SM Controller faults page 163

SM universal IO module faults page 168

SM chassis IO faults page 170

SM universal IO faults page 174

Compare error handling page 177

Calculation errors page 181


Fault detection and reaction

The goal of fault detection and reaction is to detect and isolate faults that affect the safety of the process under control, within a time frame that is acceptable for the process.

This section contains the topics listed below:

Topic See

Relevant definitions page 152

Principle of fault detection page 155

Principle of fault reaction page 156

Watchdog and redundancy page 160

Relevant definitions

Fault reaction

The reaction to faults in the Controller, application and/or IO.

• The fault reaction to Controller and/or application faults is fixed.

• The fault reaction to IO faults can be configured on a point or module level; it should be customized to the application for which Safety Manager is used.

Process safety time (PST)

The time a process can be left running uncontrolled without losing the ability to regain control.

Diagnostic Test Interval (DTI)

The time period used by Safety Manager to cyclically locate and isolate safety related faults within on-line system components that could otherwise cause a hazardous situation.

With Safety Manager, the default DTI is set at 3 seconds. This setting needs to be verified for each process.

Repair time

The time allowed to keep a Safety Instrumented System (SIS) running with a fault present that “may affect safety upon accumulation of multiple faults”. Repair time is introduced to extend the SIS up-time for a limited time frame, allowing system repair.


Repair timer

A configurable count-down timer that is triggered upon detection of a fault which reduces the safety availability of the system.

The default repair window is 200 hours, which is more than sufficient if spare parts are available. The repair timer can be deactivated.

Each Control Processor has its own repair timer. Once running, a repair timer shows the remaining time to repair the fault that triggered the repair timer in the Control Processor (200 hours default). If the fault is not repaired within the repair time the Control Processor containing the fault halts.

A repair timer protects the system from certain fault accumulations that may affect the safety of Safety Manager. The timer only starts on detection of:

• faults on output modules with fault reaction set to Low

• faults detected with non-redundant IO bus extenders.

Safe

A design property of an item in which the specified failure mode is predominantly in a safe direction.

Safety related

A flag to indicate that a signal is used for a safe function.

Secondary Means

A means designed to drive towards a safe state in case the primary means is unable or unreliable to do so.

An example of a secondary means is the watchdog: The watchdog is designed to drive the Control Processor and related outputs to a safe state if the Control Processor itself is unable or unreliable to do so.

Secondary Means Of De-energization (SMOD)

A SMOD is a Secondary Means designed to de-energize the output in case the primary means is unable or unreliable to do so.

Figure 12 on page 154 shows an example of a SMOD protecting 4 output channels.


Single fault tolerant

Built-in ability of a system to correctly continue its assigned function in the presence of a single fault in the hardware or software.

Single fault tolerant for safety

Built-in ability of each Safety Manager configuration to continue to maintain safety in the presence of a single fault in the hardware or software.

Control Processor states

A Control Processor (CP) can have many states. For fault detection and reaction the following states are relevant.

• Running (without faults); CP is fully functional and executes the application.

Figure 12 Schematic diagram of a SMOD with 4 channels (diagram labels: CH1 to CH4 with On/Off and readback signals, SMOD Group On/Off, WDG, Vdc int., Vdc ext., 0 Vdc, OUT1+ to OUT4+, OUT-, connector pins d2, d8, d32/z32, z8/d30/z30)

Attention:

The states described below are presented on the display of the relevant QPP, while the key switch of that QPP is in the RUN position.


• Running with Flt (with faults); CP executes the application but the controller detected one or more faults (e.g. open loop or a hardware fault).

• Halt; CP does not execute the application.

The applicable CP state can be read from the User Interface Display located on each Control Processor and from the diagnostic screens available on Experion™ and Safety Stations.

IO states

From a system point of view, IO can be in the healthy state, the de-energized state or the fault reaction state.

• When healthy, the IO is active and has the application value applied.

• When de-energized, the IO is de-activated (as if no power was supplied).

• When the fault reaction state is applied, the IO responds according to a predefined fault condition (fault reaction).

• When forced, the force value is applied.

Process states

A process can have many states. Related to fault detection and reaction in the safety loop of a process, the following process states are described:

• running without detected faults

• running with detected faults

• halted

Principle of fault detection

A Safety Instrumented System (SIS) operating in “high demand mode of operation” must detect and safely isolate any single fault within one PST.

Fault detection

Fault detection is the first step towards fault reaction.

Faults in Safety Manager are detected in accordance with the Failure Mode and Effect Analysis (FMEA) model, which provides adequate diagnostics on any detected fault. Test algorithms and/or test circuits are embedded in the safety related software and hardware components so that these faults can be detected.

Note

Fault detection and reaction is aimed at detecting and responding to faults that affect or endanger the safety of the system and the process under control.

A running SM Controller continuously performs a series of extensive diagnostic checks on all safety related software and hardware components. In this way it will find faults before they can jeopardize the safety of the process and equipment under control.

Fault database

Upon detection of a fault two basic actions are initiated:

• a predefined fault reaction is applied, see “Principle of fault reaction” on page 30,

• the fault is stored for future use, e.g. as a diagnostic message or as an event.

Depending on the severity of the fault, the configuration settings, the redundancy in the Controller and other user settings, the Controller will decide what action is appropriate.

To clear a fault from the fault database, the fault must be resolved and a fault reset must be initiated (e.g. turn and release the Reset key switch on the BKM).

Principle of fault reaction

Each detected fault is reported by means of a diagnostic message, alarm markers and/or diagnostic markers.

If the nature of the fault requires the system to react, Safety Manager will isolate the faulty component from the rest of the system.

At the same time the system acts on the effect of losing the function of that component.

That action may be:

• none, a redundant component can cover for the lost function,

• none, losing the function has no impact on safety,

• apply the fault reaction state to the affected IO,

• start the repair timer,

• halt the affected Control Processor,

• de-energize all non-redundant outputs via the watchdog,

• de-energize all outputs via the watchdog.

In the next paragraphs these items are explained in more detail.

Attention

Make sure that the diagnostic message is understood and the fault is resolved before initiating a fault reset! Attempting a reset without checking the nature of the fault may cause a dangerous situation and/or lead to a recurring event.

Attention

It is strongly recommended to repair faults even though a fault seems to have no effect on the system. If not repaired immediately, faults may accumulate and, combined, create an unforeseen but expectable system reaction.

Redundancy

When available, the redundant component in the system will continue to perform that function. This means that, when redundancy is provided, the system remains available for the process.

No impact on safety

The following examples show a number of faults that have no impact on safety:

• External power down.

• Loss of communication with a process control system.

• Failure of the Controller back-up battery.

Attention:

When the faults above occur, the system will report the anomaly but take no action by itself. However, the system can be programmed to initiate action if needed.

Fault reaction state

If Safety Manager detects a fault related to the IO, this may cause the IO to go to the fault reaction state.

The fault reaction state is a safe state – programmed as the safest reaction to occurring faults that are related to IO.

The fault reaction state is user configurable on point level for SM chassis IO, SM universal IO and communication IO. However, the configuration that is set for any point of an output module (SM chassis IO) applies to all points (channels) of that output module.

The following fault reaction states exist:

• High is a fault reaction state for digital inputs: upon a detected fault the input is energized, or, in other words, the input goes high or becomes ‘1’.

• Low is a fault reaction state for digital inputs and digital outputs: upon a detected fault the digital input or output is de-energized, or, in other words, the digital input or output goes low or becomes ‘0’.

• Top Scale is a fault reaction state for analog inputs: upon a detected fault the input is set to the top scale of the range.

• Bottom Scale is a fault reaction state for analog inputs: upon a detected fault the analog input is set to the bottom scale of the range.

• Scan is a fault reaction state for tested (analog or digital) inputs: upon a detected fault the input or output continues to carry the processing value, even if this value may be incorrect.

• Hold is a fault reaction state for analog and digital inputs: upon a detected fault the input freezes to the last known good value.

• 0 mA is a fault reaction state for analog outputs: upon a detected fault the analog output is de-energized.

• Appl is a fault reaction state for all outputs: upon a detected fault the output remains active; the output value may be incorrect.

• Fixed Value is a fault reaction state for numeric inputs located on a communication channel: upon a detected fault the numeric input is fixed to a predefined value (not necessarily the startup value).

• Freeze is a fault reaction state for numeric inputs located on a communication channel: upon a detected fault the input freezes to the last known good value.

Table 7 on page 158 shows the possible fault reaction settings for hardware IO.

Table 7 Fault reaction settings

IO | “Safe” fault reaction settings (1) | “Non safe” fault reaction settings
Digital input | High or Low | Scan or Hold
Analog input | Top scale or Bottom scale | Scan or Hold
Digital output | Low | Appl
Analog output | 0 mA | Appl (2)

1 If you have one of these settings, Safety Manager will test and respond to a module or channel failure.

2 Attention: Be aware of the consequences in case this fault reaction is chosen for redundant analog output channels. When this is the case and communication to one of the redundant output modules is lost (e.g. the flatcable becomes disconnected), the last output value of the disconnected module will still be applied to the field. However, the module that is still connected will double its output to compensate for the missing module. Hence, the output to the field in this situation will be higher than you may expect (approximately 150%).

Table 8 on page 159 shows the possible fault reaction settings for communication IO.

Table 8 Fault reaction settings for communication IO

IO | “Safe” fault reaction settings (1) | “Non safe” fault reaction settings
Digital input (DI) | High or Low | Freeze
Numeric inputs (BI) | Fixed Value | Freeze

1 If you have one of these settings, Safety Manager will test and respond to a communication channel time-out.

Repair timer

All configurations of Safety Manager are single fault tolerant to faults that affect safety. By applying a secondary means Safety Manager is able to bring a process to a safe state, regardless of the fault.

By default, Safety Manager is configured to isolate the faulty part of a subsystem to guarantee continued safe operation of the EUC. In systems with a redundant Control Processor (CP) a fault in a subsystem of one of the CPs has no effect on the safeguarded process. Continuous safeguarding and availability is maintained.

A configurable repair timer is started for the relevant CP on certain fault conditions. Within the remaining time the faulty part can be repaired. If the timer is allowed to reach zero, or another fault that affects safety occurs, that Control Processor halts.

It is strongly advised to apply this feature of Safety Manager to meet the requirements of applicable standards. However, the user can choose to configure Safety Manager differently to meet his own specific requirements.
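The fault reaction states listed above, and the “safe” / “non safe” split of Tables 7 and 8, can be expressed as a small resolver that returns the value a point carries once a fault has been detected on it. The following is an added example written for this guide, not Honeywell code and not how Safety Manager is implemented; the point kinds (DI, AI, DO, AO, COM_DI, COM_BI), the engineering ranges and all sample values are constructed. It also models the situation in note 2 of Table 7 (a redundant analog output pair with Appl losing one module), under the stated assumption that each module normally drives half of the commanded value.

```python
"""Fault reaction (FR) state resolution for a Safety Manager style IO point.

Added example, not Honeywell code.  It models the FR states listed in
this section and the "safe" / "non safe" split of Tables 7 and 8.  Point
kinds, engineering ranges and all sample values are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Allowed FR settings per IO kind, as Tables 7 (hardware IO) and 8
# (communication IO) list them.  The keys are constructed short names.
FR_SETTINGS = {
    "DI":     {"safe": {"High", "Low"},               "non_safe": {"Scan", "Hold"}},
    "AI":     {"safe": {"Top scale", "Bottom scale"}, "non_safe": {"Scan", "Hold"}},
    "DO":     {"safe": {"Low"},                       "non_safe": {"Appl"}},
    "AO":     {"safe": {"0 mA"},                      "non_safe": {"Appl"}},
    "COM_DI": {"safe": {"High", "Low"},               "non_safe": {"Freeze"}},
    "COM_BI": {"safe": {"Fixed Value"},               "non_safe": {"Freeze"}},
}


@dataclass
class Point:
    kind: str                            # one of the FR_SETTINGS keys
    fr_state: str                        # configured fault reaction state
    lo: float = 0.0                      # bottom of scale (analog inputs)
    hi: float = 100.0                    # top of scale (analog inputs)
    fixed_value: Optional[float] = None  # value used by "Fixed Value"


def is_safe_setting(point: Point) -> bool:
    """True when the configured FR state is a "safe" setting for this IO kind.

    Raises ValueError for a setting the tables do not allow for the kind,
    e.g. "Top scale" on a digital input or "Appl" on an input.
    """
    allowed = FR_SETTINGS[point.kind]
    if point.fr_state not in allowed["safe"] | allowed["non_safe"]:
        raise ValueError(f"{point.fr_state!r} is not a valid FR state for {point.kind}")
    return point.fr_state in allowed["safe"]


def resolve(point: Point, fault: bool, processing_value, last_good_value):
    """Value the point carries: the processing value while healthy, the
    configured FR state once a fault has been detected on the point."""
    is_safe_setting(point)  # rejects an inconsistent configuration up front
    if not fault:
        return processing_value
    s = point.fr_state
    if s == "High":
        return 1
    if s == "Low":
        return 0
    if s == "Top scale":
        return point.hi
    if s == "Bottom scale":
        return point.lo
    if s == "0 mA":
        return 0.0
    if s in ("Hold", "Freeze"):
        return last_good_value           # freeze at the last known good value
    if s in ("Scan", "Appl"):
        return processing_value          # keeps running; value may be wrong
    if s == "Fixed Value":
        return point.fixed_value         # predefined value, not the startup value
    raise AssertionError("unreachable: validated above")


def redundant_ao_field_output(commanded: float, last_commanded: float,
                              one_module_disconnected: bool) -> float:
    """Current seen by the field from a redundant analog output pair with
    FR state "Appl" (Table 7, note 2).  Modelling assumption: each module
    normally drives half of the commanded value.  When one module loses
    communication it keeps applying its last value while the other doubles
    its share, so the field receives roughly 150% of the commanded value."""
    if not one_module_disconnected:
        return commanded
    return last_commanded / 2 + commanded
```

The validation in `is_safe_setting` is the part worth keeping in any configuration review tool: a setting the tables do not list for that IO kind is rejected outright rather than silently mapped to some default.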


Control Processor halt

A Control Processor halts if:

• A fault is detected in one of its safety instrumented functions; for example: corrupted software, safety processors out of sync, watchdog fault,

• The repair timer runs out,

• The Control Processor is disabled by its own watchdog,

• The Control Processor is disabled by the watchdog of the other Control Processor.
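The repair timer and the Control Processor halt conditions described above form a small state machine: a safety-affecting fault starts the timer, a second such fault or timer expiry halts the CP, and a fault reset only clears the fault database once the faults are resolved. The block below is an added example written for this guide, not Honeywell code and not Safety Manager's actual implementation; the class layout, the state names, the timer value and the fault names are constructed, and restarting a halted CP is deliberately left out.

```python
"""Control Processor fault handling: repair timer, halt and fault reset.

Added example, not Honeywell code.  A simplified model of what this
section describes for one Control Processor of a redundant Controller:
  - a fault is stored in the CP's fault database and the CP shows
    "Running with Flt";
  - a fault that affects safety starts the repair timer;
  - the CP halts when the timer reaches zero or when another
    safety-affecting fault occurs while the timer runs;
  - a fault reset clears the fault database only after the faults
    have been resolved.
Timer values, fault names and the class layout are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

RUNNING = "Running"
RUNNING_WITH_FLT = "Running with Flt"
HALT = "Halt"


@dataclass
class Fault:
    name: str
    affects_safety: bool
    resolved: bool = False


@dataclass
class ControlProcessor:
    name: str
    repair_time_s: int                       # configured repair timer
    faults: List[Fault] = field(default_factory=list)   # fault database
    timer_s: Optional[int] = None            # remaining time; None = not running
    state: str = RUNNING

    def detect(self, fault: Fault) -> str:
        """Store the fault, apply the reaction, return the new CP state."""
        self.faults.append(fault)
        if self.state == HALT:
            return self.state
        if fault.affects_safety:
            if self.timer_s is not None:
                # second safety-affecting fault while the timer runs: halt
                self.state, self.timer_s = HALT, None
                return self.state
            self.timer_s = self.repair_time_s
        self.state = RUNNING_WITH_FLT
        return self.state

    def tick(self, seconds: int) -> str:
        """Advance the repair timer; the CP halts when it reaches zero."""
        if self.state != HALT and self.timer_s is not None:
            self.timer_s = max(0, self.timer_s - seconds)
            if self.timer_s == 0:
                self.state, self.timer_s = HALT, None
        return self.state

    def fault_reset(self) -> bool:
        """Reset key switch on the BKM.  Refused while any stored fault is
        unresolved; otherwise the fault database is cleared, the repair
        timer stops and a CP running with faults returns to "Running".
        Restarting a halted CP is a separate procedure, not modelled here."""
        if any(not f.resolved for f in self.faults):
            return False
        self.faults.clear()
        self.timer_s = None
        if self.state == RUNNING_WITH_FLT:
            self.state = RUNNING
        return True
```

The refusal in `fault_reset` mirrors the Attention note earlier in this section: a reset attempted before the fault is understood and resolved must not clear anything.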

Watchdog and redundancy

The availability of the system after responding to a fault depends on the available redundancy in the system and on whether, and how, the watchdog interfered.

Two examples are given here:

• Controller architecture - Redundant

• Controller architecture - Redundant A.R.T.

Controller architecture - Redundant

An example is given in Figure 13 on page 161. This example shows a system with Controller architecture: Redundant. Each Control Processor has a watchdog with two watchdog lines that can independently enable/disable the (non-) redundant outputs.

If the watchdog interferes, this can be caused by:

• A fault in the Control Processor; this will halt the related CP and disable all output controls of that CP,

• A fault in the non-redundant outputs; this will cause the watchdogs of both Control Processors to disable the non-redundant outputs,

• A fault in one of the redundant outputs; this will cause the related watchdog to halt its CP and disable all outputs controlled by that CP.


Controller architecture - Redundant A.R.T.

An example is given in Figure 14 on page 162. This example shows a system with Controller architecture: Redundant A.R.T. Each Control Processor has a watchdog line that acts as input to the IO-extenders (not shown in the figure) to enable/disable the (non-) redundant outputs.

If the watchdog interferes, this can be caused by:

• A fault in the Control Processor; this will halt the related CP; the partner CP will take over all output controls of that CP,

• A fault in a non-redundant output module; this will deactivate that specific output module only,

• A fault in one of the redundant output modules; this will deactivate that specific output module only.

Figure 13 Watchdog function - Controller architecture: Redundant (diagram not reproduced; it shows sensors and input modules feeding QPP Control Processor 1 and QPP Control Processor 2, output modules with a SMOD driving the final elements, the watchdog of each Control Processor, the watchdog signal and the ESD input)

Figure 14 Watchdog function - Controller architecture: Redundant A.R.T. (diagram not reproduced; it shows the same elements as Figure 13 for the Redundant A.R.T. architecture)


SM Controller faults

The topics that follow provide an overview of detected Controller faults and the Controller reaction to these faults.

QPP faults

Table 9 on page 163 provides an overview of faults that the Controller detects related to the QPP and the reaction to these faults.

Table 9 Controller reaction to QPP faults

(In the tables that follow, “(as above)” marks a cell merged with the row above in the source table; a blank cell is empty in the source.)

QPP faults: related to | diagnostics report includes | Non-redundant Controller reaction | Redundant Controller reaction: CPX (faulty) | Redundant Controller reaction: CPY (not faulty)
temperature monitoring (set points user configurable) | high alarm or low alarm | none - continue | none - continue |
 | high-high alarm or low-low alarm | halt Controller | halt CP | none - continue
 | 1 sensor faulty and temp. more than 3 degrees from shutdown limits | none - continue | none - continue |
 | 1 sensor faulty and temp. less than 3 degrees from shutdown limits | halt Controller | halt CP | none - continue
Memory | QPP memory | halt Controller | halt CP | none - continue
Execution | execution time-out or range / failure | halt Controller | halt CP | none - continue
 | error on logical sheet | halt Controller | |
Watchdog | output shorted | halt Controller | halt CP | none - continue
 | de-energized watchdog line for redundant outputs | halt Controller | halt CP | none - continue
 | de-energized watchdog line for non-redundant outputs | halt Controller | de-energize non-redundant outputs, continue operation on redundant outputs |
 | faulty | halt Controller | halt CP | none - continue
Bus drivers; IO extenders (Safety Manager) | faulty | halt Controller | halt CP | none - continue
IO extenders (Safety Manager A.R.T.) | faulty | n.a. | de-energize IO extender CPX, use IO extender CPY | none - continue
Internal link | faulty | halt Controller | halt CP | none - continue
QPP module | faulty | halt Controller | halt CP | none - continue
secondary switch-off | faulty | halt Controller | halt CP | none - continue
repair timer (user configurable) | running | none - continue | none - continue |
 | expired | halt Controller | halt CP | none - continue
software | corrupted | halt Controller | halt CP | none - continue
intervention | QPP key switch to IDLE position | halt Controller | halt CP | none - continue
 | Spurious watchdog interrupt | (as above) | (as above) | (as above)
 | assertions | (as above) | (as above) | (as above)
 | SD input de-energized | halt Controller | |
synchronization | QPP | n.a. | halt CP | none - continue
 | system software halted | | CP does not start | none - continue
 | base timer | | halt CP | none - continue
 | IO compare error | | apply FR state |
time sync (user configurable) | source unavailable | switch to other source | switch to other source |
internal communication | | n.a. | halt CP | none - continue

USI faults

Table 10 on page 165 provides an overview of detected faults in relation to the USI and the response to these faults.

A fault in the USI also means that the communication channels of that USI do not communicate anymore.

Table 10 Controller response to USI faults

USI faults: related to | diagnostics report includes | Non redundant Controller response | Redundant Controller response: CPX (faulty) | Redundant Controller response: CPY (not faulty)
Memory | USI module | apply FR state to affected COM, FSC & universal IO points. | use values from CPY for affected COM, FSC & universal IO points. (1) | none
Execution | (as above) | (as above) | (as above) | (as above)
communication | USI module | (as above) | (as above) | (as above)
module faulty | USI module | (as above) | (as above) | (as above)
synchronization | system software | (as above) | (as above) | (as above)
software | corrupted | (as above) | (as above) | (as above)

1 If values are not available via CPY apply FR state to affected COM, FSC & universal IO points.

BKM faults

Table 11 on page 165 provides an overview of faults that can be detected in relation to the BKM and the response to these faults.

Table 11 Controller response to BKM faults

BKM faults: related to | diagnostics report includes | Non redundant Controller response | Redundant Controller response: CPX (faulty) | Redundant Controller response: CPY (not faulty)
key switch | input compare error (reset key switch) | none - continue | none - continue |
 | input compare error (force key switch) | (as above) | (as above) |
module faulty | BKM module | none - continue | none - continue |
battery | faulty / low | none - continue | none - continue |
 | lifetime expired | (as above) | (as above) |
transport switch | | (as above) | (as above) |

PSU faults

Table 12 on page 166 provides an overview of faults that can be detected in relation to the PSU and the response to these faults.

Table 12 Controller response to PSU faults

PSU faults: related to | diagnostics report includes | Non redundant Controller response | Redundant Controller response: CPX (faulty) | Redundant Controller response: CPY (not faulty)
Voltage monitoring | spurious watchdog interrupt | halt Controller | halt CP | none - continue
module faulty | PSU module | (as above) | (as above) | (as above)

Communication faults

Table 13 on page 166 provides an overview of faults that can be detected in relation to communication and the response to these faults.

Note

Please note that a fault in the communication links may be caused by USI modules.

Table 13 Controller response to communication faults

communication faults: related to | diagnostic message reports | Non redundant communication or “shared CP”: Controller response (1) | Redundant communication: Controller response, CPX (faulty) | Redundant communication: Controller response, CPY (not faulty)
broken link | communication fault (2) | apply FR state to affected COM, FSC & universal IO points of that channel; if channel belongs to active clock source, switch to other clock source | continue communication via healthy link (3) | none - continue
wrong protocol assigned | (as above) | (as above) | (as above) | (as above)
time-out | (as above) | (as above) | (as above) | (as above)
too many data requests | (as above) | (as above) | (as above) | (as above)
USI module faulty | | apply FR state to affected COM, FSC & universal IO points of that USI | use values from CPY for affected COM, FSC & universal IO points (4) |
data mismatch between inputs (5) (safety related communication) | compare error | n.a. | apply FR state |
data mismatch between inputs (5) (non-safety related communication) | (as above) | n.a. | values received by CP2 will be used. |

1 If the Controller is redundant, both CP channels respond the same.

2 Points that are executed by a RUSLS are not affected, provided that points are not forced. Forces to universal modules are cleared upon occurrence of a communication fault that affects the universal module(s).

3 If no healthy link remains, apply FR state to the affected COM, FSC & universal IO points allocated to that channel and/or switch to other clock source.

4 If values are not available via CPY apply FR state to affected COM, FSC & universal IO points.

5 Inputs as in communication inputs of this SM Controller.

Communication time-out

If no communication with the external device is established within a predefined time frame, a communication time-out is generated.

A communication time-out always results in a communication failure. Communication time-outs can be configured by the user.

If a device is connected to Safety Manager via a redundant communication link, the fault detection applies to each link separately, resulting in fault tolerant communication.
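The per-link time-out rule above, and the “continue via healthy link” versus “apply FR state” outcomes of Table 13 (note 3), can be made concrete with a small link monitor. The following is an added example written for this guide, not Honeywell code and not Safety Manager's implementation; the channel and link names, the time-out value and all timestamps are constructed. It covers both a non-redundant channel (one link) and a redundant one (two links judged separately).

```python
"""Communication time-out over non-redundant and redundant links.

Added example, not Honeywell code.  It models the behaviour described
above: a link is timed out when nothing has been received within the
configured time frame; with a redundant link each link is monitored
separately, and the channel only fails (FR state applied to its points)
when no healthy link remains (Table 13, note 3).  Link names, the
time-out value and all timestamps are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OK = "ok"
DEGRADED = "communication fault, continue via healthy link"
FAILED = "communication fault, apply FR state to channel points"


@dataclass
class CommChannel:
    name: str
    timeout_s: float                           # user configurable time-out
    last_rx: Dict[str, float] = field(default_factory=dict)  # link -> last receive time

    def add_link(self, link: str, now: float) -> None:
        """Register a link; it counts as healthy from its registration time."""
        self.last_rx[link] = now

    def receive(self, link: str, now: float) -> None:
        """A telegram arrived on `link` at time `now` (seconds)."""
        if link not in self.last_rx:
            raise KeyError(f"unknown link {link!r} on channel {self.name}")
        self.last_rx[link] = now

    def link_states(self, now: float) -> Dict[str, bool]:
        """Per-link health: True while the time since the last telegram is
        within the time-out.  Each link is judged on its own."""
        return {l: (now - t) <= self.timeout_s for l, t in self.last_rx.items()}

    def evaluate(self, now: float) -> Tuple[str, List[str]]:
        """Channel status and the sorted list of links that have timed out."""
        states = self.link_states(now)
        timed_out = sorted(l for l, ok in states.items() if not ok)
        healthy = [l for l, ok in states.items() if ok]
        if not timed_out:
            return OK, []
        if healthy:
            return DEGRADED, timed_out      # redundant link still carries traffic
        return FAILED, timed_out            # no healthy link: apply FR state
```

A monitor of this shape also gives the diagnostic message its content: the timed-out link names are what a technician needs to see, even while the channel as a whole is still reported as running on the healthy link.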


SM universal IO module faults

The topics that follow provide an overview of detected SM universal IO module faults and the SM universal IO module reaction to these faults.

SM universal IO module faults

Table 14 on page 168 provides an overview of faults that a SM universal IO module detects and the response to these faults.

Note:

The table below uses the term RUSxx. This covers the types of SM universal IO modules the table applies to. These types are:

• Remote Universal Safe IO (RUSIO)

• Remote Universal Safe Logic Solver (RUSLS)

Table 14 RUSxx response to RUSxx faults

(“(as above)” marks a cell merged with the row above in the source table; a blank cell is empty in the source.)

RUSxx faults: related to | diagnostics report includes | Non redundant RUSxx response | Redundant RUSxx response: CPX (faulty) | Redundant RUSxx response: CPY (not faulty)
temperature monitoring (set points user configurable) | high alarm or low alarm | none - continue | none - continue |
 | high-high alarm or low-low alarm | halt RUSxx | halt RUSxx CPX | none - continue
 | 1 sensor faulty and temp. more than 3 degrees from shutdown limits | none - continue | none - continue |
 | 1 sensor faulty and temp. less than 3 degrees from shutdown limits | halt RUSxx | halt RUSxx CPX | none - continue
Memory | RUSxx memory | halt RUSxx | halt RUSxx CPX | none - continue
Execution | execution time-out or range / failure | halt RUSxx | halt RUSxx CPX | none - continue
Watchdog | faulty | halt RUSxx | halt RUSxx CPX | none - continue
Internal link | (as above) | (as above) | (as above) | (as above)
repair timer (user configurable) | running | none - continue | none - continue |
 | expired | halt RUSxx | halt RUSxx CPX | none - continue
software | corrupted | halt RUSxx | halt RUSxx CPX | none - continue
intervention | Spurious watchdog interrupt | halt RUSxx | halt RUSxx CPX | none - continue
 | assertions | (as above) | (as above) | (as above)
 | SD input de-energized | halt RUSxx | |
synchronization | RUSxx | n.a. | halt RUSxx CPX | none - continue
 | system software halted | | RUSxx CP does not start | none - continue
 | base timer | | halt RUSxx CPX | none - continue


SM chassis IO faults

This section provides information about hardware-related IO faults that are detected in chassis based IO modules. The topics that follow provide an overview of detected chassis IO faults and the Controller reaction to these faults.

Digital input faults (chassis based)

Table 15 on page 170 provides an overview of faults that can be detected in relation to digital inputs and the response to these faults.

Table 15 Controller response to chassis IO digital input faults

(“(as above)” marks a cell merged with the row above in the source table; a blank cell is empty in the source.)

Digital input faults: related to | diagnostic message reports | Non redundant input: Controller response (1) | Redundant input, Controller response: CPX (faulty input) | Redundant input, Controller response: CPY (healthy input)
digital input loop (2) (line monitored) | lead breakage | apply FR state to affected inputs | apply FR state |
 | short circuit | (as above) | (as above) |
loop power (2) | power output to sensors shorted | apply FR state to affected inputs | use values from CPY (3) | none - continue
channel | module faulty | apply FR state to affected inputs | use values from CPY (3) | none - continue
module | module faulty | apply FR state to affected inputs | use values from CPY (3) | none - continue

1 If the Controller is redundant, both CPs respond the same.

2 This fault is usually caused by an anomaly in the field, not by a defect of an input module.

3 If values are not available via CPY apply FR state to affected inputs.

Analog input faults (chassis based)

Table 16 on page 171 provides an overview of faults that can be detected in relation to analog inputs and the response to these faults.

Table 16 Controller response to chassis IO analog input faults

Analog input faults: related to | diagnostic message reports | Non redundant input: Controller response (1) | Redundant input, Controller response: CPX (faulty input) | Redundant input, Controller response: CPY (healthy input)
analog input value | below low transmitter alarm level per range | none - continue for 0-20mA, 0-10V; bottom scale for 4-20mA, 2-10V | none - continue for 0-20mA, 0-10V; bottom scale for 4-20mA, 2-10V |
 | above high transmitter alarm level all ranges | none - continue | none - continue |
loop power (SAI-1620m) | External voltage monitoring fault | none - continue | none - continue |
channel | module faulty | apply FR state | use values from CPY (2) | none - continue
module | module faulty | apply FR state | use values from CPY (2) | none - continue
 | Internal power down | (as above) | (as above) | (as above)

1 If the Controller is redundant, both CPs respond the same.

2 If values are not available via CPY apply FR state to affected inputs.

Digital output faults (chassis based)

Table 17 on page 171 provides an overview of faults that can be detected in relation to digital outputs and the response to these faults.

Table 17 Controller response to chassis IO digital output faults

Digital output faults: related to | diagnostic message reports | Non redundant output: Controller response (1) | Redundant output, Controller response: CPX (faulty output) | Redundant output, Controller response: CPY (healthy output)
digital output loop (2) (line monitored), default voting | current detected | apply FR state | apply FR state |
digital output loop (2) (line monitored), 1oo2D voting | current detected | de-energize shorted output(s) | de-energize shorted output(s) |
digital output loop (2) (line monitored) | open loop | none - continue | none - continue |
digital output loop (2) | short circuit detected | de-energize shorted output(s) | de-energize shorted output(s) |
loop power (3) | external power down | none - continue | none - continue |
channel fault, FR state = Low | module faulty | de-energize outputs on module & start repair timer | de-energize outputs on module & start repair timer (4) | none - continue
channel fault, other FR states | module faulty | none - continue | none - continue |
module fault, FR state = Low | module faulty | de-energize outputs on module & start repair timer | de-energize outputs on module & start repair timer (4) | none - continue
module fault, other FR states | module faulty | none - continue | none - continue |
remove healthy module from chassis IO (5) | module faulty | halt CP | halt CP | none - continue

1 If the Controller is redundant, both CPs respond the same.

2 This fault is usually caused by an anomaly in the field, not by a defect of an output module.

3 When this anomaly occurs on all modules in a watchdog group or a power group, it is not a defect of the output module.

4 In a Safety Manager system the fault reaction for two distinct modules is different. For SDO-0424 and SDO-04110 modules the fault reaction is: halt CP.

5 Only applies to Safety Manager systems; does not apply to Safety Manager A.R.T. systems.

Analog output faults (chassis based)

Table 18 on page 172 provides an overview of faults that can be detected in relation to analog outputs and the response to these faults.

Table 18 Controller response to chassis IO analog output faults

Analog output faults: related to | diagnostic message reports | Non redundant output: Controller response (1) | Redundant output, Controller response: CPX (faulty output) | Redundant output, Controller response: CPY (healthy output)
analog output | calculation overflow | halt Controller | halt Controller |
analog output loop | open loop | De-energize outputs on module & start repair timer | none - continue |
channel fault, FR state = 0 mA | module faulty | De-energize outputs on module & start repair timer | De-energize outputs on module & start repair timer | none - continue
channel fault, other FR states | module faulty | none - continue | none - continue |
module fault, FR state = 0 mA | module faulty | De-energize outputs on module & start repair timer | De-energize outputs on module & start repair timer | none - continue
module fault, other FR states | module faulty | none - continue | none - continue |
remove healthy module from chassis IO (2) | module faulty | halt CP | halt CP | none - continue

1 If the Controller is redundant, both CPs respond the same.

2 Only applies to Safety Manager systems; does not apply to Safety Manager A.R.T. systems.


SM universal IO faults

This section provides information about hardware-related IO faults that are detected in SM universal IO modules. The topics that follow provide an overview of detected SM universal IO faults and the reaction of the Controller (or universal module) to these faults.

Digital input faults (remote)

Table 139 on page 117 provides an overview of faults that can be detected in relation to remote digital inputs and the reaction to these faults.

Table 19 Controller response to universal digital input faults

Columns: Related to | Diagnostic message reports | Non redundant input: Controller response (1) | Redundant input: CPX (faulty input) | Redundant input: CPY (healthy input)

digital input loop (2) (line monitored) | lead breakage; short circuit | apply FR state to affected inputs | apply FR state
channel | module faulty | apply FR state to affected inputs | use values from CPY (2) | none - continue
module | module faulty | apply FR state to affected inputs | use values from CPY (2) | none - continue

Notes:

1 If the Controller is redundant, both CPs respond the same.

2 This fault is usually caused by an anomaly in the field, not by a defect of an input module.


Analog input faults (remote)

Table 140 on page 118 provides an overview of faults that can be detected in relation to remote analog inputs and the reaction to these faults.

Table 20 Controller response to universal analog input faults

Columns: Related to | Diagnostic message reports | Non redundant input: Controller response (1) | Redundant input: CPX (faulty input) | Redundant input: CPY (healthy input)

analog input value | below low transmitter alarm level (per range) | none - continue for 0-20 mA, 0-10 V; bottom scale for 4-20 mA, 2-10 V | none - continue for 0-20 mA, 0-10 V; bottom scale for 4-20 mA, 2-10 V
analog input value | above high transmitter alarm level (all ranges) | none - continue | none - continue
channel | module faulty | apply FR state | use values from CPY (2) | none - continue
module | module faulty | apply FR state | use values from CPY (2) | none - continue

Notes:

1 If the Controller is redundant, both CPs respond the same.

2 If values are not available via CPY, apply FR state to affected inputs.

Digital output faults (remote)

Table 141 on page 118 provides an overview of faults that can be detected in relation to remote digital outputs and the reaction to these faults.

Table 21 Controller response to universal digital output faults

Columns: Related to | Diagnostic message reports | Non redundant output: Controller response (1) | Redundant output: CPX (faulty output) | Redundant output: CPY (healthy output)

digital output loop (2) (line monitored) | open loop | none - continue | none - continue
digital output loop (2) | short circuit detected | de-energize shorted output(s) | de-energize shorted output(s)
channel fault | module faulty | apply FR state to affected outputs | apply FR state to affected outputs | none - continue
module fault | module faulty | apply FR state to affected outputs | apply FR state to affected outputs | none - continue

Notes:

1 If the Controller is redundant, both CPs respond the same.

2 This fault is usually caused by an anomaly in the field, not by a defect of an output module.


Analog output faults (remote)

Table 22 on page 176 provides an overview of faults that can be detected in relation to remote analog outputs and the reaction to these faults.

Note:

The table below uses the term RUSxx. This covers the types of SM universal IO modules the table applies to. These types are:

• Remote Universal Safe IO (RUSIO)

• Remote Universal Safe Logic Solver (RUSLS)

Table 22 Controller response to universal analog output faults

Columns: Related to | Diagnostic message reports | Non redundant output: Controller response (1) | Redundant output: CPX (faulty output) | Redundant output: CPY (healthy output)

analog output | calculation overflow | halt RUSxx | halt RUSxx
analog output loop | open loop | none - continue | none - continue
channel fault | module faulty | Apply FR state to affected outputs | Apply FR state to affected outputs | none - continue
module fault | module faulty | Apply FR state to affected outputs | Apply FR state to affected outputs | none - continue

Notes:

1 If the Controller is redundant, both CPs respond the same.


Compare error handling

This section provides information about compare errors and how they are handled by the system. Compare errors are software-related faults. The topics that follow describe how the system deals with:

• IO compare errors and system response, and

• Compare error detection and synchronization

IO compare errors and system response

For proper operation both Control Processors of a redundant system must have identical IO values at the beginning and at the end of each application cycle.

An IO compare error is generated as soon as the Controller detects a difference between the IO values of CP1 and CP2, or RUSxx1 and RUSxx2.

The Controller responds towards IO compare errors by applying the fault reaction state to the faulty IO.

Table 23 on page 178 shows the relation between input and output compare faults, alarm markers and Controller reaction.

Note

Because of the high level of self-testing and fault-handling by Safety Manager™, the actual occurrence of a compare error is very unlikely.

Note:

The table below uses the term RUSxx. This covers the types of SM universal IO modules the table applies to. These types are:

• Remote Universal Safe IO (RUSIO)

• Remote Universal Safe Logic Solver (RUSLS)


Compare error detection and synchronization

Input compare errors

Input compare error detection applies to all hardware inputs.

Differences in the input status read should be momentary. Persisting differences could be the result of detected hardware faults. In that case, the faulty input channel is reported in the diagnostics, and both Control Processors use the process value read from the healthy input channel.

A persisting difference in the status of an input while no faults are detected at the associated hardware channels leads to an input compare error. The resulting input value is obtained by voting (in the case of SM universal IO) or by applying the FR state (if majority voting is not possible).

Output compare errors

An output compare error applies to all hardware outputs.

In configurations with a redundant Controller, both Control Processors will continuously have an identical application status, resulting in identical process outputs.

An output compare error is detected if there is a difference between the Control Processors or two paired SM universal IO modules with respect to:

• the calculated application output values for hardware outputs (AO/DO) or communication outputs (DO, BO) to another Safety Manager.

• the actual application values sent to hardware outputs (AO/DO) or communication outputs (DO, BO) to another Safety Manager.

If outputs are no longer synchronized an Output Compare error is generated.

Table 23 Controller reaction to IO compare errors

Columns: Related to | Occurs when detecting a | Controller reaction: Non redundant IO | Controller reaction: Redundant IO

digital inputs (chassis) | difference in the input values persists for more than 3 application cycles | apply FR state to affected inputs | apply FR state
digital inputs (universal) | same as above | 3oo4 voting, 2oo3 voting, apply FR state
analog inputs (chassis) | deviation of >2% in the input values persists for more than 3 application cycles | apply FR state | apply FR state
analog inputs (universal) | same as above | 3oo4 voting, 2oo3 voting, apply FR state
digital outputs (chassis and universal) | difference in the output values of a redundant SM Controller or RUSxx | apply FR state | apply FR state
analog outputs (chassis and universal) | difference in the output values of a redundant SM Controller or RUSxx | apply FR state | apply FR state

Input synchronization algorithm

In configurations with a redundant Controller, the process inputs are scanned every application program cycle by both Control Processors.

Each Control Processor executes the application cycle independently of the other. It is therefore essential that they use identical values for the process inputs.

There is no problem if the process inputs are stable. However, if an input value changes when the Control Processors read the value, both Control Processors could read a different value. In such cases, an identical input value in the Controller is obtained via input synchronization.

If inputs are no longer synchronized, the signal value freezes to the last known synchronized state and a synchronization timer (equal to three application cycles) is started.

This state is maintained until:

• a synchronized state is obtained or

• the synchronization timer runs out

If a synchronized state is not achieved within three application cycles the fault reaction is activated and an Input Compare error is generated.

If a synchronized state is achieved within two application cycles:

• the synchronization timer is reset and

• the synchronized scanner value is used

Synchronization algorithms are used for digital and analog inputs.

Digital input synchronization

A digital input compare error is detected if the inputs of both Control Processors or two paired SM universal IO modules are stable but different (for example Control Processor 1 continuously ‘0’, Control Processor 2 continuously ‘1’), for the duration of three application cycles.

The input compare error detection algorithm puts the following demands on the dynamic nature of the digital process inputs:

1. If an input state changes, it must become stable again within two application cycles.


2. The frequency of continuously changing inputs must be less than two application cycles.

Analog input synchronization

For analog inputs, the synchronized value is the mean value of the input values. An input compare error is detected if the input values differ more than 2% of the full scale for the duration of three application cycles.

The input compare error detection algorithm puts the following demands on the dynamic nature of the analog process inputs:

1. For inputs allocated on a redundant module (type SAI-0410 or SAI-1620m), the slope steepness must be less than 125 mA/s.

2. For inputs allocated on a non-redundant module (type SAI-1620m), the slope steepness must be less than 20 mA/s.

3. For inputs allocated to a SM universal IO module the slope steepness must be less than 700 mA/s.


Caution

Analog input compare errors may, for example, occur when calibrating smart transmitters using hand-held terminals. Refer to the Troubleshooting and Maintenance Guide for details on calibrating smart transmitters that are connected to Safety Manager analog inputs.
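The digital and analog input synchronization rules described above, carried out cycle by cycle as an added example; this is not Honeywell's implementation. The class and function names, the latched compare error, the constructed traces and the slope-limit helper are assumptions made here.

```python
"""Added simulation of the Safety Manager input synchronization algorithm
(digital and analog inputs) as described in the guide; not Honeywell code.
Class names, the latched compare error and the sample traces are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# The synchronization timer equals three application cycles.
SYNC_TIMEOUT_CYCLES = 3

# Slope demands on analog process inputs (mA/s) quoted from the guide.
SLOPE_LIMIT_MA_PER_S = {
    "redundant chassis module (SAI-0410, SAI-1620m)": 125.0,
    "non-redundant chassis module (SAI-1620m)": 20.0,
    "SM universal IO module": 700.0,
}


@dataclass
class DigitalInputSync:
    """One digital input as read by CP1 and CP2 each application cycle."""
    fr_state: int = 0                   # fault reaction state, applied on compare error
    synced_value: Optional[int] = None  # last known synchronized state
    timer: int = 0                      # unsynchronized cycles so far
    compare_error: bool = False         # latched until a fault reset (assumption)

    def cycle(self, cp1: int, cp2: int) -> int:
        if self.compare_error:
            return self.fr_state
        if cp1 == cp2:                  # synchronized: reset the timer, use the value
            self.synced_value, self.timer = cp1, 0
            return cp1
        self.timer += 1                 # readings differ: freeze at last synchronized state
        if self.timer >= SYNC_TIMEOUT_CYCLES:
            self.compare_error = True   # stable but different for three cycles
            return self.fr_state
        return self.fr_state if self.synced_value is None else self.synced_value


@dataclass
class AnalogInputSync:
    """One analog input; the synchronized value is the mean of both readings."""
    full_scale: float                   # e.g. 20.0 for a 0(4)-20 mA range
    fr_state: float = 0.0
    synced_value: Optional[float] = None
    timer: int = 0
    compare_error: bool = False

    def cycle(self, cp1: float, cp2: float) -> float:
        if self.compare_error:
            return self.fr_state
        if abs(cp1 - cp2) <= 0.02 * self.full_scale:   # within 2% of full scale
            self.synced_value, self.timer = (cp1 + cp2) / 2.0, 0
            return self.synced_value
        self.timer += 1
        if self.timer >= SYNC_TIMEOUT_CYCLES:
            self.compare_error = True
            return self.fr_state
        return self.fr_state if self.synced_value is None else self.synced_value


def run_trace(sync, trace: Sequence[Tuple[float, float]]) -> List[float]:
    """Feed (CP1, CP2) readings cycle by cycle; returns the values the application used."""
    return [sync.cycle(cp1, cp2) for cp1, cp2 in trace]


def slope_within_limit(samples_ma: Sequence[float], cycle_time_s: float,
                       limit_ma_per_s: float) -> bool:
    """Dynamic demand check: steepest change between consecutive cycles, in mA/s."""
    steepest = max(abs(b - a) for a, b in zip(samples_ma, samples_ma[1:])) / cycle_time_s
    return steepest < limit_ma_per_s


if __name__ == "__main__":
    # Constructed trace: CP2 reads a stuck '0' from the second cycle onward.
    d = DigitalInputSync(fr_state=0)
    print(run_trace(d, [(1, 1), (1, 0), (1, 0), (1, 0), (1, 1)]), d.compare_error)
    # Constructed trace: one channel driven away, as during smart transmitter calibration.
    a = AnalogInputSync(full_scale=20.0)
    print(run_trace(a, [(12.0, 12.25), (12.0, 13.0), (12.0, 13.0), (12.0, 13.0)]), a.compare_error)
```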


Calculation errors

Calculation errors reflect an incorrect design of the application program for the intended function. Once a calculation error occurs for a specific process point, a correct result of successive calculations based on this point cannot be guaranteed.

Detecting calculation errors

If a calculation error occurs, a diagnostic message is listed stating the FLD number on which the calculation error occurred and that Safety Manager has halted.

Calculation errors occur if:

• The calculated value of an analog output is outside the specified range.

• The square root of a negative number is taken.

• A divide-by-zero occurs.

• An overflow occurs during a calculation.

• The value for a counter is outside the specified range.

Guidelines on how to avoid calculation errors in the Safety Manager application are presented in “Preventing calculation errors” on page 181.

Preventing calculation errors

Calculation errors can be prevented as follows:

• Overall process design.

• Inclusion of Safety Manager diagnostic data.

• Validation of signals in the Functional Logic Diagrams (FLDs).

• Exception handling during the actual calculation.

Prevention by design

In line with good engineering practice for safety applications, as promoted by IEC 61508, calculation errors should be avoided by design. This means that an application should be designed in such a way that the operands of a symbol in the FLDs can never get an invalid value. The design approach starts with making sure that input values as obtained from the process remain within a predefined range. This approach ensures that the derived values are also valid for successive operations.

Sometimes, however, it cannot be guaranteed that an input value remains within a predefined range which is valid for all functions. For example, a signal derived from a reverse-acting, non-linear 4-20 mA transmitter which has been configured for a zero top scale in the application domain could become negative if the transmitter fails and delivers a signal beyond 20 mA. If the signal is then linearized through a square-root function, a system stop occurs (square root of negative number).

Preventive measures

If a valid input value cannot be guaranteed, preventive measures must be built into the design. A comparison function can be used as an indicator that the transmitter value has left its normal operational band and that the calculation should not be done. The alarm signal is used to implement a corrective action and to indicate the exception to the operator (see Figure 16 on page 182).

If diagnostics are not available (e.g. for 0-20 mA transmitters), it is necessary to implement range checking in the application. The result of the range check is again used for the implementation of corrective actions.

[Figure 15 Intended square-root function (figure elements: Transmitter)]

[Figure 16 Square-root function with validated input value (figure elements: Transmitter, Validated input value, Alarm/Annunciation, Process value)]

Tip

Range checking is also useful to define the boundaries of analog outputs 0(4)-20mA, thus preventing a system shutdown due to driving values that exceed the boundaries.


An important advantage of input validation is that it can be implemented for input values of which the validity cannot be guaranteed. Furthermore, the invalid input can be exactly identified. This allows the implementation of effective correction strategies of only the affected part of the process.

Common function block

A last option is to create a common function block, e.g. square root. The function block validates the operand(s) and only performs the intended function if the operands are valid. Otherwise a predefined value is returned. An additional function block output should be provided which indicates if the calculation result is valid or not. This output signal can be used for the implementation of corrective actions in the application (see Figure 17 on page 183).

[Figure 17 Square-root function with validity check in function block (figure elements: Transmitter, Function block, Alarm/Annunciation, Process value)]
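The preventive measures described above (range check on the transmitter value, a common square-root function block with a validity output, and range checking of analog output values), worked through on the reverse-acting 4-20 mA transmitter case as an added example; this is not part of the guide or of any Safety Manager application. The function names, default return values and the constructed current values are assumptions made here.

```python
"""Added example of the preventive measures against calculation errors
(range check, validated square-root function block, bounded analog output).
Not Honeywell application code; names, defaults and sample values are assumptions."""
import math
from typing import NamedTuple, Tuple


class BlockResult(NamedTuple):
    value: float   # calculation result, or the predefined value when invalid
    valid: bool    # additional function block output: result valid or not


def range_check(value: float, low: float, high: float) -> bool:
    """True while the value stays inside its normal operational band."""
    return low <= value <= high


def validated_sqrt(operand: float, default: float = 0.0) -> BlockResult:
    """Common square-root function block: validates the operand and only
    performs the intended function when it is valid; otherwise the predefined
    value is returned and the valid output is cleared."""
    if not math.isfinite(operand) or operand < 0.0:
        return BlockResult(default, False)
    return BlockResult(math.sqrt(operand), True)


def reverse_acting_to_application(current_ma: float, low_ma: float = 4.0,
                                  high_ma: float = 20.0, top_scale: float = 100.0) -> float:
    """Reverse-acting 4-20 mA transmitter scaled with a zero top scale:
    4 mA -> top_scale, 20 mA -> 0. A failed transmitter delivering more than
    20 mA therefore yields a negative application value (the case in the guide)."""
    return top_scale * (high_ma - current_ma) / (high_ma - low_ma)


def linearize_flow(current_ma: float, default: float = 0.0) -> Tuple[float, bool]:
    """Guard in the style of Figures 16 and 17: range-check the transmitter,
    take the square root through the validated block, and raise an alarm for
    annunciation and corrective action instead of halting.
    Returns (process_value, alarm)."""
    if range_check(current_ma, 4.0, 20.0):
        result = validated_sqrt(reverse_acting_to_application(current_ma), default)
    else:
        result = BlockResult(default, False)   # the calculation is not done
    return result.value, not result.valid


def bound_analog_output(value_ma: float, low_ma: float = 4.0,
                        high_ma: float = 20.0) -> Tuple[float, bool]:
    """Tip from the guide: range-check analog output values so the driven value
    never exceeds the 0(4)-20 mA boundaries. Returns (bounded_value, alarm)."""
    bounded = min(max(value_ma, low_ma), high_ma)
    return bounded, bounded != value_ma


if __name__ == "__main__":
    # Constructed values: 12 mA healthy; 21 mA is a failed transmitter beyond 20 mA.
    print(linearize_flow(12.0))                  # (7.0710678..., False)
    print(linearize_flow(21.0))                  # (0.0, True): alarm instead of a system stop
    print(reverse_acting_to_application(21.0))   # -6.25: the operand the block rejects
    print(bound_analog_output(22.0))             # (20.0, True)
```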


List of abbreviations

AI Analog Input

AO Analog Output

ASM Abnormal Situation Management

ATEX Explosive Atmosphere (in French: “ATmospheres EXplosibles”)

A.R.T. Advanced Redundancy Technique

BKM Battery and Key switch Module

BMS Burner Management System

CDA Common Data Access

CEE Control Execution Environment

CP Control Processor

DCF Digital Coded Frequency

DCS Distributed Control System

DI Digital Input

DO Digital Output

DTI Diagnostic Test Interval

E/E/PES Electrical/Electronic/Programmable Electronic System

EMC Electromagnetic Compatibility

ESD • ElectroStatic Discharge • Emergency ShutDown system

EUC Equipment Under Control

EUT Equipment Under Test

F&G Fire and Gas

FB Function Block

FDM Field Device Management

FGS Fire and Gas System

FLD Functional Logic Diagram

FSC Fail Safe Communication

FTA Field Termination Assembly

FTE Fault Tolerant Ethernet

GPS Global Positioning System

HIPS High-Integrity Protection Systems

HMI Human Machine Interface

HSE High Speed Ethernet


HSMS Honeywell Safety Management Systems

IO Input/Output

IP • Internet Protocol • Ingress Protection

IS Intrinsically Safe

LAN Local Area Network

LED Light-Emitting Diode

MAC Media Access Control

MAP Manufacturing Automation Protocol

MOS Maintenance Override Switch

MTBF Mean Time Between Failure

MTTF Mean Time To Failure

MTTR Mean Time To Repair

NTP Network Time Protocol

OLE Object Linking and Embedding

OLM On-line Modification

OPC Object linking and embedding for Process Control

OS Operating System

P&ID Piping and Instrumentation Diagram

PCDI Peer Control Data Interface

PE Protective Earth

PES Programmable Electronic System

PFD Probability of Failure on Demand

PKS Process Knowledge System

PLC Programmable Logic Controller

PST Process Safety Time

PSU Power Supply Unit

PTP Precision Time Protocol

PUC Process Under Control

PV Process Value

QMR Quadruple Modular Redundant

QPP Quad Processor Pack

RFI Radio Frequency Interference

RO Relay Output (for descriptions use: potential free output contact)

SCADA Supervisory Control And Data Acquisition


SCN Software Change Notification (formerly addressed as Release Note)

SIC System Interconnection Cable

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System

SMOD Secondary Means Of De-energization

SOE Sequence Of Events

SRS Safety-Related System

SSC Serial Communication Channel

STP Shielded Twisted Pair

USI Universal Safety Interface

UTP Unshielded Twisted Pair

UTC Coordinated Universal Time (Universal Time Coordinated)

WAN Wide Area Network


Safety Manager Glossary

A

Alarm

An automatic signal that serves as a warning of an event or danger.

Application

The definition of the EUC-dependent function for Safety Manager.

Application Compiler

A tool of the Safety Builder used to create a controller file.

Application Editor

A tool of the Safety Builder used to create or edit functional logic diagrams.

Application value

The value of a process point as provided to, or calculated by, the application software.

Application version

A first or subsequent version of the application that is controlled in Safety Manager. An application version can have several states (see Application version state). An application version will be consolidated – or ‘frozen’ – when the application is loaded or published. The next change to the application will increment its version.

Application version state

A defined status of the application version. Safety Manager has a limited and controlled number of application version states to:

• enforce a useful sequence of activating program functions,

• enable control and/or comparison of application versions between connected components (i.e. Safety Builder, SM Controller, Experion).

Safety Manager uses these application version states:

state | meaning
Changed (Compile and Load Application needed) | changes to the application were made that do require loading to SM Controller
Changed (Publish Application needed) | changes to the application were made that do not require loading to SM Controller
Compiled | the application was successfully compiled
Published (load needed) | the application was compiled and subsequently published
Published (loaded) | the application was either published (without compiling) or loaded into the SM Controller

Application Viewer

A tool of the Safety Builder used to view functional logic diagrams on-line.

ATEX Directive

A directive which describes equipment and protective systems intended for use in potentially explosive atmospheres.

Safety Manager ATEX modules can be used for connection to hazardous locations in compliance with EN 60079-15:2005 (zone 2, sub groups IIA, IIB and IIC).

For more information see the Safety Manager TUV EExn Approval Manual (PM.MAN.8183).

Availability

• The ratio of system up time to total operating time.

• The ability of an item to perform its designated function when required for use.


B

Battery and Key switch Module (BKM)

A module in the SM Controller used to:

• Supply battery power to the system memory (RAM) and the real time clock of the Control Processor modules, in case of power outage.

• Enable or disable forces, by turning the Force key switch. When enabled, forcing of certain input and output signals is allowed. When disabled, all forces are removed.

• Provide a fault reset, by turning the Reset key switch. See Fault reset.

C

Communication module

See: Universal Safety Interface (USI)

Communication redundancy fail-over

The automated capability of a device to switch over to a redundant or dormant communication path upon the failure or abnormal termination of the active path.

Communication time-out

An error caused by an unacceptably large time interval during which there was no communication.

Control Processor (CP)

Core component of the SM Controller consisting of: Power Supply Unit (PSU), Quadruple Processor Pack (QPP) and 1 or 2 communication modules (USI).

Control Processor states

A Control Processor (CP) can have many states. For fault detection and reaction the following states are relevant.

Warning

Turning the Reset key switch during an On-Line Modification procedure may cause the Control Processors to swap status.

Attention:

The states described below are presented on the display of the relevant QPP, while the key switch of that QPP is in the RUN position.


• Running (without faults); CP is fully functional and executes the application.

• Running with Flt (with faults); CP executes the application but the controller detected one or more faults (e.g. open loop or a hardware fault).

• Halt; CP does not execute the application.

The applicable CP state can be read from the User Interface Display located on each Control Processor and from the diagnostic screens available on Experion™ and Safety Stations.

Controller chassis

19” chassis to slot the BKM and Control Processor modules.

Controller configurations

Distinction is made between Non redundant Controllers and Redundant Controllers. A Non redundant Controller has one Control Processor (CP); the response of the CP is automatically the response of the controller. A Redundant Controller has two CPs; the response of one of the CPs does not necessarily affect the safety related functioning of the controller.

See also: Safety Manager and Safety Manager A.R.T.

Controller Management

A tool of the Safety Builder used to perform the following functions:

• Load controller.

• View system status.

• Retrieve controller and application files.

Coordinated Universal Time (UTC)

Also referred to as “Universal Time Coordinated” and “Zulu time”.

An atomic realization of Universal Time (UT) or Greenwich Mean Time (GMT), the astronomical basis for civil time. Time zones around the world are expressed as positive and negative offsets from UT. UTC differs by an integral number of seconds from atomic time and a fractional number of seconds from UT1.

Cycle time

The time period needed to execute the application software once.

Note:

Safety Manager can have both non redundant controllers and redundant controllers. Safety Manager A.R.T. only has redundant controllers.


D

Dangerous failure

Failure which has the potential to put the safety-related system in a hazardous or fail-to-function state.

Deutsches Institut für Normung (DIN)

German Institute for Standards, which determines the standards for electrical and other equipment in Germany.

Diagnostic Test Interval (DTI)

The time period used by Safety Manager to cyclically locate and isolate safety related faults within on-line system components that could otherwise cause a hazardous situation.

With Safety Manager, the default DTI is set at 3 seconds. This setting needs to be verified for each process.

See also “Process safety time (PST)” on page 206.

Distributed Control System (DCS)

System designed to control industrial processes. A DCS receives the measured values of the process instrumentation, e.g. flow, pressure, temperature. It controls the process via analog control equipment such as control valves. In addition, a DCS may receive many digital signals for alarm and management purposes.

Dual Modular Redundant (DMR)

Safety configuration providing 1oo2 configuration. The DMR technology is used in the architecture of a non redundant QPP where on-board 1oo2D voting is based on dual-processor technology.

DMR is characterized by a high level of diagnostics and fault coverage.

E

Electrical/Electronic/Programmable Electronic (E/E/PE) device

A device based on electrical (E) and/or electronic (E) and/or programmable electronic (PE) technology.

Note

Whether or not the potential is realized may depend on the channel architecture of the system; in systems with multiple channels to improve safety, a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.


Electrical/Electronic/Programmable Electronic system (E/E/PES)

A system based on one or more E/E/PE devices, connected to (and including) input devices (e.g. sensors) and/or output devices/final elements (e.g. actuators), for the purpose of control, protection or monitoring.

See also: “Programmable electronic system (PES)” on page 206.

Electromagnetic Compatibility (EMC)

The ability of a device, equipment or system to function satisfactorily in its electromagnetic environment without introducing intolerable electromagnetic disturbances to anything in that environment.

ElectroStatic discharge (ESD)

The transfer of electrostatic charge between bodies of different electrostatic potential, which may cause damage to system components.

Emergency ShutDown (ESD)

Manual or automatic turning off or closing down of process equipment in case of anomalous conditions in order to prevent damage to the system or process.

EUC risk

Risk arising from the EUC or its interaction with the EUC control system.

See also “Equipment Under Control (EUC)” on page 194.

Equipment Under Control (EUC)

Equipment/machinery/apparatus/Plant used for manufacturing, process, transportation, medical or other activities for which designated safety-related systems could be used to:

• prevent hazardous events associated with the EUC from taking place; or,

• mitigate the effects of the hazardous events.

Error

Discrepancy between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition.

Note

This term is intended to cover any and all devices operating on electrical principles and would include:• electro-mechanical devices (“electrical”);• solid state non-programmable electronic devices (“electronic”);• electronic devices based on computer technology (“programmable electronic”).


Ethernet

A local area network specification developed at Xerox and first described in 1976. The specification served as the basis for the IEEE 802.3 standard, which specifies the physical layer and the lower part of the data link layer of the network. Classic (shared-medium) Ethernet uses CSMA/CD to arbitrate simultaneous transmissions; Ethernet is the most widely used LAN technology in use today.

See also: Local Area Network (LAN).

Event

• Occurrence of some programmed action within a process which can affect another process.

• Asynchronous occurrence that is detected by the control system, time and other information is recorded, e.g. process alarm.

Experion PKS

Honeywell Process Knowledge System™ for process, business and asset management.

Experion Station

Windows based station for viewing process schematics and interactions with the system. This station provides comprehensive alarm and event detection, management, reporting facilities, and history collection along with the capability of custom process graphics.

Event collection & management system

A device used to collect, log and manage sequence of events (SOE) data.

See also: Safety Historian and Sequence Of Events (SOE).

External device

A generic term for a system the SM Controller is communicating with. This may be an Experion server, a Modbus device, a Safety Station or even another SM Controller. Also known as third party device.

External risk reduction measures

Physical measures taken externally to safety-related systems to reduce or mitigate the risks. Examples would include a drain system, fire wall, etc.

F

Fail-over

See “Communication redundancy fail-over” on page 191.

Failure

The termination of the ability of a functional unit to perform a required function.

Note

• The definition in IEV 191-04-01 is the same, with additional notes.

• See Figure 18 under “Functional safety” for the relationship between faults and failures, both in IEC 61508 and IEV 191.

• Performance of required functions necessarily excludes certain behavior, and some functions may be specified in terms of behavior to be avoided. The occurrence of such behavior is a failure.

• Failures are either random (in hardware) or systematic (in hardware or software).

Fault

Abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function.

Note

IEV 191-05-01 defines “fault” as a state characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources.

Fault reaction

The reaction to faults in the Controller, application and/or IO.

• The fault reaction to Controller and/or application faults is fixed.

• The fault reaction to IO faults can be configured on a point or module level; it should be customized to the application for which Safety Manager is used.

See also “IO states” on page 201.

Fault reset

An action that clears the fault database and attempts a restart of tripped or halted components of the system.

Fault Tolerant Ethernet (FTE)

The redundant Ethernet-based control network of Experion PKS.

FC

Prefix that distinguishes a conformal-coated module from its non-conformal-coated counterpart. See also: FS.

• FC-SDI-1624 is a safe digital input module with conformal coating.

• FS-SDI-1624 is a safe digital input module without conformal coating.


Field Termination Assembly (FTA)

Assembly to connect field wiring to the SM chassis IO modules.

Field value

The value of a process point as present at the interface of the system with the EUC.

Fieldbus

Wiring solution and communication protocol in which multiple sensors and actuators are connected to a DCS or SIS, using a single cable.

Fire and Gas system

Independent protective system which continuously monitors certain process points (e.g. combustible gas levels) and environmental points (e.g. heat, smoke, temperature and toxic gas levels). If any of these points exceed a predetermined level, the system will raise an alarm and take automatic action to close operating valves and damper doors, activate extinguishers, cut off electrical power and vent dangerous gases.

Force

A signal override of some sort that is applied on a system level.

A force applied to an input affects the input application state: it overrides both the actual field value and the diagnostic state of the forced input.

A force applied to an output affects the output field state: it overrides the application value or diagnostic value with the forced value.

Caution

Forcing introduces a potentially dangerous situation: while the force is active, the corresponding point could go to the unsafe state unnoticed.

FS

Prefix that distinguishes a non-conformal-coated module from its conformal-coated counterpart. See also: FC.

• FS-SDI-1624 is a safe digital input module without conformal coating.

• FC-SDI-1624 is a safe digital input module with conformal coating.

Function block

Element in a functional logic diagram (FLD) which performs a user-defined logic function. Function blocks are designed to implement and re-use complex functions via a single (user-defined) element.


Functional Logic Diagram (FLD)

Diagrammatic representation of the application (conforming to the IEC 61131-3 standard) which is used to program Safety Manager. FLDs are translated directly into code that Safety Manager executes, eliminating the need for manual programming. See also: Application Editor.

Functional safety

Part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.

Figure 18 Failure model

[Figure: four panels. A) Configuration of a Functional Unit: a level (i-1) FU composed of level (i) FUs, each in turn composed of level (i+1) FUs (L = level, i = 1, 2, 3, etc.; FU = Functional Unit). B) Generalized view: in Level(i) a cause leads to a failure and an “F” state; that “F” state (“Entity X”) is in turn the cause of a failure in Level(i-1). C) IEC 61508's and ISO/IEC 2382-14's view: “Entity X” is a fault in Level(i) leading to a failure, which is a fault in Level(i-1) leading to a failure. D) IEC 50(191)'s view: in Level(i) a failure cause leads to a failure and to a fault; that fault is the failure cause of the Level(i-1) failure and fault.]

Notes for Figure 18

• As shown in A), a functional unit can be viewed as a hierarchical composition of multiple levels, each of which can in turn be called a functional unit. In level (i), a “cause” may manifest itself as an error (a deviation from the correct value or state) within this level (i) functional unit, and, if not corrected or circumvented, may cause a failure of this functional unit, as a result of which it falls into an “F” state where it is no longer able to perform a required function (see B)). This “F” state of the level (i) functional unit may in turn manifest itself as an error in the level (i-1) functional unit and, if not corrected or circumvented, may cause a failure of this level (i-1) functional unit.

• In this cause and effect chain the same thing (“Entity X”) can be viewed as a state (“F” state) of the level (i) functional unit into which it has fallen as a result of its failure, and also as the cause of the failure of the level (i-1) functional unit. This “Entity X” combines the concept of “fault” in IEC 61508 and ISO/IEC 2382-14, which emphasizes its cause aspect as illustrated in C), and that of “fault” in IEC 50(191), which emphasizes its state aspect as illustrated in D). The “F” state is called fault in IEC 50(191), whereas it is not defined in IEC 61508 and ISO/IEC 2382-14.

• In some cases, a failure may be caused by an external event such as lightning or electrostatic noise, rather than by an internal fault. Likewise, a fault (in both vocabularies) may exist without a prior failure. An example of such a fault is a design fault.

Functional safety assessment

Investigation, based on evidence, to judge the functional safety achieved by one or more E/E/PE safety-related systems, other technology safety-related systems or external risk reduction facilities.

H

Hardware Configurator

A tool of the Safety Builder used to configure the hardware of Safety Manager.

Hardware safety integrity

Part of the safety integrity of the Safety Instrumented System (SIS) relating to random hardware failures in a dangerous mode of failure.

Note

The term relates to failures in a dangerous mode, that is, those failures of a safety-related system that would impair its safety integrity. The two parameters that are relevant in this context are the overall dangerous failure rate and the probability of failure to operate on demand. The former reliability parameter is used when it is necessary to maintain continuous control in order to maintain safety; the latter is used in the context of safety-related protection systems.


Hazard

A physical situation with a potential for human injury.

Note

The term includes danger to persons arising within a short time scale (e.g. fire and explosion) and also danger that has a long-term effect on a person's health (e.g. release of a toxic substance).

High voltage

A voltage of 30 VAC, 40 VDC or above.

Human error

Mistake.

Human action or inaction that produces an unintended result.

I

IEC 61131-3

Part of the international standard IEC 61131, which provides a complete collection of standards on programmable controllers and their associated peripherals.

IEC 61131-3 specifies the syntax and semantics of programming languages for programmable controllers as defined in part 1 of IEC 61131; the FLD symbols used by Safety Manager are based on it.

IEC 61508

International IEC standard on functional safety entitled “Functional safety of electrical/electronic/programmable electronic safety-related systems”, which sets out a generic approach for all electrically based systems that are used to perform safety functions. A major objective of this international standard is to facilitate the development of application sector standards.

Institute of Electrical and Electronics Engineers (IEEE)

An American professional organization of scientists and engineers whose purpose is the advancement of electrical engineering, electronics and allied branches of engineering and science. It also acts as a standardization body.

International Electrotechnical Commission (IEC)

An international standards development and certification group in the area of electronics and electrical engineering, including industrial process measurement, control and safety.


Interval time between faults

See: Repair timer.

IO bus

A bus-structure within Safety Manager that interconnects the Control Processor with the IO.

IO bus driver

Part of the Quad Processor Pack that controls the IO bus.

IO chassis

19” chassis to slot the (redundant) IO extender(s) and SM chassis IO modules.

IO database

Database in which input, output and configuration data is stored.

IO extender

Module which controls the IO bus of the IO chassis. A maximum of ten IO extender modules can be connected to one IO bus.

IO module

An IO module is always chassis-mounted within a Safety Manager cabinet. This type of module handles input or output functions of Safety Manager. IO modules can be digital or analog.

IO states

From a system point of view, IO can be in the healthy state, the de-energized state or the fault reaction state; in addition, a point can be forced.

• When healthy, the IO is active and has the application value applied.

• When de-energized, the IO is de-activated (as if no power were supplied).

• When in the fault reaction state, the IO responds according to a predefined fault condition (fault reaction).

• When forced, the force value is applied.
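The “Fault reaction”, “Force” and “IO states” entries describe a precedence without stating it as one. The following Python model is added here as an illustration; it is not Honeywell software. It makes the assumed precedence explicit (an active force over a diagnosed fault's configured reaction over the field value; the de-energized state is left out) and adds the check a practitioner wants before leaving a force in place: which forced points are currently masking a trip demand, which is exactly the situation the caution under “Force” warns about. The point tags, values and the de-energize-to-trip convention are constructed for the example.

```python
"""Resolving a Safety Manager digital input's application state.

Added illustration for the "Fault reaction", "Force" and "IO states"
entries; it is not Honeywell code. The precedence is an assumption read
from those entries: an active force overrides both the field value and the
diagnostic state; otherwise a diagnosed fault applies the configured fault
reaction; otherwise the field value passes through. The de-energized state
is left out, and all points and values are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class IoState(Enum):
    HEALTHY = "healthy"                # application value = field value
    FAULT_REACTION = "fault reaction"  # configured reaction value applied
    FORCED = "forced"                  # force value applied, field ignored


@dataclass
class DigitalInput:
    tag: str
    field_value: bool       # value at the interface with the EUC (True = energized)
    diagnostic_ok: bool     # False when channel/module diagnostics report a fault
    fault_reaction_value: bool = False  # value applied on a fault; False is "Low"
    force: Optional[bool] = None        # active force value, None when not forced


def resolve(point: DigitalInput) -> Tuple[IoState, bool]:
    """Return (state, application value) for one input point."""
    if point.force is not None:
        # A force overrides the field value and the diagnostic state alike.
        return IoState.FORCED, point.force
    if not point.diagnostic_ok:
        return IoState.FAULT_REACTION, point.fault_reaction_value
    return IoState.HEALTHY, point.field_value


def demands_trip(application_value: bool) -> bool:
    """De-energize-to-trip convention (assumed): a False input is a trip demand."""
    return not application_value


def masked_trip_demands(points: List[DigitalInput]) -> List[str]:
    """Tags whose active force is hiding a trip demand right now.

    On its real field value (or on its fault reaction) the point would trip,
    but the forced value keeps the application seeing a healthy input.
    """
    masked = []
    for p in points:
        if p.force is None:
            continue
        unforced = DigitalInput(p.tag, p.field_value, p.diagnostic_ok,
                                p.fault_reaction_value, force=None)
        _, real_value = resolve(unforced)
        _, forced_value = resolve(p)
        if demands_trip(real_value) and not demands_trip(forced_value):
            masked.append(p.tag)
    return masked


# Constructed sample points; the tags are invented and not from any plant.
SAMPLE_POINTS = [
    DigitalInput("PSH-101", field_value=True,  diagnostic_ok=True),               # healthy, no demand
    DigitalInput("PSH-102", field_value=False, diagnostic_ok=True),               # genuine trip demand
    DigitalInput("PSH-103", field_value=True,  diagnostic_ok=False),              # fault -> reaction Low -> trip
    DigitalInput("PSH-104", field_value=False, diagnostic_ok=True,  force=True),  # force hides a demand
    DigitalInput("PSH-105", field_value=True,  diagnostic_ok=False, force=True),  # force hides a fault
    DigitalInput("PSH-106", field_value=True,  diagnostic_ok=True,  force=False), # forced to trip
]


def summarize(points: List[DigitalInput]) -> Dict[str, object]:
    """Per-tag (state name, application value) plus the masked-demand list."""
    out: Dict[str, object] = {}
    for p in points:
        state, value = resolve(p)
        out[p.tag] = (state.value, value)
    out["masked"] = masked_trip_demands(points)
    return out


if __name__ == "__main__":
    for tag, info in summarize(SAMPLE_POINTS).items():
        print(tag, info)
```

Run stand-alone it lists every point's resolved state and ends with the masked list, PSH-104 and PSH-105: one is hiding a real field demand, the other a diagnosed fault whose configured reaction would have tripped. A report like this, produced from the live force list, is the practical complement to the caution above.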

L

Local Area Network (LAN)

A general term to refer to the network and its components that are local to a particular set of devices.

See also: Wide area network (WAN).


M

Maintenance override

A function which allows the user to apply an application value to an input independent of the input channel scan value.

Maintenance Override Switch (MOS)

Switch used to file a request for a maintenance override. Acknowledgement is decided by the application program. An acknowledged maintenance override allows maintenance to be performed on field sensors or field inputs without causing the safety system to shut down the process.

Master-clock source

The source that is responsible for the time synchronization between a group of systems or within a network.

Mean Time Between Failure (MTBF)

• For a stated period in the life of a functional unit, the mean value of the length of time between consecutive failures under stated conditions.

• The expected or observed time between consecutive failures in a system or component.

MTBF is used for items which involve repair.

See also: Mean Time To Repair (MTTR), Mean Time To Failure (MTTF).

Mean Time To Failure (MTTF)

The average time the system or component of the system works without failing.

MTTF is used for items with no repair.

See also: Mean Time To Repair (MTTR), Mean Time Between Failure (MTBF).

Mean Time To Repair (MTTR)

The mean time to repair a safety-related system, or part thereof. This time is measured from the time the failure occurs to the time the repair is completed.

Media Access Control (MAC)

The lower sublayer of the data link layer (Layer 2) unique to each IEEE 802 local area network. MAC provides a mechanism by which users access (share) the network.

Modbus

A communications protocol, based on a master/slave (in Safety Manager terms Node ID/Peer ID) architecture, originally designed by Modicon in 1979 for use with PLC and SCADA systems. It has become a de facto standard communications protocol in industry, and is now the most commonly available means of connecting industrial electronic devices. Modbus itself provides no authentication or message integrity protection, a point to bear in mind whenever an external device is allowed to write to an SM Controller.
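As an added example, not code from this guide or from Honeywell, the following Python decodes Modbus/TCP request frames using the public MBAP/PDU layout and flags write function codes that arrive from peers not expected to write to the controller. The peer addresses, the allow-list and the frames are constructed for the example; which peers may write to a real SM Controller is a site decision, and nothing here describes Safety Manager's own Modbus implementation.

```python
"""Decoding Modbus/TCP requests and flagging writes from unexpected peers.

Added illustration for the "Modbus" entry; it is not Honeywell code and
says nothing about how Safety Manager itself implements Modbus. The
framing is the public Modbus/TCP layout: a 7-byte MBAP header (transaction
id, protocol id = 0, length, unit id) followed by the PDU (function code
plus data). Modbus carries no authentication, so for a safety controller a
write function code from a peer that is not expected to write is the thing
to alarm on. Peer addresses and frames below are constructed.
"""
import struct
from typing import Dict, Iterable, List, Tuple

READ_CODES = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
              0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
WRITE_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}


def parse_modbus_tcp(frame: bytes) -> Dict[str, object]:
    """Decode one Modbus/TCP ADU; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # The MBAP length field counts the unit id and everything after it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match %d bytes present"
                         % (length, len(frame) - 6))
    fc = frame[7]
    pdu = frame[8:]
    rec: Dict[str, object] = {
        "transaction": tid, "unit": unit, "function": fc,
        "name": READ_CODES.get(fc) or WRITE_CODES.get(fc) or "other/exception",
        "write": fc in WRITE_CODES,
        "exception": bool(fc & 0x80),
    }
    if fc in (0x01, 0x02, 0x03, 0x04, 0x05, 0x06) and len(pdu) >= 4:
        # reads: start address + quantity; single writes: address + value
        rec["address"], rec["count_or_value"] = struct.unpack(">HH", pdu[:4])
    elif fc in (0x0F, 0x10) and len(pdu) >= 5:
        rec["address"], rec["count"], byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != len(pdu) - 5:
            raise ValueError("byte count %d does not match %d payload bytes"
                             % (byte_count, len(pdu) - 5))
    return rec


def audit(samples: Iterable[Tuple[str, bytes]], allowed_writers: Iterable[str]) -> List[str]:
    """One finding per write request from a non-allow-listed peer and per
    malformed frame. Read requests are left alone."""
    allowed = set(allowed_writers)
    findings = []
    for peer, frame in samples:
        try:
            rec = parse_modbus_tcp(frame)
        except ValueError as exc:
            findings.append("%s: malformed frame (%s)" % (peer, exc))
            continue
        if rec["write"] and peer not in allowed:
            findings.append("%s: %s to unit %d address %d from non-allow-listed peer"
                            % (peer, rec["name"], rec["unit"], rec.get("address", -1)))
    return findings


# Constructed traffic: (peer address, raw frame). The addresses are hypothetical.
SAMPLE_TRAFFIC = [
    ("10.0.0.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000a")),              # read 10 holding registers
    ("10.0.0.99", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),              # write single register 16
    ("10.0.0.5",  bytes.fromhex("0003 0000 000b 01 10 0020 0002 04 0001 0002")), # write 2 registers at 32
    ("10.0.0.99", bytes.fromhex("0004 0000 0006 01 06 0010")),                   # truncated frame
]
ALLOWED_WRITERS = {"10.0.0.5"}   # e.g. the Experion server; an assumption for the example


if __name__ == "__main__":
    for line in audit(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print(line)
```

Run stand-alone it reports two findings: the single-register write from the peer that is not on the allow-list, and the truncated frame whose MBAP length disagrees with the bytes actually received. The read from the allowed peer and the multi-register write from the allowed peer produce nothing, which is the intended behaviour of an allow-list rather than a blanket write alarm.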

Mode of operation

Way in which a safety-related system is intended to be used, with respect to the frequency of demands made upon it in relation to the proof check frequency, which may be either:

• Low demand mode, where the frequency of demands for operation made on a safety-related system is not significantly greater than the proof check frequency; or

• High demand or continuous mode, where the frequency of demands for operation made on a safety-related system is significantly greater than the proof check frequency.

Note

Typically for low demand mode, the frequency of demands on the safety-related system is of the same order of magnitude as the proof test frequency (i.e. months to years where the proof test interval is a year), while typically for high demand or continuous mode the frequency of demands on the safety-related system is hundreds of times the proof test frequency (i.e. minutes to hours where the proof test interval is a month).

Multidrop link

A multidrop link is a physical link that interconnects multiple systems (see Figure 19).

Figure 19 Example of a multidrop connection based on Ethernet

N

NAMUR

A 2-wire proximity switch operating at a working voltage of 8.2 V and an operating current of 8 mA max (CENELEC standard). Because of the small amount of energy needed to operate NAMUR sensors, they can be used in intrinsically safe applications.

Note

Special switching amplifiers or dedicated input modules, like the SDIL-1608, are required to read the status of NAMUR proximity switches.

Network Configurator

A tool of the Safety Builder used to configure the communication architecture.

Network Time Protocol (NTP)

See “Time protocol” on page 216.

Node

Hardware entity connected to a network.

Node ID

• A communication initiator on an Ethernet network. Counterpart of a Peer ID (see “Peer ID” on page 205).

• The address or ID number of a node (see “Node” on page 204).

O

Object Linking and Embedding for Process Control (OPC)

Interoperability specification for process control software, originally built on Microsoft's Object Linking and Embedding (OLE) and COM technology and now maintained and standardized by the OPC Foundation. OLE is a set of services that provides a means to create documents consisting of multiple sources of information from different applications; objects can be almost any type of information, including text, bitmap images, vector graphics, voice or video clips.

Off-line

A system is said to be “off-line” when it is not in active control of equipment or a process.

A process or equipment is said to be “off-line” when it is in shut-down.

On-line

A system is said to be “on-line” when it is in active control of equipment or a process.

A process or equipment is said to be “on-line” when it is operating.

Operating temperature

The temperature at which a system and its modules are operating.

For systems it represents the temperature within the cabinet. For modules in general it represents the temperature outside the module in its direct vicinity. For specific modules (i.e. QPP and universal modules) operating temperature is specified as ‘outside’ and ‘inside’ module temperature.

In Safety Manager cabinets temperature monitoring is done in the CP chassis within the QPP module. For remote IO locations (e.g. remote cabinets) temperature monitoring is done within the universal module(s).

Operational state

The values of an application point during normal process operation.

P

Peer Control Data Interface (PCDI)

A Honeywell licensed communication interface for non-safe peer-to-peer data communication between (Experion) Process controllers and SM Controllers.

Peer ID

A responder in Ethernet communication. Counterpart of a Node ID (See “Node ID” on page 204.)

Peer-to-peer

A logical connection between two points.

Plant

A component in Safety Builder which contains devices, controllers as well as physical and logical communication configurations used to interconnect these devices and controllers.

Point

A data structure in the IO database, usually containing information about a field entity. A point can contain one or more parameters. Safety Manager uses different point types to represent a range of different field values.

Point Configurator

A tool of the Safety Builder used to create and modify points of a SM Controller.

Point Viewer

A tool of the Safety Builder used to view points with dynamic update of states and values.

Power Supply Unit (PSU)

Separate module which supplies electrical power to the Safety Manager.


Precision Time Protocol (PTP)

See “Time protocol” on page 216

Probability of Failure on Demand (PFD)

A value that indicates the probability of a system failing to respond to a demand. PFD equals 1 minus Safety Availability. (ISA, S84.01, 1996)

Process safety time (PST)

The time a process can be left running uncontrolled without losing the ability to regain control.

See also: Diagnostic Test Interval (DTI).

Process states

A process can have many states. Related to fault detection and reaction in the safety loop of a process, the following process states are described:

• running without detected faults

• running with detected faults

• halted

Process value

An amount, expressed in engineering units, that represents the value of a process variable, e.g. a temperature, a pressure or a flow.

Programmable electronic system (PES)

System for control, protection or monitoring based on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices (see Figure 20 on page 207).

Note

The structure of a PES is shown in Figure 20 A). Figure 20 B) illustrates the way in which a PES is represented in IEC 61508, with the programmable electronics shown as a unit distinct from sensors and actuators on the EUC and their interfaces, but the programmable electronics could exist at several places in the PES. Figure 20 C) illustrates a PES with two discrete units of programmable electronics. Figure 20 D) illustrates a PES with dual programmable electronics (i.e. two channel), but with a single sensor and a single actuator.


Q

Quad Processor Pack (QPP)

The main processing module of the SM Controller.

Quadruple Modular Redundant (QMR)

Safety configuration providing a 2oo4D configuration. The QMR technology is used in the architecture of a redundant QPP where on-board 1oo2D voting (see Dual Modular Redundant (DMR)) is combined with 1oo2D voting between the two QPPs.

Voting takes place on two levels: First on a module level and secondly between the Control Processors.

QMR is characterized by a high level of diagnostics, fault coverage and fault tolerance.
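To make the two-level voting concrete, here is an added Python model; it is example code written for this glossary, not Safety Manager's own voting logic. It assumes the standard 1oo2D semantics for de-energize-to-trip outputs (stated in the docstring) and applies them twice, once per QPP and once between the QPPs. The scenarios are constructed; they show the degradation path when processors are diagnosed faulty and why a diagnosed-faulty channel is taken out of the vote instead of being allowed to cause a spurious shutdown.

```python
"""Two-level 1oo2D voting as the QMR entry describes it: 1oo2D between the
two processors on one QPP, then 1oo2D between the two QPPs (2oo4D overall).

Added illustration for the "Quadruple Modular Redundant (QMR)" entry; it is
not Honeywell code and does not reproduce Safety Manager's actual voting
logic. The semantics are an assumption based on the standard meaning of
1oo2D for de-energize-to-trip outputs: the output stays energized only if
every channel that diagnostics report as healthy wants it energized; a
channel with a detected fault is taken out of the vote; with no healthy
channel left the output is de-energized (the safe direction).
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Channel:
    energize: bool   # this channel's demand for the output
    healthy: bool    # False once self-diagnostics have flagged a fault


def vote_1oo2d(a: Channel, b: Channel) -> Channel:
    """1oo2D vote. The result carries its own health flag so that it can be
    fed into the next voting level as if it were a single channel."""
    healthy = [c for c in (a, b) if c.healthy]
    if not healthy:
        return Channel(energize=False, healthy=False)   # both faulty: safe state
    # Any healthy channel demanding de-energize wins (1 out of 2 trips).
    return Channel(energize=all(c.energize for c in healthy), healthy=True)


QppPair = Tuple[Channel, Channel]


def vote_2oo4d(qpp1: QppPair, qpp2: QppPair) -> Channel:
    """QMR: module-level 1oo2D on each QPP, then 1oo2D between the QPPs."""
    return vote_1oo2d(vote_1oo2d(*qpp1), vote_1oo2d(*qpp2))


def describe(qpp1: QppPair, qpp2: QppPair) -> Dict[str, object]:
    result = vote_2oo4d(qpp1, qpp2)
    return {
        "energized": result.energize,
        "available": result.healthy,           # False only when nothing healthy remains
        "healthy_channels": sum(c.healthy for c in qpp1 + qpp2),
    }


OK = Channel(energize=True, healthy=True)     # healthy, wants output energized
TRIP = Channel(energize=False, healthy=True)  # healthy, demands a trip
BAD = Channel(energize=True, healthy=False)   # diagnosed faulty; its demand is ignored

# Constructed scenarios (not measured system behaviour).
SCENARIOS = {
    "all four healthy":                 ((OK, OK), (OK, OK)),
    "one processor faulty":             ((BAD, OK), (OK, OK)),
    "one QPP completely faulty":        ((BAD, BAD), (OK, OK)),
    "one processor faulty on each QPP": ((BAD, OK), (OK, BAD)),
    "healthy processors disagree":      ((OK, TRIP), (OK, OK)),
    "faulty processor demanding trip":  ((Channel(False, False), OK), (OK, OK)),
    "all four faulty":                  ((BAD, BAD), (BAD, BAD)),
}


def run_scenarios() -> Dict[str, Dict[str, object]]:
    return {name: describe(*cfg) for name, cfg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:36s} {outcome}")
```

Two outcomes are worth reading side by side: two healthy processors that disagree de-energize the output (the 1oo2 part), whereas a processor that diagnostics have already flagged is ignored even when it demands a trip (the D part), which is what keeps a detected safe failure from turning into an erroneous shutdown. The output only becomes unavailable when no healthy channel remains.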

R

Redundancy

• In an item, the existence of more than one means of performing a required function.

• Use of duplicate (or triple or quadruple) modules or devices to minimize the chance that a failure might disable an entire system.

Figure 20 Programmable electronic system (PES): structure and terminology

[Figure: A) Basic PES structure: input devices (e.g. sensors) → input interfaces / A-D converters → programmable electronics (see note) with communications → output interfaces / D-A converters → output devices / final elements (e.g. actuators); the extent of the PES runs from the input devices to the final elements. B) Single PES with single programmable electronic device (i.e. one PES comprised of a single channel of programmable electronics): PE. C) Single PES with dual programmable electronic devices linked in a serial manner (e.g. intelligent sensor and programmable controller): PE1 → PE2. D) Single PES with dual programmable electronic devices but with shared sensors and final elements (i.e. one PES comprised of two channels of programmable electronics): PE1 and PE2 in parallel.]


Repair time

The time allowed to keep a Safety Instrumented System (SIS) running with a fault present that “may affect safety upon accumulation of multiple faults”. Repair time is introduced to extend the SIS up-time for a limited time frame, allowing system repair.

Repair timer

A configurable count-down timer triggered upon detection of a fault that reduces the safety availability of the system.

The default repair window is 200 hours, which is more than sufficient if spare parts are available. The repair timer can be deactivated.

Each Control Processor has its own repair timer. Once running, a repair timer shows the remaining time to repair the fault that triggered the repair timer in the Control Processor (200 hours default). If the fault is not repaired within the repair time the Control Processor containing the fault halts.

A repair timer protects the system from certain fault accumulations that may affect the safety of Safety Manager. The timer only starts on detection of:

• faults on output modules with fault reaction set to Low

• faults detected with non-redundant IO bus extenders.

Reset

See: Fault reset.

Risk

Combination of the probability of occurrence of harm and the severity of that harm.

Router

A network device which forwards packets (messages or fragments of messages) between networks.

The forwarding decision is based on network layer information and routing tables, often constructed by routing protocols.

S

Safe

A design property of an item in which the specified failure mode is predominantly in a safe direction.


Safe failure

Failure which does not have the potential to put the safety-related system in a hazardous or fail-to-function state.

Note

Whether or not the potential is realized may depend on the channel architecture of the system; in systems with multiple channels to improve safety, a safe hardware failure is less likely to result in an erroneous shutdown.

SafeNet

A SIL 3 network protocol used by Safety Manager, e.g. for safe data exchange between Safety Managers.

Safety

Freedom from unacceptable risk.

Safety Availability

The fraction of time (%) that a safety system is able to perform its designated safety service when the process is operating. See also Probability of Failure on Demand (PFD).

Safety Builder

• Station software used to configure, design, validate, log and monitor a Safety Manager project.

• Protocol used by Safety Manager to communicate with Safety Stations.

Safety Historian

Sequence of events collecting device. Windows-based software tool used to record, view and process sequence of events (SOE) data. SOE data is stored in a database for (re-)use at a later stage.

See also: Event collection & management system and Sequence Of Events (SOE).

Safety Instrumented Function (SIF)

A Safety Instrumented Function (SIF) is an isolated function, initially designed to protect “life and limb” against a specific hazard. A more popular term for SIF is safety loop. Each SIF operates on its own Safety Integrity Level.

See also: Safety Instrumented System (SIS) and Safety integrity level (SIL).

Safety Instrumented System (SIS)

A Safety Instrumented System (SIS) is a system that executes one or more SIFs. The various SIFs inside a SIS may each require a different Safety Integrity Level. A SIS should be able to support all SIFs, including the one with the highest SIL.

See also: Safety Instrumented Function (SIF) and Safety integrity level (SIL).

Safety integrity

Probability of a safety-related system to satisfactorily perform the required safety functions under all stated conditions within a stated period of time.

Safety integrity level (SIL)

Discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest.

Note• The target failure measures for the safety integrity levels are specified in Safety

integrity levels: target failure measures for a safety function, allocated to the Safety Instrumented System operating in low demand mode of operation and Safety integrity levels: target failure measures for a safety function, allocated to the Safety Instrumented System operating in high demand or continuous mode of operation.

Table 24 Safety integrity levels: target failure measures for a safety function, allocated to the Safety Instrumented System operating in low demand mode of operation

Safety integrity level Low demand mode of operation(average probability of failure to perform its design function on demand)

4 10-5 to 10-4

3 10-4 to 10-3

2 10-3 to 10-2

1 10-2 to 10-1

NOTE: see notes below for details on interpreting this table.

Table 25 Safety integrity levels: target failure measures for a safety function, allocated to the Safety Instrumented System operating in high demand or continuous mode of operation

Safety integrity level High demand or continuous mode of operation (probability of a dangerous failure per hour)

4 10-9 to 10-8

3 10-8 to 10-7

Page 229: Safety Manager Troubleshooting and Maintenance Guide Infi90 Documentation... · 2018-10-24 · vii Task-oriented guides A task-oriented guide provides both procedural and basic knowledge

Safety Manager Glossary

Safety Manager Troubleshooting and Maintenance Guide 211

2 10-7 to 10-6

1 10-6 to 10-5

NOTE: see notes below for details on interpreting this table.

Table 25 Safety integrity levels: target failure measures for a safety function, allocated to the Safety Instrumented System operating in high demand or continuous mode of operation (continued)

Safety integrity level High demand or continuous mode of operation (probability of a dangerous failure per hour)

Note

1. The parameter in Table 25, probability of a dangerous failure per hour, is sometimes referred to as the frequency of dangerous failures, or dangerous failure rate, in units of dangerous failures per hour.

2. This document sets a lower limit on the target failure measures, in a dangerous mode of failure, that can be claimed. These are specified as the lower limits for safety integrity level 4 (that is, an average probability of failure of 10^-5 to perform its design function on demand, or a probability of a dangerous failure of 10^-9 per hour). It may be possible to achieve designs of safety-related systems with lower values for the target failure measures for non-complex systems, but it is considered that the figures in the table represent the limit of what can be achieved for relatively complex systems (for example programmable electronic safety-related systems) at the present time.

3. The target failure measures that can be claimed when two or more E/E/PE safety-related systems are used may be better than those indicated in Table 24 and Table 25, providing that adequate levels of independence are achieved.

4. It is important to note that the failure measures for safety integrity levels 1, 2, 3 and 4 are target failure measures. It is accepted that only with respect to the hardware safety integrity will it be possible to quantify and apply reliability prediction techniques in assessing whether the target failure measures have been met. Qualitative techniques and judgements have to be made with respect to the precautions necessary to meet the target failure measures with respect to the systematic safety integrity.

5. The safety integrity requirements for each safety function shall be qualified to indicate whether each target safety integrity parameter is either:

• the average probability of failure to perform its design function on demand (for a low demand mode of operation); or

• the probability of a dangerous failure per hour (for a high demand or continuous mode of operation).


Safety life cycle

Necessary activities involved in the implementation of safety-related systems, occurring during a period of time that starts at the concept phase of a project and finishes when all of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities are no longer available for use.

Safety Manager

A safety solution to protect the integrity of a Process Under Control (PUC) and/or Equipment Under Control (EUC) in accordance with IEC 61508. Assuming a full range configuration, Safety Manager includes the following components:

• SM Controller

• SM chassis IO

• SM universal IO

• Field interfaces (e.g. FTAs, cabling)

Safety Station is used to control and configure Safety Manager, and to enable communication with other applications.

For details see Safety Manager components.

Safety Manager A.R.T.

Safety Manager with Advanced Redundancy Technique. Safety Manager A.R.T. uses specific hardware in a dedicated architecture and has extended availability compared to Safety Manager. Safety Manager A.R.T. has the capability to continue normal operation with a combination of a Control Processor fault and an IO fault.

Safety related

A flag to indicate that a signal is used for a safe function.

See also: Safe and Safety-related system.

Safety-related system

Designated system that both:

• implements the required safety functions necessary to achieve or maintain a safe state for the EUC, and

• is intended to achieve, on its own or with other E/E/PE safety-related systems, other technology safety-related systems or external risk reduction facilities, the necessary safety integrity for the required safety functions.


Safety Station

Station running Safety Builder to control and configure Safety Manager. Safety Station can also run one or more other applications to manage logging and communication. Examples are: Safety Historian, Trip & Bypass management, communication with plant control systems.

Note (to Safety-related system)

1. The term refers to those systems, designated as safety-related systems, that are intended to achieve, together with the external risk reduction facilities, the necessary risk reduction in order to meet the required tolerable risk.

2. The safety-related systems are designed to prevent the EUC from going into a dangerous state by taking appropriate action on receipt of commands. The failure of a safety-related system would be included in the events leading to the identified hazard or hazards. Although there may be other systems having safety functions, it is the safety-related systems that have been designated to achieve, in their own right, the required tolerable risk. Safety-related systems can broadly be divided into safety-related control systems and safety-related protection systems, and have two modes of operation.

3. Safety-related systems may be an integral part of the EUC control system or may interface with the EUC by sensors and/or actuators. That is, the required safety integrity level may be achieved by implementing the safety functions in the EUC control system (and possibly by additional separate and independent systems as well) or the safety functions may be implemented by separate and independent systems dedicated to safety.

4. A safety-related system may:

• be designed to prevent the hazardous event (that is, if the safety-related systems perform their safety functions then no hazard arises). The key factor here is ensuring that the safety-related systems perform their functions with the degree of certainty required (for example, for the specified functions, that the average probability of failure should not be greater than 10^-4 to perform its design function on demand).

• be designed to mitigate the effects of the hazardous event, thereby reducing the risk by reducing the consequences. As for the first item in this list, the probability of failure on demand for the specified functions (or other appropriate statistical measure) should be met.

• be designed to achieve a combination of both kinds of systems.

5. A person can be part of a safety-related system. For example, a person could receive information from a programmable electronic device and perform a safety task based on this information, or perform a safety task through a programmable electronic device.

6. The term includes all the hardware, software and supporting services (for example power supplies) necessary to carry out the specified safety function (sensors, other input devices, final elements (actuators) and other output devices are therefore included in the safety-related system).

7. A safety-related system may be based on a wide range of technologies including electrical, electronic, programmable electronic, hydraulic and pneumatic.


Second fault timer

See: Repair timer.

Secondary Means

A means designed to drive towards a safe state in case the primary means is unable or unreliable to do so.

An example of a secondary means is the watchdog: The watchdog is designed to drive the Control Processor and related outputs to a safe state if the Control Processor itself is unable or unreliable to do so.

Secondary Means Of De-energization (SMOD)

A SMOD is a Secondary Means designed to de-energize the output in case the primary means is unable or unreliable to do so.

Figure 21 on page 214 shows an example of a SMOD protecting 4 output channels.

Sequence Of Events (SOE)

The function detecting the occurrence of events. See also: Safety Historian and Event collection & management system.

Figure 21 Schematic diagram of a SMOD with 4 channels

[Figure: schematic of a SMOD protecting four output channels. Labels recoverable from the drawing: CH1 to CH4, each with its own On/Off control and readback; SMOD Group On/Off and Group readback; WDG (watchdog); supplies Vdc int., Vdc ext. and 0 Vdc; terminals OUT1+ to OUT4+ and OUT-; connector pins d2, d8, d32/z32 and z8/d30/z30.]


Serial communication

Communication that is based on either an RS232, RS422 or RS485 link.

Shutdown

A process by which an operating Plant or system is brought to a non-operational state.

SICC

IO signal wiring using system interconnection cables that hook up the FTA board to the IO.

SICP

IO signal wiring using system interconnection cables that hook up the screw terminals to the IO.

Single fault tolerant

Built-in ability of a system to correctly continue its assigned function in the presence of a single fault in the hardware or software.

Single fault tolerant for safety

Built-in ability of each Safety Manager configuration to continue to maintain safety in the presence of a single fault in the hardware or software.

SM Controller

Assembly of Control Processor, Controller chassis and BKM. A Controller can be redundant or non redundant. A redundant Controller contains two Control Processors. A non redundant Controller contains one Control Processor. Note that IO is not included.

SM chassis IO

SM chassis IO stands for Safety Manager chassis based IO. This type of IO is always chassis-mounted within a Safety Manager cabinet. This type of IO is also called ‘chassis IO’.

SM universal IO

SM universal IO stands for Safety Manager universal IO. This type of IO is IOTA-mounted in remote locations and/or within a Safety Manager cabinet.

SM RIO Link

A real-time communication IO-bus that uses a dedicated protocol for safe exchange of IO data between an SM Controller and one or more SM universal IO modules.


SM universal IO module

An SM universal IO module is a Remote Universal Safe device. It has multiple channels that can be configured individually depending on system needs. An SM universal IO module is placed on an IOTA.

Typical SM universal IO modules are:

• RUSIO modules

• RUSLS modules

Storage temperature

The temperature at which the system can be stored.

Switch

A network device which forwards packets (messages or fragments of messages) by means of packet switching.

The forwarding decision is based on the most expedient route (as determined by some routing algorithm). Not all packets travelling between the same two hosts, even those from a single message, will necessarily follow the same route.

System Interconnection Cable (SIC)

Cables to connect IO modules with FTAs or terminals.

Systematic safety integrity

Part of the safety integrity of safety-related systems relating to systematic failures in a dangerous mode of failure.

T

Third party device

See “External device” on page 195.

Time protocol

A collective term for Internet protocols that provide machine-readable date and time:

• The Precision Time Protocol (PTP) is a protocol that allows precise synchronization of networks. It is used in SafeNet where it reaches clock synchronization accuracies of 10ms.

Note (to Systematic safety integrity)

Systematic safety integrity cannot usually be quantified (as distinct from hardware safety integrity, which usually can).


• The Network Time Protocol (NTP) is an older protocol for synchronizing the clocks of computer systems over internet/ethernet. Safety Manager supports NTP3 and NTP4, reaching clock synchronization accuracies of 100ms.

Timestamp

As a verb, the act of putting the current time together with an event. As a noun, the time value held with an event.

Trend

A display defined primarily for presentation of and navigation through historical information.

Trip

An action by which part of an operating Plant or system is brought to a non-operational state.

See also: Shutdown.

Triple Modular Redundant (TMR)

Safety technology which is based on comparison principles and which requires triplicated system components.

U

Universal Safety Interface (USI)

Communication module of the SM Controller.

V

Validation

Confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled.


Verification

Confirmation by examination and provision of objective evidence that the specified requirements have been fulfilled.

Voting configuration

Voting can be used to prevent a safety-related system from remaining passive, or from acting on false signals occurring in the system. With voting, the safety-related system makes a decision based on more than one signal, which enhances the safety and reliability of the system.

W

Watchdog

A combination of diagnostics and an output device (typically a switch), the aim of which is to monitor the correct operation of the programmable electronic (PE) devices and to take action upon detection of an incorrect operation.

Wide area network (WAN)

A general term to refer to a piece of a network and its components that are used to inter-connect multiple LANs over a wide area.

Note (to Verification)

In the context of IEC 61508, verification means the process of demonstrating for each phase of the relevant safety lifecycle (overall, E/E/PES, software), by analysis and/or tests, that, for the specific inputs, the deliverables meet in all respects the objectives and requirements set for the specific phase. Examples of verification activities would include:

1. Reviews on deliverables (documents from all phases of the safety lifecycle) to ensure compliance with the objectives and requirements of the phase, taking into account the specific inputs to that phase.

2. Design reviews.

3. Tests performed on the designed products to ensure that they perform according to their specifications.

4. Integration tests performed where different parts of a system are put together in a step-by-step manner, and environmental tests performed to ensure that all the parts work together in the specified manner.

Note (to Watchdog)

The watchdog is used to de-energize a group of safety outputs when dangerous failures are detected, in order to put the EUC into a safe state. The watchdog is used to increase the on-line diagnostic coverage of the logic system.


Index

A
analog input faults 171, 175
Analog inputs (AI)
  Synchronization 180
analog output faults 172, 176

B
basic skills and knowledge 5
battery 51
  checklist 74, 76
  life 52
  voltage 52
BKM faults 165

C
cabinet
  door 11, 12, 94
calculation errors
  calculated value outside specified range 181
  counter outside specified range 181
  divide by zero 181
  function blocks 183
  overflow 181
  prevention 181
  square root negative number 181
clearing all forces 99
clock source 202
communication statistics 146
communication status 146
compare error 178
competences of people 10
continuous mode of operation 203, 210
Controller configurations 192

D
dangerous failure 193
diagnostic message 156
diagnostic messages 105
diagnostics
  calculation errors 182
digital input faults 170, 174
Digital inputs (I)
  Synchronization 179
digital output faults 171, 175
door 11, 12, 94

E
electrostatic discharge (ESD) 11
EMC warning 11
Equipment Under Control (EUC) 6, 7, 8
error 194, 200
  human ~ 200
errors
  diagnostic messages 105
  QPP display messages 102
ESD bonding point 11
ESD wrist strap 11
EUC risk 194

F
failure 193, 195, 209
  dangerous ~ 193
  safe ~ 209
fault 151, 196
  database 156
  detection 152, 155
  reaction 152, 196
  reaction state 157
  repair 162
faults
  BKM 165
  IO compare 178
  local analog input 171
  local analog output 172
  local digital input 170
  local digital output 171
  PSU 166
  QPP 163
  remote analog input 175
  remote analog output 176
  remote digital input 174
  remote digital output 175
  USI 165
force
  clear all 99
  key switch 99
forcing inputs/outputs 99
  clearing all forces 99
  listing all forced points 99
function blocks
  calculation errors 183
functional safety 198
functional safety assessment 199

H
hardware safety integrity 199
high demand mode of operation 203, 210
human error 200

I
IEC 61508 6
IEC 61511 6
Input synchronization
  Analog inputs 180
  Digital inputs 179
inputs 99
  clearing all forces 99
IO compare faults 178
isolate 152

K
key
  Safety Manager ~ switches 89

L
link
  ~ status report 146, 148
link status report
  communication ~ 146, 148
listing all forced points 99
low demand mode of operation 203, 210

M
marker
  diagnostic 156
  diagnostic message 156
markers
  alarm 156
  master ~ 202
messages
  diagnostics 105
  QPP display 102
mode of operation 203, 210
  continuous ~ 203, 210
  high demand ~ 203, 210
  low demand ~ 203, 210

O
outputs 99
  clearing all forces 99

P
points 99
  clearing all forces 99
  listing all forced ~ 99
precautions when working on Safety Manager 11
prerequisite skills 5
Process Under Control (PUC) 6
Programmable Electronic System (PES) 206
PSU faults 166

Q
QPP display messages 102
QPP faults 163

R
repair timer 153, 159, 208
report
  communication link status ~ 146, 148
risk 208
RUSIO faults 168

S
safe failure 209
safety 198, 209
  functional ~ 198
Safety Instrumented Function (SIF) 6, 7, 8
Safety Instrumented System (SIS) 6
safety integrity 199, 216
  hardware ~ 199
  systematic ~ 216
Safety Integrity Level (SIL) 6, 7, 8
safety life cycle 212
Safety Manager 212
Safety Manager A.R.T. 212
Safety related 153, 212
safety-related system 212
SIS 151
SMOD 153, 214
states
  Control Processor 154, 191
  IO 155, 201
  process 155, 206
station
  forcing 93
statistics
  communication ~ 146
status
  communication ~ 146
  communication link ~ report 146, 148
switch
  Safety Manager key ~es 89
Synchronization
  Analog inputs 180
  Digital inputs 179
synchronize 178, 179
systematic safety integrity 216

T
time-out 167
training 10
  obtaining information on ~ 10

U
USI faults 165

V
validation 217

W
warnings
  diagnostic messages 105
watchdog 160, 161


Reader Comments

Fax transmittal to: Honeywell Safety Management Systems, attn. Technical Documentation Group. Fax number: +31 (0)73 6219 125.

You may also call the Technical Documentation Group at +31 (0)73 6273 273, email Honeywell SMS at [email protected], or write to:

Honeywell Process Solutions
Safety Management Systems
P.O. box 116
5201 AC ‘s-Hertogenbosch
The Netherlands

Safety Manager User documentation

Honeywell Process Solutions
Safety Management Systems
Rietveldenweg 32a
5222 AR ‘s-Hertogenbosch
The Netherlands