HC900 Process & Safety Controller
Contents
1. [Figure 13 residue: wiring diagram of individual series DO connections, showing DI 16 (900G02) or DI 32 (900G32), DO 8 (900H01), Sinking DO 16 (900H02), Relay Output and DI 16 (900G03/900G04) modules on a 24 VDC supply. DI thresholds as drawn: VALID HIGH 9.5 V to 32.0 V; VALID LOW 0.0 V to 3.5 V.]
   Note: DI Sense is inverted when the Load is placed on the High side (relay sinks power). DI Sense is NOT inverted when the Load is located on the Low side (relay sources power). Note: DI Sense is inverted.
   Figure 13: Individual Series DO connections.
   Revision 4.0, HC900 Process & Safety Controller Safety Manual, June 2015, page 45. Design and Implementation of HC900 Control System.
   [Second wiring figure residue (page 46): DO 8 (900H03), DI 16 (900G03/900G04), Relay Output, Sinking DO 16 (900H01/900H02), DI 16 (900G02) or DI 32 (900G32) modules on 24 VDC; same DI thresholds as above.] Note: DI Sense is in
2. High/Low Limiter: provides a high/low limit for an analog X value and turns ON the HI or LO digital output if the input exceeds or falls below the set limits.
   - If X ≤ Low Limit value, then OUT = LoLIM, L = ON, H = OFF.
   - If X ≥ High Limit value, then OUT = HiLIM, L = OFF, H = ON.
   - If X > Low Limit value and X < High Limit value, then OUT = X, L = OFF, H = OFF.
   Velocity Limiter: limits the rate at which an analog input value X can change when a digital input signal EN is ON. Individual rate-of-change limits are configured for an increasing and a decreasing X respectively. Separate digital status outputs indicate when the High (H) or Low (L) rate limit is active.
   - If EN = OFF or system state = NEWSTART, then OUT = X, L = OFF, H = OFF.
   - If EN = ON and OUT < X, then OUT moves toward X at the Increasing RATE limit (L = OFF, H = ON) until OUT = X.
   - If EN = ON and OUT > X, then OUT moves toward X at the Decreasing RATE limit (L = ON, H = OFF) until OUT = X.
   Rate of Change: provides an analog output representing the units-per-minute change of the analog input. Compare setpoints for high and low rate of change; compare selections for increasing, decreasing or both directions of change. A logic 1 (ON) output when the input rate exceeds the high rate setpoint. A logic 1 (ON) output when the input rate is less than t
3. HC900 Control System Architectures. Refer to the following manuals for more details on the various HC900 control system architectures.
   Introduction to the Hardware. The Honeywell HC900 Process Controller includes a set of hardware modules that can be combined and configured as required for a wide range of small to medium process control applications. Some of the modules are required in all configurations. Others are optional; they are selected as appropriate to provide optional functions and/or to size the system, either in initial planning or in modifying and/or expanding the system to meet changing requirements. An HC900 Controller configuration with multiple controllers is illustrated in Figure 4. This illustration includes key numbers that identify components that are described in Table 2. An HC900 Redundant Controller configuration with multiple I/O racks is illustrated in Figure 5. Only SIL certified modules may be used in safety applications. Safety controllers C50S, C70S and C75S MUST be matched with the corresponding Safety Scanners S50S and S75S. Safety model CPUs and Scanners have orange faceplates.
   [Figure 4: Configuration with Multiple Controllers.]
   Table 2 (HC900 Control System Architectures).
4. Expanded HC900 Controller Configuration. The HC900 Controller design enables users and OEMs who are adept in system integration to assemble a system that fits a broad range of requirements. Any configuration can be readily modified or expanded as requirements dictate. In initial configuration and in subsequent modifications, the HC900 Controller affords an optimum balance of performance and economy. Configurations such as those shown in Figure and in Figure 2, as well as many variations, can be assembled from modular components. Many of the components are available from Honeywell, and some are available from third-party suppliers. These modular components are available in any quantity and mix that make the most sense for a given application. As indicated in Figure 3, the HC900 Controller includes provisions for communication via Ethernet with host systems such as the Honeywell Experion HMI and other HMI software that supports the Ethernet Modbus/TCP protocol. Also, the communication structure of the HC900 Controller enables remote placement of input/output components, allowing significant economies in cabling and wiring.
   [Figure 3: Single process with redundancies (redundant HC900, 100BaseT, UI).]
5. Modbus Write: a communication function block that expands the write capability of the Modbus Slave function block to 8 additional data points. Multiple blocks may be connected to the same Modbus Slave block. The Modbus Write block has 8 inputs and no outputs. The Modbus destination for each of the eight inputs can be configured. An enable pin lets the data value be written once per scan. The configuration data for each point will consist of the address of the destination device on the Modbus link, the register address of the desired data, and the register type (Integer or Float). Modbus writes to a function block inside a safety worksheet are only permitted while operating in the RUN/Program or Program modes.
   Modbus TCP Slave: a communication function block that allows the controller to act as a master device and communicate with slave devices via the Ethernet port of the controller. Requires one block per slave device, up to 32 devices maximum. Only one block may be assigned to each slave device. It supports 4 read and 4 write parameters, plus provides digital indication of communication integrity. This block does not support bit packing and single-bit writing. If the register is an integer data type, the floating-point input will be rounded up prior to writing to the address register. Integer values are converted to floating-point values prior to output. If a Modbus slave device does not respond to a request, the last output v
6. Safety Configuration validation.
   - For a safety-enabled configuration there is a validation check at controller level which will reject the configuration if validation fails. There is also a validation check for configuration mismatch, and it will alert the host of the error.
   - If the user wants to change a configuration from a non-safety configuration to a safety configuration, the configuration must not contain function blocks that are not supported on a safety worksheet (see Table 4).
   Safety system startup. Below are points to be noted for system startup.
   - HC900 defines the safety failsafe state of outputs to be LOW or OFF. Process blocks may be set per the user's requirements. Any other value or state must be accomplished outside the HC900 safety control system.
   - Output blocks with validation have a restart input function pin. This pin provides the system operator the ability to control the startup of the failed block. When connected and the FAIL pin goes ON, the output state of the block will remain in FAILSAFE, as will the block's FAIL pin, until the fault is cleared (repaired) and the pin transitions from an OFF (Low) to an ON (High) state. All the failsafe values are to be OFF in safety applications. When RIUP occurs, the validated safety block's restart pin will remain OFF until user enabled the
7. Redundant Networks for Host communications: Redundant Networks for Host communications are provided on the C75S CPU. Both network ports are continuously active on the Lead controller. The network ports on the Reserve CPU are not available for external communications. Experion HS and the 900 Control Station (15-inch model) support redundant Ethernet communications and automatically transfer communications during a network failure.
   - Scanner 2 (S75S) module provides 2 ports, one for each CPU connection to I/O.
   - Process Applications can be run on the Safety system with separate process I/O modules.
   [Figure 6: Redundant Configuration with multiple I/O racks (C75S CPU only).]
   HC900 controller Features. Hardware:
   - Modular rack structure; components are ordered individually as needed.
   - CPU with Ethernet communications.
   - Easy to assemble, modify and expand.
   - Local (C30S) and Remote input/output racks (C50S, C70S) on a private Ethernet-linked sub-network.
   - Parallel processing: a microprocessor in each I/O module performs signal processing to preserve update rates and proper failsafe action on loss of Controller updates.
   - Power supplies provide power to the CPU rack and Scanner I/O rack.
8. HC900 Control System Fault Detection and Response. Fault Reaction and I/O states. The Fault Reaction (FR) state of each I/O point is the predetermined state or action the point assumes in case of faults.
   - ALL outputs have a defined fault reaction (failsafe) of OFF (de-energized, LOW).
   - All Input blocks may be configured to either Low (OFF, de-energized), High or Hold.
   - Reaction times: based on 500 ms normal and 50 ms fast scan times.
   - Fault reaction: I/O fault reaction (input stimuli to output drive) is a maximum of 1.5 seconds for non-redundant systems. I/O fault reaction (input stimuli to output drive) is a maximum of 3 seconds for redundant systems; the fault reaction time allows for a failover time of 1.5 seconds. Internal diagnostic reaction is a maximum of 1 second from detection.
   Fault reaction and I/O states are explained below. The response to faults in the Controller, application and/or I/O:
   - The fault reaction towards Controller and/or application faults is fixed.
   - The fault reaction to Input faults can be configured on a point or module level; it should be customized to the application for which HC900 is used.
   - On loss of communications between Controller and remote racks:
   - Non-redundant systems: the remote rack will drive its output modules to their failsafe state (OFF, de-energized) for safety outputs and the user confi
9. Descriptions of Major Components.
   | Key No. | Component Name | Description | Source |
   |---|---|---|---|
   | 1 | Controller | Includes Rack, Power Supply, Controller Module, Local Rack and I/O modules | Honeywell |
   | 2 | I/O Expansion Rack (Optional) | Includes Rack, Power Supply, Scanner Module and I/O modules (C50S/C70S CPUs only) | Honeywell |
   | 3 | Operator Interface | 900 Control Station operator interface; communicates via Ethernet or RS-485 serial link | Honeywell |
   | 4 | PC Configuration Tool (Optional) | PC (laptop or desktop) connects to RS-485 or Ethernet port(s) on any one Controller module. Includes Designer Software configuration software | PC and USB-to-RS485 convertors are from third-party suppliers; configuration software is from Honeywell |
   | 5 | HMI (Human Machine Interface) (Optional) | PC link to Ethernet network, which may include other HMIs, other HC900 Controllers and other networks including the Internet. Typically includes HMI operating software (Honeywell PlantScape or SpecView32). May also include Designer Software configuration tool and utility software | PC is from third-party supplier; HMI software is available from Honeywell or third-party supplier |
   | 6 | Ethernet 100Base-T Switch | Enables connection of the private Ethernet 100Base-T port on a Controller Module (C50S/C70S CPU only) to the S50S Scanner modules on 2, 3 or 4 I/O Expansion racks | Honeywell Qualified Switch from Honeywell or third-party suppliers |
10. | Key No. | Component Name | Description | Source |
   |---|---|---|---|
   | 5 (cont.) | HMI | Typically includes HMI operating software (Honeywell PlantScape or SpecView32). May also include Designer configuration tool and/or utility software | HMI software is available from Honeywell or third-party supplier |
   | 6a | Ethernet 100Base-T Switch | Required if using 2 or more I/O Expansion racks. Provides connection of the private I/O Ethernet 100Base-T port on a C75S Controller Module to the S75S Scanner modules. Switch not required for connection to a single I/O rack | Honeywell |
   | 6 | Ethernet 10/100Base-T Switch or Router | Enables inter-connection of several 10/100Base-T Ethernet devices in an Ethernet network. Devices include other HC900 Controllers and HMIs, and can also include routers, brouters, servers and other devices in wider networks | Honeywell or third-party suppliers |
   | 7 | Shielded Ethernet CAT5 cable | Connects I/O (S75S) expansion racks to C75S controllers and/or to 10/100BaseT Ethernet switches. It also connects to 900 Control Stations and PC SCADA software applications | Honeywell or third-party suppliers |
   | | Fiber Optics Cable | Controller to remote rack distance up to 750 m (2460 ft) with one fiber cable. Distances up to 1500 m (4920 ft) are possible with a fiber switch used as a repeater at the midpoint | |
   | 8 | RS-485 cable | Shielded twisted-pair cable connects Isolated Controller port to field devices or PC with RS-485 convertor | Honeywell or third-party suppliers |
11. ¹ Quad: Process Only. May only be used on the process worksheet.
   | Model | Description | Use |
   |---|---|---|
   | 900TEK-xxxx | Low Voltage Terminal Block, Euro style | Process & Safety |
   | 900TBK-xxxx | Low Voltage Terminal Block, Barrier style | Process & Safety |
   | 900TER-xxxx | High Voltage Terminal Block, Euro style | Process & Safety |
   | 900TBR-xxxx | High Voltage Terminal Block, Barrier style | Process & Safety |
   | 900TCK-xxxx | High Density Terminal Block, Euro style | Process & Safety |
   | 900TNF-xxxx | Filler Block (Terminal Cover) | Process & Safety |
   | 900RTA-xxxx | Analog Input Remote Terminal Panel (RTP) | Process Only |
   | 900RTR-xxxx | Relay Output Remote Terminal Panel (RTP) | Process Only |
   | 900RTS-xxxx | DI/DO/AO Remote Terminal Panel (RTP) | Process Only |
   Reliability Data. Table 9: Reliability Data.
   | Category | Model | MTBF at 60 °C (Hours) | MTBF at 60 °C (Years) | MTBF at 25 °C (Hours) | MTBF at 25 °C (Years) | MTTR (Hours) |
   |---|---|---|---|---|---|---|
   | Controllers | 900C30S-xxxx-xx | 264,382 | 30.18 | 607,761 | 69.38 | 8 |
   | Controllers | 900C50S-xxxx-xx | 264,382 | 30.18 | 607,761 | 69.38 | 8 |
   | Controllers | 900C70S-xxxx-xx | 261,789 | 29.88 | 601,282 | 68.64 | 8 |
   | Controllers | 900C75S-xxxx-xx | 261,789 | 29.88 | 601,282 | 68.64 | 8 |
   | Scanners | 900S50S-xxxx-xx | 302,259 | 34.50 | 774,175 | 88.38 | 8 |
   | Scanners | 900S75S-xxxx-xx | 264,382 | 30.18 | 607,761 | 69 | |
12. North and South America contact details: refer to the back page of this manual or the appropriate Honeywell Solution Support web site.
   | Honeywell Organization | WWW Address (URL) |
   |---|---|
   | Corporate | http://www.honeywell.com |
   | Honeywell Process Solutions (HPS) | www.honeywellprocess.com |
   | Technical tips | https://www.honeywellprocess.com/en-US/explore/products/control-monitoring-and-safety-systems/scalable-control-solutions/hc900-control-system/Pages/hc900-controller.aspx |
   | Training | http://www.honeywellprocess.com/en-US/training |
   Telephone and Email Contacts:
   | Area | Organization | Phone Number |
   |---|---|---|
   | United States and Canada | Honeywell Inc. | 1-800-343-0228 (Customer Service); 1-800-423-9883 (Global Technical Support) |
   Email: Sales: FP-Sales-Apps@Honeywell.com. Global Email Support, Honeywell Process Solutions (or TAC): hfs-tac-support@honeywell.com.
   Symbol Definitions. The following table lists those symbols that may be used in this document and on the product to denote certain conditions.
   | Symbol | Definition |
   |---|---|
   | DANGER | This DANGER symbol indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury. |
   | WARNING | This WARNING symbol indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury. |
   | CAUTION | This CAUTION symbol ma |
13. and Stop Bit to 1.
   XYR 5000 Transmitter: this communication function block expands the read capability of the 5XYRB Slave function block to access parameters of XYR5000 Transmitters. The 5XYRB block's ADDR output is connected to the ADDR input of this block to access all the parameters. The 5XYRT block has 12 output parameters which are supplied by the 5XYRB block. Since these parameters have fixed Modbus register addresses, there is no configuration data associated with this block. All outputs can be connected or tagged in the same manner as any other function block output. If communication between the HC900 and the XYR5000 base radio is lost, the last read values will be supplied on the 5XYRT outputs.
   XYR 6000 Wireless Gateway: this block allows the HC900 controller to act as a master device and communicate with an XYR6000 wireless gateway via the Ethernet port of the controller. Configuration in the HC900 master requires one block per gateway, up to 32 gateways or 1024 parameters maximum. Only one block may be assigned to each XYR6000 gateway slave device. Even if it does not read or write parameters, it provides a means of connecting XYR6000 wireless transmitter blocks to it by way of the ADDR output pin. The block outputs provide digital indication of communication integrity.
14. Combines with the signal tag or page connector to route a signal between points anywhere in the Function Block diagram without having to draw a softwire between them. Connectors may only be connected to function block inputs. Signal tags or page connectors supported may be analog or digital.
   | Connector | Description | Analog | Digital |
   |---|---|---|---|
   | Signal Tag | Signal tags are user-assigned names that can be associated with the output of any item. They can be assigned to displays; used to connect discontinuous wires to other block inputs using connectors in the same or in another FBD Worksheet; assigned to Data Storage; used for Peer-to-Peer communication between multiple networked controllers using Modbus communications; and used to identify important block output pins for monitoring. | X | X |
   | Page Connector | A Page Connector lets you connect a signal from a worksheet page to another page and across worksheets. Page connectors are similar to signal tags except they do not appear in any signal tag lists. They are tags, but they have no descriptors, decimal places or alarm/event notification properties. You can rename them. Page connectors can be monitored; the Watch Summary window has a tab for page connectors. | X | X |
   The following are the validation I/O function blocks which are available for the process and safety configuration of the HC900 controller:
   - Analog Input Voting Function Block (AI-V). The c
15. For transmitter parameters that are readable, there is a separate 6XYRT block which is connected to 6XYRWG via the ADDR output pin at the bottom of this block. If more parameters of any of the transmitters are to be read, then the TCPR block can be used with the 6XYRWG block, similar to the TCPS and TCPR combination. All outputs of the block can be connected or tagged in the same manner as any other function block output. If the XYR6000 gateway slave device does not respond to a request, the last output value will be maintained.
   XYR 6000 Transmitter: use this block to read the process variables and device status of any XYR6000 transmitter. To access XYR6000 parameters, connect this block's ADDR input to the ADDR output of the XYR6000 Gateway (6XYRWG) block. Five parameters (PV1, PV2, PV3, PV4 and DEV_STAT) are read from the XYR6000 transmitter. The DEV_STAT value contains several statuses of the transmitter, and each status from DEV_STAT is assigned its own output pin of this block. If a 6XYRWG gateway does not respond to a request from the HC900, the last read values will be maintained on the 6XYRT outputs.
   HVAC Blocks. Relative Humidity: calculates RH as a function of wet bulb temperature, dry bulb temperature and atmospheric pressure. RH (0 to 100) is output as a floating-point number between 0 and 100. This block calculates the Absolute Humidity and Enthalpy based on the input Air temperature (X1), Air relative
16. If a single I/O expansion rack is connected directly to a Controller Module, the Switch is not required.
   | Key No. | Component Name | Description | Source |
   |---|---|---|---|
   | 6a | Ethernet 10/100Base-T Switch or Router | Enables inter-connection of several 10/100Base-T Ethernet devices in an Ethernet network. Devices include other HC900 Controllers and HMIs, and can also include routers, brouters, servers and other devices in wider networks | Third-party suppliers |
   | 7 | Shielded CAT5 Ethernet cable | Connects I/O expansion racks (S50S only) to controllers (C50/C70 CPU only) and/or to 10/100BaseT Ethernet switches | Honeywell or third-party suppliers |
   | | Fiber Optics Cable | Controller to remote rack distance up to 750 m (2460 ft) with one fiber cable. Distances up to 1500 m (4920 ft) are possible with a fiber switch used as a repeater at the midpoint | |
   | 8 | Shielded CAT5 Ethernet cable | Connects devices in the Ethernet Open Connectivity network to 900 Control Stations and PC SCADA applications | Honeywell or third-party suppliers |
   | 9 | RS-485 cable | Shielded twisted-pair cable connects Isolated Controller port to field devices or PC with RS-485 convertor | Honeywell or third-party suppliers |
   Redundancy. [Figure residue: redundancy diagram labels: Modbus Slave, 10/100 baseT, 900 Control Station (two), Ethernet Switches.]
17. Redundancy:
   - Redundant C75S CPU.
   - Redundancy Switch Module (RSM) required between redundant CPUs.
   - Redundant Power Supply provides redundant power to any CPU rack or Scanner2 I/O rack.
   - Power Status Module (PSM) required when using a second power supply in a Scanner I/O rack.
   Communications (all CPUs except where noted):
   - Two galvanically isolated RS-485 serial ports.
   - RS-485 port used for a 2-wire link to HMI or field devices, with port configuration as Modbus RTU master or slave.
   - Ethernet 10/100Base-T connection to up to 5 PC hosts via Modbus/TCP protocol; Peer-to-Peer communication with other HC900 Controllers for process applications; and the Internet. C70S has 2 Ethernet ports for connection to up to 10 PC hosts. It also supports the Modbus/TCP Initiator function over both ports.
   - Private Ethernet 100Base-T connection to I/O expansion racks (except C30S CPU).
   Redundancy:
   - Supervisory Network: Ethernet 10/100 baseT to PC Applications (Designer & HC Utilities); communicates to peer HC900 Controllers over Ethernet for process applications. C75S has two Ethernet ports. The Lead C75S CPU supports up to 10 concurrent sockets. It also supports the Modbus/TCP Initiator function over both ports.
   - I/O Network: direct connection to each C75S CPU.
   - Device Network: Isolated RS-485 Serial Interface (Modbus RTU). Two serial ports available. Each port can be set as Modbus Master or Slave. Host Serial Interface for Honeywell or third part
18. block can transfer data into the safety worksheet when enabled for non-critical safety functions.
   Below is an example configuration for keeping a field device (safety device) in the safe state until the user acknowledges after the controller restarts from a fault, such as the processor memory faults listed in the table on fault reaction. It is the user's responsibility to configure such a safety start-up application, as the controller will resume running after the fault.
   [Figure 17 residue: function block diagram of a controlled start-up; labels include ASYS1 (CYCTIME, CYCMINS, NEWSTART, RESTART), a RESTART signal from user logic, LTCH101, AND102, ALM_ACTIV, ALM_UNACK, and a DI-V103 block (FBFAIL, VFAIL, HWOK, FAIL, RESTART, FAULT, LOCKED, CH A 010203, CH B 020203, CH C 030203).]
   Figure 17: Sample controlled start-up configuration.
   Module Replacement. DO-V and AO-V use an input module to verify the output's value. Failure of the input module will cause the FBFAIL pin to go to the ON state; however, the output of the block, unless configured otherwise with logic, will maintain the output value without verification. Caution: configuration considerations must be taken by the user configuration to prevent a verify
19. for achieving the required SIL. The safety integrity requirements for each individual safety function may differ. The safety function and SIL requirements are derived from hazard analysis and risk assessments. The higher the level of adapted safety integrity, the lower the likelihood of dangerous failure of the SIS. These standards also address the safety-related sensors and final elements, regardless of the technology used. The HC900 can be used in a specific SIF that demands SIL 1 or SIL 2. Only the HC900 portion of the EUC control system will be documented in this safety manual. HC900 can be used only in applications for low demand mode operation.
   Safety Integrity Level (SIL). The IEC 61508 standard specifies 4 levels of safety performance for safety functions. These are called safety integrity levels. Safety integrity level 1 (SIL1) is the lowest level of safety integrity and safety integrity level 4 (SIL4) the highest level. If the level is below SIL1, IEC 61508 and IEC 61511 do not apply. HC900 can be used for processing multiple SIFs simultaneously demanding SIL1 and SIL2.
   The IEC 61508 and IEC 61511 Standards. SISs have been used for many years to perform safety instrumented functions, e.g. in chemical, petrochemical and gas plants. In order for instrumentation to be effectively used for safety instrumented functions, it is essent
20. information about HC900 that is relevant for integration into a Safety Instrumented System (SIS).
   References. The following list identifies all documents that may be sources of reference for material discussed in this publication.
   | Document Title | ID |
   |---|---|
   | HC900 Process & Safety Controller Installation and User Guide | 51-52-25-154 |
   | HC900 Process Controller Technical Overview Specification | 51-52-03-31 |
   | HC900 Module Specification | 51-52-03-41 |
   | Process Control Designer Specification | 51-52-03-43 |
   | HC900 Process Control Designer User Guide | 51-52-25-110 |
   | HC900 Process Control Utilities User Guide | 51-52-25-126 |
   | HC900 Process Controller Function Block Reference Guide | 51-52-25-109 |
   | HC900 Process Controller Communications User Guide | 51-52-25-111 |
   | HC900 Controller Redundancy Overview & System Operation | 51-52-25-133 |
   | 900 Control Station (for use with HC900 Process Controller) | 51-52-25-148 |
   | Station Designer Software manual | 51-52-25-149 |
   | IEC 61508 (2010), external document | N/A |
   | IEC 61511 (2004), external document | N/A |
   Revision Information.
   | Document Name | Revision Number | Publication Date |
   |---|---|---|
   | 51-52-25-153, HC900 Process & Safety Controller Safety Manual: 1st Release | 1.9 | January 2014 |
   | Redundancy updates | 2.0 | June 2014 |
   | Cyber Security updates | 3.0 | July 2014 |
   | SafetyWrite updates | 4.0 | June 2015 |
   Support and Contact Information. For Europe, Asia Pacific
21. or NSTEP is connected to any other function type, then their values are loaded into the Sequencer only when NSET goes through a positive transition.
   Counters/Timers Blocks. Resettable Timer: the Resettable Timer block has the following attributes:
   - Provides increasing or decreasing timing based on an enable input.
   - Increasing time from 0 or preload value.
   - Decreasing time from preset or preload value.
   - Increasing time provides digital output upon reaching preset.
   - Decreasing time provides digital output upon reaching zero.
   - Reset input sets increasing timer to zero.
   - Reset input sets decreasing timer to preset value.
   - Preset value may be internal or remote via a dedicated input.
   - Inc/Dec selection is via digital input.
   Toggling the reset (RST) pin resets the current elapsed time and loads the new preset value; therefore, if changing the preset value (remote or local), the user must enter the new preset value, then reset the timer for the new preset to be used during the next time cycle. If the timer is reset prior to entering the new preset value, the timer will use its previous preset for its compare condition.
   Periodic Timer Function (1 or 2): 1 Time Cycle generates a discrete output pulse at a specified start time based on the real-time clock and at specified tim
22. outputs will remain OFF and the block's fail status will remain ON until the user intervenes. When scanner RIUP occurs, its outputs remain in failsafe until the controller informs the scanner what to drive the outputs to. The I/O channel will not resume controlling the process value until the channel is restarted, when the RESTART pin is connected on the DO-V and AO-V function blocks.
   Non-Redundant control system (C30S, C50S, C70S): when the scanner loses communications for two or more normal cycles, outputs will go to and remain in the failsafe state until the controller informs the scanner what to drive the outputs to. The restart pin is provided to control the outputs' resumption of normal operation.
   Redundant control system (C75S): when the scanner loses communications to the LEAD for two or more normal scan cycles, transfer of the LEAD occurs between the controllers if the RESERVE has the ability to communicate with more scanners over the redundant I/O Link; a diagnostic will be posted and normal operation continues. However, if the RESERVE controller does not have the ability to communicate with more scanners, the outputs will go to and remain in failsafe until the controller informs the scanner what to drive the outputs to. The restart pin is provided to control the outputs' resumption of normal operation. The user can control the operation when the scanner resumes controlling outputs with proper configuration and use of the AO-V and DO-V RESTART pin. The u
23. to get an output. Multiplies four inputs to get an output. Note: all four 4-Input MUL inputs must be connected. Unconnected inputs default to zero. If only 3 inputs are needed, the 4th should be connected to a constant value of 1.
   Free Form Math: reads inputs A through H and calculates the output based on a specified general-purpose calculation.
   Calculation Blocks. Compare: compares the value of the X input to the value of the Y input and turns ON one of three outputs based on this comparison.
   Deviation Compare: compares up to 6 analog inputs, plus or minus a user-entered deviation setpoint, to a 7th input reference value, and sets the output true if any input exceeds the deviation value from the reference value. Output is off if all inputs are less than the deviation.
   - Plus Dev Compare Value = Reference input + User-entered Plus Deviation value.
   - Minus Dev Compare Value = Reference input - User-entered Minus Deviation value. The Minus Deviation value should be a positive number.
   - If any IN1-6 > the Plus Dev Compare value, Out = ON.
   - If any IN1-6 < the Minus Dev Compare value, Out = ON.
   Note: when the reference input is the average of the 6 inputs, the block performs deviation from average. Note: all inputs should be used, or a single value should be connected to multiple inputs. Unus
24. [Index residue, entries as printed with page numbers: 00 Process Controller 5; Modbus TCP protocol 6; OEMs 6; Parallel processing 15; PC Configuration 10; Principle of Fault Detection and Response 56; Redundant: example of single process 11, features (hardware) 15; References iii; Relative Humidity 39; RUN LOCKED 50; Safety Configuration validation; safety function; Safety Instrumented System (SIS); Safety system startup; SIL certification; Telephone and Email Contacts iv; Text String 40; Toggle Flip Flop 23; topologies; Ultrasonic Meters 29.]
   Sales and Service. For application assistance, current specifications, pricing, or the name of the nearest Authorized Distributor, contact one of the offices below. ASIA PACIFIC: Honeywell Process Solutions, TAC: hfs-tac-support@honeywell.com. Australia: Honeywell Limited, Phone: +61 7 3846 1255, FAX: +61 7 3840 6481, Toll Free: 1300 36 39 36, Toll Free Fax: 1300 36 04 70. China (PRC): Shangh
26. ...42
Figure 10: Digital Output Validation Block A ... 42
Figure 11: Fault Monitor Block ... 43
Figure 12: IO-V function block connections ... 44
Figure 13: Individual Series DO connections ... 45
Figure 14: Common Series DO connections ... 46
Figure 15: Series Relay for Analog Outputs ... 46
Figure 16: Safety Dataflow ... 48
Figure 17: Sample controlled start-up Configuration ... 49
Figure 18: Sample VFAIL qualification ... 49

The Safety Manual

This manual is intended for users who have a Honeywell HC900 product with SIL certification and intend to use it in a SIF.

Scope: The Safety Manual provides information about HC900 that is relevant for integration into a Safety Instrumented System (SIS). This manual is aimed at technical personnel responsible for such integration. The Safety Manual is a reference guide providin...
27. ...Analog Output, 0 to 20 mA, 16 channel, Process & Safety. Uses AO1 or A16 for AI-V and AO-V function blocks.
900G01-xxxx: Digital Input, Contact type, 16 channel, Process & Safety. Input channels must have an individual series blocking diode.
900G02-xxxx: Digital Input, 24 VDC, 16 channel, Process & Safety.
900G03-xxxx: Digital Input, 120/240 VAC, 16 channel, Process & Safety.
900G04-xxxx: Digital Input, 120/240 VAC / 125 VDC, 16 channel, Isolated, Process & Safety.
900G32-xxxx: Digital Input, 24 VDC, 32 channel, Process & Safety.
900H01-xxxx: Digital Output, Relays, 8 channel, Process & Safety. For DO-V use G02 for 24 VDC, G03 for 120/240 VAC, G04 for 120/240 VAC / 125 VDC. Function block input must be inverted if the N.C. contact is used.
900H02-xxxx: Digital Output, 24 VDC, 16 channel, Process & Safety. For DO-V use 900G02 or 900G32. Function block input must be inverted.
900H03-xxxx: Digital Output, 120/240 VAC, 8 channel, Process & Safety. For DO-V use 900G03. Function block input must be inverted.
900H32-xxxx: Digital Output, 24 VDC, 32 channel, Process & Safety. Use 900G02 or 900G32. Function block input must be inverted.
900K01-xxxx: Pulse/Freq/Quad, 4 chan...
28. ...BFAIL signal returns to the normal LOW state within the user-configured timeout. The time-out period is set in OFDT106. The Digital Variable FB_RSTRT resets the FAIL logic for the next capture. FB_RSTRT = ON additionally provides the operator with a flag indicating an improper state of FB_RSTRT which, if left ON, would disable the VFAIL_Q signal. The timing of this flag is set using ONDT107. Note: execution order is critical for proper operation.

Forcing
- There can be forced blocks in the safety portion of the configuration, and there can be forced blocks in the process portion of the configuration.
- Forcing is not allowed on the safety worksheet in RUN mode, but is allowed in RUN/PROGRAM mode.

Mode changes in safety configuration
- Changing operational mode from RUN/PROGRAM to RUN will be prevented if forced OUTPUTS exist in the safety worksheet. A diagnostic will be posted and the controller LED will blink the proper diagnostic code.
- Changing operational mode from RUN/PROGRAM or RUN to PROGRAM mode will result in ALL physical process and safety outputs going to their cleared state.

Variable writes
- Writing configuration values via Designer in monitor mode is allowed in RUN/PROGRAM mode, but the user cannot change configuration values in RUN mode with the non-critical safety selection in its default (disabled) state. Prior to changing mode to RUN, the user needs to verify that the configuration downloaded for the safety blocks is the same as what is running...
29. ...[Figure residue: Ethernet Switches added for distance.] Figure 5: Two safety applications process with redundancies (C75S CPU only). This illustration includes key numbers that identify components that are described in Table 3.

Table 3: Descriptions of Major Redundancy Components (Key No. / Component / Description / Source)
1. Controller Rack: Includes 2 Power Supplies, 2 C75S Local Rack Controllers, 1 Redundancy Switch Module (RSM). Source: Honeywell.
2. I/O Expansion Rack: Includes 1 S75S Scanner 2 module, 1 Power Supply and up to 4, 8 or 12 I/O modules. Optional second Power Supply and Power Status Module (PSM) on 8- and 12-slot I/O racks. Source: Honeywell.
3. Operator Interface: 900 Control Station operator interface; communicates via Ethernet or RS-485 serial link. Source: Honeywell.
4. PC Configuration Tool: Optional PC (laptop or desktop) connects to RS-485 or Ethernet port(s) on any one LEAD Controller module. Includes Honeywell Designer Software configuration software. Source: PC and USB-to-RS485 convertors are from third-party suppliers; configuration software is from Honeywell.
5. HMI (Human Machine Interface): Optional PC link to Ethernet network, which may include other HMIs, other HC900 Controllers and other networks including the Internet. Source: PC is from a third-party supplier.
30. ...Communication data may flow in either direction in other operating modes.
- Safety-related variable values cannot be changed in RUN mode with the non-critical safety selection in its default (disabled) state. They may be changed in RUN/PROGRAM mode.
- The safety-related MODBUS registers cannot be written in RUN mode.
- Download of a safety-enabled configuration is disallowed if there is a mismatch of I/O channel type.
- Writing configuration values in monitor mode to safety blocks is disallowed when the controller is in RUN mode.
- Forcing of safety blocks is disallowed when the controller is in RUN mode.
- The Write Constant block in a Process worksheet is not allowed to write into a Safety worksheet.
- The Read Constant block in a Safety worksheet is not allowed to read from a Process worksheet.
- A confirmation is required from the user if a mode change is requested while forced safety blocks exist in the configuration.

HC900 system Start-up test

System Checks
1. Verify I/O channel isolation to other channels and ground.
2. Verify all Contact inputs contain blocking diodes as shown in Figure 12.
3. Verify the Watchdog function operates properly.
4. Properly configured firewall above E1/E2.

To ensure that the watchdog test operates successfully:
- Power cycle the controller without batteries.
- If the watchdog test fails, the controll...
31. ...F. Otherwise E1 to E16 as specified in the program (PGM) segment (SEG).

Logic Blocks
2 Input AND: Turns digital output OUT ON when inputs X1 and X2 are ON.
4 Input AND: Turns digital output OUT ON when inputs X1 through X4 are ON.
8 Input AND: Turns digital output OUT ON when inputs X1 through X8 are ON.
2 Input OR: Monitors two digital input signals X, Y to set the state of digital output signal OUT. If X = OFF and Y = OFF, then OUT = OFF. If X = ON and/or Y = ON, then OUT = ON.
4 Input OR: Turns digital output OUT OFF when inputs X1 through X4 are OFF. Thus, if input X1 or X2 or X3 or X4 is ON, then OUT = ON. If all inputs are OFF, then OUT = OFF.
8 Input OR: Turns digital output OUT OFF when inputs X1 through X8 are OFF. Thus, if input X1 or X2 or X3 or X4 or X5 or X6 or X7 or X8 is ON, then OUT = ON. If all inputs are OFF, then OUT = OFF.
Exclusive OR: Turns a digital output signal OUT ON only if one of two digital input signals X, Y is ON. Otherwise the output is OFF.
NOT: Reverses the state of a digital input X.
Digital Switch: Sets the output of the block equal to either input A or input B depending on the value of input SA. If input SA (Select A) is ON, then OUT = Input A; otherwise OUT = Input B.
Tri...
32. Hand/Off/Auto Switch: The Hand/Off/Auto (HOA) switch function block permits state change requests from a Local Operator Interface or a Remote source. The block states are BYPASS (external manual operation of a device), Hand (manual operation from an operator interface), Auto (default; requests are operated automatically) or Off (relay to be switched to Bypass, Hand or Auto). The HOA switch is also used with the Device Control (DC) function block to comprise a Pump Control algorithm, which is used to manipulate the state of a controlled device (pump).

Sequencer: Each sequencer supports up to 16 digital outputs that may be either on or off in each of 50 states (e.g. PURGE, FILL, HEAT, etc.) per block. The sequencer may have up to 64 sequential steps that activate within the states of the process. Steps of the sequencer may be configured to advance based on time, on a digital event (2 per step), or on a manual advance. A separate jog function is also provided. The function can also configure an analog output on a step basis. The operational sequence for the steps is retained in a separate sequence file in the memory of the controller that may be selected on demand through a user interface or via a recipe.

ATTENTION: If either or both of NSEQ and NSTEP are connected directly to analog variables, then when that analog variable changes (for example via a recipe load) the Sequencer block will immediately use the new value internally. If NSEQ...
33. Honeywell HC900 Process & Safety Controller Safety Manual. Doc. No. 51-52-25-153, Revision 4.0, Date: June 2015. Honeywell Process Solutions.

Notices and Trademarks
Copyright 2015 by Honeywell. Revision 4.0, June 2015.

Warranty/Remedy: Honeywell warrants goods of its manufacture as being free of defective materials and faulty workmanship. Contact your local sales office for warranty information. If warranted goods are returned to Honeywell during the period of coverage, Honeywell will repair or replace without charge those items it finds defective. The foregoing is Buyer's sole remedy and is in lieu of all other warranties, expressed or implied, including those of merchantability and fitness for a particular purpose. Specifications may change without notice. The information we supply is believed to be accurate and reliable as of this printing. However, we assume no responsibility for its use.

While we provide application assistance personally, through our literature and the Honeywell web site, it is up to the customer to determine the suitability of the product in the application.

Honeywell Process Solutions, 512 Virginia Drive, Fort Washington, PA 19034.

Honeywell is a U.S. registered trademark of Honeywell. Other brand or product names are trademarks of their respective owners.

About This Document
Abstract: The Safety Manual provides...
34. ...Humidity (X2) and Barometric Pressure (P3).
Humidity and Enthalpy: This block does not have any configurable parameters. Output pin ERR turns ON when any of the inputs X1, X2, P3 is out of range or if either of the output values is out of range. In case of ERR = ON, outputs Y1 and Y2 are set to 0.0.

Psychrometric Calculations: This block calculates the Humidity Ratio, Enthalpy, Dew point temperature, Wet bulb temperature and Absolute Moisture based on the input Dry bulb temperature (DRY), Relative Humidity (RH) and Atmospheric Pressure (ATMP). A single configurable parameter specifies whether inputs and outputs use metric system units. Note: The wet bulb temperature output is updated only once for every three executions of the block.

Other Items
Analog Variable: A named diagram item capable of holding a single Analog value. The value can be connected to function block inputs with a softwire and may be changed by operator interface displays or recipe load.
Digital Variable: A named diagram item capable of holding a single Digital value. The value can be connected to function block inputs with a softwire and may be changed by operator interface displays or recipe load.
Numeric Constant: Provides a numeric value as an input to a function block. May be change...
35. IEC 61511, the standard for the process industry: IEC 61511 is called "Functional safety: Safety instrumented systems for the process industry sector". It is also referred to as ANSI/ISA 84.00.01. This standard addresses the application of SISs for the process industries. It requires a process hazard and risk assessment to be carried out to enable the specification for SISs to be derived. In this standard a SIS includes all components and subsystems necessary to carry out the safety instrumented function, from sensor(s) to final element(s). The standard is intended to lead to a high level of consistency in underlying principles, terminology and information within the process industries. This should have both safety and economic benefits. IEC 61511 sits within the framework of IEC 61508.

For more information regarding, or help on implementing or determining, the applied safety standards for your plant/process, please contact your Honeywell affiliate. Our Safety Consultants can help you to
- perform a hazard/risk analysis
- determine the SIL requirements
- design the Safety Instrumented System
- validate and verify the design
- train your local safety staff

Introduction
The Honeywell HC900 P...
36. ...S worksheet into the associated Safety Worksheet for variables enabled for NON-CRITICAL safety functions. NON-CRITICAL safety functions are functions that will NOT affect the ability of the Safety configuration to achieve its intended safe state if/when the transfer fails (corrupted value, wrong value, stuck value, etc.). A simple example of this may be represented by a digital value used to light the pilot of a boiler. The setting of the value is seen as a command which starts a logical process; however, the ability of the process to detect faults, properly operate and achieve a safe state on a fault (such as lack of purge time, detection of flame, etc.), as well as the ability/permissions to execute the command, are not affected and remain in place.

All variables that are enabled inside the safety worksheet must undergo analysis by a safety expert to ensure proper use and functionality. Variables on the safety worksheet that do not require access from values outside of the safety application must have the enable turned OFF (the non-critical safety function is OFF/disabled by default).

The data flow for safety worksheets, including data to/from other devices, is illustrated in the following diagram.

[Figure residue: DEVICE 1..N; DATA FLOW IS BLOCKED; Permissible dataflow between exter...]
37. ...able electronic (E/E/PE) safety instrumented system (SIS) safety-related system.

IEC 61508, the standard for all E/E/PE safety-related systems: IEC 61508 is called "Functional safety of electrical/electronic/programmable electronic safety-related systems". IEC 61508 covers all safety-related systems that are electrotechnical in nature, i.e. Electrical, Electronic and Programmable Electronic systems (E/E/PE).

Generic standard: The standard is generic and is intended to provide guidance on how to develop E/E/PE safety-related devices as used in Safety Instrumented Systems (SIS). IEC 61508
- serves as a basis for the development of sector standards, e.g. for the machinery sector, the process sector, the nuclear sector, etc.
- can serve as a stand-alone standard for those sectors where a sector-specific standard does not exist.

SIL: IEC 61508 details the design requirements for achieving the required Safety Integrity Level (SIL). The safety integrity requirements for each individual safety function may differ. The safety function and SIL requirements are derived from the hazard analysis and the risk assessment. The higher the level of adopted safety integrity, the lower the likelihood of dangerous failure of the SIS. This standard also addresses the safety-related sensors and final elements regardless of the technology used...
38. ...after an OFF-to-ON transition of the RUN input. An ON-to-OFF transition of the RUN input before the delay time has elapsed causes the timer to reset. Transitions from ON to OFF of the input are not delayed.
If RUN is OFF, then OUT = OFF.
If the previous RUN input is OFF and RUN is ON, then TIMER = DELAY.
If RUN is ON and TIMER is 0, then OUT = ON (delay time has timed out).
If RUN is ON and TIMER is NOT 0, then TIMER = TIMER - 1.

On Delay/Off Delay Timer: The block is configurable as On Delay or Off Delay. For On Delay, the output turns ON when the timer expires. For Off Delay, the output turns OFF when the timer expires.

Calendar Event: The Calendar Event block compares user-entered time and date setpoints to the real-time clock to generate digital Event outputs. These Event outputs can be integrated into a control strategy to activate time-synchronized activities. For example, the Event outputs can be used to turn on or turn off the lights in an office building. Each Calendar Event block supports up to eight Event outputs. In addition, the block allows you to configure up to five sets of time and date setpoints, called Setpoint Groups. These Setpoint Groups can be used to activate different sets of time and date setpoints to handle different conditions. Using the example of an office building, Set...
40. ...alue will be maintained. Modbus writes to a function block inside a safety worksheet are only permitted while operating in the RUN/PROGRAM or PROGRAM modes.

Modbus TCP Read: A communication function block that expands the read capability of the Modbus TCP Slave function block by 16 additional data points. Multiple blocks may be connected to the same Modbus TCP Slave block. The Modbus TCP Read block has no inputs and 16 outputs. Up to 16 registers can be configured as the source of data for the outputs. The configuration data for each point consists of the address of the source device on the Modbus link, the register address of the desired data and the register type (Integer, Float or Bit Packed). The sixteen outputs can be connected or tagged in the same manner as any other function block output.

Modbus TCP Write: A communication function block that expands the write capability of the Modbus TCP Slave function block by 8 additional input data points. Multiple blocks may be connected to the same Modbus TCP Slave block. The Modbus TCP Write block has 8 inputs and no outputs. Up to 8 registers can be configured as the data destination of the inputs. The configuration data for each point consists of the address of the source device on the Modbus link, the register address of the desired data and the register type (Integer, Float...
41. Write Variable: Writes a new value to a selected Variable number. Select the target variable number from the specific function block reference data and enter it in the appropriate field in the Write Variable Number dialog box. If EN is ON, then the selected Variable is set to the value of X (for example, X = a constant value). Writing variables into a safety worksheet function block is only permitted when operating in the RUN/PROGRAM or PROGRAM modes.

Safety Note: Variables on the safety worksheet may be written while operating in the Run (locked safety) mode using the Write Variable function block when defined and used as a non-critical safety variable. Non-critical safety variables are defined during configuration development by the safety engineer.

Track and Hold: Provides an output that tracks the value of the input X when a digital input signal TC is ON, or holds the output at the last value of X when TC is OFF. If TC = ON, then OUT = X (TRACK). If TC = OFF, then OUT = last value of X (HOLD).

BCD Translator: Accepts up to 8 digital inputs in sequence and interprets the ON/OFF status of the first 4 inputs as a BCD value between 0 and 9 and the second 4 digits as a value between 10 and 80.

Digital Encoder: This block's main function is to totalize the number of ON states from up to 16 digital signals. The block digitally encodes up to 16 digital inputs to a sin...
42. ...and must be enclosed in parentheses, for example NOT(g).

Pushbutton: Provides the interface from the operator panel to the logic functions of the controller. Provides a one-shot logic ON in response to pressing the corresponding function key on the operator interface. This selection lets you configure the Pushbutton function display, which provides the interface to the four logic operator keypad keys F1 through F4. You can do this for up to 8 Pushbutton blocks, giving you 4 groups (total 32 pushbuttons) that can be set up for selection on your display buttons 1-8. When you select a pushbutton group on a display button (1-8), the operator interface will display the pushbutton function group screen, and buttons F1-F4 on the operator interface will display the information that has been set up for that group. Note: This was an original standard display page in the 559/1042 Operator Interfaces. This function block can be retained when converting to the 900CS Control Station by adding independent Pushbuttons in the Station Designer software and including feedback for each.

Four Selector Switch: Provides 16 digital outputs in groups of four. A dedicated display allows activation of only one output per group while the other outputs in the associated group are turned off.
43. ...ble from third-party suppliers. These modular components are available in any quantity and mix that make the most sense for a given application. As indicated in Figure 3, the HC900 Controller includes provisions for communication via Ethernet with host systems such as the Honeywell Experion HMI and other HMI software that supports the Ethernet Modbus/TCP protocol. Also, the communication structure of the HC900 Controller enables remote placement of input/output components, allowing significant economies in cabling and wiring.

Redundant Controllers and Non-Redundant I/O
The following six components refer to Single process with redundancies (C75S CPU only):
- Redundant CPUs: Redundancy is provided by two C75S CPUs operating in a controller rack; this rack does not have I/O. A Redundancy Switch Module (RSM) sits between the CPUs.
- Redundant CPU Power: Two power supplies, one for each C75S CPU.
- Redundant CPU I/O connection: Each CPU has its own 100 base-T Ethernet physical communication link with one or more racks of I/O. Multiple I/O racks require Ethernet switches.
- I/O racks: 8-slot racks with redundant power supplies are shown, but four additional rack sizes/types are available: 4-slot rack, 8-slot rack, 12-slot rack and 12-slot with redundant power supplies. A Power Status Module (PSM) is required with the redundant power supplies rack. High and low capacity universal AC power supplies are available, as well as a 24 V DC Power Supply.
44. ...ck with redundant Power, Process & Safety.
900RR0-xxxx: Redundant Controller Rack, Process & Safety.
900P01-xxxx: 120/240 VAC, 60 W, Process.
900P02-xxxx: 120/240 VAC, 28 W, Process.
900P24-xxxx: 24 VDC, 60 W, Process.
900PSM-xxxx: Redundant Power Status Module, Process & Safety.
900RSM-xxxx: Redundancy Switch Module, Process & Safety.

900C30S-xxxx-xx: C30 Controller, Process & Safety. No Scanner.
900C50S-xxxx-xx: C50 Controller, Process & Safety. Uses Scanner 1 (S50S).
900C70S-xxxx-xx: C70 Controller, Process & Safety. Uses Scanner 1 (S50S).
900S50S-xxxx-xx: I/O Scanner 1, Process & Safety. Used with C50S and C70S.
900C75S-xxxx-xx: C75S Redundant Controller, Process & Safety. Uses Scanner 2 (S75S).
900S75S-xxxx-xx: I/O Scanner 2, Process & Safety. Used with C75S.
900A01-xxxx: Analog Input, 8 channel, Process & Safety.
900A16-xxxx: Analog Input, Hi level, 16 channel, Process & Safety.
900B01-xxxx: Analog Output, 0 to 20 mA, 4 channel, Process & Safety. Uses AO1 or A16 for AI-V and AO-V function blocks.
900B08-xxxx: Analog Output, 0 to 20 mA, 8 channel, Process & Safety. Uses AO1 or A16 for AI-V and AO-V function blocks.
900B16-xxxx: ...
45. ...compensate for the time the power was off or to resynchronize with the time of day.

AGA8 Detail: The Detail method (AGA8DL) uses the gas analysis of up to 21 components. From the gas analysis, the supercompressibility factor, gas density at flowing and standard conditions, and gas relative density at standard conditions are calculated for input into the AGA calculation for the meter type chosen. Used when accurate gas analysis is available, either via an on-line gas analyzer or from laboratory measurements. The Detail method can handle up to 21 gas components typically found in natural gas. If this information is available, the Detail method is preferable, as accurate results are obtainable over a wider range of conditions than with the Gross method.

AGA8 Gross: The Gross method is used to approximate natural gas by treating it as a mixture of three components: an equivalent hydrocarbon component, Nitrogen and Carbon Dioxide. It is typically used for dry, sweet (no H2S) natural gas. There are two methods used. Gross Method 1 calculates the supercompressibility and gas density from knowledge of the relative density, heating value, and the carbon dioxide, hydrogen and carbon monoxide components. Gross Method 2 calculates the supercompressibility and gas density from knowledge of the relative density and the Nitrogen, carbon dioxide, hydrogen and carbon monoxide components. The Gross Method only works over a limited range of conditions but requires less...
46. ...d CPU B. The input can force a failover between CPUs.

Four Alarm with Hysteresis: This block monitors four analog input values (SP1, SP2, SP3, SP4) and performs up to four alarm comparisons against the PV input. Configurable Alarm types are Disabled, Low, High. The associated output pins AL1 through AL4 will turn ON if the configured HIGH or LOW alarm condition is present. The individual hysteresis settings for each alarm are used to prevent output cycling.

Fault Monitor: This block monitors a user-selected fault condition of the Controller, Rack or Module, allowing the user to configure their fault strategy. Multiple types of faults can be monitored with multiple Fault Monitor blocks.

Signal Selector Blocks
High Selector: Selects the higher of two analog input values X & Y for output. Indicates when Y is higher than X. If X >= Y, then OUT = X, YHI = OFF. If X < Y, then OUT = Y, YHI = ON.
Low Selector: Selects the lower of two analog input values X & Y for output. Indicates when Y is lower than X. If X <= Y, then OUT = X, YLO = OFF. If X > Y, then OUT = Y, YLO = ON.
Switch: Selects input Y for output when digital input signal SY is ON. If SY = ON, then OUT = Y. Otherwise OUT = X.
The single output value is selecte...
47. ...d by the Carbon Potential (CARB) function block.

Totalize: Integrates an Analog variable using a specified rate. Rate may be in units per minute, hour or day. A preset is provided to reset the value when a specific quantity has been accumulated, and provides a digital status output. Separate digital enable and reset inputs are provided. The accumulated value may increment from 0 to the preset for increasing totals, or decrement from the preset to 0 for decreasing totals.

Continuous Average: Provides the average value of a single analog parameter for a user-specified time period, plus the running (instantaneous) average within the time period. The running average value is updated at the end of each sample period. Time periods up to 1440.0 minutes are supported. At the end of the time period the running average value is transferred to the I/O process output. The Hold input allows excluding samples from the average when active.
Cold Start: On the first cycle after a cold start, the instantaneous average output is initialized to the current input value, the sample counter begins to increment and the period timer begins to decrement (assuming that Reset is OFF). The previous average output is set to zero.
Warm Start: On a warm start the calculations continue where they left off. There is no attempt to...
48. ...d from up to 8 analog inputs by a number from 1 to 8. Note: Numbers less than one select input one as the output. Numbers greater than eight select Input 8 as the output. (Rotary Switch)

Analog Xfer Switch: Provides bumpless switching between two analog input values X, Y that is triggered by a digital input signal SY. When switched, the output ramps to the new value at a specified rate (YRATE and XRATE). Bumpless configuration values set the rate at which the output OUT changes to the switched value Y or X respectively. If SY is switched to ON, then OUT changes to the Y value at YRATE. If SY is switched to OFF, then OUT changes to the X value at XRATE. When OUT reaches the selected target input, OUT tracks the selected input until SY changes.

Auxiliary Blocks
Function Generator: Generates an output characteristic curve based on up to 11 configurable breakpoints for both input X and output OUT values. OUT = interpolation of the OUT(n) values for the segment in which X falls. If X < X(1), then OUT = OUT(1). If X > X(11), then OUT = OUT(11). ATTENTION: The X(n) value must be <= the X(n+1) value. Thus, if fewer than 11 breakpoints are needed, be sure to configure any unneeded breakpoints with the same X and OUT values used for the previous breakpoint.

Lead Lag: Modifies an analog input value X to include LEAD (T2) and LAG (T1) time constants of from 0 to 99 minutes when a digital input EN is ON...
49. d through configuration only. For digital inputs, 0 = OFF, 1 = ON.

Text String: You have the option to enter descriptive text on the Function Block Diagram. Any entered data has no effect on the operation of the controller.

Soft Wire: Connects control functions together simply by double-clicking on an input or output pin of one function block and then double-clicking on an input or output pin of another block.

Wire Node: A wire node lets you distribute an output signal to multiple input pins. The wire node has 4 pins; any one pin can be connected to an output signal. This action defines the pin as the input pin of the wire node, and the pin is marked with an arrow head. The other three pins of the wire node are then automatically defined as output pins and can be connected to input pins of function blocks or other wire nodes. Note that multiple soft wires can be connected to each of the three output pins of the wire node, so you can distribute an output signal to more than three input pins on function blocks or other wire nodes using just one wire node. Also note that you can wire an input connector to the input pin of a wire node. This input connector can refer to either a signal tag or a page connector. This is useful if you want to distribute a signal on one page or worksheet to multiple places on another page or worksheet.
50. duction to the Hardware ... 9
Non-Redundant Controller and Non-Redundant I/O ... 13
Redundant Controllers and Non-Redundant I/O ... 13
HC900 Controller Features ... 15
Scope of SIL Certification for HC900 Control System Architectures ... 16
Design and Implementation of HC900 Control System ... 17
Allowable Function Blocks for Process and Safety Functions ... 17
HC900 Control System Operational Modes ... 44
Hardware and Wiring Requirements for Safety Configuration ... 44
HC900 Safety Configurations ... 47
HC900 Control System Diagnostics ... 52
HC900 SIL Control System Communications ... 53
HC900 System Start-Up Test ... 54
HC900 PFD ... 55
Probability of Failure on Demand (PFD) for Low Demand Mode ... 55
HC900 Control System Fault Detection and Response ... 56
Principle of Fault Detection and Response ... 56
Diagnostic Test Interval ... 56
Fault Reaction and I/O States ... 57
HC900 Controller Diagnostics ... 58
SIL Compatibility ... 58
Reliability Data ... 61
51. Tables
Table 1: IEC 61508 versus IEC 61511 terminology ... 2
Table 2: Descriptions of Major Components ... 10
Table 3: Descriptions of Major Redundancy Components ... 12
Table 4: Function Blocks ... 17
Table 5: Status Indicators ... 52
Table 6: SIL Levels ... 55
Table 7: Diagnostic Test Intervals ... 56
Table 8: SIL Compatibility ... 58
Table 9: Reliability Data ... 61

Figures
Figure 1: Small HC900 Controller Configuration ... 5
Figure 2: Expanded HC900 Controller Configuration ... 6
Figure 3: Single process with redundancies ... 7
Figure 4: Configuration with Multiple Controllers ... 9
Figure 5: Two safety applications process with redundancies (C75S CPU only) ... 11
Figure 6: Redundant Configuration with multiple I/O racks (C75S CPU only) ... 14
Figure 7: Analog Input Voting Block ... 41
Figure 8: Analog Output Validation Block ... 42
Figure 9: Digital Input Voting Block
52. e periods thereafter. Start Times: Month, Day, Hour, Minute, Second. Cycle Periods: Monthly, Weekly, Daily. Time Cycle Periods within a Day: Hours (0–23), Minutes (0–59), Seconds (0–59). Note: Once started, the period repeats until reset.

2. Reset Cycle: Generates a digital output based on a digital input and at regular intervals thereafter. Time Start: ON to OFF transition of the reset input. Cycle Time Period: Hours (0–23), Minutes (0–59), Seconds (0–59).

Up/Down Counter: The output counts the number of rising-edge logic transitions on the input to the block, up to a preset value (RPRE or LPRE). When the preset value is reached, a logic output (PREI) is enabled until a Reset input (RST) resets the block. The value may be set to increase to the preset value or decrease from the preset value.

Off Delay Timer: Provides an OFF-state logic output delayed by a user-specified delay time after an ON to OFF transition of the RESET input. An OFF to ON transition of the RESET input before the delay time has elapsed causes the timer to reset. Transitions from OFF to ON of the input are not delayed. If RESET is ON, then OUT = ON. If the previous RESET input is ON and RESET is OFF, then TIMER = DELAY. If RESET is OFF and TIMER is not 0, then TIMER = TIMER − 1. If RESET is OFF and TIMER is 0, then OUT = OFF (the delay time is reset).

On Delay Timer: Provides an ON-state logic output delayed by a user-specified delay time
53. ed by this block. In either case, points are added by selecting the line and clicking on Add to list. Each trend point block can support up to 50 points. The trend function will support up to 250 points.

Communications Blocks

Peer Comm: A communications function block that allows interconnecting controllers with Ethernet media and networking devices to communicate with each other. It requires one block per controller, up to 32 controllers maximum. It supports up to 8 Read and 4 Write parameters. The block does not support forcing, but it will allow data writes to any of its inputs. Writes into function blocks on a safety worksheet are only permitted while operating in the RUN/PROGRAM or PROGRAM modes.

Peer Read: A Peer Data Exchange block that expands the Read capability of the Peer Comm function block by 16 additional points. Multiple Peer Read blocks may be connected to the same Peer Comm function block. Peer Reads inside a safety worksheet are only permitted while operating in the RUN/PROGRAM or PROGRAM modes.

Peer Write: A Peer Data Exchange block that expands the Write capability of the Peer Comm function block by 8 additional points. Multiple Peer Write blocks may be connected to the same Peer Comm function block.

A communication functi
54. ed inputs will default to 0.

Absolute Value: Calculates the absolute value of a single analog variable input. Useful when you need to output a positive number.

Square Root: Extracts the square root of the analog input X, as long as the input is greater than the configured DROPOFF value. If X > DROPOFF, then OUT = square root of X. Otherwise OUT = 0.

Mass Flow: Calculates gas mass flow (OUT) from a differential pressure input value (X) that represents a pressure drop across an orifice plate, for example. It accepts two other inputs to include pressure (Y) and/or temperature (Z) compensation in the calculation. The calculation includes square root extraction.

Min/Max/Avg/Sum: Accepts inputs from up to six analog input values (X1–X6) and calculates these values for output: minimum input value; maximum input value; average of input values; sum of input values; standard deviation value; alarm output for deviations. Turns ON ALM when any input is outside the configured number of standard deviations, when the configuration parameter DEV > 0.

Negate: Converts a value to the opposite-sign value, i.e. 5 in, −5 out; −6 in, 6 out.

Dewpoint: Monitors Dewpoint or Carbon Potential, or uses a Zirconia Probe sensor input to supply a Dewpoint PV to a PID function block for Dewpoint control. Use in conjunction with other blocks, including a PID, to generate more elaborate control strategies than that provide
55. XYR5000 Base Station: This block allows the HC900 controller to act as a Modbus master device and communicate with XYR5000 base radios via the serial port of the controller. Configuration of the HC900 master requires one block per base radio, up to 32 base radios or 1024 parameters maximum. Only one block may be assigned to each XYR5000 base radio slave device. The block supports 10 read parameters from the XYR5000, plus it provides digital indication of communication integrity. For attached transmitters there is a separate 5XYRT block, which is connected to 5XYRB via the address (ADDR) output of the 5XYRB block. Since all the parameters of the 5XYRB block have fixed Modbus register addresses, there is no configuration data associated with addressing of the parameters. All outputs can be tagged in the same manner as any other function block output.

NOTE 1: To read proper values of all transmitter parameters when connecting an HC900 to the XYR5000 system, the XYR5000 base radio must be set to Register Mapping Mode. If a XYR5000 base radio slave device does not respond to a request, the last output value will be maintained.
NOTE 2: The output values of the 5XYRB block may be added to the Custom Modbus Map without the need to assign tags to the output pins.
NOTE 3: In the serial port configuration, set the Baud rate to match the base radio, and Parity to NONE or EVEN (default)
56. er does not start and a yellow LED blinks. Refer to the POST (Power On Self Test) in the HC900 User Manual for more information.
• The controller will start and work fine in case the watchdog test passes.

START UP
1. Review and follow the HC900 Controller Installation and User Guide (51-52-25-107) prior to applying power to the unit.
2. Verify that the controller mode switch is in the proper operating position (RUN, RUN/PROGRAM, PROGRAM).
3. Ensure all INPUTS and OUTPUTS are in their proper start-up state per the application requirements.
4. Ensure all operator interfaces are properly connected and functional.
5. Ensure that all the requirements of this safety manual have been complied with.
6. Ensure all safety precautions and trained safety personnel are in place.
7. Obtain and follow all start-up procedures provided by the safety application engineers.
8. Apply power to the system per the start-up procedure.
9. Verify that the controller start-up LED sequence (if accessible) completes the start-up sequence.

HC900 PFD
Safety-related systems can be classified as operating in either a low demand mode or in a high demand/continuous mode. IEC 61508 quantifies this classification by stating that the frequency of demands for operation of the safety system is no greater than once per year in the low demand mode, or greater than once per year in the high demand/contin
57. est enabled scale (EN1–EN4) is applied to the lagged PV value. The output of the selected scale is then the output of the function block (OUT). A bumpless analog transfer over time is applied when switching between the selected scales. If no scales are selected, then the default input value (DFLT) is written to the output. If the block is disabled, the user-configured Off Value is written to the output. Turning ON an override input (OV1–OV4) sets its output, prior to multiplexing, high or low depending on the state of the override input (OV HI On or Off). The general forcing of outputs is permitted within this block. Ramping and clamping will not apply to the output if it is forced.

Trend Rate: The trend block is used to configure up to three storage rates for the HC900 trend backfill (historical data collection) feature. Only one trend block is allowed in a configuration.

Trend Point: The trend point block is used to configure the data points to be stored by the HC900 trend backfill (historical data collection) feature. The data collection rate for the points configured in the block is determined by the output pin of the TRND block that it is connected to. There is a global parameter, found under the Designer Edit menu, to select whether trend points are to be configured by Modbus address or by Signal Tag. Depending on this choice, double-clicking the block will open one of two dialogs to configure the points to be trend
58. fail, and the resulting failsafe action when repairing the failed input module.

Figure 18: Sample VFAIL qualification (function block diagram)

Figure 18 illustrates a means to prevent VFAIL from turning on immediately after the input module is replaced. FBFAIL driving high is latched by LTCH102, which, when ANDed with an inverted input to AND103, prevents the qualified VFAIL signal (VFAIL_Q) from driving ON. This configuration enhancement allows the user to replace the failed input module without causing a VFAIL trip, since the module will be restarted automatically prior to reconnecting the field connections. The user would subsequently re-enable VFAIL when it is LOW by toggling FB RSTRT ON then OFF, thus clearing the latched LTCH102 output. The remaining function blocks (OFDT106, NOT104, TGFF105) provide a diagnostic warning if FB RSTRT is not toggled after the F
59. g detailed information regarding safety aspects in HC900. A reference guide is an HC900-related guide and does not describe tasks in terms of how to perform the task (steps to follow). A reference guide can provide input to support decisions required to achieve a certain objective.

Basic Skills and Knowledge
Before you start work on the HC900 SIS, it is assumed that you are certified to do work on safety-related systems and devices, and that you have appropriate knowledge of:
• The concepts and functioning of the HC900
• The applicable process and equipment under control within the SIS
• This Safety Manual
• Site procedures
• Applicable safety standards, e.g. IEC 61508 and IEC 61511
This guide assumes that you have a basic familiarity with the process(es) connected to the equipment under control, and that you have a complete understanding of the hazard and risk analysis.

Safety Standards for Process & Equipment Under Control (PUC/EUC)
Processes and Equipment Under Control (PUC/EUC) in the process industry require a high level of safety. Safety Instrumented Systems (SIS) are used to perform Safety Instrumented Functions (SIF). Instrumentation that is used for SIFs must meet minimum standards and performance levels. Standards like IEC 61508 and IEC 61511 have been developed for this purpose. One of the performance criteria that these standards apply is the Safety Integrity Level (SIL). IEC 61508 details the design requirements
60. g of the modular system in the configuration. Safety configurations should make use of these blocks, such as the startup control function outlined in Figure 17. These blocks do not count against the user's function block count and are always operating in the background; however, if the blocks are added to a commissioned system for additional reporting or control, a COLD START will be required.

The HC900 configuration is done in Designer using Process and Safety worksheets. The process configuration is used for non-safety process control configurations (i.e. PID loops) and is fully accessible in all modes of operation. The safety configuration is similar to the process configuration, except that it is made with a restricted set of function blocks on a safety worksheet and restricts changes when operating in the RUN mode. Safety functions must be protected from outside influence to assure proper operation. The HC900 controller ONLY operates as a safety application when it is running in the RUN MODE, also known as RUN LOCK MODE. Dataflow into the safety worksheet is only permitted from I/O modules while operating in the RUN (SAFETY) MODE. Normal process-type operations, including communications within the safety worksheet, are only permitted during the RUN/PROGRAM, PROGRAM or OFFLINE modes of operation, with the exception of the data transfer into the safety worksheet using the WVAR function block. The WVAR function block, when enabled, will transfer data from the PROCES
61. gger: Turns a logic output (OUT) ON for one logic scan cycle when a logic input goes from OFF to ON. If X = ON and the previous value of X was OFF, then OUT = ON (one scan). Otherwise OUT = OFF.

Selectable Trigger: This block allows you to select one of the following input conditions for triggering the digital output:
• The input state changes from OFF to ON
• The input state changes from ON to OFF
• Both of the above
When this block is triggered, its output will be ON for one cycle. This block will also allow you to select one of the following initial scan behaviors:
• No trigger action following a Cold Start or Warm Start
• Trigger the output on the initial scan following a Cold Start (takes precedence over the input pin conditions)
• Trigger the output on the initial scan following a Warm Start (takes precedence over the input pin conditions)
• Trigger the output on the initial scan following a Cold Start or Warm Start (takes precedence over the input pin conditions)

Latch: Latches output (OUT) ON when latch input (L) turns ON, and maintains the latched output until unlatch input (U) turns ON. Note that the latch input must be OFF for the unlatch input to work. If U = ON, then OUT = OFF. If L = ON, then OUT = ON. Else OUT = previous state.

Toggle Flip Flop: Pr
62. gle floating point output value. Sixteen digital inputs. Example: ON causes the input to be included in the total output. Unconnected pins default to OFF. Forcing of the output is not permitted.

Digital Decoder: The Digital Decoder function converts an analog value from the Value Input to the binary equivalent value on the 16 digital outputs (1 through 16). The Value Input accepts whole numbers between 0 and 65535. Fractional values are ignored. The output value OCNT (bottom of block) indicates the total number of digital outputs that are ON, as an analog value. For example, a value of 285 would be represented by binary 0000000100011101, where OUT 1 is the LSB and OUT 16 is the MSB; OCNT = 5 (OUT 1, 3, 4, 5 and 9 are ON). All 16 outputs and the OCNT signal pin are monitored. Forcing of the outputs is not permitted.

Device Control: The Device Control function block is normally used to control pumps. Based on certain events, the device will be placed into one of six states: READY, PRESTART, STARTING, RUNNING, STOPPING, DISABLED or FAILED. The READY (off) state is the initial state of the function block. Forcing of outputs is not permitted within this block.

Alternator: The Alternator function block is typically used to alternate the starting sequence of a group of pumps, valves, f
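The Digital Decoder mapping (OUT 1 = LSB, OUT 16 = MSB, OCNT = number of ON outputs) together with a consistency check of the monitored pins, as an added Python example that is not Honeywell's code; the 285 input is the manual's own worked value:

```python
"""Digital Decoder block model (added example, not part of the HC900 firmware).

Value Input: whole number 0..65535, fractional part ignored.
Outputs: OUT1..OUT16 where OUT1 is the LSB, plus OCNT = count of outputs that are ON.
"""

NUM_OUTPUTS = 16
MAX_VALUE = 65535


def digital_decoder(value):
    """Return (outputs, ocnt) for the Value Input.

    outputs maps pin number 1..16 to True/False; ocnt is the number of ON pins.
    The fractional part is discarded; values outside 0..65535 are rejected.
    """
    whole = int(value)  # truncates toward zero: fractional values are ignored
    if not 0 <= whole <= MAX_VALUE:
        raise ValueError(f"Value Input {value!r} outside 0..{MAX_VALUE}")
    outputs = {n: bool((whole >> (n - 1)) & 1) for n in range(1, NUM_OUTPUTS + 1)}
    ocnt = sum(outputs.values())
    return outputs, ocnt


def on_outputs(outputs):
    """Pin numbers that are ON, in ascending order (e.g. [1, 3, 4, 5, 9] for 285)."""
    return sorted(n for n, on in outputs.items() if on)


def as_bit_string(outputs):
    """Render the outputs MSB first, the way the manual prints 0000000100011101."""
    return "".join("1" if outputs[n] else "0" for n in range(NUM_OUTPUTS, 0, -1))


def pins_consistent(outputs, ocnt):
    """Monitoring check: the reported OCNT must equal the number of ON output pins.

    A mismatch between the two monitored signals indicates a faulty or forced pin.
    """
    return len(on_outputs(outputs)) == ocnt
```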
63. gurable value for process outputs. Failsafe action will be within three seconds, based on a 500 ms normal cycle. Note: All other racks will continue to operate normally unless they are configured to do otherwise. Input modules associated with the rack will go to their programmed failsafe values.

Redundant systems: Loss of I/O communications to the Lead CPU that leaves the Reserve CPU with more I/O racks will result in the transfer of the Lead controller to the Reserve controller, if the Reserve controller has better communications. Loss of I/O communications to both the Lead and Reserve controllers results in the rack going to its failsafe states, similar to the non-redundant system above.

Fault Detection
This section describes the fault detection and reaction of the system. The system performs continuous diagnostics on all critical parts of the system. All SIF-related diagnostics are executed with a background execution task, with a complete diagnostic execution within the defined Diagnostic Test Interval. When the system detects a fault, the diagnostic will be reported and the corresponding action is performed. Below, the system responses of safety-related modules are explained.

Processor module: The processor module performs diagnostic tests on all critical parts of the module, like memory, processors, address li
64. he low rate setpoint.

Read Constant: Reads the numerical value of a selected configuration parameter in a given function block. Select the index number of the required parameter from the specific function block reference data and enter it in the appropriate field in the Read Constant Properties dialog box. The main purpose of this control block is to make a block configuration parameter constant available for display. To do this, you must enter the corresponding parameter index number for the selected configuration parameter. When used in a safety worksheet, the specific function block must also be on a safety worksheet.

Write Constant: Writes the numerical value of a selected configuration parameter to a given control block. Select the index number of the required parameter from the specific function block reference data and enter it in the appropriate field in the Write Constant Properties dialog box. If EN is ON, change the selected parameter to the value of X. ATTENTION: Not valid for all blocks. Writing constants into a safety worksheet function block is only permitted when operating in the RUN/PROGRAM or PROGRAM modes.
65. he module, and the module responds with accumulated pulse counts, a preset indicator (PREI) when the preset value is reached, a counter overflow indicator (OVFL), and FAIL. The block converts the accumulated pulse count to EU.

Pulse Output: This function block generates a pulse train of a specified number of pulses following a start instruction. The pulse frequency is selectable. The output controls an output transistor on a Pulse/Frequency/Quadrature module. The number of pulses remaining following a start instruction is provided on the output pin.

Quadrature Input: This function block measures/controls movement of an actuated device. A digital encoder connected to the actuated device produces two channels (A and B) of square waves offset 90 degrees. Quadrature refers to the 4 logic states between these two waves. The rising edge to rising edge cycle on channel A or B indicates that one set of bars on the encoder has passed by its optical sensor. By counting these passing rising edges, the Quadrature block measures: (1) distance, or whatever engineering units are being controlled by the device; (2) position, that is, distance from a marker designated as zero; (3) direction, indicated by the sequence between the two channels (A leads B, or B leads A). More precise measurement/control i
66. ial that the instrumentation meets certain minimum standards and performance levels. To define the characteristics, main concepts and required performance levels, the standards IEC 61508 and IEC 61511 have been developed. The introduction of the Safety Integrity Level (SIL) is one of the results of these standards. This brief provides a short explanation of each standard. Detailed information regarding IEC 61508 and 61511 can be found on the IEC web site (http://www.iec.org).

What standard to use
• If you are in the process sector and you are an owner/user, it is strongly recommended that you pay attention to IEC 61511 (ANSI/ISA 84.00.01).
• If you are in the process sector and you are a manufacturer, it is strongly recommended that you pay attention to IEC 61508.
• If you are in another sector, it is strongly recommended that you look for and use your sector-specific IEC standard for functional safety, if there is one. If none exists, you can use IEC 61508 instead.

IEC 61508 and IEC 61511 terminology
This guide contains both IEC 61508 and IEC 61511 related terminology. As IEC 61511 sits within the framework of IEC 61508, most of the terminology used may be interchanged. Table 1 below provides an overview of the most common interchangeable terminology.

Table 1: IEC 61508 versus IEC 61511 terminology
IEC 61508 terminology | IEC 61511 terminology
safety function | safety instrumented function
electrical/electronic/programm
67. ilters, etc. Each block accepts up to 16 inputs and controls up to 16 outputs. There are four unique alternation styles used to control the output starting sequence, so that you can limit the amount of repeat or continuous usage of a single device (pumps, valves, etc.). If an output device fails or has been disabled, then an alternate device will be used in order to meet the requested demand. You may specify the alternator's active outputs and the order in which the outputs are manipulated.

Stage: The Stage function block provides differential On/Off control and is typically used to monitor pressure and flow for controlling pumps and operating valves. There are four individual stages grouped together in the function block. The block monitors from one to two analog inputs (PV1, PV2), which are common to all four stages, compares them for each stage by a configurable comparator, and provides On/Off control outputs for the four stages based on configurable setpoints for each stage. Each stage can be individually enabled and forced ON or OFF (OVON, OVOFF). Previous interlocking prevents a stage's output from turning ON until the previous stage has turned ON. Next interlocking prevents a stage's output from turning OFF until the output of the next stage in sequence has turned OFF. Interlocking is provided for stages where the output of the stage is dependent on the state of the previous and next stage. It also works across sequentially co
68. instrumentation to implement AGA3 Orifice Meter Calculations for orifice metering.

AGA7: Turbine Meter Calculations for gas measurement by turbine meters.
AGA9: Ultrasonic Meter Calculations for gas flow measurements from multi-path ultrasonic meters.

Alarm Monitor Blocks
High Monitor: Monitors two analog input values (X and Y) and turns ON a digital output if X exceeds Y. A hysteresis adjustment is provided to prevent output cycling. If X > Y, then OUT = ON. If X <= (Y − Hysteresis), then OUT = OFF. If (Y − Hysteresis) < X <= Y, then OUT = previous state.
Low Monitor: Monitors two analog input values (X and Y) and turns ON a digital output if X is less than Y. A hysteresis adjustment is provided to prevent output cycling. If X < Y, then OUT = ON. If X >= (Y + Hysteresis), then OUT = OFF. If (Y + Hysteresis) > X >= Y, then OUT = previous state.

System Monitor (FSYS): The Fast Logic Status Block (FSYS) is a function block and is part of the Fast Scan Alarm Monitor Blocks category. It provides read access to controller status values, including those related to the Fast Scan execution cycle. The output may be connected to function block inputs. The outputs may also be connected to
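The High Monitor and Low Monitor state rules run over a constructed sample sequence, as an added Python example (not Honeywell's code) that also shows the output cycling a zero hysteresis would produce:

```python
"""High/Low Monitor alarm blocks with hysteresis (added example).

Each monitor is a pure function of the current inputs and the previous output state,
which is exactly how the manual specifies it: the 'previous state' band between the
trip threshold and the reset threshold is what prevents output chatter.
"""


def high_monitor(x, y, hysteresis, prev):
    """OUT for the High Monitor block given previous OUT (prev)."""
    if x > y:
        return True                  # If X > Y then OUT = ON
    if x <= y - hysteresis:
        return False                 # If X <= (Y - Hysteresis) then OUT = OFF
    return prev                      # otherwise OUT = previous state


def low_monitor(x, y, hysteresis, prev):
    """OUT for the Low Monitor block given previous OUT (prev)."""
    if x < y:
        return True                  # If X < Y then OUT = ON
    if x >= y + hysteresis:
        return False                 # If X >= (Y + Hysteresis) then OUT = OFF
    return prev                      # otherwise OUT = previous state


def run_monitor(monitor, samples, y, hysteresis, initial=False):
    """Scan-by-scan simulation: feed each X sample and collect the OUT sequence."""
    out = initial
    history = []
    for x in samples:
        out = monitor(x, y, hysteresis, out)
        history.append(out)
    return history


def count_transitions(history, initial=False):
    """Number of OUT changes; a chattering output produces many more than a clean trip."""
    prev = initial
    changes = 0
    for state in history:
        if state != prev:
            changes += 1
        prev = state
    return changes


# Constructed PV samples hovering around a high limit Y = 100 (not plant data).
HIGH_SAMPLES = [90, 101, 99.5, 98, 100, 97]
# Constructed PV samples around a low limit Y = 20.
LOW_SAMPLES = [25, 19, 21, 23, 22]
```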
69. ks when the state of any connected SPP is changed from the operator panel or a communication request.

Setpoint Scheduler Blocks
Program State for Setpoint Scheduler: Synchronizes changes in setpoint/program state for multiple SPP function blocks when the state of any connected SPP is changed from the operator panel or a communication request.
State Switch: Connects to the Master block (SPS) via a dedicated connection and accepts digital inputs to cause scheduler mode changes. The State Switch block accepts state request digital inputs and produces an encoded output for input to the master SPS block.
State Flags: Connects to the Master block (SPS) via a dedicated connection and provides logic 1 (ON) state digital outputs for Scheduler modes. The State Flags block accepts the encoded master block state as input and produces digital outputs corresponding to the current value of STFL.
Auxiliary Setpoint Scheduler: The eight setpoint outputs of the Auxiliary Setpoint block are set to the current step value. The current step is an input to the block and must be connected to the Auxiliary step output of a Master Scheduler block. At the end of a step, the outputs of the slave block go directly to the next step value. That is, ramps are not supported.
Event Decoder: Sets up to sixteen digital event outputs that may be ON or OFF on a per-segment basis. If Program Number (PGM) = 0, Segment Number (SEG) = 0, or Program State (STA) is RESET, then E1 to E16 = OF
70. nal devices, worksheets and I/O devices. Prohibited dataflow between external devices, worksheets and I/O devices.

Figure 16: Safety Dataflow (process worksheet: data flow is allowed, process functions; safety worksheet: safety-critical functions and non-critical safety functions, with only limited dataflow between external devices, worksheets and I/O devices, WVAR used for transfer)

Guidelines for developing a safety configuration
• Remember that the safety configurations are for controller revisions 6.xx and above only. Earlier revisions don't support safety configuration.
• Safety worksheets appear only if the Safety Controller (designated by an S following the model number) is selected, i.e. C75S.
• The safety configuration must be entered and fully contained within the safety worksheets. Process configuration can be entered in the process worksheet. They are independent of each other, with safety data flow outbound only when operating in the SAFETY RUN mode. In a safety-enabled configuration, Process blocks can read outputs of both Process and Safety blocks, but Safety blocks can only read and process outputs from other Safety blocks when operating in the SAFETY RUN mode. Safety blocks can write to Process and Safety blocks, but Process blocks can only write to other Process blocks when operating in the SAFETY RUN mode. The Write Variable function
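The worksheet isolation rules above (safety data flows outbound only in SAFETY RUN mode, inbound only from I/O modules or through WVAR, everything permitted in the other modes) encoded as a configuration audit, as an added Python example that is not Honeywell's tooling; the wire list and the source categories are constructed for the example:

```python
"""Audit of proposed wires against the HC900 safety/process dataflow rules (added example).

Sources: a block on the "process" or "safety" worksheet, an "io" module, an "external"
device (communications), or the "wvar" transfer block, which the manual names as the
one permitted path from the process side into the safety worksheet.
Destinations: the worksheet of the block that consumes the data.
Mode names follow the manual: RUN is the SAFETY RUN (RUN LOCK) mode.
"""
from dataclasses import dataclass

SAFETY_RUN_MODE = "RUN"
ALL_MODES = {"RUN", "RUN/PROGRAM", "PROGRAM", "OFFLINE"}
SOURCES = {"process", "safety", "io", "external", "wvar"}
WORKSHEETS = {"process", "safety"}
SAFETY_INBOUND_ALLOWED = {"safety", "io", "wvar"}


@dataclass(frozen=True)
class Wire:
    source: str        # category of the signal's origin (see module docstring)
    destination: str   # worksheet of the consuming block
    label: str = ""    # free text carried into the audit report


def flow_allowed(wire, mode):
    """True if the wire is permitted to carry data in the given operating mode."""
    if mode not in ALL_MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if wire.source not in SOURCES or wire.destination not in WORKSHEETS:
        raise ValueError(f"malformed wire {wire!r}")
    if mode != SAFETY_RUN_MODE:
        return True        # normal process-type operations are permitted in these modes
    if wire.destination == "process":
        return True        # process blocks may read safety outputs; safety may write process
    # Data entering the safety worksheet while in SAFETY RUN mode: only from safety
    # blocks, I/O modules, or the WVAR transfer block.
    return wire.source in SAFETY_INBOUND_ALLOWED


def audit(wires, mode):
    """Return the wires that violate the rules in the given mode (empty list = clean)."""
    return [w for w in wires if not flow_allowed(w, mode)]


# Constructed wire list for a hypothetical configuration review.
SAMPLE_WIRES = [
    Wire("io", "safety", "pressure transmitter -> safety voting block"),
    Wire("safety", "process", "trip status -> process HMI logic"),
    Wire("process", "safety", "operator setpoint -> safety limit block"),
    Wire("wvar", "safety", "operator setpoint via WVAR -> safety limit block"),
    Wire("external", "safety", "peer controller read -> safety block"),
    Wire("process", "process", "PID output -> analog output block"),
]


def sample_violations(mode=SAFETY_RUN_MODE):
    """Labels of the SAMPLE_WIRES that would be rejected in the given mode."""
    return [w.label for w in audit(SAMPLE_WIRES, mode)]
```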
71. nes, etc. When a fault is detected, the CPU module will post the fault, reset itself, and restart the application configuration if possible.

Safety-related modules: Module diagnostics are scanned every fast or normal scan interval, depending on the application configuration. When a fault is detected, a diagnostic is reported and the associated function block's fault pin is asserted. Output modules are driven to their failsafe state either under controller direction or on detection of a loss of communication to their controller or scanner. The failsafe time-out of communication loss with an I/O module is 1.5 seconds, based on a 500 ms normal scan time. The controller application will continue to execute based upon the application's configuration.

HC900 Controller Diagnostics
HC900 Controller diagnostics can be found in the HC900 Process Controller Installation and User Guide, 51-52-25-154 (or 51-52-25-107 for Legacy HC900).

SIL Compatibility
Verify Hardware and Firmware revision numbers at the following URL: https://www.honeywellprocess.com/library/support/Public/Downloads/HC900 Safety Controller Modules Revisions.zip

Table 8: SIL Compatibility
Model Number | Description | Process/Safety Applications | Notes
900R04-xxxx | 4 Slot Rack | Process & Safety |
900R08-xxxx | 8 Slot Rack | Process & Safety |
900R12-xxxx | 12 Slot Rack | Process & Safety |
900R08R-xxxx | 8 Slot Rack w/ redundant Power | Process & Safety |
900R12R-xxxx | 12 Slot Ra
72. nnected function blocks. In order for interlocking between function blocks to operate, the interlocking input/output pin of a STAGE function block must be directly connected (or connected with a signal tag) to another STAGE function block's interlocking input/output pin. An improper connection, such as inserting another function block type between two successive Stage blocks, invalidates the interlock signal. The HC900 controller can support up to 16 Stage algorithms. Each algorithm has a dedicated display for operation and monitoring on the Operator Interface. The Operator Interface supports on-line changes of the setpoints, delay times and interlock selections. The general forcing of outputs is not permitted within this block.

Ramp: The RAMP function block is typically used for variable speed, valve position and chemical feed control applications to reduce the output value as more external devices are enabled. For example, if one pump is running at 100% and a second pump is enabled, the output value may be re-scaled to 50% by the pump 2 enable signal. The ramp block references an analog signal and, using four separate scales multiplexed together, provides a single analog output over a programmed range. A configurable signal lag (LAG TIME) is applied to the referenced analog input (PV). The high
o the chassis or frame of the equipment shall be bonded to Protective Earth at the source of supply, in accordance with national and local electrical code requirements.

Terms and Abbreviations
1oo1: One out of one.
2oo3: Two out of three.
Basic Safety: The equipment must be designed and manufactured such that it protects against the risk of damage to persons by electrical shock and other hazards, and against resulting fire and explosion. The protection must be effective under all conditions of nominal operation and under single fault conditions.
DU: Dangerous Undetected failures.
FMEDA: Failure Modes, Effects and Diagnostic Analysis.
Functional Safety: The ability of a system to carry out the actions necessary to achieve or maintain a defined safe state for the equipment, machinery, plant or apparatus under control of the system.
GTS: Global Technical Support Center.
HFT: Hardware Fault Tolerance.
Low demand mode: Mode where the frequency of demands for operation made on a safety related system is no greater than one per year and no greater than twice the proof test frequency.
PFDavg: Average Probability of Failure on Demand.
Safety: Freedom from unacceptable risk of harm.
Safety Assessment: The investigation to arrive at a judgment, based on evidence, of the safety achieved by safety related sy
ofile may be a ramp or a soak, except that the last segment must be a soak. In addition to the main ramp and soak output value, a second AUX analog value is available for each step of the program. This output is a fixed soak value that may be used to provide a setpoint value for a secondary control loop in the process. A Setpoint Guarantee function is provided that holds the program if a process variable exceeds a predefined deviation from setpoint. Selections allow setpoint guarantee to be active for the entire program, for soak segments only, for user specified segments, or for no segments. Up to 3 Process Variables may be configured as inputs to the block for setpoint guarantee.

Recipe Selection Block
Loads the numbered RECIPE (NUM) into the various blocks of the controller when digital signal LD is ON. If LD = ON, then the recipe numbered NUM is loaded in place of the current set of variable values.

Event Decoder
Sets up to sixteen digital event outputs that may be ON or OFF on a per-segment basis. If Program Number PGM = 0, Segment Number SEG = 0, or Program State STA is RESET, then E1 to E16 = OFF. Otherwise E1 to E16 are as specified in program PGM, segment SEG.

Synchronizer
Synchronizes changes in setpoint Program State for multiple SPP function bloc
ommon analog input voting function block is connected to any combination of three input channels. Up to three input channels may be connected to the source; the function block output pin reflects the first channel that agrees within 3% with another valid, enabled channel. (Figure 7: Analog Input Voting Block. AI V block with inputs CH A, CH B, CH C, output O/P, status VFAIL and the Compare function.)

Analog Output Validation Function Block (AO V)
The selected analog input is compared to the AO channel output value for verification of the output. (Figure 8: Analog Output Validation Block. Inputs Electrical and Desired Value, output VFAIL, Compare function.)

Digital Input Voting Function Block (DI V)
The common digital input voting function block is connected to any combination of three input channels. Up to three input channels may be connected to the digital source; the function block output pin reflects the majority of the valid, enabled input channels. (Figure 9: Digital Input Voting Block. DI V block with inputs CH A, CH B, CH C, output O/P, status VFAIL and the Compare function.)

Digital Output Validation Function Block (DO V)
The selected digital input is compared to the DO channel output state for verification of the output. Note: the state used for the DO V comparison may require an inversion selection inside the function block. Digital inputs' ON state corres
on Design and implementation

Allowable Function Blocks for Process and Safety Functions
The following table lists the function blocks which are allowed in the safety portion, and the function blocks which are allowed in the process control portion, of an HC900 controller configuration.

Table 4: Function Blocks. Columns: Category and Function Block Name; Description of Function; can the FB be used in a safety related function (Safety); can the FB be used in a process control configuration (Process).

I/O Blocks
Analog Input: Reads the value of an Analog Input from a specified physical I/O address.
Analog Input with Remote Cold Junction: This block is used only for thermocouples when the thermocouple cold junction is in a remote location, i.e. NOT connected at the AI module. Safety: X. Process: X.
Analog Input with Voting: Reads the values of up to three Analog Inputs from specified real I/O addresses. The function block value reflects the channels that are within tolerance (3%) of each other. Safety: X. Process: X.
Analog Output: The output range high and range low values (0 to 20 mA max) set the milliamp output values that correspond to the 0 to 100% span limits of the inputs. Safety: X. Process: X.
Analog Output with Feedback: The output range high and range low values (0 to 20 mA max) set the milliamp output values that correspond to the 0 to 100% span limits of the inputs. The feedback channel validates that the physical output is within tolerance (3%). Safety: X. Process: X.
Discrete Input: Provides the digital stat
on block that allows the controller to act as a Master device and communicate with slave devices using the Modbus protocol. Requires one block per slave device, up to 32 devices maximum. Only one block may be assigned to each device. Supports 4 read and 4 write parameters, plus a digital indication of communication integrity. Integer values are converted to floating point values prior to output. If a Modbus slave device does not respond to a request, the last output value is maintained. Modbus writes to a function block inside a safety worksheet are only permitted while operating in the RUN-Program or Program modes. Modbus itself carries no authentication, so this mode restriction is the controller's only control over writes into the safety worksheet from the Modbus side; it does not replace the firewall required in the System Overview.

Modbus Slave
A communication function block that expands the read capability of the Modbus Slave function block by 32 additional data points. Multiple blocks may be connected to the same Modbus Slave block. The Modbus read block has no inputs and 32 outputs. Up to 32 registers can be configured as the source of Modbus read data for the outputs. The configuration data for each point consists of the address of the source device on the Modbus link, the register address of the desired data, and the register type (Integer, Float or Bit Packed). The outputs can be connected or tagged in the same manner as any other function block output.
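The mode rule above (Modbus writes into a safety worksheet are honoured only in RUN-Program or Program mode) is easy to state and easy to get wrong at the frame level, because the write may arrive as a single-register write, a multi-register write, or a read/write-multiple request. The following is an added example, not Honeywell code and not the controller's own implementation: it parses a Modbus/TCP frame far enough to know which addresses a request touches, validates the MBAP and PDU length fields, and applies the mode policy. The mode names ("RUN-PROGRAM", "PROGRAM", "SAFE RUN"), the mapping of holding-register addresses to the safety worksheet, and the sample frames are assumptions made for the example.

```python
"""Triage of Modbus/TCP requests against a controller-mode write policy.

Added example, not Honeywell code. It models the rule above: Modbus writes that land in
the safety worksheet are honoured only in RUN-Program or Program mode. The mode names,
the register-to-worksheet mapping and the sample frames are assumptions."""
import struct
from dataclasses import dataclass
from typing import Iterable, Tuple

# Public function codes from the Modbus Application Protocol specification.
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x17}
# Modes in which the page says safety-worksheet writes are accepted (spelling assumed).
WRITE_PERMITTED_MODES = {"RUN-PROGRAM", "PROGRAM"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: int
    quantity: int


def build_frame(tid: int, unit: int, function: int, body: bytes) -> bytes:
    """Prepend an MBAP header; its length field counts the unit id byte plus the PDU."""
    pdu = bytes([function]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_registers(tid: int, unit: int, addr: int, qty: int) -> bytes:
    return build_frame(tid, unit, 0x03, struct.pack(">HH", addr, qty))


def write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    return build_frame(tid, unit, 0x06, struct.pack(">HH", addr, value))


def write_multiple_registers(tid: int, unit: int, addr: int, values: Iterable[int]) -> bytes:
    data = b"".join(struct.pack(">H", v) for v in values)
    return build_frame(tid, unit, 0x10, struct.pack(">HHB", addr, len(data) // 2, len(data)) + data)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the address/quantity fields of the common PDUs,
    rejecting frames whose length fields disagree with the bytes actually received."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match bytes received")
    function, pdu = frame[7], frame[8:]

    def fields(fmt: str) -> tuple:
        if len(pdu) < struct.calcsize(fmt):
            raise ValueError(f"truncated PDU for function 0x{function:02X}")
        return struct.unpack(fmt, pdu[:struct.calcsize(fmt)])

    if function in (0x01, 0x02, 0x03, 0x04):
        start, qty = fields(">HH")
    elif function in (0x05, 0x06):
        (start,) = fields(">H")
        qty = 1
        if len(pdu) != 4:
            raise ValueError("single write PDU must carry exactly one value")
    elif function in (0x0F, 0x10):
        start, qty, byte_count = fields(">HHB")
        expected = (qty + 7) // 8 if function == 0x0F else 2 * qty
        if byte_count != expected or len(pdu) != 5 + byte_count:
            raise ValueError("write payload length does not match quantity")
    elif function == 0x17:
        _, _, start, qty, byte_count = fields(">HHHHB")
        if byte_count != 2 * qty or len(pdu) != 9 + byte_count:
            raise ValueError("read/write payload length does not match quantity")
    else:
        raise ValueError(f"unsupported function code 0x{function:02X}")
    return ModbusRequest(tid, unit, function, start, qty)


def write_allowed(req: ModbusRequest, mode: str, safety_registers: Iterable[int]) -> Tuple[bool, str]:
    """Decide whether to honour `req`, given the controller mode and the holding-register
    addresses mapped to the safety worksheet (the mapping itself is an assumption)."""
    if req.function in READ_FUNCTIONS:
        return True, "read"
    safety = set(safety_registers)
    touched = range(req.start_address, req.start_address + req.quantity)
    if not any(addr in safety for addr in touched):
        return True, "process worksheet write"
    if mode.strip().upper() not in WRITE_PERMITTED_MODES:
        return False, f"safety worksheet write rejected in {mode} mode"
    return True, "safety worksheet write accepted"
```

The length checks matter as much as the policy: a frame whose MBAP length or byte count disagrees with the bytes received is the classic way a parser is pushed into reading past a buffer, so it is rejected before any address is inspected. A read/write-multiple request (function 0x17) is classified as a write even though it also reads, since its write portion lands in the same registers.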
onfiguration require approved, listed I/O modules, interconnected to ensure that proper fault detection and action is achieved. The diagram below outlines this wiring concept. The digital output channel controlling the external master field relay should be located in the first local rack of a non-redundant system. Additionally, two outputs from two modules provide maximum safety protection. (Figure 12: IO V function block connections. Figure note, only partly legible: "... be required on contact inputs", referring to a 900G01 digital input module.)

The external master field relay shown in Figure 12 is further demonstrated in Figure 13 through Figure 15. They demonstrate the connection of the series output relay's NORMALLY OPEN contact to protect against outputs that are stuck ON. This relay may be added individually, as shown in Figure 13 and Figure 15, or common to multiple channel outputs, as shown in Figure 14 and Figure 15. The external master field relay must be configured to open when the DO V or AO V functions on the safety worksheet indicate a failure with the Fail or VFail pin ON. (Figure 13, first part: 24 VDC supply, sourcing DO 8 module 900H01 driving a Relay Output 900H01.)
oning Output) or TPSC (Three Position Step Output) output types.

Position Prop Output
Allows the control of a valve or other actuator having an electric motor driven by two digital output channels, one to move the motor upscale and the other to move it downscale, with a feedback signal to indicate motor position. Supports motor speeds from 12 to 300 seconds. Outputs 17 through 32 of the 32 Channel DO Module may not be used for TPO (Time Proportioning Output), PPO (Position Proportioning Output) or TPSC (Three Position Step Output) output types.

Frequency Input
This function is used for measuring speed and rate. It reads a single frequency channel from a Pulse/Frequency/Quadrature input module. The signal is scaled from the selected frequency span to the selected output range in engineering units, providing an output value in engineering units. The input signal is rejected if it is below a selected pulse width. The frequency of pulses above this width must be within the range specified by Pulse Width Range; otherwise the output goes to failsafe and a failure-to-convert error occurs.

Pulse Input
This function block reads pulses from a single input channel on a Pulse/Frequency/Quadrature input module. It measures quantity by scaling the number of pulses to engineering units (EU). It measures rate in engineering units by dividing the number of pulses by time. The preset values, reset, preset action and hold flags are sent to t
ovides an ON state output when a digital input goes from OFF to ON and the previous state of the output was OFF, and an OFF state output when the digital input goes from OFF to ON and the previous state of the output was ON. OUT = ON when X changes from OFF to ON and the previous state of OUT was OFF. OUT = OFF when X changes from OFF to ON and the previous state of OUT was ON. Reset sets the output to OFF regardless of the current state.

Free Form Logic
Reads digital inputs A through H and calculates the output based on a specified Boolean logic function. Offers the following Boolean logic functions: AND, OR, NOT (entered as "not"), XOR, left parenthesis and right parenthesis. This function block consumes significantly more execution time than gate logic. Extensive use of this block in the fast logic scan can add significantly to the overall system cycle time. Use only the following words and characters in an equation: AND (logical AND), OR (logical OR), NOT (unary NOT), XOR (exclusive OR), and parentheses of three types. Variables cannot have No Type. A left parenthesis must have a matching right parenthesis, and the matching parenthesis must be of the same type. Parentheses may be nested to any depth. Logical AND, OR and XOR must have a left and a right operand. Unary NOT must have one operand to the right, and the oper
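The Free Form Logic rules above amount to a small grammar with validation requirements: every binary operator needs two operands, NOT needs one, and each of the three parenthesis types must be closed by its own kind at any nesting depth. The following is an added example, not Honeywell code and not the controller's own parser: a recursive-descent parser and evaluator that enforces those rules and rejects an input that has no value. It assumes that the three parenthesis types are ( ), [ ] and { }, that the operators are typed as the words AND, OR, NOT and XOR, and that precedence is NOT, then AND, then XOR, then OR; none of these details is stated on the page.

```python
"""Parser and evaluator for the Free Form Logic expression rules described above.

Added example, not Honeywell code. Rules from the page: inputs A to H, operators AND, OR,
NOT and XOR, three parenthesis types whose closer must match the opener, any nesting
depth, two operands for AND/OR/XOR and one for NOT, and no input without a value.
Assumptions: the parenthesis types are ( ), [ ] and { }, operators are written as words,
and precedence is NOT, then AND, then XOR, then OR."""
import re
from typing import Dict, List, Tuple

OPEN_TO_CLOSE = {"(": ")", "[": "]", "{": "}"}
VARIABLES = set("ABCDEFGH")
_TOKEN = re.compile(r"AND|OR|NOT|XOR|[A-H]|[()\[\]{}]")


class FreeFormLogicError(ValueError):
    """Raised for any expression or input set the block would reject."""


def tokenize(expr: str) -> List[str]:
    """Split an equation into operator words, inputs and parentheses; anything else is illegal."""
    text, tokens, pos = expr.upper(), [], 0
    for match in _TOKEN.finditer(text):
        if text[pos:match.start()].strip():
            raise FreeFormLogicError(f"illegal text {text[pos:match.start()].strip()!r}")
        tokens.append(match.group())
        pos = match.end()
    if text[pos:].strip():
        raise FreeFormLogicError(f"illegal text {text[pos:].strip()!r}")
    return tokens


class _Parser:
    # Grammar: or := xor (OR xor)*; xor := and (XOR and)*; and := unary (AND unary)*;
    # unary := NOT unary | input | opener or matching-closer
    def __init__(self, tokens: List[str]):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def chain(self, op: str, operand) -> Tuple:
        node = operand()
        while self.peek() == op:          # each operator must see an operand on both sides
            self.take()
            node = (op, node, operand())
        return node

    def or_expr(self):
        return self.chain("OR", lambda: self.chain("XOR", lambda: self.chain("AND", self.unary)))

    def unary(self) -> Tuple:
        if self.peek() == "NOT":
            self.take()
            return ("NOT", self.unary())
        token = self.take()
        if token is None:
            raise FreeFormLogicError("operator is missing an operand")
        if token in VARIABLES:
            return ("VAR", token)
        if token in OPEN_TO_CLOSE:
            node = self.or_expr()
            closer = self.take()
            if closer != OPEN_TO_CLOSE[token]:
                raise FreeFormLogicError(f"{token!r} must be closed by {OPEN_TO_CLOSE[token]!r}, found {closer!r}")
            return node
        raise FreeFormLogicError(f"unexpected {token!r}: operators need an operand on each side")


def compile_logic(expr: str) -> Tuple:
    """Validate an equation and return its syntax tree, or raise FreeFormLogicError."""
    parser = _Parser(tokenize(expr))
    tree = parser.or_expr()
    if parser.peek() is not None:
        raise FreeFormLogicError(f"unexpected {parser.peek()!r} after end of expression")
    return tree


def evaluate(node: Tuple, inputs: Dict[str, bool]) -> bool:
    kind = node[0]
    if kind == "VAR":
        if node[1] not in inputs:          # "Variables cannot have No Type"
            raise FreeFormLogicError(f"input {node[1]} has no value")
        return bool(inputs[node[1]])
    if kind == "NOT":
        return not evaluate(node[1], inputs)
    left, right = evaluate(node[1], inputs), evaluate(node[2], inputs)
    return {"AND": left and right, "OR": left or right, "XOR": left != right}[kind]


def free_form_logic(expr: str, inputs: Dict[str, bool]) -> bool:
    """OUT of the block for one scan: parse `expr` and evaluate it against inputs A..H."""
    return evaluate(compile_logic(expr), inputs)
```

Compile the equation once at configuration time and keep the tree; parsing on every scan would reproduce the execution-time cost the page warns about for this block.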
point Groups can be used to activate a different set of time and date setpoints for each season of the year: Spring, Summer, Fall and Winter. Each Calendar Event block supports five Setpoint Groups. The block also allows you to configure up to 16 Special Days. On these Special Days the Calendar Event block overrides its normal event processing for a 24 hour period. For example, you can configure selected Event outputs to remain off on designated holidays.

Real Time Clock
The Real Time Clock block provides output pins that you can access in your configuration to make decisions based on the value of the controller's Real Time Clock (time and date). It controls the change between Daylight Saving and Standard time and indicates when the controller time is in Daylight Saving. If the controller is using a network time server, it indicates whether the connection to the server has failed.

Math Blocks
Scale and Bias: Multiplies an analog input value X by a scaling constant K and adds Bias to it.
ADD: Adds two inputs X and Y to get an output.
SUB: Subtracts one input X from another Y to obtain an output.
MUL: Multiplies one analog input value X by another Y.
DIV: Divides one input X by another Y. If Y = 0 then OUT = 0 and the block status is set to error; otherwise OUT = X / Y.
4 Input ADD: Adds four inputs X, Y1, Y2 and Y3 to get an output.
4 Input SUB: Subtracts three analog inputs X1, X2 and X3 from input Y.
pond to the presence of a HIGH input voltage on its terminals, whereas digital outputs ON either drive the output voltage ON (for sourcing types) or OFF (for sinking types of outputs). (Figure 10: Digital Output Validation Block. DO V block with inputs Electrical and Desired State, output VFAIL, Compare function.)

Fault monitor function block (FMON)
(Figure 11: Fault Monitor Block, with DIAG selection, FAIL output and CLRFLT input pins.) In this function block the type of diagnostic to be monitored is user configurable, providing an output fault pin for logical action on the fault. The fault pin is set to indicate that the selected fault type has been detected by the controller. The CLRFLT input pin allows the user to clear any faults. For more details on these function blocks refer to the sections for the respective blocks in the function blocks manual, HC900 Process Control Designer Function Block Reference Guide, 51-52-25-109.

HC900 Control System Operational Modes
Refer to the installation guide for information on operating modes.

Hardware and wiring requirements for safety configuration
Only Safety Controllers and Scanners may be used in a safety application. The I/O channels used in a safety c
present. All Rack Hi Temp and Module Fail pins are OFF. All channels are operating normally.
HCD Monitor: Controller Diagnostic Summary is GOOD. All communication ports are GOOD and operating without errors. Rack 1 Status is GOOD. All rack module physical types match the configuration type and meet the application's requirement. All Rack Status are GOOD for those present. All Rack Diagnostic Summaries are GOOD for those present.
HCD Redundant Controllers Monitor: Redundancy System GOOD, Redundancy Link GOOD, Lead CPU GOOD, Reserve CPU GOOD, Scanner 2 Link GOOD.

The different diagnostics in the system give different indications for failures. Below is detailed information on diagnostic failures and system indications, with the user actions needed to remove those failures.

HC900 SIL Control System communications
HC900 communicates with external hosts using TCP/IP and Modbus serial protocols. Refer to the manual "900 Control Station for use with HC900", 51-52-25-148. Some points need to be kept in mind while using communications in a safety configuration. They are as follows:
- While operating in SAFE RUN MODE, communication data (Modbus and PEER communication) may only flow from the safety worksheet
r entered limit value (setpoint) to determine an alarm condition. The setpoint may be entered by the user or be another analog signal in the controller. Alarm actions may be high, low, high deviation, low deviation or band deviation. For deviation alarming, a second analog signal provides the reference and the setpoints represent the deviation from that reference. The alarm output may be inverted to create a normally active digital output. A user selection for latching until acknowledged, or automatically resetting, is provided. A user specified hysteresis value, in the engineering units of the process variable, is provided. An on-delay time value of up to 240 seconds is available to prevent momentary alarm actions. A digital disable input is available to disable alarm actions.

Alarm Group
The Alarm Group function block allows you to tie alarm groups into the control strategy. It provides events for unacknowledged and active user conditions, plus remote acknowledgement of all alarms in the group. This block is always stored in the reserved block area: blocks 40 through 59 are always in the configuration, whether visible in the FBD or not, and all outputs of the block are updated every alarm scan.

Force Present
The output indicates the presence of any forced blocks in the controller. The input can clear all forces and prevent new forces.

Redundancy Status
Used with redundant CPUs only, such as the C75S. The output pins indicate the lead/reserve status of CPU A an
rocess Controller is an integrated loop and logic controller that is designed specifically for small and medium scale unit operations.

System Overview
It comprises a set of hardware and software modules that can be assembled to satisfy any of a broad range of control applications. The HC900 Controller System can consist of a single rack, as indicated in Figure 1, or can be networked with other controllers via Ethernet links to expand the dimensions of process control over a wider range of unit processes, as indicated in Figure 2. Although the HC900 E1 and E2 ports provide protection against cyber security DoS type attacks, additional protection is required for safety applications: a properly configured firewall device, configured to prevent uncontrolled messages from reaching the controller. The DoS hardening on E1 and E2 does not authenticate the sender of a message, so the firewall should admit only the hosts and services the application requires. Please refer to the HC900 Process & Safety Controller Installation and User Guide, 51-52-25-154, for further information. The figures in this manual assume the firewall is installed properly above the controller's Ethernet connections E1 and E2. (Figure 1: Small HC900 Controller Configuration, with a 3rd party OI.) (Figure 2: networked configuration showing SAFETY SYSTEM 1, a Peer to Peer link and a Process Control Application.)
s done by counting more logic states determined by the two waves. For example, the quadrature states of channels A and B create four unique logic states. When these four unique logic states are decoded, the resolution obtained is 4 times (4X) the resolution of the encoder. So, with this in mind, 250 cycles would yield 1000 quadrature states.

Loop Blocks
PID: Provides Proportional (P), Integral (I) and Derivative (D) 3-mode control action based on the deviation or error signal created by the difference between the setpoint (SP) and the Process Variable analog input value (PV).
On Off: Provides ON/OFF control. The output is either ON (100%) or OFF (0%).
Carbon Potential: A combined Carbon Potential and PID algorithm determines the Carbon Potential of furnace atmospheres based on a Zirconium probe input.
Digital interface to control loops to initiate autotuning, change control action, force bumpless transfer and select the tuning set. It connects to a PID, TPSC or CARB function block.
Digital interface to control loops to select automatic or manual modes and/or local or remote setpoint.
Mode Switch: Connects to the PID, ON OFF, CARB or TPSC mode block input. Turns ON the output that corresponds to the current Mode Flags value of MODE. Turns OFF all other outputs.
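The 4X decoding described above (four counts per encoder cycle, so 250 cycles give 1000 quadrature states) is the following added example, which is not Honeywell code and not the Pulse/Frequency/Quadrature module's own firmware. It tracks the A/B state, counts every legal state change, and flags a transition in which both channels appear to change at once, which cannot happen on a healthy encoder sampled fast enough and indicates a missed state. The direction sign convention and the constructed sample streams are assumptions of the example.

```python
"""Quadrature (A/B) decoding at 4X resolution with illegal-transition detection.

Added example, not Honeywell code. The page states that the four A/B states of one
encoder cycle are decoded into four counts (250 cycles give 1000 states). Which
direction counts positive, and the sample streams below, are assumptions."""
from typing import Iterable, List, Tuple

# Legal single-channel transitions of the Gray sequence 00 -> 01 -> 11 -> 10 -> 00,
# keyed by (previous_state, new_state) with state = (A << 1) | B.
_STEP = {
    (0b00, 0b01): +1, (0b01, 0b11): +1, (0b11, 0b10): +1, (0b10, 0b00): +1,
    (0b01, 0b00): -1, (0b11, 0b01): -1, (0b10, 0b11): -1, (0b00, 0b10): -1,
}


class QuadratureDecoder:
    """Counts every A/B state change (4X decoding) and records illegal jumps."""

    def __init__(self, a: int = 0, b: int = 0) -> None:
        self.state = ((a & 1) << 1) | (b & 1)
        self.count = 0      # net position in quadrature states, 4 per encoder cycle
        self.errors = 0     # transitions where both channels changed at once

    def update(self, a: int, b: int) -> int:
        """Feed one sample; return the step taken (+1, -1 or 0)."""
        new = ((a & 1) << 1) | (b & 1)
        if new == self.state:
            return 0
        step = _STEP.get((self.state, new))
        self.state = new
        if step is None:    # 00<->11 or 01<->10: a state was skipped between samples
            self.errors += 1
            return 0
        self.count += step
        return step

    def feed(self, samples: Iterable[Tuple[int, int]]) -> int:
        for a, b in samples:
            self.update(a, b)
        return self.count


def encoder_samples(cycles: int, forward: bool = True) -> List[Tuple[int, int]]:
    """Constructed A/B sample stream for `cycles` full encoder cycles, starting at state 00."""
    one_cycle = [(0, 1), (1, 1), (1, 0), (0, 0)] if forward else [(1, 0), (1, 1), (0, 1), (0, 0)]
    return one_cycle * cycles
```

Sampling must be fast enough that no state is skipped; the `errors` counter is the evidence that it was not, and a practitioner would treat a non-zero value as a reason to reject the count rather than as noise.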
sensor subsystem. PFD_L is the average probability of failure on demand for the logic subsystem. PFD_FE is the average probability of failure on demand for the final element subsystem. Care must be taken to calculate the system elements properly to achieve the correct results. Annex B of IEC 61508-6 provides detailed information and techniques for determining the system PFD. The HC900 provides both analog and digital input voting blocks. They can be configured as 1oo1 (one out of one: a single channel, single point of failure), 1oo2 (one out of two: one channel out of two), 1oo2D (one out of two with diagnostics), 1oo3 or 2oo3 voting groups. Other system architectures can be found in IEC 61508-6. Note: users can obtain the PFD data for all modules from Honeywell.

HC900 Control System Fault Detection and Response

Principle of Fault Detection and Response
The goal of fault detection and reaction is to detect and isolate faults that affect the safety of the process under control, within a time frame that is acceptable for the process. Fault detection and reaction occur at different levels. These levels are:
- system level
- module level
- channel level

System level: Combinations of module and I/O faults are controlled at system level. Depending on the hardware and config
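The voting behaviour described for the AI V and DI V blocks (first channel that agrees within 3% with another valid, enabled channel; majority of the valid, enabled digital channels) and the 1oo1, 1oo2, 1oo2D, 1oo3 and 2oo3 groups listed above are implemented together in the following added example. It is not Honeywell code and not the blocks' own logic. The 3% band is from the page; how that band is referenced (here, the larger of the two channel magnitudes), the failsafe output on disagreement (no value, VFAIL set), and the degradation policy in `moon_trip` when a channel is diagnosed as failed are assumptions of the example.

```python
"""Input voting in the style of the HC900 AI V and DI V blocks and MooN groups.

Added example, not Honeywell code. The 3 % agreement band is from the page. Assumptions:
the band is taken relative to the larger channel magnitude, disagreement yields no value
with VFAIL set, and `moon_trip` degrades in the safe direction (required count drops by
one per diagnosed-failed channel, never below one; no healthy channel left means trip)."""
from typing import Optional, Sequence, Tuple

AGREE_TOLERANCE = 0.03


def analog_vote(values: Sequence[Optional[float]], enabled: Sequence[bool],
                tol: float = AGREE_TOLERANCE) -> Tuple[Optional[float], bool]:
    """Return (output, vfail): the first enabled channel that agrees within `tol` with
    another enabled channel. A single enabled channel is passed through (1oo1)."""
    live = [(i, v) for i, (v, ok) in enumerate(zip(values, enabled)) if ok and v is not None]
    if not live:
        return None, True
    if len(live) == 1:
        return live[0][1], False
    for i, a in live:
        for j, b in live:
            if i != j and abs(a - b) <= tol * max(abs(a), abs(b)):
                return a, False
    return None, True                      # no two channels agree: VFAIL, drive failsafe


def digital_vote(states: Sequence[bool], enabled: Sequence[bool]) -> Tuple[Optional[bool], bool]:
    """Majority of the enabled channels; a tie (two enabled channels disagreeing) is VFAIL."""
    live = [bool(s) for s, ok in zip(states, enabled) if ok]
    if not live:
        return None, True
    ons = sum(live)
    if 2 * ons == len(live):
        return None, True
    return 2 * ons > len(live), False


def moon_trip(m: int, demands: Sequence[bool], diagnosed_ok: Sequence[bool]) -> bool:
    """MooN trip decision over channels whose diagnostics pass. With one channel
    diagnosed failed, 1oo2D behaves as 1oo1 and 2oo3 as 1oo2 (safe-direction policy)."""
    live = [bool(d) for d, ok in zip(demands, diagnosed_ok) if ok]
    if not live:
        return True                        # nothing trustworthy left: trip
    failed = len(demands) - len(live)
    needed = max(1, m - failed)
    return sum(live) >= needed
```

Note what the analog block does not tell you: when channel A agrees with B, it is A that is output, even if C would also have agreed; a drifting channel is only detected once it has moved more than 3% away from every other live channel.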
sers of redundant controllers should ensure the desired C75S CPU is in Lead before removing power from the reserve (opposite) CPU.

HC900 Control System Diagnostics
The CPU module performs diagnostic tests on all critical parts of the module, such as memory, processors and address lines. When a critical fault is detected, the CPU raises an alarm and reboots. If a non-critical fault is detected, the module raises a warning and continues to function. The I/O function blocks in Monitor Mode are used to determine the Channel/Sensor Status output value and the state of the block Fail pins. In Monitor mode, Designer provides overview information for the Controller and Racks to check the behavior of the system. Communications link status can also be found in Designer Monitor mode. To confirm normal operation of the system before provoking a diagnostic, the following status indicators should be in the states listed below.

Table 5: Status Indicators
LED Indicators: Controller status LED is green and blinking with the scan. Scanner status LED is green and blinking with the scan. Module status LED is green and blinking with the scan.
Function Block Monitors: Analog System Monitor HWOK is ON. Fast System Monitor HWOK is ON. All Rack Monitor Rack OK pins are ON for those
signal tags for operator interface monitoring.

System Monitor (ASYS)
The Analog System Status block is a function block in the Alarm/Monitor category. It provides read access to controller status values, including those related to the analog execution cycle. The outputs may be connected to function block inputs. The outputs may also be connected to signal tags for operator interface monitoring. When you click on the ASYS function block on a diagram, the Controller System Parameters dialog box opens. The 50 or 60 Hz selection is used to establish the integration times for analog to digital conversion. This is needed to prevent aliasing of the line frequency when converting low level signals such as thermocouples. In the United States the line frequency is 60 Hz.

I/O Rack Monitor
The rack monitor block is a repository for controller expansion rack I/O module information, including diagnostics. The Rack function block provides read/write access to I/O rack values. This block is always stored in the reserved block area: blocks 96 through 100 are always in the configuration, whether visible in the FBD or not. The total number is dependent on the controller type.

Analog Alarm
The analog alarm block accepts an analog signal as a process variable and compares it to a use
HC900 Control System Architectures

Non-Redundant Controller and Non-Redundant I/O
The HC900 control system is an integrated loop and logic controller that is designed specifically for small and medium scale unit applications. It comprises a set of hardware and software modules that can be assembled to satisfy the requirements of any of a broad range of safety and process control applications. The HC900 control system can consist of a single rack, as indicated in Figure 1; it can be networked with other HC900 control systems via Ethernet links to expand the dimensions of control over a wider range of unit processes, as indicated in Figure 2; it can support a single process with redundancies, as indicated in Figure 3; or it can provide stand-alone safety or mixed safety/process applications, as shown in Figure 6. A feature summary list is provided after these topologies. The HC900 Controller design enables users and OEMs who are adept in safety system integration to assemble a safety system that fits a broad range of requirements. Any configuration can be readily modified or expanded as requirements dictate. In the initial configuration and in subsequent modifications, the HC900 Controller affords an optimum balance of performance and economy. Configurations such as those shown in Figure 1 and Figure 2, as well as many variations, can be assembled from modular components. Many of the components are available from Honeywell and some are availa
stems. Further definitions of terms used for safety techniques and measures, and the description of safety related systems, are given in IEC 61508-4.
SFF: Safe Failure Fraction. The fraction of the overall failure rate of a device that results in either a safe fault or a diagnosed unsafe fault.
SIF: Safety Instrumented Function. A set of equipment intended to reduce the risk due to a specific hazard (a safety loop).
SIL: Safety Integrity Level. A discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety related systems, where Safety Integrity Level 4 has the highest level of safety integrity and Safety Integrity Level 1 has the lowest.
SIS: Safety Instrumented System. Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s) and final element(s).

Contents
The Safety ... 1
Basic Skills and Knowledge ... 1
Safety Standards for Process & Equipment Under Control (EUC) ... 1
The IEC 61508 and IEC 61511 Standards ... 2
Introduction ... 5
System Overview 5
HC900 Control System Architectures ... 9
Intro
3 Position Step
This block combines a PID controller with 3 Position Step Control output functions to provide motor position control without position sensing. Allows the control of a valve or other actuator having an electric motor driven by two digital output channels, one to move the motor upscale and the other to move it downscale, without a feedback slidewire linked to the motor shaft. Outputs 17 through 32 of the 32 Channel DO Module may not be used for TPO (Time Proportioning Output), PPO (Position Proportioning Output) or TPSC (Three Position Step Output) output types.

Write Tune Const
Writes the numerical values of Gain, Rate and Reset to a target PID, TPSC or CARB block without any operator interaction. Invalid for a block number whose type is other than PID, CARB or TPSC. If the target block is in AUTO mode, a tuning parameter change will cause a bump in the output. If any input value is out of range, no values are written. Error checking must be added to the Designer configuration.

Auto Manual Bias
On transfer from Manual to Auto, Bias is calculated to make PV + Bias = Output.

Setpoint Programmer Blocks
Programmer
Runs a setpoint ramp/soak program that produces a setpoint output on a time based profile that is loaded into the block. A single profile may be from 2 to 50 segments in length. Profiles are stored in the controller's memory. Each segment of the pr
uous mode.

Table 6: SIL Levels (target failure measures as given in IEC 61508-1)
Safety Integrity Level (SIL)   Low demand mode of operation (average probability of failure to perform its design function on demand)   High demand or continuous mode of operation (probability of dangerous failure per hour)
4                              >= 10^-5 to < 10^-4                                                                                        >= 10^-9 to < 10^-8
3                              >= 10^-4 to < 10^-3                                                                                        >= 10^-8 to < 10^-7
2                              >= 10^-3 to < 10^-2                                                                                        >= 10^-7 to < 10^-6
1                              >= 10^-2 to < 10^-1                                                                                        >= 10^-6 to < 10^-5

Probability of Failure on Demand (PFD) for Low Demand Mode
The probability of failure on demand (PFD) is the SIL value for a low demand safety related system, related directly to order-of-magnitude ranges of its average probability of failure to satisfactorily perform its safety function on demand. PFD calculations are commonly used for process safety applications and for applications where ESDs are used. Besides parts 2 and 3 of IEC/EN 61508, part 6 represents one of the central parts for the development of safety related systems. It gives detailed information for the quantitative calculations of safety related systems. IEC 61508-6 describes how to calculate the PFD values for various system configurations, as well as the equations for the diagnostic coverage (DC) and the safe failure fraction (SFF).

PFD_SYS = PFD_S + PFD_L + PFD_FE

PFD_SYS is the average probability of failure on demand of a safety function for the E/E/PE safety related system. PFD_S is the average probability of failure on demand for the
uration of a system, the fault reaction to such combinations will be different.
Module level: Faults at module level are controlled at controller level. Depending on the hardware and configuration of a system, the fault reaction is determined by the Control Processor.
Channel level: Faults at channel level are controlled at controller level. Depending on the hardware and configuration of a system, the fault reaction is determined by the Control Processor and/or the universal module(s).

Diagnostic Test Interval
The Diagnostic Test Interval (DTI) is the time within which detection and isolation of faults takes place. The DTI of the HC900 is covered by a suite of diagnostic tests running in the background of the controller. The HC900 diagnostic tests are as follows.

Table 7: Diagnostic Test Intervals
Sub-system                      Diagnostic Test Interval
Microprocessor diagnostics      1 minute
Memory diagnostics              24 hours
Watchdog diagnostics            Once on power cycle of the controller without batteries (on startup). No command needs to be sent to run the test: the controller performs the WD test on start whenever RAM content is lost (power cycled without batteries).
FPGA diagnostics                800 milliseconds
Flash memory diagnostics        Once every restart (new start) of the controller or scanner. Note: flash memory is not used during normal operation.
Real Time Clock diagnostics     Once every restart (new start) of the controller. Note: the Real Time Clock is not used during normal operation.
urbine Meter ... 29
AGA8 Detail ... 28
Analog Input Voting Function Block (AI V) ... 41
Analog Output Validation Function Block (AO V) ... 41
Analog Variable ... 40
C
Can FB be used in a safety related function ... 17
Category and Function block Name
Communications
Controller Local Rack
D
Description of Function ... 17
Descriptions of Major Components ... 10
Dewpoint ... 27
Diagnostic Test Interval ... 56
Digital Output Validation Function Block (DO V) ... 42
E
E/E/PE safety related devices ... 3
Ethernet 100Base-T Switch ... 12
Ethernet links ... 5
Event Decoder ... 21
F
Fault monitor function block
Fault Reaction
Forcing
H
Hardware ... 15
Hardware and wiring for safety configuration ... 44
hazard and risk analysis ... 1
hazard risk ... 3
HC900 Control System Diagnostics ... 52
HC900 Safety configurations
HC900 System test
HCD Monitor
HMI (Human Machine Interface)
HMI software
Honeywell affiliate
Honeywell Experion HMI
Honeywell HC9
us of a digital input point and provides an interface to other algorithms and functions. Safety: X. Process: X.
Discrete Input with Voting: Provides the digital status of a digital input point and provides an interface to other algorithms and functions. Compares up to three inputs; the function block output reflects the majority of the valid input channels. Physical input channels must be the same model number. Safety: X. Process: X.
8 Point Digital Input: Provides read access for up to 8 physical digital inputs, all read at the same time.
Discrete Output: Provides a digital status from the algorithms and functions to a physical logic output. Outputs 17 through 32 of the 32 Channel DO Module may not be used for TPO (Time Proportioning Output), PPO (Position Proportioning Output) or TPSC (Three Position Step Output) output types.
Discrete Output with Feedback: Provides a digital status from the algorithms and functions to a physical logic output. The feedback channel validates the physical output.
8 Point Digital Output: Provides write access for up to 8 physical digital outputs, all written at the same time.
Time Prop Out: Proportions the amount of ON time and OFF time of a Digital Output over a user defined cycle time. Outputs 17 through 32 of the 32 Channel DO Module may not be used for TPO (Time Proportioning Output), PPO (Position Proporti
AC digital input sense thresholds shown in the figure: VALID HIGH is 75 VAC to 250 VAC; VALID LOW is 0.0 V to 20 VAC.

Modules shown: Relay Output (900H01) wired in series with a DI-16 (900G02) or DI-32 (900G32) input, and with 900G03 / 900G04 inputs.

Note: DI sense is inverted when the load is placed on the high side (the relay sinks power). DI sense is NOT inverted when the load is located on the low side (the relay sources power).

Figure 14: Common Series DO connections

Figure 15: Series Relay for Analog Outputs. Four arrangements are shown:
- Internal 24 V supply (24 VDC): AO-4 (900B01), AO-8 (900B08) or AO-16 (900B16), with the validation channel of an AI-8 (900A01) or AI-16 (900A16) in parallel with the load. Use of the internal supply requires one relay per Analog Output.
- Internal 24 V supply with Relay Output (900H01): AO-4 (900B01), AO-8 (900B08) or AO-16 (900B16), with the validation channel of an AI-8 (900A01) or AI-16 (900A16) in series with the load.
- External 24 V supply with Relay Output (900H01): AO-8 (900B08) or AO-16 (900B16), with AI-8 (900A01) or AI-16 (900A16). Use of the external supply allows a common relay for the Analog Outputs.
- External 24 VDC supply with Relay Output (900H01): AO-8 (900B08) or AO-16 (900B16), with AI-8 (900A01) or AI-16 (900A16).

HC900 Safety configurations

HC900 configurations provide critical system monitoring blocks which the user may optionally use for control and monitorin
...may be present on Control Product instrumentation and literature. If present on a product, the user must consult the appropriate part of the accompanying product literature for more information.

CAUTION: This CAUTION symbol indicates a potentially hazardous situation which, if not avoided, may result in property damage.

WARNING, PERSONAL INJURY: Risk of electrical shock. This symbol warns the user of a potential shock hazard where HAZARDOUS LIVE voltages greater than 30 Vrms, 42.4 Vpeak or 60 Vdc may be accessible. Failure to comply with these instructions could result in death or serious injury.

ATTENTION, Electrostatic Discharge (ESD) hazards: Observe precautions for handling electrostatic sensitive devices.

CAUTION, HOT SURFACE: This symbol warns the user of potential hot surfaces which should be handled with appropriate caution.

Protective Earth (PE) terminal: Provided for connection of the protective earth (green or green/yellow) supply system conductor.

Functional earth terminal: Used for non-safety purposes such as noise immunity improvement. NOTE: This connection shall be bonded to protective earth at the source of supply in accordance with national and local electrical code requirements.

Earth Ground: Functional earth connection. NOTE: This connection shall be bonded to protective earth at the source of supply in accordance with national and local electrical code requirements.

Chassis Ground: Identifies a connection t
HC900 Control System Architectures

Scope of SIL Certification for HC900 Control System Architectures

The HC900 control systems shown in all of the topologies above are included in this SIL certification, with the exception of:

- 900 Control Station and other supervisory control systems. These systems are outside the scope of SIL certification for the HC900 Control System. However, the non-interference of these communication protocols is part of the scope, to allow connection of these interfaces during safety related operations.
- Hubs, switches and cabling. These are part of building the network, are part of the black channel, and are not required for SIL certification.
- The PFQ (Pulse Frequency Quadrature) I/O module is non-interfering in this SIL certification project.
- RTPs (Remote Terminal Panels) and associated cables are not part of this SIL certification project.

Attention: An HC900 control system retains its SIL2 rating only when operating in the Run/Locked (Safe) mode, and only if all of the components that comprise the HC900 control system are operating within their operating temperature range and consist of SIL compatible modules.

Refer to the Installation guide secti