Safety Manager R151.4 Software Change Notice Version: 1.0 Safety Manager R151.4 / 1.0 Software Change Notice 1
Disclaimer

This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell International Sàrl.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.

Copyright 2014 - Honeywell International Sàrl
Table of Contents

1 Introduction
  1.1 About Safety Manager
  1.2 About this Document
  1.3 Safety Manager Status
  1.4 Conventions
2 Getting Started
  2.1 Compatibility
  2.2 Safety Manager functionality support
  2.3 Supported Safety Manager Releases
  2.4 Migrate Application
  2.5 Safety Builder
  2.6 Knowledge Builder
  2.7 Experion Integration Support
3 Release Overview
  3.1 Feature compare
  3.2 Release Details
4 Anomalies Resolved
5 Known Restrictions
  5.1 Changing Function Block gives an error during compilation (PAR1420, 1-12IVDA2)
  5.2 Off-sheet transfer is not updated after renaming input (1-1VSN5T)
  5.3 Communication time out protocol Modbus RTU (1-7SK0HR/1-ASG7E7)
  5.4 Remove Force enable procedure (1-14UOTT/1-14UOWF)
  5.5 On-line adding Universal Safety IO modules (4401/4850/4824)
  5.6 Loading using the Loading privilege level (PAR4641)
  5.7 Writing packaged coils using Modbus (1-6XH0HS)
  5.8 Analog Output value on Universal Safety Logic solver is not transported via SafeNet (1-THYTLL)
  5.9 FDM operation failures in case of SM configuration with HIGH cycle time. (1-2KGC1TL)
6 Special Considerations
  6.1 On-line modification (PAR3072/3262/3265/1-AKLE9C)
  6.2 Key switch QPP
  6.3 Knowledge Builder Client (PAR1073)
  6.4 User guides
  6.5 Data types within Experion releases
  6.6 Safety Manager Controller Sequence of Event
  6.7 Network Time Protocol (NTP) (PAR2035)
  6.8 Writing a point via SafeNet from Safety Builder (PAR3104)
  6.9 Multi site - Bulk Copy (1-B89IZT)
  6.10 Using feedback loops on a sheet (1-AL1SR8)
  6.11 Clock source configurations (PAR 1790)
  6.12 Unable to set Safety Manager Controller to the loaded mode (PAR3466)
  6.13 Adding new SafeNet points on-line (PAR3398)
  6.14 Spare Parts FC-QPP-0001 and FC-QPP-0002
  6.15 Certification EN/ISO 13849-1 (PAR3973)
  6.16 Universal Safety I/O module status online view (1-T75FTL)
  6.17 Adding an AO channel to a Universal Safety IO (PAR4644)
  6.18 MODBUS PLC address ranges (PAR4342/7273)
  6.19 CDA Integration with Experion Process Control system
  6.20 Renamed CDA tag parameters names
  6.21 RUSLS Remote Universal Safe Logic Solver
  6.22 Multiple-Protocols
  6.23 Universal Safety I/O
  6.24 Universal Safety I/O HART enabled devices (1-RJUE1R)
  6.25 Export to UNISIM
  6.26 Sheet difference reported for FLDs containing Equation block
  6.27 Un-expected points reported in OLM report (1-NBCUL6, 1-T5AGKA, 1-SJCNHR 1-POSKKA)
  6.28 Universal Safety Logic Solver does not make use of power up values. (1-U0U6RX)
  6.29 Process Values clamped at bottom scale (1-28YYZQ6)
  6.30 Known anomalies
7 Annex A: Contents of Release
  7.1 Software Version Identification
  7.2 Files in Package
8 Notices and Trademarks
1 Introduction

1.1 About Safety Manager

Safety Manager is a highly reliable, high-integrity safety system for safety-critical control applications. As part of Honeywell's Experion Process Knowledge System (PKS), integrated or in stand-alone applications, Safety Manager forms the basis for functional safety, providing protection of persons, plant equipment, and the environment, combined with optimum availability for continuous plant operation. Safety Manager offers safety, reliability and efficiency from its foundations.

Safety Manager is a user-programmable, modular, microprocessor-based safety system, which can perform a wide range of critical process control and safety instrumented functions, including:
- High-integrity process control,
- Burner/boiler management systems,
- Process safeguarding and emergency shutdown,
- Turbine and compressor control and safeguarding,
- Fire and gas detection systems, and
- Pipeline monitoring.

1.2 About this Document

This document describes the new features, resolved problems compared to Safety Manager R151.2, known restrictions and special considerations for Safety Manager R151.4. Please read this document in its entirety prior to installation and use of this software.

The latest version of this SCN is always available on the Honeywell Process Solutions website.

Safety Manager R151.4 is dated May 6, 2014.

1.2.1 Revision History

Version   Month      Description
1.0       May 2014   Initial version
1.3 Safety Manager Status

STATUS SOFTWARE RELEASES:
- SM R133.5
- SM R146.1
- SM R151.4

Safety Manager Software Release R133.5 remains a main release for Experion Safety Manager. This release is used as the maintenance release for all running systems without remote IO, and for expansions in existing plants.

Safety Manager Software Release R146.1 is the golden release for Safety Manager with Chassis IO only. Safety Manager Software Release R146.1 does not support Universal Safety IO, hence upgrades from previous releases to Safety Manager R146.1 are only possible if no Universal Safety IO is configured. Safety Manager R140.x and R145.x configurations with Universal Safety IO shall be migrated to Safety Manager R151.4.

Safety Manager Software Release R151.4 is the main functional release for Experion Safety Manager.

FOR CURRENT USERS:

The foremost rationale of Maintenance Release Safety Manager R151.4 is to deliver field wiring cross-talk robustness improvements to Universal Safety IO and Universal Safety Logic Solver. Cross-talk will drive the affected channels to the fault state (safe). It is advised to upgrade to Safety Manager R151.4 if USIO or USLS spuriously report loop faults or channel hardware faults EC91, EC110, EC117 and EC123 without evident root cause (PAR 1-28BZSF1).

A cross-talk enhancement is delivered for Safety Manager FC-SDOL-0424 and FC-SDOL-0448 cards. Cross-talk has been seen on rare occasions when multiple Safety Managers combine field wires from multiple SDOL cards in a multi-core cable without shielding per wire pair. Cross-talk will drive the affected channels to the fault state (safe). It is advised to upgrade to Safety Manager R151.4 if one or more SDOL cards spuriously report current detected in output loop EC5 or EC29 without evident root cause (PAR 1-28BXJWS).

Please refer to section 4 Anomalies Resolved for a comprehensive list of all customer reported issues resolved with R151.4.

Safety Manager R151.4 is an upgrade for:
- Safety Manager ART systems, as this release solves the IO module faults which sometimes are reported immediately after an IO Extender module was removed from a running system.
- Safety Manager systems causing an unknown journal alarm in EPKS causing an event overload.
- Safety Manager systems with Universal Safety Logic Solvers, as this release solves the spurious communication link fault reported on Universal Safety IO modules and Universal Safety Logic Solvers after the links were removed from a Universal Safety Logic Solver in the same network. Networks with only Universal Safety IO modules are not affected and do not need this software upgrade.

SPECIAL CONSIDERATIONS:

Please pay special attention to the following known restrictions described in detail in section 5 Known Restrictions:
- Universal Safety Logic Solver on-line modification may be blocked
- On-line Software upgrade from Safety Manager R150. See paragraph 2.4.5.6
1.4 Conventions

The following symbols are used in Safety Manager documentation:
- Tip: This symbol is used for useful, but not essential, suggestions.
- Attention: This symbol is used for information that emphasizes or supplements important points.
- Caution: This symbol warns of important facts on Safety Manager system behavior or architecture.
2 Getting Started

2.1 Compatibility

This section describes the compatibility restrictions that need to be considered.

2.1.1 Safety Manager cycle time

The cycle time of an existing application based on chassis I/O, which is migrated from Safety Manager Releases prior to Safety Manager R150.1, will increase depending on the I/O configuration. An average impact of 10% must be considered.

2.2 Safety Manager functionality support

The following table gives an overview of the hardware needs and software support of Safety Manager main functionalities:
2.2.1 Knowledge Builder

The Safety Manager User Assistance Documentation R151.1.10 provided with this release is compatible with Knowledge Builder 4.8.0.5. If needed, update the installed Knowledge Builder engines to R4.4 with the installation set included in this release package.

Knowledge Builder will not install correctly if Microsoft.Net Framework 1.1 Hot fix or higher is installed. You are requested to uninstall versions of Microsoft.Net Framework 1.1 Hot fix or higher before installing Knowledge Builder.

To uninstall Microsoft.Net Framework 1.1 Hot fix or higher, select Start>Settings>Control Panel>Add or Remove Programs. Select Microsoft.Net Framework 1.1 Hot fix or higher from the list and press Change/Remove.

When installing on a target computer that has Microsoft.Net Framework 2 installed, you must update Knowledge Builder to meet Microsoft.Net Framework 2 requirements. For update instructions and update files, see the updates folder on the Knowledge Builder 4.8.0.5 installation CD.
2.2.2 Experion compatibility

2.2.2.1 Experion releases

The table below shows compatibility and dependency between Experion/FDM/UNISIM/PMD and Safety Manager functionality:
2.2.2.2 Experion Station

Safety Builder can be installed on Experion Stations that comply with the requirements as defined in paragraph 2.2.3 Operating system.

2.2.2.3 Knowledge Builder

If Knowledge Builder 4.8.0.5 is already installed, the Safety Manager User Assistance Documentation R151.1.10 can be added to the existing book sets.

2.2.3 Operating system

Safety Builder R151.4 was specifically developed and tested to run on Windows 7 32/64 bit Ultimate/Professional/Enterprise and Windows Server 2008 R2. Safety Builder R151.4 is only supported by these tested Windows versions.

Safety Builder is not affected by Microsoft Windows patches (1-1INPJK).

Using Safety Builder R151.4 on any Windows version other than mentioned above is considered improper use of the software. Honeywell Safety Management Systems cannot be held liable in any way for any damages that result from using Safety Builder on a Windows version other than Windows 7/ Windows Server 2008.
2.2.4 FSC compatibility

Safety Manager R151.4 is not compatible with any FSC releases.

2.3 Supported Safety Manager Releases

In case an Upgrade/Migrate is started from an unsupported Safety Manager release, it is recommended to contact the local Honeywell National Response Center (NRC), Customer Response Center (CRC), Global TAC Center, or Solution Support Center (SSC).

2.4 Migrate Application

2.4.1 Backup your application

It is always strongly recommended that you create a backup of your application with the previous release of Safety Manager before starting the migration to Safety Manager R151.4.

Migrate Application migrates a complete Plant (including all configured controllers). In case the migration fails, the reason will be reported. Go back to the original application, make the required modification and migrate again.

Safety Manager R151.4 is able to use applications created using Safety Builder Releases R133.1, R133.2, R133.3, R133.4, R133.5, R140.2, R140.3, R145.1, R145.2, R146.1, R150.1, R151.1, R151.2 and R151.3.

Safety Builder R151.4 reports that you have to run Migrate Application if a plant from releases R133.x, R140.x, R145.x, R146.x, R150.x and R151.x is selected via Network Configurator.
Migrate Application

To migrate to Safety Manager R151.4 select the option Migrate Application. This function can be found as follows.

Migrate Application will migrate the complete plant, including all Safety Manager Controllers configured in that plant. The migrate feature is not protected by privilege level access.

2.4.2 Known restrictions

2.4.2.1 Follow the On-Line Modification procedure.

The On-Line Modification procedure should be followed.
- At the start of On-Line Modification: The system should run without IO faults, otherwise the first Control Processor (CP) will not start up after loading it.
- During the actual Load: Do NOT apply a Fault Reset (Direct or Remote), else the SM Controller may abort software loading.

2.4.2.2 Password protection

Migrate Application is not password protected. The privilege levels are temporarily disabled during the Migrate Application. After the migration the privilege levels are active again.

2.4.2.3 Experion integration

Safety Manager R151.4 supports two integration methods with Experion, namely:
- Via the Experion protocol using Dual LAN connectivity to the FTE network, and
- Via the CDA protocol using full FTE connectivity to the FTE network.

Existing Experion / Safety Manager installations migrating to Safety Manager R151.4 will continue to use the Experion protocol and dual LAN method. For new controllers the customer can choose the desired integration method.

Experion integration via Experion protocol over Dual LAN

The Experion communication link can only be configured on channel A of the USI communication module. This means that Experion links configured on channel B cannot be migrated. Before starting the migration, change the configuration of the Experion link to channel A.
Experion integration via CDA Protocol and FTE

The FTE support provides maximum communication availability for Safety Manager being an FTE node within the Experion communication architecture. It provides detailed node diagnostics and transparent availability within the Experion architecture. Full FTE support is coupled with CDA integration in Experion.

Upgrading from dual LAN connectivity to full FTE requires specific hardware changes and changes to the Experion point database and custom graphics.

For migration to full FTE node:
- Requires Experion R410.1 or higher
- The impact to existing custom graphics and point database has to be evaluated, as well as the impact to point licenses on the Experion server
- Upgrade from USI-0001 to USI-0002, and
- Two communication channels (A and B) of the USI communication module have to be configured.

The Experion communication link can only be configured on channel A of the USI communication module. Channel B of the same USI will automatically be occupied. This means that Experion links configured on channel B cannot be migrated. Before starting the migration, change the configuration of the Experion link to channel A.

2.4.2.4 Universal Safety I/O connection

Safety Manager R151.4 supports Universal Safety I/O communication (SM RIO Link) only via a dedicated channel of the USI communication module of the Control Processor.

2.4.2.5 I/O property Safety Related

The "Safety Related" property of points can be used to simplify SIL-assessments and consistency checks. It is strongly advised to set this property to the correct value.

When the property Safety Related of a point is left to Undefined, this will be reported as a warning by Application Compiler. To avoid those warnings, configure the property Safety Related of a point to Yes or No. This can be done after the project is migrated.

The Safety Related property of points is for documentation purposes only.
2.4.3 Considerations

2.4.3.1 Migration log file overwritten

When starting Migrate Application, the log file of the previous Migrate Application will be overwritten.
2.4.4 Off-line modification

The Off-line modification procedure is defined in chapter 6 of the Installation and Upgrade Guide.

2.4.4.1 Off-line modification report

During the Software loading and upgrading procedure the SM Controller will generate an OLM report. This report identifies the differences between both Control Processors. This OLM report can be viewed by activating Actual diagnostics, focusing on EC 151 and analyzing the details.

During the OLM procedure the OLM check details are presented twice.

CP1 CP2 OLM report Running Running Set to Idle Running SB-Load new application Running CP1 reports with CP2 Set to Run Startup Running Running Halted CP2 reports with CP1 Running SB-Continue Running Equalizing Running Running

Unexpected report of deleted points by OLM report.

Scenario: When migrating from a previous release of Safety Manager, compiling and loading the application may result in an unexpected report of deleted points by the OLM report. This is the result of the application compiler cleaning up points that have been left in the SM Controller database by a previous release of Safety Manager.

To be able to verify the unexpected items in the OLM report the following actions have to be taken:

1. Before migrating to Safety Manager R151.4 you have to:
   a. Export the IO points in the version the SM Controller is running.
   b. Archive the audit trail from the SM Controller that is about to be migrated. This is to clean up the audit trail.
2. Migrate the SM Controller to Safety Manager R151.4.
3. Compile the application.
4. Print out the audit trail of the compiled SM Controller.
5. Note: Both documents mentioned in item 1a and 4 need to be checked for unexpected items in the OLM report.
6. The unexpected items mentioned in the OLM report have an Application address which can also be found in the export file of the IO points. The export file of the IO points shows the related Tag numbers, which can be verified against the audit trail to confirm that they have been cleaned up by the compiler.

Example: Verify if the point mentioned in the OLM report with Application address 178 is one of the points that the compiler has cleaned up.
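The cross-check in steps 1 to 6 can be scripted so that every unexpected OLM item is either explained by a compiler cleanup or flagged for investigation. The following is an added example, not Honeywell tooling or code from this document: the CSV column names, the audit-trail action text and all sample values are constructed assumptions, and the OLM application addresses are assumed to be transcribed by hand from the EC 151 details.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. The column names and the "compiler cleanup"
# action text are assumptions for this example, not Safety Builder formats.
IO_EXPORT_CSV = """app_address,tag
176,PT-1001
178,XV-2040_OLD
179,LT-3300
179,LT-3300_COPY
"""

AUDIT_TRAIL_CSV = """tag,action
XV-2040_OLD,compiler cleanup
FT-0007,modified by user
"""

# Application addresses transcribed from the OLM report (EC 151 details).
OLM_ADDRESSES = [178, 179, 176, 512]

CLEANUP_ACTION = "compiler cleanup"  # assumed wording of the audit entry


def load_export(text):
    """Map application address -> set of tags from the pre-migration export (step 1a)."""
    tags_by_address = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        tags_by_address[int(row["app_address"])].add(row["tag"].strip())
    return tags_by_address


def load_cleaned_tags(text):
    """Return the tags that the post-compile audit trail (step 4) records as cleaned up."""
    return {
        row["tag"].strip()
        for row in csv.DictReader(io.StringIO(text))
        if row["action"].strip().lower() == CLEANUP_ACTION
    }


def classify(olm_addresses, export_text, audit_text):
    """Classify each OLM-reported address (step 6).

    explained        - address maps to one tag and the audit trail shows its cleanup
    no_audit_entry   - address maps to a tag, but no cleanup record exists
    ambiguous_export - export lists several tags for the address
    not_in_export    - address is absent from the pre-migration export
    """
    tags_by_address = load_export(export_text)
    cleaned = load_cleaned_tags(audit_text)
    result = {}
    for address in olm_addresses:
        tags = tags_by_address.get(address)
        if not tags:
            result[address] = ("not_in_export", None)
        elif len(tags) > 1:
            result[address] = ("ambiguous_export", sorted(tags))
        else:
            (tag,) = tags
            status = "explained" if tag in cleaned else "no_audit_entry"
            result[address] = (status, tag)
    return result


def unexplained(result):
    """Addresses that still need manual investigation before accepting the load."""
    return sorted(a for a, (status, _) in result.items() if status != "explained")


if __name__ == "__main__":
    outcome = classify(OLM_ADDRESSES, IO_EXPORT_CSV, AUDIT_TRAIL_CSV)
    for address in OLM_ADDRESSES:
        print(address, *outcome[address])
    print("investigate:", unexplained(outcome))
```

Only addresses classified as explained match the compiler-cleanup scenario described above; anything else is a difference between the Control Processors that the migration does not account for.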
2.4.5 On-line modification

2.4.5.1 Universal Safety I/O module Spare Channel option

In case spare channel detection is enabled, adding and/or deleting a point will generate a Device detected on spare channel during On-line Modification.

2.4.5.2 Safety Manager Peer to Peer (SafeNet)

Sometimes after loading the first Control Processor (CP) an error code 186: External communication fault with. is reported (e.g. due to a non-optimal communication infrastructure). Before proceeding, make sure the details of this diagnostic message are analyzed. After it is selected to continue, the communication with the peer Safety Managers that are reported in the details of error code 186 will be lost.

To prevent loss of Safety Manager Peer to Peer communication, make sure that an unexpected error code 186 is resolved before proceeding with On-line modification.
2.4.5.3 On-line software upgrade from R133.4 or R133.5

When executing an online software upgrade from Safety Manager R133.4 to Safety Manager R151.4 and the system is configured with QPP-0001, an Error code 33 may be reported and Load Controller fails. This can be ignored. Restarting Load Controller will lead to a successful upgrade.

2.4.5.4 On-line software upgrade Universal Safety I/O module

On-line Software upgrade of Universal Safety IO modules is not supported for Safety Manager R140.2 and R140.3 to Safety Manager R151.4. To enable On-line Software upgrade, first execute an On-line software upgrade to Safety Manager R145.2.

2.4.5.5 On-line software upgrade from Safety Manager R150.1 (1-11FBXRN)

During On-line software upgrade from Safety Manager R150.1 to Safety Manager R151.4, Safety Builder may show a red cross and the On-line software upgrade appears to be blocked. If the system was running fault free when the on-line software upgrade was started, and no other faults are reported as defined in the On-line Modification Guide, the first CP should be cycled to Stop and back to Run. After restarting the download, the On-line software upgrade will continue and complete.

2.4.5.6 On-line software upgrade from Safety Manager R150.1 shows multiple EC 141

During On-line software upgrade executed from Safety Manager R150.1 to Safety Manager R151.4, the following anomaly may be observed: Modification Guide multiple error codes 141 appear. If this is observed, it is strongly advised to complete the following steps before commencing the online modification:

1. Turn the QPP key switch of the IDLE QPP to the STOP position. The R150.1 Control Processor remains RUNNING.
2. Toggle the Reset key switch once.
3. Turn the QPP key switch of the IDLE QPP to the RUN position. The R150.1 Control Processor remains RUNNING.
4. Wait for the QPP to show CPReady on the display,
5. Wait 10 seconds
6. Check Diagnostics,
7. If 0 to 3 error codes 141 are reported, all is OK: continue with the next step. Otherwise repeat from step 1.
8. Resume the on-line modification procedure at step C2.i as defined in the On-line Modification Guide

2.4.5.7 On-line adding and removing Universal Safety IO / Universal Safety Logic Solver module

When adding a Universal Safety IO / Universal Safety Logic Solver module to the application (Topology change), the application must be changed first, before the Universal Safety IO / Universal Safety Logic Solver modules are powered up.

Adding/deleting of Universal Safety IO / Universal Safety Logic Solver must not be done as part of a firmware upgrade to Safety Manager R151.4. (1-UA45D9)

Removing Universal Safety IO / Universal Safety Logic Solver modules on-line is supported from the highest node number downwards.

Adding Universal Safety IO / Universal Safety Logic Solver modules on-line is supported from the highest node number upwards.
2.4.6 Safety Manager Software Migration Matrix

Safety Manager Software Migration Matrix visualizes information regarding On-line software upgrade.
2.4.7 Safety Manager Universal Safety IO Migration

The following table shows upgrade information with respect to the Universal Safe IO modules:

2.5 Safety Builder

Safety Builder is an all-in-one tool for configuring, loading and monitoring Safety Manager.

Note: Some tools may not be available, depending on your license and package.

2.5.1 License and software package

Safety Builder is supplied in three packages. The license number issued to the Customer determines the type of software package installation. The available Safety Builder software packages are:
- Demo. This package has limited functionality and serves primarily for demonstration purposes. You cannot print nor create/view a logical view.
- Contractor. This package has limited functionality and allows Safety Manager contractors to design a system. Contractors use Safety Builder in the pre-engineering phase only.
- Basic. This package offers all Safety Builder functions with the exception of some (future) Engineering options.

2.5.2 Quick installation

Note: These instructions are not suitable for upgrading from a previous release of Safety Builder. They apply to new installations only.

Note: You must have administrator rights to install this software.

This section provides a brief overview of the installation instructions. It is recommended to:
- Close all Windows applications before installing a software package.
- Install Knowledge Builder and the user documentation before installing Safety Builder. For installation details see the Quick Reference Guide on Knowledge Builder.
2.5.2.1 Installing Safety Builder

With Knowledge Builder installed, open chapter 2 of the Software Reference. This chapter contains detailed installation instructions for Safety Builder.

Installing Safety Builder allows the user to use the Safety Builder tools required to configure, load and communicate with Safety Manager. Although not recommended, Safety Builder can be installed separately from Knowledge Builder.

2.5.2.2 Installation procedure

1. Insert the Safety Builder CD ROM in the CD drive.
2. If the installation does not start automatically, run setup.exe from the root of the CD ROM.
3. Click the option install from the appearing installation menu and click next.
4. Accept the license agreement after reading it and click next. (If you do not accept, the installation will abort).
5. Enter your user name, your company name and the serial number supplied with the Safety Builder CD ROM and click next.
6. Enter the license number that determines the type of installation and click next. (The license number is supplied with the Safety Builder CD ROM)
7. Click next until you get an overview screen.
8. Check if you agree with the default settings; if not, click back until you reach the setting you wish to modify.
9. Click next to start the actual installation
10. Click finish to exit the installation program after installation completed.

2.5.2.3 Post installation instructions

If, after installing Safety Manager, Safety Builder reports the error "Class not registered, ClassID: 88d96a0c-f192-11d4-a65f-0040963251e5", it means that MSXML6 is not installed. Safety Builder should be reinstalled.
2.6 Knowledge Builder

Use the Knowledge Builder application to display Experion platform and Safety Manager platform on-line documentation. You can install the Knowledge Builder client and server applications on any computer running Windows Server 2008 R2 and Windows 7 (Professional, Ultimate and Enterprise).

2.6.1 Safety Manager User documentation

The Safety Manager User Assistance Documentation R151.1.10 is included as:
- Online user documentation and
- PDF user documentation.

2.6.2 Supported installation types

Knowledge Builder supports Full, Client, Server Only, and CD installations. Ensure you understand the different install options before installing Knowledge Builder on your computer.

Installation type descriptions:
- Full Install. The full option installs all of the required components on your computer. Your computer can then be used stand-alone or as a Knowledge Builder server.
- Client Install. The client option installs the browser application on your computer. Your computer can then be used to access the content located on a remote Knowledge Builder server.
- Server Only Install. The server only option installs a Knowledge Builder server (content files) on a designated network location, where a functional Knowledge Builder client is not required. A full or client install can browse to this server only location.
- CD Install. The CD option is similar to the client install, except that a Knowledge Builder CD must be in the CD-ROM drive to view the content. This option is typically used on laptop computers.

2.6.3 Installing Knowledge Builder

1. Exit any running applications.
2. If you plan to remove any existing book sets before installing this version of Knowledge Builder, Honeywell recommends that you run the Knowledge Builder Backup Restore Utility to export or back up book set content and Dynamic Help. For instructions, see Launching the Knowledge Builder Backup Restore Utility.
3. Insert the Knowledge Builder CD into the CD-ROM drive.
4. In Windows Explorer, browse to the Knowledge_Builder folder on the CD and double-click the setup.exe file.
5. Follow the on-screen instructions to install the software. The defaults can be used if a full install is required. If you need one of the other install types (as listed to the left) you will need to change the install type.
6. If prompted for an MNGR account, use a "strong password" on this computer and the same password for all clients accessing the server.
7. Remove the CD from the CD-ROM drive.
8. Restart the computer.
9. Knowledge Builder may not function properly if you do not restart the computer.
10. Repeat this procedure on any other computers requiring Knowledge Builder.
2.6.4 Launching Knowledge Builder applications

2.6.4.1 Launching Knowledge Builder

To launch Knowledge Builder do one of the following:
- Choose Start > Programs > Honeywell > Knowledge Builder Tools > Knowledge Builder.
- Double-click the Knowledge Builder icon located on your desktop.

2.6.4.2 Launching the Knowledge Builder Backup Restore Utility (KBBackupRestore.exe)

Read the kbbup.pdf file located in the Utilities\KB BackupRestore Utility folder on the Knowledge Builder CD.

2.6.4.3 Launching the Password Utility (PWDUtil.exe)

Read the PwdUtil_Instructions.txt file located in the Utilities\Password Utility folder on the Knowledge Builder CD.

2.7 Experion Integration Support

2.7.1 Experion SCADA: Safety Manager diagnostic message files on Experion

To get a correct Safety Manager diagnostic representation on Experion SCADA, the following files will need to be copied (replaced) to the Experion Server:
- fsc_module.txt
- fsc_fault.txt

Most likely the file location at the Experion server is: \Experion PKS\Server\Data.

2.7.2 CDA integration in Experion: Safety Manager Experion Components Installer

To be able to see the Safety Manager detail displays, system tree icons and CDA error messages on Experion, the Safety Manager R151.4 Experion Components.msi has to be installed on the Experion Server and Experion stations when file replication is not used.

The Safety Manager R151.4 Experion Components.msi is a standalone installer.

For CDA Experion integration, the detail displays must be installed using this installer, before starting Experion.
3 Release Overview

Safety Manager R151.4 is a scheduled maintenance release of the Safety Manager R15x series. Safety Manager R15x focuses on further reduction of the total cost of ownership by increasing engineering and maintenance efficiency, and on increased safety availability by allowing distribution of the safety application over multiple Universal Safety Logic Solvers. The latter fits perfectly with distributed applications like pipeline monitoring and well head control.

3.1 Feature compare

The following table shows the feature set comparison of Safety Manager R151.4:

3.2 Release Details

Enhancements on customer request are identified by unique identification (1-xxxxxx).

3.2.1 Integration with Experion Process Control system

CDA integration in Experion provides operational integration comparable to C200/C300 process controller integration. Point data is instantly available in custom graphics and peer to peer relations. A unique point publishing mechanism to the Experion is used to allow application development in multiple locations or accommodate customer requirements for strict segregation between the process control and safety maintenance network. CDA integration provides a safe and cost effective integrated solution over the lifetime of the solution.

The CDA integration contains the following:
- Hardware points for all hardware modules in the Safety Manager
- Process points for FLDs containing inputs and or outputs.
- Standard parameter sets per input or output block
- Publishing of I/O points enabling data access / P-2-P / alarms in Experion
3.2.2 Safety Manager Advanced Redundancy Technique (A.R.T.)

Safety Manager (redundant):
- Is single fault tolerant on hardware modules per Safety Instrumented Function (SIF).
- Can tolerate a combination of different single hardware faults per SIF.
- Tolerates multiple hardware faults at the same time in the system.

With all of the above the process remains safeguarded (SIL3) even in degraded system mode.

Safety Manager R150 has optional Advanced Redundancy Technique. Safety Manager A.R.T.:
- has the same functionality as mentioned above, and
- provides multi fault tolerance on the IO bus, and
- supports replacement of all faulty chassis I/O modules without degrading the system for both redundant and non-redundant chassis I/O.

3.2.3 Direct FDM to USI HART pass thru

For Universal Safety I/O modules Safety Manager R151.4 supports HART pass thru functionality. This allows users to monitor and maintain HART field devices connected to the Universal Safety I/O modules directly on Experion Field Device Manager (FDM).

Features supported are:
- Configuration of the analog channels that support HART pass-thru
- Device configuration lock via Safety Builder
- FDM configuration and version management via Safety Builder export
3.2.4 Universal Safety Logic Solver

Safety Builder R151 introduces a new module as part of the Universal Safety I/O family, namely the Remote Universal Safe Logic Solver (FC-RUSLS-3224).

The FC-RUSLS-3224 module:
- Has 32 Universal Safe IO channels with configurable channel function; configuration is done in Safety Builder,
- Depends on the Safety Manager for configuration, communication and on-line view,
- Supports the execution of FLDs on the module, separate from the Safety Manager Controller,
- Is approved for SIL 3 applications.

Specifications per FC-RUSLS-3224:

| Max. properties per module | # |
|---|---|
| Markers | 512 |
| Register bytes | 256 |
| Timers 10mSec | 4 |
| Timers 100mSec | 32 |
| Timers 1Sec | 32 |
| Timers 1min | 16 |
| Counters | 16 |

3.2.5 Multiple protocols in combination with Remote IO link on the same communication module

Safety Builder R151 is able to operate the Remote IO protocol parallel to other protocols on the same communication module. The maximum links supported are 10 SafeNet links and 20 Universal Safety I/O modules OR 20 SafeNet links and 10 Universal Safety I/O modules.

3.2.6 Non-Redundant Universal Safety I/O

Safety Builder R151 supports non-redundant Universal Safety I/O. On-line modifications are supported for:
- all redundant system components, and
- non-redundant components that are not changing (configuration or firmware).

3.2.7 Low latency SOE for Universal Safety I/O modules

Safety Manager R151.4 Safety Builder R151 supports, in addition to the normal SOE, low latency SOE. These SOE events are time stamped on the Universal I/O module with a resolution of 1 msec.

3.2.8 FLD Intellectual Property Protection

Safety Builder R151 supports FLD Intellectual Property protection through:
- Password validation when Opening, Deleting, and Printing protected FLDs in the Application Editor.
- Enforced protection during the Copy FLD and Import FLD functions in the Application Editor.
- Password validation when using View FLD in the Application Viewer.
3.2.9 Modbus Master

Safety Builder R151 supports Modbus Master:
- Redundant communication only ModbusTCP (ModbusRTU support via Gateway)
- Supports ModbusTCP gateway exception 0xB
- Supports function codes 1, 2, 3, 4, 5, 6, 15 and 16
- Physical link supported: Ethernet only (FTE not supported)
- 1 Modbus Master per USI
- Max 32 logical links per USI (this includes Safety Builder, Experion, Modbus slave links)
- Supports packed DI/DO (via ModbusTCP function codes 3, 4, 6, 16)

3.2.10 Automatic cold start (1-S4VSRB)

Safety Builder R151 supports automatic cold startup of Safety Manager. This feature must be enabled via Controller properties.

3.2.11 Paper Machine Drive (PMD) Integration (1-PY02IR)

Safety Builder R151 supports integration with Experion PMD Process Controller via CDA. PMD is supported from release 800.1.

3.2.12 Dual independent SOE Collectors (1-OJ60AH)

Safety Builder R151 offers the possibility to configure both Experion SOE (via CDA) and Safety Historian (via SCADA), hence creating a dual independent SOE collector.

3.2.13 Safety Historian on Serial communication Channels (1-QLAX4H)

With Safety Builder R151, Channel C and D (serial communication) on the USI can be configured as SOE Channel. To enable event retrieval via channel C or D an external Serial/TCP converter is necessary.

3.2.14 Universal Safety Logic Solver cycle time (1-PMBIAF)

Universal Safety Logic Solver runs at an optimized application cycle time which can be lower than or equal to the Safety Manager application cycle. The actual Universal Safety Logic Solver application cycle time is displayed via Safety Builder.

3.2.15 Fast marker write

For Modbus (Master/Slave), PCDI and CDA protocols all Coil/Marker writes are processed within 2 application cycles, significantly increasing write performance compared to previous Safety Manager releases.
3.2.16 Improved USIO Line Monitored configuration change (1-2QVIUPO)

During On-line Modification process a LM configuration difference is detected between the CPs. A Diagnostic WARNING will be generated in case continuing the On-line Modification process would end up in a loop fault. (WARNING: Continuing OLM, results in loops set to fault reaction)

3.2.17 Reduced spurious report of "Current detected in output loop" (1-28BXJWS, 1-28BZSF1)

With Safety Builder R151 the line monitored output card (SDOL-0424/SDOL-0448) now has:
- Reduced signal noise injection
- Improved signal noise immunity

3.2.18 Changed Communication overrun (EC66) Diagnostic into Statistic (1-2C5EJ4S)

Based on feedback received from customer, the Communication overrun diagnostic has been changed into a communication statistic. To check the stability of the communication networks it is recommended to monitor the communication statistics.
4 Anomalies Resolved

This section provides an overview of the issues resolved related to previous Safety Manager Release. Following table indicates anomalies reported by customers and solved with Safety Manager R151.4.

| PAR # | Function | Abstract |
|---|---|---|
| 1-1E3NS4E | Controller Management | It is not always possible to successfully upgrade a non-redundant Safety Manager if the Safety Manager QPP was previously loaded with a redundant configuration. |
| 1-1PA7CD3 | Firmware | No signal update when Safety Manager field DI or COM digital output is connected to DEVCTLA DI pin. |
| 1-1N2FG9L | Firmware | When removing the IO Extender module from a running non-redundant SM A.R.T. IO chassis sometimes IO modules from another chassis are reported faulty. |
| 1-1IY22OA | Firmware | An unknown journal alarm in EPKS is causing an event overload. RCVBGN repeating every 1 minute. |
| 1-1ZPC8FZ | Firmware RIO | Two application cycles lag seen between Loop AND bit and Channel Diagnostic bit set to faulty with the AI signals connected to USIO. |
| 1-107J1XF | Firmware QPP | A diagnostic error code 197 (secondary switch off activated) is reported when all SDOL-0448 modules are reported faulty with EC2 at the same moment. |
| 1-2EFWTQD | Firmware RIO | FDM cannot communicate with Hart device connected to USIO; Safety Manager shows EC72 HART Device not Connected. |
5 Known Restrictions

5.1 Changing Function Block gives an error during compilation (PAR1420, 1-12IVDA2)

Safety Manager Release R100.1 and higher

Configurations: Changing Function Block (FB)

Descriptions & Conditions: When changing an FB which is used on one or more FLDs, these FLDs are not refreshed with the latest changes. Translate Application reports all FLDs with the changed Function Block. Changes on a function block that require a refresh on the FLDs that use these function blocks are:
- Interface signal types
- Timer set points
- Counter
- Cycle-pulse

Work around: Use the Change option from the pop-up menu to update the FLDs that use this changed Function Block.

5.2 Off-sheet transfer is not updated after renaming input (1-1VSN5T)

Configurations: Changing tag numbers

Descriptions & Conditions: When a tag number of an input is changed, and an off-sheet marker (with the same name) is connected on that input, the off-sheet marker will not change according to the input change.

Work around: Go to the off-sheet marker, select Change and press OK. The text will be updated.

Work around: None.

5.3 Communication time out protocol Modbus RTU (1-7SK0HR/1-ASG7E7)

Configurations: Applies for Modbus RTU protocol only

Descriptions & Conditions: The minimum time out of non-redundant Modbus with redundant CPs communication shall be set to 15 seconds.

Work around: Set time out to 15 seconds.
5.4 Remove Force enable procedure (1-14UOTT/1-14UOWF)

Configurations: All

Descriptions & Conditions: If a point is forced in a running redundant Safety Manager Controller and during a modification this point is set to force enable No, the point is still forced after the On-line modification (OLM). The force of this point can only be cleared via the Safety Builder Clear all Forces option or by disabling the FORCE ENABLE key. When trying to start up View all Forces while this point is forced, Safety Builder will terminate.

Work around: Clear the force by using Clear all Forces before using View all Forces.

5.5 On-line adding Universal Safety IO modules (4401/4850/4824)

Configurations: Safety Manager Controller with Universal Safety I/O modules running.

Descriptions & Conditions: The maximum number of Remote Universal Safe IO redundant modules that can be added during one On-line Modification (OLM) is 8 modules. If more than 8 modules have to be added this shall be done in phases. Do not perform OLM when a communication cable is disconnected.

Workaround: When adding or removing in batches of 8 modules is not possible, an off-line modification is required.

5.6 Loading using the Loading privilege level (PAR4641)

Configurations: All.

Descriptions & Conditions: When using the Loading privilege level it is not possible to complete a load. While busy with (or just after completing) loading of the redundant CP, an error code appears indicating that the Loaded flag cannot be set.

Workaround: Use another privilege level or enable Disconnected Load and Set Controller Loaded.
5.7 Writing packaged coils using Modbus (1-6XH0HS)

Configurations: Safety Manager Controller with Modbus RTU communication.

Descriptions & Conditions: Safety Manager supports the feature of reading and writing packaged coils for Modbus communication. This feature allows multiple coils to be packed and accessed with a single Modbus function code. This saves allocation space in Modbus masters that support packaged coils and also limits the communication load. To avoid additional logic inside Safety Manager for packing and unpacking bits into registers, this option is integrated in the Modbus communication stack of Safety Manager. Most F&G (Fire and Gas) equipment uses this method of transferring detector information.

If Safety Manager receives a read or write register command, it checks whether these register addresses exist in Safety Manager. If no BI (Binary Input) tag numbers are allocated to these addresses, it checks whether the addresses exist as DI points. If so, the register value will be written to the digital input signals.

For example, if the register address is "1", but this address is not used in Safety Manager, it checks if address 1 is a valid address as coil. If it is, the register value will be written to digital input address 1 thru 16 (a register is 16 bits).

Workaround: There are different actions depending on whether you have a running application or a new project.

For running applications:

1. Check address ranges of Markers and Registers.
   - Same address range: start address for marker and register addresses are the same.
   - Different address range: start address for marker and register addresses are different and are not overlapping.
2. If different address ranges are configured for Markers and Registers, no further action is needed.
3. If same or overlapping address ranges are configured for Markers and Registers:
   a. Create a new Binary Input (BI):
      Tag number: DO_NOT_DELETE
      Description: Do not delete this tag number
      Location: COM
      Type: Word
      Logical Connection: Modbus link
      Address: Last available Binary Input Modbus address
      (No need to place the created tag number on a sheet)
   b. Compile and Load the application following the On-line Modification procedure.

After the implementation of this solution in the Safety Manager, the entire configured Modbus binary input address range will be recognized as register area. This means that when writing an unused register from the Modbus master device, Safety Manager will respond with the message invalid address.

For new projects:

Configure addresses for markers and registers that are not in the same range and do not overlap.

Example:

Markers are configured in address range:
DI: 1-416
DO: 417-832

Registers are configured in address range:
BI: 5001-5064
BO: 5065-5128
5.8 Analog Output value on Universal Safety Logic solver is not transported via SafeNet (1-THYTLL)

Configurations: Application having SafeNet and Universal Safety Logic Solver.

Descriptions & Conditions: When an Analog Output on the Universal Safety Logic Solver is allocated to a target Safety Manager controller via SafeNet, the target controller does not receive the value.

Workaround: Use COM signals to transport an analog output signal from a Universal Safety Logic Solver to the target Safety Manager.

5.9 FDM operation failures in case of SM configuration with HIGH cycle time (1-2KGC1TL)

Configurations: Application having higher cycle times and connected to FDM.

Descriptions & Conditions: FDM bulk operations result in FDM-Bulk-Operation failures for applications with high cycle time.

Workaround: Increase the FDM RCI timeout.
6 Special Considerations

Users will need to take the following special considerations into account.

6.1 On-line modification (PAR3072/3262/3265/1-AKLE9C)

When doing an On-line Modification always make use of the OLM procedure. During the actual Load: Do NOT apply a Fault Reset (Direct or Remote). The Safety Manager Controller will stop the software loading.

6.2 Key switch QPP

When the QPP key switch is placed between the IDLE and STOP positions, the Safety Manager Controller will interpret this as the key switch being set in the RUN position. The display of the QPP will show CPReady. It is possible to start up the Safety Manager Controller in this situation.

6.3 Knowledge Builder Client (PAR1073)

Knowledge Builder Client will be installed automatically on C:\Program Files. The user cannot select another drive.

6.4 User guides

If a user looks for task specific instructions, the following considerations apply:
- Dedicated instructions for operators have not been identified; tool usage instructions for operators can be extracted from the on-line tools section in the Software Reference.
- Dedicated instructions for engineers have not been identified; tool usage instructions for engineers can be extracted from the various tool sections in the Software Reference.
6.5 Data types within Experion releases

When configuring Safety Manager Data types in Experion, AI and AO data types should be used as shown in Table 1.

Table 1

| Point type AI / AO | Experion R210 or lower | Experion R300 and higher |
|---|---|---|
| 0-20mA | FSC020MA | SM020MA |
| 4-20mA | FSC420MA | SM420MA |
| 0-5 V | FSC05V | SM05V |
| 1-5 V | FSC15V | SM15V |
| 0-10 V | FSC010V | SM010V |
| 2-10 V | FSC210V | SM210V |

6.6 Safety Manager Controller Sequence of Event

System events

System events with SOE number 0, 1, 2, 3 and 5 do not exist. Safety Manager Controller does not reserve these SOE numbers for system events anymore. The system events have to be configured the same way as normal points connected to the SOE Only controller.

SOE-ID update

The application must be compiled in order to have all SOE IDs assigned correctly before these can be used by Experion/Safety Historian.

6.7 Network Time Protocol (NTP) (PAR2035)

The property Clock source timeout must be set to 1 Hour or more.

6.8 Writing a point via SafeNet from Safety Builder (PAR3104)

It is not possible to write a point of an indirect connected Safety Manager with Safety Builder.

Precondition: Connected only via a SafeNet link. (Safety Builder => Safety Manager Controller 1 => SafeNet => Safety Manager Controller 2)
6.9 Multi site - Bulk Copy (1-B89IZT)

Make sure that before copying multiple FLDs from another Safety Manager Controller the privilege level of this source Safety Manager Controller is disabled.

6.10 Using feedback loops on a sheet (1-AL1SR8)

Using feedback loops on one sheet can result in unexpected behavior.

The user designs a function on a sheet using logic symbols. The function the user designed on a sheet is executed in sequence. The sequence of execution is determined by the Application Compiler function of the Safety Builder. The Application Compiler has NO knowledge on the sequence of the function that was designed by the user.

With logic as defined in the picture at the right the Application Compiler cannot determine what function (1, 2 or 3) is executed first. In case the order of execution is 1, 3, 2 then there might be a difference of output => Personally analyzing the sheet you expect same results on 1 and 2.

This logic can appear in an unlimited number of variations: e.g. using registers. Using lots of logic symbols going from 3 to 2. The essence of this issue is a multiple feedback of a signal on one sheet.

Note: The Application Compiler is consistent when generating the sequence of execution. If the sheet does NOT change the sequence does NOT change.

The Safety Builder helps to detect ambiguous marker feedback loops. During compilation a Warning will be generated when it detects an ambiguous execution of the sheet. (in sheet example if execution is 1-3-2, 2-3-1). e.g.

In General:
- Be conscious when using Multiple feedbacks on ONE sheet
- Feedback loops should be tested thoroughly

Work around.
- Implement feedback via multiple sheets using off and on sheet references.
- Prevent the Application compiler to generate internal points to store intermediate results. (3) e.g. In Sheet example connect 3 to off sheet reference.
6.11 Clock source configurations (PAR 1790)

It is possible to configure clock source priorities in SafeNet networks which are not supported by the Safety Controller. The slave Safety Manager Controller will only respond to its direct master Safety Manager Controller, even if a higher master SM Controller is configured as time master. Be sure that clock source configurations are only with directly connected master Safety Manager Controllers.

6.12 Unable to set Safety Manager Controller to the loaded mode (PAR3466)

In case an IO module is deleted from an application it is necessary to compile the application twice before it can be set to loaded. An attempt to set the controller to loaded after the first compile fails. The Controller remains in the modified mode.

6.13 Adding new SafeNet points on-line (PAR3398)

When adding new SafeNet inputs on-line, the signal will get the configured power-up value for the first cycle and not the value of the source output. SafeNet inputs that could cause a process trip through de-activation need to be forced in the application, to avoid such an accidental process stop.

It is advisable to first add the points and logic and bypass this with, for example, an OR-gate and a '1'. In this situation the signal and logic can be tested before they are implemented in the real logic. If all is tested, the OR-gate and '1' have to be deleted. This needs another OLM.

Another option is to set the power-up value correctly. This will set the value correctly during the first cycle but may mean that testing of the logic is not possible.

6.14 Spare Parts FC-QPP-0001 and FC-QPP-0002

In case the Safety Manager system needs replacement of one QPP, the "Replacing a QPP module in a redundant Safety Manager Controller" instructions in the Safety Manager's Installation and Upgrade Guide should be followed. The QPP will self learn and copy the software and application of the other running CP.
When the QPP-0002 which serves as the replacement needs to be downgraded to match the running CP, it is possible that the self learning is not completed and the QPP cannot start up. In this case the Load option of Safety Builder should be activated. The Safety Manager system will indicate this by showing $FFFFFFFF or $00000000 as the CRC of the embedded software of the QPP. See Safety Builder - System Info.
6.15 Certification EN/ISO 13849-1 (PAR3973)

Configurations: SM Controller with Universal Safety I/O modules running.

Descriptions & Conditions: To comply with the EN/ISO 13849-1 standard:
- Digital input signals allocated to the Remote Universal Safe IO module must be configured as Line monitored Digital Input.
- Digital output signals allocated to the Remote Universal Safe IO module must have shielded field wiring.

6.16 Universal Safety I/O module status online view (1-T75FTL)

Configurations: SM Controller with Universal Safety I/O modules running.

Descriptions & Conditions: During Load of Safety Manager the Remote Universal Safe IO modules also receive new software. During this time the detailed status of the Universal Safety I/O modules is not updated. This results in swapping online Universal Safety IO status.

6.17 Adding an AO channel to a Universal Safety IO (PAR4644)

Configurations: SM Controller with Universal Safety I/O modules running.

Descriptions & Conditions: Adding an AO point to a Remote Universal Safe IO module requires a connected load (external device or resistor) on the channel to make OLM possible and successful. If there is no load on the channel the RUSIO module cannot perform the calibration and OLM will not continue or will fail.

6.18 MODBUS PLC address ranges (PAR4342/7273)

Configurations: SM Controller with logical link protocol Modbus.

Descriptions & Conditions: With Safety Manager R140.3 and higher it is possible to configure the PLC addresses of Inputs & Outputs on the same address. When PLC addresses of inputs & outputs are overlapping, the communication between the Device & Safety Manager Controller will not operate correctly. To ensure correct operation of Safety Manager Device communication, the Output address range should be non-overlapping and should be defined after the Input address range.
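Added example (not part of the Honeywell notice and not Honeywell code): a Python sketch that audits a Modbus address plan against the rules stated in sections 5.7 and 6.18, and models the register-write lookup order that 5.7 describes. All class and function names are hypothetical; the "invalid address" result for addresses 5.7 does not cover and the per-kind reading of 6.18 (DI/DO and BI/BO) are assumptions. The first plan uses the address ranges from the 5.7 example; the second is constructed.

```python
"""Audit a Modbus address plan against SCN sections 5.7 and 6.18.

Added illustration, not Honeywell code. All names are hypothetical.
"""
from dataclasses import dataclass, field

REGISTER_BITS = 16  # section 5.7: "a register is 16 bits"


@dataclass(frozen=True)
class Span:
    """Inclusive Modbus address range, e.g. Span(1, 416)."""
    first: int
    last: int

    def __contains__(self, addr):
        return self.first <= addr <= self.last

    def overlaps(self, other):
        return self.first <= other.last and other.first <= self.last


@dataclass
class AddressPlan:
    di: Span  # marker inputs
    do: Span  # marker outputs
    bi: Span  # register inputs
    bo: Span  # register outputs
    allocated_bi: set = field(default_factory=set)  # BI addresses that carry a tag

    @property
    def register_area_pinned(self):
        # Workaround 3a in section 5.7: a BI tag (DO_NOT_DELETE) on the last
        # available BI address makes the whole BI range count as register area.
        return self.bi.last in self.allocated_bi


def resolve_register_write(plan, addr):
    """Model the handling of a register write to addr as section 5.7 describes it."""
    if addr in plan.allocated_bi:
        return "register"
    if plan.register_area_pinned and addr in plan.bi:
        return "invalid address"
    if addr in plan.di:
        # Unused register address that is a valid DI address: the 16-bit value
        # is written to 16 digital inputs starting at addr.
        return ("packed DI", addr, addr + REGISTER_BITS - 1)
    return "invalid address"  # assumption: the notice does not cover this case


def audit(plan):
    """Return a list of findings; an empty list means both rules are met."""
    findings = []
    markers = {"DI": plan.di, "DO": plan.do}
    registers = {"BI": plan.bi, "BO": plan.bo}
    clashes = [f"{m}/{r}" for m, ms in markers.items()
               for r, rs in registers.items() if ms.overlaps(rs)]
    if clashes and not plan.register_area_pinned:
        exposed = [a for a in range(plan.bi.first, plan.bi.last + 1)
                   if isinstance(resolve_register_write(plan, a), tuple)]
        findings.append(
            f"5.7: marker and register ranges overlap ({', '.join(clashes)}); "
            f"{len(exposed)} unused register addresses resolve to packed DI writes")
    # Section 6.18: the output range must be defined after the input range.
    for kind, inp, out in (("marker", plan.di, plan.do),
                           ("register", plan.bi, plan.bo)):
        if out.first <= inp.last:
            findings.append(f"6.18: {kind} output range must start after "
                            f"the input range ends ({inp.last})")
    return findings


# Address ranges from the "new projects" example in section 5.7.
PAGE_EXAMPLE = AddressPlan(Span(1, 416), Span(417, 832),
                           Span(5001, 5064), Span(5065, 5128), {5001})
# Constructed plan: registers share the start address with the markers.
SHARED_RANGE = AddressPlan(Span(1, 416), Span(417, 832),
                           Span(1, 64), Span(65, 128), {1, 2, 3})

if __name__ == "__main__":
    for name, plan in (("page example", PAGE_EXAMPLE),
                       ("shared range", SHARED_RANGE)):
        print(name, audit(plan) or "no findings")
    print(resolve_register_write(SHARED_RANGE, 10))
```

Adding the last BI address (64) to allocated_bi in the constructed plan models workaround step 3a: the same write then resolves to "invalid address" and the 5.7 finding disappears.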
6.19 CDA Integration with Experion Process Control system

- Existing Applications should be compiled before publishing to Experion server.
- Publishing of IO points - Delete all before update. This option is not recommended to be used for an on-line system. It will require a restart of the communication modules before Experion is able to receive any alarms and events. The restart can be achieved on-line by restarting the CPs sequentially. After each restart the CPs should be synchronized.
- When publishing to Experion, Safety Builder must run on a PC that is in the same workgroup or domain as the Experion server and is using an account that has Experion privileges. (1-OJ1CAZ)
- QPP does not acknowledge writes, hence peers would not get an acknowledgement when writes are not received by the Safety Manager. (PAR2018/1-O5M3U)
6.20 Renamed CDA tag parameter names

With Safety Manager R151.1 CDA tag parameter names have changed, which might have an effect on the faceplates designed using Safety Manager R150.1. The following list contains the changed CDA tag parameter names compared to Safety Manager R150.1.

| Block Name | Parameter Name (R150.1) | Parameter Name (R151.1) |
|---|---|---|
| SM_DOCOM | OPFL | PVFL |
| SM_DOCOM | OP | PV |
| SM_BOCOM | OP | PV |
| SM_AI | EngUnits | EUDESC |
| SM_AI | BOTTOMSCALE | PVEULO |
| SM_AI | TOPSCALE | PVEUHI |
| SM_AO | EngUnits | EUDESC |
| SAI_NR_CHAN | PVPERC | PV |
| SAI_R_CHAN | PVPERC | PV |

To activate the Safety Manager R151.4 parameter names when migrating from Safety Manager R150, the Force Update All option in the publish dialog box must be selected. (Only first time with Safety Manager R151.4)

The Experion Custom displays (faceplates), trends, history, peer to peer configurations and all other Experion clients using Safety Manager parameters that have been changed have to be modified according to the new parameter names in Safety Manager R151.4.
6.21 RUSLS Remote Universal Safe Logic Solver

Before changing the Execution Environment of an FLD make sure to remove Sheet transfers first to properly de-allocate the sheet transfer allocation.

6.22 Multiple-Protocols

The current USI performance model includes only SafeNet and Remote IO link communication protocols. Other protocols will be added.

6.23 Universal Safety I/O

In Safety Manager R151.4 the Universal Safety I/O does not automatically accept communication infrastructure changes that affect Time synchronization. The Universal Safety I/O module must be power cycled after a change in delay is made, for example when a switch level is added. Both Remote IO links require the same number of switches and only tolerate 10 km difference in fiber length.

6.24 Universal Safety I/O HART enabled devices (1-RJUE1R)

The HART enabled device connected to a Universal Safety IO/Universal Safety Logic Solver analog output channel can only be serviced if the analog output channel is forced.

6.25 Export to UNISIM

The UNISIM product is used to simulate the application of Safety Manager.
- To transfer correct information from Safety Manager to UNISIM the option Export to Unisim must be used.
- Since Release SM R14x Safety Manager supports Smoke & Heat detectors. An extra property (Boolean Property Output) has been introduced. The Smoke & Heat detectors of Safety Manager R140 are fully supported by UNISIM R400 or higher.
- UNISIM supports FLD Intellectual Property Protection.
- Safety Manager R151.4 UNISIM export format is fully supported as of UNISIM R430.

6.26 Sheet difference reported for FLDs containing Equation block

When performing an On-line software upgrade from a release older than R145.1, sheets having an Equation block are reported on the sheet difference report, and can be ignored.
6.27 Un-expected points reported in OLM report (1-NBCUL6, 1-T5AGKA, 1-SJCNHR, 1-POSKKA)

With Safety Manager R151.1 the Float rounding routine is updated due to the implementation of the Universal Safety Logic Solver. This means that when migrating from Safety Manager R150.1 (and older) to Safety Manager R151.4, FLDs containing constants of type Float (e.g. Float Constants, Equation Blocks) can get rounded differently. This results in FLDs being reported in the OLM report.

When an R150.1 application is migrated on-line to Safety Manager R151.4, more Functional Logic Diagrams (FLDs) may be reported as different than expected. This is caused by a minor execution time difference of these FLDs running on the different firmware versions. It is recommended to validate the reported FLDs. The differences do not exist for R140.x and R145.x applications migrated to Safety Manager R151.4.

6.28 Universal Safety Logic Solver does not make use of power up values (1-U0U6RX)

Configured power-up values of registers, counters and flip-flops are not applied in FLDs running on the Universal Safety Logic Solver.

6.29 Process Values clamped at bottom scale (1-28YYZQ6)

With Safety Manager R151.2 the Process Value of analog input signals communicated with external devices (e.g. PCDI) is clamped at bottom scale. Some customers based the design philosophy on the incorrect behavior for chassis IO AI, where the peer could detect a BADPV without the use of loop diagnostic signals. With Safety Manager R151.2 this behavior is corrected. AI values are now clamped at bottom scale.
6.30 Known anomalies

This section provides an overview of the not yet resolved problems with high priority reported by customers and confirmed to be an issue with Safety Manager R151.4.

| PAR# | Abstract |
|---|---|
| 1-PJOJWJ | Migration of Safety Manager R145 database to Safety Manager R151 takes very long time. |
| 1-TGE3XF | Reported SM alarms remain active even after CP1/CP2 set to IDLE & RUN and ALM condition reset. |
| 1-TY8121 | Universal Safety IO fault reaction value not shown application viewer when the channel is forced (maintenance override active). |
| 1-U9BLGJ | Plant Copy from one to another project not possible if the Windows language set is different. |
| 1-US08LI | Duplicated block names can be configured in the Experion properties of the FLD. |
| 1-11AX57Q | If tags are built with the same name in two SM applications and you load and publish the tags, the duplicate CDA tag of the first loaded SM application will be deleted without any warning while even when delete all before update was not chosen. |
| 1-11L2JJ1 | The point database cannot be exported due to markers allocated to a non existing sheet. |
7 Annex A: Contents of Release

7.1 Software Version Identification

Honeywell components

| Component | Version |
|---|---|
| Safety Manager R151.4 | V214 |
| Safety Processor | 151.4.0.214 |
| COM boot | 151.4.0.214 |
| COM system | 151.4.0.214 |
| RIO | 151.4.0.214 |

| Component | CRC |
|---|---|
| Safety Manager R151.4 embedded software | 0x4917D415 |

Honeywell Experion components

| Component | Version |
|---|---|
| FSC_Fault.txt | 151.4.0.214 |
| FSC_Module.txt | 151.4.0.214 |

Honeywell Safety Manager Tools

| Component | Version |
|---|---|
| SafeNet Timeout Estimator | R151.1 |
| Safety Manager to Experion Converter | 2.72 |
| Safety Manager to Safety Historian Converter | 0.0063 version |

Third party components

| Component | Version |
|---|---|
| Microsoft Direct Access Components (MDIAC) | 2.8 |
| Microsoft XML parser | 6.0 |
| Microsoft Windows (32/64 Bit) | Server 2008 R2; 7 Ultimate; 7 Professional; 7 Enterprise |
Knowledge Builder

Honeywell components

| Component | Version |
|---|---|
| KB_Client | 4.8.0.5 |

Third party components

| Component | Version |
|---|---|
| Acrobat Reader for Windows | 10 En_US |
| Microsoft XML parser | 6.0 |
| Microsoft .Net Framework | 3.5 (integrated with Windows 7) |
| Microsoft Windows | Server 2008 R2; 7 Ultimate; 7 Professional; 7 Enterprise |
7.2 Files in Package

Safety Manager R151.4 deployment unit contains following items.

| Name | Folder |
|---|---|
| SM R151.4 SCN.pdf | Root |
| 0x0409.ini | Root |
| ISSetup.dll | Root |
| Safety Manager.msi | Root |
| setup.exe | Root |
| Setup.ini | Root |
| splash.bmp | Root |
| WindowsInstaller-KB893803-x86.exe | Root |
| CRC.INI, embedded software.bin, Format.xml, IntermediateStructure.xml, Metadata.xml, Types.xml, pefu1.sym, safetybuilder.chm, SafetyBuilder.exe, SBExport_Schema.xsd, FSCad.bpl, FSCLib.bpl, Honeywell.Com.ECI.DataContracts.dll, ECIClient.dll, ECICommon.dll, VCompile.bpl, VConfCA.bpl, VConfCC.bpl, VConfVar.bpl, VCore.bpl, VECI.bpl, VImEx.bpl, VIntf.bpl, VLib.bpl, VLibBP.bpl, VLibD.bpl, VLibUI.bpl, VMigrate.bpl, VOnline.bpl, VShell.bpl, VViewSts.bpl, VViewVar.bpl | Program files |
| CATemplate.mdb, CCTemplate.mdb, DiagnosticsTemplate.mdb | Program files\templates |
| Safety Manager Tools | Tools |
| User Assistance Documentation (UAD) | User_Assistance |
| Safety Manager R151.4 Experion components.msi | Experion_Components |
| Experion message files | Experion_Message_Files |
8 Notices and Trademarks

Honeywell International Inc. 2014. All Rights Reserved.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer. In no event is Honeywell liable to anyone for any indirect, special or consequential damages. The information and specifications in this document are subject to change without notice.

Experion, TotalPlant, TDC 3000 and Universal Control Network are U.S. registered trademarks of Honeywell Inc. PlantScape is a trademark of Honeywell International Inc. FSC and QMR are trademarks of Honeywell Safety Management Systems. Other brand or product names are trademarks of their respective owners.

Honeywell International
Process Solutions
1860 West Rose Garden Lane
Phoenix, AZ, 85027, USA
+1 800-822-7673
www.honeywell.com/ps