Fail Safe Control

Fail Safe Control
Safety Manual
Release 710
Revision 03 (01/2011)
FS90-710
Copyright, Notices and Trademarks
© 2011 – Honeywell Safety Management Systems a Division of Honeywell Aerospace B.V.
Release 710
Revision 03 (01/2011)
While this information is presented in good faith and believed to be accurate,

Honeywell Safety Management Systems disclaims the implied warranties of
merchantability and fitness for a particular purpose and makes no express warranties
except as may be stated in its written agreement with and for its customer.
In no event is Honeywell Safety Management Systems liable to anyone for any indirect,
special or consequential damages. The information and specifications in this document
are subject to change without notice.
TotalPlant, TDC 3000 and Universal Control Network are U.S. registered trademarks of
Honeywell International Inc.
Experion PKS and Plantscape are U.S. registered trademarks of Honeywell International
Inc.
FSC and QMR are trademarks of Honeywell Safety Management Systems.
Other brands or product names are trademarks of their respective holders.
No part of this document may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of
Honeywell Safety Management Systems.
TABLE OF CONTENTS
Section 1 – Introduction ............................................................................................... 1

1.1 System Overview ....................................................................................................................1
1.2 Certification .............................................................................................................................3
1.3 Standards Compliance............................................................................................................5
1.4 Definitions .............................................................................................................................11
Section 2 – FSC Architectures ................................................................................... 19

2.1 Section Overview ..................................................................................................................19
2.2 Introduction ...........................................................................................................................20
2.3 Single Central Part and Single I/O (1oo1D, DMR) ...............................................................21
2.4 Redundant Central Parts and Single I/O (100x2/./1 processors) ........................................22
2.5 Redundant Central Parts and Redundant I/O (100x2/./. processors)..................................24
2.6 Redundant Central Parts with Redundant and Single I/O (100x2/./. processors) ................26
2.7 Quadruple Modular Redundant (QMR™) Architecture (10020/./. processors) ....................28
Section 3 – Design Phases for an E/E/PE Safety-Related System .......................... 31

3.2 Overall Safety Lifecycle ........................................................................................................32
3.3 Specification of the Safety Class of the Process ..................................................................38
3.4 Specification of the Instrumentation Related to the Safety System......................................39
3.5 Specification of the Functionality of the Safety System........................................................42
3.6 Approval of Specification ......................................................................................................44
Section 4 – Implementation Phases of FSC as a Safety-Related System .............. 45

4.1 Overview ...............................................................................................................................45
4.2 FSC Project Configuration ....................................................................................................46
4.3 System Configuration Parameters........................................................................................48
4.4 Specification of Input and Output Signals.............................................................................51
4.5 Implementation of the Application Software .........................................................................52
4.6 Verification of an Application ................................................................................................53
4.7 Verifying an Application in the FSC System .........................................................................55
FSC Safety Manual

Table of Contents i
Section 5 – Special Functions in the FSC System ................................................... 59
5.1 Overview ...............................................................................................................................59
5.2 Forcing of I/O Signals ...........................................................................................................60
5.3 Communication with Process Control Systems (DCS / ICS) ................................................63
5.4 FSC Networks .......................................................................................................................65
5.5 On-Line Modification .............................................................................................................70
5.6 Safety-Related Non Fail-Safe inputs.....................................................................................72
Section 6 – FSC System Fault Detection and Response ......................................... 75

6.2 Voting ....................................................................................................................................77
6.3 FSC Diagnostic Inputs ..........................................................................................................79
6.4 FSC Alarm Markers...............................................................................................................82
6.4.1 Input Fault Detection.............................................................................................................84
6.4.2 Transmitter Fault Detection...................................................................................................86
6.4.3 Redundant Input Fault Detection ..........................................................................................87
6.4.4 Output Fault Detection ..........................................................................................................88
6.4.5 I/O Compare Error Detection ................................................................................................91
6.4.6 Central Part Fault Detection..................................................................................................96
6.4.7 Internal Communication Error ...............................................................................................97
6.4.8 FSC-FSC Communication Fault Detection ...........................................................................98
6.4.9 Device Communication Fault Detection................................................................................99
6.4.10 Temperature Alarm .............................................................................................................100
6.5 Calculation Errors................................................................................................................101
Section 7 – Using the FSC Alarm Markers and Diagnostic Inputs........................ 105
7.1 Section Overview ................................................................................................................105
7.2 Applications of Alarm Markers and Diagnostic Inputs ........................................................106
7.3 Shutdown at Assertion of FSC Alarm Markers ...................................................................107
7.4 Unit Shutdown.....................................................................................................................108
7.5 Diagnostic Status Exchange with DCS...............................................................................113
Section 8 – Wiring and 1oo2D Output Voting in AK5 and AK6 Applications....... 115
Section 9 – Fire and Gas Application Example ...................................................... 119
Section 10 – Special Requirements for TUEV-Approved Applications ................ 129
FSC Safety Manual

ii Table of Contents
Figures
Figure 1-1 CE mark .....................................................................................................................................8

Figure 1-2 Failure model ...........................................................................................................................12
Figure 1-3 Programmable electronic system (PES): structure and terminology .......................................14
Figure 2-1 Single Central Part, single I/O configuration............................................................................21
Figure 2-2 Functional diagram: single Central Part, single I/O .................................................................21
Figure 2-3 Redundant Central Parts, single I/O configuration ..................................................................22
Figure 2-4 Functional diagram: redundant Central Parts, single I/O.........................................................23
Figure 2-5 Redundant Central Parts, redundant I/O configuration ...........................................................24
Figure 2-6 Functional diagram: redundant Central Parts, redundant I/O..................................................25
Figure 2-7 Redundant Central Parts with redundant and single I/O configuration...................................26
Figure 2-8 Functional diagram: redundant Central Parts with redundant and single I/O..........................27
Figure 2-9 Functional diagram: QMR™ architecture ................................................................................28
Figure 3-1 Overall safety lifecycle .............................................................................................................33
Figure 3-2 E/E/PES safety lifecycle (in realization phase) ........................................................................34
Figure 3-3 Software safety lifecycle (in realization phase)........................................................................34
Figure 3-4 Relationship of overall safety lifecycle to E/E/PES and software safety lifecycles..................35
Figure 3-5 Specification of I/O signals for the FSC system.......................................................................40
Figure 3-6 Example of hardware specification of analog input for FSC system .......................................41
Figure 3-7 Example of functional logic diagram (FLD)..............................................................................43
Figure 4-1 Main screen of FSC Navigator.................................................................................................46
Figure 4-2 Basic functions of FSC project configuration programs...........................................................47
Figure 4-3 Verification of the application software ....................................................................................54
Figure 4-4 Verification log file ....................................................................................................................55
Figure 4-5 Sample verification report ........................................................................................................58
Figure 5-1 Forcing sequence ....................................................................................................................60
Figure 5-2 Example of a printout of engineering documents ....................................................................63
Figure 5-3 Examples of FSC communication networks ............................................................................65
Figure 5-4 FSC master/slave interconnection ...........................................................................................66
Figure 5-5 Redundant FSC communication link .......................................................................................66
Figure 5-6 Response time in network with multiple masters.....................................................................68
Figure 5-7 Sheet differences .....................................................................................................................70
Figure 5-8 Configuration of a redundant input ..........................................................................................72
Figure 5-9 Example of functionality of a redundant digital input function..................................................73
Figure 6-1 Input failure alarm marker function ..........................................................................................83
Figure 6-2 Intended square-root function ................................................................................................102
Figure 6-3 Square-root function with validated input value .....................................................................102
Figure 7-1 Diagram to shut down system in case of output compare error ............................................107
Figure 7-2 Wiring diagram for unit shutdown ..........................................................................................108
Figure 7-3 Configuration of the unit shutdown output .............................................................................109
Figure 7-4 Configuration of the process outputs .....................................................................................111
Figure 7-5 Functional logic diagram of unit shutdown.............................................................................112
Figure 7-6 FSC system information to DCS ............................................................................................113
Figure 8-1 Redundant I/O wiring in AK6 and non-surveiled AK5 applications for 1oo2D systems.........116
Figure 9-1 System alarm (FLD 50)..........................................................................................................120
Figure 9-2 Input loop 1 (FLD 100) ...........................................................................................................120
Figure 9-3 Control of the alarm horn (FLD 500) ......................................................................................122
Figure 9-4 Control of the failure alarm horn (FLD 501) ...........................................................................123
Figure 9-5 Control of the override alarm horn (FLD 502)........................................................................123
Figure 9-6 Control of the test alarm horn (FLD 503) ...............................................................................124
Figure 9-7 Control and acknowledge of the alarm horns (FLD 505).......................................................125
FSC Safety Manual

Table of Contents iii
Figures (continued)
Figure 9-8 Control of the common alarm indication (FLD 510) ...............................................................125
Figure 9-9 Control of the common test indication (FLD 520) ..................................................................126
Figure 9-10 Control of the common failure alarm indication (FLD 530) ..................................................126
Figure 9-11 Control of the common override indication (FLD 540) .........................................................127
Figure 9-12 Alarm sequence function block (FLD FB-900).....................................................................128
Figure 9-13 Alarm latching, alarm reset and lamp test function block (FLD 912) ...................................128
Figure 10-1 System parameters ..............................................................................................................131
Figure 10-2 Power supply........................................................................................................................134
Tables
Table 1-1 FSC compliance to standards .....................................................................................................5

Table 1-2 Safety integrity levels: target failure measures for a safety function, allocated to an
E/E/PE safety-related system operating in low demand mode of operation ................15
Table 1-3 Safety integrity levels: target failure measures for a safety function, allocated to an
E/E/PE safety-related system operating in high demand or continuous mode of
operation .......................................................................................................................15
Table 2-1 FSC architectures......................................................................................................................20
Table 3-1 Overall safety lifecycle overview ...............................................................................................35
Table 3-2 Relation between FSC architectures and requirement classes AK1-6, according to DIN
V 19250.........................................................................................................................38
Table 4-1 Memory types............................................................................................................................49
Table 5-1 Procedure to enable forcing ......................................................................................................60
Table 5-2 Procedure to force a variable ....................................................................................................61
Table 5-3 Performance factors ..................................................................................................................67
Table 5-4 FSC-FSC communication timeout.............................................................................................69
Table 6-1 Voting schemes for single FSC components ............................................................................77
Table 6-2 Voting schemes for redundant components..............................................................................78
Table 6-3 Explanation of redundancy voting schemes..............................................................................78
Table 6-4 Diagnostic inputs (channel status) ............................................................................................79
Table 6-5 Diagnostic inputs (loop status) ..................................................................................................80
Table 6-6 FSC alarm markers ...................................................................................................................82
Table 6-7 System response in case of digital hardware input compare error...........................................93
Table 6-8 System response in case of analog input compare error..........................................................94
Table 6-9 System response in case of digital output compare error.........................................................95
FSC Safety Manual

iv Table of Contents
Abbreviations
AC...................................................................................................................................... Alternating current

AI .................................................................................................................................................Analog input
AK ....................................................................................................Anforderungsklasse (requirement class)
AO............................................................................................................................................. Analog output
BI ............................................................................................................................................... Multiple input
BO............................................................................................................................................ Multiple output
CE............................................................................................................................. Conformité Européenne
CP.................................................................................................................................................Central part
CPU ............................................................................................................................Central processing unit
CSA ............................................................................................................ Canadian Standards Association
DBM................................................................................................................Diagnostic and battery module
DC.............................................................................................................................................. Direct current
DCS ....................................................................................................................... Distributed control system
DI ..................................................................................................................................................Digital input
DIN............................................................................Deutscher Industrienorm (German industrial standard)
DMR........................................................................................................................ Dual Modular Redundant
DO ..............................................................................................................................................Digital output
DTI .............................................................................................................................Diagnostic Test Interval
ECM......................................................................................................... Enhanced Communication Module
E/E/PES..................................................................... Electrical/Electronic/Programmable electronic system
EEA........................................................................................................................ European Economic Area
EEC .............................................................................................................European Economic Community
EMC..................................................................................................................Electromagnetic compatibility
EPKS .................................................................................................. Experion Process Knowledge System
EPM .................................................................................................................. Enhanced Processor Module
EPROM.......................................................................................Erasable programmable read-only memory
ESD ..............................................................................................................................Emergency shutdown
EU......................................................................................................................................... European Union
EUC ......................................................................................................................... Equipment under control
F&G ............................................................................................................................................... Fire & Gas
FAT ........................................................................................................................... Factory acceptance test
FB ............................................................................................................................................ Function block
FLD .......................................................................................................................... Functional logic diagram
FM............................................................................................................................................Factory Mutual
FMEA..................................................................................................................Failure mode effect analysis
FS ......................................................................................................................................................Fail-safe
FSC.......................................................................................................................................Fail Safe Control
FSC-DS ............................................................................................ Fail Safe Control Development System
H&B ...................................................................................................................................Hartmann & Braun
H-bus ........................................................................................................................................Horizontal bus
HBD ............................................................................................................................... Horizontal bus driver
HSMS .............................................................................................Honeywell Safety Management Systems
I................................................................................................................................................................Input
I/O .................................................................................................................................................Input/output
IC ............................................................................................................................................... Input channel
ICS.......................................................................................................................... Integrated control system
IM................................................................................................................................................Input module
NFS............................................................................................................................................. Non fail-safe
O ...........................................................................................................................................................Output
OC .......................................................................................................................................... Output channel
FSC Safety Manual

Table of Contents v
Abbreviations (continued)
OLM .................................................................................................................................On-line modification

OM ...........................................................................................................................................Output module
PC ..................................................................................................................................... Personal computer
PES.............................................................................................................Programmable electronic system
PST .................................................................................................................................. Process safety time
PSU .................................................................................................................................... Power supply unit
QMR ..............................................................................................................Quadruple Modular Redundant
RAM........................................................................................................................ Random-access memory
SER ..................................................................................................................Sequence-of-event recording
SIF ................................................................................................................... Safety Instrumented Function
SIL .................................................................................................................................. Safety integrity level
SMOD .................................................................................................. Secondary means of de-energization
SM I/O........................................................................................................... I/O modules of Safety Manager
SOE .................................................................................................................................Sequence of events
TPS................................................................................................................................... TotalPlant Solution
TÜV...........................................................................................................Technischer Überwachungsverein
UL ..........................................................................................................................Underwriters Laboratories
V-bus ............................................................................................................................................Vertical bus
VBD ....................................................................................................................................Vertical bus driver
WD.................................................................................................................................................. Watchdog
FSC Safety Manual

vi Table of Contents
REFERENCES
FSC Documentation:
Publication Publication
Title Number
FSC Safety Manual R710 FS90-710
FSC Software Manual R700 FS80-700
FSC Hardware Manual FS02-710
FSC Obsolete Modules FS02-701
FSC Service Manual FS99-704
FSCSOE Documentation:
Title Number
FSCSOE – Basic Version FS50-xxx*
FSCSOE – Network Option FS51-xxx*
FSCSOE – Foxboro I/A Interface Option FS52-xxx*
FSCSOE – Yokogawa CS Interface Option FS53-xxx*
FSCSOE – Web Option FS54-xxx*
* 'xxx' is the release number. For example, the manuals for FSCSOE R140 are referred to
as FS50-140, FS51-140, etc.
FSC-SM Documentation:
Title Number
FSC Safety Manager Installation Guide FS20-500
FSC Safety Manager Implementation Guidelines FS11-500
FSC Safety Manager Control Functions FS09-500
FSC Safety Manager Parameter Reference Dictionary FS09-550
FSC Safety Manager Configuration Forms FS88-500
FSC Safety Manager Service Manual FS13-500
FSC Safety Manual

Table of Contents vii
Left blank intentionally
FSC Safety Manual

viii Table of Contents
Section 1 – Introduction
1.1 System Overview
Section This section provides general information on the FSC system and its
compliance to standards, as well as a glossary of terms. It covers the
following topics:
Subsection Topic See page

1.1 System Overview.............................................................................................. 1
1.2 Certification....................................................................................................... 3
1.3 Standards Compliance ..................................................................................... 5
1.4 Definitions ....................................................................................................... 11
System overview The Fail Safe Control (FSC) system is a microprocessor-based

control system for safety applications. The system can be configured
in a number of different basic architectures (1oo1D, 1oo2D, QMR)
depending on the requirement class of the process, the availability
required and the FSC hardware modules used. This also means that
field signals can be handled in multiple voting schemes (1oo1,
1oo1D, 1oo2, 1oo2D, 2oo4D) as described in section 6.
The safety of the FSC system is obtained through its specific design
for these applications. This design includes facilities for self-testing of
all FSC modules through software and specialized hardware based on
a failure mode effect analysis (FMEA) for each module. Additional
software routines are included to guarantee proper execution of the
software. This approach can be classified as software diversity. These
features maintain fail-safe operation of the FSC system even in the
single-channel configurations. By placing these single-channel
versions in parallel, one gets not only safety but also availability:
proven availability.
FSC Safety Manual

Section 1: Introduction 1
The FSC system and the FSC user station (with the FSC Navigator
software) from Honeywell Safety Management Systems provide the
means to guarantee optimum safety and availability. To achieve these
goals, it is essential that the system is operated and maintained by
authorized and qualified staff. If it is operated by unauthorized or
unqualified persons, severe injuries or loss of production may result.
This Safety Manual covers the applications of the FSC system for
requirement classes (German: Anforderungsklassen) AK1 to AK6 in
accordance with DIN V 19250 of May 1994.
This Safety Manual also covers the applications that must comply
with Safety Integrity Levels (SIL 1 to SIL 3) as indicated in the IEC
61508.
FSC Safety Manual

2 Section 1: Introduction
1.2 Certification
Standards Since functional safety is at the core of the FSC design, the system
compliance has been certified for use in safety applications all around the world.
FSC was developed specifically to comply with the strict German
DIN/VDE functional safety standards, and has been certified by TÜV
for use in AK 1 to 6 applications. FSC has also obtained certification
in the United States for the UL 1998 and ANSI/ISA S84.01
standards.
FSC-based safety solutions and related Honeywell services can help
you comply with the new ANSI/ISA S84.01 standard for safety-
instrumented systems up to Safety Integrity Level (SIL) 3, as well as
the new international standard IEC 61508 for functional safety. These
new standards address the management of functional safety
throughout the entire life cycle of your plant.
Certification FSC has been certified to comply with the following standards:
TÜV Bayern (Germany) — Certified to fulfill the requirements of

"Class 6" (AK6) safety equipment as defined in the following
documents: DIN V VDE 19250, DIN V VDE 0801 incl. amendment
A1, DIN VDE 0110, DIN VDE 0116, DIN VDE 0160 incl.
amendment A1, DIN EN 54-2, DIN VDE 0883-1, DIN IEC 68,
IEC 61131-2.
Instrument Society of America (ISA) — Certified to fulfill the

requirements laid down in ANSI/ISA S84.01.
Canadian Standards Association (CSA) — Complies with the

requirements of the following standards:
CSA Standard C22.2 No. 0-M982 General Requirements – Canadian
Electrical Code, Part II;
CSA Standard C22.2 No. 142-M1987 for Process Control Equipment.
Underwriters Laboratories (UL) — Certified to fulfill the

requirements of UL 508, UL 991, UL 1998, and ANSI/ISA S84.01.
CE compliance — Complies with CE directives 89/336/EEC (EMC)

and 73/23/EEC (Low Voltage).
FSC Safety Manual

Factory Mutual (FM) — Certified to fulfill the requirements of
FM 3611 (nonincendive field wiring circuits for selected modules).
The FSC functional logic diagrams (FLDs) are compliant with

IEC 61131-3.
The design and development of the FSC system are compliant with
IEC 61508:1999, Parts 1-7 (as certified by TÜV).
FSC Safety Manual

1.3 Standards Compliance
Standards This subsection lists the standards that FSC complies with, and also
provides some background information on CE marking (EMC
directive and Low Voltage directive).
Table 1-1 FSC compliance to standards

Standard Title Remarks
DIN V 19250 Measurement and control. Safety applications up to safety

(1/89, 5/94) Fundamental safety aspects to be class AK 8
considered for safety-related
measurement and control equipment.
(German title: Leittechnik.
Grundlegende Sicherheits-
betrachtungen für MRS-
Schutzeinrichtungen)
DIN V 0801 (1/90) Principles for computers in safety- Microprocessor-based safety

and Amendment A related systems. systems
(10/94) (German title: Grundsätze für Rechner
in Systemen mit Sicherheitsaufgaben)
VDE 0116 (10/89) Electrical equipment of furnaces.

(German title: Elektrische Ausrüstung
von Feuerungsanlagen)
EN 54 part 2 (01/90) Components of automatic fire detection

systems, Introduction
(German title: Bestandteile
automatischer Brandmeldeanlagen)
EN 50081-2-1994 Electromagnetic compatibility – Generic

emission standard, Part 2: Industrial
environment
EN 50082-2-1995 Electromagnetic compatibility – Generic

immunity standard, Part 2: Industrial
environment
IEC 61010-1-1993 Safety Requirements for Electrical

Equipment for Measurement, Control
and Laboratory Use, Part 1: General
Requirements
IEC 61131-2-1994 Programmable controllers. Part 2:

Equipment requirements and tests
UL 1998 Safety-related software, first edition Underwriters Laboratories
UL 508 Industrial control equipment, sixteenth Underwriters Laboratories

edition
FSC Safety Manual

Table 1-1 FSC compliance to standards (continued)
UL 991 Test for safety-related controls Underwriters Laboratories

employing solid-state devices,
second edition
FM 3611 Electrical equipment for use in Factory Mutual Research

Class I, Division 2,
Class I, Division 2, Class II, Division 2, and Applies to the field wiring circuits of
Groups A, B, C & D Class III, Division 1 and 2, the following modules:
hazardous locations 10101/2/1, 10102/2/1, 10105/2/1,
Class II, Division 2, 10106/2/1 and 10205/2/1.
Groups F & G
CSA C22.2 Process control equipment. Canadian Standards Association

Industrial products. No. 142 (R1993)
IEC 60068-1 Basic environmental testing

procedures
IEC 60068-2-1 Cold test 0°C (32°F); 16 hours;

system in operation;
reduced power supply voltage (-15%)
U=20.4 Vdc or (-10%); U=198 Vac
IEC 60068-2-1 Cold test –10°C (14°F); 16 hours;

system in operation
IEC 60068-2-2 Dry heat test up to 65°C (149°F); 16 hours;

system in operation;
increased power supply voltage
(+15%): U=27.6 Vdc or
(+10%): U=242 Vac
IEC 60068-2-3 Test Ca: damp heat, steady state 21 days at +40°C (104°F),
93% relative humidity;
function test after cooling
IEC 60068-2-3 Test Ca: damp heat, steady state 96 hours at +40°C (104°F),
93% relative humidity;
system in operation
IEC 60068-2-14 Test Na: change of temperature — –25°C to +55°C (–13°F to +131°F),
withstand test 12 hours,
95% relative humidity,
recovery time: max. 2 hours
IEC 60068-2-30 Test Db variant 2: cyclic damp +25°C to +55°C (+77°F to +131°F),
heat test 48 hours,
80-100% relative humidity,
recovery time: 1-2 hours
FSC Safety Manual

Table 1-1 FSC compliance to standards (continued)
IEC 60068-2-6 Environmental testing – Part 2: Excitation: sine-shaped with sliding

Tests – Test frequence;
Fc: vibration (sinusoidal) Frequency range: 10-150 Hz
Loads: 10-57 Hz; 0.075 mm
57-150 Hz; 1 G
Duration: 10 cycles (20 sweeps) per
axis
No. of axes: 3 (x, y, z)
Traverse rate: 1 oct/min
System in operation
IEC 60068-2-27 Environmental testing – Part 2: Half sinus shock

Tests – Test 2 shocks per 3 axes (6 in total)
Ea: shock Maximum acceleration: 15 G
Shock duration: 11 ms
System in operation
FSC Safety Manual

CE marking The CE mark (see Figure 1-1) is a compliance symbol which
indicates that a product meets the requirements of the EU directives
that apply to that product. CE (Conformité Européenne) marking is a
prerequisite to marketing FSC systems in the European Union.
EU directives are documents issued on the authority of the Council of

the European Union. They set out requirements and regulations for
certain categories of products or problem areas. The directives apply
not only to the member countries of the European Union but to the
whole European Economic Area (EEA), which is made up of Austria,
Belgium, Denmark, Finland, France, Germany, Greece, Iceland,
Ireland, Italy, Liechtenstein, Luxembourg, the Netherlands, Norway,
Portugal, Spain, Sweden and the United Kingdom.
The directives have the following key objectives:

• free movement of goods within the EU/EEA geographical regions
through harmonization of standards and elimination of trade
barriers,
• safety of persons, their property and of animals, and
• protection of the environment.
Figure 1-1 CE mark
For control products like FSC, a number of EU directives apply. The

FSC product is compliant with two of these: the Electromagnetic
Compatibility (EMC) Directive (89/336/EEC) and the Low Voltage
Directive (73/23/EEC). Each is discussed in more detail below.
FSC Safety Manual

EMC directive One of the EU directives that FSC complies with is the EMC
(89/336/EEC) directive, or Council Directive 89/336/EEC of 3 May 1989 on the
approximation of the laws of the Member States relating to
electromagnetic compatibility as it is officially called. It "applies to
apparatus liable to cause electromagnetic disturbance or the
performance of which is liable to be affected by such disturbance"
(Article 2).
The EMC directive defines protection requirements and inspection
procedures relating to electromagnetic compatibility for a wide range
of electric and electronic items.
Within the context of the EMC directive, 'apparatus' means all
electrical and electronic appliances together with equipment and
installations containing electrical and/or electronic components.
'Electromagnetic disturbance' means any electromagnetic phenomenon
which may degrade the performance of a device, unit of equipment or
system. An electromagnetic disturbance may be electromagnetic
noise, an unwanted signal or a change in the propagation medium
itself.
'Electromagnetic compatibility' is the ability of a device, unit of
equipment or system to function satisfactorily in its electromagnetic
environment without introducing intolerable electromagnetic
disturbances to anything in that environment.
There are two sides to electromagnetic compatibility: emission and
immunity. These two essential requirements are set forth in Article 4,
which states that an apparatus must be constructed so that:
(a) the electromagnetic disturbance it generates does not exceed a
level allowing radio and telecommunications equipment and other
apparatus to operate as intended;
(b) the apparatus has an adequate level of intrinsic immunity of
electromagnetic disturbance to enable it to operate as intended.
The EMC directive was originally published in the Official Journal of
the European Communities on May 23, 1989. The directive became
effective on January 1, 1992, with a four-year transitional period.
During the transitional period, a manufacturer can choose to meet
existing national laws (of the country of installation) or comply with
the EMC directive (demonstrated by the CE marking and Declaration
of Conformity). The transitional period ended on December 31, 1995,
which meant that as of January 1, 1996 compliance with the EMC
directive became mandatory (a legal requirement). All electronic
products may now only be marketed in the European Union if they
meet the requirements laid down in the EMC directive. This also
applies to FSC system cabinets.
FSC Safety Manual

Low voltage The FSC product also complies with the low voltage directive, or
directive Council Directive 73/23/EEC of 19 February 1973 on the
(73/23/EEC) harmonization of the laws of the Member States relating to electrical
equipment designed for use within certain voltage limits as it is
officially called. It states that "electrical equipment may be placed on
the market only if, having been constructed in accordance with good
engineering practice in safety matters in force in the Community, it
does not endanger the safety of persons, domestic animals or property
when properly installed and maintained and used in applications for
which it was made" (Article 2).
The low voltage directive defines a number of principal safety
objectives that electrical equipment must meet in order to be
considered "safe".
Within the context of the low voltage directive, 'electrical equipment'

means any equipment designed for use with a voltage rating of
between 50 and 1,000 V for alternating current (AC) and between 75
and 1,500 V for direct current (DC).
The low voltage directive was originally published in the Official

Journal of the European Communities on March 26, 1973. It was
amended by Council Directive 93/68/EEC, which became effective on
January 1, 1995, with a two-year transitional period. During the
transitional period, a manufacturer can choose to meet existing
national laws (of the country of installation) or comply with the low
voltage directive (demonstrated by the CE marking and Declaration of
Conformity). The transitional period ended on December 31, 1996,
which meant that as of January 1, 1997 compliance with the low
voltage directive became mandatory (a legal requirement). All
electronic products may now only be marketed in the European Union
if they meet the requirements laid down in the low voltage directive.
This also applies to FSC system cabinets.
FSC Safety Manual

1.4 Definitions
Definitions This section provides a list of essential safety terms that apply to the
FSC system. All definitions have been taken from IEC 61508-4
(FDIS version, February '98).
Dangerous failure Failure which has the potential to put the safety-related system in a
hazardous or fail-to-function state.
NOTE: Whether or not the potential is realized may depend on the channel
architecture of the system; in systems with multiple channels to improve safety, a
dangerous hardware failure is less likely to lead to the overall dangerous or
fail-to-function state.
Error Discrepancy between a computed, observed or measured value or

condition and the true, specified or theoretically correct value or
condition.
EUC risk Risk arising from the EUC or its interaction with the EUC control
system.
Failure The termination of the ability of a functional unit to perform a

required function.
NOTE 1: The definition in IEV 191-04-01 is the same, with additional notes.
NOTE 2: See Figure 1-2 for the relationship between faults and failures, both in
IEC 61508 and IEV 191.
NOTE 3: Performance of required functions necessarily excludes certain behaviour,
and some functions may be specified in terms of behaviour to be avoided. The
occurrence of such behaviour is a failure.
NOTE 4: Failures are either random (in hardware) or systematic (in hardware or
software).
Fault Abnormal condition that may cause a reduction in, or loss of, the
capability of a functional unit to perform a required function
NOTE: IEV 191-05-01 defines "fault" as a state characterized by the inability to
perform a required function, excluding the inability during preventative maintenance
or other planned actions, or due to lack of external resources.
Functional safety Part of the overall safety relating to the EUC and the EUC control
system which depends on the correct functioning of the E/E/PE
safety-related systems, other technology safety-related systems and
external risk reduction facilities.
FSC Safety Manual

L (i-1) FU
Level (i) Level (i-1)
L (i) FU L (i) FU
L (i+1) FU L (i+1) FU L (i+1) FU L (i+1) FU
"F" state
failure
"Entity X"
L (i+1) FU L (i+1) FU L (i+1) FU L (i+1) FU
"F" state
failure cause
cause
(L = level; i = 1, 2, 3 etc; FU = functional unit)
a) Configuration of a functional unit b) Generalised view
Level (i) Level (i-1) Level (i) Level (i-1)
fault
failure failure
"Entity X" "Entity X"
fault
failure fault failure failure cause
fault failure cause
c) IEC 1508's and ISO/IEC 2382-14's view d) IEC 50(191)'s view
NOTE 1 As shown in a), a functional unit can be viewed as a hierarchical composition of multiple levels, each of which can in turn be called
a functional unit. In level (i), a "cause" may manifest itself as an error (a deviation from the correct value or state) within this level (i) functional
unit, and, if not corrected or circumvented, may cause a failure of this functional unit, as a result of which it falls into an "F" state where it is no
longer able to perform a required function (see b)). This "F" state of the level (i) functional unit may in turn manifest itself as an error in the
level (i-1) functional unit and, if not corrected or circumvented, may cause a failure of this level (i-1) functional unit.
NOTE 2 In this cause and effect chain, the same thing ("Entity X") can be viewed as a state ("F" state) of the level (i) functional unit into which
it has fallen as a result of its failure, and also as the cause of the level (i-1) functional unit. This "Entity X" combines the concept of "fault" in IEC
1508 and ISO/IEC 2382-14, which emphasises its cause aspect as illustrated in c), and that of "fault" in IEC 50(191), which emphasises its
state aspect as illustrated in d). The "F" state is called fault in IEC 50(191), whereas it is not defined in IEC 1508 and ISO/IEC 2382-14.
NOTE 3 In some cases, a failure may be caused by an external event such as lightning or electrostatic noise, rather than by an internal fault.
Likewise, a fault (in both vocabularies) may exist without a prior failure. An example of such a fault is a design fault.
Figure 1-2 Failure model
Functional safety Investigation, based on evidence, to judge the functional safety

assessment achieved by one or more E/E/PE safety-related systems, other
technology safety-related systems or external risk reduction facilities.
Human error Mistake.

Human action or inaction that produces an unintended result.
FSC Safety Manual

Hardware safety Part of the safety integrity of the safety related systems relating to
integrity random hardware failures in a dangerous mode of failure
NOTE: The term relates to failures in a dangerous mode. That is, those failures of a
safety-related system that would impair its safety integrity. The two parameters that
are relevant in this context are the overall dangerous failure rate and the probability
of failure to operate on demand. The former reliability parameter is used when it is
necessary to maintain continuous control in order to maintain safety, the latter
reliability parameter is used in the context of safety-related protection systems.
Mode of operation Way in which a safety-related system is intended to be used, with

respect to the frequency of demands made upon it in relation to the
proof check frequency, which may be either:
− low demand mode - where the frequency of demands for operation
made on a safety-related system is not significantly greater than the
proof check frequency; or
− high demand or continuous mode - where the frequency of
demands for operation made on a safety-related system is
significantly greater than the proof check frequency
NOTE: Typically for low demand mode, the frequency of demands on the safety-
related system is the same order of magnitude as the proof test frequency (i.e.
months to years where the proof test interval is a year). While typically for high
demand or continuous mode, the frequency of demands on the safety-related system
is hundreds of times the proof test frequency (i.e. minutes to hours where the proof
test interval is a month).
Programmable System for control, protection or monitoring based on one or more

electronic system programmable electronic devices, including all elements of the
(PES)
system such as power supplies, sensors and other input devices, data
highways and other communication paths, and actuators and other
output devices (see Figure 1-3).
NOTE: The structure of a PES is shown in Figure 1-3 a). Figure 1-3 b) illustrates
the way in which a PES is represented in IEC 61508, with the programmable
electronics shown as a unit distinct from sensors and actuators on the EUC and their
interfaces, but the programmable electronics could exist at several places in the PES.
Figure 1-3 c) illustrates a PES with two discrete units of programmable electronics.
Figure 1-3 d) illustrates a PES with dual programmable electronics (i.e. two
channel), but with a single sensor and a single actuator.
FSC Safety Manual

input interfaces output interfaces
extent communications
A-D converters D-A converters
of PES
programmable
electronics
(see note)
input devices output devices/final elements

(eg sensors) (eg actuators)
a) Basic PES structure
PE 1
PE
PE PE 1 PE 2
PE 2
b) Single PES with single program- c) Single PES with dual program- d) Single PES with dual program-
mable electronic device (ie one PES mable electronic devices linked in a mable electronic devices but with
comprised of a single channel of serial manner (eg intelligent sensor shared sensors and final elements (ie
programmable electronics) and programmable controller) one PES comprised of two channels
of programmable electronics)
NOTE The programmable electronics are shown centrally located but could exist at several places in the PES.
Figure 1-3 Programmable electronic system (PES):

structure and terminology
Risk Combination of the probability of occurrence of harm and the

severity of that harm.
Safe failure Failure which does not have the potential to put the safety-related
system in a hazardous or fail-to-function state.
NOTE: Whether or not the potential is realized may depend on the channel
architecture of the system; in systems with multiple channels to improve safety, a
safe hardware failure is less likely to result in an erroneous shutdown.
Safety Freedom from unacceptable risk.
Safety integrity level Discrete level (one out of a possible four) for specifying the safety
(SIL) integrity requirements of the safety functions to be allocated to the
E/E/PE safety-related systems, where safety integrity level 4 has the
highest level of safety integrity and safety integrity level 1 has the
lowest.
NOTE 1: The target failure measures for the safety integrity levels are specified in
Table 1-2 and Table 1-3.
FSC Safety Manual

Table 1-2 Safety integrity levels: target failure measures for a safety
function, allocated to an E/E/PE safety-related system operating in
low demand mode of operation
Safety integrity level Low demand mode of operation
(average probability of failure to perform its
design function on demand)
4 ≥ 10-5 to < 10-4
3 ≥ 10-4 to < 10-3
2 ≥ 10-3 to < 10-2
1 ≥ 10-2 to < 10-1

NOTE: See notes 3 to 7 below for details on interpreting this table.
Table 1-3 Safety integrity levels: target failure measures for a safety
function, allocated to an E/E/PE safety-related system operating in
high demand or continuous mode of operation
Safety integrity level High demand or continuous mode of
operation (probability of a dangerous failure
per hour)
4 ≥ 10-9 to < 10-8
3 ≥ 10-8 to < 10-7
2 ≥ 10-7 to < 10-6
1 ≥ 10-6 to < 10-5

NOTE: See notes 3 to 7 below for details on interpreting this table.
NOTE 3: The parameter in Table 1-3 for high demand or continuous mode of
operation, probability of a dangerous failure per hour, is sometimes referred to as the
frequency of dangerous failures, or dangerous failure rate, in units of dangerous
failures per hour.
NOTE 4: This document sets a lower limit on the target failure measures, in a
dangerous mode of failure, that can be claimed. These are specified as the lower
limits for safety integrity level 4 (i.e. an average probability of failure of 10-5 to
perform its design function on demand, or a probability of a dangerous failure of 10-
9
per hour). It may be possible to achieve designs of safety-related systems with
lower values for the target failure measures for non-complex systems, but it is
considered that the figures in the table represent the limit of what can be achieved
for relatively complex systems (for example programmable electronic safety-related
systems) at the present time.
NOTE 5: The target failure measures that can be claimed when two or more E/E/PE
safety-related systems are used may be better than those indicated in Table 1-2 and
Table 1-3 providing that adequate levels of independence are achieved.
FSC Safety Manual

NOTE 6: It is important to note that the failure measures for safety integrity levels
1, 2, 3 and 4 are target failure measures. It is accepted that only with respect to the
hardware safety integrity will it be possible to quantify and apply reliability
prediction techniques in assessing whether the target failure measures have been
met. Qualitative techniques and judgements have to be made with respect to the
precautions necessary to meet the target failure measures with respect to the
systematic safety integrity.
NOTE 7: The safety integrity requirements for each safety function shall be
qualified to indicate whether each target safety integrity parameter is either:
− the average probability of failure to perform its design function on demand (for a
low demand mode of operation); or
− the probability of a dangerous failure per hour (for a high demand or continuous
mode of operation).
Safety lifecycle Necessary activities involved in the implementation of safety-related

systems, occurring during a period of time that starts at the concept
phase of a project and finishes when all of the E/E/PE safety-related
systems, other technology safety-related systems and external risk
reduction facilities are no longer available for use.
Safety-related system Designated system that both:

− implements the required safety functions necessary to achieve or
maintain a safe state for the EUC, and
− is intended to achieve, on its own or with other E/E/PE
safety-related systems, other technology safety-related systems or
external risk reduction facilities, the necessary safety integrity for
the required safety functions
NOTE 1: The term refers to those systems, designated as safety-related systems,
that are intended to achieve, together with the external risk reduction facilities, the
necessary risk reduction in order to meet the required tolerable risk.
NOTE 2: The safety-related systems are designed to prevent the EUC from going
into a dangerous state by taking appropriate action on receipt of commands. The
failure of a safety-related system would be included in the events leading to the
identified hazard or hazards. Although there may be other systems having safety
functions, it is the safety-related systems that have been designated to achieve, in
their own right, the required tolerable risk. Safety-related systems can broadly be
divided into safety-related control systems and safety-related protection systems,
and have two modes of operation.
NOTE 3: Safety-related systems may be an integral part of the EUC control system
or may interface with the EUC by sensors and/or actuators. That is, the required
safety integrity level may be achieved by implementing the safety functions in the
EUC control system (and possibly by additional separate and independent systems
as well) or the safety functions may be implemented by separate and independent
systems dedicated to safety.
FSC Safety Manual

NOTE 4: A safety-related system may:
a) be designed to prevent the hazardous event (i.e. if the safety-related systems
perform their safety functions then no hazard arises). The key factor here is the
ensuring that the safety-related systems perform their functions with the degree
of certainty required (for example, for the specified functions, that the average
probability of failure should not be greater than 10-4 to perform its design
function on demand).
b) be designed to mitigate the effects of the hazardous event, thereby reducing the
risk by reducing the consequences. As for a), the probability of failure on
demand for the specified functions (or other appropriate statistical measure)
should be met.
c) be designed to achieve a combination of a) and b).
NOTE 5: A person can be part of a safety-related system. For example, a person
could receive information from a programmable electronic device and perform a
safety task based on this information, or perform a safety task through a
programmable electronic device.
NOTE 6: The term includes all the hardware, software and supporting services (e.g.
power supplies) necessary to carry out the specified safety function (sensors, other
input devices, final elements (actuators) and other output devices are therefore
included in the safety-related system).
NOTE 7: A safety-related system may be based on a wide range of technologies
including electrical, electronic, programmable electronic, hydraulic and pneumatic.
Systematic safety Part of the safety integrity of safety-related systems relating to

integrity systematic failures in a dangerous mode of failure
NOTE: Systematic safety integrity cannot usually be quantified (as distinct from
hardware safety integrity which usually can).
Validation Confirmation by examination and provision of objective evidence

that the particular requirements for a specific intended use are
fulfilled.
FSC Safety Manual

Left blank intentionally.
FSC Safety Manual

Section 2 – FSC Architectures
2.1 Section Overview
Section This section provides information on the various FSC architectures. It

covers the following topics:

2.1 Section Overview............................................................................................ 19
2.2 Introduction ..................................................................................................... 20
2.3 Single Central Part and Single I/O (1oo1D, DMR) ......................................... 21
2.4 Redundant Central Parts and Single I/O (100x2/./1 processors) .................. 22
2.5 Redundant Central Parts and Redundant I/O (100x2/./. processors) ........... 24
2.6 Redundant Central Parts with Redundant and Single I/O
(100x2/./. processors) ..................................................................................... 26
2.7 Quadruple Modular Redundant (QMR™) Architecture (10020/./. processors)28
FSC Safety Manual

Section 2: FSC Architectures 19
2.2 Introduction
Basic architectures The Fail Safe Controller can be supplied in a number of architectures,
each with its own characteristics and typical applications. Table 2-1
below provides an overview of the available architectures.
Table 2-1 FSC architectures

Central Part I/O
CPU type Remarks See section
configuration configuration
10002/1/2 or 1oo1D architecture;
2.3
10012/1/2 Applications up to AK4
Single Single
10020/1/1 or DMR architecture;
2.3
10020/1/2 (QPM) Applications up to AK6
10002/1/2 or 1oo2D architecture;
Single, 2.4, 2.5, 2.6
10012/1/2 Applications up to AK6
redundant,
Redundant
single and 10020/1/1 or QMR™ architecture;
redundant 2.7
10020/1/2 (QPM) Applications up to AK6
DMR = Dual Modular Redundant

QMR = Quadruple Modular Redundant
All FSC architectures can be used for safety applications. The

preferred architecture depends on the availability requirements.
The FSC architectures defined in Table 2-1 are discussed in more
detail in subsections 2.3 to 2.7.
FSC Safety Manual

20 Section 2: FSC Architectures
2.3 Single Central Part and Single I/O (1oo1D, DMR)
This FSC architecture has a single Central Part and single input and
output (I/O) modules (see Figure 2-1).
The I/O modules are controlled via the Vertical Bus Driver (VBD),
which is located in the Central Part, and the Vertical bus (V-Bus),
which controls up to 10 I/O racks. Each I/O rack is controlled via the
Horizontal Bus Driver (HBD). No redundancy is present except as
built into those modules where redundancy is required for safety
(memory and watchdog).
If the Central Part contains a processor module, type 100x2/./., the

system is suitable for applications up to AK4 (1oo1D architecture).
In case of a Quad Processor Module (QPM, 10020/1/x), the system is
suitable for applications up to AK6 (SIL 3) (DMR architecture).
System Bus
Up to 14 VBD
CENTRAL PART CPU COM WD PSU DBM VBD
H-Bus V-Bus
FS NFS FS NFS HBD Up to 10 HBD
INPUTS OUTPUTS
Figure 2-1 Single Central Part, single I/O configuration
ESD Watchdog
Module SMOD
Sensor
Input Output
xx
yyy Module Processor Module
Input Interfaces Central Part Output Interfaces Final Element
Figure 2-2 Functional diagram: single Central Part, single I/O
FSC Safety Manual

2.4 Redundant Central Parts and Single I/O
(100x2/./1 processors)
This FSC architecture has redundant Central Parts and single input
and output (I/O) modules (see Figure 2-3 and Figure 2-4).
The I/O modules are controlled via the VBDs, which are located in
each Central Part, and the V-Bus, which controls up to 10 I/O racks.
Each I/O rack is controlled via the HBD. The processor is fully
redundant, which allows continuous operation and bump less
(zero-delay) transfer in case of a Central Part failure.
Even though there is a bump less transfer between Central Parts if the
first failure occurs, the remaining risk must be limited within a certain
time. This time can be derived in a quantitative manner through the
Markov modeling techniques using the mathematics defined in
IEC 61508 and ANSI/ISA S84.01. A more pragmatic approach, which
is actually recommended by TÜV Product Services, is to allow
continued operation for 72 hours, leaving sufficient fault tolerance
time (FTT) for the organization to act upon the failure annunciation.
For the 10020/./. QuadPM processor module, see section 2.7. (For
details on the second fault timer refer to section 4.5.8 of the software
manual.)
System Bus
CENTRAL PART 1 CPU COM WD PSU DBM VBD
H-Bus
V-Bus
FS NFS OR FS NFS HBD
INPUTS OUTPUTS
Figure 2-3 Redundant Central Parts, single I/O configuration
FSC Safety Manual

Central Part1
ESD Watchdog
Module
V+
Processor
SMOD
Sensor
Input
xx
yyy Module
Output
Module
Processor
Final Element
Watchdog
Module
Input Interfaces Central Part2 Output Interfaces
Figure 2-4 Functional diagram: redundant Central Parts, single I/O
FSC Safety Manual

2.5 Redundant Central Parts and Redundant I/O
(100x2/./. processors)
This FSC architecture has redundant Central Parts and redundant

input and output (I/O) modules (OR function on outputs) (see Figure
2-5 and Figure 2-6).
each Central Part and the V-Bus, which controls up to 10 I/O racks.
Each I/O rack is controlled via the HBD. The processor and I/O are
fully redundant, which allows continuous operation and bumpless
(zero-delay) transfer in case of a Central Part or I/O failure.
Even though there is a bumpless transfer between Central Parts if the
details on the second fault timer refer to section 4.5.8 of the FSC
software manual.)
OUTPUTS NFS NFS FS FS HBD HBD
INPUTS FS FS NFS NFS HBD HBD
Figure 2-5 Redundant Central Parts, redundant I/O configuration
FSC Safety Manual

Central Part 1
ESD Watchdog
Module
Output
Module
Input
Module Processor
SMOD
Sensor
xx Quad
yyy
Voter
SMOD
Input
Module Processor
Output
Module
Watchdog
Module
Input Interfaces Central Part 2 Output Interfaces
Final Element
Figure 2-6 Functional diagram: redundant Central Parts,

redundant I/O
FSC Safety Manual

2.6 Redundant Central Parts with Redundant and Single I/O
(100x2/./. processors)
This FSC architecture has redundant Central Parts and redundant

input and output (I/O) modules (OR function on outputs) combined
with single input and output modules (see Figure 2-7 and Figure 2-8).
each Central Part, and the V-Bus, which controls up to 10 I/O racks.
Each I/O rack is controlled via the HBD. The processor and I/O are
fully redundant, which allows continuous operation and bumpless
(zero-delay) transfer in case of a Central Part or I/O failure of the
redundant I/O modules.
Even though there is a bumpless transfer between Central Parts if the
CENTRAL PART 1 CPU COM WD PSU DBM VBD VBD
CENTRAL PART 2 CPU COM WD PSU DBM VBD VBD
FS NFS
WDR FS NFS HBD
INPUTS / NFS NFS FS FS HBD HBD

OUTPUTS
FS FS NFS NFS
HBD HBD
Figure 2-7 Redundant Central Parts with redundant and

single I/O configuration
FSC Safety Manual

details on the second fault timer refer to section 4.5.8 of the FSC
software manual.)
Central Part 1
ESD Watchdog
Module
Watchdog
Repeater
Output
Module
Input
Module Processor V+
SMOD
Sensor SMOD
xx Input Quad
yyy
Module Voter
Output
Module
SMOD
Input
Module Processor
Output
Module
Watchdog
Module
Final Element
Figure 2-8 Functional diagram: redundant Central Parts

with redundant and single I/O
FSC Safety Manual

2.7 Quadruple Modular Redundant (QMR™) Architecture
(10020/./. processors)
QMR™ The Quadruple Modular Redundant (QMR™) architecture with

architecture 2oo4D voting is an evolution of the proven 1oo2D concept. The
QMR™ architecture with 2oo4D voting is based on dual-processor
technology, and is characterized by a high level of diagnostics and
fault tolerance.
The QMR™ architecture is used in conjunction with the 10020/1/x
Quad Processor Module (QPM). Redundant Central Parts each contain
two main processors and memory (see Figure 2-9 below), which
results in quadruple redundancy and, combined with 2oo4D voting,
boosts the overall safety performance of the system.
Central Part 1
ESD Watchdog
Module
CPU Output
Processor Module
Input
Module
Processor SMOD
Sensor
xx Quad
yyy
Voter
CPU
Processor SMOD
Input
Module
Processor Output
Module
Watchdog
Module
Final Element
Figure 2-9 Functional diagram: QMR™ architecture
The 2oo4D voting is realized by combining 1oo2 voting for both main
processors and memory on one Quad processor module, and 1oo2D
voting between the two Central Parts. Voting is therefore applied on
two levels: on a module level and between the Central Parts.
FSC Safety Manual

With redundant I/O configurations, each path is primarily controlled
by one of the Central Parts, including an independent switch which is
controlled by the Central Part's Watchdog module. Furthermore, each
Central Part is able to switch off the output channels of the other
Central Part through dedicated SMOD (Secondary Means Of De-
energization) hardware circuitry which is located on the FSC fail-safe
output modules.
There are no second fault timer (SFT) restrictions if one of the Central
Parts is down.
FSC Safety Manual

FSC Safety Manual

Section 3 – Design Phases for an E/E/PE Safety-Related
System
Section This section describes the design phases for an E/E/PE safety-related
system. It covers the following topics:

3.2 Overall Safety Lifecycle .................................................................................. 32
3.3 Specification of the Safety Class of the Process............................................ 38
3.4 Specification of the Instrumentation Related to the Safety System ............... 39
3.5 Specification of the Functionality of the Safety System.................................. 42
3.6 Approval of Specification ................................................................................ 44
FSC Safety Manual

Section 3: Design Phases for an E/E/PE Safety-Related System 31
3.2 Overall Safety Lifecycle
Safety lifecycle In order to deal in a systematic manner with all the activities
necessary to achieve the required safety integrity level for the E/E/PE
safety-related systems, an overall safety lifecycle is adopted as the
technical framework (as defined in IEC 61508) (see Figure 3-1).
The overall safety lifecycle encompasses the following risk reduction

measures:
• E/E/PE safety-related systems,
• other technology safety-related systems, and
• external risk reduction facilities.
The portion of the overall safety lifecycle dealing with E/E/PE safety-
related systems is expanded and shown in Figure 3-2. The software
safety lifecycle is shown in Figure 3-3. The relationship of the overall
safety lifecycle to the E/E/PES and software safety lifecycles for
safety-related systems is shown in Figure 3-4.
The overall, E/E/PES and software safety lifecycle figures (Figure
3-1, Figure 3-2 and Figure 3-3) are simplified views of reality and as
such do not show all the iterations relating to specific phases or
between phases. The iterative process, however, is an essential and
vital part of development through the overall, E/E/PES and software
safety lifecycles.
FSC Safety Manual

32 Section 3: Design Phases for an E/E/PE Safety-Related System
1 Concept
Overall scope
2 definition
Hazard and risk

3 analysis
Overall safety
4 requirements
Safety requirements
5 allocation
9
Safety-related Safety-related External risk
systems: 10 systems: 11 reduction
Overall planning facilities
E/E/PES other
6 operation
OveralI
and
7 Overall
safety
8 OveralI
installation and
technology
maintenance validation
8commissioning Realisatio Realisatio Realisatio
(see E/E/PES
planning planning planning safety
lifecycle)
Overall installation
12 and commissioning
Overall safety
13
Back to appropriate
validation overall safety lifecycle
phase
Overall operation, Overall modification

14 maintenance and repair 15 and retrofit
Decommissioning
16 or disposal
NOTE 1 Activities relating to verification , management of functional safety and functional safety assessment are
not shown for reasons of clarity but are relevent to all overall, E/E/PES and software safety lifecycle phases.
NOTE 2 The phases represented by boxes 10 and 11 are outside the scope of this standard.
NOTE 3 Parts 2 and 3 deal with box 9 (realisation) but they also deal, where relevant, with the programmable electronic
(hardware and software) aspects of boxes 13, 14 and 15.
Figure 3-1 Overall safety lifecycle
FSC Safety Manual

Box 9 in figure 3-1
E/E/PES safety lifecycle
Safety-related
9 systems:
E/E/PES 9.1 E/E/PES safety requirements
Realisation specification
Safety functions Safety integrity
9.1.1 9.1.2
requirements requirements
9.1.1
specification specification
9.2 E/E/PES safety 9.3 E/E/PES design

validation planning and development
9.4 E/E/PES integration 9.5 E/E/PES operation and

maintenance procedures
9.6 E/E/PES
safety validation
One E/E/PES safety
lifecycle for each To box 14
E/E/PE safety-related
system in figure 3-1
To box 12 in figure 3-1
Figure 3-2 E/E/PES safety lifecycle (in realization phase)
Software safety lifecycle
9.1 Software safety requirements

specification
9.1.1 Safety functions 9.1.2 Safety integrity
requirements requirements
E/E/PES specification specification
safety
lifecycle
(see figure 3-1)
9.2 Software safety 9.3 Software design

validation planning and development
9.4 PE integration 9.5 Software operation and

(hardware/software) modification procedures
9.6 Software safety

validation
To box 14
in figure 3-1
To box 12 in figure 3-1
Figure 3-3 Software safety lifecycle (in realization phase)

FSC Safety Manual
Box 9 of overall
safety lifecycle
(see figure 3-1)
9
Safety-related
systems:
E/E/PES
Realisation
E/E/PES Software
safety safety
lifecycle lifecycle
(see figure 3-2) (see figure 3-3)
Figure 3-4 Relationship of overall safety lifecycle to E/E/PES and

software safety lifecycles
Objectives Table 3-1 indicates the objectives to be achieved for all phases of the
overall safety lifecycle (Figure 3-2).
Table 3-1 Overall safety lifecycle overview

Phase Objective Figure
3-1 box
number
Concept To develop a level of understanding of the EUC and its 1

environment (physical, legislative etc.) sufficient to enable
the other safety lifecycle activities to be satisfactorily
carried out.
Overall scope To determine the boundary of the EUC and the EUC 2
definition control system;
To define the scope of the hazard and risk analysis (for
example process hazards, environmental hazards, etc.).
Hazard and risk To identify the hazards and hazardous events of the EUC 3
analysis and the EUC control system (in all modes of operation),
for all reasonably foreseeable circumstances including
fault conditions and misuse;
To identify the event sequences leading to the hazardous
events identified;
To determine the EUC risks associated with the
hazardous events identified.
FSC Safety Manual

Table 3-1 Overall safety lifecycle overview (continued)
Title Objective Figure
3-1 box
number
Overall safety To develop the specification for the overall safety 4

requirements requirements, in terms of the safety functions
requirements and safety integrity requirements, for the
E/E/PE safety-related systems, other technology safety-
related systems and external risk reduction facilities, in
order to achieve the required functional safety.
Safety requirements To allocate the safety functions, contained in the 5

allocation specification for the overall safety requirements (both the
safety functions requirements and the safety integrity
requirements), to the designated E/E/PE safety-related
systems, other technology safety-related systems and
external risk reduction facilities;
To allocate a safety integrity level to each safety function.
Overall operation and To develop a plan for operating and maintaining the 6
maintenance planning E/E/PE safety-related systems, to ensure that the
required functional safety is maintained during operation
and maintenance.
Overall safety To develop a plan to facilitate the overall safety validation 7

validation planning of the E/E/PE safety-related systems.
Overall installation To develop a plan for the installation of the E/E/PE safety- 8
and commissioning related systems in a controlled manner, to ensure the
planning required functional safety is achieved;
To develop a plan for the commissioning of the E/E/PE
safety-related systems in a controlled manner, to ensure
the required functional safety is achieved.
E/E/PE To create E/E/PE safety-related systems conforming to 9

safety-related the specification for the E/E/PES safety requirements
systems: realization (comprising the specification for the E/E/PES safety
functions requirements and the specification for the
E/E/PES safety integrity requirements).
Other technology To create other technology safety-related systems to 10

safety-related meet the safety functions requirements and safety
systems: realization integrity requirements specified for such systems.
External risk reduction To create external risk reduction facilities to meet the 11
facilities: realization safety functions requirements and safety integrity
requirements specified for such facilities.
Overall installation To install the E/E/PE safety-related systems; 12

and commissioning To commission the E/E/PE safety-related systems.
FSC Safety Manual

Table 3-1 Overall safety lifecycle overview (continued)
Title Objective Figure
3-1 box
number
Overall safety To validate that the E/E/PE safety-related systems meet 13

validation the specification for the overall safety requirements in
terms of the overall safety functions requirements and the
overall safety integrity requirements, taking into account the
safety requirements allocation for the E/E/PE safety-related
systems.
Overall operation, To operate, maintain and repair the E/E/PE 14

maintenance and safety-related systems in order that the required functional
repair safety is maintained.
Overall modification To ensure that the functional safety for the E/E/PE 15
and retrofit safety-related systems is appropriate, both during and after
modification and retrofit activities have taken place.
Decommissioning or To ensure that the functional safety for the E/E/PE safety- 16
disposal related systems is appropriate in the circumstances during
and after the process of decommissioning or disposing of
the EUC.
Sequence of The overall safety lifecycle should be used as a basis. The most
phases important item with respect to the FSC system is the sequence of
phases for the safety-related system.
The safety-related system connects to the process units, the control
system and the operator interface. Consequently, the specification of
the safety-related system is made late in the project. However, the first
system that is required during start-up and commissioning is the safety
system to ensure the safe commissioning of the total plant. The result
is always a very tight schedule for the detailed design and production
of the safety-related system, and this requires a system that can be
designed and modified in a flexible way, and if possible is
self-documenting.
The FSC safety system can be programmed during manufacturing and

modified on site via the specification of the safety function (the
functional logic diagrams or FLDs). The application program and
updated application documentation are generated automatically and
are available in a very short period of time.
Section 4 details the design phases with regard to the safety system
(FSC system).
FSC Safety Manual

3.3 Specification of the Safety Class of the Process
Requirement Each production process must be classified with regard to safety. In

classes Germany this classification must be done by the safety department of
the company. Some applications require TÜV approval
(TÜV = Technischer Überwachungsverein). The FSC system can be
used in several architectures depending on the demands with respect
to safety and availability. The table below shows the relation between
FSC architectures and requirement classes and availability degrees,
respectively.
Table 3-2 Relation between FSC architectures and requirement

classes AK1-6, according to DIN V 19250
INCREASED SAFETY
Maximum requirement class (AK)

FSC architectures AK4 (= SIL 2) AK5 (= SIL 3) AK6 (= SIL 3)
INCREASED AVAILABILITY
single Central Part + a a* a*

single I/O (1oo1D, DMR)
redundant Central Parts + a a a
single I/O (1oo2D, QMR)
redundant & single I/O
(1oo2D, QMR)
redundant I/O
(1oo2D, QMR)
* Only possible if a 10020/1/x Quad Processor Module (QPM) is used.
For more information on voting refer to Section 6.
FSC Safety Manual

3.4 Specification of the Instrumentation Related to the Safety
System
Instrumentation The field instruments related to the safety system consist of valves,
related to safety limit switches, high-level and low-level pressure switches,
system temperature switches, flow switches, manual switches, etc. Inputs and
outputs used for safety applications are primarily digital. There is,
however, a strong tendency towards analog I/O.
The instrumentation index generally contains:

• Tag number,
• Description,
• Make,
• Supplier, and
• Setting.
FSC Safety Manual

Connections to The connection to the safety system is specified in the form of a tag
safety system number with a description and termination details. The description
(Service) provides additional information on the tag number and very
often includes information for the signal's "health situation"
(Qualification).
Configuration documents of application: DEMO_1 Date: 08-31-2000 Time: 13:39 Page: 2
Input signal specification
Type Tag number Service Qualification Location Unit Subunit Sheet Safety Force En. Write En. SER En. SER seq. no.
I 53HS-101 LAMPTEST TEST MCP 102 Yes Yes No No -

I 53_HS_101 LAMPTEST "TEST" MCP 104 Yes Yes No No -
I 91XA-651A Door switch Close AH 5000 91UZ-650 0 Yes No No No -
I ACK-PUSHBUTTON PNL 107 Yes Yes No No -
I ACKNOWLEDGE DCS 106 Yes Yes No No -
I AF_Audible ANN 105 No No No No -
I AF_Common_Alarm ANN 105 No No No No -
I ALARM-1 ALARM STATUS DCS 107 Yes Yes No No -
I AUDIBLE ANN 107 No No No No -
I Ack_PushButton PNL 105 Yes Yes No No -
I CENTR.PART-FAULT System marker SYS 0 Yes No No No -
I CLOCK-SYNC FSC-CLOCK-SYNCHRON. CLOCK-SYNC SYS 0 No No No No -
I COMMON ANN 107 No No No No -
I DEVICE-COM.FLT System marker SYS 0 Yes No No No -
I EARTH-LEAKAGE EARTH LEAKAGE PSU'S NO FAILURE CAB 123 Yes Yes No No -
I ENABLE FORCE-ENABLE ENABLE SYS 0 Yes No No No -
I EXT.COMMUNIC.FLT System marker SYS 0 Yes No No No -
I FIRSTUP-ALARM-1 SUBLOCAION-FSC FIRSTUP FLAG DCS 107 Yes Yes No No -
I FIRSTUP-ALARM-2 SUBLOCATION-FSC FIRSTUP FLAG DCS 107 Yes Yes No No -
I FIRSTUP-RESET DCS 106 Yes Yes No No -
I FLASHER-0.5Hz System marker SYS 107 No No No No -
I FLASHER-1Hz System marker SYS 107 No No No No -
I FSC-SYSTEM-FAULT System marker SYS 123 Yes No No No -
I INPUT-FAILURE System marker SYS 122 Yes No No No -
I INT.COMMUNIC.FLT System marker SYS 0 Yes No No No -
I IO-COMPARE System marker SYS 120 Yes No No No -
I IO-FORCED System marker SYS 0 Yes No No No -
I LAMPTEST LAMPTEST TEST PNL 123 Yes Yes No No -
I OUTPUT-FAILURE System marker SYS 0 Yes No No No -
I PSU-1 PSU-1 24VDC NO FAILURE CAB 123 Yes Yes No No -
I RED.INPUT-FAULT System marker SYS 0 Yes No No No -
I RESET FSC-FAULT-RESET RESET SYS 121 Yes No No No -
I RESET-ALARM RESET ALARM RESET CAB 123 Yes Yes No No -
I RESET-PUSHBUTTON PNL 107 Yes Yes No No -
I SENSOR-1 109 Yes Yes No No -
I SENSOR-A1 111 Yes Yes No No -
I SENSOR-B1 112 Yes Yes No No -
I SENSOR-CP1 113 Yes Yes No No -
I SENSOR1 110 Yes Yes No No -
I SENSOR_2 109 Yes Yes No No -
Figure 3-5 Specification of I/O signals for the FSC system
FSC Safety Manual

Process interface The first phase of the safety system specification is the inventory of
the input and output signals, i.e. the process interface.
During this specification stage, certain parameters of the I/O module

must be determined by the design engineer, e.g. type of signal (digital
or analog), safety relevance, fail-safe sensors, type of analog signal,
scaling, etc.
Figure 3-6 Example of hardware specification of analog input for

FSC system
The setting of the I/O parameters determine how the FSC system will
treat the inputs and the outputs. The design engineer specifies the
functionality required. In this way the engineer preferably delegates
the safety control aspects to the main processor of the FSC system.
FSC Safety Manual

3.5 Specification of the Functionality of the Safety System
Basic function of The basic function of the safety system is to control the outputs
safety system (process) according to the predefined logic sequence based on the
current status of the process received via the inputs.
The input and the output signals of a safety system are a mixture of
both digital and analog signals. For digital signals, the relation
between input and output can be established with logical functions
including AND, OR and NOT. This is also possible with analog
signals after they have been verified to be below or above a defined
setpoint. In order to allow certain process conditions to occur or to
continue, time functions are required within the safety system (e.g.
delayed on, delayed off, pulse time). In the FSC system, the above
basic functions have been extended to include a number of other
functions that allow more complex functions such as counters,
calculations, communication, etc.
A communication link to a supervisory control system may be

required for management purposes. This is also specified in this phase
of the overall design.
FSC Safety Manual

Relations between The second phase of the safety system specification is the detailing of
inputs and outputs the relations between inputs and outputs in order to ensure that during
healthy conditions of the input signals the process stays in the
predefined "operational safe status", and to ensure that the process
will be directed into predefined "non-operational safe status" if an
unhealthy process (input) condition occurs.
The relations are determined via functional logic diagrams (see Figure
3-7). The functional logic diagrams are created using the 'Design
FLDs' option of FSC Navigator.
M 53HS-101 3
C LAMPTEST 1
P "TEST" 1
C 53PT-920.H 1 40003
O MAIN LINE = 110 BAR 2 3 53PT-920.H M
M Signal type: W A >
_1 11 HIGH ALARM C
> 1 5 "ALARM" P
3 A D 5
53PT-920 53PRA-920
5 1
MAIN LINE PRESSURE D A MAIN LINE PRESSURE
1 1
102 MAIN LINE PRESSURE

103 1 Signal type: F
3 53PT-920.L M
>1
_ 11 LOW ALARM C
> 1 6 "ALARM" P
C 53PT-920.L 1 40004
O MAIN LINE = 75 BAR 2
M Signal type: W A
53TT-900 3 A D 5 53TR-900
5 1
MAIN LINE TEMP D A MAIN LINE TEMP
2 2
102 MAIN LINE TEMP

103 2 Signal type: F
C 53FT-700.H 1 40001
O MAIN LINE = 75% 2 S 3 53FT-700.H M
M Signal type: W A 0 t >
_1 11 HIGH ALARM C
> 1 1 "ALARM" P
t=30 S
R
MAIN LINE FLOW 101
Signal type: F 102 1
S 3 53FT-700.L M
0 t >1
_ 11 HIGH ALARM C
> 1 2 "ALARM" P
C 53FT-700.L 1 40002 t=30 S
O MAIN LINE = 30% 2 R
M Signal type: W A
E Customer : Honeywell NL33

FUNCTIONAL LOGIC DIAGRAMS
D Principal : HSMS Product Marketing
C UNIT 5300
Plant : Branderijstraat 6
B Tel +31 73-6273273 Date 30-5-1997 By: PM NL33
A 5223 AS 's-Hertogenbosch
Honeywell SMS BV Fax +31 73-6219125
P.O. Box 116
Drawing number:
O 30-5-1997 FIRST ISSUE Req/Ordernr : SPEC & TECH DEMO_1 102 103
5201 AC
Serial Unit
Rev Date Description Chk'd 's-Hertogenbosch Project Sheet Cnt'd
Code Code
Figure 3-7 Example of functional logic diagram (FLD)
FSC Safety Manual

3.6 Approval of Specification
Approval The last step before acceptance of the safety system is the approval of
the specifications made during the phases as described in subsections
3.3 to 3.5. The approved specification is the basis for the use of the
safety system. Since the time for the specification preparation is
generally too short and since the safety system influences all process
units, a large number of revisions (function and termination details)
to the specification may be required.
The phases as described in subsections 3.3 to 3.5 are usually

performed by the customer or an engineering consultant acting on
behalf of the customer. The phases that follow will normally be
performed by the supplier of the safety system (e.g. Honeywell Safety
Management Systems for an FSC safety system).
FSC Safety Manual

Section 4 – Implementation Phases of FSC as a
Safety-Related System
4.1 Overview
Section overview This section describes the implementation phases of FSC as a

safety-related system. It covers the following topics:

4.1 Overview......................................................................................................... 45
4.2 FSC Project Configuration.............................................................................. 46
4.3 System Configuration Parameters.................................................................. 48
4.4 Specification of Input and Output Signals....................................................... 51
4.5 Implementation of the Application Software ................................................... 52
4.6 Verification of an Application .......................................................................... 53
4.7 Verifying an Application in the FSC System ................................................... 55
FSC Safety Manual

Section 4: Implementation Phases of FSC as a Safety-Related System 45
4.2 FSC Project Configuration
FSC Navigator During the specification phases as described in subsections 3.3 to 3.5,
the design engineer is supported by FSC Navigator (see Figure 4-1).
Figure 4-1 Main screen of FSC Navigator
FSC Navigator provides a Windows-based user interface with the FSC

system. It is a powerful tool which supports the user in performing a
number of design and maintenance tasks. FSC Navigator can be used
to:
• configure the FSC system,
• design the application program,
• generate application documentation, and
• monitor the FSC system.
Installation The specification of the hardware module configuration and certain

database system parameters are stored in the installation database.
FSC Safety Manual

46 Section 4: Implementation Phases of FSC as a Safety-Related System
I/O database The specification of the tag numbers with description, hardware
configuration, etc. is stored in the input/output (I/O) database, which
is created and maintained using the 'System Configuration' function
of FSC Navigator. The I/O database is the basis for the design of the
functionality of the safety system using functional logic diagrams
(FLDs). The use of a database that contains information on the I/O
signals to produce a number of different documents has the advantage
that the basic information needs to be updated at one place only.
Furthermore, it allows documentation to be updated in a very short
period of time.
Functional logic The functional logic diagrams (FLDs) define the relationship between
diagrams (FLDs) the inputs and the outputs of the safety system (see Figure 2-14). The
variable-related information entered into the I/O database is added
automatically in the functional logic. FSC Navigator also checks the
consistency of the information if the engineer uses tag numbers that
have not been specified in the I/O database.
The basic functions of FSC Navigator's project configuration features
are presented in Figure 4-2.
dBASE III / IV Symbol library
System Configuration Design Functional Logic Diagrams
FLD no. n
Installation (.INS)
Functional Logic
I/O database
Diagrams (FLDs)
(.DAT, .IXT, .IXP)
FLD no. 1
Print Project Print Functional Translate Application

Configuration Logic Diagrams
Hardware Functional
Configuration Logic FSC Application Program
Listing Diagrams
Figure 4-2 Basic functions of FSC project configuration programs
FSC Safety Manual

4.3 System Configuration Parameters
General The first step in the FSC system configuration stage is the
determination of the FSC system configuration parameters.
The most important parameters are:
• Requirement class,
• Central Part architecture,
• Diagnostic Test Interval,
• Interval time between faults,
• Memory type, and
• Power-on mode.
Each of these parameters is described in more detail below.
Requirement class This parameter specifies the safety requirement class for the overall
according to system. It must be set to the requirement classification of the process
DIN V 19250 parts (loops) with the highest safety demand.
Central Part One of the basic functions of the FSC system architectures is selected
architecture in accordance with the demanded safety and availability (see Table 3-
2) by selecting the architecture of the Central Parts.
Diagnostic test The diagnostic test interval (DTI) is the period in which a self-test of
interval the FSC hardware will be executed.
The process safety time (PST = fault tolerant time of the process) is
the time that a fault may be present in the Safety Instrumented
Function (SIF), without possible danger for an installation or an
environment.
The DTI may differ from the PST and is as default set to 3 seconds.
The maximum allowed DTI can be calculated in the overall SIL
calculation of the SIF. If this cannot be determined it is advised to set
DTI equal to the PST.
Interval time During operation, each Central Part of the FSC system performs
between faults self-tests and also tests the allocated I/O modules.
If a fault is detected during self-testing, the Central Part will report the
failure and take action to guarantee a safe operational result. If
possible, the failure will be isolated and Central Part operation
continues. If continuation of the fail-safe operation cannot be
guaranteed, the Central Part shuts down. Failures of certain failure
FSC Safety Manual

types can be isolated, but safe operation can then only be guaranteed
as long as no additional faults occur, which, in correlation with the
first failure, may lead to unsafe operation. Therefore, when continuing
operation, there is a certain risk that such an additional correlating
fault occurs. The longer the Central Part operates, the larger this risk
becomes. In order to keep the risk within acceptable limits, a time
interval must be defined: the interval time between faults, which
reflects the maximum period of time that the Central Part is allowed to
operate after the first failure has occurred. When the interval time
between faults expires, the Central Part will shut down.
The interval time between faults also defines the maximum time
period allowed for a redundant system to run in single Central Part
mode, in requirement classes AK5 and AK6.
The interval time between faults can be defined between 0 minutes

and 22 days, or it can be completely deactivated. In the last case,
organizational measures must be defined to ensure correct action on
FSC system failure reports.
Memory type The memory type specifies the memory type that is used in the FSC
system. There are three memory types:
• EPROM,
• RAM, or
• FLASH.
The memory type determines how the FSC-related software is
transferred to the FSC system as shown in the table below:
Table 4-1 Memory types

EPROM RAM FLASH
COM software EPROMs EPROMs download**
CPU software (system) EPROMs EPROMs download**
CPU software (application) EPROMs download* download**
* To on-board RAM or additional 1-Mb or 4-Mb memory boards.

** To flash memory (requires suitable hardware modules).
Power-on mode The power-on mode provides the conditions for the start-up of the
FSC system. There are two power-on modes:
• Cold start
A cold-start power-on means that the FSC system starts up with the
values of the variables being reset to their power-on values as laid
down in the variable database.
FSC Safety Manual

• Warm start
A warm-start power-on means that the FSC system starts up with
the values of the variables set to their last process values.
Notes:
1. If the FSC system starts up for the first time, a cold start is
performed.
2. If the FSC system is started up after a shutdown that was
caused by a fault, there will always be a cold start, regardless
of the defined power-on mode.
Important!
Using the warm start option in combination with on-line
modification of the application program may result in
spurious diagnostic messages and Central Part shutdown.
FSC Safety Manual

4.4 Specification of Input and Output Signals
Safety Extensive guidance in respect of safety is provided by FSC Navigator

to ensure that the decisions taken by the engineer are correct. The
FSC Navigator offers a number of criteria to assist in allocating the
I/O signals in the safety system. For example, the system
configuration function of FSC Navigator does not allow multiple
allocation or connection of safety-related signals to non safety-related
(untested) modules.
Input/output signals The specification of input and output signals is partly done during the
specification stage. The information entered in that stage does not
contain any information on the physical allocation of the I/O signal in
the safety system.
The physical allocation can be described as:

• the number of the rack in the cabinet(s),
• the position in the rack, and
• the channel number on an input or output module.
This information can be sorted and presented to the user in several

ways using the 'Print Project Configuration' option of FSC Navigator.
Physical allocation The physical allocation in the FSC system can be related to a number
of criteria including:
• subsystems,
• process units,
• location in the plant,
• type of signal, and
• personal preference.
FSC Safety Manual

4.5 Implementation of the Application Software
Translate The 'Translate Application' option of FSC Navigator (the compiler)

generates the application software based on the functional logic
diagrams (FLDs), the I/O database and the installation database.
Implementation After the application software has been generated, it is transferred to

the FSC system. There are basically two ways to do this:
• Downloading it directly to random access memory (RAM) or flash
memory on the CPU and/or COM module(s) in the FSC cabinet.
This method does not require any modules to be removed from the
rack.
• Programming EPROMs, which are subsequently placed on the
CPU and/or COM module(s) in the FSC cabinet. This method
requires modules to be removed from the rack and re-installed.
The loading method that can be used depends on the CPU and COM
module types in the FSC system. Not all module types support
downloading to (flash) memory. Some require EPROMs to be used.
For details on loading software into the FSC system refer to
Section 10 of the FSC Software Manual ("Loading Software").
FSC Safety Manual

4.6 Verification of an Application
Introduction Throughout the design of the application, several verification steps

must be accomplished to guarantee that the final application software
in the FSC system meets the safety requirements of the process.
I/O signal The Print option of FSC Navigator allows the user to create hardcopy
configuration of the I/O signal configuration as stored in the application database.
The hardcopy must be reviewed to verify that the signal configuration
represents the originally defined configuration.
This review may be concentrated on the safety-related configuration
items, e.g. signal safety-related, force enable, hardware allocation and
power-on value.
This activity covers the following aspects:

• data entry by the design engineer,
• operation of the 'System Configuration' option of FSC Navigator,
and
• operation of the user station hardware.
Depending on local legislation, the I/O signal configuration may need

to be approved by an independent certification body, e.g. TÜV.
Functional logic The Print option of FSC Navigator also allows the user to create
diagrams (FLDs) hardcopy of the functional logic diagrams as stored in the application
database. The hardcopy must be reviewed to verify that the functional
logic diagrams represent the intended application program.
The activity covers the following aspects:

• data entry by the design engineer,
• operation of the 'Design FLDs' option of FSC Navigator, and
• operation of the FSC user station hardware.
Depending on local legislation, the functional logic diagrams may

need to be approved by an independent certification body, e.g. TÜV.
FSC Safety Manual

Application After the application has been successfully translated and the
software application software has been transferred to the FSC system, the
customer will verify the correct operation of the application software
via a functional test which is carried out during the Factory
Acceptance Test (FAT), the start-up and commissioning stage.
The customer then verifies if the original requirements have been

correctly implemented in the I/O signal configuration, the system
configuration and the functional logic diagrams.
The major part of this step is carried out using the 'Verify Application'
option of FSC Navigator. FSC Navigator uploads the application
software from the FSC system and verifies if it is "identical" to the
information contained in the application database on the hard disk of
the FSC user station (Figure 4-3). Subsection 4.7 describes this step in
more detail.
The following aspects are covered:

• operation of the 'Translate Application' option of FSC Navigator,
and
• operation of the 'Program EPROMs' option and/or the 'Download
Application' option of FSC Navigator.
Finally, the assessor may carry out a sample functional test with
respect to the safety-related functions in the application software.
Installation (.INS)
I/O database
(.DAT, .IXT, .IXP)
Verify + Compare
FSC Navigator
RS-232C
RS-485
FSC System
CPU, COM COM module

Functional Logic
Diagrams (FLDs)
Figure 4-3 Verification of the application software
FSC Safety Manual

4.7 Verifying an Application in the FSC System
Introduction The 'Verify Application' option of FSC Navigator performs the

verification in two main steps:
1. Verification of the FSC databases, and
2. Verification of the functional logic diagrams.
Both steps will be described briefly. For more information, refer to

Section 11 of the FSC Software Manual ("Verifying an Application").
FSC database The 'Verify Application' option of FSC Navigator compares the
information in the FSC database (as stored on the FSC user station)
with the application software in the FSC system. Any differences
between the FSC database and the FSC application software are
reported on screen and in the log file. The log file can be inspected
using the 'View Log' option of FSC Navigator (see Figure 4-4)
Figure 4-4 Verification log file
FSC Safety Manual

If any differences are detected in a field that affects related
information, this field is reported. For this reason, when you decide to
correct the difference and verify the application for a second time,
additional differences may be reported. For example, if differences are
detected in the characteristics of a specific communication channel
(protocol, interface, baud rate, etc.), only the protocol is reported.
Verification of the FSC database is performed once for every Central
Part of the FSC configuration.
Functional logic After having verified the contents of the FSC databases, FSC
diagrams (FLDs) Navigator also verifies the functional logic diagrams (FLDs) that
make up the application. Any differences found will be displayed on
screen and recorded into the log file.
Note:
If you perform an on-line upgrade to a new FSC Release from
an older release, sheet differences may be reported for all
functional logic diagrams (FLDs) that contain mathematical
routines, PIDs and/or equation blocks, even though no
modifications were implemented. This is normal behavior.
When FSC Releases evolved the internal addressing schemes
are modified occasionally. This will causes the above sheet
differences to be reported. Check the Release note of the FSC
Release that you are upgrading the FSC system(s) to for exact
details.
Test data Due to the importance of the results of the verifications, correct
execution of the 'Verify Application' option of FSC Navigator must
be guaranteed.
This is realized by including test data in each application. The test
data is automatically generated whenever a new application is created
or when an old application is converted to a newer FSC release. When
the application software is generated by the compiler, the test data is
modified. During verification, these differences will then be
recognized and logged. That is why the verification log file will
always report a number of differences. This log file can be shown on
screen or printed (see the sample report on the next page).
It must always be verified that the expected differences are actually
present in the log file.
FSC Safety Manual

Note:
In the error report, the address field of the test variable
VRF.TEST.RECORD may differ with respect to the indicated
addresses contained in the database and the FSC system. The
actual addresses depend on the application.
FSC Safety Manual

Verification log file: DEMO_1 Date: 08-30-2000 Time: 19:10
CRC-32 of application software on CPU in CP 1 : $05E669D6
================================================================================
VERIFICATION OF FSC DATABASE IN FSC SYSTEM
================================================================================
Start of FSC database verification: Date: 08-30-2000 Time: 19:10
NOTE: For all central parts, a total of 5 differences should be reported

with regard to marker variable VRF.TEST.RECORD. These differences
must be reported in order to prove the integrity of the FSC
user station hardware during verification of the FSC database.
>>> CENTRAL PART 1 <<<
ERROR: Mismatching field(s) in regenerated variables database:
Type / Tag number Field Database FSC system
M VRF.TEST.RECORD Safety related Yes No

M VRF.TEST.RECORD Force enable No Yes
M VRF.TEST.RECORD Write enable No Yes
M VRF.TEST.RECORD Power up status On Off
M VRF.TEST.RECORD Address 16 17
Number of errors during verification of FSC database in CP 1 : 5
================================================================================
VERIFICATION OF FUNCTIONAL LOGICS IN FSC SYSTEM
================================================================================
Start of functional logic diagram verification: Date: 08-30-2000 Time: 19:10
NOTE: For all central parts, a total of 4 differences should be reported

with regard to the functional logic on FLD 0. These differences
must be reported in order to prove the integrity of the FSC
user station hardware during verification of the functional logics.
>>> CENTRAL PART 1 <<<
ERROR: Regenerated symbol INVERTER not found on FLD 0
ERROR: Regenerated symbol OR GATE not found on FLD 0
ERROR: Symbol AND GATE on FLD 0 has not been regenerated.
ERROR: Symbol INVERTER on FLD 0 has not been regenerated.
Number of errors during verification of functional logics in CP 1 : 4
================================================================================
TOTALS
================================================================================
Total number of errors found during verification : 9
NOTE: All differences with regard to marker variable VRF.TEST.RECORD

and with regard to the functional logic on FLD 0 are reported
to ensure data integrity of the FSC user station.
For details refer to the FSC Safety Manual.
Verification of application completed. Date: 08-30-2000 Time: 19:10
Figure 4-5 Sample verification report
FSC Safety Manual

Section 5 – Special Functions in the FSC System
5.1 Overview
Section This section describes the special functions in the FSC system. It
covers the following topics:

5.1 Overview......................................................................................................... 59
5.2 Forcing of I/O Signals ..................................................................................... 60
5.3 Communication with Process Control Systems (DCS / ICS).......................... 63
5.4 FSC Networks................................................................................................. 65
5.5 On-Line Modification....................................................................................... 70
5.6 Safety-Related Non Fail-Safe inputs .............................................................. 72
Summary The FSC system is a safety system which has a number of special
functions. These functions are:
• Forcing of I/O signals (maintenance override),
• Communication with process control systems,
• Safety-related communication between FSC systems,
• On-line modification, and
• Safety-related non fail-safe inputs.
Each of these functions is described in more detail below.
FSC Safety Manual

Section 5: Special Functions in the FSC System 59
5.2 Forcing of I/O Signals
General For maintenance or test reasons, it may be required to force an input

or an output to a certain fixed state, e.g. when exchanging a defective
input sensor. This allows the sensor to be replaced without affecting
the continuity of production. While repairing the sensor, the
respective input can be forced to its operational state. Forcing
introduces a potentially dangerous situation as the corresponding
process variable could go to the unsafe state while the force is active.
Force
enable
COM CPU input
Input
module module
A
I/O database
(.DAT, .IXT, .IXP) Output
Force
user station with FSC Navigator B enable
table
Figure 5-1 Forcing sequence
Enabling Table 5-1 shows the procedure to include forcing in the FSC system
(See also Figure 5-1):
Table 5-1 Procedure to enable forcing

Step Action
1 Define the signals that possibly require forcing during operation.
2 Use the 'System Configuration' option of FSC Navigator to set the

force enable flag to 'Yes'.
3 Define the tag number and hardware allocation for the Force
Enable key switch.
4 Translate, program EPROMs or download, test, etc.
FSC Safety Manual

60 Section 5: Special Functions in the FSC System
Setting I/O signals can only be forced using the Process Status Monitoring
and I/O Signal Status features of FSC Navigator. Forcing is only
allowed if the correct password is entered when selecting the force
option.
The status of the force enable flag is also stored in the application
tables in the FSC system. This has been done in such a way that a
change of the force enable flag in the I/O database after translation
does not allow forcing of the corresponding variable without reloading
the application software.
Forces may be set high, low or on a specific value as required. Table

5-2 shows the procedure of how to use forcing.
Table 5-2 Procedure to force a variable

Step Action
1 Activate the Force Enable key switch after approval by the

responsible maintenance manager.
2 Use the 'Monitor System' option of FSC Navigator to select the

variable that needs to be forced.
3 Select the status or value that the variable should be forced to

and activate the force.
Notes:
1. If the Force Enable key switch is deactivated, all forces are
cleared.
2. All force actions are included in the SER report for
review/historical purposes.
3. All forced signals are reported in “List forces”
4. For details on forcing signals refer to Section 12 of the FSC
Software Manual ("On-Line Environment").
Checks FSC Navigator and the FSC system carry out the following checks
before the force is actually executed:
1. FSC Navigator checks if the password is activated.
2. FSC Navigator checks if the Force Enable key switch is activated.
3. FSC Navigator checks if the force enable flag in the application
database is set to 'Yes'.
4. The FSC system checks if the Force Enable key switch is
activated.
FSC Safety Manual

5. The FSC system checks if the force enable flag in the application
tables is set to 'Yes'.
The FSC system continuously checks the Force Enable key switch and
clears all forces immediately as soon as the Force Enable key switch is
deactivated.
IO-FORCED If a force command is accepted for an input or an output, the system

system variable variable IO-FORCED is cleared, which can be used as an
alarm/indication to operation.
On any subsequent force, the IO-FORCED marker will become high
for one application program cycle and then become low again. When
all forces are cleared, IO-FORCED becomes high again.
If one or more forces are activated, the IO-FORCED system marker is

reset (see Section 6).
References Specific TÜV requirements with the regard to forcing are described
in a document by TÜV Bayern Sachsen e.V. and TÜV Rheinland
entitled Maintenance override. This document is available on request;
please contact the HSMS Marketing department (tel.: +31 73-
6273273, fax: +31 73-6219125, e-mail: [email protected]).
All FSC architectures meet the requirements specified in the above
document.
FSC Safety Manual

5.3 Communication with Process Control Systems (DCS / ICS)
Exchanging The FSC system can be used to exchange process data with a process
process data control system or a man machine interface (PC).
This data is represented in the functional logic diagrams (FLDs) as I/O
symbols with location 'COM'. The variables with location 'COM' may
only be used for non safety-related functions. The 'System
Configuration' option of FSC Navigator sets the safety relation flag of
these signals to 'No' (FALSE) and does not allow this flag to be
changed. The safety relation of variables can be checked using the
listing that is produced with the 'Print Project Configuration' option of
FSC Navigator. Figure 5-2 below shows an example of such an input
signal specification.
Configuration documents of application: DEMO_1 Date: 08-31-2000 Time: 13:39 Page: 2
Input signal specification
Type Tag number Service Qualification Location Unit Subunit Sheet Safety Force En. Write En. SER En. SER seq. no.
I 53HS-101 LAMPTEST TEST MCP 102 Yes Yes No No -

I 53_HS_101 LAMPTEST "TEST" MCP 104 Yes Yes No No -
I 91XA-651A Door switch Close AH 5000 91UZ-650 0 Yes No No No -
I ACK-PUSHBUTTON PNL 107 Yes Yes No No -
I ACKNOWLEDGE DCS 106 Yes Yes No No -
I AF_Audible ANN 105 No No No No -
I AF_Common_Alarm ANN 105 No No No No -
I AUDIBLE ANN 107 No No No No -
I Ack_PushButton PNL 105 Yes Yes No No -
I CENTR.PART-FAULT System marker SYS 0 Yes No No No -
I CLOCK-SYNC FSC-CLOCK-SYNCHRON. CLOCK-SYNC SYS 0 No No No No -
I COMMON ANN 107 No No No No -
I DEVICE-COM.FLT System marker SYS 0 Yes No No No -
I EARTH-LEAKAGE EARTH LEAKAGE PSU'S NO FAILURE CAB 123 Yes Yes No No -
I ENABLE FORCE-ENABLE ENABLE SYS 0 Yes No No No -
I EXT.COMMUNIC.FLT System marker SYS 0 Yes No No No -
I FIRSTUP-ALARM-1 SUBLOCAION-FSC FIRSTUP FLAG DCS 107 Yes Yes No No -
I FIRSTUP-ALARM-2 SUBLOCATION-FSC FIRSTUP FLAG DCS 107 Yes Yes No No -
I FIRSTUP-RESET DCS 106 Yes Yes No No -
I FLASHER-0.5Hz System marker SYS 107 No No No No -
I FSC-SYSTEM-FAULT System marker SYS 123 Yes No No No -
I INPUT-FAILURE System marker SYS 122 Yes No No No -
I INT.COMMUNIC.FLT System marker SYS 0 Yes No No No -
I IO-COMPARE System marker SYS 120 Yes No No No -
I IO-FORCED System marker SYS 0 Yes No No No -
I LAMPTEST LAMPTEST TEST PNL 123 Yes Yes No No -
I OUTPUT-FAILURE System marker SYS 0 Yes No No No -
I RED.INPUT-FAULT System marker SYS 0 Yes No No No -
I RESET FSC-FAULT-RESET RESET SYS 121 Yes No No No -
I RESET-ALARM RESET ALARM RESET CAB 123 Yes Yes No No -
I RESET-PUSHBUTTON PNL 107 Yes Yes No No -
I SENSOR-1 109 Yes Yes No No -
I SENSOR_2 109 Yes Yes No No -
Figure 5-2 Example of a printout of engineering documents
FSC Safety Manual

Protocols The following communication protocols are used for communication
with process control systems and computer equipment running
visualization programs:
• TPS network protocol,
• Ethernet protocol (for Experion PKS and PlantScape),
• Modbus RTU and Modbus H&B protocol,
• RKE3964R protocol, and
• FSC-DS protocol.
For details on these communication protocols refer to Appendix F of

the FSC Software Manual ("Communication").
FSC Safety Manual

5.4 FSC Networks
Networks FSC systems may be interconnected to form a safety-related

communication network (see Figure 5-3).
FSC system
1 FSC system
1
FSC system
2
FSC system FSC system FSC system FSC system

3 2 3 4
Point to point (PtP) Multidrop (MD)
Figure 5-3 Examples of FSC communication networks
FSC networks can be used to allow multiple FSC systems to exchange

data in order to perform a joint task. Another possibility is gathering
of sequence-of-event (SOE) data of multiple FSC systems at a single
point in the network.
Master/slave Within the network, systems may be connected in pairs

(point-to-point) (see Figure 5-3, left), or multiple systems may be
connected to the same link (multidrop) (see Figure 5-3, right).
For every communication link, one FSC system operates as a master

and the other systems operate as a slave. The master sends data to the
slave and initiates a request for data from the slave. The slave sends
data after receipt of the data request from the master. Data integrity is
ensured by using the same protocol and surveillance mechanisms as
used for communication between Central Parts in redundant FSC
architectures.
FSC Safety Manual

More than one slave may be connected to one master. One slave may
have multiple masters (see
Figure 5-4).
All FSC systems within the FSC network must have a unique system
number.
MASTER MASTER
FSC system 1 FSC system 2
SLAVE SLAVE SLAVE SLAVE SLAVE
FSC system 3 FSC system 4 FSC system 5 FSC system 6 FSC system 7
Figure 5-4 FSC master/slave interconnection
Data that is used for communication between FSC systems is

represented in the function logic diagrams as I/O symbols with the
location 'FSC'. Variables with location 'FSC' can be of type I, O
(markers), BI or BO (registers), and may be configured for both
safety-related and non safety-related functions.
Redundant For redundant systems, redundant FSC links must be used (see Figure
communication 5-5). This results in a single-fault-tolerant communication network.
FSC system 1 FSC system 2
e.g. e.g.
Redundant CP + Redundant CP +
Redundant I/O Redundant I/O
CP1 CP1
CP2 CP2
Figure 5-5 Redundant FSC communication link
FSC Safety Manual

Response time The response time depends on the application program cycle time of
the systems and the type of the communication link.
Point-to-point The response time is the sum of the application program cycle times
of the master and slave system. The result will always be less than 5
second. This is represented in the following formula:
Tresp = Tam + Tas
Where: Tam = Master application program cycle time.

Tas = Slave application program cycle time.
Note:
Point-to-point links running at baud rates lower than 125 kbaud
are treated as multidrop links.
Multidrop The maximum response time is the sum of the application program
cycle times of the master and the slave system plus the total
communication time needed to serve all systems connected to the
multidrop network. This is represented in the following formula:
63
Tresp = Tam + Tas + Σ 2∗(F1 + 2∗Tr) + (F2 + 8∗Tr) (Mbs + Rbs + 1) +

S=1
F3 ∗ (Mcs + Rcs) + (F2 + 2∗Tr)
Where:
Tam = Master application program cycle time.
Tas = Slave application program cycle time.
Tr = Transmission delay in the physical communication
network (0 for direct cable connections < 1 km).
F1, F2, F3 = Performance factors (in ms), depending on the baud rate
(see table below)
Table 5-3 Performance factors

Baud rate Performance factors
9K6: F1 = 80 F2 = 80 F3 = 37
19K2: F1 = 43 F2 = 43 F3 = 18.4
38K4: F1 = 25 F2 = 25 F3 = 9.2
50K / 57K6: F1 = 21 F2 = 21 F3 = 7
115K2 / 125K: F1 = 15 F2 = 14 F3 = 3
1M: F1 = 9 F2 = 15 F3 = 0
2M: F1 = 8 F2 = 11 F3 = 0
FSC Safety Manual

Notes:
1) With both redundant links operational, a typical value of F1,
F2 and F3 is half the maximum value.
2) Tr, F1, F2 and F3 are 0 if the system number is not used as a
system number for a slave system.
Mbs, Rbs = The number of data blocks to be sent.

Mbs (Rbs) is the number of 256-byte blocks configured for
transfer of Marker (Register) data from the slave system to
the master system or vice versa. If the number of bytes is
not an exact multiple of 256 bytes, an extra block must be
allocated, for example:
1. A slave sends 48 bytes of marker data and 400 bytes of
register data to the master system.
In this situation, Mbs = 1 and Rbs = 2.
2. A master sends 256 bytes of marker data to the slave
system. No register data is sent.
In this situation, Mbs = 1 and Rbs = 0.
Mcs, Rcs = The number of data bytes to be sent.
Mcs (Rcs) is the number of 16-byte blocks configured for
transfer of Marker (Register) data from the slave system to
the master system or vice versa. If the number of bytes is
not an exact multiple of 16 bytes, an extra block must be
allocated.
Multiple masters Consider the network configuration as shown in Figure 5-6 below.
in FSC network A communication server has been connected point-to-point to three
masters, and acts as a slave to each of them. There is a multidrop
connection from the communication server to five slaves. For each
slave, a connection has been configured to each master.
Master 1 Master 2 Master 3
Point to point
Comm
server
Multidrop
Slave 1 Slave 2 Slave 3 Slave 4 Slave 5
Figure 5-6 Response time in network with multiple masters
FSC Safety Manual

To calculate the response time in such a network configuration, you
need to add the response times of all slaves for all masters. In Figure
5-6 above, this means that you need to multiply the response time of
each slave by 3 (providing all communication blocks are equal). In
situations like these, you may need to increase the FSC-FSC
communication timeout in order to be able to communicate all
information (especially at baud rates lower than 1 Mbaud).
Note:
During Translation of the application the timing settings of the
FSC-FSC network are checked on the master application. The
translate function reports a warning when timing is found
critical and an error when it is found overloaded.
Timeout time All systems within the network monitor the operation of the
communication link by means of timeouts.
The timeout depends on the system function and the type of the
communication link (see Table 5-4).
Table 5-4 FSC-FSC communication timeout

Link type System Timeout
Response of the slave is expected
Master within the same application program
Point to point cycle.
Slave 1 second
Configured communication timeout
Master (refer to Section 4 of the FSC
Software Manual).
Multidrop
2x configured communication timeout
Slave time (refer to Section 4 of the FSC
Software Manual).
Note:
If communication fails via all links, the safety-related variables I
and BI of location 'FSC' that are allocated to the system
connected to the link are set to 0. The non safety-related
variables are frozen at their last received state.
FSC Safety Manual

5.5 On-Line Modification
Introduction On-line modification (OLM) is an FSC system option which allows

you to modify the application software, system software and the FSC
hardware configuration of redundant systems while the system
remains operational.
During on-line modification, the changes are upgraded in one Central
Part at a time. Meanwhile, the other Central Part can continue
safeguarding the process.
Compatibility check During the upgrade, the FSC system performs a compatibility check
across the application-related data, in order to guarantee a safe
changeover from the old software to the new software. The system
reports the FLD numbers of the functional logic diagrams that have
changed (see Figure 5-7). This allows easy verification of the
implemented modifications.
Figure 5-7 Sheet differences
FSC Safety Manual

Using the on-line modification option of the FSC system, changes in
the functional logic diagrams (FLDs), the FSC system architecture and
the system software can be implemented in the system without the
need for a plant shutdown.
For details on on-line modification, refer to Appendix D of the FSC
Software Manual ("On-Line Modification").
When modifications in the application are implemented, only a

functional logic test of the modified functions is required by, for
example, TÜV, when the final verification of the implemented
changes is obtained via the sheet difference report of the FSC system
and the 'Verify Application' option of FSC Navigator.
Notes:
1. If you perform an on-line upgrade to a new FSC Release
from an older release, sheet differences may be reported for
all functional logic diagrams (FLDs) that contain
mathematical routines, PIDs and/or equation blocks, even
though no modifications were implemented. This is normal
behavior.
When FSC Releases evolved the internal addressing
schemes are modified occasionally. This will causes the
above sheet differences to be reported. Check the Release
note of the FSC Release that you are upgrading the FSC
system(s) to for exact details.
2. If a function block is changed, a difference will be reported
for all functional logic diagrams that use this function block.
During on-line modification, the 'Verify Application' option
of FSC Navigator may be used to log all revision
information. For more information, refer to Section 11 of the
FSC Software Manual ("Verifying an Application").
FSC networks If a system has been integrated into an FSC communication network,
it performs a compatibility check for all connected systems.
If inconsistencies are detected or if the check for a specific system

cannot be completed for any other reason, an error message is
generated in the extended diagnostics. In case of such an error, no data
will be exchanged with the system after start-up. The communication
can only be re-established after successful completion of the
compatibility check by any of the systems that communicate with each
other, initiated via a CPU reset.
FSC Safety Manual

5.6 Safety-Related Non Fail-Safe inputs
Introduction Safety-related inputs require the use of fail-safe input module (e.g.
10101/2/1 for digital inputs and 10105/2/1 for analog inputs). In
addition, it is also required that fail-safe input devices are used (e.g.
sensors, switches and transmitters). If the input device is not fail-safe,
then redundant sensors (transmitters) and redundant inputs are
required.
Depending on the number of sensors and the FSC architecture applied,
the system offers a variety of "sensor redundancy configurations".
Figure 5-8 shows an example of redundancy type 2oo2, which can be

used for VBD functions with redundant I/O.
Figure 5-8 Configuration of a redundant input
FSC Safety Manual

Digital inputs To check the safety capability of the sensors, they must switch within
a certain time interval specified in the configured maximum on time,
which can be set in the range of 1 second to 2047 minutes.
If the maximum on-time is exceeded, the resulting sensor status is
executed as 'unhealthy'. To detect if all inputs execute the
switch-defined function, an extra timer is added: the maximum
discrepancy timer. If the maximum on timer or the maximum
discrepancy timer expires, a redundant input fault (system alarm
marker) and a sensor fault alarm are generated.
Note:
The maximum on time may also be deactivated. In that case
organizational procedures must exist that ensure periodical
testing of the sensors.
SENSOR-1 3
3
12
&
SENSOR_2 3 4 SENSOR-
3 S & 15 STATUS
11 t 0 6
t=6 min
R
Maximum On time
4 SENSOR_
S >
_1 15 FAULT
t 0 5 "NO FAULT"
=1
t=10 s
R
Maximum discrepancy time
Figure 5-9 Example of functionality of a redundant

digital input function
FSC Safety Manual

Analog inputs For analog inputs, the system monitors if the difference between the
transmitter values does not exceed a predefined value. The maximum
allowable difference is specified in the maximum discrepancy value.
If the difference between the transmitter values exceeds the
maximum value, a redundant input fault (system alarm marker) and
transmitter fault alarm are generated.
The safety-related redundant input configurations are described in

detail in Appendix C of the FSC Software Manual ("Safety-Related
Inputs with Non Fail-Safe Sensors").
FSC Safety Manual

Section 6 – FSC System Fault Detection and Response
Section overview This section describes how the FSC detects system faults and how it
responds to them. It covers the following topics:

6.2 Voting.............................................................................................................. 77
6.3 FSC Diagnostic Inputs .................................................................................... 79
6.4 FSC Alarm Markers ........................................................................................ 82
6.4.1 Input Fault Detection....................................................................................... 84
6.4.2 Transmitter Fault Detection ............................................................................ 86
6.4.3 Redundant Input Fault Detection.................................................................... 87
6.4.4 Output Fault Detection.................................................................................... 88
6.4.5 I/O Compare Error Detection.......................................................................... 91
6.4.6 Central Part Fault Detection ........................................................................... 96
6.4.7 Internal Communication Error......................................................................... 97
6.4.8 FSC-FSC Communication Fault Detection..................................................... 98
6.4.9 Device Communication Fault Detection ......................................................... 99
6.4.10 Temperature Alarm....................................................................................... 100
6.5 Calculation Errors ......................................................................................... 101
Introduction Progressive test software and the use of dedicated hardware allow the
FSC system to detect a number of faults in the field instrumentation
and all predefined faults according to the FMEA model applied
within the FSC system itself, and to provide adequate diagnostics on
any detected fault. As a result, the system is able to respond as a fail-
safe system in accordance with its specifications as projected during
the safety specification stage.
Apart from safety, the FSC system fault detection and response
strategy also provides optimum availability. As the system is able to
locate faults accurately, the faulty part can be isolated from the
process to obtain a safe process state while minimizing the effect on
the remaining process parts.
FSC Safety Manual

Section 6: FSC System Fault Detection and Response 75
Detected faults are reported via extended diagnostics of the FSC
system, via channel-specific diagnostic markers and via system alarm
markers. The diagnostic and alarm markers can be used in the
application software, e.g. to generate an operator alarm or to be passed
to a control system for further processing.
This section describes the behavior of the FSC system in case of faults
and how alarms can be used within the application.
FSC Safety Manual

76 Section 6: FSC System Fault Detection and Response
6.2 Voting
Voting The FSC system is available in single and redundant mode, both for
Central Part and I/O, in several combinations.
For details on the various FSC architectures refer to Section 2.
If the Central Part and I/O are operating in single architectures, it is
obvious what will happen in case a fault is detected: the Central Part
or I/O will go to the safe (i.e. non-operational) state. For redundant
Central Parts and/or I/O, this is less obvious, and users may want to
define the system response in case a fault is detected in one part of the
redundant components. This is the reason that voting has been
incorporated into the system, which allows the users to optimize the
system response to his safety needs.
Single components For all single components in the FSC system, two voting schemes are
available depending on the hardware that is being used. The table
below lists the various options.
Table 6-1 Voting schemes for single FSC components

Voting scheme Used for hardware modules... Fault results in...
1oo1D Diagnostics capabilities Switch-off
(e.g. 10101/./. digital input modules)
1oo1 Without diagnostic capabilities Incorrect
(e.g. 10206/./. digital output modules) operation or
switch-off
The default voting scheme for single Central Parts is 1oo1D for
processor modules 100x2/./. and DMR for process modules 10020/./..
Redundant Redundant components have more voting schemes to choose from,

components depending on the hardware that is being used and on the primary
action in case a fault is detected: switch-off or continue. Table 6-2
and
Table 6-3 on the next page list the various options.
FSC Safety Manual

Table 6-2 Voting schemes for redundant components
Hardware
Primary action at fault Fail-safe Non fail-safe
Safety (switch-off) 1oo2D/ 2oo4D 1oo2
Availability (continue) 2oo2D 2oo2
The default voting scheme for redundant Central Parts is 1oo2D for
processor modules 100x2/./. and 2oo4D (QMR) for processor modules
10020/./..
Table 6-3 Explanation of redundancy voting schemes

Voting Used for hardware Primary action Response to faults
scheme modules... directed at...
1oo2 Without diagnostics Safety The first fault may result in switch-off as
capabilities (switch-off) the faulty module may overrule the
(e.g. 10206/./. digital output correct one.
modules)
2oo2 Without diagnostics Availability The first fault may result in incorrect
capabilities (continue) operation as the faulty module may
(e.g. 10206/./. digital output overrule the correct one.
modules)
1oo2D With diagnostics capabilities Safety For detected faults, operation continues
(e.g. 10101/./. digital input (switch-off) as desired. A fault that cannot be
modules) detected by the diagnostics (probability
= 1 – diagnostic coverage) may result in
switch-off as the faulty module may
overrule the correct one.
2oo2D With diagnostics capabilities Availability For detected faults, operation continues
(e.g. 10101/./. digital input (continue) as desired. A fault that cannot be
modules) detected by the diagnostics (probability
= 1 – diagnostic coverage) may result in
incorrect operation as the faulty module
may overrule the correct one.
2oo4D With diagnostics capabilities Safety + For detected faults and the first fault,
(e.g. 10105/./. analog input availability operation continues as desired. The first
modules or 10106/./. digital fault that cannot be detected by the
input with line monitoring or diagnostics (probability = 1 –
safety-related digital output diagnostics coverage of single leg) will
modules). result in safe operation due to the 1oo2
voting.
FSC Safety Manual

6.3 FSC Diagnostic Inputs
General Apart from the alarm markers, a variety of diagnostic inputs are
available. There are basically two types of diagnostic inputs:
• Diagnostic inputs related to channel status.
These indicate the diagnostic status of a specific I/O channel
allocated to an FSC fail-safe I/O module (see Table 6-4).
• Diagnostic inputs related to loop status.
These indicate the diagnostic status of a process loop in the field
(see Table 6-5).
The diagnostic inputs can be used in the functional logic diagrams.
Diagnostic inputs Table 6-4 below provides an overview of the available channel status
(channel status) diagnostic inputs and the I/O modules for which they exist.
Table 6-4 Diagnostic inputs (channel status)

Type I/O module
I/O type I 10101/1/1, 10101/1/2, 10101/1/3, 10101/2/1,
10101/2/2, 10101/2/3, 10106/2/1, SDI-1624,
SDI-1648, SDIL-1608
I/O type O 10201/1/1, 10201/2/1, 10212/1/1, 10213/1/1,
10213/1/2, 10213/1/3, 10213/2/1, 10213/2/2,
10213/2/3, 10214/1/2, 10215/1/1, 10215/2/1,
10216/1/1, 10216/2/1, 10216/2/3, SDO-0824,
SDO-0448, SDO-04110, SDO-0424, SDOL-
0424, SDOL-0448
I/O type AI 10102/1/1, 10102/1/2, 10102/2/1, 10105/2/1,
SAI-0410, SAI-1620m
I/O type AO 10205/1/1, 10205/2/1, SAO-0220m
WD ../../.. 10201/1/1, 10201/2/1, 10212/1/1, 10213/1/1,
10213/1/2, 10213/1/3, 10213/2/1, 10213/2/2,
10213/2/3, 10214/1/2, 10215/1/1, 10215/2/1,
10216/1/1, 10216/2/1, 10216/2/3, SDO-0824,
SDO-0448, SDO-04110, SDO-0424, SDOL-
0424, SDOL-0448
System response The system response is as follows:

I/O type .. If the channel status is healthy, its diagnostic input is high. If a fault
is detected for the channel, the diagnostic input becomes low. The
status of the diagnostic inputs does not depend on the safety relation
of the channel.
FSC Safety Manual

The markers of the variables that are allocated to the affected module
channel are set to faulty as soon as one Central Part detects a channel
fault.
WD ../../.. This signal is normally '1'. It will be set to LOW if the watchdog
signal of the group to which this channel belongs is set to '0'.
Diagnostic inputs Table 6-5 below provides an overview of the available loop status
(loop status) diagnostic inputs and the I/O modules for which they exist.
Table 6-5 Diagnostic inputs (loop status)

Type I/O module
SensAI 10102/1/1, 10102/1/2, 10102/2/1, 10105/2/1,
SAI-0410, SAI-1620m transmitter status
LoopI 10106/2/1, SDIL-1608 loop status
LoopO 10214/1/2, 10216/1/1, 10216/2/1, 10216/2/3,
SDOL-0424, SDOL-0448 loop status
VM ../../.. 10105/2/1, SAI-1620m Voltage Monitoring
FTA
EFM ../../.. 10106/2/1, SDIL-1608 Earth Fault
System response The system response is as follows:

SensAI Redundant and Single I/O:
The SensAI marker is set to faulty when both Central Parts detect a
sensor fault.
LoopI Redundant and Single I/O:
The LoopI marker is set to faulty when both Central Parts detect a
sensor fault.
LoopO Redundant and Single I/O:
The LoopO marker is set to faulty when both Central Parts detect a
sensor fault.
VM ../../17 The voltage Monitoring (VM) signal is available for the 10105/2/1
and the SAI-1620m modules only and is actually the 17th input
channel of the module. It represents the voltage level at the FTA-T-
14, FS-TSAI-1620m or FS-TSHART-1620m modules, with an
engineering range and units of 0-40 Vdc. Normally the signal will be
between 25 Vdc and 30 Vdc. If one power connection is failing, the
signal will be half of this value, when both are failing, the signal will
be 0 Vdc.
EFM ../../17 The Earth Fault Monitoring (EFM) signal is available only for
10106/2/1 and SDIL-1608 modules and is normally set to '1'. The
EFM signal is referred to as the 17th channel of the module, and can
FSC Safety Manual

be enabled or disabled per module.
The earth fault monitor on the 10106/2/1 and SDIL-1608 module

detects 2 items:
1. A connection between any of the input wires and earth (for
sensors without earth connection)
2. A loss of connection between the VDC power supply and earth
(for sensors with earth connection)
When either one is detected, the signal will be set to ‘LOW’
FSC Safety Manual

6.4 FSC Alarm Markers
Function of The FSC system uses a number of alarm markers to indicate the
alarm markers occurrence of abnormal system situations. The following alarm
markers are used:
Table 6-6 FSC alarm markers

Alarm marker Description
CENTR.PART-FAULT Fault detected within a Central Part.
DEVICE-COM.FLT Communication with a connected device (e.g. a DCS) is

faulty.
EXT.COMMUNIC.FLT Communication with a connected FSC system is faulty.
FSC-SYSTEM-FAULT Overall alarm marker, any fault exists.
INPUT-FAILURE Fault detected for an input channel or input module.
INT.COMMUNIC.FLT Communication between Central Parts faulty.
IO-COMPARE I/O value discrepancy between Central Parts.
OUTPUT-FAILURE Fault detected for an output channel or output module.
RED.INPUT-FAULT A sensor of a safety-related input with non fail-safe sensors

is faulty.
TEMP.PRE-ALARM The temperature within the FSC system exceeds the

pre-alarm setting. (For details refer to the data sheet of the
10006/./. diagnostic and battery module).
TRANSMIT.-FAULT An analog transmitter gives a value outside its specified

range.
IO-FORCED One or more variables are forced (see subsection 5.2).
The normal state of the markers (no fault present) is '1'. If the first
fault occurs, the associated alarm marker changes to '0'. Any
subsequent fault of the same type will cause the alarm marker to be
pulsed to '1' for one application program cycle (see Figure 6-1).
FSC Safety Manual

1 2 3 4
INPUT FAILURE
FSC SYSTEM FAULT
1 No faults present in FSC system
2 First input fault
3 Second input fault
4 Faults corrected and acknowledged via fault reset
Figure 6-1 Input failure alarm marker function
The FSC alarm markers are available in the application program, e.g.
to generate an alarm.
FSC Safety Manual

6.4.1 Input Fault Detection
Input fault detection Input fault detection applies to hardware inputs that are allocated to
fail-safe, tested input modules. The tests include detection of faults
affecting:
• A single input channel,
• A group of input channels at the same input module, and
• All channels of an input module.
Possible faults Possible faults are:

• Inability to represent both the '0' and the '1' state,
• Correlation between inputs, and
• In case of Loop Monitored Inputs, also an open loop or short circuit.
Tested modules Input fault detection applies to hardware inputs allocated to the
following fail-safe input modules:
• 10101/1/1, 10101/1/2, 10101/1/3, 10101/2/1, 10101/2/2, 10101/2/3,
SDI-1624, SDI-1648,
• 10102/1/1, 10102/1/2, 10102/2/1, SAI-0410,
• 10105/2/1, SAI-1620m and
• 10106/2/1, SDIL-1608.
Hardware inputs can be configured to be safety-related or not.
Safety-related If a system fault affects an input configured for a safety-related signal

inputs connected to a tested input module, the faulty input is isolated from
the application. For digital inputs, a '0' value is applied to the
application, regardless of the value present at the input channel. For
analog inputs, the application value is clamped to the configured
bottom scale.
Non safety-related If a system fault affects an input configured for a non safety-related
inputs signal connected to a tested input module, the fault is only alarmed.
The input value is applied to the application program as read from the
input channel.
Loop monitored If a fault affects the loop of a signal configured with loop monitoring,
inputs the loop fault is alarmed. The input value is applied to the application
FSC Safety Manual
program as read from the input channel. This means for instance that
when a short circuit is detected in the loop, a logical “1” will be
applied to the application. At the same time, the LoopI signal of the
corresponding channel is de-activated. In other words, loop
monitored digital inputs follow the exact same behavior as normal
digital inputs, with the advantage that the operator receives a warning
in case the signal becomes inoperable due to a short circuit or open
loop.
Loop monitored inputs The above listed description might contradict with what could be
in ESD applications expected from a ESD function. Though, instead of clamping the
signal to a logical “0” in case of a short circuit, which normally
would result in a process trip, the process is kept alive, and the
operator is warned of a faulty loop. If for some reason a shut down is
required anyway, the corresponding diagnostic input of the signal
(LoopI) can be used as this signal will be deactivated if a loop fault is
detected.
Loop monitored inputs If a loop monitored signal is used in a Fire & Gas application, the
in F&G applications signal will most likely be de-energized in a healthy process situation.
Upon energizing of the signal, action must be taken. This means that
in case a short circuit is detected in the loop, action would be taken,
as a logical “1” is applied to the application. Normally this is not
desired in Fire & Gas applications. Therefore, the input can be
combined with its diagnostic input through an “AND” gate. In this
way action will be taken only when the signal is healthy, and
energized.
Fault alarm Occurrence of an input fault is indicated in the INPUT-FAILURE

alarm marker, as well as the associated diagnostic input(s) and/or
diagnostic loop-monitoring input (10106/2/1, SDIL-1608).
FSC Safety Manual

6.4.2 Transmitter Fault Detection
Transmitter fault A transmitter fault is detected if the value obtained from a transmitter,
detection via an analog input, is outside its configured range.
If an underrange fault is detected, the application value is clamped to

the configured bottom scale. If an overrange is detected, it is clamped
to max. 6.25 V, 12.5 V or 25 mA, depending on the selected range.
Tested modules Transmitter fault detection applies to inputs allocated to the following
fail-safe analog input modules:
• 10102/1/1, 10102/1/2, 10102/2/1, SAI-0410 and
• 10105/2/1, SAI-1620m
Fault alarm Occurrence of a transmitter fault is indicated in the

TRANSMIT.-FAULT alarm marker and the associated sensor
diagnostic input.
FSC Safety Manual

6.4.3 Redundant Input Fault Detection
Redundant input Redundant input fault detection applies to fail-safe inputs with
fault detection redundant non fail-safe sensors.
Digital inputs For digital inputs, a fault is detected if:

• the input value is 'ON' for a longer time period than specified in the
maximum on timer, or
• the input values of the redundant sensors differ for a longer time
period than specified in the maximum discrepancy time.
If a fault is detected, a '0' value is applied to the application.
Analog inputs For analog inputs, a fault is detected if the transmitter values differ
more than the specified maximum discrepancy value. If a fault is
detected, the configured bottom scale is applied to the application.
Fault alarm Occurrence of a redundant input fault is indicated in the

RED.INPUT-FAULT alarm marker.
FSC Safety Manual

6.4.4 Output Fault Detection
Output fault Output fault detection applies to hardware outputs that are allocated
detection to tested output modules. The tests include detection of faults
affecting:
• A single output channel,
• A group of output channels at the same output module,
• All channels of an output module, and
• The secondary means of de-energizing.
Possible faults Possible faults are:

• Inability to represent the '0' state,
• Inability to represent the '1' state (for digital outputs with loop
monitoring),
• Inability to represent the correct value, bottom value, top value and
variations of the current value (for analog outputs),
• Output short circuit,
• Correlation between outputs,
• Arc-suppressing diode faulty (for digital outputs),
• Open circuit in the output loop (for outputs with loop monitoring,
i.e. 10205/1/1, 10205/2/1, 10214/1/2, 10216/1/1, 10216/2/1,
10216/2/3, SAO-0220m, SDOL-0424, SDOL-0448),
• External power supply voltage below the minimum operating
voltage, and
• Inability to represent the "0" and "1" state of the secondary means
of de-energizing.
Important:
The pulse that it used to test the output channel has a duration
of less than 2 milliseconds. at all times. Inductive loads such
as relays and solenoid valves will not notice the test pulse.
Though, fast-scanning devices (such as MM5 unit from S&I)
could notice this test pulse and should therefore make sure
that a detected change of signal state should last for at least 2
milliseconds.
FSC Safety Manual

Tested modules Output fault detection applies to the following fail-safe output
modules:
Module Group specification
− 10201/1/1, 10201/2/1, Group 1: channels 1 to 4
SDO-0824 Group 2: channels 5 to 8
− 10203/1/2 (see note below) Group 1: channels 1 to 4
− 10205/1/1, 10205/2/1, Each channel is a separate group.
SAO-0220m
− 10212/1/1 Group 1: channels 1 to 4
Group 2: channels 5 to 8 (non saf.-rel.)
SDO-04110
− 10213/1/2, 10213/2/2 Group 1: channels 1 to 4
SDO-0448
− 10214/1/2 Group 1: channels 1 to 3
− 10215/1/1, 10215/2/1, Group 1: channels 1 and 2
SDO-0424 Group 2: channels 3 and 4
SDOL-0424
− 10216/2/3, SDOL-0448 Group 1: channels 1 to 4
Note:
The channels of the 10203/1/2 module are single fault tolerant.
In case of a fault within a channel, full output control is still
guaranteed. Therefore, any first channel fault is only reported.
No additional corrective actions will be taken.
Hardware outputs can be configured to be safety-related or not.
Safety-related outputs If a fault affects an output configured for a safety-related signal, the
faulty output is forced to the safe state (i.e. '0'). The '0' value is
applied to the process, regardless of the value calculated by the
application program. Depending on the predefined effects of the fault,
a single channel, a group of channels or all channels of an entire
module are forced to '0'.
If a short circuit is detected for one output channel, that channel is

forced to '0'. If a short circuit is detected for two or more channels
FSC Safety Manual

within a single output group, all channels of the entire group are
forced to '0'.
If any other type of fault is detected for an output channel, the entire
group is regarded faulty and all channels of the group are forced to '0'.
If an entire group of safety-related output channels is regarded faulty,
the second fault timer is started.
If all groups at the same output module are faulty, the entire module is
regarded faulty.
If an entire safety-related output module is regarded faulty, the Central
Part that controls the affected output module will trip. If the module is
located in a single I/O section, the entire FSC system will trip.
Non-safety-related If a fault affects an output configured for a non safety-related signal,

outputs the fault is only reported. The output value that is applied to the
process is calculated by the application program and combined with
the result of the faulty module.
External External power failure is an exceptional fault, which does not cause a
power failure trip of the Central Part that controls the output module, even if
safety-related output signals are allocated to the module.
Fault alarm Occurrence of an output fault is indicated in the OUTPUT-FAILURE

alarm marker, as well as the associated output diagnostic input(s)
and/or diagnostic loop-monitoring input.
FSC Safety Manual

6.4.5 I/O Compare Error Detection
I/O compare error The FSC system includes two high-level safety check functions
detection which are active in redundant FSC configurations:
1. Input compare, and
2. Output compare.
Compare errors occur when a different status for inputs or outputs

between the Central Parts is detected which cannot unambiguously be
allocated to faults in the field or within the FSC system hardware.
Because of the high level of self-testing by the FSC system, compare
errors will be very rare.
If the FSC system is used for surveillance of processes which are

classified in requirement class 5 (AK5) and which must meet the
requirements of DIN V VDE 0801-A1 in its full extent, the
IO-COMPARE alarm marker should be used to initiate a system
shutdown if an I/O compare error is detected in the outputs (see
programming example in Figure 7-1). The final decision whether
automatic shutdown must be programmed lies with the approval
authority (e.g. TÜV) during the acceptance of the plant. For AK6 an
automatic shutdown will occur.
Input and output compare faults are discussed in more detail below.
Tested modules Input compare error detection applies to all hardware inputs.
Output compare error detection applies to all digital hardware outputs
and to communication outputs (O, BO) with location 'FSC'.
Fault alarm Occurrence of an input compare error is indicated in the

IO-COMPARE alarm marker. As the fault applies to inputs, the
INPUT-FAILURE alarm marker is also asserted.
Occurrence of an output compare error is indicated in the

IO-COMPARE alarm marker. If the error concerns an output with
location 'FSC', the EXT.COMMUNIC.FLT alarm marker is also
asserted because communication will halt to the affected FSC system.
FSC Safety Manual

Input compare In redundant FSC configurations, with dual Central Parts, both
Central Parts scan the process inputs every application program cycle.
Each Central Part executes the application program independently of
the other Central Part. For proper operation of the system, both
Central Parts must have an identical application status at all time. It is
therefore essential that they use identical values for the process inputs.
There is no problem if the process inputs are stable. However, if an

input value changes, both Central Parts could read a different value. In
such cases, an identical input value in the Central Parts is obtained via
input synchronization.
Differences in the input status read should be momentary. Persisting

differences could be the result of hardware faults. In that case, the
faulty input channel is reported in the diagnostics, and both Central
Parts use the process value read from the healthy input channel. A
persisting difference in status of an input while no faults are detected
at the accessory hardware channels leads to an input compare error.
Different synchronization algorithms are used for digital and analog
inputs.
Digital input A digital input compare error is detected if the inputs of both Central
synchronization Parts are stable but different (e.g. CP1 continuously '0', CP2
continuously '1'), for the duration of the configured Diagnostic Test
Interval (DTI).
The input compare error detection algorithm puts the following

demands on the dynamic nature of the digital process inputs:
1. If an input changes of state, it must become stable again within the
configured Diagnostic Test Interval.
2. The frequency of continuously changing inputs must be less than
1/DTI.
The synchronization algorithm for digital inputs (I and BI) depends on

the voting scheme that has been configured for the affected module.
Table 6-7 below specifies the system response to a digital input
compare error.
For details on the available voting schemes for the FSC input modules
refer to Section 4 of the FSC Software Manual ("System
Configuration"). For details on voting refer to subsection 6.2.
FSC Safety Manual

Table 6-7 System response in case of digital hardware input
compare error
IF INPUT COMPARE
ERROR AND... THEN...
System markers Applied state
AK Voting Safety- Digital Channel System

class related IO-COMPARE FSC-SYSTEM-FAULT INPUT-FAILURE input diagnostic shutdown
input
1oo2D
1-6 Yes 0 0 0 0 0 No
1oo1D
1oo2D
1-6 No 0 0 0 0 0 No
1oo1D
1oo1
1-6 No 0 0 0 0 0 No
2oo2
1-6 2oo2D Yes 0 0 1 1 0 No
1-6 2oo2D No 0 0 1 1 0 No
0 = false, low, de-energized

1 = true, high, energized
Notes:
1) 1oo1D voting is treated as 1oo2D as the voting of redundant
Central Parts is 1oo2D by default.
2) 2oo2D voting for inputs that must satisfy safety requirement
class higher than AK4 are not allowed. FSC Navigator does
NOT check for this.
3) 2oo4D voting is not shown in this table as the 1oo2 voting
for the applicable modules is fully transparent to the user.
Analog input For analog inputs, the synchronized value is the mean value of the
synchronization input values. An input compare error is detected if the input values
differ more than 2% of the full scale for the duration of the
configured Diagnostic Test Interval.
The input compare error detection algorithm puts the following
demands on the dynamic nature of the analog process inputs:
1. For inputs located at modules within a redundant I/O section
(10102/1/2, 10102/2/1, 10105/2/1 and SAI-1620m), the slope
steepness must be less than 125 mA/s.
2. For inputs located at modules within a single I/O section
(10102/./., 10105/2/1, SAI-0410 and SAI-1620m), the slope
steepness must be less than 20 mA/s.
Note:
Analog input compare errors may, for example, occur when calibrating smart
transmitters using hand-held terminals. Refer to the project maintenance
manual for details on calibrating smart transmitters that are connected to FSC
analog inputs.
FSC Safety Manual

The synchronization algorithm for analog inputs (AI) depends on the
voting scheme that has been configured for the affected module. Table
6-8 below specifies the system response to an analog input compare
error.
Table 6-8 System response in case of analog input compare error

IF INPUT COMPARE
AK Voting Safety- Analog Channel System

class related IO-COMPARE FSC-SYSTEM-FAULT INPUT-FAILURE input diagnostic shutdown
input
1oo2D bottom scale

1-6 Yes 0 0 0 0 No
1oo1D
1oo2D last healthy

1-6 No 0 0 0 0 No
1oo1D value
last healthy
1-6 2oo2D Yes 0 0 1 0 No
value
last healthy
1-6 2oo2D No 0 0 1 0 No
value

Notes:
2) 2oo2D voting for inputs that must satisfy safety requirement
class higher than AK4 are not allowed. FSC Navigator does
NOT check for this.
Output compare As a result of the synchronization algorithms within the FSC system,
both Central Parts will continuously have an identical application
status, which results in identical process outputs.
An output compare error is detected if there is a difference between
the Central Parts with regard to the status of digital outputs (O, BO) or
communication outputs (O, BO) with location 'FSC'.
The synchronization algorithm for digital outputs (O, BO) depends on

the voting scheme that has been configured for the affected module.
Table 6-9 below specifies the system response to a digital output
compare error.
FSC Safety Manual

Note:
Table 6-9 does not apply for outputs with location 'FSC'. If an
output compare error is detected for outputs with location 'FSC',
communication with the system that the outputs are allocated to
is halted.
Table 6-9 System response in case of digital output compare error

IF OUTPUT COMPARE
AK Voting Safety- Digital Channel System

class related IO-COMPARE FSC-SYSTEM-FAULT OUTPUT- output diagnostic shutdown
FAILURE input
1oo2D
1-5 Yes 0 0 0 0 0 No
1oo1D
1oo2D
1-5 No 0 0 0 1 0 No
1oo1D
1-5 2oo2D Yes 0 0 1 1 0 No

1-5 2oo2D No 0 0 1 1 0 No
1oo2D
6 Yes 0 0 0 0 0 Yes
1oo1D
1oo2D
6 No 0 0 0 0 0 Yes
1oo1D
6 2oo2D Yes 0 0 1 0 0 Yes

6 2oo2D No 0 0 1 0 0 Yes

Notes:
2) 2oo2D voting for outputs that must satisfy safety
requirement class higher than AK4 are not allowed. FSC
Navigator does NOT check for this.
FSC Safety Manual

6.4.6 Central Part Fault Detection
Central Part fault Central Part fault detection applies to Central Part modules,
detection horizontal bus driver modules (HBD) and system internal buses.
If an error is detected, the faulty part will be isolated, which may
result in the Central Part trip. Exceptions are faults detected at
non-safety-related HBD modules (10100/1/1, 10100/2/1, ) and some
faults on the Diagnostic and Battery Module (10006/./.), e.g. if the
battery fuse is open.
Tested modules Central Part fault detection applies to the following FSC modules:
• 10001/./1, 10002/1/2, 10004/./., 10005/1/1, 10006/./., 10007/1/1,
10008/./., 10012/1/2, 10014/./., 10018/./., 10020/1/1, 10020/1/2,
10024/./.
• 10100/1/1, 10100/2/1, IO-0001
• System bus, and
• V-bus, H-bus, IOB-0001S, IOB-0001R
Fault alarm Occurrence of a Central Part fault is indicated in the

CENTR.PART-FAULT alarm marker.
FSC Safety Manual

6.4.7 Internal Communication Error
Internal An internal communication error is detected if communication

communication between the Central Parts in a redundant FSC architecture fails. One
error of the Central Parts will trip.
In fully redundant architectures (without single I/O sections), Central
Part 2 will trip. In systems with a single I/O section, one of the Central
Parts will trip, depending on the internal status of the system.
An internal communication error is always reported by the running

Central Part.
FSC Safety Manual

6.4.8 FSC-FSC Communication Fault Detection
FSC-FSC For communication with a connected FSC system, a fault is detected

communication if communication with the connected FSC system fails. If the systems
fault detection are interconnected via redundant communication links, fault detection
applies to each link separately resulting in single fault tolerance
overall.
Inputs and outputs allocated for communication with a connected FSC

system (location 'FSC') can be configured to be safety-related or not.
If both links (CP1 and CP2) to a connected system are faulty, the
safety-related inputs that are received from the connected system are
forced to the safe state (i.e. '0'). The non safety-related inputs are
frozen to the state that was last received from the connected system.
The outputs are not affected. These will be handled by the other FSC
system as there they come in as inputs.
Fault alarm Occurrence of an FSC-FSC communication fault is indicated in the

EXT.COMMUNIC.FLT alarm marker.
FSC Safety Manual

6.4.9 Device Communication Fault Detection
Device
communication The FSC system monitors for several device types if the
fault detection communication link with the device is operating correctly.
Distributed control For distributed control systems (DCS) that communicate with the
system FSC system via the Modbus or RKE3964R protocol, continuous
communication is expected. If no communication is established
within a predefined timeout period (the "device communication
timeout"), the link to the device is regarded faulty. If the device is
connected to the FSC system via a redundant communication link, the
fault detection applies to each link separately resulting in single-fault-
tolerant communication.
Inputs and outputs that are allocated to the distributed control system
(location 'COM') are always non-safety-related.
If all links to the DCS are faulty, the inputs remain frozen at the state
that was last received from the DCS. The outputs are not affected.
Modbus device The device communication timeout for the Modbus protocol can be
communication timeout configured using the 'System Configuration' option of FSC
Navigator. It can be set to any value between 1.0 and 25.0 seconds, or
it can be deactivated altogether.
RKE3964R device The device communication timeout for the RKE3964R protocol can
communication timeout also be configured using the 'System Configuration' option of FSC
Navigator. It can be set to any value between 1 and 90 seconds. If the
RKE3964R protocol is used for communication between FSC and a
DCS, the device communication timeout must be set to a multiple of
3 seconds (which is the default value). If any other value is specified,
RKE communication between FSC systems is assumed.
SOE collecting devices A communication fault for SOE collecting devices is detected if the
device is off-line for more than 1 minute.
Fault alarm Occurrence of a device communication fault is indicated in the

DEVICE-COM.FLT alarm marker.
FSC Safety Manual

6.4.10 Temperature Alarm
Temperature alarm During configuration of the FSC system, the user may define the
temperature range within which the FSC system must operate.
Temperature prealarm values can also be configured.
If the temperature of the running system exceeds the alarm settings, a

fault will be reported. If the temperature exceeds the configured
operating boundaries, the Central Part will shut down.
Tested modules Temperature alarms apply to the operational temperature within the
Central Part as measured at the Diagnostic and Battery module
(10006/./.).
Fault alarm If the temperature exceeds the alarm settings, this is indicated in the
TEMP.PRE-ALARM alarm marker.
FSC Safety Manual

6.5 Calculation Errors
General Calculation errors result from the application program and occur if:
• the calculated value for an analog value is outside the specified
range of the analog output,
• the square root of a negative number is taken,
• A logarithm function is loaded with a negative value or zero,
• a divide-by-zero occurs,
• an overflow of the result of addition, subtraction, multiplication and
division functions occurs,
• a timer is loaded with a value > 2047, or
• a counter is loaded with a value > 8191.
Calculation errors reflect incorrect design of the application program

for the intended function. Once a calculation error occurs for a
specific process variable, the result of successive calculations based
on this variable cannot be ensured and escalation of the anomaly
needs to be prohibited. The FSC system will therefore trip if a
calculation error occurs.
Guidelines on how to avoid calculation errors in the FSC application

program are presented below.
Preventing
calculation errors Calculation errors can be prevented in a number of ways:
• prevention from occurrence through overall process design,
• inclusion of FSC diagnostic data,
• validation of signals when entering the Functional Logic Diagrams
(FLDs), and
• exception handling during the actual calculation.
Prevention by design In line with good software engineering practice, as promoted by

IEC 61508, calculation errors should be avoided by design. This
means that an application should be designed in such a way that the
operands of a symbol in the FLDs can never get an invalid value. The
design approach starts with the ensurance that input values as
obtained from the process remain within a deterministic range, and
subsequently ensuring that the derived values are valid for successive
FSC Safety Manual

operations.
Sometimes, however, it cannot be guaranteed that an input value
remains within a deterministic area which is valid for all functions.
For example, a signal derived from a reverse-acting, non-linear 4-20
mA transmitter which has been configured for a zero top scale in the
application domain could become negative if the transmitter fails and
delivers a signal beyond 20 mA. If the signal is then linearized
through a square-root function, a system trip will occur (square root of
negative number).
transmitter
x
Figure 6-2 Intended square-root function
Preventive measures If a valid input value cannot be guaranteed, preventive measures must
be built into the design. A comparison function can be used as an
indicator that the transmitter value has left its normal operational
band and that the calculation should not be done. The alarm signal is
used to implement corrective action and to indicate the exception to
the operator (see Figure 6-3).
validated
input value
transmitter
≥ &
x
0
alarm /
annunciation
Figure 6-3 Square-root function with validated input value
If diagnostics are not available (e.g. for 0-20 mA transmitters), it is

necessary to implement range checking in the application program
itself. The result of the boundary check is again used for
implementation of corrective actions.
FSC Safety Manual

An important advantage of input validation is that it can be
implemented on input values for which a valid range cannot be
guaranteed. Furthermore, the deviating input can be exactly identified.
This allows the implementation of effective correction strategies
which only apply to the affected part of the process.
Common function block A last option is to create a common function block, e.g. square root,
which is used for all such calculations. The function block validates
the operand(s) and only performs the intended function if the
operands are valid. Otherwise a predefined value is returned. An
additional function block output should be provided which indicates
if the calculation result is valid or not. This output signal can then
again be used for implementation of corrective actions in the
application program.
A special standard function block for this function is included in the
Function Block Library. See appendix I of the FSC Software manual
for details.
FSC Safety Manual

FSC Safety Manual

Section 7 – Using the FSC Alarm Markers and Diagnostic
Inputs
Section overview This section describes how FSC alarm markers and diagnostic inputs
are used. It covers the following topics:

7.1 Section Overview.......................................................................................... 105
7.2 Applications of Alarm Markers and Diagnostic Inputs .................................. 106
7.3 Shutdown at Assertion of FSC Alarm Markers............................................. 107
7.4 Unit Shutdown .............................................................................................. 108
7.5 Diagnostic Status Exchange with DCS......................................................... 113
Section 7: Using the FSC Alarm Markers and Diagnostic Inputs 105
7.2 Applications of Alarm Markers and Diagnostic Inputs
Applications FSC alarm markers and diagnostic inputs can be used within the
functional logic diagrams (FLDs) to respond to abnormalities or to
initiate an alarm. This is illustrated in three examples below.
• Shutdown at assertion of FSC alarm markers
This example shows how to program a shutdown in case of
assertion of FSC alarm markers. This kind of programming could
be used if the system is intended to run in AK5 without operator
surveillance. (See subsection 7.3.)
• Unit shutdown
This example shows how diagnostic inputs of type I/O-TYPE O can
be used to realize independent safeguarding of process units
including only unit shutdown in case of defects.
(See subsection 7.4.)
• Diagnostic status exchange with DCS
This example discusses the functional logic which can be used to
report the status of alarm markers and diagnostic inputs to a
distributed control system (DCS). (See subsection 7.5.)
106 Section 7: Using the FSC Alarm Markers and Diagnostic Inputs
7.3 Shutdown at Assertion of FSC Alarm Markers
If it is not sufficient to initiate an alarm in case the FSC system

detects a fault, and direct system response is required, the FSC alarm
markers can be used to shut down the system via the application
program.
Figure 7-1 shows an example of how to shut down the system in case
of an I/O compare error. An additional manual shutdown hardware
input is provided which the operator can use to initiate a shutdown by
hand.
B 1 B 1
S IO-COMPARE
120 DUMMY
Y Systemmarker
101 Signaltype:B
S & 1
SHUTDOWN 3
MANUALSHUTDOWN 1
"1=HEALTHY" 10
Figure 7-1 Diagram to shut down system in case of output

compare error
If an I/O compare error is detected or a manual shutdown is initiated, a

divide-by-zero is initiated and the FSC system will shut down. Other
alarm markers can be used in a similar way.
Note:
A manual shutdown can also be realized via the ESD input of
the watchdog module (10005/1/1). This module enables the use
of a tested solid-state hardwired connection, which allows the
secondary means of de-energization of all outputs to be
activated. This unique feature allows an ESD pushbutton chain
to be connected to the FSC system which can then be used to
initiate an emergency shutdown (ESD), fully independently of
the central processor.
7.4 Unit Shutdown
Process units If a process can be divided into independent process units, the overall
process availability can be increased by separate shutdown of the
units within the FSC system. Thus, in case a fault is detected within
the hardware of a process unit, only the affected unit needs to be shut
down, while the remaining parts of the process are not affected.
Note:
Unit Shutdown option is not available for FSC systems with
Safety Manager IO modules and chassis.
Configuration of This subsection discusses the configuration, application programming

unit shutdown and wiring required to achieve shutdown per process unit.
Figure 7-2 shows a standard wiring diagram to realize unit shutdown
for three separate process units.
Central Part
CPU MEM WDG Reset
or
COM
Watchdog signal
Unit 10201/./1
shutdown Safety = Yes
outputs
Process WD WD WD WD WD WD
outputs 10201/./1 10201/./1 10201/./1 10201/./1 10201/./1 10201/./1
Safety = No Safety = No Safety = No Safety = No Safety = No Safety = No
Figure 7-2 Wiring diagram for unit shutdown
For each unit, a relay is used to connect the watchdog input signal of
the unit output to the output of the FSC watchdog module (10005/1/1).
This relay is controlled via an output of the FSC system: the unit
shutdown output. In normal operation, all relays are activated. If a
fault is detected within a process unit, the corresponding relay is
deactivated, which results in a shutdown of the unit.
The unit relays must meet the requirements of DIN VDE 0116, part
8.7.4.5 and 8.7.4.6 of October 1989, i.e.:
6
a) Mechanical reliability > 3.10 switches.
b) Contacts protected (e.g. fuses, series resistors, etc.) at 0.6 ∗ nominal
contact current.
c) Electrical reliability > 2.5 ∗ 10 switches.
5
Unit shutdown outputs The unit shutdown outputs must be safety-related (e.g. allocated to a
10201/./1 or 10216/./1 module). This will guarantee that the FSC
system will direct the process to its safe state if a fault occurs which
affects this output.
The power-up status of the output must be on, to allow correct start-up
of the FSC system with activated unit relays (see Figure 7-3).
For optimum availability it is recommended that the unit shutdown
outputs are allocated to redundant output modules.
Figure 7-3 Configuration of the unit shutdown output
Process outputs The process outputs must be allocated to an FSC fail-safe output
(safety-related) module:
− 10201/1/1 Fail-safe digital output module
(24 Vdc, 0.55 A, 8 channels)
− 10203/1/2 Fail-safe output module with double switch-off
− 10205/1/1 Fail-safe analog output module
(0(4)-20 mA, 2 channels)
− 10205/2/1 Fail-safe analog output module
(0(4)-20 mA, 2 channels)
− 10212/1/1 Digital output module
(24 Vdc, 2 A, 4 channels)
− 10216/1/1 Fail-safe loop-monitored digital output module
The safety relation for the outputs must be set to 'No' (see Figure 7-4).
This will suppress the automatic response of the FSC system if faults
occur at safety-related output modules, which allows programming of
the response via the application.
Figure 7-4 Configuration of the process outputs
Application To realize the unit shutdown in the functional logic diagrams, all
programming diagnostic inputs ('SYS' internal markers related to output modules
available in the database) of one process unit are connected to an
AND gate.
The output signal of the AND gate is connected to the unit shutdown
output (see Figure 7-5).
As long as all the diagnostic inputs are healthy, the diagnostic inputs
will be high, the unit shutdown output will be high and the unit relay
is activated (relay contact closed).
If one diagnostic input of an output channel within the unit becomes
'not healthy', the corresponding unit shutdown output becomes low
and the unit relay is deactivated (relay contact open).
Figure 7-5 Functional logic diagram of unit shutdown
In order to realize a switch-off of a defective output channel in

accordance with the normal FSC response for safety-related signals,
the calculated application output should be applied to the output
channel via an AND gate with the channel diagnostic input.
The FSC-FAULT-RESET alarm marker is connected to all unit

shutdown outputs via an OR gate. After an error is detected and
repaired in one unit, that unit may be restarted using the
FSC-FAULT-RESET alarm marker.
After activating the FSC-FAULT-RESET key switch, a pulse timer

must be started. The reason for using a pulse-timer is two fold.
First, the unit output must be activated in order to have the I/O
channel tested healthy. Therefore, the unit output must be activated
longer than one program cycle.
Secondly, the output channel is tested again after the reset key switch
is activated, and before the Diagnostic Test Interval (DTI) has expired.
However, the exact moment of testing is uncertain. Therefore, it must
be made sure as well that the unit output stays activated until the DTI
has expired.
Based on the above, the pulse of the timer should last the same time as
the DTI that is configured.
7.5 Diagnostic Status Exchange with DCS
Distributed control FSC alarm markers and the diagnostic inputs can be transferred to
systems (DCS) distributed control systems (DCSs), e.g. to generate an operator alarm
or to initiate corrective action within the DCS.
Figure 7-6 shows the functional logic diagram to report the occurrence
of an input fault (INPUT-FAILURE alarm marker) and the use of a
diagnostic input (I/O type AI) to report the status of an analog input
channel to a DCS system.
S
S INPUT-FAILURE 0 t INPUT-FAILURE C
Y System marker O
S t=800ms M
R
S I/O type: AI 3 5001 1 MAINLINE C

Y MAINLINE 5 2 DIAGNOSTIC STATUS O
S "Not faulty" 4 A "1=HEALTHY" M
Figure 7-6 FSC system information to DCS
The status of both variables is transferred to the DCS via outputs with
location 'COM', which are allocated to the communication channel
that the DCS is connected to.
Behavior of alarm The behavior of the alarm markers is quasi-static. Normally, if no

markers fault is present, the value of the markers is high. If a fault is detected,
the corresponding alarm marker will become low. On subsequent
faults the alarm marker will become high during one application
program cycle of the FSC system (e.g. 300 ms) and then low again
(see subsection 6.2).
If the scan cycle of the DCS is larger than the FSC application
program cycle, it is possible that any subsequent faults are not
detected by the DCS. The FSC alarm marker is therefore connected to
the output of the DCS via a delayed off timer. Thus, a pulse on the
alarm marker is extended to the configured timer value. To ensure
detection by the DCS, the timer value must be larger than the DCS
scan time.
Behavior of The behavior of the diagnostic inputs is static. Normally, an I/O
diagnostic inputs channel is healthy and the value of the corresponding diagnostic input
is high. If the I/O channel becomes faulty, the diagnostic input will be
low. It remains low until the fault is repaired and a fault reset has
been given. The diagnostic input can therefore be connected directly
to the output to the DCS.
Section 8 – Wiring and 1oo2D Output Voting in AK5 and AK6
Applications
Using standard The FSC architecture with redundant Central Parts and redundant I/O
wiring is a versatile configuration, which may be used in applications of
requirement classes AK1 up to AK6. In applications up to AK4,
standard redundant I/O wiring is used as long as output modules are
not configured 1oo2D.
In applications of requirement class AK5 where CPU module type
100x2/./. is installed (i.e. system configuration 1oo2D), standard
wiring can be used if no output modules are configured 1oo2D, and if
the process runs under continuous operator surveillance, i.e. if the
operator:
• Is able to monitor the process, and
• Is able to respond to achieve the safe process state within acceptable
time.
For this purpose a pushbutton can be provided which the operator can
use to shut down the FSC system connected to the ESD input of the
watchdog module (10005/1/1).
If CPU module type 10020/./. is installed (i.e. system configuration

2oo4D), standard I/O wiring can be used for requirement classes AK1
through AK6, as long as no output modules are configured 1oo2D.
Using special wiring If a 1oo2D system is intended for safeguarding a non-surveiled

process with requirement class AK5, DIN V VDE 0801-A1 requires
that each Central Part by itself is able to shut down the process,
independent of the status of the other Central Part. This requires
specific wiring of the outputs of the FSC system.
Furthermore, all AK6 applications with a 1oo2D system configuration

require independent Central Part shutdown capability.
Applications where output module(s) are configured 1oo2D require

independent Central Part shutdown capability as well, irrespective
whether the system itself is configured 1oo2D or 2oo4D, and
irrespective of the configured requirement class.
FSC Safety Manual

Section 8: Wiring and 1oo2D Output Voting in AK5 and AK6 Applications 115
Single Central Part Single Central Part operation in AK5 and AK6 is only allowed for a
operation limited time (if a 10002/x/x or 10012/x/x CPU module is used).
If a 10020/1/x Quad Processor Module (QPM) with dual processors is
used, there are no restrictions.
Example This section provides an example of how the outputs of an FSC

configuration with redundant Central Parts and redundant I/O can be
wired if special wiring is to be used.
Figure 8-1 shows the wiring principle. The figure shows cross-wiring
of an output channel which each Central Part can use to de-energize
the output channels of the other Central Part via the 24 Vdc
emergency shutdown input of the watchdog module (10005/1/1). The
24 Vdc ESD input is switched via a normally closed relay contact.
The relay must meet the requirements of DIN VDE 0116 part 8.7.4.5
and 8.7.4.6 of October 1989 (see subsection 7.4).
SEC.SWITCH-OFF CP1 SEC.SWITCH-OFF CP2
+ 24 V + 24 V
NC NC
ESD 24 Vdc ESD 24 Vdc

Central part 1 Central part 2
CPU COM WDG CPU COM WDG
Watchdog signal Watchdog signal
+5V +5V
WD WD WD WD WD WD
10201/./1 10201/./1 10201/./1 10201/./1 10201/./1 10201/./1
Safety = Yes Safety = Yes Safety = No Safety = No Safety = Yes Safety = Yes
CP1 I/O SECTION CP2 I/O SECTION
Figure 8-1 Redundant I/O wiring in AK6 and non-surveiled

AK5 applications for 1oo2D systems
FSC Safety Manual

116 Section 8: Wiring and 1oo2D Output Voting in AK5 and AK6 Applications
Secondary The output that is used to realize the ESD function is a dedicated
switch-off system output, the 'secondary switch-off' (tag number:
SEC.SWITCH-OFF). The name 'secondary switch-off' refers to the
capability to switch off the outputs of the other Central Part via the
secondary means of de-energization.
Important!
The SEC.SWITCH-OFF output may not be used in the
application program to initiate a shutdown at a user-specified
condition.
During normal operation, the SEC.SWITCH-OFF output is low and

the relay contact is closed. If a condition occurs which, for example,
requires Central Part 2 to deactivate the outputs of Central Part 1, the
SEC.SWITCH-OFF output is set to high, the relay contact is opened,
and an emergency shutdown is effected on the watchdog module of
Central Part 1. The outputs of Central Part 1 are de-energized via the
watchdog output signal. Similarly, Central Part 1 is able to de-
energize the outputs of Central Part 2.
The SEC.SWITCH-OFF output is allocated to a channel of a fail-safe

output module (10201/./1) in the I/O section of the Central Part. A
fail-safe output module is used to benefit from the FSC self-tests,
which provide diagnostic information if faults are detected at the
module. During the test, the switch-on capability of the output is also
verified.
The Central Part must be able to activate the SEC.SWITCH-OFF

output, not only when running, but also while in shutdown. To enable
activation of the output while in shutdown, the safety relation of the
output module must be configured at 'No' and the watchdog input
signal of this module must be connected to +5 V.
The remaining channels of the output module may be used to drive

non-safety-related process output signals. Contrary to normal
redundant I/O wiring, the outputs controlling the relays may not be
wired in parallel.
FSC Safety Manual

Section 8: Wiring and 1oo2D Output Voting in AK5 and AK6 Applications 117
Left blank intentionally
FSC Safety Manual

118 Section 8: Wiring and 1oo2D Output Voting in AK5 and AK6 Applications
Section 9 – Fire and Gas Application Example
Application example This section describes an application program for a Fire & Gas
(F&G) application, which is designed according to the requirements
of EN-54 part 2, with the OVERRIDE and TEST options installed.
The FSC system does not support alphanumeric displays, so this
option of EN-54 part 2 is not shown here.
The figures in this section are identified by a descriptive text and the
functional logic diagram (FLD) number, which is used in the sheet
references. Where applicable, references to the EN-54 part 2 standard
are shown in italics in square brackets.
The status of the installation, which is monitored and the status of the
FSC system must be uniquely displayed [EN-54 part 2, 2.1.3]. Within
the complete example this is accomplished by the use of hardwired
digital I/O signals, which can drive LEDs or lamps. Another option is
to have the display on a remote location, and communicate the status
via the FSC-FSC communication link [EN-54 part 2, 2.2.13, 2.3.10,
2.4.1.2]. For details on configuring the FSC-FSC communication refer
to Section 4 of the FSC Software Manual ("System Configuration").
Failure of the communication link must be alarmed [EN-54 part 2,
2.3.2.4, 2.3.2.6, 2.3.2.11].
Please note that the sheet references in the functional logic diagrams
must point to a higher FLD number, which means that they are used in
the same application program cycle in order to get the best possible
response time. This response time for automatic fire detectors
resulting in the required outputs is 1 second [EN-54 part 2, 2.2.8].
Functional logic The system alarm FLD (see Figure 9-1) covers the status indication
diagrams (FLDs) for the redundant power supplies (PSU 1 and 2) [EN-54 part 2,
2.3.2.5], the indication for an earth leakage alarm [EN-54 part 2,
2.3.2.7] and the common failure alarm which is set in case of a failure
of any component in the Fire & Gas detection system, including
failures in the F&G detectors.
The failures in the F&G detectors are handled on other FLDs, in this
example in the FLD for each input loop as shown in Figure 9-2
[EN-54 part 2, 2.3.1]. Function Block (FB) 912 handles the latching
function for the alarm status, the alarm reset function and the lamp test
function.
FSC Safety Manual

Section 9: Fire and Gas Application Example 119
P LAMPTEST 3 LAMPTEST
N LAMPTEST 1 50 "TEST"
L "TEST" 6 1 To 510,520,540
3 PSU-1 P
C PSU-1
A PSU-1 24VDC
3
1 1 A
FB B 1
>
_1 9 PSU-1 24VDC
4 "NO FAILURE"
N
L
B "NO FAILURE" 5 912
50 PSU-1 24VDC
501 "NO FAILURE"
2
C PSU-2
A PSU-2 24VDC
3
1 1 A
FB B 1 3 PSU-2 P
B "NO FAILURE" 4 912 >1
_ 9 PSU-2 24VDC N
3 "NO FAILURE" L
50 PSU-2 24VDC
501 3 "NO FAILURE"
C EARTH-LEAKAGE
A EARTH LEAKAGE PSU'S
3
1 1 A
FB B 3 EARTH-LEAKAGE P
B "NO FAILURE" 2 912 >1
_ 9 EARTH LEAKAGE PSU'S N
2 "FAILURE" L
50 EARTH LEAKAGE PSU'S

501 "NO FAILURE"
4
FAILURE LOOP 1 100

"COMMON ALARM" 50 3 3 COMMON-FAILURE P
FAILURE LOOP 2 150 >
_1 A
FB B
>1
_ 9 COMMON FAILURE N
"COMMON ALARM" 50 1 "NO FAILURE" L
1 912
FAILURE LOOP 3 200
"COMMON ALARM" 50
1
FAILURE LOOP 4 250
"COMMON ALARM" 50 1
S FSC-SYSTEM-FAULT
50 System marker
Y System marker
505 6
S
P RESET-ALARM 3
50 RESET ALARM
N RESET ALARM 1
912 5 "RESET"
L "RESET" 3
E
Figure 9-1 System alarm (FLD 50)
100 ALARM LOOP 1

510 1 "COMMON ALARM"
3 ALARM-1 P
9 ALARM LOOP 1 N
13 "ALARM" L
100 ALARM LOOP 1

500 2 "ALARM HORN"
L 3 A E
LOOP-1 100 FAILURE LOOP 1
P 5 A
"COMMON ALARM"
1 FIRE LOOP 1 D F 50 3
G
S I/O type: AI 3 H
Y LOOP-1 5 B 3 FAILURE-1 P
S "Not faulty" 1 I 9 FAILURE LOOP 1 N
FB J
12 "FAILURE" L
911 100 FAILURE LOOP 1
P OVERRIDE-1 3 K
501 4 "ALARM HORN"
N OVERRIDE LOOP 1 1 C
L "OVERRIDE" 10 L
M 100 OVERRIDE LOOP 1

P TEST-1 3 502 "ALARM HORN"
N 6
N TEST LOOP 1 1 D
L "TEST" 9 O 100 OVERRIDE LOOP 1
540 5 "COMMON ALARM"
3 OVERRIDE-1 P
9 OVERRIDE LOOP 1 N
11 "OVERRIDE" L
100 ????
0 ????
7
100 TEST LOOP 1

0 "ALARM HORN"
8
Figure 9-2 Input loop 1 (FLD 100)
FSC Safety Manual

120 Section 9: Fire and Gas Application Example
Input loops The example presented here has four input loops which could come
from Fire & Gas detectors (the other FLD numbers are 150, 200, 250
but they are not shown here as they are identical to FLD 100). The
Fire & Gas detectors are connected using analog input modules.
The output of the detectors can be a digital contact with
loop-monitoring or an analog signal. The function block 911 (FB-911)
handles all functions that can be executed on an input loop [EN-54
part 2, 2.1.5]. These functions are:
• Setting of alarm levels (in this example they are identical for all
loops. In general, these settings are set per input loop, which means
that the alarm levels detection part of the FB must to be transferred
to the FLD of the input loop) [EN-54 part 2, 2.2.1.2].
• Loop status (open loop, short-circuit) as determined via the system
software of the FSC system [EN-54 part 2, 2.3.2.3, 2.3.2.8,
2.3.2.11].
• Override for the input loop [EN-54 part 2, 2.4.3].
• Test function for the input loop [EN-54 part 2, 2.5.2].
Loop status The loop status (operational status, failure status, override status and
test status) is indicated on panel indications with an indication per
status [EN-54 part 2, 2.1.3]. All states are also transferred to other
FLDs via sheet transfers to generate the common status indication
and to drive the audible indications (horn) [EN-54 part 2, 2.2.12].
Failure indication In this example the failure indication and the override indication is
and override done using separate digital outputs. It is possible to use the same
indication digital output per channel but with different common outputs in order
to distinguish uniquely between failure and override [EN-54 part 2,
2.4.4].
Test function The test function is implemented per input loop. The test function on
one input loop may not override or prohibit detection of a fire or gas
alarm on another input loop which is not in test or override [EN-54
part 2, 2.5.1].
FSC Safety Manual

Monitoring for The input loops are monitored for an alarm status. If an alarm status
alarm status occurs, an audible alarm (horn) must also be activated [EN-54 part 2,
2.2.1.1, 2.2.1.2]. The example FLD in Figure 9-3 creates a common
signal of the alarm status in order to activate the horn. The cycle
pulse logic for each loop combined in the NOR gate is required to
activate the horn for every subsequent alarm in the same alarm group.
For each alarm in an alarm group, an entry to the top OR gate is
required as well as a cycle pulse and entry to the bottom NOR gate.
If more than one alarm group is used in one Fire & Gas detection
system, logic as shown in the diagram below is required for each
alarm group.
ALARM LOOP 1 100

"ALARM HORN" 500
2
ALARM LOOP 2 150

"ALARM HORN" 500
2
>1
_
ALARM LOOP 3 200
"ALARM HORN" 500
2
ALARM LOOP 4 250

"ALARM HORN" 500 2 500 ALARM COMMON
& "ALARM HORN"
505
1
>1
_
Figure 9-3 Control of the alarm horn (FLD 500)
Monitoring for All components of the Fire & Gas system, including the input loops
failure status and output loops, are monitored for a failure status. If a failure
occurs, an audible alarm (horn) must also be activated which has a
different frequency than the Fire & Gas audible alarm. The example
FLD in Figure 9-4 creates a common signal of the failure status in
order to activate the failure horn. The cycle pulse logic for each loop
combined in the NOR gate is required to activate the horn for every
subsequent failure in a failure group [EN-54 part 2, 2.3.9]. An entry
to the top OR gate is required for each failure in a failure group, as
well as a cycle pulse and entry to the bottom NOR gate. Failures
which must be covered are power supply failures and earth leakage
failures. Depending on the application, other internal failures of the
FSC system can also be covered by the common failure alarm.
If more than one failure group is used in one Fire & Gas detection
failure group.
FSC Safety Manual

FAILURE LOOP 1 100
"ALARM HORN" 501
4
FAILURE LOOP 1 100

"ALARM HORN" 501
4
FAILURE LOOP 2 150

"ALARM HORN" 501
1
FAILURE LOOP 3 200

"ALARM HORN" 501
1
FAILURE LOOP 4 250

>
_1
"ALARM HORN" 501
1
PSU-2 24VDC 50
"NO FAILURE" 501
3
PSU-1 24VDC 50
"NO FAILURE" 501
2
EARTH LEAKAGE PSU'S 50 & 501 FAILURE COMMON

"NO FAILURE" 501 505 "ALARM HORN"
4 1
>1
_
Figure 9-4 Control of the failure alarm horn (FLD 501)
Override function Input sensors can go faulty during operation. To allow exchanging of
a faulty input sensor without a constant Fire or Gas alarm, it is
necessary to have an override function. The override function is also
visually indicated on the operator panel. Although not required by the
EN-54 part 2 standard, it is possible to generate an override audible
alarm as indicated in the FLD shown in Figure 9-5. The cycle pulse
logic for each loop combined in the NOR gate is required to activate
the horn for every subsequent override in the same alarm group. An
entry to the top OR gate is required for each override in an alarm
group, as well as a cycle pulse and entry to the bottom NOR gate.
alarm group.
OVERRIDE LOOP 1 100

"ALARM HORN" 502 6
OVERRIDE LOOP 2 150

"ALARM HORN" 502 2
>1
_
OVERRIDE LOOP 3 200
"ALARM HORN" 502
3
OVERRIDE LOOP 4 250

"ALARM HORN" 502 3 502 OVERRIDE COMMON
& "ALARM HORN"
505 1
>1
_
Figure 9-5 Control of the override alarm horn (FLD 502)
FSC Safety Manual

Simulation Fire & Gas sensors can go faulty during normal operation. In order to
test the functionality of the sensors, a test function must be
implemented which overrides the audible alarms. A simulation of fire
or gas at the input sensor will generate the alarm indication but will
block the audible indication. The test function is also visually
indicated on the operator panel. Although not required by the EN-54
part 2 standard, it is possible to generate an test audible alarm as
indicated in the FLD shown in Figure 9-6. The cycle pulse logic for
each loop combined in the NOR gate is required to activate the horn
for every subsequent test operation in the same alarm group. An entry
to the top OR gate is required for each test in an alarm group, as well
as a cycle pulse and entry to the bottom NOR gate.
alarm group [EN-54 part 2, 2.5.2].
TEST LOOP 1 100

"ALARM HORN" 503 7
TEST LOOP 2 150

"ALARM HORN" 503
2
>1
_
TEST LOOP 3 200
"ALARM HORN" 503
4
TEST LOOP 4 250

"ALARM HORN" 503 503 TEST COMMON
3 & 505 "ALARM HORN"
1
>1
_
Figure 9-6 Control of the test alarm horn (FLD 503)
Cycle pulse The signals controlling the horn are used to set the horn flip-flop via a
cycle pulse [EN-54 part 2, 2.2.1.1 (alarm), 2.3.2.1 (failure)] (see
Figure 9-7). The horn flip-flops can be reset via a horn reset digital
input signal [EN-54 part 2, 2.3.8]. If multiple alarm groups are used
in a Fire & Gas detection system, these can be combined via an OR
gate between the cycle pulse and the flip-flop. A cycle pulse must be
used for each individual alarm group.
FSC Safety Manual

L HORN_BY_HAND 3
P 1
5 8
& S
COMMON ALARM R
510
505 3 HORN-1 P
1 >1
_ 9 ALARM HORN N
9 "ALARM" L
ALARM COMMON 500

S
"ALARM HORN" 505 1
R
P RESET-HORN 3
N RESET HORN 1
L "RESET" 7
FAILURE COMMON 501

"ALARM HORN" 505
1
OVERRIDE COMMON 502

"ALARM HORN" 505
1
3 HORN-2 P
>
_1 S 9 FAILURE HORN N
8 "ALARM" L
TEST COMMON R
503
"ALARM HORN" 505
1
S FSC-SYSTEM-FAULT
50
Y System marker
505
S 6
Figure 9-7 Control and acknowledge of the alarm horns (FLD 505)
Common alarm The alarm indications for Fire or Gas alarm must be combined into a
common alarm according to the EN-54 part 2, 2.2.1.2, 2.2.1.3, 2.2.19.
This combination is shown in Figure 9-8 as a number of signals
combined in an OR gate. The common alarm indication is combined
with the lamp test function in order to test this visual indication too.
The combination of Fire and Gas alarms into a common alarm must
be done for each individual alarm group.
P LAMPTEST 3
50
N LAMPTEST 1
510 3 ALARM-COMMON P
L "TEST" 6 1
>1
_ 9 ALARM COMMON N
ALARM LOOP 1 100 7 "ALARM" L
"COMMON ALARM" 510
1
ALARM LOOP 2 150

"COMMON ALARM" 510
2 510 COMMON ALARM
>1
_
505 1
ALARM LOOP 3 200
"COMMON ALARM" 510 3
ALARM LOOP 4 250

Figure 9-8 Control of the common alarm indication (FLD 510)
FSC Safety Manual

Common test The indications that tests are executed for Fire or Gas detectors must
indication be combined into a common test indication according to EN-54 part
2, 2.5.2. This combination is shown in Figure 9-9 as a number of
signals combined in an OR gate. The common test indication is
combined with the lamp test function in order to test also this visual
indication.
The combination of Fire and Gas detector test indications into a
common test indication must be done for each individual alarm group.
P LAMPTEST 3
N LAMPTEST 1 50
520
L "TEST" 6 5
TEST LOOP 1 100 3 TEST-COMMON P

"COMMON ALARM" 520 4 >
_1 9 COMMON TEST N
10 "TEST" L
TEST LOOP 2 150
>1
_
TEST LOOP 3 200
P LAMPTEST 3
N LAMPTEST 1 50
520
L "TEST" 6 1
Figure 9-9 Control of the common test indication (FLD 520)
Common failure The indications that failures have been detected in Fire or Gas
indication detectors must be combined into a common failure indication
according to EN-54 part 2, 2.3.1, 2.3.2.2. This combination is shown
in Figure 9-10 as a number of signals combined in an OR gate. The
common failure indication is combined with the lamp test function in
order to test also this visual indication.
The combination of Fire and Gas detector failure indications into a
common failure indication must be done for each individual alarm
group.
P LAMPTEST 3
50
N LAMPTEST 1
530
L "TEST" 6 5
FAILURE LOOP 1 100 3 FAILURE-COMMON P

"COMMON ALARM" 530 4 >
_1 9 FAILURE COMMON N
5 "FAILURE" L
FAILURE LOOP 2 150
>1
_
FAILURE LOOP 3 200
FAILURE LOOP 4 250

Figure 9-10 Control of the common failure alarm indication

(FLD 530)
FSC Safety Manual

Common override The indications that overrides have been made active for Fire or Gas
indication detectors must be combined into a common override indication
according to EN-54 part 2, 2.4.3.1.
This combination is shown in Figure 9-11 as a number of signals
combined in an OR gate. The common override indication is
combined with the lamp test function in order to test also this visual
indication. The combination of Fire and Gas override indications into
a common override indication must be done for each individual alarm
group [EN-54 part 2, 2.4.3.2]. The display of the common override
signal can be done remotely using the FSC-FSC communication
[EN-54 part 2, 2.4.3.3] or via hardwired outputs using a digital output
with loop-monitoring [EN-54 part 2, 2.4.4.4].
P LAMPTEST 3
50
N LAMPTEST 1 540
L "TEST" 6 5
OVERRIDE LOOP 1 100 3 OVERRIDE-COMMON P

"COMMON ALARM" 540 >1
_
5 9 COMMON OVERRIDE N
6 "OVERRIDE" L
OVERRIDE LOOP 2 150
"COMMON ALARM" 540
2
OVERRIDE LOOP 3 200

"ALARM HORN" >1
_
540
3
P LAMPTEST 3
50
N LAMPTEST 1
540
L "TEST" 6 1
S IO-FORCED
Y System marker
S
Figure 9-11 Control of the common override indication (FLD 540)
Alarm sequence The alarm sequence function block handles the control of all visual
function block and audible indications associated with an input loop [EN-54 part 2,
2.2.1.1, 2.2.1.2, 2.3.1]. For the example application, all alarm settings
are identical so the determination of the alarm levels is included in
this function block, but they may differ depending on the fire & gas
detector (see Figure 9-12).
If the alarm levels are not the same for all input loops, the alarm
detection should be included on the FLDs where this function block is
called.
FSC Safety Manual

S S
0 t t 0 G FIRE ALARM COM.
LOOP SIGNAL
A R
t=1 s
R
t=10 s
& A
FB B E FIRE ALARM LAMP
Signal type: F
912
>
_
F 18
& F FIRE ALARM HORN
>
_ &
F 12 H FAILURE ALARM COM.
A
FB B I FAILURE ALARM LAMP
&
912
<
_ >
_1
F 6
& J FAILURE ALARM HORN.
FAILURE SIGNAL B
OVERRIDE SIGNAL C L OVERRIDE ALARM HORN
M OVERRIDE ALARM COM.
K OVERRIDE/TEST
ALARM LAMP
>
_1
A
FB B
912
N TEST ALARM COM.
TEST SIGNAL D O TEST ALARM HORN
Figure 9-12 Alarm sequence function block (FLD FB-900)
The control of the indication is described via Function Block 912 (see
Figure 9-13). This function handles the control of the indications and
the control of the horn in case of the test function (alarms are passed
but the horn is suppressed) and the override function (alarms and horn
are suppressed).
ALARM SIGNAL A S
&
S
P LAMPTEST 3 0 t
123
N LAMPTEST 1 >1
_ B ALARM LAMP
912
L "TEST" 8 1 t=1 s
R
C RESET-ALARM 3
123
A RESET ALARM 1
912
B "RESET" 4 2
Figure 9-13 Alarm latching, alarm reset and lamp test function block
(FLD 912)
Function Block 912 (FB-912) controls the indication status of lamps.

It contains a latching function for each status that needs to be
indicated until a manually initiated reset (key switch) occurs [EN-54
part 2, 2.2.10, 2.3.6]. If the indication status is still active, it will
return to the On status after a defined period. (EN-54 part 2, 2.2.10
defines < 20 seconds; the time in the diagram above is 1 second.)
FSC Safety Manual

Section 10 – Special Requirements for TUEV-Approved
Applications
Requirements for The FSC system can be used for those processes that require TUEV
TUEV approval approval. The requirements for the safety applications are the
following:
1. The maximum application program cycle time is half the process
safety time. For example, the process safety time of a burner
control system is 1 second in accordance with TRD-411 for
boilers > 30 kW (July 1985) Table 1, TRD-412 (July 1985)
Table 1 and DIN 4788 (June 1977) Part 2 Chapter 3.2.3.2 1. This
implies that the application program cycle time must be 0.5
second or less. The application program cycle time is calculated
by the compiler. It is listed in the log file (.LOG) produced by the
compiler, and also shown on screen during translation.
2. If the FSC system detects a fault in its safety-related output
hardware it is possible to de-energize part of the process instead of
de-energizing all outputs. The de-energization of process parts or
all outputs is fully implemented in the system software and cannot
be influenced by the user (see also item 3). The de-energization
depends on the output module type:
− 10201/1/1, Fail-safe digital output module
10201/2/1, (24 Vdc, 0.55 A, 8 channels)
SDO-0824 De-energization per group of output channels:
Group 1: outputs 1, 2, 3, 4.
Group 2: outputs 5, 6, 7, 8.
− 10205/1/1, Fail-safe analog output module
10205/2/1, (0(4)-20 mA, 2 channels)
SAO-0220m De-energization per channel.
FSC Safety Manual

Section 10: Special Requirements for TUEV-Approved Applications 129
− 10212/1/1 Digital output module
De-energization of group 1: outputs 1, 2, 3, 4
(these are the 4 fail-safe outputs).
10213/2/1, (110 Vdc, 0.32 A,4 channels)
SDO-04110 De-energization of group 1: outputs 1, 2, 3, 4.
10213/2/2 (60 Vdc, 0.67 A, 4 channels)
10213/2/3, (48 Vdc, 0.75 A, 4 channels)
SDO-0448 De-energization of group 1: outputs 1, 2, 3, 4.
De-energization of group 1: outputs 1, 2, 3.
10215/2/1, (24 Vdc, 2 A, 4 channels)
SDO-0424 De-energization of group 1: outputs 1, 2
De-energization of group 2: outputs 3, 4.
− 10216/1/1, Fail-safe loop-monitored digital output module
10216/2/1, (24 Vdc, 1 A, 4 channels)
SDOL-0424 De-energization of group 1: outputs 1 to 4.
− 10216/2/3, Fail-safe loop-monitored digital output module
SDOL-0448 (48 Vdc, 0.5 A, 4 channels)
De-energization of group 1: outputs 1 to 4.
If a complete safety-related module is detected faulty, all outputs

connected to the Central Part that controls the output module are
de-energized via the watchdog module (10005/1/1) of that Central
Part. If the output is located in a non-redundant I/O section, all
outputs of the FSC system are de-energized. De-energization is
only effected if safety-related outputs are configured to the faulty
module.
3. If the FSC system detects a fault in its safety-related output
hardware (see item 2 above), a timer is started. When this timer
expires, all outputs are de-energized via the watchdog module
(10005/1/1). This timer can be set to the following values:
− Not used. The timer is not started so an output fault may be
present in the system without further action.
− 0 minutes. This results in immediate de-energization of all
outputs in case of an output fault.
− 1 minute to 22 days. This represents the interval time between
the fault occurring and automatic system shutdown.
FSC Safety Manual

130 Section 10: Special Requirements for TUEV-Approved Applications
The "interval time between faults" can be set using the 'System
Configuration' option of FSC Navigator (Install \ Configuration).
4. If the FSC system detects a fault in its safety-related input
hardware, the faulty input is set to low (off) for digital inputs and
to bottom scale for the analog inputs. This represents the safe
status for both digital and analog inputs. For analog signals this
means that special configuration is required for reversed
transmitters.
5. The watchdog module (10005/1/1) contains an emergency
shutdown (ESD) input. For normal operation, the ESD input must
be 24 Vdc. If the input is forced to 0 V, a Central Part shutdown
and de-energization of the outputs are initiated, independent of the
CPU.
6. For further details on I/O wiring details, termination of I/O signals
and power supply distribution refer to the FSC Hardware Manual
7. The setting of the watchdog and the diagnostic test interval (the
time in which all I/O tests are executed once) and the time
between faults can be checked using the 'Monitor System' option
of FSC Navigator (FSC system \ Sys info \ Parameters) (see
Figure 10-1).
Figure 10-1 System parameters
FSC Safety Manual

8. The 24 Vdc to 5 Vdc DC/DC converter (PSU: 10300/1/1) has
limited capacity. Larger FSC systems may require the use of more
than one power supply unit (PSU). In that case, each additional
PSU requires a watchdog repeater module (10302/1/1 or
10302/2/1) to monitor the 5 Vdc of the PSU which controls the
WD input of all fail-safe output modules connected to that PSU.
9. The M24-20 HE and M24-12 HE power supply units provide
24 Vdc as output voltage. If these power supply units are used, a
watchdog repeater module must be placed to monitor the 24 Vdc
voltage. This watchdog repeater may also be used to monitor the
5 Vdc of a second PSU (see item 8).
Note:
The 1200 S 24 P067 power supply does not require a
watchdog repeater module.
10. The value of the voltage monitor analog input channels of the
10105/2/1 or SAI-1620m modules must be checked in the
application software for the correct transmitter power supply
range for the transmitters connected to that analog input module.
11. To reduce the influence of disturbances on the power supply lines,
all major metal parts (cabinet side walls, doors, 19-inch racks,
horizontal bus rack and flaps, swing frames, etc.) must be
grounded properly.
12. All power supply inputs (except 110/230 Vac) require a power
supply filter to be fitted immediately after the power supply input
terminals.
13. Grounding of the power supplies of the FSC system is only
permitted for the 0 Vdc. Grounding of the +24 Vdc / +48 Vdc /
+60 Vdc / +110 Vdc / +220 Vdc is NOT allowed as an earth fault
will result in an unsafe situation.
14. To maintain the separation between the external power supply
(24 Vdc) and the internal power supply (5 Vdc), the wiring of
these voltage levels must be physically separated. This can be
obtained by using separate ducts and a separate power supply
distribution.
15. Do not use radio transmitting equipment within a radius of 1 m
(3 ft) of the system cabinet when the doors are opened.
16. For details on power supply distribution and watchdog wiring
(especially FSC architecures with redundant Central Parts and
both redundant and single I/O) refer to the FSC Hardware Manual.
FSC Safety Manual

17. Safety-related inputs require the use of fail-safe input modules
(10101/1/1, 10101/1/2, 10101/1/3, 10101/2/1, 10101/2/2,
10101/2/3, 10102/1/1, 10102/1/2, 10102/2/, 10105/2/1, 10106/2/1,
SDI-1624, SDI-1648, SAI-0410, SAI-1620m and SDIL-1608) and
fail-safe input sensors (transmitters). If the input sensors
(transmitters) are not fail-safe, redundant sensors (transmitters)
must be used. Refer to Appendix C of the FSC Software Manual
("Safety-related inputs with non fail-safe sensors") for further
details.
18. If non fail-safe sensors/transmitters are used to realize
safety-related inputs (see Appendix C of the FSC Software
Manual), a maximum on time and a maximum discrepancy time
must be configured. The maximum on time specifies the time that
a signal can remain high before the system will regard the input as
faulty. The maximum discrepancy time specifies the maximum
time that redundant inputs may have different values before the
system regards the input as faulty. Both the maximum on time and
maximum discrepancy time should be configured according to the
dynamic behavior of the input signal.
19. If non fail-safe transmitters are used to realize safety-related
analog inputs (see Appendix C of the FSC Software Manual), a
maximum discrepancy value must be configured. The value
specifies the tolerable difference between the value of the
transmitters before the system will regard the input as faulty.
20. If the FSC system runs without operator surveillance, one of the
following measures shall be taken:
− Inspection of the FSC system status if the FSC system
application is fault free, at least once per 72 hours.
− Alarm indication of the FSC system (e.g. via DCS) if a fault is
detected and subsequent inspection of the FSC system status
within 72 hours after generation of the fault report.
21. The operating conditions of the FSC system shall not exceed the
following ranges:
Operating temperature: 0 to 60°C (32 to 140°F)
Relative humidity: 5% to 95%, non-condensing
Vibration: 2.5 G (10-55-10 Hz)
Shock: 15 G (11 ms, 3 axes, both directions of
the axe)
The operating temperature is measured on the diagnostic and

battery module (DBM) in the Central Part rack. This location has
a higher temperature than outside the cabinet, which results in a
lower ambient temperature for the cabinet. Depending on the
internal dissipation in the cabinet and the ventilation provided, a
FSC Safety Manual

temperature difference of 20°C (39°F) is possible, which results in
a maximum ambient temperature of 40°C (104°F). To minimize
the temperature difference, forced ventilation with one or more
fans can be applied. By using the temperature pre-alarm system
variable, an alarm can be given if the internal temperature rises
too high. For further details on the DBM refer to Section 4 of the
FSC Software Manual ("System Configuration").
22. The storage conditions of the FSC hardware modules shall not
exceed the following ranges:
Storage temperature: –25 to +80°C (–13 to 176°F)
F&G applications Fire and Gas (F&G) applications have the following additional
requirements:
1. Each visual indication (alarm, override or test, failure) shall have
its own dedicated digital output. This digital output may be a
hardware output or a communication output, e.g. to a DCS
system. Override and test status may be combined in one visual
indication. No support for alphanumeric displays is available.
2. Redundant power supplies must be connected to the FSC system
in such a way that the redundant power supplies do not fail at the
same time, e.g. by using diverse primary power sources (e.g.
220 Vac mains and a 24 Vdc from a battery backup). Detection of
power supply failure (e.g. via a voltage-monitoring module) shall
be part of the system design.
Power Supply 1 Power Supply 2

e.g. 220 Vac e.g. 24 Vac
220 Vac / 24 Vdc
Voltage
Monitoring System
Fault
FSCTM
0 Vdc
Figure 10-2 Power supply
FSC Safety Manual

3. Any faults in the Fire & Gas detection system shall be indicated
visually. This indication shall also be active if the Fire & Gas
detection system has been switched off. This can be realized as
shown in Figure 10-2 above, using a normally de-energized relay,
or via a visual indication on a DCS display which is activated if
the communication to the Fire & Gas detection system fails. The
protected side of the fuses are connected to the voltage-monitoring
device in order to detect blown fuses.
4. The field instruments, including panel instruments such as
(key) switches, which are used in conjunction with the FSC
system, must meet the requirements of the applicable parts of the
EN-54 standard. Visual and audible indications shall be as per
paragraph 3.2 of EN-54 part 2.
5. Field inputs must have loop-monitoring (short-circuiting and open
loop). Input module types that can be used are: 10102/1/1,
10102/1/2, 10102/2/1, 10105/2/1, 10106/2/1, SAI-0410, SAI-
1620m and SDIL-1608.
Field outputs must have loop-monitoring (short-circuiting and
open loop). Output module types that can be used are: 10216/1/1,
10216/2/1, 10216/2/3, 10214/1/2, SDOL-0424 and SDOL-0448.
6. The FSC system performs loop testing of output channels
allocated to 10216/1/1, 10216/2/1, 10216/2/3, 10214/1/2, SDOL-
0424 or SDOL-0448 modules in groups of five modules per user-
defined Diagnostic Test Interval. The test interval for each module
shall not exceed 100 seconds.
The number of 10216/1/1, 10216/2/1, 10216/2/3, 10214/1/2,
SDOL-0424 and SDOL-0448 modules in an FSC configuration
for Fire & Gas applications, in a non-redundant I/O section, shall
therefore not exceed the number (5 ∗ 100 seconds) divided by the
Diagnostic Test Interval. The number of 10216/1/1, 10216/2/1,
10216/2/3, 10214/1/2, SDOL-0424 and SDOL-0448 modules in
redundant I/O sections shall not exceed the number (5 ∗ 100
seconds) divided by the 2 ∗ Diagnostic Test Interval.
7. The Fire & Gas detection system shall have earth leakage
monitoring/detection facilities.
8. Remote display of alarms, failures etc. may only be executed via
interconnection of FSC systems using the FSC-FSC
communication option or via hardwired outputs with loop-
monitoring via the 10216/1/1, 10216/2/1, 10216/2/3, 10214/1/2,
SDOL-0424 and SDOL-0448 digital output modules.
Communication and loop monitoring failures must be alarmed.
9. The FSC system is only the basis for an EN-54 compliant
application. The responsibility for a full EN-54 compliant
FSC Safety Manual
application lies with the person(s) responsible for configuring and
application programming of the FSC system. The requirements of
EN-54 which must be covered in the application program can be
found in section 9, which references the requirements that must be
fulfilled in the application program.
10. For details on the mechanical construction requirements (cabinet,
indications, horns) refer to EN-54 part 2 paragraph 3.2.
FSC Safety Manual

Index
A C (continued)
Address field of test variable, 57 CE marking, 3, 4, 8
AK class. See: Requirement class (AK) CENTR.PART-FAULT alarm marker, 82
Alarm markers, 76, 82, 107 Central Part configuration, 48
Application, 106 Central Part faults, 96
Behavior, 82, 113 Fault alarm, 96
CENTR.PART-FAULT, 82, 96 Tested modules, 96
DEVICE-COM.FLT, 82, 99 Channel status diagnostic inputs, 79
EXT.COMMUNIC.FLT, 82, 91, 98 Checks
FSC-FAULT-RESET, 112 Before forcing, 61
FSC-SYSTEM-FAULT, 82 Cold start, 49
INPUT-FAILURE, 82, 85, 91, 113 Common alarm, 125
INT.COMMUNIC.FLT, 82 Common failure indication, 126
IO-COMPARE, 82, 91 Common override indication, 127
IO-FORCED, 82 Common test indication, 126
Normal state, 82 Communication
OUTPUT-FAILURE, 82, 90 Redundancy, 66
RED.INPUT-FAULT, 82, 87 Communication links, 42
TEMP.PRE-ALARM, 82, 100 Timeout, 69
TRANSMIT.-FAULT, 82, 86 Communication networks. See: Networks
Alarm sequence function block, 127 Communication protocols, 64
Allocation of I/O signals, 51 Communication timeout
Analog input compare errors, 94 FSC-FSC, 69
Analog inputs, 74 Communication with process control systems (DCS /
Analog inputs (AI) ICS), 63
And redundant input faults, 87 Compare errors, 91, 107
Synchronization, 93 Fault alarm, 91
ANSI/ISA S84.01, 3 System response to analog input ~, 94
Application database, 47, 52, 55 System response to digital input ~, 93
Application program cycle time, 67, 129 System response to digital output ~, 95
Application software, 52, 53, 54 Tested modules, 91
Approval of specification, 44 Compatibility check during on-line modification, 70,
Audible alarm, 122, 124 71
Availability, 1 Compliance to standards, 5
Availability degrees, 38 Configurations of FSC system, 20
Quadruple Modular Redundant (QMR)
architecture, 28
B Redundant Central Parts and redundant I/O, 24
Redundant Central Parts and single I/O, 22
Baud rates Redundant Central Parts with redundant and single
In networks, 67 I/O, 26
Single Central Part and single I/O, 21
C
Connections to safety system, 40
Continuous mode of operation, 13, 15
Calculation errors, 101 Counters (C)
Prevention, 101, 102 And calculation errors, 101
Canadian Standards Association (CSA), 3 Cycle pulse, 124
FSC Safety Manual

Index 137
Index (continued)
C (continued) E
Cycle time, 67, 129 Earth leakage monitoring/detection, 135
Electromagnetic compatibility (EMC), 9
EMC. See: Electromagnetic compatibility (EMC)
D EMC directive (89/336/EEC), 9
Emergency shutdown (ESD), 107
Dangerous failure, 11 Emergency shutdown (ESD) input, 131
Databases, 52, 55 EPROM mode, 49
I/O database, 47 EPROMs, 52
Installation database, 46 Error, 11
DCS. See: Distributed control systems (DCS) Human ~, 12
De-energization, 129, 130 Error report after verification, 18, 57, 58
Default ESD. See: Emergency shutdown (ESD)
FSC-FSC communication timeout, 69 EU directives, 8
Definition of safety terms, 11 EMC directive (89/336/EEC), 9
Design phases for a safety or ESD system, 35, 37 Low voltage directive (73/23/EEC), 10
Device communication faults EUC risk, 11
Distributed control systems (DCS), 99 European Economic Area (EEA)
Fault alarm, 99 Systems to be delivered in ~, 8, 9, 10
SOE collecting devices, 99 European Union
Device communication timeout Systems to be delivered in ~, 8, 9, 10
Modbus, 99 Exchanging process data, 63
RKE3964R, 99 EXT.COMMUNIC.FLT alarm marker, 82
DEVICE-COM.FLT alarm marker, 82 Extended diagnostics, 71, 76
Diagnostic inputs, 111 External power failure, 90
Application, 106
Behavior, 114
Channel status, 79
Loop status, 80
F
LoopI, 80 Factory acceptance test (FAT), 54
LoopO, 80 Failure, 11
SensAI, 80 Dangerous ~, 11
Diagnostic markers, 76 Safe ~, 14
Diagnostic status exchange with DCS, 106, 113 Failure indication, 121
Diagnostic test Interval (DTI), 48 Failure status, 122
Diagnostics, 76 Fault, 11
And calculation errors, 102 Fault alarm
Digital input compare errors, 93 Central Part faults, 96
Digital inputs (I), 73 Device communication faults, 99
And redundant input faults, 87 FSC-FSC communication faults, 98
Synchronization, 92 I/O compare errors, 91
Digital output compare errors, 95 Input fault, 85
Directives, 8 Output faults, 90
EMC directive (89/336/EEC), 9 Redundant input faults, 87
Low voltage directive (73/23/EEC), 10 Temperature alarm, 100
Distributed control systems (DCS), 63, 113 Transmitter faults, 86
And device communication faults, 99 Fault detection and response, 75, 76
Divide by zero, 101 Analog input compare errors, 94
Downloading software, 52 Behavior of alarm markers, 82
Central Part faults, 96
FSC Safety Manual

138 Index
Index (continued)
F (continued) F (continued)
Device communication faults, 99 Remote display, 135
Digital input compare errors, 93 Requirements, 134
Digital output compare errors, 95 Simulation, 124
FSC-FSC communication faults, 98 Test function, 121, 124
I/O compare errors, 91 Flash memory, 49
Input faults, 84 FLASH mode, 49
Output faults, 88 Force enable flag, 61
Temperature alarm, 100 Force Enable key switch, 61
Transmitter faults, 86 Forcing of inputs and outputs, 60
Voting schemes, 78 Checks, 61
Fault indication for Fire & Gas detection systems, Enabling, 60
135 Setting, 61
Faults FSC configurations
Calculation errors, 101 Overview, 20
Central Part faults, 96 Quadruple Modular Redundant (QMR)
Device communication faults, 99 architecture, 28
FSC-FSC communication faults, 98 Redundant Central Parts and redundant I/O, 24
I/O compare errors, 91 Redundant Central Parts and single I/O, 22
Input faults, 84 Redundant Central Parts with redundant and single
Output faults, 88 I/O, 26
Redundant input faults, 87 Relation between ~ and requirement classes (AK),
Temperature alarm, 100 38
Transmitter, 86 Single Central Part and single I/O, 21
Transmitter faults, 86 FSC Navigator, 46
Field instruments, 135 Basic functions, 47
Filters, 132 Checks prior to forcing, 61
Fire & Gas (F&G) applications Verification of application, 54, 55
Alarm sequence function block, 127 FSC networks. See: Networks
Audible alarms, 122, 124 FSC system
Common alarm, 125 Configurations, 20
Common failure indication, 126 Overview, 1
Common override indication, 127 Quadruple Modular Redundant (QMR)
Common test indication, 126 architecture, 28
Cycle pulse, 124 Redundant Central Parts and redundant I/O, 24
Earth leakage monitoring/detection, 135 Redundant Central Parts and single I/O, 22
Example, 119 Redundant Central Parts with redundant and single
Failure indication, 121 I/O, 26
Fault indication, 135 Sequence of phases for safety-related system, 37
Field instruments, 135 Single Central Part and single I/O, 21
Input loops, 121 Special functions, 59
Input sensors, 123 Standards compliance, 3, 5
Loop status, 121 FSC-FSC communication, 65, 66
Loop testing, 135 FSC-FSC communication faults, 98
Loop-monitoring, 135 Fault alarm, 98
Monitoring for alarm status, 122 FSC-FSC communication protocol
Monitoring of failure status, 122 Timeout, 69
Override function, 123 FSC-FSC communication timeout, 69
Override indication, 121 FSC-SYSTEM-FAULT alarm marker, 82
Redundant power supplies, 134 Function blocks, 71, 121, 127
FSC Safety Manual

Index 139
Index (continued)
F (continued) I (continued)
And calculation errors, 103 Digital inputs, 92
Function of safety system, 42 Input/output signals
Functional logic diagrams (FLDs), 43, 47, 52, 53, 56, Physical allocation, 51
106, 119 Specification, 51
Functional safety, 11 INPUT-FAILURE alarm marker, 82
Functional safety assessment, 12 Installation database, 46
Functional test, 54 Instrumentation index, 39
Instrumentation related to safety system, 39
INT.COMMUNIC.FLT alarm marker, 82
G Interval time between faults, 48, 131
IO-COMPARE alarm marker, 82
Grounding, 132 IO-FORCED alarm marker, 82
IO-FORCED system variable, 62
H
ISA S84.01, 3
Isolation of failures, 48
Hardcopy
Functional logic diagrams (FLDs), 53
I/O signal configuration, 53 L
Hardware safety integrity, 13 Loading software
High demand mode of operation, 13, 15 Downloading to memory, 52
Human error, 12 Programming EPROMs, 52
Log files
I
Verification log file, 55, 56
Logical functions (in FLDs), 42
I/O compare errors, 91, 107 Loop status, 121
Fault alarm, 91 Diagnostic inputs, 80
Tested modules, 91 Loop testing, 135
I/O database, 47, 52, 55 LoopI diagnostic input, 80
I/O signal configuration, 53 Loop-monitoring, 135
IEC 61131-3, 4 LoopO diagnostic input, 80
IEC 61508, 3 Low demand mode of operation, 13, 15
Implementation of application software, 52 Low voltage directive (73/23/EEC), 10
Input compare, 91, 92
Input compare errors
Fault alarm, 91 M
System response to analog ~, 94 Manual shutdown, 107
System response to digital ~, 93 Master, 65, 66
Input faults, 84, 87 Multiple ∼s in FSC networks, 68
Fault alarm, 85 Timeout in FSC networks, 69
Non safety-related inputs, 84 Maximum discrepancy time, 73, 133
Safety-related inputs, 84 Maximum on time, 73, 133
Tested modules, 84 Memory type, 49
Input filters, 132 Modbus device communication timeout, 99
Input loops (in F&G applications), 121 Mode of operation, 13, 15
Input sensors, 123 Monitoring for alarm status, 122
Input synchronization Monitoring of failure status, 122
Analog inputs, 93 Multidrop networks, 65, 69
FSC Safety Manual

140 Index
Index (continued)
M (continued) O (continued)
Response time, 67, 68 Override indication, 121
N P
Networks, 65 PES. See: Programmable electronic system (PES)
Baud rate, 67 Phases of overall safety lifecycle, 35, 37
Master, 65, 66 Physical allocation in FSC system, 51
Multidrop, 65, 67, 68, 69 Point-to-point networks, 65, 69
Multiple masters, 68 Response time, 67
On-line modification, 71 Power supply failure, 134
Point to point, 65, 67, 69 Power supply filters, 132
Response time, 67, 68 Power supply units (PSU), 132
Single fault-tolerant, 66 Redundancy, 134
Slave, 65, 66 Power-on mode
System numbers, 66 After shutdown caused by fault, 50
Timeout time, 69 At first system start-up, 50
Non fail-safe inputs, 72 Cold start, 49
Non fail-safe sensors/transmitters, 133 Warm start, 50
Non safety-related inputs Preventing calculation errors, 101, 102
And input faults, 84 Printing
Non safety-related outputs Functional logic diagrams (FLDs), 53
And output faults, 90 I/O signal configuration, 53
Process control systems (DCS/ICS). See also: DCS
Process interface, 41
O Process outputs (in unit shutdown), 110
Process safety time (PST), 129
Objectives of overall safety lifecycle, 35 Process units, 108
On-line modification (OLM), 70 Programmable electronic system (PES), 13
And warm start, 50 Programming EPROMs, 52
Compatibility check, 70, 71 Project configuration, 46
Function blocks, 71
In FSC networks, 71
Verification of application, 56, 71
Operating conditions, 133
Q
Operating temperature, 133 QMR. See: Quadruple Modular Redundant (QMR)
Operator surveillance, 115, 133 Quadruple Modular Redundant (QMR) architecture,
Output compare, 91, 94 28
Output compare errors Qualification, 40
Fault alarm, 91
System response to digital ~, 95
Output faults, 88 R
Fault alarm, 90
Non safety-related outputs, 90 Radio interference, 132
Safety-related outputs, 89 RAM mode, 49
Tested modules, 89 RED.INPUT-FAULT alarm marker, 82
OUTPUT-FAILURE alarm marker, 82 Redundancy
Overflow, 101 Analog inputs, 74
Override function, 123 Digital inputs, 73
FSC Safety Manual

Index 141
Index (continued)
R (continued) S (continued)
Power supplies, 134 Safety standards, 3, 5
Sensors/transmitters, 72 Safety system
Redundant Central Parts and redundant I/O, 24 Basic function, 42
Redundant Central Parts and single I/O, 22 Connections to ~, 40
Redundant Central Parts with redundant and single Instrumentation related to ~, 39
I/O, 26 Process interface, 41
Redundant communication, 66 Safety system specification
Redundant FSC components Approval of specification, 44
Voting schemes for ~, 78 Connections, 40
Redundant input faults, 87 Functional logic diagrams (FLDs), 43
Analog inputs, 87 Functionality, 42
Digital inputs, 87 Inventory of I/O signals, 41
Fault alarm, 87 Relations between inputs and outputs, 42, 43
Relations between inputs and outputs, 42, 43 Safety-related inputs, 133
Remote display, 135 And input faults, 84
Requirement class (AK), 38, 48 Safety-related non fail-safe inputs, 72
AK5 and AK6 applications, 115 Safety-related outputs
Relation between ~ and FSC configurations, 38 And output faults, 89
Requirements for TÜV approval, 129 Safety-related system, 16
Response time, 67 Secondary switch-off, 117
Multidrop networks, 67, 68 Self-tests, 48
Point-to-point networks, 67 SensAI diagnostic input, 80
Risk, 14 Sensor redundancy, 72
Risk reduction measures, 32 Separation of voltage levels, 132
RKE3964R device communication timeout, 99 Sequence of phases of overall safety lifecycle, 37
Service, 40
Shutdown
S Emergency ~ (ESD), 107
Manual ~, 107
Safe failure, 14 Unit ~, 108, 109, 110, 111
Safety, 1, 14 Shutdown at assertion of FSC alarm markers, 106,
Functional ~, 11 107
Terminology, 11 SIL. See: Safety integrity level (SIL)
Safety classification, 38 Simulation, 124
Safety integrity Single Central Part and single I/O, 21
Hardware ~, 13 Single Central Part operation in AK5 and AK6, 116
Systematic ~, 17 Single fault-tolerant communication network, 66
Safety integrity level (SIL), 14 Single FSC components
Safety lifecycle, 16, 32 Voting schemes for ~, 77
E/E/PES, 34 Slave, 65, 66
Objectives, 35 Timeout in FSC networks, 69
Overall, 33 SOE collecting devices
Phases, 35, 37 And device communication faults, 99
Sequence of phases, 37 Special functions in FSC system, 59
Software, 34 Forcing of I/O signals, 60
Safety or ESD system Specification of input and output signals, 51
Design phases, 35, 37 Square root of negative number, 101
Safety relation, 111 Standards, 5
Safety relation of variables, 63 Standards compliance, 3, 5
FSC Safety Manual

142 Index
Index (continued)
S (continued) U
Storage conditions, 134 UL 1998, 3
Synchronization Underwriters Laboratories (UL), 3
Analog inputs, 93 Unit relays, 109
Digital inputs, 92 Unit shutdown, 106, 108
System alarm FLD, 119 Application programming, 111
System configuration parameters, 48 Configuration, 108
Diagnostic test Interval, 48 Diagnostic inputs, 111
Interval time between faults, 48 Process outputs (safety-related), 110
Memory type, 49 Safety relation of outputs, 111
Power-on mode, 49 Unit shutdown outputs, 109
Requirement class, 48 Unit shutdown outputs, 109
System markers. See: Alarm markers Upgrading to latest version, 56, 71
System numbers in FSC networks, 66
System overview, 1
System variables V
IO-FORCED, 62
Systematic safety integrity, 17 Validation, 17
Verification log file, 55, 56
Verification of application, 53, 55
T Application software, 54
FSC database, 55
Tag numbers, 40 Functional logic diagrams (FLDs), 53, 56
SEC.SWITCH-OFF, 117 I/O signal configuration, 53
TEMP.PRE-ALARM alarm marker, 82 On-line modification, 56, 71
Temperature alarm, 100 Test data, 56
Fault alarm, 100 Verification test report, 18, 56, 58
Tested modules, 100 Voltage-monitoring, 132, 134
Terminology Voting, 77, 78
Safety-related, 11 1oo2D output ~ in AK5 and AK6 applications,
Test data during verification, 56 115
Test function, 121, 124 Fault detection and response, 78
Test variable, 57 Voting schemes, 92, 94
Time functions (in FLDs), 42 1oo1, 77
Timeouts 1oo1D, 77
FSC-FSC communication ∼, 69 1oo2, 78
Multidrop communication link (master), 69 1oo2D, 78
Multidrop communication link (slave), 69 2oo2, 78
Networks, 69 2oo2D, 78
Point-to-point communication link (master), 69 Default ~ for redundant Central Parts, 78
Point-to-point communication link (slave), 69 Default ~ for single Central Parts, 77
Timer in case of fault, 130 Redundant components, 78
Timers (T) Single components, 77
And calculation errors, 101
TRANSMIT.-FAULT alarm marker, 82
Transmitter faults, 86 W
Fault alarm, 86
Tested modules, 86 Warm start, 50
TÜV, 3 On-line modification (OLM), 50
TÜV approval, 129 Watchdog (WD), 131
FSC Safety Manual

Index 143
Index (continued)
W (continued) Wiring and 1oo2D output voting in AK5 and AK6

applications, 115
Watchdog repeater (WDR), 132
FSC Safety Manual

144 Index
READER COMMENTS
Honeywell Safety Management Systems welcomes your comments and suggestions to improve future editions of this
and other documents.
You can communicate your thoughts to us by fax or mail using this form, or by sending an e-mail message. We would
like to acknowledge your comments — please include your complete name, address and telephone number.
BY FAX: Use this form and fax to us at +31 (0)73-6219125 (attn. Worldwide Marketing dept.)
BY E-MAIL: Send an e-mail message to [email protected]

BY MAIL: Use this form and mail to us at:
Honeywell Safety Management Systems
Attn. Marketing Department
P.O. Box 116
5201 AC 's-Hertogenbosch
The Netherlands
Title of Document: Fail Safe Control Issue Date: 01/2011

Safety Manual
Release 710 Rev. 03
Document Number: FS90-710 Writer: Honeywell DE
COMMENTS:
RECOMMENDATIONS:
Name: Date:
Position:
Company:
Address:
Country:
Telephone: Fax:
E-mail address:
.
.
Honeywell Safety Management Systems
P.O. Box 116
5201 AC 's-Hertogenbosch
The Netherlands

Fail Safe Control - Safety Manual

Uploaded by

Copyright:

Available Formats

Fail Safe Control - Safety Manual

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fail Safe Control - Safety Manual

Uploaded by

Copyright:

Available Formats

© 2011 – Honeywell Safety Management Systems a Division of Honeywell Aerospace B.V.

While this information is presented in good faith and believed to be accurate,

FSC and QMR are trademarks of Honeywell Safety Management Systems.

Other brands or product names are trademarks of their respective holders.

Section 1 – Introduction ............................................................................................... 1

Section 2 – FSC Architectures ................................................................................... 19

Section 3 – Design Phases for an E/E/PE Safety-Related System .......................... 31

Section 4 – Implementation Phases of FSC as a Safety-Related System .............. 45

FSC Safety Manual

Section 6 – FSC System Fault Detection and Response ......................................... 75

Section 9 – Fire and Gas Application Example ...................................................... 119

Section 10 – Special Requirements for TUEV-Approved Applications ................ 129

FSC Safety Manual

Figure 1-1 CE mark .....................................................................................................................................8

FSC Safety Manual

Table 1-1 FSC compliance to standards .....................................................................................................5

FSC Safety Manual

AC...................................................................................................................................... Alternating current

FSC Safety Manual

OLM .................................................................................................................................On-line modification

FSC Safety Manual

FSC Safety Manual

FSC Safety Manual

1.1 System Overview

Subsection Topic See page

System overview The Fail Safe Control (FSC) system is a microprocessor-based

FSC Safety Manual

FSC Safety Manual

TÜV Bayern (Germany) — Certified to fulfill the requirements of

Instrument Society of America (ISA) — Certified to fulfill the

Canadian Standards Association (CSA) — Complies with the

Underwriters Laboratories (UL) — Certified to fulfill the

CE compliance — Complies with CE directives 89/336/EEC (EMC)

FSC Safety Manual

The FSC functional logic diagrams (FLDs) are compliant with

FSC Safety Manual

Table 1-1 FSC compliance to standards

DIN V 19250 Measurement and control. Safety applications up to safety

DIN V 0801 (1/90) Principles for computers in safety- Microprocessor-based safety

VDE 0116 (10/89) Electrical equipment of furnaces.

EN 54 part 2 (01/90) Components of automatic fire detection

EN 50081-2-1994 Electromagnetic compatibility – Generic

EN 50082-2-1995 Electromagnetic compatibility – Generic

IEC 61010-1-1993 Safety Requirements for Electrical

IEC 61131-2-1994 Programmable controllers. Part 2:

UL 1998 Safety-related software, first edition Underwriters Laboratories

UL 508 Industrial control equipment, sixteenth Underwriters Laboratories

FSC Safety Manual

UL 991 Test for safety-related controls Underwriters Laboratories

FM 3611 Electrical equipment for use in Factory Mutual Research

CSA C22.2 Process control equipment. Canadian Standards Association

IEC 60068-1 Basic environmental testing

IEC 60068-2-1 Cold test 0°C (32°F); 16 hours;

IEC 60068-2-1 Cold test –10°C (14°F); 16 hours;

IEC 60068-2-2 Dry heat test up to 65°C (149°F); 16 hours;

FSC Safety Manual

IEC 60068-2-6 Environmental testing – Part 2: Excitation: sine-shaped with sliding

IEC 60068-2-27 Environmental testing – Part 2: Half sinus shock

FSC Safety Manual