Allen-Bradley Rockwell Automation 1734-AENT User manual

GuardLogix Controller Systems

Catalog Numbers 1756-L61S, 1756-L62S, 1756-L63S,

1768-L43S, 1768-L45S

Safety Reference Manual

Important User Information

Solid state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelines for the Application, Installation and Maintenance of Solid State Controls (publication SGI-1.1

available from your local Rockwell

Automation sales office or online at http://www.rockwellautomation.com/literature/ ) describes some important differences between solid state equipment and hard-wired electromechanical devices. Because of this difference, and also because of the wide variety of uses for solid state equipment, all persons responsible for applying this equipment must satisfy themselves that each intended application of this equipment is acceptable.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING

Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

IMPORTANT

ATTENTION

Identifies information that is critical for successful application and understanding of the product.

Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence

SHOCK HAZARD

Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD

Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

Rockwell Automation, Allen-Bradley, TechConnect, ControlLogix, GuardLogix, CompactLogix, CompactBlock Guard I/O, ArmorBlock Guard I/O, Guard I/O, ControlFlash, Logix5000, SLC, RSLogix

5000, RSNetWorx for EtherNet/IP, RSNetWorx for DeviceNet, RSNetWorx for ControlNet, FactoryTalk Security, and RSLinx are trademarks of Rockwell Automation, Inc.

Trademarks not belonging to Rockwell Automation are property of their respective companies.

3 Publication 1756-RM093F-EN-P - January 2010

Summary of Changes

The information below summarizes the changes to this manual since the last publication.

To help you find new and updated information in this release of the manual, we have included change bars as shown to the right of this paragraph.

This manual now covers 1768 Compact GuardLogix controllers as well as 1756 GuardLogix controllers. When ‘GuardLogix’ is used alone throughout the manual, it refers to both 1756 and 1768 GuardLogix controllers.

Topic

1768 Compact GuardLogix Controller User Manual and Installation

Instructions added to list of Additional Resources

1768-L43S and 1768-L45S Compact GuardLogix controllers and 1768 power supplies added to list of GuardLogix System Components

1784-CF64 and 1784-CF128 CompactFlash cards added to list of

GuardLogix System Components

1734-AENT POINT I/O Ethernet Adapter added to list of components suitable for use with a GuardLogix system

1768-L43S and 1768-L45S Compact GuardLogix controller hardware

Information on EN50156 Compliance with 1756 ControlLogix SIL 2

Inputs

Storing and Loading a Project from Nonvolatile Memory

Using Safety Add-On Instructions

PFD and PFH data for 1768-L43S and 1768-L45S controllers

PFD data for 20-year proof test intervals

Updated terminology to distinguish between safety task signature, instruction signature, safety instruction signatures

Page

11

16

16

17

25

45

62

83

101 and 102

102

throughout

3

Summary of Changes


Table of Contents

Safety Integrity Level (SIL)

Concept

Preface

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

About This Publication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Who Should Use This Publication . . . . . . . . . . . . . . . . . . . . . 9

Understanding Terminology . . . . . . . . . . . . . . . . . . . . . . . . 10

Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

SIL 3 Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Functional Verification Tests . . . . . . . . . . . . . . . . . . . . . . . . 14

GuardLogix Architecture for SIL 3 Applications. . . . . . . . . . . 15

GuardLogix System Components . . . . . . . . . . . . . . . . . . . . . 16

GuardLogix Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . 18

GuardLogix PFD and PFH Specifications . . . . . . . . . . . . . . . 19

Safety Integrity Level (SIL) Compliance Distribution and

Weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

System Reaction Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Safety Task Reaction Time . . . . . . . . . . . . . . . . . . . . . . . 21

Safety Task Period and Safety Task Watchdog. . . . . . . . . 21

Contact Information If Device Failure Occurs . . . . . . . . . . . . 22

GuardLogix Controller System

Chapter 2

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

1756 GuardLogix Controller Hardware . . . . . . . . . . . . . . . . . 23

Primary Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Safety Partner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Power Supplies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

1768 Compact GuardLogix Controller Hardware . . . . . . . . . . 25

CIP Safety Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Safety I/O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Communication Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Programming Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

CIP Safety I/O for the GuardLogix

Control System

Chapter 3

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Typical Safety Functions of CIP Safety I/O Modules . . . . . . . 29

Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Status Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Status Indicators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

On- or Off-delay Function . . . . . . . . . . . . . . . . . . . . . . . 30

Reaction Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

5 Publication 1756-RM093F-EN-P - January 2010 5

Table of Contents

6

Safety Considerations for CIP Safety I/O Modules . . . . . . . . . 31

Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Safety I/O Configuration Signature . . . . . . . . . . . . . . . . . 31

I/O Module Replacement . . . . . . . . . . . . . . . . . . . . . . . . 32

CIP Safety and the Safety Network

Number

Chapter 4

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

The Routable CIP Safety Control System. . . . . . . . . . . . . . . . 35

Unique Node Reference . . . . . . . . . . . . . . . . . . . . . . . . . 36

Safety Network Number . . . . . . . . . . . . . . . . . . . . . . . . . 36

Considerations for Assigning the Safety Network

Number (SNN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Safety Network Number (SNN) for Safety Consumed

Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Safety Network Number (SNN) for Out-of-box Modules. . 38

Safety Network Number (SNN) for Safety Module with a

Different Configuration Owner . . . . . . . . . . . . . . . . . . . . 38

Safety Network Number (SNN) when Copying a Safety

Project. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Characteristics of Safety Tags, the

Safety Task, and Safety Programs

Chapter 5

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Differentiate Between Standard and Safety . . . . . . . . . . . . . . 41

SIL 2 Safety Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

SIL 2 Safety Control in the Safety Task . . . . . . . . . . . . . . 42

SIL 2 Safety Control in Standard Tasks

(1756 GuardLogix Controllers Only) . . . . . . . . . . . . . . . . 45

EN50156 Compliance With 1756 ControlLogix

SIL 2 Safety Inputs in Dual-channel Configurations with 1756 GuardLogix Controllers. . . . . . . . . . . . . . . . . . 45

SIL3 Safety – the Safety Task . . . . . . . . . . . . . . . . . . . . . . . . 47

Safety Task Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Safety Task Execution Details . . . . . . . . . . . . . . . . . . . . . 48

Safety Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Safety Routines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Safety Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Standard Tags in Safety Routines (Tag Mapping) . . . . . . . 51


Chapter 6

Safety Application Development

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Safety Concept Assumptions . . . . . . . . . . . . . . . . . . . . . . . . 53

Basics of Application Development and Testing . . . . . . . . . . 53

Commissioning Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Specification of the Control Function . . . . . . . . . . . . . . . 55

Publication 1756-RM093F-EN-P - January 2010

Table of Contents

Create the Project. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Test the Application Program . . . . . . . . . . . . . . . . . . . . . 56

Generate the Safety Task Signature . . . . . . . . . . . . . . . . . 57

Project Verification Test . . . . . . . . . . . . . . . . . . . . . . . . . 57

Confirm the Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Safety Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Lock the GuardLogix Controller . . . . . . . . . . . . . . . . . . . 60

Downloading the Safety Application Program. . . . . . . . . . . . 61

Uploading the Safety Application Program . . . . . . . . . . . . . . 61

Online Editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Storing and Loading a Project from Nonvolatile Memory. . . . 62

Force Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Inhibit a Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Editing Your Safety Application . . . . . . . . . . . . . . . . . . . . . . 63

Performing Offline Edits . . . . . . . . . . . . . . . . . . . . . . . . . 64

Performing Online Edits . . . . . . . . . . . . . . . . . . . . . . . . . 64

Edit Your Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Chapter 7

Monitor Status and Handle Faults

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Monitoring System Status. . . . . . . . . . . . . . . . . . . . . . . . . . . 67

CONNECTION_STATUS Data . . . . . . . . . . . . . . . . . . . . . 67

Input and Output Line Conditioning . . . . . . . . . . . . . . . . 68

I/O Module Connection Status . . . . . . . . . . . . . . . . . . . . 68

De-energize to Trip System . . . . . . . . . . . . . . . . . . . . . . 69

Use Connection Status Data to Initiate a Fault Via

Program Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Get System Value (GSV) and Set System Value (SSV)

Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

GuardLogix System Faults . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Nonrecoverable Controller Faults . . . . . . . . . . . . . . . . . . 75

Nonrecoverable Safety Faults . . . . . . . . . . . . . . . . . . . . . 75

Recoverable Faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Safety Instructions

Safety Add-On Instructions

Appendix A

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Safety Application Instructions . . . . . . . . . . . . . . . . . . . . . . . 77

Metal Form Safety Application Instructions . . . . . . . . . . . . . . 79

Safety Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80


Appendix B

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Creating and Using a Safety Add-On Instruction . . . . . . . . . . 83

Create Add-On Instruction Test Project . . . . . . . . . . . . . . 85

Publication 1756-RM093F-EN-P - January 2010 7

8

Table of Contents

Reaction Times

Create a Safety Add-On Instruction . . . . . . . . . . . . . . . . . 85

Generate Instruction Signature . . . . . . . . . . . . . . . . . . . . 85

Download and Generate Safety Instruction Signature. . . . 86

SIL 3 Add-On Instruction Qualification Test. . . . . . . . . . . 86

Confirm the Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Safety Validate Add-On Instructions . . . . . . . . . . . . . . . . 87

Create Signature History Entry . . . . . . . . . . . . . . . . . . . . 87

Export and Import the Safety Add-On Instruction . . . . . . 87

Verify Safety Add-On Instruction Signatures . . . . . . . . . . 88

Test the Application Program . . . . . . . . . . . . . . . . . . . . . 88

Project Verification Test . . . . . . . . . . . . . . . . . . . . . . . . . 88

Safety Validate Project . . . . . . . . . . . . . . . . . . . . . . . . . . 88


Appendix C

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

System Reaction Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Logix System Reaction Time . . . . . . . . . . . . . . . . . . . . . . . . 89

Simple Input-logic-output Chain . . . . . . . . . . . . . . . . . . . 90

Logic Chain Using Produced/Consumed Safety Tags . . . . 91

Factors Affecting Logix Reaction-time Components . . . . . 92

Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Checklists for GuardLogix Safety

Applications

Appendix D

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Checklist for GuardLogix Controller System . . . . . . . . . . . . . 96

Checklist for Safety Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Checklist for Safety Outputs. . . . . . . . . . . . . . . . . . . . . . . . . 98

Checklist for Developing a Safety Application Program. . . . . 99

Probability of Failure on Demand

(PFD) and Probability of Failure per Hour (PFH) Data

Appendix E

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

GuardLogix Controller and Guard I/O Safety Data . . . . . . . 101

PFD Values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

PFH Values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Glossary

Index


Preface

Introduction

Topic

About This Publication

Who Should Use This Publication

Understanding Terminology

Additional Resources

Page

9

9

10

11

About This Publication

This manual is intended to describe the GuardLogix controller system, which is type-approved and certified for use in safety applications up to and including SIL 3 according to IEC 61508 and IEC 62061, safety applications up to and including Performance Level PLe

(Category 4) according to ISO 13849-1.

This publication covers both 1756 and 1768 GuardLogix controller systems. When ‘GuardLogix controllers’ is used alone in this publication, it refers to both 1756 and 1768 GuardLogix controllers.

Information specific to one controller type will include the bulletin number, 1756 or 1768.

Who Should Use This

Publication

Use this manual if you are responsible for the development, operation, or maintenance of a GuardLogix controller-based safety system. You must read and understand the safety concepts and requirements presented in this manual prior to operating a

GuardLogix controller-based safety system.


Preface

Understanding Terminology

The following table defines terms used in this manual.

PFH

PL

SNN

SSV

--

Terms and Definitions

Abbreviation

1oo2

CIP

CIP Safety

DC

EN

GSV

PC

PFD

Full Term

One out of Two

Common Industrial Protocol

Common Industrial Protocol –

Safety Certified

Diagnostic Coverage

Definition

Identifies the programmable electronic controller architecture.

A communication protocol designed for industrial automation applications.

SIL 3 rated version of CIP

The ratio of the detected failure rate to the total failure rate.

European Norm.

Get System Value

The official European Standard.

A ladder logic instruction that retrieves specified controller status information and places it in a destination tag.

Personal Computer Computer used to interface with, and control, a Logix-based system via

RSLogix 5000 programming software.

Probability of Failure on Demand The average probability of a system to fail to perform its design function on demand.

Probability of Failure per Hour The probability of a system to have a dangerous failure occur per hour.

Performance Level

Safety Network Number

Set System Value

Standard

ISO 13849-1 safety rating

A unique number that identifies a section of a safety network.

A ladder logic instruction that sets controller system data.

Any object, task, tag, program, or component in your project that is not a safety-related item (that is, standard controller refers generically to a ControlLogix or CompactLogix controller).


Preface

Additional Resources

The table below provides a listing of publications that contain important information about GuardLogix controller systems.

Resource

GuardLogix Controller Installation Instructions, publication

1756-IN045

Description

Provides information on installing the GuardLogix controller

GuardLogix Controllers User Manual, publication 1756-UM020 Configuring and programming the GuardLogix system

CompactLogix Controllers Installation Instructions, publication

1768-IN004

Provides information on installing Compact GuardLogix controllers

1768 Compact GuardLogix Controllers User Manual, publication

1768-UM002

Details how to configure, program, and operate a 1768 CompactLogix system, and provides technical specifications.

GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095

Provides information on the GuardLogix Safety Application instruction set

CompactBlock Guard I/O DeviceNet Safety Module Installation

Instructions, publication 1791DS-IN002

Guard I/O DeviceNet Safety Modules User Manual, publication

1791DS-UM001

Guard I/O EtherNet/IP Safety Modules Installation Instructions, publication 1791ES-IN001

Guard I/O EtherNet/IP Safety Modules User Manual, publication

1791ES-UM001

Provides information on installing CompactBlock Guard I/O DeviceNet

Safety modules

Provides information on using Guard I/O DeviceNet Safety modules

Provides information on installing CompactBlock Guard I/O EtherNet/IP

Safety modules

Provides information on using Guard I/O EtherNet/IP Safety modules

Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756-RM001

Describes requirements for using ControlLogix controllers, and

GuardLogix standard task, in SIL 2 safety control applications.

Logix5000 General Instruction Set Reference Manual, publication

1756-RM003

Provides information on the Logix5000 Instruction Set

Logix Common Procedures Programming Manual, publication

1756-PM001

Provides information on programming Logix5000 controllers, including managing project files, organizing tags, programming and testing routines, and handling faults

Logix5000 Controllers Add-On Instructions Programming Manual, publication 1756-PM010

Provides information on using creating and using standard and safety

Add-On Instructions in Logix applications.

ControlLogix System User Manual, publication 1756-UM001 Provides information on using ControlLogix in non-safety applications

DeviceNet Modules in Logix5000 Control Systems User Manual, publication DNET-UM004

Provides information on using the 1756-DNB module in a Logix5000 control system

EtherNet/IP Modules in Logix5000 Control Systems User Manual, publication ENET-UM001

Provides information on using the 1756-ENBT module in a Logix5000 control system

ControlNet Modules in Logix5000 Control Systems User Manual, publication CNET-UM001

Provides information on using the 1756-CNB module in Logix5000 control systems

Logix5000 Controllers Execution Time and Memory Use Reference

Manual, publication 1756-RM087

Provides information on estimating the execution time and memory use for instructions

Logix Import Export Reference Manual, publication 1756-RM084 Provides information on using RSLogix 5000 Import/Export utility

You can view or download publications at http://literature.rockwellautomation.com

. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.


Preface

Notes:


Chapter

1

Safety Integrity Level (SIL) Concept

Introduction

SIL 3 Certification


This chapter introduces you to the Safety Integrity Level (SIL) concept and how the GuardLogix controller meets the requirements for SIL 3 certification.

Topic

SIL 3 Certification

Functional Verification Tests

GuardLogix Architecture for SIL 3 Applications

GuardLogix System Components

GuardLogix Certifications

GuardLogix PFD and PFH Specifications

Safety Integrity Level (SIL) Compliance Distribution and Weight

System Reaction Time

Safety Task Period and Safety Task Watchdog

Contact Information If Device Failure Occurs

16

18

19

20

Page

13

14

15

21

21

22

1756 and 1768 GuardLogix controller systems are type-approved and certified for use in safety applications up to and including SIL 3 according to IEC 61508 and IEC 62061, safety applications up to and including Performance Level PLe (Category 4) according to

ISO 13849-1. SIL requirements are based on the standards current at the time of certification.

IMPORTANT

When the GuardLogix controller is in the Run or Programming mode and the application has not been validated by the user, the user is responsible for maintaining safe conditions.

In addition, the standard tasks within 1756 GuardLogix controllers can be used either for standard applications or SIL 2 safety applications as described in the Using ControlLogix in SIL 2 Applications Reference

Manual, publication 1756-RM001 . In either case, do not use SIL 2 or standard tasks and variables to build up safety loops of a higher level.

The safety task is the only task certified for SIL 3 applications.

The standard task in 1768 Compact GuardLogix controllers may not be used for SIL 2 safety applications.

RSLogix 5000 programming software is required to create programs for 1756 and 1768 GuardLogix controllers.

13

Chapter 1 Safety Integrity Level (SIL) Concept

The TÜV Rheinland has approved GuardLogix controller systems for use in safety-related applications up to SIL 3, in which the de-energized state is considered to be the safe state. All of the examples related to I/O included in this manual are based on achieving de-energization as the safe state for typical Machine Safety and Emergency Shutdown (ESD) Systems.

IMPORTANT

The system user is responsible for:

• the set-up, SIL rating, and validation of any sensors or actuators connected to the GuardLogix system.

• project management and functional testing.

• access control to the safety system, including password handling.

• programming the application software and the device configurations in accordance with the information in this safety reference manual and the GuardLogix Controllers User Manual, publication 1756-UM020 , or the 1768 Compact GuardLogix

Controllers User Manual publication 1768-UM002 .

When applying Functional Safety, restrict access to qualified, authorized personnel who are trained and experienced. The safety-lock function, with passwords, is provided in RSLogix 5000 software.

For information on using the safety-lock feature, refer to the

GuardLogix Controllers User Manual, publication 1756-UM020 or the

1768 Compact GuardLogix Controllers User Manual publication

1768-UM002 .

Functional Verification

Tests

IEC 61508 requires the user to perform various functional verification tests of the equipment used in the system. Functional verification tests are performed at user-defined times. For example, functional verification test intervals can be once a year, once every 15 years, or whatever timeframe is appropriate.

GuardLogix controllers have a functional verification test interval of up to 20 years. Other components of the system, such as Safety I/O modules, sensors, and actuators may have shorter functional verification test intervals. The controller should be included in the functional verification testing of the other components in the safety system.

IMPORTANT

Your specific applications determine the timeframe for the functional verification test interval. However this is mainly related to Safety I/O modules and field instrumentation.

For more information on the requirements of a functional verification

test, see Project Verification Test on pages 57

and 58 .


Safety Integrity Level (SIL) Concept Chapter 1

GuardLogix Architecture for SIL 3 Applications

The following illustration shows a typical SIL function, including:

• the overall safety function.

• the GuardLogix portion of the overall safety function.

• how other devices (for example, HMI) are connected, while operating outside the function.

Typical SIL Function

Programming Software

HMI

Read-only Access to Safety Tags

To Plant-wide Ethernet

Switch

CIP Safety

Overall Safety Function

SIL 3 GuardLogix System

CIP Safety

I/O Module

Actuator

Sensor

CIP Safety I/O Module on

Ethernet Network

DeviceNet Safety Network

CIP Safety

I/O Module

Actuator

Sensor

CIP Safety I/O Module on

Ethernet Network

Compact GuardLogix Controller with 1768-ENBT Module

Actuator

Sensor

SIL 3 Compact GuardLogix System



GuardLogix System

Components

The tables in this section list SIL 3-certified GuardLogix components for both 1756 and 1768 systems as well as non-SIL 3-certified components that may be used with SIL 3 GuardLogix systems.

For the most current list of GuardLogix controller and CIP Safety I/O modules certified series and firmware revisions, see http://www.rockwellautomation.com/products/certification/safety/ .

Firmware revisions are available at http://support.rockwellautomation.com/ControlFlash/ .

SIL 3-Certified GuardLogix Components

Related Documentation

(1)

Installation

Instructions

User Manual

Device Type

1756 Primary controller

(ControlLogix556xS)

Cat. No.

1756-L61S

1756-L62S

1756-L63S

1756-LSP

Description

Controller with 2 MB standard, 1 MB safety memory

Controller with 4 MB standard, 1 MB safety memory

Controller with 8 MB standard, 3.75 MB safety memory

Safety partner

1756-IN045 1756-UM020

1756 Safety partner

(ControlLogix55SP)

1768 Compact

GuardLogix Controller

(CompactLogix4xS)

1768-L43S

1768-L45S

Controller with support for two 1768 modules

Controller with support for four 1768 modules

1768-IN004 1768-UM002

CIP Safety I/O modules on DeviceNet networks

CIP Safety I/O modules on EtherNet/IP networks

For the most current list of certified series and firmware revisions, see the safety certificate at http://www.rockwellautomation.com/products/certification/safety/

1791DS-IN001

1791DS-IN002

1732DS-IN001

1791DS-UM001

1791ES-IN001 1791ES-UM001

(1) These publications are available from Rockwell Automation by visiting http://literature.rockwellautomation.com.

Components Suitable for Use With 1768 Compact GuardLogix Controller Safety Systems

Device Type

Power supply

Communication modules

1768-ENBT EtherNet/IP bridge module

1734-AENT POINT I/O Ethernet Adapter

1734-AENTR

1768-CNB

POINT I/O Ethernet Adapter

ControlNet bridge module

9324-xxxx RSLogix 5000 software Programming software

CompactFlash

Cards

Cat. No.

1768-PA3

1768-PB3

1784-CF64

1784-CF128

Description

Power supply, ac

Power supply, dc

64MB CompactFlash Card


Series

N/A

N/A

A

A

A

A

N/A

N/A

N/A

(1)

N/A

N/A

(1) This version or later.

(2) These publications are available from Rockwell Automation by visiting http://literature.rockwellautomation.com

.

Version

(1)

N/A

N/A

3.1.1

3.001

3.001

2.1.1

18


(2)

Installation

Instructions

User Manual

None available.

1768-IN001

1768-IN002

1734-IN590

1734-IN040

1768-IN006

N/A

N/A

N/A

ENET-UM001

1734-UM011

None available.

CNET-UM001

Consult online help.

N/A

N/A



Components Suitable for Use With 1756 GuardLogix Controller Safety Systems

Device Type

Chassis

Power supply

Communication modules

Programming software

CompactFlash

Cards

Cat. No.

1756-A4, A7, A10,

A13, A17

1756-PA72

1756-PB72

1756-PA75

Chassis

Description

Power supply, ac

Power supply, dc

Power supply, ac

1756-PB75

1756-PA75R

1756-PB75R

1756-ENBT

1756-EN2T

1756-EN2F

(1)

Power supply, dc

Redundant power supply, ac

Redundant power supply, dc

EtherNet/IP bridge module

1734-AENT

1756-DNB

1756-CN2

1756-CN2R

9324-xxxx

POINT I/O Ethernet Adapter

DeviceNet bridge module

ControlNet bridge module

ControlNet bridge module, redundant media

RSLogix 5000 software

1784-CF64

1784-CF128



Series

B

C

C

B

B

A

A

A

A

A

A

A

A

A

N/A

N/A

N/A

(2)

Version

N/A

N/A

N/A

N/A

N/A

N/A

N/A

3.6

2.005

2.005

3.001

6.2

12.1

12.1

14

(3)

N/A

N/A

(2)

1756-IN019

1756-IN603

1756-IN606

1734-IN590

1756-IN566

1756-IN602

1756-IN602

NA

(1) A 1756-PSCA or 1756-PSCAR redundant power supply chassis adapter is required for use with redundant power supplies.

(2) This version or later.

(3) RSLogix 5000 software, version 15, does not support GuardLogix safety controllers.

(4) These publications are available from Rockwell Automation by visiting http://literature.rockwellautomation.com

.

N/A

N/A


(4)

Installation

Instructions

1756-IN080

1756-IN596

1756-IN573

1734-UM011

DNET-UM004

CNET-UM001

CNET-UM001

N/A

N/A

User Manual

None available.

ENET-UM001

Consult online help.

Slots of a SIL 3 system chassis not used by the 1756 SIL 3 system may be populated with other ControlLogix (1756) modules that are certified to the Low Voltage and EMC Directives.

Expansion slots of a SIL 3 system bus that are not used by the 1768

SIL 3 system may be populated with other CompactLogix (1768) modules that are certified to the Low Voltage and EMC Directives.

To find the certificates for the ’Programmable Control – ControlLogix

Product Family’ and ’Programmable Control – CompactLogix Product

Family’, refer to http://www.rockwellautomation.com/products/certification/ce/ .



GuardLogix Certifications

This table lists the main GuardLogix certifications. For the full listing of current safety certifications and associated products, refer to http://www.rockwellautomation.com/products/certification/safety/ index.html

.

18

Catalog

Number

1756-L61S,1756-L62S, 1756-L63S X

1768-L43S, 1768-L45S X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

GuardLogix user documentation typically lists the agency certifications for which the products are approved. If a product has achieved agency certification, it is marked as such on the product labeling.

Product certifications are listed in the product’s specifications table, similar to the example shown below.

Certification Description

Functional

Safety

(1)

Certified by TÜV: capable of SIL 1 to 3, according to IEC 61508, and

PLe/Cat. 4 according to ISO 13849-1

Certified by UL: capable of SIL 3, see UL File E256621.

c-UL-us UL Listed Industrial Control Equipment, certified for US and Canada. See

UL File E65584.

UL Listed for Class I, Division 2 Group A,B,C,D Hazardous Locations, certified for U.S. and Canada. See UL File E194810.

CSA

FM

CE

C-Tick

CSA Certified Process Control Equipment. See CSA File LR54689C.

CSA Certified Process Control Equipment for Class I, Division 2 Group

A,B,C,D Hazardous Locations

FM Approved Equipment for use in Class I Division 2 Group A,B,C,D

Hazardous Locations

European Union 2004/108/EC EMC Directive, compliant with:

•

EN 61000-6-4; Industrial Emissions

•

EN 61326-1; Meas./Control/Lab., Industrial Requirements

•

EN 61000-6-2; Industrial Immunity

•

EN61131-2; Programmable Controllers (Clause 8, Zone A & B)

Australian Radiocommunications Act, compliant with: AS/NZS CISPR 11;

Industrial Emissions

(1) When used with specified software versions and as described in the GuardLogix Controller Systems Safety

Reference Manual, publication 1756-RM093 .

See the Product Certification link at http://www.rockwellautomation.com/products/certification/ for

Declarations of Conformity, Certificates, and other certification details.



GuardLogix PFD and PFH

Specifications

Sensor

Safety-related systems can be classified as operating in either a low demand mode, or in a high demand/continuous mode. IEC 61508 quantifies this classification by stating that the frequency of demands for operation of the safety system is no greater than once per year in the low demand mode, or greater than once per year in high demand/continuous mode.

The Safety Integrity Level (SIL) value for a low demand safety-related system is directly related to order-of-magnitude ranges of its average probability of failure to satisfactorily perform its safety function on demand or, simply, probability of failure on demand (PFD). The SIL value for a high demand/continuous mode safety-related system is directly related to the probability of a dangerous failure occurring per hour (PFH).

PFD and PFH values are associated with each of the three primary elements making up a safety-related system (the sensors, the logic element, and the actuators). Within the logic element you also have input, processor, and output elements.

For PFD and PFH values and functional verification (proof) test

intervals for CIP Safety I/O modules, see Appendix E

,

Probability of

Failure on Demand (PFD) and Probability of Failure per Hour (PFH)

Data

.

1791DS-IB12

PFH Example


1791DS-IB4XOX4

LOOP 1 Logix5562S Logix55LSP

DeviceNet EtherNet

Actuator

Actuator

LOOP 2

Sensor

Sensor

1791DS-IB8XOB8



To determine the logic element PFH for each safety loop in the simple example system shown in the PFH Example, sum the PFH values for each component in the loop. The PFH Equations by Safety Loop table provides a simplified example of PFH value calculations for each safety loop shown in the PFH Example illustration.

PFH Equations by Safety Loop

For this loop Sum the PFH values of these components

Total PFH for loop 1 = 1791DS-IB12 + GuardLogix controller + 1791DS-IB4XOX4

Total PFH for loop 2 = 1791DS-IB8XOB8 + GuardLogix controller + 1791DS-IB4XOX4

When calculating PFH values, you must take into account the specific requirements of your application, including test intervals.

Safety Integrity Level (SIL)

Compliance Distribution and Weight

The GuardLogix controller and I/O system may conservatively be assumed to contribute 10% of the reliability burden. A SIL 3 system may need to incorporate multiple inputs for critical sensors and input devices, as well as dual outputs connected in series to dual actuators dependent on SIL assessments for the safety related system.

Reliability Burden

+V

10% of the PFD

40% of the PFD

Sensor

Sensor

Input

Module

Controller

Output

Module

Actuator

Actuator

50% of the PFD


System Reaction Time


The system reaction time is the amount of time from a safety-related event as an input to the system until the system sets corresponding outputs to their safe state. Faults within the system can also have an effect upon the reaction time of the system. The system reaction time is the sum of the following reaction times.

Sensor

Reaction

Time

+

Input

Reaction

Time

+

Safety Task

Reaction

Time

+

Output

Reaction

Time

+

Actuator

Reaction

Time

Each of the times listed above is variably dependent on factors such as the type of I/O module and instructions used in the program.

Safety Task Reaction Time

The Safety Task Reaction Time is the worst-case delay from any input change presented to the controller until the processed output is set by the output producer. It is less than or equal to the sum of the safety task period and the safety task watchdog.

Safety Task Period and Safety Task Watchdog

The safety task period is the interval at which the safety task executes.

The safety task watchdog time is the maximum permissible time for safety task processing. If safety task processing time exceeds the safety task watchdog time, a non-recoverable safety fault occurs in the controller and outputs transition to the safe state (off) automatically.

You define the safety task watchdog time, which must be less than or equal to the safety task period.

The safety task watchdog time is set in the task properties window of

RSLogix 5000 software. This value can be modified online, regardless of controller mode, but it cannot be changed when the controller is safety-locked or once a safety task signature is created.



Contact Information If

Device Failure Occurs

If you experience a failure with any SIL 3-certified device, contact your local Rockwell Automation distributor. With this contact, you can:

• return the device to Rockwell Automation so the failure is appropriately logged for the catalog number affected and a record is made of the failure.

• request a failure analysis (if necessary) to try to determine the cause of the failure.


Chapter

2

GuardLogix Controller System

Introduction

Topic

1756 GuardLogix Controller Hardware

1768 Compact GuardLogix Controller Hardware

CIP Safety Protocol

Safety I/O

Communication Bridges

Programming Overview

Page

23

25

25

25

26

28

For a brief listing of components suitable for use in Safety Integrity

Level (SIL) 3 applications, see the table on page 16 . For more detailed

and up-to-date information see http://www.rockwellautomation.com/products/certification/safety/ .

When installing a GuardLogix controller, follow the information in the

GuardLogix Controllers Installation Instructions, publication

1756-IN045 , or CompactLogix Controllers Installation Instructions, publication 1768-IN004 .

1756 GuardLogix Controller

Hardware

The 1756 GuardLogix controller consists of a primary controller, catalog number 1756-L61S, 1756-L62S, or 1756-L63S, and a safety partner, catalog number 1756-LSP. These two modules work in a 1oo2 architecture to create the SIL 3-capable controller. They are described in the following sections.

Both the primary controller and safety partner perform power-up and run-time functional diagnostic tests of all safety-related components in the controller.

Both also feature status indicators. For details on status indicator operation, refer to the GuardLogix Controllers User Manual, publication 1756-UM020 .

IMPORTANT

Status indicators are not reliable indicators for safety functions.

They should be used only for general diagnostics during commissioning or troubleshooting. Do not attempt to use status indicators to determine operational status.


Chapter 2 GuardLogix Controller System

24

Primary Controller

The primary controller is the processor that performs standard and safety control functions and communicates with the safety partner for safety-related functions in the GuardLogix control system. The primary controller consists of a central processor, I/O interface, and memory.

Safety Partner

To satisfy SIL 3 requirements, a safety partner, catalog number

1756-LSP, must be installed in the slot immediately to the right of the primary controller. The safety partner is a co-processor that provides redundancy for safety-related functions in the system.

The safety partner is configured by the primary controller. Only a single download of the user program to the primary controller is required. The safety partner’s operating mode is controlled by the primary controller.

Chassis

The 1756-A xx chassis provides the physical connections between modules and the 1756 GuardLogix system. Any failure, though unlikely, would be detected as a failure by one or more of the active components of the system. Therefore, the chassis is not relevant to the safety discussion.

Power Supplies

These ControlLogix power supplies are suitable for use in SIL 3 applications:

•

1756-PA72 ac power supply

•

1756-PA75 ac power supply

•

1756-PB72 dc power supply

•

1756-PB75 dc power supply

•

1756-PA75R ac power supply (redundant)

•

1756-PB75R dc power supply (redundant)

•

1756-PSCA or 1756-PSCA2 redundant power-supply chassis adapter (required for use with redundant power supplies)


GuardLogix Controller System Chapter 2

No extra configuration or wiring is required for SIL 3 operation of the

ControlLogix power supplies. Any failure would be detected as a failure by one or more of the active components of the GuardLogix system. Therefore, the power supply is not relevant to the safety discussion.

1768 Compact GuardLogix

Controller Hardware

The 1768 Compact GuardLogix controllers combine the primary and safety partner controllers in a single controller hardware package to form a SIL-3 capable controller. Compact GuardLogix controllers feature a 1768 backplane and a 1769 backplane to support standard

1769 I/O modules.

Controller Maximum 1768 Modules (local) Maximum 1769 I/O Modules

(local and remote)

1768-L43S 2

1768-L45S 4

16

30

The 1768 Compact GuardLogix controller is powered by a 1768-PA3 or 1768-PB3 power supply. A 1769-ECR end cap is also required.

CIP Safety Protocol

Safety I/O

Safety-related communication between GuardLogix controllers takes place via produced and consumed safety tags. These safety tags use the CIP Safety protocol, which is designed to preserve data integrity during communication.

For more information on safety tags, see Chapter 5 , Characteristics of

Safety Tags, the Safety Task, and Safety Programs

.

For information on CIP Safety I/O modules for use with GuardLogix

controllers, see Chapter 3

.



Communication Bridges

These communication interface modules are available to facilitate communication over Ethernet/IP, DeviceNet, and ControlNet networks via the CIP Safety protocol.

GuardLogix System

1756

1768

Communication Modules

•

1756-ENBT, 1756-EN2T, or 1756-EN2F EtherNet/IP bridge module

•


•

1756-DNB DeviceNet bridge module

•

1756-CN2 ControlNet bridge module

•

1756-CN2R Redundant ControlNet bridge module

•

1768-ENBT

•


•

1768-CNB

•

1768-CNBR

IMPORTANT

Due to the design of the CIP Safety control system, CIP safety bridge devices, like those listed in the table, are not required to be SIL 3-certified.

EtherNet/IP Network

Peer-to-peer safety communication between GuardLogix controllers is possible via the EtherNet/IP network through the use of 1756-ENBT,

1756-EN2T, or 1768-ENBT bridge modules. An EtherNet/IP bridge module lets the GuardLogix controller control and exchange safety data with CIP Safety I/O modules on an EtherNet/IP network.

Peer-to-peer Communication via 1756-ENBT Modules and the EtherNet/IP Network

Ethernet Switch

EtherNet/IP

Network

EtherNet/IP

Network

CIP Safety I/O Module


Controller B

Controller A



DeviceNet Network



GuardLogix Controller System Chapter 2

TIP

Peer-to-peer safety communication between two 1756

GuardLogix controllers in the same chassis is also possible via the backplane.

Backplane

DeviceNet Safety Network

The 1756-DNB DeviceNet bridge module lets the 1756 GuardLogix controller control and exchange safety data with CIP Safety I/O modules on a DeviceNet network.

DeviceNet Communication via a 1756-DNB Module

DeviceNet

Network



ControlNet Network

The 1756-CN2 or 1768-CNB module lets the GuardLogix controller produce and consume safety tags over ControlNet networks to other

GuardLogix processors or remote CIP Safety I/O networks.

ControlNet

Network

Controller A

Controller B



DeviceNet

Network

27


Programming Overview

The programming software for the GuardLogix controller is

RSLogix 5000 software.

RSLogix 5000 software is used to define the location, ownership, and configuration of I/O modules and controllers. The software is also used to create, test, and debug application logic. Initially, only relay ladder logic is supported in the GuardLogix safety task.

See

Appendix A for information on the set of logic instructions

available for safety applications.

Authorized personnel may change an application program, but only by using one of the processes described in

Editing Your Safety

Application

on page

63

.


Chapter

3

CIP Safety I/O for the GuardLogix Control

System

Introduction

Topic

Overview

Typical Safety Functions of CIP Safety I/O Modules

Reaction Time

Safety Considerations for CIP Safety I/O Modules

Page

29

29

31

31

Overview

Before operating a GuardLogix safety system containing CIP Safety

I/O modules, you must read, understand, and follow the installation, operation, and safety information provided in the publications listed in the

SIL 3-Certified GuardLogix Components tables on page 16 .

CIP Safety I/O modules can be connected to safety input and output devices, allowing these devices to be monitored and controlled by the

GuardLogix controller. For safety data, I/O communication is performed through safety connections using the CIP Safety protocol; safety logic is processed in the GuardLogix controller.

Typical Safety Functions of

CIP Safety I/O Modules

The following is treated as the safe state by CIP Safety I/O modules:

•

Safety outputs: OFF

•

Safety input data to controller: OFF

CIP Safety Network

Safety

Status

Safety Output, OFF

Safety

Input

Data

The CIP Safety I/O modules should be used for applications that are in the safe state when the safety output turns OFF.


Chapter 3 CIP Safety I/O for the GuardLogix Control System

Diagnostics

CIP Safety I/O modules perform self-diagnostics when the power is turned ON and periodically during operation. If a diagnostic failure is detected, safety input data (to the controller) and local safety outputs are set to their safe state (OFF).

Status Data

In addition to safety input and output data, CIP Safety I/O modules support status data to monitor module and I/O circuit health. Refer to your module’s product documentation for specific product capabilities.

Status Indicators

The CIP Safety I/O modules include status indicators. For details on status indicator operation, refer to the product documentation for your specific module.

On- or Off-delay Function

Some CIP Safety I/O modules may support On-delay and Off-delay functions for input signals. Depending upon your application, you may need to include Off-delay, On-delay, or both when calculating system reaction time.

See

Appendix C for information on system reaction time.


Reaction Time

CIP Safety I/O for the GuardLogix Control System Chapter 3

The input reaction time is the time from when the signal changes on an input terminal to when safety data is sent to the GuardLogix controller.

The output reaction time is the time from when safety data is received from the GuardLogix controller to when the output terminal changes state.

For information on determining the input and output reaction times, refer to the product documentation for your specific CIP Safety I/O module.

See Appendix C

for information on calculating the system reaction time.

Safety Considerations for

CIP Safety I/O Modules

You must commission all devices with a node or IP address and communication rate, if necessary, before their installation on a safety network.

Ownership

Each CIP Safety I/O module in a GuardLogix system is owned by one

GuardLogix controller. Multiple GuardLogix controllers and multiple

CIP Safety I/O modules can be used without restrictions in chassis or on networks as needed. When a controller owns an I/O module, it stores the module’s configuration data, as defined by the user. This controls how the modules operate in the system.

From a control standpoint, safety output modules can only be controlled by one controller. Each safety input module is also owned by a single controller; however safety input data can be shared

(consumed) by multiple GuardLogix controllers.

Safety I/O Configuration Signature

The configuration signature defines the module’s configuration. It can be read and monitored. The configuration signature is used to uniquely identify a module’s configuration. When using a GuardLogix controller, you do not have to monitor this signature. It is monitored automatically by the GuardLogix controller.



I/O Module Replacement

The replacement of safety devices requires that the replacement device be configured properly and that the replacement device’s operation be user-verified.

ATTENTION

During replacement or functional testing of a module, the safety of the system must not rely on any portion of the affected module.

Two options for I/O module replacement are available on the Safety tab of the Controller Properties dialog in RSLogix 5000 software:

•

Configure Only When No Safety Signature Exists

•

Configure Always

Safety I/O Replacement Options



CIP Safety I/O for the GuardLogix Control System Chapter 3

Configure Only When No Safety Signature Exists

This setting instructs the GuardLogix controller to configure a safety module only when the safety task does not have a safety task signature, and the replacement module is in an out-of-box condition, meaning that a safety network number does not exist in the safety module.

If the safety task has a safety task signature, the GuardLogix controller only configures the replacement CIP Safety I/O module if the module already has the correct safety network number, the module electronic keying is correct, and the node or IP Address is correct.

Configure Always

The GuardLogix controller will always attempt to configure a replacement CIP Safety I/O module if the module is in an out-of-box condition, meaning that a safety network number does not exist in the replacement safety module, and the node number and I/O module keying matches the controller’s configuration.

ATTENTION

Enable the Configure Always feature only if the entire routable

CIP Safety control system is not being relied on to maintain

SIL 3 behavior during the replacement and functional testing of a module.

If other parts of the CIP Safety control system are being relied upon to maintain SIL 3, make sure that the controller’s

Configure Always feature is disabled.

It is your responsibility to implement a process to make sure proper safety functionality is maintained during device replacement.

ATTENTION

Do not place any modules in the out-of-box condition on any CIP

Safety network when the Configure Always feature is enabled, except while following the module replacement procedure in the GuardLogix Controllers User Manual, publication

1756-UM020 , or the 1768 Compact GuardLogix Controllers User

Manual, publication 1768-UM002 .

33


Notes:


Chapter

4

CIP Safety and the Safety Network Number

Introduction

To understand the safety requirements of a CIP Safety control system, including the safety network number (SNN), you must first understand how communication is routable in CIP control systems.

Topic

The Routable CIP Safety Control System

Considerations for Assigning the Safety Network Number (SNN)

Page

35

38

The Routable CIP Safety

Control System

The CIP Safety control system represents a set of interconnected CIP

Safety devices. The routable system represents the extent of potential mis-routing of packets from an originator to a target within the CIP

Safety control system. The system is isolated such that there are no other connections into the system. For example, because the system below cannot be interconnected to another CIP Safety system through a larger, plant-wide Ethernet backbone, it illustrates the extent of a routable CIP Safety system.

CIP Safety System Example

Router/

Firewall

(1)

Switch Switch

SmartGuard

CIP Safety I/O

CIP Safety I/O CIP Safety I/O

CIP Safety I/O

CIP Safety I/O

CIP Safety I/O

(1) The router or firewall is set up to limit traffic.

CIP Safety I/O

CIP Safety I/O


Chapter 4 CIP Safety and the Safety Network Number

Unique Node Reference

The CIP Safety protocol is an end-node to end-node safety protocol.

The CIP Safety protocol allows the routing of CIP Safety messages to and from CIP Safety devices through non-certified bridges, switches, and routers.

To prevent errors in non-certified bridges, switches, or routers from becoming dangerous, each end node within a routable CIP Safety control system must have a unique node reference. The unique node reference is a combination of a safety network number (SNN) and the node address of the node.

Router/

Firewall

Switch

Safety Network Number

The safety network number (SNN) is assigned by software or by the user. Each CIP Safety network that contains Safety I/O nodes must have at least one unique SNN. Each ControlBus chassis that contains one or more safety devices must have at least one unique SNN. Safety network numbers assigned to each safety network or network sub-net must be unique.

TIP

More than one SNN can be assigned to a CIP Safety subnet or a

ControlBus chassis that contains more than one safety device.

However, for simplicity, we recommend that each CIP Safety subnet have one and only one unique SNN. This is also the case for each ControlBus chassis.

CIP Safety Example with More Than One SNN

Switch

36

CIP Safety I/O

CIP Safety I/O

SNN_2

SNN_1

CIP Safety I/O

CIP Safety I/O

SNN_4

SNN_3

CIP Safety I/O

CIP Safety I/O

SNN_6

SNN_5

SmartGuard

CIP Safety I/O

CIP Safety I/O

SNN_7


CIP Safety and the Safety Network Number Chapter 4

Each CIP Safety device must be configured with an SNN. Any device that originates a safety connection to another safety device must be configured with the SNN of the target device. If the CIP Safety system is in the start-up process prior to the functional safety testing of the system, the originating device may be used to set the unique node reference into the device.

The SNN used by the system is a 6-byte hexadecimal number. The

SNN can be set and viewed in one of two formats: time-based or manual. When the time-based format is selected, the SNN represents a localized date and time. When the manual format is selected, the SNN represents a network type and a decimal value from 1…9999.

SNN Formats


The assignment of a time-based SNN is automatic when creating a new GuardLogix safety controller project and adding new Safety I/O modules.

Manual manipulation of an SNN is required in the following situations:

•

If safety consumed tags are used.

•

If the project will consume safety input data from a module whose configuration is owned by some other safety device.

•

If a safety project is copied to a different hardware installation within the same routable CIP Safety system.

IMPORTANT

If you assign an SNN manually, take care to ensure that system expansion does not result in duplication of SNN and node address combinations.

37


Considerations for

Assigning the Safety

Network Number (SNN)

The assignment of the SNN is dependent upon factors including the configuration of the controller or CIP Safety I/O module.

Safety Network Number (SNN) for Safety Consumed Tags

When a safety controller that contains produced safety tags is added to the I/O Configuration tree, the SNN of the producing controller must be entered. The SNN may be copied from the producing controller’s project and pasted into the new controller being added to the I/O Configuration tree.

Refer to the GuardLogix Controllers User Manual, publication


Manual, publication 1768-UM002 , for information on how to copy and paste an SNN.

Safety Network Number (SNN) for Out-of-box Modules

Out-of-box CIP Safety I/O modules do not have an SNN. The SNN is set when a configuration is sent to the module by the GuardLogix controller that owns the module.

IMPORTANT

To add a CIP Safety I/O module to a configured GuardLogix system (the SNN is present in the GuardLogix controller), the replacement CIP Safety module should have the correct SNN applied before it is added to the CIP Safety network.

Safety Network Number (SNN) for Safety Module with a Different

Configuration Owner

When a CIP Safety I/O module is owned by a different GuardLogix controller (controller B), and then is added to another GuardLogix project (controller A project), RSLogix 5000 software assigns the SNN based on the current project. Since the current project (controller A project) is not the true configuration owner, you need to copy the original SNN (controller B project) into the configuration in controller

A’s project. This is easy to do with standard copy and paste commands. The result is that the CIP Safety I/O module produces data to two GuardLogix controllers at the same time. You can do this for a maximum of 16 controllers.


CIP Safety and the Safety Network Number Chapter 4



Manual, publication 1768-UM002 , for information on changing, copying, and pasting safety network numbers.

Safety Network Number (SNN) when Copying a Safety Project

ATTENTION

If a safety project is copied for use in another project with different hardware or in a different physical location, and the new project is within the same routable CIP Safety system, every SNN must be changed in the second system. SNN values must not be repeated.



Manual, publication 1768-UM002 , for information on changing the SNN.



Notes:


Chapter

5

Characteristics of Safety Tags, the Safety

Task, and Safety Programs

Introduction

This chapter explains how to use the standard and safety components of the GuardLogix system.

Topic

Differentiate Between Standard and Safety

SIL 2 Safety Applications

SIL3 Safety – the Safety Task

Safety Programs

Safety Routines

Safety Tags


Page

41

42

47

49

50

50

52

Differentiate Between

Standard and Safety

Because it is a Logix series controller, both standard

(non-safety-related) and safety-related components can be used in the

GuardLogix control system.

You can perform standard automation control from standard tasks within a GuardLogix project. 1756 GuardLogix controllers provide the same functionality as other 1756 ControlLogix series controllers. 1768

Compact GuardLogix controllers provide the same functionality as other 1768-L4 x CompactLogix controllers. What differentiates 1756 and 1768 GuardLogix controllers from standard controllers is that they provide a SIL 3-capable safety task.

However, a logical and visible distinction is required between the standard and safety-related portions of the application. RSLogix 5000 software provides this differentiation via the safety task, safety programs, safety routines, safety tags, and safety I/O modules. You can implement both SIL 2 and SIL 3 levels of safety control with the safety task of the GuardLogix controller.


Chapter 5 Characteristics of Safety Tags, the Safety Task, and Safety Programs

SIL 2 Safety Applications

You can perform SIL 2 safety control by using the 1756 or 1768

GuardLogix controller’s safety task.

Because 1756 GuardLogix controllers are part of the ControlLogix series of processors, you can perform SIL 2 safety control with a 1756

GuardLogix controller by using standard tasks or the safety task. This capability provides unique and versatile safety control options, since most applications have a higher percentage of SIL 2 safety functions than SIL 3 safety functions.

SIL 2 Safety Control in the Safety Task

The 1756 and 1768 GuardLogix safety task can be used to provide SIL

2 as well as SIL 3 safety functions. If SIL 3 safety functions need to be performed at the same time as SIL 2 safety functions, you must fulfill

the requirements defined in the SIL3 Safety – the Safety Task ,

Safety

Programs , and

Safety Routines sections of this chapter, as well as the

SIL 2 requirements listed in this section.

SIL 2 Safety Logic

From a GuardLogix safety control perspective, the biggest difference between SIL 2 and SIL 3 safety-rated devices is that SIL 2 is generally single-channel, while SIL 3 is typically dual-channel. When using safety-rated I/O, which is required by the safety task, SIL 2 safety can be single-channel, reducing system complexity.

IMPORTANT

If a combination of SIL 2 and SIL 3 safety functions are used at the same time within the safety task, you must prevent SIL 2 input signals from directly controlling SIL 3 safety functions.

This can be done by using specific safety task programs or routines to separate SIL 2 and SIL 3 safety functions.

Within the safety task, RSLogix 5000 software includes a set of safety-related ladder-logic instructions. In addition to these safety-rated ladder logic instructions, GuardLogix controllers feature application-specific SIL 3-rated safety instructions. All of these logic instructions may be used in Cat 1…4 and SIL 1…3 safety functions.

For SIL 2-only safety, a safety task signature is not required. However, if any SIL 3 safety functions are used within the safety task, a safety task signature is required.



Characteristics of Safety Tags, the Safety Task, and Safety Programs Chapter 5

Safety-locking the safety task once testing is completed is recommended for SIL 2 applications. Locking the safety task enables additional security features. You may also use FactoryTalk Security and RSLogix 5000 routine source protection to limit access to safety-related logic.

For more information on generating a safety task signature and safety-locking the safety task, refer to the GuardLogix Controllers User

Manual, publication 1756-UM020 , or the Compact GuardLogix

Controllers User Manual, publication 1768-UM002 .

SIL 2 Safety Inputs

CompactBlock Guard I/O (1791-series) and ArmorBlock Guard I/O

(1732-series) safety input modules support single-channel SIL 2 safety input circuits. Since these modules are also rated for SIL 3 operation, mixing SIL 2 and SIL 3 circuits on the same module is allowed, provided you follow these guidelines.

These two wiring examples show how to wire SIL 2 safety circuits to

Guard I/O safety input modules. These examples make use of onboard test sources (T0…T x) that are resident on all 1791 and 1732 safety input modules.

Input Wiring

I0 I1 T0 T1

Guard I/O modules group inputs in pairs to facilitate Cat 3, Cat 4, and

SIL 3 safety functions. For use in Cat 1, Cat 2, and SIL 2 safety functions, module inputs should still be used in pairs as illustrated.

Two SIL 2 safety functions are shown wired to inputs I0 and I1 using test sources T0 and T1, respectively.

Input Wiring in Pairs

I0 I1 T0 T1

43


For Cat 1, Cat 2, and SIL 2 safety functions, the Guard I/O safety modules need specific configurations within the GuardLogix project.

In this example, inputs 0, 1, 6, 7, 8, 9, 10, and 11 are part of a CAT 1,

2 or SIL 2 safety function. Inputs 2 and 3, as well as 4 and 5 are part of a CAT 3, CAT 4, or SIL 3 safety function.

Input Configuration

44

Field

Type

Value

Single

Discrepancy Time N/A

Point Mode Safety Pulse Test

Test Source Set values based on how the field device is physically wired to the module. To make sure the test source is properly enabled, open and view settings on the Test Output tab.

Input Delay Time User input based on field device characteristics.

IMPORTANT

The onboard pulse test outputs (T0…Tx) are typically used with field devices that have mechanical contacts. If a safety device that has electronic outputs is used (feeding safety inputs), they must have the appropriate safety ratings.

IMPORTANT

If you are using GuardLogix Safety Application Instructions, be sure to configure your safety input modules as single, not equivalent or complementary. These instructions provide all dual-channel functionality necessary for PLd (Cat. 3) or

PLe (Cat. 4) safety functions.

Refer to the GuardLogix Safety Application Instruction Set

Reference Manual, publication 1756-RM095 .




SIL 2 Safety Control in Standard Tasks (1756 GuardLogix

Controllers Only)

Because of the quality and amount of diagnostics built into the 1756

ControlLogix series of controllers, you can perform SIL 2 safety functions from within standard tasks. This is also true for 1756

GuardLogix controllers.

To perform SIL 2 safety control within a GuardLogix standard task, you must abide by requirements defined in the Using ControlLogix in

SIL 2 Applications Safety Reference Manual, publication 1756-RM001 .

IMPORTANT

You may not use the standard task in a 1768 Compact

GuardLogix controller for SIL-2 safety applications.

EN50156 Compliance With 1756 ControlLogix SIL 2 Safety Inputs in Dual-channel Configurations with 1756 GuardLogix Controllers

Dual-channel configuration is required for compliance in certain safety-related applications, including burner-related safety functions.

These examples provide guidelines for satisfying EN50156 SIL 2 dual-channel requirements.

SIL 2 Dual-channel Inputs (Standard Side of 1756 GuardLogix Controllers)

You must implement clear and easily-identifiable separation between both input channels and adhere to all existing SIL 2 requirements as defined in Using ControlLogix in SIL 2 Applications, publication

1756-RM001 .

Channel A Channel B

Ch0+

Ch0-

Ch0+

Ch0-

+

-

Voltage

Transmitter A

+

Voltage

Transmitter B

-

45


SIL 2 Input Data

Keep channel A and channel B input data separate at all times.

This example illustrates one method for separating channel A and channel B data in your application. Any logic processing that needs to occur must follow

ControlLogix SIL 2 guidelines.

IMPORTANT

Do not perform safety-specific functions within these routines.

Safety evaluation must be handled within the 1756 GuardLogix safety task.

Transferring SIL 2 Data Into the Safety Task

To transfer channel A and channel B SIL 2 safety data into the

GuardLogix safety task, use the safety tag mapping functionality in

RSLogix 5000 software. The tag names used here are for example purposes. Implement and follow naming conventions that are appropriate for your application.

46

TIP

To use the safety tag mapping feature, choose Map Safety Tags from the Logic menu in RSLogix 5000 software.

Safety Functions Within the 1756 GuardLogix Safety Task

Follow these guidelines for using SIL 2 and SIL 3 safety functions within the safety task:

IMPORTANT

You must not use SIL 2 data to directly control a SIL 3 output.

•

All available safety application instructions may be used.

•

SIL 3 safety input modules (that is , Guard I/O modules) may be used with single-channel configuration for SIL 2 safety functions.

•

Use of the safety task signature and safety-locking the application is recommended.



SIL 2 Outputs

Follow these guidelines for SIL 2 outputs:

•

Guard I/O output modules used for SIL 2 safety outputs must be configured for dual-channel operation.

•

All Guard I/O output modules are approved for use in SIL 2 applications.

– 1732DS-IB8XOBV4

– 1791DS-IB8XOBV4, 1791ES-IB8XOBV4

– 1791DS-IB4XOW4

– 1791DS-IB8XOB8

– 1734-OB8S

IMPORTANT

You cannot use Flex or 1756 output modules in EN 50156

SIL 2 applications.

SIL3 Safety – the Safety

Task

Creation of a GuardLogix project automatically creates a single safety task. The safety task has these additional characteristics:

•

GuardLogix controllers are the only controllers that support the safety task.

•

The safety task cannot be deleted.

•

GuardLogix controllers support a single safety task.

•

Within the safety task, you can schedule multiple safety programs composed of multiple safety routines.

•

You cannot schedule or execute standard routines from within the safety task.

The safety task is a periodic timed task with a user-selectable task priority and watchdog. In most cases, it is the controller’s top priority and the user-defined program watchdog must be set to accommodate fluctuations in the execution of the safety task.



Safety Task Limitations

You specify both the safety task period and the safety task watchdog.

The safety task period is the period at which the safety task executes.

The safety task watchdog is the maximum time allowed from the start of safety task scheduled execution to its completion.

For more information on the safety task watchdog, see

Appendix C

,

Reaction Times

.

The safety task period is limited to a maximum of 100 ms and cannot be modified online. Make sure that the safety task has enough time to finish before it is triggered again. Safety task watchdog timeout, a non-recoverable safety fault in the GuardLogix controller, occurs if the safety task is triggered while it is still executing from the previous trigger.

See

Chapter 7 , Monitor Status and Handle Faults

, for more information.

Safety Task Execution Details

The safety task executes in the same manner as standard periodic tasks, with the following exceptions:

•

The safety task does not begin executing until the primary controller and safety partner have established their control partnership and the coordinated system time (CST) is synchronized. However, standard tasks begin executing as soon as the controller transitions to Run mode.

•

Although the configurable range of the requested packet interval

(RPI) for safety inputs and safety consumed tags is 1…100 ms, safety input tags and safety-consumed tags are updated only at the beginning of safety task execution. This means that even though the I/O RPI can be faster than the safety task period, the data does not change during safety task execution. The data is read only once at the beginning of the safety task execution.



•

Safety input values are frozen at the start of safety task execution. As a result, timer-related instructions, such as TON and TOF, will not update during a single safety task execution.

They will keep accurate time from one task execution to another, but the accumulated time will not change during safety task execution.

ATTENTION

This behavior differs from standard Logix task execution, but is similar to PLC or SLC behavior.

•

For standard tags that are mapped to safety tags, the standard tag values are copied into safety memory at the start of the safety task and do not change during safety task execution.

•

Safety output tag (output and produced) values are updated at the conclusion of safety task execution

•

The safety task responds to mode changes (for example, Run to

Program or Program to Run) at timed intervals. As a result, the safety task may take more than one task period, but always less than two, to make a mode transition.

IMPORTANT

While safety-unlocked and without a safety task signature, the controller prevents simultaneous write access to safety memory from the safety task and communication commands.

As a result, the safety task can be held off until a communication update completes. The time required for the update varies by tag size. Therefore, safety connection and/or safety watchdog timeouts could occur. (For example, if you make online edits when the safety task rate is set to 1 ms, a safety watchdog timeout could occur.)

To compensate for the hold-off time due to a communication update, add 2 ms to the safety watchdog time.

When the controller is safety-locked or a safety task signature exists, the situation described in this note cannot occur.

Safety Programs


A safety program has all the attributes of a standard program, except that it can be scheduled only in the safety task. A safety program may also define program-scoped safety tags. A safety program may be scheduled or unscheduled.

A safety program can contain only safety components. All of the routines in a safety program are safety routines. A safety program cannot contain standard routines or standard tags.

49


Safety Routines

Safety routines have all the attributes of standard routines, except that they can exist only in safety programs. One safety routine may be designated as the main routine. Another safety routine may be designated as the fault routine. Only safety-certified instructions may be used in safety routines.

For a listing of safety instructions, see

Appendix A .

ATTENTION

To preserve SIL 3, you must make sure that your safety logic does not attempt to read or write standard tags.

Safety Tags

50

The GuardLogix control system supports the use of both standard and safety tags in the same project. However, the programming software operationally differentiates standard tags from safety tags.

Safety tags have all the attributes of standard tags with the addition of mechanisms to provide SIL 3 data integrity.

Valid Data Types for Safety Tags

•

AUX_VALVE_CONTROL

•

BOOL

•

CAM_PROFILE

•

CAMSHAFT_MONITOR

•

DIVERSE_INPUT

•

MUTING_FOUR_SENSOR_BIDIR

•

EIGHT_POS_MODE_SELECTOR

•

MUTING_TWO_SENSOR_ASYM

•

EMERGENCY_STOP

•

ENABLE_PENDANT

•

•

MUTING_TWO_SENSOR_SYM

MOTION_INSTRUCTION

•

CB_CONTINUOUS_MODE

•

EXT_ROUTINE_CONTROL

•

PHASE

•

CB_CRANKSHAFT_POS_MONITOR

•

EXT_ROUTINE_PARAMETERS

•

PHASE_INSTRUCTION

•

CB_INCH_MODE

•

CB_SINGLE_STROKE_MODE

•

•

FBD_BIT_FIELD_DISTRIBUTE

FBD_CONVERT

•

•

REDUNDANT_INPUT

REDUNDANT_OUTPUT

•

CONFIGURABLE_ROUT

•

CONNECTION_STATUS

•

CONTROL

•

COUNTER

•

DCI_MONITOR

•

DCI_START

•

DCI_STOP

•

DCI_STOP_TEST

•

DCI_STOP_TEST_LOCK

•

DCI_STOP_TEST_MUTE

•

DINT

•

FBD_COUNTER

•

FBD_LOGICAL

•

FBD_MASK_EQUAL

•

FBD_MASKED_MOVE

•

FBD_TIMER

•

FIVE_POS_MODE_SELECTOR

•

SINT

•

INT

•

LIGHT_CURTAIN

•

MAIN_VALVE_CONTROL

•

MANUAL_VALVE_CONTROL

•

SAFETY_MAT

•

SERIAL_PORT_CONTROL

•

SFC_ACTION

•

SFC_STEP

•

SFC_STOP

•

•

STRING

THRS_ENHANCED

•

TIMER

•

TWO_HAND_RUN_STATION

IMPORTANT

Aliasing between standard and safety tags is prohibited in safety applications.



Tags classified as safety tags are either controller-scoped or program-scoped. Controller-scoped safety tags can be read by either standard or safety logic or other communication devices, but can only be written to by safety logic or another GuardLogix safety controller.

Program-scoped safety tags are only accessible by local safety routines. These are routines that reside within the safety program.

Tags associated with Safety I/O and produced or consumed safety data must be controller-scoped safety tags.

IMPORTANT

Any controller-scoped safety tag is readable by any standard routine, but the update rate is based on the execution of the safety task. This means that safety tags are updated at the safety task periodic rate, which is different from standard tag behavior.

Standard Tags in Safety Routines (Tag Mapping)

Controller-scoped standard tags can be mapped into safety tags, providing you with a mechanism to synchronize standard and safety actions.

ATTENTION

When using standard data in a safety routine, you are responsible for providing a reliable means of ensuring that the data is used in an appropriate manner. Using standard data in a safety tag does not make it safety data. You must not directly control a safety output with standard tag data.

This example illustrates how to qualify the standard data with safety data.

Qualify Standard Data with Safety Data


MappedBooleanTag LatchOneShot

ONS

Node30ComboModule:I.Pt07Data

Node30ComboModule:O.Pt03Data

Node30ComboModule:O.Pt03Data

Safety Input Qualifier for Mapped Tag

Latch circuit to prevent automatic restart if the standard input (MappedTag) is failed in a ‘stuck at 1’ state.

Safety Output

51



Resource

Logix5000 Controllers Design

Considerations Reference Manual, publication 1756-RM094

GuardLogix Controllers User Manual, publication 1756-UM020

1768 Compact GuardLogix Controllers User

Manual, publication 1768-UM002

Description

Provides information on managing tasks and the effects of task execution and timing on user data

Contains information on how to map tags

Contains information on how to map tags


Chapter

6

Safety Application Development

Introduction

Safety Concept

Assumptions

Topic

Safety Concept Assumptions

Basics of Application Development and Testing

Commissioning Life Cycle

Downloading the Safety Application Program

Uploading the Safety Application Program

Online Editing

Storing and Loading a Project from Nonvolatile Memory

Force Data

Inhibit a Module

Editing Your Safety Application

Page

53

53

54

61

61

61

62

62

63

63

The safety concept assumes that:

• if you are responsible for creating, operating, and maintaining the application, you are fully qualified, specially trained, and experienced in safety systems.

• you apply the logic correctly, meaning that programming errors can be detected. Programming errors can be detected by strict adherence to specifications, programming and naming rules.

• you perform a critical analysis of the application and use all possible measures to detect a failure.

• you confirm all application downloads via a manual check of the safety task signature.

• you perform a complete functional test of the entire system before the operational startup of a safety-related system.

Basics of Application

Development and Testing


The application program for the intended SIL 3 system should be developed by the system integrator or a user trained and experienced in safety applications. The developer must follow good design practices:

•

Use functional specifications, including flow charts, timing diagrams and sequence charts.

•

Perform a program review.

•

Perform program validation.

53

Chapter 6 Safety Application Development

Commissioning Life Cycle

The flowchart below shows the steps required for commissioning a

GuardLogix system. The items in bold text are explained in the following sections.

Commission the System

Specify the Control Function

Create Project

Online

Create Project

Offline

Test the Application

Program

Attach to Controller and Download

Generate Safety Task Signature

Make required modifications

Project Verification Test

No

Delete Safety Task

Signature

Tests

Passed?

Yes

Confirm the Project

Record Safety Task

Signature

Fill out the Safety Checklists in

Appendix D

Safety Validation (Independent Review)

Project

Valid?

Yes

Lock the Controller / End

No



Safety Application Development Chapter 6

Specification of the Control Function

You must create a specification for your control function. Use this specification to verify that program logic correctly and fully addresses your application’s functional and safety control requirements. The specification may be presented in a variety of formats, depending on your application. However, the specification must be a detailed description that includes (if applicable):

• sequence of operations.

• flow and timing diagrams.

• sequence charts.

• program description.

• program print out.

• written descriptions of the steps with step conditions and actuators to be controlled. This includes:

– input definitions.

– output definitions.

– I/O wiring diagrams and references.

– theory of operation.

• matrix or table of stepped conditions and the actuators to be controlled, including the sequence and timing diagrams.

• definition of marginal conditions, for example, operating modes and EMERGENCY STOP.

The I/O portion of the specification must contain the analysis of field circuits, that is, the type of sensors and actuators.

•

Sensors (Digital or Analog)

– Signal in standard operation (dormant current principle for digital sensors, sensors OFF means no signal)

– Determination of redundancies required for SIL levels

– Discrepancy monitoring and visualization, including your diagnostic logic

•

Actuators

– Position and activation in standard operation (normally OFF)

– Safe reaction/positioning when switching OFF or power failure

– Discrepancy monitoring and visualization, including your diagnostic logic

55


Create the Project

The logic and instructions used in programming the application must be:

• easy to understand.

• easy to trace.

• easy to change.

• easy to test.

All logic should be reviewed and tested. Keep safety-related logic and standard logic separate.

Label the Program

The application program is clearly identified by one of the following:

•

Name

•

Date

•

Revision

•

Any other user identification

Test the Application Program

This step consists of any combination of Run and Program mode, online or offline edits, upload and download, and informal testing that is required to get an application running properly.



Generate the Safety Task Signature

The safety task signature uniquely identifies each project, including its logic, data, and tags. The safety task signature is composed of an ID

(identification number), date, and time.

You can generate the safety task signature if all of the following conditions are true:

•

RSLogix 5000 software is online with the controller.

•

The controller is in program mode.

•

The controller is safety-unlocked.

•

The controller has no safety forces or pending online safety edits.

•

The safety task status is OK.

Once application program testing is complete, you must generate the safety task signature. The programming software automatically uploads the safety task signature after it is generated.

IMPORTANT

To verify the integrity of every download, you must manually record the safety task signature after initial creation and check the safety task signature after every download to make sure that it matches the original.

You can delete the safety task signature only when the GuardLogix controller is safety-unlocked and, if online, the keyswitch is in the

REM or PROG position.

When a safety task signature exists, the following actions are not permitted within the safety task:

•

Online or offline programming or editing of safety components

•

Forcing Safety I/O

•

Data manipulation (except through routine logic or another

GuardLogix controller)



To check the application program for adherence to the specification, you must generate a suitable set of test cases covering the application.

The set of test cases must be filed and retained as the test specification.

57


58

You must include a set of tests to prove the validity of the calculations

(formulas) used in your application logic. Equivalent range tests are acceptable. These are tests within the defined value ranges, at the limits, or in invalid value ranges. The necessary number of test cases depends on the formulas used and must comprise critical value pairs.

Active simulation with sources (field devices) must also be included, since it is the only way to verify that the sensors and actuators in the system are wired correctly. Verify the operation of programmed functions by manually manipulating sensors and actuators.

You must also include tests to verify the reaction to wiring faults and network communication faults.

Project verification includes required functional verification tests of fault routines, input and output channels, to ensure that the safety system operates properly.

To perform a functional verification test on the GuardLogix controller, you must perform a full test of the application. You must toggle each sensor and actuator involved in every safety function. From a controller perspective, this means toggling the I/O point going into the controller, not necessarily the actual activators. Be sure to test all shutdown functions, since these functions are not typically exercised during normal operation. Also, be aware that a functional verification test is only valid for the specific application tested. If the controller is moved to another application, you must also perform startup and functional verification testing on the controller in the context of its new application.

See

Functional Verification Tests on page 14 for more information.


You must print or view the project, and manually compare the uploaded Safety I/O and controller configurations, safety data, and safety task program logic to make sure that the correct safety components were downloaded, tested, and retained in the safety application program.

If your application program contains a safety Add-On Instruction that has been sealed with an instruction signature, you must also compare the instruction signature, date/time, and safety instruction signature to the values you recorded when you sealed the Add-On Instruction.

See

Appendix B, Safety Add-On Instructions

for information on creating and using safety Add-On Instructions in SIL 3 applications.




The steps below illustrate one method for confirming the project.

1. With the controller in Program mode, save the project.

2. Answer Yes to the Upload Tag Values prompt.

3. With RSLogix 5000 software offline, save the project with a new name, such as Offlineprojectname.ACD, where projectname is the name of your project.

This is the new tested master project file.

4. Close the project.

5. Move the original project archive file out of this directory.

You can delete this file or store it in an archival location. This step is required because if RSLogix 5000 software finds the projectname.ACD in this directory, it will correlate it with the controller project and will not perform an actual upload.

6. With the controller still in Program mode, upload the project from the controller.

7. Save the uploaded project as Onlineprojectname.ACD, where projectname is the name of your project.

8. Answer Yes to the Upload Tag Values prompt.

9. Invoke another instance of RSLogix 5000 software and open the project named Offlineprojectname.ACD.

10. Use the two instances of RSLogix 5000 software to compare the following:

•

All of the properties of the GuardLogix controller and CIP

Safety I/O modules

•

All of the properties of the safety task, safety programs and safety routines

•

All of the logic in the safety routines

TIP

RSLogix 5000 software features a Program Compare utility that may be helpful in identifying changed safety components, but it must not be used in place of a manual compare. (Compare the offlineprojectname.acd to onlineprojectname.acd.)

59


Safety Validation

An independent, third-party review of the safety system may be required before the system is approved for operation. An independent, third-party certification is required for IEC 61508 SIL 3.

Lock the GuardLogix Controller

The GuardLogix controller system can be safety-locked to protect safety control components from modification. The safety-lock feature applies only to safety components, such as the safety task, safety programs, safety routines, safety tags, safety Add-On Instructions, safety I/O, and safety task signature. However, safety-locking alone does not satisfy SIL 3 requirements.

No aspect of safety can be modified while the controller is in the safety-locked state. When the controller is safety-locked, the following actions are not permitted in the safety task:

•

Online or offline programming or editing

•

Forcing safety I/O

•

Data manipulation (except through routine logic or another

GuardLogix controller)

•

Creating or editing safety Add-On Instructions

•

Generating or deleting the safety task signature

The default state of the controller is safety-unlocked. You may place the safety application in a safety-locked state regardless of whether you are online or offline, and regardless of whether you have the original source of the program. However, no safety forces or pending safety edits may be present. Safety-locked or -unlocked status cannot be modified when the keyswitch is in the RUN position.

To provide an additional layer of protection, separate passwords may be used for safety-locking or -unlocking the controller. Passwords are optional.



Downloading the Safety

Application Program

Upon download, full application testing is required unless a safety task signature exists.

IMPORTANT

To verify the integrity of every download, you must manually record the safety task signature after initial creation and check the safety task signature after every download to make sure that it matches the original.

Downloads to a safety-locked GuardLogix controller are allowed only if the safety task signature, the hardware series, and the OS version of the offline project all match those contained in the target GuardLogix controller and the controller’s safety task status is OK.

IMPORTANT

If the safety task signature does not match and the controller is safety-locked, you must unlock the controller to download.

Downloading to the controller deletes the safety task signature.

As a result, you must re-validate the application.

Uploading the Safety

Application Program

Online Editing

If the GuardLogix controller contains a safety task signature, the safety task signature will be uploaded with the project. This means that any changes to offline safety data will be overwritten as a result of the upload.

If there is no safety task signature and the controller is safety-unlocked, you can perform online edits to your safety routines.

TIP

You cannot edit standard or safety Add-On Instructions while online.

Pending edits cannot exist when the controller is safety-locked or when there is a safety task signature. Online edits may exist when the controller is safety-locked. However, they may not be assembled or cancelled.

TIP

Online edits in standard routines are unaffected by the safety-locked or -unlocked state.

See page

63

for more information on making edits to your application program.



Storing and Loading a

Project from Nonvolatile

Memory

In version 18 or later, GuardLogix controllers support firmware upgrades and user program storage and retrieval by using a

CompactFlash card. In a 1756 GuardLogix system, only the primary controller uses a CompactFlash card for nonvolatile memory.

When you store a safety application project on a CompactFlash card,

Rockwell Automation recommends you select Remote Program as the

Load Mode, that is, the mode the controller should enter following the load. Prior to actual machine operation, operator intervention is required to start the machine.

You can only initiate a load from nonvolatile memory:

• if the controller type specified by the project stored in nonvolatile memory matches your controller type.

• if the major and minor revisions of the project in nonvolatile memory matches the major and minor revisions of your controller.

• if your controller is not in Run mode.

Loading a project to a safety-locked controller is allowed only when the safety task signature of the project stored in nonvolatile memory matches the project on the controller. If the signatures do not match or the controller is safety-locked without a safety task signature, you must first unlock the controller before attempting to update the controller via nonvolatile memory.

IMPORTANT

If you unlock the controller and initiate a load from nonvolatile memory, the safety-lock status, passwords, and safety task signature will be set to the values contained in nonvolatile memory once the load is complete.

Force Data

All data contained in an I/O, produced, or consumed safety tag, including CONNECTION_STATUS, can be forced while the project is safety-unlocked and no safety task signature exists. However, forces must be uninstalled, not just disabled, on all safety tags before the safety project can be safety-locked or a safety task signature can be generated. You cannot force safety tags while the project is safety-locked or when a safety task signature exists.

TIP

You can install and uninstall forces on standard tags regardless of the safety-locked or -unlocked state.


Inhibit a Module


You cannot inhibit or uninhibit Safety I/O modules or producer controllers if the application is safety-locked or a safety task signature exists.

Follow these steps to inhibit a specific Safety I/O module.

1. In RSLogix 5000 software, right-click the module and choose

Properties.

2. On the Module Properties dialog, click the Connection tab.

3. Check Inhibit Connection and click Apply.

The module is inhibited whenever the checkbox is checked. If a communication module is inhibited, all downstream modules are also inhibited.

Editing Your Safety

Application


The following rules apply to changing your Safety application in

RSLogix 5000 software:

•

Only authorized, specially-trained personnel can make program edits. These personnel should use all supervisory methods available, for example, using the controller keyswitch and software password protections.

•

When authorized, specially-trained personnel make program edits, they assume the central safety responsibility while the changes are in progress. These personnel must also maintain safe application operation.

•

When editing online, you must use an alternate protection mechanism to maintain the safety of the system.

•

You must sufficiently document all program edits, including:

– authorization.

– impact analysis.

– execution.

– test information.

– revision information.

63


•

If online edits exist only in the standard routines, those edits are not required to be validated before returning to normal operation.

•

You must ensure that changes to the standard routine, with respect to timing and tag mapping, are acceptable to your safety application.

•

You can edit the logic portion of your program while offline or online, as described in the following sections.

Performing Offline Edits

When offline edits are made to only standard program elements, and the safety task signature matches following a download, you can resume operation.

When offline edits affect the safety program, you must revalidate the entire application before resuming operation.

The flowchart on page 65 illustrates the process for offline editing.

Performing Online Edits

If online edits affect the safety program, you must revalidate the entire application before resuming operation. The flowchart on page

65

illustrates the process for online editing.

TIP

Limit online edits to minor program modifications such as setpoint changes or logic additions, deletions, and modifications.

Online edits are affected by the safety-lock and safety task signature features of the GuardLogix controller.

See

Generate the Safety Task Signature

on page

57

and Lock the

GuardLogix Controller on page 60 for more information.

For detailed information on how to edit ladder logic in RSLogix 5000 software while online, see the Logix5000 Controllers Quick Start, publication 1756-QS001 .



Edit Your Project

Online and Offline Edit Process

Online Edit Offline Edit

Open Project

No

Make Desired

Modifications to

Standard Logic

Attach to Controller and

Download

Test the Application

Program

Confirm the Project

Any Safety

Changes?

Yes

Unlock the Controller

Delete Safety

Application Signature

Make Desired

Modifications to Safety

Logic

Attach to Controller and

Download

END

Attach to Controller

Any Safety

Changes?

Yes

Unlock the Controller

Delete Safety


Make Desired

Modifications


Program

Generate Safety Task Signature

No

Project Verification Test

Make Desired

Modifications to

Standard Logic


Make Required

Modifications

Program

END

Tests

Passed?

Yes

Confirm the Project

No Delete Safety


Record Safety


Safety Validation

(Independent Review)

No

Project

Valid?

Yes

Lock the Controller

END



Notes:


Chapter

7

Monitor Status and Handle Faults

Introduction

The GuardLogix architecture provides you with many ways of detecting and reacting to faults in the system. The first way that you can handle faults is to make sure you have completed the checklists

for your application (see Appendix D ).

Topic

Monitoring System Status

GuardLogix System Faults

Page

67

74

Monitoring System Status

To monitor system status, you can view the status of safety tag connections. You can also determine current operating status by interrogating various device objects. It is your responsibility to determine what data is most appropriate to initiate a shutdown sequence.

CONNECTION_STATUS Data

The first member of the tag structure associated with safety input data and produced/consumed safety tag data contains the status of the connection. This member is a pre-defined data type called

CONNECTION_STATUS.


Chapter 7 Monitor Status and Handle Faults

68

The CONNECTION_STATUS data type contains RunMode and

ConnectionFaulted status bits. The following table describes the combinations of the RunMode and ConnectionFaulted states.

Safety Connection Status

RunMode

Status

1 = Run

0 = Idle

0 = Idle

1

ConnectionFaulted

Status

0 = Valid

0 = Valid

1 = Faulted

1

Safety Connection Operation

Data is actively being controlled by the producing device. The producing device is in Run mode.

The connection is active and the producing device is in the Idle state. The safety data is reset to zero.

The safety connection is faulted. The state of the producing device is unknown. The safety data is reset to zero.

Invalid state.

ATTENTION

Safety I/O connections and produced/consumed connections cannot be configured to fault the controller if a connection is lost and the system transitions to the safe state. Therefore, if you need to detect a module fault to ensure that the system maintains SIL 3, you must monitor the Safety I/O

CONNECTION_STATUS bits and initiate the fault via program logic.

Input and Output Line Conditioning

I/O modules provide pulse test and monitoring capabilities. If the module detects a failure, it sets the offending input or output to its safety state and reports the failure to the controller. The failure indication is made via input or output status and is maintained for a configurable amount of time after the failure is repaired.

IMPORTANT

You are responsible for providing application logic to latch these I/O failures and to make sure the system restarts properly.

I/O Module Connection Status

The safety protocol portion of the controller’s operating system provides status for each I/O module in the safety system. If an input connection failure is detected, the operating system sets all associated


Monitor Status and Handle Faults Chapter 7 inputs to their de-energized (safety) state, and the associated input status to faulted. If an output connection failure is detected, the operating system sets the associated output status to faulted. The output module de-energizes the outputs.

IMPORTANT

You are responsible for providing application logic to latch these I/O failures and to make sure the system restarts properly.

De-energize to Trip System

GuardLogix controllers are part of a de-energize to trip system, which means that zero is the safety state. All inputs and outputs are set to zero when a fault is detected. As a result, any inputs being monitored by one of the diverse input instructions (Diverse Inputs or Two-hand

Run Station) should have normally-closed inputs conditioned by logic similar to the logic in Rung 4 of

Ladder Logic Example 2 and

Ladder

Logic Example 3 on pages

72

and 73 . The exact logic required is both

application and input-module dependent. However, the logic must create a safety state of 1 for the normally-closed input of the diverse input instructions.


Use Connection Status Data to Initiate a Fault Via Program Logic

The following diagrams provide examples of the application logic required to latch and reset I/O failures. The examples show the logic necessary for input only modules, as well as input and output combination modules. The examples use a feature of the I/O modules called Combined Status, which presents the status of all of the input channels in a single boolean variable. Another boolean variable represents the status of all the output channels. This approach reduces the amount of I/O conditioning logic required and forces the logic to shut down all input or output channels on the affected module.

Use the

Input Fault Latch and Reset Flow Chart

on page

70

to determine which rungs of logic are required for different application situations.

Ladder Logic Example 1 shows logic that overwrites the

actual input tag variables while a fault condition exists. If the actual input state is required for troubleshooting while the input failure is

latched, use the logic shown in Ladder Logic Example 2 . This logic

uses internal tags that represent the inputs to be used in the application logic. While the input failure is latched, the internal tags are set to their safety state. While the input failure is not latched, the actual input values are copied to the internal tags.

69


Use the Output Fault Latch and Reset Flowchart

to determine which

rungs of application logic in Ladder Logic Example 3

on page

73

are required.

Input Fault Latch and Reset Flow Chart

Start

No

Does this safety function require operator intervention after a safety input failure?

Yes

No

Are the inputs used to drive safety application instructions?

Yes

Can Circuit Reset be used for operator intervention?

Yes

Make sure you select

Manual Reset for the safety application instruction.

No

Write logic to latch input failure.

(Example Rung 0) Yes

Is input fault information required for diagnostic purposes?

No Write logic to set inputs to safety state. (Example Rungs 2 and 3)

Write logic to latch input failure.

(Example Rung 0)

Write logic to unlatch input failure. (Example Rung 1)

No Are any inputs used in an instruction with diverse inputs?

(DIN or THRS)

Yes

Write logic to set safety state value when input is faulted. (Example Rung 4)

Done


Monitor Status and Handle Faults Chapter 7

Ladder Logic Example 1

Node 30 is an 8-point input/8-point output combination module.

Node 31 is a 12-point input module.

0

If the input status is not OK, then latch the inputs faulted indication.

Node30:I.InputStatus

/

Node31:I.CombinedStatus

/

Node30InputsFaulted

L

Node31InputsFaulted

L

1

If the raising edge of the fault reset signal is detected and the input status is OK, then unlatch the inputs faulted indication.

FaultReset InputFaultResetOneShot

ONS



Node30InputsFaulted

U

Node31InputsFaulted

U

2

If the inputs are faulted, then overwrite the input tags with safety state values.

Node30InputsFaulted Node30:I.Pt00Data

U

Node30:I.Pt01Data

U

Node30:I.Pt07Data

U

3

If the inputs are faulted, then overwrite the input tags with safety state values.


U

Node31:I.Pt01Data

U

Node31:I.Pt11Data

U

4

If the inputs faulted indication is true, then set the Diverse input values to their safety state (1).


L

Node30:I.Pt03Data

L





Node 31 is a 12-point input module.

0

If the input status is not OK, then latch the inputs faulted indication.


/


/

Node30InputsFaulted

L

Node31InputsFaulted

L

1



ONS



Node30InputsFaulted

U

Node31InputsFaulted

U

2

If the inputs are not faulted, then write the input tag values to the internal representations of the inputs.

Node30InputsFaulted

/

Node30:I.Pt00Data Node30Input00

Node30:I.Pt01Data

Node30Input01

Node30:I.Pt07Data

Node30Input07

3

If the inputs are not faulted, then write the input tag values to the internal representations of the inputs.

Node31InputsFaulted

/

Node31:I.Pt00Data Node31Input00

Node31:I.Pt01Data

Node31Input01

Node31:I.Pt11Data

Node31Input11

4

If the inputs faulted indication is true, then set the internal representations of the Diverse inputs to their safety state (1).

Node30InputsFaulted Node31Input01

L

Node31Input03

L



Output Fault Latch and Reset Flowchart

Start

Does this safety function require operator intervention after a safety output failure?

Yes

Write logic to latch output failure. (Example Rung 0)

Write logic to set outputs to a safety state. (Example Rung 2)

No

Yes

Is output fault information required for diagnostic purposes?

No

Write logic to latch output failure. (Example Rung 0)

Write logic to unlatch output failure (Example Rung 1)

Done



0

If the output status is not OK, then latch the output faulted indication.

Node30:I.OutputStatus

/

Node30OutputsFaulted

L

1



ONS

Node30:I.OutputStatus


U

2


/

RedundantOutputTag.O1 Node30:O.Pt00Data

RedundantOutputTag.O2

Node30:O.Pt01Data



Get System Value (GSV) and Set System Value (SSV) Instructions

The GSV and SSV instructions let you get (GSV) and set (SSV) controller system data stored in device objects. When you enter a

GSV/SSV instruction, the programming software displays the valid object classes, object names, and attribute names for each instruction.

Restrictions exist for using the GSV and SSV instructions with safety components.

IMPORTANT

The safety task cannot perform GSV or SSV operations on standard attributes.

The attributes of safety objects that can be written by the standard task are for diagnostic purposes only. They do not affect safety task execution.


Resource


1768 Compact GuardLogix Controllers

User Manual, publication 1768-UM002

Logix5000 Controllers General

Instructions Reference Manual, publication 1756-RM003

Description

Provides information on which safety attributes are accessible via GSV and SSV instructions

Contains more information on using GSV and

SSV instructions

GuardLogix System Faults

Faults in the GuardLogix system fall into these three categories:

•

Nonrecoverable controller faults

•

Nonrecoverable safety faults

•

Recoverable faults

For information on handling faults, refer to the GuardLogix Controllers

User Manual, publication 1756-UM020 , or the 1768 Compact

GuardLogix Controllers User Manual, publication 1768-UM002 .




Nonrecoverable Controller Faults

A nonrecoverable controller fault occurs if the controller’s internal diagnostics fail. Partnership is lost when a nonrecoverable controller fault occurs in either the primary controller or the safety partner, causing the other to generate a nonrecoverable watchdog timeout fault. Standard task and safety task execution stops, and Safety I/O transitions to the safe state.

Recovery from a nonrecoverable controller fault requires a download of the application program.

Nonrecoverable Safety Faults

In the event of a non-recoverable safety fault, the controller logs the fault to the controller-scoped fault handler and shuts down the safety task, including Safety I/O and safety logic.

To recover from a nonrecoverable safety fault, safety memory is reinitialized either from the safety task signature (happens automatically when you clear the fault) or, if no safety task signature exists, via an explicit download of the safety project.

You can override the safety fault by clearing the fault log entry through the controller-scoped safety fault handler. This allows standard tasks to keep running.

ATTENTION

Overriding the safety fault does not clear it. If you override the safety fault, it is your responsibility to prove that doing so maintains SIL 3.

75


Recoverable Faults

Controller faults caused by user programming errors in a safety program trigger the controller to process the logic contained in the project’s safety program fault handler. The safety program fault handler provides the application with the opportunity to resolve the fault condition and then recover.

ATTENTION

You must provide proof to your certifying agency that automatic recovery from recoverable faults maintains SIL 3.

When a safety program fault handler does not exist or the fault is not recovered by it, the controller processes the logic in the controller-scoped fault handler, terminating safety program logic execution and leaving safety I/O connections active, but idle.

IMPORTANT

When the execution of safety program logic is terminated due to a recoverable fault that is not handled by the safety program fault handler, the safety I/O connections are closed and reopened to reinitialize safety connections.

If user logic is terminated as a result of a recoverable fault that is not recovered, safety outputs are placed in the safe state and the producer of safety-consumed tags commands the consumers to place them in a safe state.

TIP

When using safety I/O for standard applications, safety I/O will be commanded to the safe state if user logic is terminated as a result of a recoverable fault that is not recovered.

If a recoverable safety fault is overridden in the controller-scoped fault handler, only standard tasks keep running. If the fault is not overridden, the standard tasks are also shut down.

ATTENTION

Overriding the safety fault does not clear it. If you override the safety fault, it is your responsibility to prove that doing so maintains SIL 3.


Appendix

A


Introduction

Topic

Safety Application Instructions

Metal Form Safety Application Instructions

Safety Instructions


Page

77

79

80

81

For the latest information, see our safety certificates at http://www.rockwellautomation.com/products/certification/safety/ .

Safety Application

Instructions

Mnemonic

CROUT

DCS

DCST

DCSTL

DCSTM

DCM

DCSRT

SMAT

Name

Configurable Redundant

Output

Dual Channel Input -

Stop


Stop With Test


Stop With Test and Lock


Stop With Test and Mute


Monitor


Start

Safety Mat

RSLogix 5000, Version 17 and Later, Safety Application Instructions

Purpose

Controls and monitors redundant outputs.

Monitors dual-input safety devices whose main purpose is to provide a stop function, such as an E-stop, light curtain, or gate switch.

Monitors dual-input safety devices whose main purpose is to provide a stop function, such as an E-stop, light curtain, or gate switch. It includes the added capability of initiating a functional test of the stop device.

Certification

•

BG

•

TÜV

•

BG

•

TÜV

•

BG

•

TÜV

Monitors dual-input safety devices whose main purpose is to provide a stop function, such as an E-stop, light curtain, or gate switch. It includes the added capability of initiating a functional test of the stop device and can monitor a feedback signal from a safety device and issue a lock request to a safety device.

•

BG

•

TÜV

TÜV Monitors dual-input safety devices whose main purpose is to provide a stop function, such as an E-stop, light curtain, or gate switch. It includes the added capability of initiating a functional test of the stop device and the ability to mute the safety device.

Monitors dual-input safety devices.

Energizes dual-input safety devices whose main function is to start a machine safely, for example an enable pendant.

Indicates whether or not the safety mat is occupied.

•

BG

•

TÜV

•

BG

•

TÜV

TÜV


Appendix A Safety Instructions

Mnemonic Name

THRSe Two-Hand Run Station –

Enhanced

Purpose

Monitors two diverse safety inputs, one from a right-hand push button and one from a left-hand push button, to control a single output. Features configurable channel-to-channel discrepancy time and enhanced capability for bypassing a two-hand run station.

Certification

•

BG

•

TÜV

TSAM

TSSM

FSBM

Two Sensor

Asymmetrical Muting

Two Sensor Symmetrical

Muting

Provides temporary, automatic disabling of the protective function of a light curtain, using two muting sensors arranged asymmetrically.

Provides temporary, automatic disabling of the protective function of a light curtain, using two muting sensors arranged symmetrically.

TÜV

TÜV

Four Sensor Bidirectional

Muting

Provides temporary, automatic disabling of the protective function of a light curtain, using four sensors arranged sequentially before and after the light curtain’s sensing field.

TÜV

RSLogix 5000, Version 14 and Later, Safety Application Instruction Descriptions

Mnemonic

ENPEN

ESTOP

RIN

ROUT

DIN

FPMS

THRS

LC

Name

Enable Pendant

Purpose

Monitors two safety inputs to control a single output and has a 3-s inputs-inconsistent timeout value.

Certification

•

TÜV

E-Stop Monitors two safety inputs to control a single output and has a 500-ms inputs-inconsistent timeout value.

•

TÜV

Redundant Input Monitors two safety inputs to control a single output and has a 500-ms inputs-inconsistent timeout value.

•

TÜV

Redundant Output

Diverse Input

Monitors the state of one input to control and monitor two outputs.

Monitors two diverse safety inputs to control a single output and has a

500-ms inputs-inconsistent timeout value.

•

TÜV

•

TÜV

5-Position Mode Selector Monitors five safety inputs to control one of the five outputs corresponding to the active input.

•

TÜV

Two Handed Run Station Monitors two diverse safety inputs, one from a right-hand push button and one from a left-hand push button, to control a single output.

Light Curtain

•

TÜV

Monitors two safety inputs from a Light Curtain to control a single output.

•

TÜV


Safety Instructions Appendix A

Metal Form Safety

Application Instructions

These instructions are available in RSLogix 5000 software, version 17 and later.

Mnemonic

CBCM

CBIM

CBSSM

CPM

CSM

EPMS

AVC

MVC

MMVC

Name

Clutch Brake Continuous

Mode

Clutch Brake Inch Mode

Clutch Brake Single

Stoke Mode

Crankshaft Position

Monitor

Camshaft Monitor

Eight-position Mode

Selector

Auxiliary Valve Control

Main Valve Control

Maintenance Manual

Valve Control

Purpose

Used for press applications where continuous operation is desired.

Used for press applications where minor slide adjustments are required, such as press setup.

Used in single-cycle press applications.

Used to determine the slide position of the press.

Monitors motion for the starting, stopping, and running operations of a camshaft.

Monitors eight safety inputs to control one of the eight outputs corresponding to the active input.

Controls an auxiliary valve that is used in conjunction with a main valve.

Controls and monitors a main valve.

Used to manually drive a valve during maintenance operations.

Certification

•

BG

•

TÜV

•

BG

•

TÜV

•

BG

•

TÜV

•

BG

•

TÜV

•

BG

•

TÜV

•

BG

•

TÜV

•

TÜV

•

BG

•

TÜV

•

BG

•

TÜV




Routines in the safety task may use these ladder logic safety instructions.

Ladder Logic Safety Instructions, RSLogix 5000 Software, Version 14 and Later

Type

Bit

Timer

Compare

Move

Logical

MVM

AND

NOT

OR

XOR

NEQ

LIM

CLR

COP

(1)

MOV

CTD

RES

EQU

GEQ

TON

TOF

RTO

CTU

GRT

LEQ

LES

MEQ

Mnemonic Name

XIC

XIO

OTE

OTL

OTU

ONS

OSR

OSF

Examine If Closed

Examine If Open

Output Energize

Output Latch

Output Unlatch

One Shot

One Shot Rising

One Shot Falling

Timer On Delay

Timer Off Delay

Retentive Timer On

Count Up

Time how long a timer is enabled

Time how long a timer is disabled

Accumulate time

Count up

Count Down

Reset

Count down

Reset a timer or counter

Equal To Test whether two values are equal

Greater Than Or Equal To Test whether one value is greater than or equal to a second value

Greater Than

Less Than Or Equal To

Less Than

Masked Comparison for

Equal

Not Equal To

Limit Test

Clear

Copy

Purpose

Enable outputs when a bit is set

Enable outputs when a bit is cleared

Set a bit

Set a bit (retentive)

Clear bit (retentive)

Triggers an event to occur one time

Triggers an event to occur one time on the false-to-true (rising) edge of change-of-state

Triggers an event to occur one time on the true-to-false (falling) edge of change-of-state

Test whether one value is greater than a second value

Test whether one value is less than or equal to a second value

Test whether one value is less than a second value

Pass source and compare values through a mask and test whether they are equal

Test whether one value is not equal to a second value

Test whether a value falls within a specified range

Clear a value

Copy a value

Move

Masked Move

Bitwise AND

Bitwise NOT

Bitwise OR

Bitwise Exclusive OR

Copy a value

Copy a specific part of an integer

Perform bitwise AND operation

Perform bitwise NOT operation

Perform bitwise OR operation

Perform bitwise exclusive OR operation


Safety Instructions Appendix A

Ladder Logic Safety Instructions, RSLogix 5000 Software, Version 14 and Later

Type

Program

Control

Math/

Compute

I/O

DIV

MOD

SQR

NEG

ABS

GSV

(2)

SSV

(2)

Mnemonic

JMP

LBL

JSR

RET

SBR

TND

MCR

AFI

Name

Jump To Label

Purpose

Jump over a section of logic that does not always need to be executed (skips to referenced label instruction)

Labels an instruction so that it can be referenced by a JMP instruction Label

Jump to Subroutine

Return

Subroutine

Temporary End

Jump to a separate routine

Return the results of a subroutine

Pass data to a subroutine

Mark a temporary end that halts routine execution

Master Control Reset Disable all the rungs in a section of logic

Always False Instruction Disable a rung

NOP

ADD

SUB

MUL

No Operation

Add

Subtract

Multiply

Insert a placeholder in the logic

Add two values

Subtract two values

Multiply two values

Divide

Modulo

Square Root

Negate

Absolute Value

Get System Value

Divide two values

Determine the remainder after one value is divided by a second value

Calculate the square root of a value

Take the opposite sign of a value

Take the absolute value of a value

Get controller status information

Set System Value Set controller status information

(1) The length operand must be a constant when the COP instruction is used in a safety routine. The length of the source and the destination must be the same.

(2) Refer to the GuardLogix Controllers User Manual, publication 1756-UM020 , for special considerations when using the GSV and SSV instructions.


Resource

GuardLogix Safety Application Instruction Set

Reference Manual, publication 1756-RM095

Logix5000 Controllers General Instructions

Reference Manual, publication 1756-RM003

Description

Provides more information on the safety application instructions

Contains detailed information on the

Logix instruction set




Appendix

B

Safety Add-On Instructions

Introduction

Topic

Creating and Using a Safety Add-On Instruction


Page

83

88

With RSLogix 5000 software, version 18 and later, you can create safety Add-On Instructions. Safety Add-On Instructions let you encapsulate commonly-used safety logic into a single instruction, making it modular and easier to reuse.

Safety Add-On Instructions use the instruction signature of high-integrity Add-On Instructions and also a SIL 3 safety instruction signature for use in safety-related functions up to and including SIL 3.

Creating and Using a Safety

Add-On Instruction

The flowchart on page

84

shows the steps required for creating a safety Add-On Instruction and then using that instruction in a SIL 3 safety application program. The shaded items are steps unique to

Add-On Instructions. The items in bold text are explained in the pages following the flowchart.


Appendix B Safety Add-On Instructions

84

To Modify a Safety

Add-On Instruction

(off-line)

Modify Safety

Add-On Instruction

Delete Instruction

Signature

Go Off-line

Delete Safety Task Signature, if it exists

Flowchart for Creating and Using Safety Add-On Instructions

To Use a Safety Add-On Instruction

To Create a Safety Add-On Instruction

Create or Open a Project

Create Add-On Instruction Test Project

Import Safety Add-On Instruction

Create Safety Add-On Instruction

Create/modify Application

Generate Instruction Signature

Download

Create/Modify Test Program

Download

(Generate Safety

Instruction Signature)

Verify Safety Add-On Instruction

Signatures

Go back to original test project

No

Change Mode to Run

Perform SIL3 Add-On

Instruction Qualification Test

Go back to original test project

No

Instruction Signature

Valid?

Yes

Safety

Instruction Signature

Valid?

Yes

No

All

Tests Pass?

Yes

Confirm Project


Change Mode to Program

Safety Validate the Add-On Instruction

Create Signature History Entry

(offline)

Record Instruction Signature, Date/Time, and Safety Instruction Signature

Make Required

Modifications

Create Safety Task Signature

Confirm Project

Change Mode to Run

Export Safety Add-On Instruction

Safety Add-On Instruction available for use

Yes

Delete Safety Task

Signature

No

Are

Changes to the

Add-On Instruction

Required?


No

All

Tests Pass?

Yes

Record Safety Task Signature

Safety Validate Project

No

Project Valid?

Yes

Done



Safety Add-On Instructions Appendix B

Create Add-On Instruction Test Project

You need to create a unique test project, specifically for creating and testing the safety Add-On Instruction. This must be a separate and dedicated project to minimize any unexpected influences.

Follow the guidelines for projects described in

Create the Project on page 56 .

Create a Safety Add-On Instruction

For guidance in creating Add-On Instructions, refer to the Logix5000

Controllers Add-On Instruction Programming Manual, publication

1756-PM010 .

Generate Instruction Signature

The instruction signature lets you quickly determine if the instruction has been modified. Each Add-On Instruction has the ability to have its own signature. The instruction signature is required when an Add-On

Instruction is used in safety-related functions, and may be required for regulated industries. Use it when your application calls for a higher level of integrity.

The instruction signature consists of an ID number and timestamp that identifies the contents of the Add-On Instruction at a given point in time.

Once generated, the instruction signature seals the Add-On

Instruction, preventing it from being edited while the signature is in place. This includes rung comments, tag descriptions, and any instruction documentation that was created. When the instruction is sealed, you can perform only these actions:

•

Copy the instruction signature

•

Create or copy a signature history entry

•

Create instances of the Add-On Instruction

•

Download the instruction

•

Remove the instruction signature

•

Print reports

85


When an instruction signature has been generated, RSLogix 5000 software displays the instruction definition with the seal icon.

86

IMPORTANT

If you plan to protect your Add-On Instruction by using the source protection feature in RSLogix 5000 software, you must enable source protection prior to generating the instruction signature.

Download and Generate Safety Instruction Signature

When a sealed safety Add-On Instruction is downloaded for the first time, a SIL 3 safety instruction signature is automatically generated.

The safety instruction signature is an ID number that identifies the execution characteristics of the safety Add-On Instruction.

SIL 3 Add-On Instruction Qualification Test

Safety Add-On Instruction SIL 3 tests must be performed in a separate, dedicated application to make sure unintended influences are minimized. The developer must follow a well-designed test plan and perform a unit test of the safety Add-On Instruction that exercises all possible execution paths through the logic, including the valid and invalid ranges of all input parameters.

Development of all safety Add-On Instructions must meet IEC 61508 -

‘Requirements for software module testing’, which provides detailed requirements for unit testing.


You must print or view the project, and manually compare the uploaded safety I/O and controller configurations, safety data, safety

Add-On Instruction definitions, and safety task program logic to make sure that the correct safety components were downloaded, tested, and retained in the safety application program.

See

Confirm the Project on page 58

for a description of one method for confirming a project.



Safety Add-On Instructions Appendix B

Safety Validate Add-On Instructions

An independent, third-party review of the safety Add-On Instruction may be required before the instruction is approved for use. An independent, third-party validation is required for IEC 61508 SIL 3.

Create Signature History Entry

The signature history provides a record for future reference. A signature history entry consists of the instruction signature, the name of the user, the timestamp value, and a user-defined description. Up to six history entries may be stored. You must be offline to create a signature history entry.

TIP

The Signature Listing report in RSLogix 5000 software prints the instruction signature, the timestamp, and the safety instruction signature. Print the report by right-clicking Add-On

Instruction in the Controller Organizer and choosing

Print>Signature Listing.

Export and Import the Safety Add-On Instruction

When you export a safety Add-On Instruction, choose the option to include all referenced Add-On Instructions and User-Defined Types in the same export file. By including referenced Add-On Instructions, you make it easier to preserve the signatures.

When importing Add-On Instructions, consider these guidelines.

•

You cannot import a safety Add-On Instruction into a standard project.

•

You cannot import a safety Add-On Instruction into a safety project that has been safety-locked or one that has a safety task signature.

•

You cannot import a safety Add-On Instruction while online.

•

If you import an Add-On Instruction with an instruction signature into a project where referenced Add-On Instructions or

User-Defined Types are not available, you may need to remove the signature.

87


Verify Safety Add-On Instruction Signatures

After you download the application project containing the imported safety Add-On Instruction, you must compare the instruction signature value, the date and timestamp, and the safety instruction signature values with the original values you recorded prior to exporting the safety Add-On Instruction. If they match, the safety Add-On

Instruction is valid and you can continue with the validation of your application.


This step consists of any combination of Run and Program mode, online or offline program edits, upload and download, and informal testing that is required to get an application running properly.


Perform an engineering test of the application, including the safety system.

See

Functional Verification Tests on page 14 and

Project Verification

Test on page 57 for more information on requirements.

Safety Validate Project

An independent, third-party review of the safety system may be required before the system is approved for operation. An independent, third-party validation is required for IEC 61508 SIL 3.


88

Resource

Logix5000 Controllers Add-On Instructions

Programming Manual, publication

1756-PM010

Import/Export Project Components

Programming Manual, publication

1756-PM019

Description

Provides information on planning, creating, using, importing and exporting Add-On

Instructions in RSLogix 5000 applications

Contains detailed information on importing and exporting


Appendix

C

Reaction Times

Introduction

Topic


Logix System Reaction Time

Page

89

89


To determine the system reaction time of any control chain, you must add up the reaction times of all of components of the safety chain.

System Reaction Time = Sensor Reaction Time + Logix System

Reaction Time + Actuator Reaction Time



Input Reaction

Time

Safety Task

Reaction Time

Output

Reaction Time

Actuator

Reaction Time

Sensor

Reaction Time

Input Module

Input Connection

Logix System Reaction Time

Logic

Output

Connection

Output

Module

Logix System Reaction Time

The following sections provide information on calculating the Logix

System Reaction Time for a simple input-logic-output chain and for a more complex application using produced/consumed safety tags in the logic chain.


Appendix C Reaction Times

Simple Input-logic-output Chain

Logix System Reaction Time for Simple Input-logic-output Chain

3. Logic

1. Safety

Input Module

2. Safety Input

Connection

4. Safety Output

CIP Safety Network

Connection

5. Safety

Output Module

The Logix System Reaction Time for any simple input-logic-output chain consists of the following five components:

1. Input module delay time

2. Input data transfer time via the input connection

3. Controller processing time (Logic)

4. Output data transfer time via the output connection

5. Output module delay time

To aid you in determining the reaction time of your particular control loop, a Microsoft Excel spreadsheet is available in the Tools folder of the RSLogix 5000 software CD.


Reaction Times Appendix C

Logic Chain Using Produced/Consumed Safety Tags

3. Logic

Logix System Reaction Time for Input-Controller A Logic-Controller B Logic-Output

Chain

4. Produced/Consumed Safety Connection

EtherNet

Network

EtherNet

Switch

EtherNet

Network

5. Logic

1. Safety

Input Module

2. Safety Input

Connection


6. Safety Output

Connection


7. Safety

Output

Module

The Logix System Reaction Time for any input-controller A logic-controller B logic-output chain consists of the following seven components:

1. Input module delay time

2. Input data transfer time via the input connection


4. Produced/Consumed data transfer time via the produced/consumed connection


6. Output data transfer time via the output connection

7. Output module delay time

To aid you in determining the reaction time of your particular control loop, a Microsoft Excel spreadsheet is available in the Tools folder of the RSLogix 5000 software CD.



92

Factors Affecting Logix Reaction-time Components

The Logix Reaction Time components described in the previous sections can be influenced by a number of factors.

Factors Affecting Logix System Reaction-time

These reaction time components

Input module delay time

Input data transfer time via the input connection

Controller processing time

Produced/Consumed tag data transfer time via the produced/consumed connection

Output data transfer time via the output connection

Output module delay time

Are influenced by the following factors

Input point delay settings

Type of input module

Input module settings for:

(1)

•

RPI

•

Timeout Multiplier

•

Delay Multiplier

The amount of network communication traffic

The system’s EMC environment

Safety Task Period setting

Safety Task Watchdog setting

The number and execution time of instructions in the safety task

Any higher priority tasks that may preempt safety task execution

Consumed tag settings for:

(2)

•

RPI

•

Timeout Multiplier

•

Delay Multiplier



Safety Task Period setting

Output module’s settings for:

•

Timeout Multiplier

•

Delay Multiplier



Type of output module

(1) These settings are available in RSLogix 5000 software by pressing the Advanced button on the Safety tab of the Module Properties dialog.

(2) These settings are available in RSLogix 5000 software by pressing the Advanced button on the Safety tab of the Consumed Tag Safety Data dialog.


Reaction Times Appendix C


Resource


1768 Compact GuardLogix Controllers User

Manual, publication 1768-UM002

Description

Contains information on configuring delay times and reaction time limits for the input connection, safety task, and output connection

Consult the product documentation for your specific module for reaction times associated with CIP Safety I/O modules.




Introduction

Checklists for GuardLogix Safety

Applications

Appendix

D

The checklists in this appendix are required for planning, programming, and start up of a SIL 3-certified GuardLogix application.

They may be used as planning guides as well as during functional verification testing. If used as planning guides, the checklists can be saved as a record of the plan.

The checklists on the following pages provide a sample of safety considerations and are not intended to be a complete list of items to verify. Your particular safety application may have additional safety requirements, for which we have provided space in the checklists.

Topic

Checklist for GuardLogix Controller System

Checklist for Safety Inputs

Checklist for Safety Outputs

Checklist for Developing a Safety Application Program

TIP

Page

96

97

98

99

Make copies of the checklists and keep these pages for future use.


Appendix D Checklists for GuardLogix Safety Applications

Checklist for GuardLogix Controller System

8

9

6

7

10

Checklist for GuardLogix System

2

3

Company

Site

Safety Function Definition

Number

1

4

System Requirements

Are you using only the components listed in

SIL 3-Certified GuardLogix Components on page 16

and on the http://www.rockwellautomation.com/products/certification/safety/ site, with the corresponding firmware release?

Have you calculated the system’s safety response time for each safety chain?

Does the system’s response time include both the user-defined safety task program watchdog (software watchdog) time and the safety task rate/period?

Is the system response time in proper relation to the process tolerance time?

Yes

Fulfilled

No

5 Have probability (PFD/PFH) values been calculated according to the system’s configuration?

Have you performed all appropriate functional verification tests?

Have you determined how your system will handle faults?

Does each network in the safety system have a unique SNN?

Is each CIP safety device configured with the correct SNN?

Have you generated a safety task signature?

11

12

13

14

Have you uploaded and recorded the safety task signature for future comparison?

Following a download, have you verified that the safety task signature in the controller matches the recorded safety task signature?

Do you have an alternate mechanism in place to preserve the safety integrity of the system when making online edits?

Have you taken into consideration the checklists for using SIL inputs and outputs

listed on pages 97

and

98

?

Comment


Checklists for GuardLogix Safety Applications Appendix D

Checklist for Safety Inputs

For programming or start up, an individual checklist can be filled in for every single SIL input channel in a system. This is the only way to make sure that the requirements are fully and clearly implemented.

This checklist can also be used as documentation on the connection of external wiring to the application program.

Input Checklist for GuardLogix System

2

3

Company

Site


SIL Input Channels

Number

1

Input Module Requirements

Have you followed installation instructions and precautions to conform to applicable safety standards?

Yes

Fulfilled

No

4

5

6

Have you performed functional verification tests on the system and modules?

Are control, diagnostics, and alarming functions performed in sequence in application logic?

Have you uploaded and compared the configuration of each module to the configuration sent by configuration tool?

Are modules wired in compliance with PLe/Cat. 4 according to ISO 13849-1?

(1)

Have you verified that the electrical specifications of the sensor and input are compatible?

Comment

(1) For information on wiring your CIP Safety I/O module, refer to the product documentation for your specific module.



Checklist for Safety Outputs

For programming or start up, an individual requirement checklist must be filled in for every single SIL output channel in a system. This is the only way to make sure that the requirements are fully and clearly implemented. This checklist can also be used as documentation on the connection of external wiring to the application program.

Output Checklist for GuardLogix System

4

5

2

3

Company

Site


SIL Output Channels

Number

1

Output Module Requirements

Have you followed installation instructions and precautions to conform to applicable safety standards?

Have you performed functional verification tests on the modules?

Yes

Fulfilled

No

Have you uploaded and compared the configuration of each module to the configuration sent by configuration tool?

Have you verified that test outputs are not used as safety outputs?

6

Are modules wired in compliance with PLe/Cat. 4 according to ISO 13849-1?

(1)

Have you verified that the electrical specifications of the output and the actuator are compatible?

Comment

(1) For information on wiring your CIP Safety I/O module, refer to the product documentation for your specific module.


Checklists for GuardLogix Safety Applications Appendix D

Checklist for Developing a

Safety Application Program

Use the following checklist to help maintain safety when creating or modifying a safety application program.

Checklist for GuardLogix Application Program Development

6

7

3

4

8

9

Company

Site

Project Definition

Number

1

2

5

Application Program Requirements

Are you using version 14, or version 16 or later of RSLogix 5000 software

(1)

, the

GuardLogix system programming software?

Were the programming guidelines in

Chapter 6

followed during creation of the safety application program?

Does the safety application program contain only relay ladder logic?

Does the safety application program contain only those instructions listed in

Appendix A

as suitable for safety application programming?

Does the safety application program clearly differentiate between safety and standard tags?

Are only safety tags used for safety routines?

Have you verified that safety routines do not attempt to read from or write to standard tags?

Have you verified that no safety tags are aliased to standard tags and vice versa?

Yes

Fulfilled

No

10

11

12

13

14

Is each safety output tag correctly configured and connected to a physical output channel?

Have you verified that all mapped tags have been conditioned in safety application logic?

Have you defined the process parameters that are monitored by fault routines?

Have you sealed any safety Add-On Instructions with a instruction signature and recorded the safety instruction signature?

Has the program been reviewed by an independent safety reviewer (if required)?

Has the review been documented and signed?

Comment

(1) RSLogix 5000 software, version 18 or later supports 1768 Compact GuardLogix controllers.



Notes:


Appendix

E

Probability of Failure on Demand (PFD) and

Probability of Failure per Hour (PFH) Data

Introduction

Topic

GuardLogix Controller and Guard I/O Safety Data

PFD Values

PFH Values

Page

101

102

102

The following examples show probability of failure on demand (PFD) and probability of failure per hour (PFH) values for GuardLogix 1oo2

SIL 3 systems.

GuardLogix Controller and

Guard I/O Safety Data

All of the examples use the following data.

GuardLogix Controller Safety Specifications

Attribute

Hardware fault tolerance

Safe failure fraction

Functional test interval (T1)

1756 GuardLogix

Controllers

1

99.1%

20 years

1768 Compact GuardLogix

Controllers

1

99.0%

20 years


Appendix E Probability of Failure on Demand (PFD) and Probability of Failure per Hour (PFH) Data

PFD Values

Calculated PFD by Functional Test Interval

Cat. No.

Description

2 Years

(17,520 hours)

Calculated PFD

5 Years

(43,800 hours)

10 Years

(87,600 hours)

Not applicable

5.5E-06 1756-L6xS and

1756-LSP

1768-L43S and

1768-L45S

1791DS-IB12


Compact GuardLogix Controller 1.1E-06

CIP Safety 12-point input module 1.754E-06

1791DS-IB16 CIP Safety 16-point input module 1.70E-06

1791DS-IB8XOB8 CIP Safety 8-point input/ 8-point output module 1.755E-06

2.7E-06

4.419E-06

4.25E-06

4.421E-06

5.7E-06

8.962E-06

8.50E-06

8.963E-06

1791DS-IB4XOW4 CIP Safety 4-point input/4-point relay output module

4.151E-05

1791DS-IB8XOBV4 CIP Safety 8-point input/4 bi-polar output module 1.75E-06

1732DS-IB8XOBV4

1732DS-IB8

1791ES-IB16

CIP Safety 8-point input module


1.70E-06

1.65E-06

1791ES-IB8XOBV4 CIP Safety 8-point input/4 bi-polar output module 1.70E-06

1734-IB8S CIP Safety 8-point input module 1.17E-06

1734-OB8S CIP Safety 8-point output module 1.21E-06

1.207E-04

4.37E-06

4.25E-06

4.14E-06

4.26E-06

2.93E-06

3.03E-06

2.978E-04

8.74E-06

8.50E-06

8.27E-06

8.51E-06

5.86E-06

6.06E-06

(1) The 20-year PFD data for this product applies only to product with a manufacture date code of 2009/01/01 (January 1, 2009) or later. See the product label for the date code.

20 Years

(175,200 hours)

1.2E-05

1.2E-05

6.013E-06

(1)

1.70E-05

6.013E-06

(1)

7.684E-04

(1)

1.75E-05

1.70E-05

1.65E-05

1.70E-05

1.17E-05

1.21E-05

PFH Values

The data below applies to proof test intervals up to and including

20 years.

Cat. No.

1756-L6xS and 1756-LSP

1768-L43S and 1768-L45S

1791DS-IB12

1791DS-IB16

1791DS-IB8XOB8

1791DS-IB4XOW4

1791DS-IB8XOBV4

1732DS-IB8XOBV4

1732DS-IB8

1791ES-IB16

1791ES-IB8XOBV4

1734-IB8S

1734-OB8S

PFH Calculations

Description

GuardLogix controller

Compact GuardLogix controller



CIP Safety 8-point input/ 8-point output module

CIP Safety 4-point input/4-point relay output module

CIP Safety 8-point input/4 bi-polar output module



CIP Safety 8-point input/4 bi-polar output module


CIP Safety 8-point output module

PFH (1/Hour)

2.0E-10

2.0E-10

6.84E-11

1.94E-10

6.84E-11

4.072E-09

(1)

2.00E-10

1.94E-10

1.89E-10

1.94E-10

1.34E-10

1.38E-10

(1)

(1)

(1) The PFH data for this product applies only to product with a manufacture date code of 2009/01/01 (January 1, 2009) or later. See the product label for the date code.



Glossary

Add-On Instruction

An instruction that you create as an add-on to the Logix instruction set. Once defined, an Add-On Instruction can be used like any other

Logix instruction and can be used across various projects. An Add-On

Instruction is composed of parameters, local tags, logic routine, and optional scan mode routines.

Assemble Edits

You assemble edits when you have made online edit changes to the controller program and want the changes to become permanent since you can test, un-test, or cancel the edits.

Cancel Edits

Action taken to reject any unassembled online edit changes.

CIP Safety Protocol

A network communication method designed and certified for transport of data with high integrity.

Configuration Signature

A unique number that identifies a device’s configuration. The configuration signature is made up of an ID number, date, and time.\

Instruction Signature

The instruction signature consists of an ID number, and date/timestamp that identifies the contents of the Add-On Instruction definition at a given point in time.

Nonrecoverable Controller Fault

A fault that forces all processing to be terminated and requires controller power to be cycled from off to on. The user program is not preserved and must be redownloaded.

Nonrecoverable Safety Fault

A fault, which even though properly handled by the fault handling mechanisms provided by the safety controller and implemented by the user, terminates all safety task processing, and requires external user action to restart the safety task.

103

Glossary

104

Online

Situation where you are monitoring/modifying the program in the controller.

Overlap

When a task (periodic or event) is triggered while the task is still executing from the previous trigger.

Partnership

The primary controller and safety partner must both be present, and the hardware and firmware must be compatible for partnership to be established.

Pending Edit

A change to a routine that has been made in RSLogix 5000 software, but has not yet been communicated to the controller by accepting the edit.

Periodic Task

A task that is triggered by the operating system at a repetitive period of time. Whenever the time expires, the task is triggered and its programs are executed. Data and outputs established by the programs in the task retain their values until the next execution of the task or until they are manipulated by another task. Periodic tasks always interrupt the continuous task.

Primary Controller

The processor in a dual-processor controller that performs standard controller functionality and communicates with the safety partner to perform safety-related functions.

Recoverable Fault

A fault, which when properly handled by implementing the fault handling mechanisms provided by the controller, does not force user logic execution to be terminated.

Requested Packet Interval (RPI)

When communicating over a network, this is the maximum amount of time between subsequent production of input data.



Glossary

Routine

A set of logic instructions in a single programming language, such as a ladder diagram. Routines provide executable code for the project in a controller. Each program has a main routine. You can also specify optional routines.

Safety Add-On Instruction

An Add-On Instruction that can use safety application instructions. In addition to the instruction signature used for high-integrity Add-On

Instructions, safety Add-On Instructions feature a SIL 3 safety instruction signature for use in safety-related functions.

Safety Application Instructions

Safety Instructions which provide safety-related functionality. They have been certified to SIL 3 for use in safety routines.

Safety Component

Any object, task, program, routine, tag, or module that is marked as a safety-related item.

Safety Instruction Signature

The safety instruction signature is an ID number that identifies the execution characteristics of the safety Add-On Instruction. It is used to verify the integrity of the safety Add-On Instruction during downloads to the controller.

Safety I/O

Safety I/O has most of the attributes of standard I/O except it features mechanisms certified to SIL 3 to ensure data integrity.

Safety Network Number (SNN)

Uniquely identifies a network across all networks in the safety system.

The end user is responsible is responsible for assigning a unique number for each safety network or safety subnet within a system. The safety network number makes up part of the Unique Node Identifier

(UNID).

Safety Partner

The processor in a dual-processor controller that works with the primary controller to perform safety-related functions.

105

Glossary

106

Safety Program

A safety program has all the attributes of a standard program, except that it can only be scheduled in a safety task. The safety program consists of zero or more safety routines. It cannot contain standard routines or standard tags.

Safety Routine

A safety routine has all the attributes of a standard routine except that it is valid only in a safety program and that it consists of one or more

instructions suitable for safety applications (See Appendix A

for a list of Safety Application Instructions and standard Logix Instructions that may be used in safety routine logic.)

Safety Tags

A safety tag has all the attributes of a standard tag except that the

GuardLogix controller provides mechanisms certified to SIL 3 to ensure the integrity of their associated data. They can be program-scoped or controller-scoped.

Safety Task

A safety task has all the attributes of a standard task except that it is valid only in a GuardLogix controller and that it may schedule only safety programs. Only one safety task can exist in a GuardLogix controller. The safety task must be a periodic/timed task.

Safety Task Period

The period at which the safety task executes.

Safety Task Reaction Time

The sum of the safety task period plus the safety task watchdog. This time represents the worst case delay from any input change presented to the GuardLogix controller until the processed output is available to the producing connection.

Safety Task Signature

A value, calculated by the firmware, that uniquely represents the logic and configuration of the safety system. It is used to verify the integrity of the safety application program during downloads to the controller.



Glossary

Safety Task Watchdog

The maximum time allowed from the start of safety task execution to its completion. Exceeding the safety task Watchdog triggers a nonrecoverable safety fault.

Standard Component

Any object, task, tag, program, and so on, that is not marked as being a safety-related item.

Standard Controller

As used in this document, standard controller refers generically to a

ControlLogix controller.

Symbolic Addressing

A method of addressing which provides an ASCII interpretation of the tag name.


The worst case time from a safety-related event as input to the system or as a fault within the system, until the time that the system is in the safe state. System Reaction Time includes sensor and activator

Reaction Times as well as the Controller Reaction Time.

Task

A scheduling mechanism for executing a program. A task provides scheduling and priority information for a set of one or more programs that execute based on a certain criteria. Once a task is triggered

(activated), all of the programs assigned (scheduled) to the task execute in the order in which they are displayed in the controller organizer.

Timeout Multiplier

This value determines the number of messages that may be lost before declaring a connection error.

Valid Connection

Safety connection is open and active, with no errors.

107

Glossary

Notes:


Numerics

1734-AENT

16

, 17

hardware overview

26

1734-AENTR

16

1756-A10

17

1756-A13

17

1756-A17

17

1756-A4

17

1756-A7

17

1756-CN2 firmware revision

17

hardware overview

26

1756-CN2R firmware revision

17

1756-DNB firmware revision

17

hardware overview

26

1756-EN2F firmware revision

17

1756-EN2T firmware revision

17

1756-ENBT firmware revision

17

hardware overview

26

1756-PA72

17

1756-PA75

17

1756-PA75R

17

1756-PB72

17

1756-PB75

17

1756-PB75R

17

1768-CNB

16

hardware overview

26

1768-CNBR hardware overview

26

1768-ENBT

16

hardware overview

26

1768-PA3

16

1768-PB3

16

A

Add-On Instruction certify

83

instruction signature

85

safety instruction signature

86

agency certifications

18

application development basics

53

application program

See program


Index

C

CE

18

certifications

18

chassis catalog numbers

17

hardware overview

24

checklist

GuardLogix controller system

28 ,

96

program development

99

SIL 3 Inputs

97

SIL 3 outputs

98

CIP safety protocol definition

103

overview

25

routable system

35

commissioning life cycle

54

communication bridges hardware overview

26

communication modules catalog numbers

17

configuration signature

31

connection status

68

CONNECTION_STATUS data type

67

contact information

22

control and information protocol

Definition

10

control function specification

55

ControlNet bridge module hardware overview

26

CSA

18

C-Tick

18

c-UL-us

18

D

DeviceNet Safety communication overview

27

DeviceNet scanner interface module hardware overview

26

diagnostic coverage definition

10

E

EN50156 Compliance

45

EN954-1

CAT 4

9

, 13

EtherNet/IP communication overview

26

109

Index

110

EtherNet/IP communication interface module hardware overview

26

European norm.

definition

10

L

ladder logic safety instructions

80

Logix components

SIL 3-certified

16

Logix system reaction time calculating

90

F

failure contact information

22

faults nonrecoverable controller faults

75

nonrecoverable safety faults

75

overriding

75

recoverable

76

FM

18

forcing

62

functional verification tests

14

M

mapping tags

51

metal form instructions

79

N

nonrecoverable controller faults

75

, 103

nonrecoverable safety faults

75

, 103

restarting the safety task

75

G

get system value (GSV) defintion

10

GSV instructions

74

H

hard faults recovery

75

hardware fault tolerance

101

O

offline edits

64

online definition

104

online editing

61 ,

64

output delay time

31

overlap definition

104

ownership

31

I

I/O modules replacement

32

33

IEC 61508

Safety Integrity Level (SIL) 3 certification

9 ,

13

, 86

inhibiting a module

63

installing a controller

23

instruction signature

85

definition

103

instructions safety

80

safety application

77

ISO 13849-1

9 ,

13

P

partnership definition

104

peer-to-peer communication

26

pending edits

61

Performance Level definition

10

period task definition

104

PLe

9

, 13

power supplies

17

hardware overview

24

SIL 3-certified

24

primary controller definition

104

hardware overview

24

probability of failure on demand (PFD)

19

20

definition

10

probability of failure per hour (PFH)

19 -

20

definition

10


Index program checklist

99

download

61

editing life cycle

65

offline editing

64

online editing

64

upload

61

program compare utility

59

program indentification

56

program verification

57

programming software

13

project confirmation

58

proof tests

14 see functional verification tests

Q

qualifying standard data

51

R

reaction time safety task

21

system

21

recoverable faults

76 ,

104

reliability burden

20

requested packet interval definition

104

RSLogix 5000 software changing your application program

63

commissioning life cycle

54

revision

16 ,

17

S

safe failure fraction

101

safety application instructions

77

definition

105

safety certifications and compliances

18

safety concept assumptions

53

safety consumed tags safety network number

38

safety functions

CIP Safety I/O

29

Safety Output

31

safety instruction signature

86

definition

105

Safety Integrity Level (SIL) compliance distribution and weight

20

function example

16

policy

13

22

Safety Integrity Level (SIL) 3 certification

9 ,

13 ,

86

Logix components

16

TÜV Rheinland

14

user responsibilities

14

safety network number

36

definition

105

manual assignment

36

out-of-box modules

38

safety consumed tags

38

safety partner configuration

24

definition

105

hardware overview

24

location

24

safety program

49

definition

106

safety routine

50

definition

106

safety tags

50

definition

106

valid data types

50

safety task definition

106

execution

48

overview

47

safety task period

21

definition

106

limitations

48

overview

21

safety task reaction time

21

definition

106

safety task signature definition

106

deleting

57

generating

57

restricted operations

57

safety task watchdog

21

definition

107

modifying

21

overview

21

setting via RSLogix 5000

21

timeout

48

safety-locking

60

default

60

passwords

60

restricted operations

60

set system variable (SSV) instruction

74


Index signature history

87

software changing your application program

63

commissioning life cycle

54

system reaction time

21

calculating

89

definition

107

T

tags produced/consumed safety data

50

Safety I/O

50 see also safety tags

terminology used throughout manual

10

timeout multiplier definition

107

U

UL

18

unique node reference defined

36


Rockwell Automation Support

Rockwell Automation provides technical information on the Web to assist you in using its products. At http://www.rockwellautomation.com/support/ , you can find technical manuals, a knowledge base of FAQs, technical and application notes, sample code and links to software service packs, and a MySupport feature that you can customize to make the best use of these tools.

For an additional level of technical phone support for installation, configuration, and troubleshooting, we offer TechConnect support programs. For more information, contact your local distributor or Rockwell Automation representative, or visit http://www.rockwellautomation.com/support/ .

Installation Assistance

If you experience an anomoly within the first 24 hours of installation, review the information that's contained in this manual.

You can contact Customer Support for initial help in getting your product up and running.

United States or Canada 1.440.646.3434

Outside United States or

Canada

Use the Worldwide Locator at http://www.rockwellautomation.com/support/americas/phone_en.html

or contact your local Rockwell Automation representative.

,

New Product Satisfaction Return

Rockwell Automation tests all of its products to ensure that they are fully operational when shipped from the manufacturing facility. However, if your product is not functioning and needs to be returned, follow these procedures.

United States

Outside United States

Contact your distributor. You must provide a Customer Support case number (call the phone number above to obtain one) to your distributor to complete the return process.

Please contact your local Rockwell Automation representative for the return procedure.

Documentation Feedback

Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete this form, publication RA-DU002 , available at http://www.rockwellautomation.com/literature/ .


Supersedes Publication 1756-RM093E-EN-P - July 2008 Copyright © 2010 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.

No results