
FSC Safety Manager
Implementation Guidelines
for use with the Honeywell FSC System
Releases 42x and 500

FS11-500
02/98
Copyright, Notices, and Trademarks

© Copyright 1998 by Honeywell Inc.


Revision 05 – February 20, 1998

While this information is presented in good faith and believed to be accurate,
Honeywell disclaims the implied warranties of merchantability and fitness for a
particular purpose and makes no express warranties except as may be stated in
its written agreement with and for its customer.
In no event is Honeywell liable to anyone for any indirect, special or consequential
damages. The information and specifications in this document are subject to
change without notice.

TotalPlant, TDC 3000 and Universal Control Network are U.S. registered
trademarks of Honeywell Inc.
FSC is a trademark of Honeywell Safety Management Systems.
Other brand or product names are trademarks of their respective owners.

Honeywell
Industrial Automation and Control
Automation College
2820 West Kelton Lane
Phoenix, AZ 85023
(602) 313-5669

ii FSC Safety Manager Implementation Guidelines 02/98


About This Publication

This publication is designed to assist you in the implementation of the FSC Safety Manager
Module for use with the Honeywell FSC system Releases 42x and 500. Use this document as an
informational source, a guide and reference to implementation requirements, and for FSC Safety
Manager operational considerations.

All references in this manual to "FSC Safety Manager" or "FSC Safety
Manager Module" pertain only for use with the Honeywell FSC system.

Table of Contents

SECTION 1 INTRODUCTION ..........................................................................................................1


1.1 Implementation Overview .............................................................................................1
1.2 FSC Safety Manager Functional Summary ..................................................................3
1.3 FSC Safety Manager Data Flow ...................................................................................6

SECTION 2 FSC-SM OPERATIONAL CONSIDERATIONS ...........................................................9


2.1 FSC Safety Manager Operating Modes........................................................................9
2.2 Address Aliases ..........................................................................................................13
2.3 I/O System ..................................................................................................................16
2.4 FSC Networks.............................................................................................................19
2.5 Sequence of Events (SOE).........................................................................................20
2.6 Saving and Restoring FSC Safety Manager Data ......................................................26

SECTION 3 REDUNDANT FSC SAFETY MANAGERS ................................................................29


3.1 Redundancy Overview ................................................................................................29
3.2 FSC-SMM Database Synchronization ........................................................................34
3.3 Other Redundancy Considerations.............................................................................36

SECTION 4 FSC SAFETY MANAGER START-UP AND SHUTDOWN ........................................39


4.1 Cold Start-up...............................................................................................................39
4.2 Warm Start-up ............................................................................................................43
4.3 Shutdown ....................................................................................................................45

SECTION 5 PERFORMANCE SPECIFICATIONS.........................................................................47


5.1 FSC-SMM Processor Resource Allocation.................................................................47
5.2 Performance Statistics................................................................................................48
5.3 Processing Units .........................................................................................................49

SECTION 6 NIM PROCESSING ....................................................................................................51


6.1 Estimating NIM Loading..............................................................................................51
6.2 Assessment of NIM Processing Load.........................................................................53
6.3 "Remote" NIM Sharing Processing Load ....................................................................54

SECTION 7 BUILDING UCN AND NODE-SPECIFIC POINTS .....................................................59


7.1 UCN Point Building .....................................................................................................59
7.2 Node-specific Point Building .......................................................................................61
7.3 Box Configuration .......................................................................................................66

SECTION 8 ERROR HANDLING ...................................................................................................67


8.1 Soft Failures................................................................................................................67
8.2 Hard Failures ..............................................................................................................70
8.3 Point Configuration Errors...........................................................................................71
8.4 Communication Errors ................................................................................................72



Figures

Figure 1-1 FSC Safety Manager Implementation Dependencies ............................................... 1


Figure 1-2 FSC Safety Manager Relationship to the TPS system.............................................. 3
Figure 1-3 FSC Safety Manager Conceptual Diagram ............................................................... 5
Figure 1-4 Data Flow: UCN to Field and Back............................................................................ 7
Figure 2-1 Local and Remote I/O Subsystem Configuration Example ..................................... 17
Figure 2-2 Diagnostics Display UCN Statistics: Time Sync Parameters .................................. 21
Figure 2-3 SOE Resolution....................................................................................................... 23
Figure 2-4 Throttled Event Collection ....................................................................................... 24
Figure 2-5 FSC-SM Saving and Restoring Data Flow .............................................................. 26
Figure 2-6 US UCN Status Display for Data Save and Restore ............................................... 27
Figure 3-1 Redundant FSC Safety Manager Connected to the UCN and FSC........................ 29
Figure 3-2 FSC Safety Manager Module front panel ................................................................ 30
Figure 3-3 US UCN Status Display for FSC-SMM Switchover ................................................. 33
Figure 3-4 US UCN Status Display for a Failed Node .............................................................. 37
Figure 4-1 Cold Start-up ALIVE States..................................................................................... 39
Figure 4-2 FSC-SMM Personality Download ............................................................................ 40
Figure 4-3 Primary/Secondary Idle State Synchronization ....................................................... 41
Figure 4-4 FSC-SMM UCN Status Display Synchronized State............................................... 42
Figure 4-5 FSC SMM Idle State - Warm Start-up..................................................................... 44
Figure 4-6 FSC-SMM Shutdown UCN Status Display.............................................................. 45
Figure 5-1 FSC-SMM Processor Resource Allocation ............................................................. 47
Figure 6-1 Additional NIMs on UCN Configuration ................................................................... 54
Figure 6-2 Specific Example of Additional NIM on a UCN ....................................................... 55
Figure 7-1 UCN Node Configuration......................................................................................... 60
Figure 7-2 FSC-SM Implementation Dependencies................................................................. 61
Figure 7-3 Node-specific Building Displays - Screen 1............................................................. 64
Figure 7-4 Node-specific Building Displays - Screen 2............................................................. 65
Figure 8-1 US Display: Soft Failures ........................................................................................ 69
Figure 8-2 US Display: NODE STS INFO Target ..................................................................... 72
Figure 8-3 US Display: UCN Statistics Screen, Page 1............................................................ 73



Tables

Table 1-1 Factors Affecting FSC-SM Implementation Tasks ....................................................2


Table 2-1 FSC User Software Options ....................................................................................11
Table 2-2 FSC-SM - FSC Variable Combinations and FSC-SMM Access Rights...................13
Table 2-3 I/O Characteristics for the Various Module Types ...................................................18
Table 2-4 Save and Restore Command Functions..................................................................28
Table 3-1 FSC-SMM Front Panel Indications ..........................................................................31
Table 3-2 FSC-SMM Switchover Procedure............................................................................33
Table 4-1 FSC-SMM Shutdown ...............................................................................................45
Table 5-1 Performance Specifications.....................................................................................48
Table 5-2 Processing Units for the FSC-SMM.........................................................................49
Table 6-1 NIM Processing Load Estimator ..............................................................................51
Table 6-2 NIM Processing Load Estimate Calculation ............................................................52
Table 6-3 NIM Processing Load Categories............................................................................53
Table 6-4 Implementation of Two Logical Process Networks..................................................55
Table 6-5 Building UCN Node and Node-specific Entities .......................................................56
Table 7-1 UCN Point Building ..................................................................................................59
Table 7-2 Target Maximum Point Counts and Processing Units.............................................62
Table 7-3 Data Point Building ..................................................................................................66
Table 8-1 Softfail Descriptions.................................................................................................68
Table 8-2 Configuration Errors ................................................................................................71



Acronyms

AM ...........................................................................................................................Application Module
APM..........................................................................................................Advanced Process Manager
APMM.......................................................................................... Advanced Process Manager Module
CG .......................................................................................................................... Computer Gateway
CL............................................................................................................................. Control Language
CM...........................................................................................................................Computing Module
CP ......................................................................................................................................Central Part
CP ............................................................................................................................ Control Processor
CP .............................................................................................................................. Control Program
CPU................................................................................................................. Central Processing Unit
DCS............................................................................................................ Distributed Control System
DEB ......................................................................................................................... Data Entity Builder
EPROM ..........................................................................Erasable Programmable Read-Only Memory
FLD............................................................................................................... Functional Logic Diagram
FSC ............................................................................................................................ Fail Safe Control
FSC-DS .......................................................................................................FSC Development System
FSC-SM............................................................................................................... FSC Safety Manager
FSC-SMM................................................................................................FSC Safety Manager Module
HM................................................................................................................................. History Module
I/O...................................................................................................................................... Input/Output
LC.................................................................................................................................Logic Controller
LCN ....................................................................................................................Local Control Network
LM ................................................................................................................................. Logic Manager
LRAM .................................................................................................. Local Random Access Memory
NCF .............................................................................................................Network Configuration File
NIM...............................................................................................................Network Interface Module
PED ................................................................................................................ Parameter Entry Display
PI .............................................................................................................................. Personality Image
PLC ..................................................................................................... Programmable Logic Controller
PM ............................................................................................................................... Process Module
PMM ............................................................................................................. Process Manager Module
PSD ................................................................................................. Power Supply Distribution Module
PSU ..........................................................................................................................Power Supply Unit
PU ................................................................................................................................Processing Unit
RAM ..............................................................................................................Random Access Memory
ROM .......................................................................................................................Read-Only Memory
SM ................................................................................................................................Safety Manager
SOE.......................................................................................................................Sequence of Events
TAC ......................................................................................................... Technical Assistance Center
TDC ................................................................................................................ Total Distributed Control
TDF ...............................................................................................................Translated Database File
TPS .........................................................................................................................TotalPlant Solution
UCN............................................................................................................. Universal Control Network
US ..............................................................................................................................Universal Station
VBD ......................................................................................................................... Vertical Bus Driver
WD ........................................................................................................................................Watchdog



Parameters

AI ...................................................................................................................................... Analog Input


AO...................................................................................................................................Analog Output
CCSRC ........................................................................................................... Contact Cut Out Source
DC............................................................................................................................. Digital Composite
DI ........................................................................................................................................Digital Input
DLYTIME ............................................................................................................................ Delay Time
DO ...................................................................................................................................Digital Output
LODSTN ..................................................................................... Logic Output Connection Destination
NODEASSN.............................................................................................................. Node Assignment
NTWKNUM................................................................................................................ Network Number
OP...............................................................................................................................................Output
PLCADDR.......................................................................................................FSC-SRS Alias Address
PTEXECST......................................................................................................... Point Execution State
PV .............................................................................................................................. Process Variable
PVCHGDLY .............................................................................................................. PV Change Delay
PVCHGTMR .............................................................................................................PV Change Timer
SLOTNUM .........................................................................................................................Slot Number
SP ............................................................................................................................................ Setpoint



References

For FSC-SM documentation:

Publication Title                            Publication Number   Binder Title                        Binder Number
FSC Safety Manager Installation Guide        FS20-500             Implementation FSC Safety Manager   TPS 3076
FSC Safety Manager Implementation Guidelines FS11-500             Implementation FSC Safety Manager   TPS 3076
FSC Safety Manager Control Functions         FS09-500             Implementation FSC Safety Manager   TPS 3076
FSC Safety Manager Parameter Reference       FS09-550             Implementation FSC Safety Manager   TPS 3076
  Dictionary
FSC Safety Manager Configuration Forms       FS88-500             Implementation FSC Safety Manager   TPS 3076
FSC Safety Manager Service Manual            FS13-500             Implementation FSC Safety Manager   TPS 3076

For FSC documentation:

Publication Title        Publication Number
FSC Safety Manual        PM.MAN.8047
FSC Hardware Manual      PM.MAN.8048
FSC Software Manual      PM.MAN.8025



Section 1 – Introduction
1.1 Implementation Overview

Section summary
This section contains the following topics:

Subsection   Topic                                        See Page
1.1          Implementation Overview                      1
1.2          FSC Safety Manager Functional Summary        3
1.3          FSC Safety Manager Data Flow                 6

Summary of FSC-SM implementation tasks
Though most information in this publication relates to FSC Safety Manager
(FSC-SM) functions, FSC-SM data points and operating considerations, along
with other implementation activities, must also be completed to make the
FSC-SM functional.

FSC-SM implementation dependencies
Figure 1-1 shows all dependencies that must be completed before the FSC-SM
can be fully operational. It does not indicate the order of task completion.

Figure 1-1 – FSC Safety Manager Implementation Dependencies

[Figure: dependency diagram; only the block labels are recoverable]
Volume Configuration: SM Checkpoint Volume; user volumes for storage of .EB files or IDFs; Continuous History Volume
Area Names; Area Database
Picture Editor: Process Operations; Standard Operational Displays and Reports; User-Built Schematics
Free Format Logs; Button Configuration (Buttons)
Network Interface Module (NIM): UCN Points; NIM Points; SM Points
Unit Names
History Collection and Retrieval; HM History Groups
FSC address assignments and functional logic programming
FSC configuration including FSC-SMM configuration
FSC-SM Data Points; FSC-SM



1.1 Implementation Overview, Continued

FSC-SM implementation tasks
Items outlined in Table 1-1 may be affected by, or used to implement an FSC-SM.

Table 1-1 – Factors Affecting FSC-SM Implementation Tasks

Unit Names
The process units are defined for each FSC-SM data point.

Area Names
The area name and descriptor are defined for any units with FSC-SM points that
are assigned to an area.

LCN Nodes
All LCN nodes are defined in this activity. This includes the Network Interface
Modules (NIMs) that provide the interface to the Universal Control Network(s)
(UCNs) on which the FSC-SM resides.

Volume Configuration
The Network Interface Module (NIM) checkpoint volume, &8np, and the CL/PM
sequences and &9np, are established in this activity.
ATTENTION: Volume &8np must have adequate storage space to accommodate the
FSC-SM checkpoint data plus space to accommodate all other devices on all of
the Universal Control Networks in this system. Volume &9np must have adequate
space to accommodate all CL/PM sequences.

Application Module
Any AM points that are members of a control strategy that includes FSC-SM
points are built in this activity.

Network Interface Module
UCN points which define to the UCN where an FSC-SM resides, and the
node-specific points that define the nodes on that UCN, including the NIM and
the FSC-SM, are built in this activity. Also, FSC-SM data points are built in
this activity. Connections to the FSC-SM points are defined in
tagname.parameter form.
ATTENTION: Prior to point building, the FSC-SMM must be configured on the FSC.
FSC addresses must also be defined.

Picture Editor, Free Format Logs, Button Configuration
Any pictures, logs and buttons built by these activities can access FSC-SM
points once the points are built and loaded.

HM History Groups
FSC-SM data point values for which continuous history is to be collected are
defined in this activity. This is done by assigning them to specific History
Module (HM) history groups.

Area Database
This activity defines how and where data for data points, including FSC-SM
data points, are used and displayed in a given process area. The area database
is the database loaded into a Universal Station (US), and thus defines the
process area monitored and controlled through the US.

Control Language (CL)
CL/AM and CL/PM programs can access FSC-SM parameter values. CL/CM programs
cannot access FSC-SM parameter values. A Control Language that runs on an
FSC-SM is not available.

Functional Logic Programming
This is done on the FSC user station, which is connected to an FSC
communication module. The FSC user station interfaces with the FSC Safety
Manager, and contains software that supports the user in performing a number
of design and maintenance tasks, including the design of the application
program (using functional logic diagrams, or FLDs).



1.2 FSC Safety Manager Functional Summary

FSC Safety Manager summary
The FSC Safety Manager (FSC-SM) provides a dual redundant fault-tolerant
controller for safety and shutdown applications on the Universal Control
Network (UCN).

The FSC-SM consists of an FSC controller and an FSC Safety Manager Module
(FSC-SMM). The FSC-SMM provides the interface to the UCN.

FSC Safety Manager diagram
Figure 1-2 gives an overview of the FSC Safety Manager connected to the
TotalPlant Solution (TPS) network.

Figure 1-2 – FSC Safety Manager Relationship to the TPS system

[Figure: network diagram; only the block labels are recoverable]
TPS Operator Stations* on the LCN
NIM connecting the LCN to UCN A / UCN B
UCN nodes: PM, APM, HPM, LM, SM, FSC Safety Manager (SMM, Central Part, I/O System)
FSC, with the FSC user station (with FSC Development System software or FSC Navigator software)

* The TPS operator stations are:
• Universal Stations,
• UXSs,
• Universal Work Stations, and
• Global User Stations.



1.2 FSC Safety Manager Functional Summary, Continued

Functional overview
The FSC Safety Manager resides as a node on the UCN and consists of these
main functional blocks:
• FSC Safety Manager Module
• FSC Controller — including these components:
– Control Processors,
– Communication Modules,
– I/O Modules, and
– Power Supply Modules.

FSC-SMM functions
The FSC-SMM collects and processes information to and from the FSC
Controller. The FSC-SMM converts this data to UCN data types (tag.parameter)
and performs the following functions:
• engineering unit conversion,
• alarm handling and annunciation for FSC-SM points,
• diagnostic status reporting, and
• UCN communication functions.

FSC Control Processor functions
The FSC Control Processors execute the control program as defined by the
user in the Functional Logic Diagrams (FLDs).

The Control Processors read and synchronize the inputs. The inputs are then
processed by the control program and the result is updated to the output
modules.

The FSC Control Processors perform self-tests of the FSC hardware on a
continuous basis. Diagnostic information on detected faults is provided to
the FSC-SMM for reporting at the US.

FSC user station
The FSC user station contains the FSC user software, which supports the user
in performing a number of design and maintenance tasks, including the design
of the application program (using functional logic diagrams, or FLDs). The
FSC Development System software (R42x) or FSC Navigator software (R500)
allows the user to:
• configure FSC variables and attributes,
• create the control program via Functional Logic Diagrams (FLDs),
• load the control program into the FSC-SM,
• monitor the system status, and
• force FSC variables for loop check-out and maintenance of field devices.



1.2 FSC Safety Manager Functional Summary, Continued

FSC Safety Manager functional diagram
Figure 1-3 illustrates the FSC Safety Manager subsystem.

Figure 1-3 – FSC Safety Manager Conceptual Diagram

[Figure: conceptual diagram; only the block labels are recoverable]
TPS Operator Stations on the LCN; NIM to the UCN; UCN nodes PM, APM, HPM, LM, SM
FSC Safety Manager Module (SMM): UCN Comm., Data Table, Data Conversion, Alarm Generation, Diagnostics, Scan Cycle
FSC Logic Controller: CP Data Tables, Scan Cycle, Control Program, I/O System, FSC Comm., FSC US Comm.
FSC user station; Field


1.3 FSC Safety Manager Data Flow

UCN to field and back
As illustrated in Figure 1-4, data being written to, and read from, the I/O
system takes two paths within the FSC Safety Manager.
• The UCN output path:
– receives data from the UCN,
– posts the data in the FSC-SMM's Data Table,
– transfers the data to the Control Processor's Data Tables,
– processes (tests, modifies) the data in the FLD control program,
– posts the processed data back to the Control Processor's Data Table, and
– sends the processed data to the field via the I/O system or
– sends it to other FSC systems via the FSC Communication Network.
• The UCN input path:
– collects data directly from the field via the I/O system or via the FLD
control program, or
– collects data from other FSC systems via the FSC Communication Network, and
– posts the data in the Control Processor's Data Tables,
– transfers the processed data to the FSC-SMM's Data Table, and
– places the data on the UCN.

ATTENTION: The FLD control program running in the FSC is in the path between
the FSC-SMM output data points and the I/O subsystem. The FLD control program
is capable of altering the data output from a Universal Station and the raw
input data from the process. It is important to understand what the FLD
control program is doing, as it is not possible to view the FLD control
program from the US.


Figure 1-4 – Data Flow: UCN to Field and Back
[Figure: inside the FSC Safety Manager, the FSC-SMM UCN Data Table
exchanges data with the CP Data Tables, which exchange data with the FLD
Control Program; the FSC Controller connects through the I/O System to the
Field Devices and through FSC Comm. to other FSC Systems. The UCN Output
Path runs from the UCN to the field; the UCN Input Path runs from the field
back to the UCN.]



Section 2 – FSC-SM Operational Considerations
2.1 FSC Safety Manager Operating Modes

Section summary
This section contains the following topics:

Subsection  Topic                                                     See Page
2.1  FSC Safety Manager Operating Modes ........................................... 9
2.2  Address Aliases.............................................................................. 13
2.3  I/O System...................................................................................... 16
2.4  FSC Networks ................................................................................ 19
2.5  Sequence of Events (SOE) ............................................................ 20
2.6  Saving and Restoring FSC Safety Manager Data .......................... 26

FSC-SM operating and startup modes
The FSC Safety Manager supports two basic operating modes: RUN mode
and RAM mode. For each of the basic operating modes, two startup
modes are supported.
The operating modes apply to the type of physical memory the FSC
Control Program is located in. The startup modes apply to the process
control behavior of the FSC Control Processors when started after being
shut down.

The FSC-SM operating and startup modes are defined during configuration
of FSC at the FSC user station.

RUN mode When the FSC-SM is configured for RUN mode, the FSC Control
Program is located in EPROM.
EPROMs are programmed at the dedicated FSC EPROM Programmer
using the FSC user software (FSC Development System or FSC
Navigator). The EPROMs are placed on the FSC Central Processing Unit
(CPU).

RAM mode When the FSC-SM is configured for RAM mode, the FSC Control
Program is located in random-access memory (RAM).
The FSC Control Program is loaded into the RAM of the FSC Control
Processor via a serial communication link. Loading is done from the FSC
user station using the FSC Development System software (R42x) or FSC
Navigator (R500).

ATTENTION RAM mode only applies to the part of the FSC Control Program
located at the FSC CPU module. The part of the FSC Control Program for
the FSC Communication Processors is always located in EPROM.


Coldstart When the FSC-SM startup mode is Coldstart, the FSC Control Processor
initializes all variables to the configured power-on values before
processing the FLD Control Program for the first time after startup.

The power-up values for FSC variables are configured during the process
interface definition, using the system configuration option of the FSC user
software: FSC Development System (R42x) or FSC Navigator (R500).

Warmstart When the FSC-SM startup mode is Warmstart, after startup, the FSC
Control Processor resumes execution of the FLD Control Program, using
the variable status as it existed at the moment of the shutdown of the
Control Processor.

When the FSC Control Processor is started for the first time after
download of a new Control Program in RAM, or if the Control Processor
was shut down because of a detected safety-critical hardware fault, the
Control Processor starts up as with the Coldstart mode, initializing all
variables to the configured power-on values before processing the FLD
Control Program for the first time.

ATTENTION For FSC-SM configurations with redundant Control Processors,
the startup mode only applies if both Control Processors were shut down.
If a Control Processor is started while the redundant Control Processor is
running, the starting Control Processor is synchronized with the current
processing status before it starts processing the FSC Control Program for
the first time.

ATTENTION In FSC-SM configurations configured for Warmstart, the FSC
Control Processor that was shut down last should always be started first,
as the status of this Control Processor best resembles the actual
operational state of the process.

Refer to the FSC Hardware Manual and FSC Software Manual for further
details.


FSC Configuration and FLD Control Program Design
The safety functions of the FSC-SM and the actual process interface are
realized through the FSC part of the FSC Safety Manager. The FSC
configuration and the design of the Control Program, by means of
functional logic diagrams (FLDs), are accomplished through the FSC user
software (FSC Development System or FSC Navigator).
Table 2-1 lists the FSC user software options that are of interest for
configuration and FLD design for the FSC part of the FSC-SM.

Table 2-1 – FSC User Software Options

FSC Navigator option: System Configuration
FSC-DS option: Configure FSC system
Description: A configuration tool to:
• define the FSC hardware configuration (including the FSC-SMM),
• define the interface of the FSC system to the process,
• define the alias addresses to link FSC variables to FSC-SMM points,
• define the interface to devices and other FSC systems via serial
communication links.

FSC Navigator option: Print \ Project Configuration
FSC-DS option: Print FSC system configuration
Description: Print hardcopy of the engineering documentation as defined
during the configuration stage.

FSC Navigator option: Design FLDs
FSC-DS option: Design functional logic diagrams
Description: A graphical tool to define the FSC Control Program in
functional logic diagrams (FLDs) containing Arithmetic, Logic and Timing
functional symbols.

FSC Navigator option: Print \ Functional Logic Diagrams
FSC-DS option: Hardcopy of functional logic diagrams
Description: Print hardcopy of the functional logic diagrams as created in
the FLD design editor.

FSC Navigator option: Translate Application
FSC-DS option: Translate application
Description: A tool to:
• verify the correct and consistent implementation of the FSC
configuration and the functional logic diagrams,
• convert the FSC Configuration Database and functional logic diagrams
into a format which can be executed by the FSC Control Processor.

FSC Navigator option: View Log
FSC-DS option: Show application logging files
Description: View the results of various FSC user software options, e.g.
translation and verification.

FSC Navigator option: Program EPROMs
FSC-DS option: Program application in EPROMs
Description: Program EPROMs for the FSC Control and Communication
Processors.

FSC Navigator option: Verify Application
FSC-DS option: Verify application in FSC system
Description: A tool which communicates with the FSC system to:
• verify the correct translation and download of the FSC configuration
and functional logic diagrams (FLDs), and
• log changes made to the FSC configuration and functional logic
diagrams.

FSC Navigator option: Monitor System
FSC-DS option: View FSC system and process status
Description: A tool which communicates with the FSC system to:
• load the FSC Control Program into the RAM of the FSC Control Processor,
• monitor process signals on a per-signal basis, e.g. for loop checking,
• monitor the Control Program status per functional logic diagram,
• retrieve FSC system and field loop diagnostic information from the FSC
system, and
• force variables to a fixed value.

ATTENTION The functional logic diagrams and alias address assignments
within the FSC cannot be modified from the US, LCN or UCN levels.

For further details on FSC configuration and the design of functional
logic diagrams, refer to the FSC Software Manual.



2.2 Address Aliases

DCS address
FSC-SM points are linked to FSC variables via alias addresses.

For FSC variables, the alias address is referred to as the DCS address.
A DCS address is a five-digit number assigned to a variable in the FSC
that allows nodes on the UCN to reference that variable. The DCS address
of an FSC variable is the counterpart of the PLC address of an FSC-SM
point.

FSC variable access rights
Table 2-2 lists the valid combinations of FSC-SM points and FSC
variables and access rights for the FSC Safety Manager Module
(FSC-SMM).

Table 2-2 – FSC-SM - FSC Variable Combinations and FSC-SMM Access Rights

FSC-SM point             FSC variable          FSC-SMM Access Rights   Note
Analog Input (AI)        Analog Input (AI)     Read Only
                         Analog Output (AO)    Read Only
                         Binary Input (BI)     Read Only               1,2
                         Binary Output (BO)    Read Only               1,2
Analog Output (AO)       Binary Input (BI)     Read/Write              1,2,3
Digital Input (DI)       Digital Input (I)     Read Only
                         Digital Output (O)    Read Only
Digital Output (DO)      Digital Input (I)     Read/Write              3
Digital Composite (DC)   Digital Input (I)     Read/Write              3
                         Digital Output (O)    Read Only
Numeric (N)              Binary Input (BI)     Read/Write              1,3
Logic (L)                Analog Input (AI)     Read Only
                         Analog Output (AO)    Read Only
                         Digital Input (I)     Read/Write              3
                         Digital Output (O)    Read Only
                         Binary Input (BI)     Read/Write              1,3
                         Binary Output (BO)    Read Only               1
Flag (F)                 Digital Input (I)     Read/Write              3
Timer (T)
  PV                     Timer (T)             Read Only
  Start                  Digital Input (I)     Read/Write              3
  Reset                  Digital Input (I)     Read/Write              3
  Setpoint               Binary Input (BI)     Read/Write              1,3


FSC variable access rights, continued
Notes:
1. The format of FSC BI and BO variables must be Float.
2. FSC-SM PI 53.00: The value for FSC BI and BO variables linked to
FSC-SM Analog Input and Output points is restricted to integer
numbers in the range 0-4095.
FSC-SM PI 53.01 and higher: The Analog Input and Output points
support the full floating point range.
3. To ensure the integrity of the safety-critical function of the FSC part of
the FSC-SM, the FSC-SMM has no direct write access to outputs of
the FSC system. All write access is routed through FSC input variables
(I, BI) with location COM. Via the FLD Control Program, the
condition for output control is realized.

For more information refer to Section 2.4 of the FSC Safety Manager
Control Functions manual.

Linking FSC-SMM points to FSC variables
A link between an FSC-SMM point and an FSC variable is made when the
combination of the FSC-SMM point type and FSC variable is valid and
the FSC-SMM point PLC address matches the FSC variable DCS address.

Assigning Alias Addresses
DCS addresses are assigned to FSC variables on an individual basis, using
the system configuration option of the FSC user software.

The following rules apply:
• The FSC variables of type I with location COM are grouped in areas. The
FSC Control Processor references these variables by their relative
address in their area. If the FSC variable I is linked to an FSC-SMM
Flag point, the DCS address of the first I variable (and PLC address of
the linked Flag point) can be selected freely. All subsequent I variables
and Flag points must be assigned the DCS/PLC address of the first
variable/point plus the difference between the relative FSC address of
the variable and that of the starting I variable.
• For FSC variables of type I, both the relative FSC addresses and the
DCS addresses increment in steps of 1. Thus, if a Flag point is linked to
an FSC variable of type I, location COM, with relative address 4, and
the DCS address is set at 1000, then the DCS address for the I variable
with relative address 20 must be 1016 (4 / 1000, 5 / 1001, 6 / 1002,
etc.).


• For FSC variables of type BI, the relative FSC addresses increment in
steps of 4 and the DCS addresses in steps of 1. Thus, if a Numeric point
is linked to an FSC variable of type BI, location COM, with relative
address 4, and the DCS address is set at 1000, then the DCS address for
the BI variable with relative address 20 must be 1004 (4 / 1000, 8 /
1001, 12 / 1002, etc.).
• Although the FSC variable types O and BO are also grouped in areas,
the above rule for DCS address assignment does not apply to the O and
BO variables.
• For an FSC-SMM Timer point, four DCS addresses must be assigned.
The DCS address for the PV, Setpoint and Set parameters of the Timer
point can be selected freely. The DCS address for the Reset parameter
must match the DCS address of the Set parameter plus 1.

For more information on DCS address assignment to FSC variables, refer to
the FSC Software Manual.
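As an added example (not part of this manual and not the FSC user software), the following Python script encodes the Table 2-2 point/variable combinations and the DCS address stepping rules of this subsection so that a planned set of alias assignments can be checked before it is entered in the system configuration; the class and function names and the sample variables are the author's own assumptions.

```python
"""Alias (DCS) address checks for FSC-SMM point links (Section 2.2).

Added example, not Honeywell's code: LINK_TABLE mirrors Table 2-2 and
dcs_address() applies the I/BI stepping rule. All names are the author's.
"""
from dataclasses import dataclass

# Table 2-2: (FSC-SM point type or Timer parameter, FSC variable type)
# -> FSC-SMM access rights. Notes 1 and 3 of the table are enforced in link().
LINK_TABLE = {
    ("AI", "AI"): "RO", ("AI", "AO"): "RO", ("AI", "BI"): "RO", ("AI", "BO"): "RO",
    ("AO", "BI"): "RW",
    ("DI", "I"): "RO", ("DI", "O"): "RO",
    ("DO", "I"): "RW",
    ("DC", "I"): "RW", ("DC", "O"): "RO",
    ("N", "BI"): "RW",
    ("L", "AI"): "RO", ("L", "AO"): "RO", ("L", "I"): "RW", ("L", "O"): "RO",
    ("L", "BI"): "RW", ("L", "BO"): "RO",
    ("F", "I"): "RW",
    ("T.PV", "T"): "RO", ("T.START", "I"): "RW", ("T.RESET", "I"): "RW",
    ("T.SETPOINT", "BI"): "RW",
}
# Step of the relative FSC address inside an area of location-COM variables;
# the DCS address always steps by 1.
REL_STEP = {"I": 1, "BI": 4}


@dataclass(frozen=True)
class SmmPoint:
    name: str
    ptype: str          # LINK_TABLE key, e.g. "F" or "T.RESET"
    plc_address: int    # PLC address configured on the FSC-SMM point


@dataclass(frozen=True)
class FscVariable:
    tag: str
    vtype: str          # "I", "O", "BI", "BO", "AI", "AO" or "T"
    location: str       # "COM" for variables written from the FSC-SMM
    rel_address: int    # relative address within its area
    dcs_address: int    # alias (DCS) address
    fmt: str = "Float"  # format of BI/BO variables (note 1)


def dcs_address(vtype, first_rel, first_dcs, rel):
    """DCS address required for the variable at relative address `rel` when
    the first variable of the area sits at (first_rel, first_dcs)."""
    step = REL_STEP[vtype]
    offset = rel - first_rel
    if offset < 0 or offset % step:
        raise ValueError(f"relative address {rel} is off the {step}-step grid "
                         f"that starts at {first_rel}")
    return first_dcs + offset // step


def link(point, var):
    """Return (access rights, reason); rights is None when the link is invalid."""
    rights = LINK_TABLE.get((point.ptype, var.vtype))
    if rights is None:
        return None, f"{point.ptype} point cannot be linked to a {var.vtype} variable"
    if point.plc_address != var.dcs_address:
        return None, "PLC address does not match the DCS address"
    if var.vtype in ("BI", "BO") and var.fmt != "Float":
        return None, "BI/BO variable must have format Float (note 1)"
    if rights == "RW" and var.location != "COM":
        return None, "write access needs an input variable with location COM (note 3)"
    return rights, "ok"


def check_area(vtype, variables):
    """Check one area of I or BI variables (location COM) against the stepping
    rule; return (tag, expected DCS address, actual DCS address) mismatches."""
    ordered = sorted(variables, key=lambda v: v.rel_address)
    first = ordered[0]
    mismatches = []
    for v in ordered[1:]:
        expected = dcs_address(vtype, first.rel_address, first.dcs_address,
                               v.rel_address)
        if v.dcs_address != expected:
            mismatches.append((v.tag, expected, v.dcs_address))
    return mismatches


def check_timer(start_dcs, reset_dcs):
    """Timer point rule: the Reset DCS address is the Start (Set) address + 1."""
    return reset_dcs == start_dcs + 1


if __name__ == "__main__":
    # Constructed sample: BI area starting at relative address 4 / DCS 1000;
    # BI_20 was given 1003 where the rule requires 1004.
    area = [FscVariable(f"BI_{r}", "BI", "COM", r, d)
            for r, d in ((4, 1000), (8, 1001), (12, 1002), (20, 1003))]
    print(check_area("BI", area))                      # [('BI_20', 1004, 1003)]
    print(link(SmmPoint("N_20", "N", 1004), area[3]))  # PLC/DCS mismatch
```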



2.3 I/O System

I/O system The interconnection of the FSC-SM with the process is realized through
I/O modules located in the FSC part of the FSC-SM.
I/O modules can be located in the FSC Central Part rack, or in I/O racks.
The interconnection between the Control Processor and the I/O system is
realized via Vertical Buses.
In FSC-SM configurations with redundant Control Processors, the I/O
system can be redundant, non-redundant, or a combination of both. In the
latter case, independent Vertical Buses are used to control the I/O system.

Non-Redundant I/O In configurations with non-redundant I/O, 18 I/O modules can be located
in a single I/O rack. The modules in the non-redundant I/O section are
controlled by the first Control Processor and the second Control Processor
alternately.

In configurations which combine redundant I/O and non-redundant I/O, an
independent Vertical Bus is used to interconnect the two Control
Processors in parallel with the non-redundant I/O modules.

Redundant I/O In configurations with redundant I/O, 9 I/O module pairs can be located in
a single I/O rack. For each pair, one I/O module is controlled by the first
Control Processor. The other I/O module is controlled by the second
Control Processor.

The I/O signals of the redundant pairs are wired in parallel to the field.

Separate Vertical Buses interconnect the Control Processors with their
own I/O modules.


I/O System diagram
Figure 2-1 is an example diagram of the FSC-SM I/O system
configurations.

Figure 2-1 – Local and Remote I/O Subsystem Configuration Example
[Figure: FSC-SM connected to the UCN, with Central Part 1 and Central
Part 2 (one CP rack each). A redundant V-bus links both Central Parts to
an I/O rack with redundant I/O; a non-redundant V-bus links them to an
I/O rack with non-redundant I/O.]

I/O types supported The FSC Safety Manager supports digital and analog input and output
signals.
The I/O signals can be terminated in the FSC cabinet, at Elco or Field
Termination Assemblies (FTAs), or they can be terminated externally, e.g.
in marshaling cabinets.


I/O characteristics
Table 2-3 describes the I/O characteristics associated with the various
module types.

Table 2-3 – I/O Characteristics for the Various Module Types

Field Inputs                      Field Outputs
• Digital 24, 48, 60 Vdc          • Digital 24, 48, 60, 110, 220 Vdc
          115 Vac                 • Digital 115 Vac
• Analog 0(4) - 20 mA             • Analog 0(4) - 20 mA
         0(1) - 5 Vdc             • Relay
         0(2) - 10 Vdc



2.4 FSC Networks

FSC network capabilities
FSC systems can be interconnected in communication networks.
The network is realized through serial communication links, dedicated for
data exchange between the FSC systems.
Data exchange is based on Honeywell Safety Management Systems'
proprietary FSC Communication Protocol, which allows exchange of
safety-critical information.

For more information regarding the FSC networking capabilities, refer to
the FSC Safety Manual and FSC Software Manual.



2.5 Sequence of Events (SOE)

SOE summary
During each program scan, the FSC's Control Processor (CP) updates its
data tables to the FSC-SMM, including timestamp information when the
data was read from/updated to the field.*
The FSC-SMM processor examines designated discrete variables, linked
to FSC-SMM digital input (DI) points, for a change of state (an event).
When the FSC-SMM processor detects an event for a DI point which was
configured for SOE, it generates an event, using the FSC timestamp for
event processing.

* Timestamps applied by the FSC are on a "per scan" basis.

FSC-SM SOE configuration
SOE within FSC-SM involves user configuration of the FSC-SMM for:
• timestamping and event distribution processes, and
• journaling and display of detected events.

Time synchronization Time synchronization is transparent to the user and has the following
characteristics:
• The NIM provides time synchronization for all nodes on the UCN.
• The FSC-SMM synchronizes the clock on the FSC Control Processors
with LCN time - having a clock resolution of 1 millisecond.

ATTENTION The FSC-SM Time Sync will override any attempt by the
user to set FSC time using the FSC Development System.


Time Sync diagram
Figure 2-2 shows a US Diagnostics display summarizing Time Sync
parameters.

Figure 2-2 – Diagnostics Display UCN Statistics: Time Sync Parameters

                                              20 Jun 97 14:27:31   1

SM DETAIL                UCN STATS PAGE 2

 HELP        EVENT SENDER STATISTICS
 RESET         MESSAGES SENT           3
 STATS         MESSAGES RETRIED        0
 STATS         RECEIVER DROPPED        0
 PAGE 1        NAKS RECEIVED           0
 BOX           THROTTLING REQUESTED    0
 STATUS        NUMBER OF EVENT RCVRS   1
 VERS/
 REVIS       TIME SYNCH STATUS              TIME SYNCH STATISTICS
 FSC-SM        UCN DATE      20 Jun 97        SYNCH ERRORS      0
 BOX           UCN TIME      14:27:31         LOST MESSAGES     0
 CONFIG        SYNCHER NODE  1                CLOCK ERRORS      0
 UCN           CURRENT STATE OK               DRIFT THRESHOLD   0
 STATS                                        DRIFT VALUE       0
 MAINT
 SUPPORT
 SOFT
 FAILURE

 UCN  1   PRI/SEC  PRIMARY   UCN CHANNEL  CHANNELA   FILE POS  NON_PREF
 NODE 7   STATUS   OK        AUTO SWAP    ENABLE     SYNCHST   SYNCHED
 TYPE SM  PLATFORM FSC


Comparing events between FSCs
The NIM and FSC-SM have time synchronization features which keep time
within all the FSC-SMs within ±3 ms.
The timestamps of the same event recorded by two FSC-SMs could differ by
as much as ±1 scan time of the FSC-SM with the longer scan, ±3 ms.

Timestamping within the FSC
Timestamps within the FSC have the following characteristics:
• Timestamps are based on the FSC clock time measured and synchronized
between the FSC Control Processors following the refresh of the Input
Status.
• All detected events within a given FSC scan will have a timestamp of
the same value of time. However, if the FSC-SMM is not synchronized to
LCN time for whatever reason, DI SOE events do not get a timestamp from
the SMM but from the NIM. In this case, DI SOE events detected within the
same FSC scan may have different values of time.
• After each FSC Control Program cycle, the FSC Control Processor updates
its data tables, including timestamp information, to the FSC-SMM.
• The FSC-SMM monitors the DI data table for all DI points configured for
SOE, and generates an SOE event if a state change is detected. The
timestamp used for the SOE event is the timestamp provided by the FSC
Control Processor.

DI SOE timestamping
The FSC-SM clock is synchronized to the LCN time provided through the NIM
for consistent and comparable timestamping of DI SOE events throughout the
TotalPlant Solution (TPS) system.

Timestamping for the FSC-SM is the responsibility of the FSC-SMM
Processors. The FSC-SMM collects any DI events once per FSC Control
Program cycle and uses the same clock time to timestamp all events within
that cycle.

Non-DI SOE event/alarm timestamping
The FSC-SMM does not assume responsibility for the timestamping of non-DI
SOE alarms and events. These timestamps are provided by the NIM.

SOE resolution SOE resolution (T_res) is equivalent to the FSC Control Program Cycle
Time. This cycle time is calculated by the FSC user software depending on
the FSC configuration and control program.


SOE resolution diagram
Figure 2-3 illustrates SOE resolution (T_res) for the FSC.

Figure 2-3 – SOE Resolution
[Figure: timeline of consecutive scans FSC Scan 1, FSC Scan 2 and FSC
Scan 3 bounded by the instants T1, T2, T3 and T4; T_res is the length of
one scan.]

SOE event recovery Event recovery of timestamped events has the following characteristics:
• It occurs only during FSC-SMM or NIM failover/switchover.
• No operator intervention is required.
• The FSC-SM will buffer timestamped events for at least 20 seconds.
• SOE Event Recovery will restart a collection from t–20 seconds.
• In failover situations, Event Recovery will involve a reread of events
that are no more than 20 seconds old.
• During buffer overflow situations (no available buffer space and no
events older than 20 seconds), the FSC-SM will drop new events.

ATTENTION There is no SOE Event Recovery at FSC-SMM startup (IDLE-to-RUN
transition). Instead, events timestamped within the FSC (for the FSC-SMM)
will be given a timestamp of zero.

SOE event recovery cut-off point
SOE Event Recovery ends when:
• event timestamps exceed the LCN time at start of recovery, and
• the FSC SOE Event Buffer is emptied.


Throttled event collection
FSC-SMM will filter event bursts through the use of a PV Change Delay
function. This function is similar to that available for alarming using the
DLYTIME parameter. PVCHGDLY (preset) and PVCHGTMR (timer) are the
supporting parameters.
Figure 2-4 illustrates how unwanted changes in events are ignored.

Figure 2-4 – Throttled Event Collection
[Figure: PV trace (0/1) against time with marks x, y and z. Event N (PV=1)
is generated at t=x and Event N+1 (PV=0) at t=y; PV changes that occur
while PVCHGTMR is counting down are shown as ignored events, and the next
event is generated only after PVCHGTMR has reached zero.]
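As an added example (not Honeywell's code and not part of this manual), the following Python model shows the SOE behaviour described in this subsection: one timestamp per FSC scan shared by all events detected in that scan, PV change delay throttling driven by PVCHGDLY and PVCHGTMR, an event buffer that keeps events for 20 seconds and drops new events when full, and the worst-case timestamp skew between two FSC-SMs from "Comparing events between FSCs". The class and function names, the buffer size, the scan time and the delay values are assumptions chosen for the demonstration, and the exact throttle semantics are the author's reading of Figure 2-4.

```python
"""SOE collection model for the FSC-SMM (Section 2.5).

Added example, not Honeywell's code: the CP hands the SMM a DI table and
one timestamp per scan; the SMM raises an event for each SOE-configured DI
that changed state, throttles repeats with PVCHGDLY/PVCHGTMR and buffers
events for at least 20 s. Names, scan time and delays are the author's.
"""
from collections import deque
from dataclasses import dataclass, field

RETENTION_MS = 20_000      # the FSC-SM buffers timestamped events for >= 20 s
SYNC_TOLERANCE_MS = 3      # NIM/FSC-SM time sync keeps all FSC-SMs within 3 ms


@dataclass(frozen=True)
class SoeEvent:
    point: str
    pv: int
    timestamp_ms: int      # FSC scan timestamp, 1 ms resolution


@dataclass
class SoeCollector:
    scan_ms: int                                    # Control Program cycle, T_res
    pvchgdly_ms: dict                               # PVCHGDLY preset per SOE point
    capacity: int = 1000                            # buffer size (assumed value)
    last_reported: dict = field(default_factory=dict)
    pvchgtmr_ms: dict = field(default_factory=dict) # PVCHGTMR countdown per point
    buffer: deque = field(default_factory=deque)
    dropped: int = 0

    def scan(self, timestamp_ms, di_table):
        """Process one CP-to-SMM data table update and return the events raised;
        every event of one scan carries the same FSC timestamp."""
        events = []
        for point, pv in di_table.items():
            if point not in self.pvchgdly_ms:
                continue                            # DI not configured for SOE
            if point not in self.last_reported:
                self.last_reported[point] = pv      # first scan: take initial state
                continue
            tmr = max(0, self.pvchgtmr_ms.get(point, 0) - self.scan_ms)
            self.pvchgtmr_ms[point] = tmr
            # Throttle (author's reading of Figure 2-4): changes are ignored while
            # PVCHGTMR counts down; once it has reached zero, a PV that differs
            # from the last reported state is reported and the timer is preset.
            if pv == self.last_reported[point] or tmr > 0:
                continue
            events.append(SoeEvent(point, pv, timestamp_ms))
            self.last_reported[point] = pv
            self.pvchgtmr_ms[point] = self.pvchgdly_ms[point]
        for ev in events:
            self._store(ev, timestamp_ms)
        return events

    def _store(self, ev, now_ms):
        # Only events older than 20 s are released; when the buffer is full
        # and nothing is that old, the new event is dropped.
        while self.buffer and now_ms - self.buffer[0].timestamp_ms > RETENTION_MS:
            self.buffer.popleft()
        if len(self.buffer) >= self.capacity:
            self.dropped += 1
            return
        self.buffer.append(ev)

    def recover(self, now_ms):
        """Events reread on FSC-SMM/NIM failover: those no more than 20 s old."""
        return [e for e in self.buffer if now_ms - e.timestamp_ms <= RETENTION_MS]


def max_skew_ms(scan_a_ms, scan_b_ms):
    """Worst-case difference between two FSC-SMs' timestamps of one event:
    one scan of the FSC-SM with the longer scan plus the sync tolerance."""
    return max(scan_a_ms, scan_b_ms) + SYNC_TOLERANCE_MS


def run_demo():
    """Constructed trace: 100 ms scan, DI1 throttled with PVCHGDLY = 300 ms,
    DI2 unthrottled, DI3 not configured for SOE."""
    soe = SoeCollector(scan_ms=100, pvchgdly_ms={"DI1": 300, "DI2": 0})
    trace = [  # (timestamp_ms, DI1, DI2, DI3)
        (0, 0, 0, 0), (100, 1, 1, 1), (200, 0, 1, 0), (300, 1, 1, 1),
        (400, 0, 1, 0), (500, 1, 1, 0), (600, 1, 1, 1), (700, 1, 1, 0)]
    raised = []
    for t, d1, d2, d3 in trace:
        raised += soe.scan(t, {"DI1": d1, "DI2": d2, "DI3": d3})
    return [(e.point, e.pv, e.timestamp_ms) for e in raised]


if __name__ == "__main__":
    for ev in run_demo():      # DI1 and DI2 share timestamp 100; the DI1
        print(ev)              # flicker at 200-300 ms is filtered out
    print(max_skew_ms(500, 800))
```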

Event recovery and flushing
Flushing an FSC-SMM database from Primary to Secondary will have the
following effect on event recovery:
• Point database changes and active delay timers will be flushed to the
Secondary.
• Although SOE event data is not flushed, it is maintained in such a way
that it will not be lost.

Event distribution
SOE Event Distribution is characterized by the following:
• FSC-SMM will distribute timestamped events per established UCN
procedures.
• Total local alarm and event output is limited to 512 over any 10-second
period.
• Long-term SOE may not exceed 16 events per second.


Journals and listings Displayed timestamp resolution will be 1 ms, with Sequence Stamp
Differences equivalent to FSC Scan Time.

SOE configuration To use SOE, you must configure the selected DI points to be collected for
SOE on the TPS system.



2.6 Saving and Restoring FSC Safety Manager Data

Restoring and saving data summary
Checkpoint saving/restoring and saving/restoring functional logic diagram
(FLD) control programs are separate operations. FLD control programs are
saved and restored to the FSC-SM from the FSC user station, using the FSC
Development System software or FSC Navigator software. Checkpoint saving
and restoring is done at the US.

For more information refer to the FSC Software Manual.

Saving/restoring data flow
Figure 2-5 shows the saving and restoring data flow for the FSC Safety
Manager.

Figure 2-5 – FSC-SM Saving and Restoring Data Flow
[Figure: the History Module, cartridge or floppy exchanges the Program
(PROGRAM LOAD) and Point Data (SAVE DATA, RESTORE DATA) with the NIM and
the SMM; the FLD control program passes between the FSC User Station and
the FSC Control Processor, which connects to the I/O System.]


Saving and restoring data using the US Status display
The three bottom targets of the UCN Status display, shown in Figure 2-6,
save and restore the NIM and FSC Safety Manager data points.

Figure 2-6 – US UCN Status Display for Data Save and Restore

MAKE SELECTION                                  24 Sep 96 14:05:00   1

UCN CABLE STATUS: OK          UCN 01 STATUS          UCN CONTROL STATE: BASIC
                                                     UCN AUTO CHECKPNT: INHIBIT

  01 NIM 02    03 NIM 04    11 PM 12    13 LM 14    31 SM 32    35 SM 36
     OK           OK           OK          OK          OK          OK
   BACKUP       BACKUP       BACKUP      BACKUP      BACKUP      BACKUP

 LOAD/SAVE   CONTROL    AUTO      UCN CABLE   RUN       SLOT      DETAIL
 RESTORE     STATES     CHECKPT   STATUS      STATES    SUMMARY   STATUS

 PROGRAM     RESTORE    SAVE
 LOAD        DATA       DATA


Function of save and restore targets
Table 2-4 outlines the functions of the US Status display save/restore
targets.

Table 2-4 – Save and Restore Command Functions

Command        Description
PROGRAM LOAD   Loads the NIM and FSC-SMM software personality image from the
               &UCN volume on an HM, or from a cartridge or floppy, to the NIM
               and selected FSC-SMM(s) in the selected FSC Safety Manager(s).
RESTORE DATA   Restores point data stored in the &8np checkpoint volume on an
               HM, or from a cartridge or floppy, to the NIM and the FSC-SMM(s)
               in the selected FSC Safety Manager(s).
SAVE DATA      Saves point data in the NIM and FSC-SMM(s) in the selected FSC
               Safety Manager(s) into the &8np checkpoint volume on an HM, or
               onto a cartridge or floppy. This target requests a "demand"
               checkpoint. Automatic checkpointing may also save this data at
               the established automatic checkpoint interval for this system.

For more information on checkpointing, refer to Section 21 of the
Engineer's Reference Manual in the Implementation/Startup and
Reconfiguration-2 binder.



Section 3 – Redundant FSC Safety Managers
3.1 Redundancy Overview

Section summary
This section contains the following topics:

Subsection  Topic                                                  See Page
3.1  Redundancy Overview...............................................................29
3.2  FSC-SMM Database Synchronization .......................................34
3.3  Other Redundancy Considerations ...........................................36

Overview
The FSC Safety Manager redundancy scheme is made up of two components.
• FSC - Dual Channel Redundant configuration.
• FSC-SMM - hot spare module in the redundant FSC Central Part.
This subsection will focus primarily on the FSC Safety Manager FSC-SMM
redundancy.

ATTENTION FSC-SMM redundancy does not interfere with FSC redundancy. If,
however, a failure is detected by an FSC Control Processor which requires
the processor to shut down, the state of the associated FSC-SMM will be
affected.

FSC-SMM / FSC redundancy scheme
Figure 3-1 shows the redundant architecture of the FSC-SMM and FSC
controller.

Figure 3-1 – Redundant FSC Safety Manager Connected to the UCN and FSC
[Figure: the FSC-SMM redundant pair on UCN cables A and B; each FSC-SMM
handles conversions, alarms, messaging and UCN communication and holds a
data table. One FSC-SMM is linked to FSC Control Processor CP1 and the
other to CP2, each CP with its own data table.]


FSC Safety Manager status indication
Both FSC-SMMs communicate with the UCN, but only the Primary performs
main functions like point processing, etc. The other FSC-SMM, the
Secondary, is in hot stand-by.
The status of the FSC-SMM is shown on the front panel of the module.
Figure 3-2 shows the front panel of an FSC Safety Manager Module.

Figure 3-2 – FSC Safety Manager Module front panel
[Figure: FSC-SMM front panel carrying the FSC logo, the STATUS, Tx and P
LED indicators, the A and B indicators for the UCN cables, and the marking
10008/2/U.]


FSC-SMM front panel indications
The 'STATUS', 'Tx', 'P' and the 'A' and 'B' LED indicators, as seen in
Figure 3-2, provide information on the status of the FSC-SMM. Table 3-1
gives an overview of the description of each.

Table 3-1 – FSC-SMM Front Panel Indications

LED indicator   Description and Action
STATUS          GREEN – Personality Image is loaded and running.
                RED – Module is performing power-up self-tests or has
                entered the ALIVE state.
                RED/GREEN (flashing) – Module has entered the FAIL state.
Tx              When ON, the FSC-SMM is transmitting data to the UCN.
P               ON – FSC-SMM is Primary
                OFF – FSC-SMM is Secondary
A, B            ON – preferred cable

ATTENTION In non-redundant FSC configurations, the 'P' LED will always
be off.

FSC-SMM redundancy functional summary
The FSC-SMM offers functionally redundant communications modules with
redundant ports and paths operating continuously. FSC-SMM redundancy
consists of two major tasks:
• self-diagnostics and switchover control, and
• FSC-SMM database synchronization.


FSC-SMM and FSC redundancy interfacing
Each FSC-SMM monitors the link to its associated Control Processor. A
fault in this interface will trigger the FSC-SMMs to choose the better of
the two FSC interface situations. Failure of a link to an FSC Control
Processor will initiate a failover. While both Control Processors are
running, the FSC-SMMs will attempt to isolate the emerging failures and
maintain the most effective interface.

Redundant FSC-SMMs route switchover requests through the UCN and via the
FSC Control Processors to provide security against failure. When a fault
does occur, the affected subsystems will either flag the Diagnostic
Manager or kill the module entirely.

ATTENTION Existing FSC module installation guidelines, as they pertain to
redundant communication cards, must also be followed with redundant
FSC-SMMs. FSC-SMM configuration is done using the FSC Development System.

FSC-SMM failover
Failover involves the fault-initiated shutdown of an FSC-SMM Primary
followed by the Secondary's assumption of the Primary State. Failovers
are the result of an FSC-SMM or an FSC-SMM interface fault. FSC-SMM
redundancy failover occurs in five seconds or less, when measured from
primary failure to where the (new) primary FSC-SMM completes a priming
scan.

The faults that can cause a failover to the FSC-SMM hot spare include the
following:
• The on-line FSC-SMM stops communicating with its Control Processor.
• The hot spare FSC-SMM is receiving information from the UCN, but the
on-line FSC-SMM is not.
• The on-line FSC-SMM encounters an internal failure.

FSC-SMM switchover FSC-SMM switchovers result from an Operator Station command. For
operator-requested switchovers, the FSC-SMM will complete
Primary/Secondary switchover and Point Processing priming within two
Point Processor Scan Times (normally two seconds). An additional 0.5
seconds (2 seconds maximum) will be required for Secondary
resynchronization.


FSC-SMM switchover procedure
To begin operator-initiated switchover, you must follow the procedure
outlined in Table 3-2. Figure 3-3 shows this procedure graphically.

Table 3-2 – FSC-SMM Switchover Procedure

Step  Action
1     Select target node from US UCN STATUS display.
2     Select "RUN STATES" target.
3     Select "SWAP PRIMARY" target.
4     Select "ENTER" target.

US UCN status display for FSC-SMM switchover
Figure 3-3 shows the US UCN Status display used for operator-initiated
FSC-SMM switchover.

Figure 3-3 – US UCN Status Display for FSC-SMM Switchover

MAKE SELECTION                                     18 SEP 96 09:18:28   2
UCN CABLE STATUS: OK        UCN 01 STATUS          UCN CONTROL STATE: BASIC
                                                   UCN AUTO CHECKPNT: INHIBIT

01 NIM 02    03 NIM 04    11 PM 12     13 LM 14     31 SM 32     35 SM 36
OK  BACKUP   OK  BACKUP   OK  BACKUP   OK  BACKUP   OK  BACKUP   OK  BACKUP

LOAD/SAVE   CONTROL   AUTO       UCN CABLE   RUN       SLOT       DETAIL
RESTORE     STATES    CHECKPT    STATUS      STATES    SUMMARY    STATUS

STARTUP     IDLE      SHUTDOWN   SWAP        CANCEL    ENTER
                                 PRIMARY

3.2 FSC-SMM Database Synchronization

FSC-SMM database synchronization
FSC-SMM database synchronization has the following characteristics:
• The FSC-SMM Primary will only failover to an unsynced Secondary if
that Primary is in the Fail state. An unsynced Secondary will not
automatically take over if the Primary is unable to communicate via the
UCN (e.g. if cables have been disconnected). This results in an
OFFNET/OK or OFFNET/IDLE situation.
• If the Secondary is unsynced, the FSC-SMM will reject operator-
initiated switchover requests.
• Following operator-requested switchovers, FSC-SMM database
synchronization will occur in five seconds or less for a maximum
250 Kbyte database. Operator-requested switchovers are only accepted
if both the Primary and the Secondary are in the same state and if both
control processors have the same status. This means, for example, that
no switchover request will be accepted if both nodes are idle but the
Secondary control processor is not running while the Primary control
processor is. The operator will always have the lowest priority.
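The failover triggers listed in 3.1 and the synchronization rules above can be written down as decision logic and exercised against the cases the text describes. The block below is an added example, not Honeywell code or anything shipped with the FSC-SMM: the Fsmm record, the function names and the outcome strings are assumptions of the example; the rules it encodes are the ones stated in the text.

```python
"""Decision logic for FSC-SMM redundancy (an added illustration of 3.1 and 3.2).

Not Honeywell code. The Fsmm record, function names and outcome strings are
assumptions of this example; the rules are the ones stated in the manual.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Fsmm:
    """Observable condition of one FSC-SMM of a redundant pair."""
    state: str                  # "RUN", "IDLE" or "FAIL"
    cp_running: bool            # its FSC Control Processor is running
    cp_comm_ok: bool            # it is communicating with its Control Processor
    ucn_rx_ok: bool             # it is receiving information from the UCN
    internal_fault: bool = False


def failover_trigger(primary: Fsmm, spare: Fsmm) -> Optional[str]:
    """Return which of the three 3.1 fault conditions applies, or None."""
    if not primary.cp_comm_ok:
        return "on-line FSC-SMM stopped communicating with its Control Processor"
    if spare.ucn_rx_ok and not primary.ucn_rx_ok:
        return "hot spare receives from the UCN but the on-line FSC-SMM does not"
    if primary.internal_fault:
        return "on-line FSC-SMM internal failure"
    return None


def failover_outcome(primary: Fsmm, spare: Fsmm, spare_synced: bool) -> str:
    """Apply the 3.2 synchronization rule to a detected fault.

    A synced Secondary takes over on any trigger. An unsynced Secondary takes
    over only when the Primary is in the Fail state; a Primary that has merely
    lost the UCN keeps its role and the pair ends up OFFNET/OK or OFFNET/IDLE.
    """
    if failover_trigger(primary, spare) is None:
        return "NO_FAILOVER"
    if spare_synced or primary.state == "FAIL":
        return "FAILOVER"
    # Unsynced Secondary and the Primary is not failed: no automatic takeover.
    if not primary.ucn_rx_ok:
        return "OFFNET/IDLE" if primary.state == "IDLE" else "OFFNET/OK"
    return "NO_FAILOVER"


def switchover_request(primary: Fsmm, secondary: Fsmm,
                       secondary_synced: bool) -> Tuple[bool, str]:
    """Accept or reject an operator-initiated switchover (3.2 rules)."""
    if not secondary_synced:
        return False, "rejected: Secondary is unsynced"
    if primary.state != secondary.state:
        return False, "rejected: Primary and Secondary are not in the same state"
    if primary.cp_running != secondary.cp_running:
        return False, "rejected: control processors do not have the same status"
    return True, "accepted"


if __name__ == "__main__":
    healthy = Fsmm("RUN", True, True, True)
    # Primary lost its UCN cables; spare still hears the UCN.
    cut = Fsmm("RUN", True, True, False)
    print("synced spare  :", failover_outcome(cut, healthy, True))    # FAILOVER
    print("unsynced spare:", failover_outcome(cut, healthy, False))   # OFFNET/OK
    # Both idle, but only the Primary's control processor is running.
    idle_p = Fsmm("IDLE", True, True, True)
    idle_s = Fsmm("IDLE", False, True, True)
    print("operator swap :", switchover_request(idle_p, idle_s, True))
```

The two printed cases are the ones the text singles out: the cable-pull that leaves an unsynced pair OFFNET rather than failing over, and the idle pair with mismatched control-processor status that rejects the operator's request.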

FSC-SMM flushing
Flushing is the act of copying database changes between redundant pairs,
and has the following characteristics:
• Flush operations occur in under 0.125 seconds.
• There is no need to synchronize or flush any FSC data.
• Parameter writes are flushed to the Secondary prior to UCN
acknowledgment.
• Flushing is done over the UCN.

Primary/secondary FSC-SMM UCN time sync
Both FSC-SMM Primary and Secondary will participate in UCN Time Sync.
However, FSC time sync is the responsibility of the FSC-SMM Primary. Upon
FSC-SMM failover/switchover:
• The new FSC-SMM Primary will initiate Event Recovery and issue a
request to the FSC to retransmit timestamped events which were
buffered over the last 20 seconds.
• The new FSC-SMM Primary will assume responsibility for FSC time
sync.


FSC-SMM redundant communication paths
FSC-SMM redundant communication paths are characterized by the following:
• Functionally redundant communication paths operate on a continual basis.
• FSC-SMM initiates the switchover of FSC-SMMs via the FSC Control
Processors by issuing requests to the FSC to set the FSC-SMM active or
inactive.
• FSC-SMM uses the UCN to exchange data between redundant
FSC-SMMs.
• FSC-SMM uses an intraslot (Primary to/from Secondary) messaging
service provided by the FSC. This additional communications path
assists the FSC-SMMs in diagnosing UCN or partner FSC-SMM
problems.

UCN-specific FSC-SMM redundancy
UCN-specific FSC-SMM redundancy is characterized by the following:
• On-line and spare FSC-SMMs have unique addresses, allowing both to
participate in UCN communications.
• Only the primary FSC-SMM in a pair can send point information on the
UCN at any given time.
• The FSC-SMM uses the UCN to also exchange RDR (status) records
between redundant FSC-SMMs.
• From the UCN's perspective, FSC-SM redundancy emulates that of
other UCN nodes. This includes redundant cable interfaces, cable
handling algorithms, redundant nodes, fixed UCN Shadow Addressing,
reconfigurable Primary/Secondary UCN Node Addressing, UCN Status
Display handling and redundancy status parameters.

ATTENTION If retries result in continued use of incorrect partner
addressing, an FSC-SMM that is in a start-up sequence (vs. an Idle or Run
state) will crash, having assumed that it could be corrupting the UCN.


3.3 Other Redundancy Considerations

UCN addressing
The UCN address is configured at the FSC user station and loaded with the
control program into the FSC Control Processors. The FSC user software only
allows odd UCN addresses to be configured.

In the ALIVE state, the FSC-SMM will display the odd address in the top
slot or the even address in the bottom slot.

In the IDLE/RUN states, the primary assumes the odd address (where
points are built) and the secondary assumes the even (backup) address.

When the FSC-SMM is installed, the FSC Control Processors load the
UCN address into the FSC-SMM.

See the FSC Software Manual for configuration details.

Preference
Preference toward one of the FSC-SMMs enables the redundant pair to better
resolve contention situations. Preference is based on top/bottom file
position; the top position is preferred (an FSC convention).

Hard failure
Hard failure situations will result in FSC-SMM shutdown (to the FAIL state
or total reset). Hard failure situations include component, program or
database failures which may or may not interfere with FSC Control Processor
operation, but are considered detrimental to either the FSC, the partner
FSC-SMM or the UCN.

ATTENTION The absence of communications will serve to signal the partner
FSC-SMM of the failure situation.


Failed node
A failed node is seen at the Operator Station's System Status display as
FAIL or OFFNET. Figure 3-4 shows the UCN Status display for a failed node.

ATTENTION Bring up this display when you have a failed or OFFNET node.
However, do not attempt to interpret these numbers. Call your Honeywell
Technical Assistance Center (TAC) personnel for assistance.

Figure 3-4 – US UCN Status Display for a Failed Node

[SM DETAIL / MAINT SUPPORT / NODE STS INFO / ERROR NODE STS / BLOCK INFO
display, captured 10 Jun 97 14:27:31. The display shows hexadecimal
diagnostic blocks for FSC-SM STATUS (bytes 00-0F), VERS/REVIS, FSC-SM
CONFIG, UCN STATS (D0-D7), MAINT SUPPORT (A0-A7) and SOFT FAILURE; the
individual values are not reproduced here. The status lines read:]

UCN 1      PRI/SEC PRIMARY    UCN CHANNEL CHANNELB    FILE POS NON_PREF
NODE 41    STATUS FAIL        AUTO SWAP ENABLE        SYNCHST NOSYNCH
TYPE SM    PLATFORM FSC



Section 4 – FSC Safety Manager Start-up and Shutdown
4.1 Cold Start-up

Section summary
This section contains the following topics:

Subsection   Topic             See Page
4.1          Cold Start-up     39
4.2          Warm Start-up     43
4.3          Shutdown          45

Cold start-up
Following power-up reset, the FSC-SMM will operate from Read-Only Memory
(ROM). It will perform self-testing and then arrive at one of the two ALIVE
states illustrated in Figure 4-1, depending on file position.

Figure 4-1 – Cold Start-up ALIVE States

Power-up/Reset
    |
Self-test
    |
    +-- Self-test complete, preferred file position (top)
    |     no PI detected
    |     -> Alive, with odd UCN shadow address (-64)
    |
    +-- Self-test complete, non-preferred file position (bottom)
          no PI detected
          -> Alive, with even UCN shadow address (-64)

ATTENTION Before the FSC-SMM can enter the ALIVE state, a Control Program
with the FSC-SMM configured must have been previously loaded into the Fail
Safe Controller from the FSC user station.

For more information on FSC start-up and shutdown, refer to the
FSC Software Manual.


Downloading FSC-SMM personality
Next, the operator must select one of the two FSC-SMM nodes (from the UCN
Status display) and initiate a Personality download.

Figure 4-2 – FSC-SMM Personality Download

Alive, with odd UCN shadow address   OR   Alive, with even UCN shadow address
                    |
            PI download started
                    |
            Alive, with PI downloading
                    |
            PI download completed
                    |
            Idle, with odd UCN address

ATTENTION Repeat the steps in Figure 4-2 to download the second FSC-SMM.
Note that the second FSC-SMM assumes the even UCN address.


Cold start-up - FSC-SMM idle state
When an FSC-SMM reaches the IDLE state, it begins searching for, or
communicating with, a partner FSC-SMM. This process is carried out over the
UCN.

Once contact is made with a partner, Primary/Secondary states are resolved
and the FSC-SMMs then move to synchronize their databases. This is
illustrated in Figure 4-3.

Figure 4-3 – Primary/Secondary Idle State Synchronization

Idle, with odd UCN address            Idle, with even UCN address
          |                                     |
Partner FSC-SMM detected              Partner FSC-SMM detected
          |                                     |
Idle, with unsynced Secondary         Idle, with unsynced Primary
          |                                     |
Partner database synced               Database synced
          |                                     |
Idle, with synced Secondary           Idle, with synced Primary


Cold start-up - FSC-SMM idle state, continued
During database synchronization, the Primary suspends all normal operations
involving its database. The synchronization process requires less than two
seconds to complete. During this time, any UCN parameter access requests are
queued for later servicing.

Figure 4-4 shows the UCN Status display once the FSC-SMMs have reached the
synchronized state. Note the "IDLE" or "OK" for the Primary and "BACKUP"
for the Secondary.

Figure 4-4 – FSC-SMM UCN Status Display Synchronized State

MAKE SELECTION                                     18 SEP 96 09:18:28   2
                                                   UCN CONTROL STATE: BASIC
UCN CABLE STATUS: OK        UCN 01 STATUS          UCN AUTO CHECKPNT: INHIBIT
                                                   NIM AUTO CHECKPNT: DISABLE

01 NIM 02    03 NIM 04    11 PM 12     13 LM 14     31 SM 32     35 SM 36
OK  BACKUP   OK  BACKUP   OK  BACKUP   OK  BACKUP   IDLE BACKUP  OK  BACKUP

LOAD/SAVE   CONTROL   AUTO       UCN CABLE   RUN       SLOT       DETAIL
RESTORE     STATES    CHECKPT    STATUS      STATES    SUMMARY    STATUS

PROGRAM     RESTORE   SAVE       CANCEL      ENTER
LOAD        DATA      DATA


4.2 Warm Start-up

Warm start-up
Warm start-up is the condition where an FSC-SMM has retained its Personality
(PI) and database after a reset. The device is therefore allowed to continue
processing without operator intervention.

FSC-SMM IDLE/RUN state - warm start-up
With warm start-up following reset, the FSC-SMM will operate from EPROM to
perform self-testing. It then looks for the existence of a valid Personality
and database and proceeds without operator intervention. The Personality
will take control of the FSC-SMM platform and bring the system to the state
it was in (IDLE or RUN) prior to the reset, assuming conditions allow
operation in that state to continue (e.g. the state of the control
processor).

ATTENTION The new Secondary, when swapped, will not perform any
self-test (fast restart).


FSC-SMM idle/run state - warm start-up, continued
Figure 4-5 illustrates the various steps for a warm start-up.

Figure 4-5 – FSC SMM Idle State - Warm Start-up

Power-up/Reset
    |
Self-test
    |
    +-- Self-test complete                      +-- Self-test complete
    |   Alive, with odd UCN shadow address      |   Alive, with even UCN shadow address
    |   PI detected                             |   PI detected
    |                                           |
    +------ Primary/Secondary status unresolved ------+
              |                                     |
           Primary                               Secondary
              |                                     |
Idle, with odd UCN address            Idle, with even UCN address
              |                                     |
Partner FSC-SMM detected              Partner FSC-SMM detected
              |                                     |
Idle, with unsynced Secondary         Idle, with unsynced Primary
              |                                     |
Partner database synced               Database synced
              |                                     |
Idle/run, with synced Secondary       Idle/run, with synced Primary


4.3 Shutdown

Shutdown
Shutdown returns an FSC-SMM to its ALIVE state. Shutdowns may be initiated
from the Operator Station using the procedure outlined in Table 4-1.

Table 4-1 – FSC-SMM Shutdown

Step  Action
1     Select the targeted node from the screen shown in Figure 4-6.
2     Select the "RUN STATES" target.
3     Select the "IDLE" target, then select "ENTER."
4     Select the "SHUTDOWN" target, then select "ENTER."

ATTENTION If the Shutdown command is received by a Primary that has a
Synced Secondary, a No-Fault Switchover (without resync) will be executed
prior to the shutdown.

UCN shutdown status display
Figure 4-6 shows the UCN Status display for FSC-SMM shutdown. The digits
(1) to (4) on the display mark the targets used in steps 1 to 4 of
Table 4-1.

Figure 4-6 – FSC-SMM Shutdown UCN Status Display

MAKE SELECTION                                     18 SEP 96 09:18:28   2
                                                   UCN CONTROL STATE: BASIC
UCN CABLE STATUS: OK        UCN 01 STATUS          UCN AUTO CHECKPNT: INHIBIT

01 NIM 02    03 NIM 04    11 PM 12     13 LM 14     31 SM 32     35 SM 36 (1)
OK  BACKUP   OK  BACKUP   OK  BACKUP   OK  BACKUP   OK  BACKUP   OK  BACKUP

LOAD/SAVE   CONTROL   AUTO       UCN CABLE   RUN (2)   SLOT       DETAIL
RESTORE     STATES    CHECKPT    STATUS      STATES    SUMMARY    STATUS

STARTUP     IDLE (3)  SHUTDOWN (4)  SWAP     CANCEL    ENTER
                                    PRIMARY



Section 5 – Performance Specifications
5.1 FSC-SMM Processor Resource Allocation

Section summary
This section contains the following topics:

Subsection   Topic                                       See Page
5.1          FSC-SMM Processor Resource Allocation       47
5.2          Performance Statistics                      48
5.3          Processing Units                            49

Performance specifications summary
Figure 5-1 outlines the relative allocation of FSC-SMM Processor resources
to the major tasks and functions for the FSC Safety Manager.

Figure 5-1 – FSC-SMM Processor Resource Allocation

Operating System Reserve                                              10%
Application Reserve                                                   10%
Overhead: FSC Interfacing, Database, Synchronization / Flushing,
  Diagnostics, UCN Communications                                     24%
Point Processing, Event Detection and Generation                      36%
Parameter Access                                                      20%

Overhead
One of the FSC-SMM Processor resource allocations that may need further
explanation is overhead. Overhead includes the background functions
required to support the FSC-SM node and the FSC-SMM interface to the FSC.
It includes the following:
• FSC Control Processor interfacing,
• diagnostics and status, and
• redundancy and checkpointing.


5.2 Performance Statistics

Performance specifications
Table 5-1 outlines the performance specifications for the FSC Safety
Manager.

Table 5-1 – Performance Specifications

Parameter                            Specification
Point Processing                     Scan rate: 1 sec. or 0.5 sec.
UCN Parameter Access                 800 read requests per second*
                                     100 control writes per second
Database Synchronization             2 seconds for a maximum database of 250 Kbytes
Failover                             5 seconds
Primary/Secondary Switchover and     2 seconds
Point Process Priming
SOE Resolution                       FSC Control Program scan time

* Represents a combined load of LCN (US, HM, AM, CM) and UCN (peer-to-peer)
  initiated requests.


5.3 Processing Units

Processing units for the FSC-SMM
Table 5-2 outlines the processing units for the FSC-SMM.

Table 5-2 – Processing Units for the FSC-SMM

Point Type               Processing Units per Point   Processing Units per Point
                         for 0.5 s scan period        for 1 s scan period
Digital Input            1.9                          0.95
Digital Output           1.3                          0.65
Digital Composite        8.1                          4.05
Analog Input             12.5                         6.25
Analog Output            3.1                          1.55
Logic Slot               200                          100
Flag (SLOTNUM ≤ 512)     0                            0
Flag (SLOTNUM > 512)     0                            0
Numeric                  0                            0
Timer                    1.9                          0.95



Section 6 – NIM Processing
6.1 Estimating NIM Loading

Section summary
This section contains the following topics:

Subsection   Topic                                          See Page
6.1          Estimating NIM Loading                         51
6.2          Assessment of NIM Processing Load              53
6.3          "Remote" NIM Sharing Processing Load           54

NIM processing load example
Table 6-1 gives an example of an NIM processing load estimate. In this
example, the total induced load is 335, which is 33.5% of the maximum load
allowed for an NIM.

Table 6-1 – NIM Processing Load Estimator

Load Sources                      Units to be Entered in Number Column        Number   Load Factor   Induced Load

PM/LM/SM Induced Load
  PMs, LMs and SMs on UCN         Number of PMs, LMs and SMs on UCN           1        10            10

US Induced Load
  Universal Stations              Number principally accessing this NIM       3        15            45
  Schematic Displays on those USs Number principally accessing this NIM       1        30            30

HM Induced Load
  History Modules                 Number principally accessing this NIM       1        30            30
  Checkpointing                   Number of HMs checkpointing this NIM        1        70            70

AM and CG Induced Loads
  AMs with 68020 microprocessor   Number principally accessing this NIM       1        150           150
  AMs with 68000 microprocessor   Number principally accessing this NIM       0        95            0
  Computer Gateways               Number principally accessing this NIM       0        60            0

                                                        Total Induced Load:                          335
                                                        Maximum Allowable Load:                      1000
                                                        % of Maximum Allowable Load:                 33.5%


Estimating NIM processing loading
The NIM processing load estimate is calculated as outlined in Table 6-2.

Table 6-2 – NIM Processing Load Estimate Calculation

Step  Action
1     Multiply the value you entered in the Number column in Table 6-1 by
      the factor in the Load Factor column.
2     Enter the results in the Induced Load column.
3     Total the values in the Induced Load column.

ATTENTION You should make such an estimate for each NIM in your
system.

Considerations for NIM load calculation
You should keep the following factors in mind when calculating the NIM
processing load:
• Count redundant node pairs (NIMs, AMs, PMMs, LMs and SMs) as
one.
• The load factor for schematic displays is based on a schematic with 250
parameters which is principally accessing this NIM (four-second update
intervals).
• The AM load factor is based on a fully loaded AM accessing data from
this NIM.
• If you have several NIMs, you might consider using a spreadsheet on a
personal computer to do your calculations.


6.2 Assessment of NIM Processing Load

NIM processing load categories
Table 6-3 outlines the NIM processing load categories.

Table 6-3 – NIM Processing Load Categories

Induced Load        Rating                      Performance Result
Less than 750       Performance as Specified    Will perform as specified under all actual
(75%)                                           system use conditions.
750 to 1000         Marginally Acceptable       Display of information from this NIM and its
(75% to 100%)                                   reporting of events may occasionally be
                                                sluggish, especially during a process upset
                                                or a peak load such as multiple point loading.
More than 1000      Overloaded                  Should a failover to the backup NIM or some
(100%)                                          other system upset occur, the view to the
                                                process may be temporarily lost.
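The estimate in Table 6-1, the calculation steps in Table 6-2, the "count redundant pairs as one" consideration and the rating bands in Table 6-3 fit together into one small calculator. The block below is an added example and not Honeywell software; the load factors and limits are the ones printed in the tables, while the dictionary keys, function names and the choice to treat the one counted node in Table 6-1 as a redundant SM pair are assumptions of the example.

```python
"""NIM processing-load estimator (added example built from Tables 6-1 to 6-3).

Not Honeywell software. Load factors and the 1000-unit ceiling are from the
manual; the keys, function names and sample node list are assumptions here.
"""
from typing import Dict, Iterable, Tuple

# Load factor per counted unit, exactly as printed in Table 6-1.
LOAD_FACTORS: Dict[str, int] = {
    "pm_lm_sm_on_ucn":     10,   # PMs, LMs and SMs on the UCN
    "universal_stations":  15,   # USs principally accessing this NIM
    "schematic_displays":  30,   # schematics on those USs (250 parameters, 4 s update)
    "history_modules":     30,   # HMs principally accessing this NIM
    "hm_checkpointing":    70,   # HMs checkpointing this NIM
    "am_68020":           150,   # AMs (68020) principally accessing this NIM
    "am_68000":            95,   # AMs (68000) principally accessing this NIM
    "computer_gateways":   60,   # CGs principally accessing this NIM
}
MAX_ALLOWABLE_LOAD = 1000


def count_nodes(addresses: Iterable[int], redundant_pairs: Iterable[Tuple[int, int]]) -> int:
    """Count load-source nodes with each redundant pair counted as one (6.1)."""
    present = set(addresses)
    pairs = [p for p in redundant_pairs if set(p) & present]
    paired = {a for p in pairs for a in p}
    return len(pairs) + len(present - paired)


def induced_loads(counts: Dict[str, int]) -> Dict[str, int]:
    """Table 6-2 step 1: Number column x Load Factor column, row by row."""
    unknown = set(counts) - set(LOAD_FACTORS)
    if unknown:
        raise ValueError(f"unknown load source(s): {sorted(unknown)}")
    return {src: counts.get(src, 0) * factor for src, factor in LOAD_FACTORS.items()}


def total_induced_load(counts: Dict[str, int]) -> int:
    """Table 6-2 step 3: total of the Induced Load column."""
    return sum(induced_loads(counts).values())


def rating(total: int) -> str:
    """Performance category from Table 6-3."""
    if total < 750:
        return "Performance as Specified"
    if total <= MAX_ALLOWABLE_LOAD:
        return "Marginally Acceptable"
    return "Overloaded"


def estimate(counts: Dict[str, int]) -> Tuple[int, float, str]:
    """Return (total, percent of maximum allowable load, rating)."""
    total = total_induced_load(counts)
    return total, 100.0 * total / MAX_ALLOWABLE_LOAD, rating(total)


# The Table 6-1 example. Constructed assumption: the single counted node is
# the SM 31/32 redundant pair seen on the UCN Status displays, counted once.
TABLE_6_1_COUNTS = {
    "pm_lm_sm_on_ucn": count_nodes([31, 32], [(31, 32)]),
    "universal_stations": 3,
    "schematic_displays": 1,
    "history_modules": 1,
    "hm_checkpointing": 1,
    "am_68020": 1,
}

if __name__ == "__main__":
    for src, load in induced_loads(TABLE_6_1_COUNTS).items():
        print(f"{src:22s} {load:5d}")
    total, pct, cat = estimate(TABLE_6_1_COUNTS)
    print(f"Total Induced Load: {total} ({pct:.1f}% of {MAX_ALLOWABLE_LOAD}) -> {cat}")
```

Run it once per NIM, as the ATTENTION note above asks; an entry of 0 for a source you do not have is equivalent to leaving the row blank in the worksheet.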


6.3 "Remote" NIM Sharing Processing Load

Adding NIMs to the UCN
An additional NIM (or redundant NIM pair) can be added to the UCN and the
LCN to share the processing load with another NIM. Figure 6-1 illustrates
the new UCN configuration with an additional NIM.

Figure 6-1 – Additional NIMs on UCN Configuration

                LCN   (LCN nodes see two logical UCNs)
             |                 |
            NIM               NIM
             |                 |
            One physical UCN

NIM assignments
From the LCN viewpoint, the two NIMs (two redundant NIM pairs) are on
separate process networks, even though they are connected to the same
physical UCN. NIM assignments are as follows:
• NIM 1 (configured as ThisNIM) - assigned to process network n (n is in
the range from 1 to 20; each UCN and each Data Highway is one
process network).
• NIM 2 (configured as RemotNIM) - assigned to process network n+1.

ATTENTION Assignment of network numbers is arbitrary, but it must be
consistent. Logical assignment simplifies operating practices (see
Figure 6-2).


Implementation of two logical process networks
To implement two logical process networks, you must follow the procedure
outlined in Table 6-4.

Table 6-4 – Implementation of Two Logical Process Networks

Step  Action
1     ThisNIM and RemotNIM and their process networks must be defined in
      the Network Configuration File (NCF) through the Engineering
      Personality's LCN NODES activity.
2     All UCN nodes, including NIMs, must be defined on both process
      networks by building UCN entities (NIM points) and node-specific
      entities (box points).
3     In the UCN node entities, approximately half of the nodes on each
      process network are configured with NODEASSN = ThisNIM and the
      remainder with NODEASSN = RemotNIM.
4     Each node assigned as ThisNIM on process network n is assigned as
      RemotNIM on n+1, and each node assigned as ThisNIM on process
      network n+1 is assigned as RemotNIM on network n.

NIM addition example
Figure 6-2 gives an example of an additional NIM on a UCN configuration.

Figure 6-2 – Specific Example of Additional NIM on a UCN

                   LCN
            |               |
           NIM             NIM
      NIMs 01 and 02   NIMs 03 and 04
            |               |
          Logical UCNs 01 and 02
            |               |
          PM 05           SM 07


NIM addition example, continued
For the UCN node numbers in Figure 6-2, you would build the UCN node and
node-specific entities as outlined in Table 6-5.

Table 6-5 – Building UCN Node and Node-specific Entities

Node     UCN   UCN Entity Name   NODEASSN   Node-Specific Entity Name
NIM 01   01    $NM01N01          ThisNIM    N/A
NIM 02   01    $NM01N02          ThisNIM    N/A
NIM 03   01    $NM01N03          RemotNIM   N/A
NIM 04   01    $NM01N04          RemotNIM   N/A
PM05     01    $NM01N05          ThisNIM    $NM01B05
SM07     01    $NM01N07          RemotNIM   $NM01B07
NIM 01   02    $NM02N01          RemotNIM   N/A
NIM 02   02    $NM02N02          RemotNIM   N/A
NIM 03   02    $NM02N03          ThisNIM    N/A
NIM 04   02    $NM02N04          ThisNIM    N/A
PM05     02    $NM02N05          RemotNIM   $NM02B05
SM07     02    $NM02N07          ThisNIM    $NM02B07
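Steps 2 to 4 of Table 6-4 are mechanical enough to generate, and generating them is the easiest way to be sure the ThisNIM/RemotNIM flip between network n and n+1 is consistent for every node. The block below is an added example, not Honeywell tooling: the $NMnnNxx and $NMnnBxx entity name patterns, the ThisNIM/RemotNIM values and the 1 to 20 network range are from the manual; the function names, the input layout and the row tuple are assumptions of the example. The same naming applies to the UCN point building example in 7.1.

```python
"""UCN and node-specific entity names for two logical process networks.

Added example reproducing Table 6-5 from Figure 6-2; not Honeywell tooling.
Name patterns and NODEASSN values come from the manual; the functions and
the input layout are assumptions of this example.
"""
from typing import Dict, List, Set, Tuple

# (node label, network number, UCN entity, NODEASSN, node-specific entity or "N/A")
Row = Tuple[str, int, str, str, str]


def ucn_entity(network: int, node: int) -> str:
    """UCN entity (NIM point) name: $NMnnNxx."""
    return f"$NM{network:02d}N{node:02d}"


def box_entity(network: int, node: int) -> str:
    """Node-specific entity (box point) name: $NMnnBxx."""
    return f"$NM{network:02d}B{node:02d}"


def node_label(kind: str, node: int) -> str:
    return f"NIM {node:02d}" if kind == "NIM" else f"{kind}{node:02d}"


def build_entities(n: int, nodes: Dict[int, str], this_nim_on_n: Set[int]) -> List[Row]:
    """Table 6-4 steps 2-4: every node is built on both networks n and n+1;
    a node that is ThisNIM on n is RemotNIM on n+1 and vice versa.
    NIMs have no node-specific (box) entity."""
    if not (1 <= n and n + 1 <= 20):
        raise ValueError("process networks n and n+1 must both lie in 1..20")
    rows: List[Row] = []
    for network in (n, n + 1):
        for node in sorted(nodes):
            kind = nodes[node]
            on_this = (node in this_nim_on_n) == (network == n)
            assn = "ThisNIM" if on_this else "RemotNIM"
            box = "N/A" if kind == "NIM" else box_entity(network, node)
            rows.append((node_label(kind, node), network, ucn_entity(network, node), assn, box))
    return rows


def assignment_balance(rows: List[Row], network: int) -> Tuple[int, int]:
    """Table 6-4 step 3 check: (ThisNIM count, RemotNIM count) on one network."""
    this = sum(1 for r in rows if r[1] == network and r[3] == "ThisNIM")
    remote = sum(1 for r in rows if r[1] == network and r[3] == "RemotNIM")
    return this, remote


# Figure 6-2: NIMs 01-04, PM 05 and SM 07 on logical UCNs 01 and 02.
FIGURE_6_2_NODES = {1: "NIM", 2: "NIM", 3: "NIM", 4: "NIM", 5: "PM", 7: "SM"}
FIGURE_6_2_THIS_ON_01 = {1, 2, 5}   # NIMs 01/02 and PM05 are ThisNIM on network 01

if __name__ == "__main__":
    table = build_entities(1, FIGURE_6_2_NODES, FIGURE_6_2_THIS_ON_01)
    for label, net, ucn, assn, box in table:
        print(f"{label:8s} {net:02d}   {ucn:10s} {assn:9s} {box}")
    print("balance on 01:", assignment_balance(table, 1))
```

The printed rows match Table 6-5 line for line; assignment_balance is the quick check that roughly half the nodes on each logical network are ThisNIM, which is what step 3 asks for.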


Operational considerations for two logical NIMs
Take into account the following considerations when you have two logical
process networks (NIMs).
• Use the SAVE DATA target to checkpoint data from the UCN nodes. The
restoration of checkpoint data to the nodes can be accomplished only from
the UCN Status display of the process network the nodes are assigned to
(NODEASSN = ThisNIM).
• If you try data restoration from the wrong display, a "node assignment"
error message appears. If some of the points in a UCN node are assigned
to process network n+1, you will have to use SAVE DATA twice, once for
each UCN Status display.
• For automatic checkpointing to save all data, you must enable it through
the UCN Status displays for both process networks.
• Alarming, message transfers and event-initiated processing are handled
by the NIMs and no special operational considerations are required.
• If FSC-SMM memory is corrupted, a checksum error will be detected.

Operational considerations for two logical UCNs
Take into account the following considerations when building process points
to reside on two logical UCNs.
• Assign approximately equal numbers of points to each UCN (parameter
NTWKNUM).
• Assign points that use peer-to-peer communication to the same UCN.



Section 7 – Building UCN and Node-specific Points
7.1 UCN Point Building

Section summary
This section contains the following topics:

Subsection   Topic                           See Page
7.1          UCN Point Building              59
7.2          Node-specific Point Building    61
7.3          Box Configuration               66

UCN point building summary
One UCN point must be built for each node on the UCN. This includes each
NIM and FSC-SM (non-redundant and redundant).

The UCN and LCN points are reserved entities (see Subsection 2.1 of the
Data Entity Builder Manual). These entities must be built and loaded
before data points can be loaded into the UCN nodes.

UCN point building procedure
UCN points are built with the Data Entity Builder. Table 7-1 outlines the
procedure.

Table 7-1 – UCN Point Building

Step  Action
1     Select NETWORK INTERFACE MODULE on the Engineering Main Menu.
2     Select UCN NODE CONFIGURATION.
      For information about the values to be entered, refer to the FSC
      Safety Manager Parameter Reference Dictionary in the Implementation
      FSC Safety Manager binder.


UCN point building example
The example below shows how reserved entities would be built for the UCN
shown in Figure 7-1.

EXAMPLE:

UCN Node                            UCN Point    Node-specific Point
NIM, UCN node no. 1                 $NM02N01     N/A
NIM, UCN node no. 2                 $NM02N02     N/A
FSC-SM (or PM, LM), node no. 9      $NM02N09     $NM02B09

Figure 7-1 – UCN Node Configuration

              LCN
          |         |
        NIM 01    NIM 02
          |         |
        UCN 02   <-- process network number for this UCN (0-20)
          |
   nodes 09, 11, 13, 15, 17, 19


7.2 Node-specific Point Building

Node-specific point building summary
You must build node-specific points for each FSC-SM, including all
redundant pairs on the UCN. Figure 7-2 shows where the node-specific FSC-SM
data point information resides within the implementation scheme.

Figure 7-2 – FSC-SM Implementation Dependencies

UCN Points
  NIM Points
    SM Points
      FSC-SMM (SMM Data Points)
        FSC

FSC-SMM database
The FSC Safety Manager Module database is configured from the Universal
Station. Once loaded into the FSC Safety Manager, this FSC-SMM
configuration data can be saved on the History Module and downloaded over
the UCN to the FSC-SMM.

Functional Logic Diagram database
The FLD Control Program for the FSC is developed using the FSC user
software. Once loaded in the memory of the FSC Control Processors, the
control programs are saved in the FSC database on the FSC user station,
where multiple FLD programs can be saved under separate file names.

ATTENTION All diagnostic information that is provided in the FSC is
available at the US.


Determining total FSC-SMM processing units
The maximum number of Processing Units for the FSC-SMM is 7500. Before
building point displays, it is important that you determine your target
maximum point counts and Processing Units. This can be done using
Table 7-2.

Table 7-2 – Target Maximum Point Counts and Processing Units

Point Type                 Maximum       Processing        Number of         Total
                           Allowable     Unit Value        Points            Processing
                           Point Count   Per Point         Desired           Units
Digital Input
  0.5 sec. digital scan    2000          1.9         X     _______     =     __________
  1.0 sec. digital scan                  0.95        X     _______     =     __________
Digital Output
  0.5 sec. digital scan    2000          1.3         X     _______     =     __________
  1.0 sec. digital scan                  0.65        X     _______     =     __________
Digital Composite
  0.5 sec. digital scan    1000          8.1         X     _______     =     __________
  1.0 sec. digital scan                  4.05        X     _______     =     __________
Analog Input
  0.5 sec. analog scan     1000          12.5        X     _______     =     __________
  1.0 sec. analog scan                   6.25        X     _______     =     __________
Analog Output
  0.5 sec. analog scan     1000          3.1         X     _______     =     __________
  1.0 sec. analog scan                   1.55        X     _______     =     __________
Logic
  0.5 sec. digital scan    30            200         X     _______     =     __________
  1.0 sec. digital scan                  100         X     _______     =     __________
Timer
  0.5 sec. digital scan    1500          1.9         X     _______     =     __________
  1.0 sec. digital scan                  0.95        X     _______     =     __________

POINT PROCESSING TOTAL                                                       __________


Determining total FSC-SMM processing units, continued
ATTENTION Please note the following:
• 0.5 sec. digital scan when scan rate = AR1DT2 or AR2DT2.
  1.0 sec. digital scan when scan rate = AR1DT1.
  0.5 sec. analog scan when scan rate = AR2DT2.
  1.0 sec. analog scan when scan rate = AR1DT2.
• The Point Processing total must be 7500 or less to be valid.
• The maximum number of connections between FSC-SMM points
and FSC variables is 2000, excluding connections made via flag and
numeric points.
• FLAG and NUMERIC points use a fixed amount of processing
overhead (PU = 0) and therefore are not required to be calculated into
the Point Mix determination. You can configure as many as:
− 2000 Flag points
− 1000 Numeric points.

ATTENTION Table 7-2 may be reproduced for use as a configuration
worksheet.
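Filling in Table 7-2 by hand is error-prone once the SCANRATE choice changes the unit values of every row, so the worksheet and the limits from the note above are worth scripting. The block below is an added example, not Honeywell software: the per-point unit values, the point-count ceilings, the 7500 PU limit and the 2000-connection limit are the manual's; the SCANRATE decoding follows the note above except that the analog period for AR1DT1 (not stated in the note) is assumed from the naming to be 1.0 s; the function names are assumptions too. It is fed with the slot counts from the Figure 7-3/7-4 screens.

```python
"""FSC-SMM processing-unit worksheet (added example of Table 7-2 and its notes).

Not Honeywell software. Unit values and limits are from the manual. Assumed
here: AR1DT1 gives a 1.0 s analog scan (the note only states its digital
period), and all function names.
"""
from typing import Dict, List, Tuple

# Processing units per point for 0.5 s and 1.0 s scan periods (Tables 5-2 / 7-2).
PU_PER_POINT: Dict[str, Dict[float, float]] = {
    "digital_input":     {0.5: 1.9,  1.0: 0.95},
    "digital_output":    {0.5: 1.3,  1.0: 0.65},
    "digital_composite": {0.5: 8.1,  1.0: 4.05},
    "analog_input":      {0.5: 12.5, 1.0: 6.25},
    "analog_output":     {0.5: 3.1,  1.0: 1.55},
    "logic":             {0.5: 200,  1.0: 100},
    "timer":             {0.5: 1.9,  1.0: 0.95},
}
# Maximum allowable point counts (Table 7-2; flags and numerics from the note).
MAX_POINTS = {"digital_input": 2000, "digital_output": 2000, "digital_composite": 1000,
              "analog_input": 1000, "analog_output": 1000, "logic": 30, "timer": 1500,
              "flag": 2000, "numeric": 1000}
ANALOG_TYPES = {"analog_input", "analog_output"}
FIXED_OVERHEAD_TYPES = {"flag", "numeric"}     # PU = 0, not part of the point mix
MAX_PROCESSING_UNITS = 7500
MAX_FSC_CONNECTIONS = 2000


def scan_periods(scanrate: str) -> Tuple[float, float]:
    """Decode SCANRATE into (analog period, digital period) in seconds."""
    table = {"AR1DT1": (1.0, 1.0),   # analog 1.0 s is an assumption of this example
             "AR1DT2": (1.0, 0.5),
             "AR2DT2": (0.5, 0.5)}
    if scanrate not in table:
        raise ValueError(f"unknown SCANRATE {scanrate!r}")
    return table[scanrate]


def worksheet(point_counts: Dict[str, int], scanrate: str) -> Dict[str, float]:
    """Table 7-2 rows: processing units contributed by each point type."""
    analog_p, digital_p = scan_periods(scanrate)
    rows: Dict[str, float] = {}
    for ptype, n in point_counts.items():
        if ptype in FIXED_OVERHEAD_TYPES:
            rows[ptype] = 0.0
            continue
        period = analog_p if ptype in ANALOG_TYPES else digital_p
        rows[ptype] = n * PU_PER_POINT[ptype][period]
    return rows


def check_configuration(point_counts: Dict[str, int], scanrate: str,
                        fsc_connections: int = 0) -> Tuple[float, List[str]]:
    """Return (POINT PROCESSING TOTAL, list of violated limits)."""
    problems: List[str] = []
    for ptype, n in point_counts.items():
        if n > MAX_POINTS[ptype]:
            problems.append(f"{ptype}: {n} exceeds maximum allowable point count {MAX_POINTS[ptype]}")
    total = sum(worksheet(point_counts, scanrate).values())
    if total > MAX_PROCESSING_UNITS:
        problems.append(f"point processing total {total:.2f} exceeds {MAX_PROCESSING_UNITS}")
    if fsc_connections > MAX_FSC_CONNECTIONS:
        problems.append(f"FSC connections {fsc_connections} exceed maximum {MAX_FSC_CONNECTIONS}")
    return total, problems


# Slot counts from the Figure 7-3 / 7-4 node-specific configuration screens.
FIGURE_7_3_COUNTS = {"analog_input": 100, "analog_output": 5, "digital_input": 600,
                     "digital_output": 400, "logic": 20, "digital_composite": 80,
                     "numeric": 1000, "flag": 1000, "timer": 10}

if __name__ == "__main__":
    for rate in ("AR1DT1", "AR1DT2", "AR2DT2"):
        total, problems = check_configuration(FIGURE_7_3_COUNTS, rate)
        print(f"{rate}: POINT PROCESSING TOTAL = {total:.2f}", problems or "OK")
```

Running the three SCANRATE values against the same slot counts shows why the note ties scan rate to the unit values: the identical configuration is within budget at AR1DT1 and AR1DT2 but over 7500 at AR2DT2, where the logic slots alone cost 4000 units.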


7.2 Node-specific Point Building, Continued

Node-specific building displays
Figure 7-3 and Figure 7-4 show the node-specific building displays for the
US.

Figure 7-3 – Node-specific Building Displays - Screen 1

PED >>>>>>   POINT: $NM10B61   UNIT: SY

NODE-SPECIFIC CONFIGURATION (FOR SM)

NUMBER OF ANALOG INPUT SLOTS         (NAISLOT)    100
NUMBER OF ANALOG OUTPUT SLOTS        (NAOSLOT)    5
NUMBER OF DIGITAL INPUT SLOTS        (NDISLOT)    600
NUMBER OF DIGITAL OUTPUT SLOTS       (NDOSLOT)    400
NUMBER OF LOGIC SLOTS                (NLOGSLOT)   20
NUMBER OF DIG. COMPOSITE SLOTS       (NDCSLOT)    80
DIG. COMPOSITE NONE STATE            (NONETXT)    NONE
NUMBER OF NUMERICS                   (NNUMERIC)   1000
SM START ADDR OF NUM ARRAY           (NNLSBA)     41001

F1=PED           F3=      F5=OVERWRITE   F7=RECON         F9=WLK BACK   F11=
F2=RECALL DISP   F4=      F6=            F8=PED STATUS    F10=WRITE     F12=LOAD


Figure 7-4 – Node-specific Building Displays - Screen 2

PED >>>>>>   POINT: $NM10B61   UNIT: SY

NODE-SPECIFIC CONFIGURATION (FOR SM)

NUMBER OF FLAGS                      (NFLAG)      1000
SM START ADDR OF FLAG ARRAY          (FLLSBA)     2001
NUMBER OF TIMERS                     (NTIMER)     10
SCAN RATE                            (SCANRATE)   AR1DT1   AR1DT2   AR2DT2

F1=PED           F3=      F5=OVERWRITE   F7=RECON         F9=WLK BACK   F11=
F2=RECALL DISP   F4=      F6=            F8=PED STATUS    F10=WRITE     F12=LOAD


7.3 Box Configuration

Data point building
Data points are built with the Data Entity Builder. Table 7-3 outlines the
procedure you should use.

Table 7-3 – Data Point Building

Step  Action
1     Select NETWORK INTERFACE MODULE from the Engineering Main Menu.
2     Select PROCESS POINT BUILDING.
3     Choose the type of point(s) desired (i.e. Analog, Digital, Digital
      Composite, Timer, Flag, Numeric, Logic).
4     Select the point type options desired. Refer to the FSC Safety
      Manager Control Functions manual for information about each point
      type.

      ATTENTION FSC-SMM output points cannot be mapped to FSC outputs.
      FSC programming (using FLDs) is required to affect real output
      control. This can only be done at the FSC user station using the
      FSC Development System software (R42x) or FSC Navigator software
      (R500).

5     Select the Parameter Entry screen displays. Enter parameters. Refer
      to the FSC Safety Manager Parameter Reference Dictionary for
      parameter details.

      Refer to the FSC Safety Manager Installation Guide in this binder
      for US configuration of FSC-SMM data points.

Loading points: Points are loaded by selecting appropriate targets on the Data Entity Builder's Command Menu or from the Parameter Entry display by pressing a function key.

ATTENTION: Points can only be loaded when the designated slot is in the inactive state.



Section 8 – Error Handling
8.1 Soft Failures

Section summary: This section contains the following topics:

Subsection  Topic                          See Page
8.1         Soft Failures                  67
8.2         Hard Failures                  70
8.3         Point Configuration Errors     71
8.4         Communication Errors           72

Soft failures: Soft failures are situations where control and process view are maintained, but a fault has jeopardized system integrity. An FSC Safety Manager soft failure may have many different causes.

Softfail descriptions: Table 8-1 lists the types of softfails that may be encountered.

Table 8-1 – Softfail Descriptions

Code  Journaled Text  Text Displayed on FSC-SMM Diagnostic Displays  Interpretation and/or Comments
19    UCNPRSFL        Primary Cannot Talk to Secondary on UCN        FSC-SMM has lost the ability to communicate over the UCN.
20    UCNSCPFL        Secondary Cannot Talk to Primary on UCN        FSC-SMM has lost the ability to communicate over the UCN.
21    NOSYNCH         Secondary Not Synched                          Loss of FSC-SMM Redundancy.
34    UCNOVRUN        UCN Overrun                                    FSC-SMM unable to prefetch data from remote nodes (peer-to-peer inputs).
35    PPXOVRUN        Point Processor Overrun                        FSC-SMM point scanning is lagging behind schedule.
54    LCLLNOSC        LC Not Scanning                                FSC-SMM Point Processing requires the Logic Controller to scan its inputs and its user program.
63    LCIOCDFL        LC Comm or I/O Card Fault                      FSC System Aliases are signaling an I/O fault.
80    SMTSFLT         FSC-SMM Time Synch Failure                     Set by an FSC-SMM upon detection of a UCN Time Sync failure. Causes include: UCN Time Synch hardware/software failure.
81    LCTSFLT         LC Time Synch Failure                          Set by an FSC-SMM upon detection of a Logic Controller Time Synch error. Causes include: FSC Time Synch hardware failure; FSC Time Synch command processing failure.

Soft failures US display: Figure 8-1 shows a US display which provides the various FSC Safety Manager soft failures and their corresponding error codes.

ATTENTION Active soft failures will be highlighted.

Figure 8-1 – US Display: Soft Failures

21 May 97 22:42:20 1
SM DETAIL SOFT FAILURES

Display targets: FSC-SM STATUS, VERS/REVIS, FSC-SM CONFIG, UCN STATS, MAINT SUPPORT, SOFT FAILURE

19 Primary Cannot Talk to Secondary on UCN
20 Secondary Cannot Talk to Primary on UCN
21 Secondary Not Synched
34 UCN Overrun
35 Point Processing Overrun
54 LC Not Scanning
63 LC Comm or I/O Card Fault
80 SMM Time Synch Failure
81 LC Time Synch Failure

UCN 1     PRI/SEC PRIMARY    UCN CHANNEL CHANNEL B    FILE POS NON_PREF
NODE 31   STATUS OK          AUTO SWAP ENABLE         SYNCHST SYNCHED
TYPE SM   PLATFORM FSC



8.2 Hard Failures

Hard failures summary: Hard failures will result in FSC-SMM shutdown (to the FAIL state, ALIVE state or total reset). Hard failures include the following:
• component failure,
• program or database failure.

Crash codes: Fail (crash) situations involve a large number of possible error codes. Contact the Technical Assistance Center (TAC) for help in identifying the causes of such failures.



8.3 Point Configuration Errors

Errors in configuring points: The FSC-SMM will only recognize LC aliases previously configured within the FSC. Table 8-2 lists configuration errors for the FSC Safety Manager.

Table 8-2 – Configuration Errors

Error                   Description
ILLEGAL VALUE           Attempt to write an FSC hardware addressing parameter (e.g. PLCADDR, LODSTN, CCSRC, ILCxxxxx, etc.) which specifies an Alias not available within the host FSC.
READ ONLY               Response to attempts to write to a read-only FSC-SM parameter.
CONFIGURATION MISMATCH  An invalid LC alias (PLCADDR). Attempts to change PTEXECST to ACTIVE will be denied.



8.4 Communication Errors

US display for communication errors: Figure 8-2 is the US display which allows you to access the Communication Error Block screen. To do this, you need to select the "NODE STS INFO" target.

Figure 8-2 – US Display: NODE STS INFO Target

10 Jun 97 14:27:31 1
SM DETAIL MAINT SUPPORT NODE STS INFO

Display targets: ERROR BLOCK, NODE STS INFO, BOX, FSC-SM STATUS, VERS/REVIS, FSC-SM CONFIG, UCN STATS, MAINT SUPPORT, SOFT FAILURE

FAILURE INFO
  CURRENT PROCESSOR FAILURE       : NULL
  PREVIOUS STATUS                 : OFFNET

REDUNDANCY INFO
  REDUN PARTNER UCN VISIBILITY    : VISIBLE
  REDUN PARTNER PL VISILIBITY     : NOT VISIBLE

PERSONALITY LOAD INFO
  NODE LOAD FAILURE INFO          : 0
  LOAD FLAGS                      : 40
  LOAD PACKET NUMBER              : 914
  NODE PERFORMING LOAD            : 1

STARTUP/FAILOVER INFO             : 00

UCN 1     PRI/SEC PRIMARY    UCN CHANNEL CHANNELB     FILE POS NON_PREF
NODE 31   STATUS OK          AUTO SWAP ENABLE         SYNCHST SYNCHED
TYPE SM   PLATFORM FSC

US display showing UCN statistics: Figure 8-3 shows the US UCN statistics display which lists the various UCN communication error statistics, along with other UCN statistics. The values given are samples of what might be expected.

Figure 8-3 – US Display: UCN Statistics Screen, Page 1

10 Jun 97 14:27:31 1
SM DETAIL UCN STATS PAGE 1

Display targets: HELP, RESET STATS, STATS PAGE 2, BOX, FSC-SM STATUS, VERS/REVIS, FSC-SM CONFIG, UCN STATS, MAINT SUPPORT, SOFT FAILURE

NO COPY BUFFERS               0     TOTAL CABLE SWAPS        1
TOKEN ROTATION TIME           0     CABLE A SILENCE          0
NO SUCCESSOR FOUND            0     CABLE B SILENCE          0
ASKED WHO FOLLOWS             0     CABLE A NOISE            0
TOKEN PASSED FAILED           0     CABLE B NOISE            0
NOISE BITS                    0     NO-RESPONSE ERRORS       0
CHECKSUM ERROR                0     UNEXPECTED RESPONSES     0
REPEATER ERROR                0     ERRORS IN RESPONSES      0
PARTIAL FRAME                 0     AUTO-RECONNECTS          0
RECEIVED FRAME TOO LONG       0
NO RECEIVE BUFFERS            0     LOCAL MESSAGES           0
RECEIVE OVERRUN               0     MESSAGES SENT          306
DUPLICATE RWR                 0     MESSAGES RECEIVED      122
NULL RWR (RESYNCH)            0     MESSAGES DISCARDED       0
TRANSMIT UNDERRUN             0     REPLY TIMEOUTS           0
TRANSMIT FRAME TOO LONG       0

UCN 1     PRI/SEC PRIMARY    UCN CHANNEL CHANNELB     FILE POS NON_PREF
NODE 31   STATUS OK          AUTO SWAP ENABLE         SYNCHST SYNCHED
TYPE SM   PLATFORM FSC

UCN addressing errors: An FSC Safety Manager UCN address is configured at the FSC user station. Range checking within the FSC user software is assumed (1-63, odd addresses only). The top/bottom module placement within a given slot determines top/bottom shadow addressing. It is therefore impossible for an FSC-SMM to operate with an invalid UCN address. However, there is no protection against duplicate use of a UCN address.
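Because duplicate UCN addresses are not caught by the FSC user software, a pre-download check of the planned address list is worthwhile. The following is an added example, not code from the manual or from Honeywell: it applies the range and odd-only rules stated above and reports duplicates. The function name, the node names and the sample data are constructed.

```python
# Added example (not from the Honeywell FSC manual): check a planned set of
# FSC-SMM UCN addresses before they are configured at the FSC user station.
# The range rule (1-63) and the odd-only rule are the ones the manual states
# the FSC user software enforces; the duplicate check is the one the manual
# says is missing, so it has to be done by the engineer.

UCN_ADDR_MIN, UCN_ADDR_MAX = 1, 63


def validate_ucn_addresses(nodes):
    """Return a list of error strings for a {node_name: ucn_address} mapping.

    Checks performed, in order, per node:
      - address is an integer in 1..63,
      - address is odd (even addresses are not valid FSC-SMM addresses),
      - address has not already been claimed by another node.
    An empty list means the plan is consistent.
    """
    errors = []
    seen = {}  # address -> first node name that claimed it
    for name, addr in nodes.items():
        if not isinstance(addr, int) or not UCN_ADDR_MIN <= addr <= UCN_ADDR_MAX:
            errors.append(f"{name}: UCN address {addr!r} outside 1-63")
            continue
        if addr % 2 == 0:
            errors.append(f"{name}: UCN address {addr} is even; odd addresses only")
            continue
        if addr in seen:
            # Not detected by the FSC user software: flag it here.
            errors.append(f"{name}: UCN address {addr} already used by {seen[addr]}")
        else:
            seen[addr] = name
    return errors


# Constructed sample plan: four FSC-SMM nodes, one duplicate and one out of range.
SAMPLE_NODES = {
    "FSC_UNIT_A": 31,
    "FSC_UNIT_B": 33,
    "FSC_UNIT_C": 31,   # collides with FSC_UNIT_A
    "FSC_UNIT_D": 64,   # outside the 1-63 range
}

if __name__ == "__main__":
    for problem in validate_ucn_addresses(SAMPLE_NODES):
        print(problem)
```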



Index

A
Access rights, 13
Adding NIMs to the UCN, 54
Address aliases, 13, 14, 15
Alias addresses, 13, 14, 15
ALIVE state, 39
Application module, 2
Area database, 2
Area names, 2
Assigning alias addresses, 14, 15

B
Button configuration, 2

C
Cold start-up, 39
Comparing events between FSCs, 22
Configuration errors, 71
Control Language (CL), 2
Crash codes, 70

D
Data Entity Builder, 59
Data flow, 6
Data point building, 66
Database synchronization, 34, 48
DCS address, 13
DI SOE timestamping, 22
Diagnostics, 21
DLYTIME, 24
Downloading FSC-SMM personality, 40

E
Event distribution, 24
Event recovery, 23
Event recovery and flushing, 24
Event recovery cut-off point, 23

F, G
FAIL state, 36
Failed node, 37
Failover, 32, 48
FLD Control Program design, 11
Flushing, 24, 34
Free format logs, 2
Front panel of FSC-SMM module, 30
FSC configuration, 11
FSC Control Processor functions, 4
FSC Development System (FSC-DS), 4, 11, 12
FSC Navigator, 4, 11, 12
FSC network capabilities, 19
FSC Safety Manager diagram, 3
FSC Safety Manager functional diagram, 5
FSC SMM functions, 4
FSC user software, 4, 11, 12
FSC user station, 2, 4
FSC variable access rights, 13
FSC variables, 14
FSC-SMM and FSC redundancy interfacing, 32
FSC-SMM database, 61
FSC-SMM database synchronization, 34
FSC-SMM failover, 32
FSC-SMM flushing, 34
FSC-SMM front panel indications, 31
FSC-SMM points, 14
FSC-SMM redundancy, 29, 35
FSC-SMM switchover, 32
FSC-SMM switchover procedure, 33
Functional Logic Diagram database, 61
Functional logic diagrams (FLDs), 4
Functional logic programming, 2

H
Hard failures, 36, 70
HM History Groups, 2

I
I/O characteristics, 18
I/O system, 16
I/O system diagram, 17
I/O types, 17
IDLE state, 41
Implementation dependencies, 1
Implementation tasks, 1

J
Journals and listings, 25

L
LCN nodes, 2
Linking FSC-SMM points to FSC variables, 14
Loading points, 66

M
Module front, 30

N
Network capabilities, 19
Network Interface Module (NIM), 2
NIM addition example, 55
NIM assignments, 54
NIM load calculation, 52
NIM processing load, 51
NIM processing load categories, 53
NIM processing load estimator, 51
Node-specific building displays, 64
Node-specific point building, 61
Non-DI SOE event/alarm timestamping, 22
Non-redundant I/O, 16

O
Operating modes
  RAM mode, 9
  RUN mode, 9
Operational considerations for two logical NIMs, 57
Operational considerations for two logical UCNs, 57
Operator-requested switchovers, 34
Overhead, 47

P
Performance specifications, 48
Picture Editor, 2
Point process priming, 48
Point processing, 48
Preference, 36
Primary/Secondary switchover, 48
Processing units, 49, 62
PVCHGDLY, 24
PVCHGTMR, 24

R
RAM mode, 9
Redundancy, 29, 35
Redundancy interfacing, 32
Redundant architecture, 29
Redundant communication paths, 35
Redundant I/O, 16
Redundant NIM pair, 54
Resource allocation, 47
Restoring and saving data summary, 26
RUN mode, 9

S
Saving and restoring data, 26, 27
Sequence of Events (SOE), 20
Shutdown, 45
SOE configuration, 25
SOE event recovery, 23
SOE event recovery cut-off point, 23
SOE resolution, 22, 48
SOE resolution diagram, 23
Soft failures, 67
Soft failures US display, 69
Softfail descriptions, 68
Start-up
  Cold, 39
  Warm, 43
Startup mode
  Coldstart, 10
  Warmstart, 10
Status indication, 30
Switchover, 32
Switchover procedure, 33

T
Throttled event collection, 24
Time Sync diagram, 21
Time synchronization, 20
Timestamping, 22

U
UCN addressing, 36
UCN addressing errors, 73
UCN input path, 6
UCN output path, 6
UCN parameter access, 48
UCN point building example, 60
UCN point building procedure, 59
UCN shutdown status display, 45
UCN statistics display, 73
UCN status display, 33
UCN time sync, 34
UCN-specific FSC-SMM redundancy, 35
Unit names, 2
US Display - Soft Failures, 69

V
Volume configuration, 2

W
Warm start-up, 43


READER COMMENTS

Honeywell IAC's Automation College welcomes your comments and suggestions to improve future editions of this and other documents.
You can communicate your thoughts to us by fax or mail using this form, or by placing a toll-free telephone call. We would like to acknowledge your comments; please include your complete name, address, and telephone number.
BY FAX: Use this form and fax to us at 1-602-313-4108.
BY TELEPHONE: In the USA, use our toll-free number 1-800-822-7673 (available in the 48 contiguous states except Arizona; in Arizona dial 1-602-313-5558).
BY MAIL: Use this form and mail to us at:
Honeywell Inc.
Industrial Automation and Control
Automation College
2820 West Kelton Lane
Phoenix, AZ 85023-3028

Title of Document: FSC Safety Manager Implementation Guidelines
Issue Date: 02/98
Document Number: FS11-500
Writer: HSMS Product Marketing

Industrial Automation and Control Helping You Control Your World
Honeywell Inc.
16404 North Black Canyon Highway
Phoenix, Arizona 85023-3033
