
1756-RM093B-EN-P, GuardLogix™ Controller Systems Safety


Contents

1. [Figure 1.2 residue: sensor 1, sensor 2, 1791DS-IB8XOB8.] To calculate the Logix System PFH for each safety loop in the simple example system shown above, sum the PFH values for each component in the loop. Table 1.6 below provides a simplified example of PFH value calculations for each safety loop in Figure 1.2, using the PFH values and test intervals from Table 1.5 on page 1-7.
   Table 1.6 PFH Calculations by Safety Loop
   Loop 1: 1791DS-IB12, 8.75E-10; GuardLogix Controller, 1.9E-10; 1791DS-IB4XOW4, 5.24E-9; Loop 1 Total PFH, 6.305E-9.
   Loop 2: 1791DS-IB8XOB8, 1.118E-10; GuardLogix Controller, 1.9E-10; 1791DS-IB4XOW4, 5.24E-9; Loop 2 Total PFH, 5.541E-9.
   When calculating PFH values, you must take into account the specific requirements of your application, including test intervals.
   SIL Compliance Distribution and Weight: The programmable controller may conservatively be assumed to contribute 10% of the reliability burden. A SIL 3 system may need to incorporate multiple inputs for critical sensors and input devices, as well as dual outputs connected in series to dual actuators, dependent on SIL assessments for the safety-related system. (Publication 1756-RM093B-EN-P, October 2005)
   [Figure 1.3 Reliability Burden: figure labels Sensor, 40% of the PFD, 10% of the PFD.] Safety Reaction Times
2. [Table of contents excerpt]
   SNN for Safety Consumed Tags 4-4; SNNs for Out-of-Box Modules 4-4; SNN for Safety Module with a Different Configuration 4-4; SNNs when Copying a Safety Project 4-5
   Chapter 5, Differentiating Between Standard and Safety: Safety Tags 5-1; Using Standard Tags in Safety Routines (Tag Mapping) 5-2; Understanding the Safety Task 5-3; Safety Task Limitations 5-3; Safety Task Execution 5-4; Safety Programs 5-5; Safety Routines 5-5
   Chapter 6, Safety Application Development: Safety Concept Assumptions 6-1; Basics of Application Development and Testing 6-1; Commissioning Life Cycle 6-2; Specification of the Control Function 6-3; Create the Project 6-4; Testing the Application Program 6-4; Generating the Safety Signature 6-4; Project Verification Test 6-5; Confirm the Project 6-6; Safety Validation 6-7; Locking the GuardLogix Controller 6-7; Downloading the Safety Application Program 6-8; Uploading the Safety Application Program 6-8; Online Editing 6-8
3. See Appendix B for information on calculating the system reaction time.
   Safety Considerations for I/O Modules on the Safety Network: You must commission all devices with the MAC ID and baud rate (if necessary) before their installation on the safety network.
   Ownership: Every module in the GuardLogix system is owned by only one controller in the architecture. When a controller owns an I/O module, it stores the module's configuration data as defined by the user. This data controls how the module behaves in the system. TIP: Ownership applies to outputs. An output or output assembly can only have one owner. A module can only be configured by one originator, which automatically becomes the configuration owner for that module. No other device can send configuration data to the module. TIP: You can return the module to the Out-of-Box condition by selecting the Reset Ownership button from the Safety tab of the Module Properties dialog in RSLogix 5000.
   Configuration Signature: The Configuration Signature defines the module's configuration and lets a non-owner device establish a connection. It can be read and monitored. The Configuration Signature is used to uniquely identify a module's configuration in several operations:
   - During download from a configuration tool, the C
4. [Flowchart residue: Confirm the Project; Record Safety Signature; Safety Validation; Independent Review; Project Valid? Yes; Lock the Controller.]
   Chapter 7, Monitoring Status and Handling Faults
   Monitoring System Status: The GuardLogix architecture provides the user many ways of detecting and reacting to faults in the system. The first way that users can handle faults is to make sure they have completed the checklists for their application (see Appendix C). This chapter discusses methods of monitoring system status and describes system faults and fault routines. To monitor system status, you can view the status of safety tag connections. You can also determine current operating status by interrogating various device objects. It is your responsibility to determine what data is most appropriate to initiate a shutdown sequence.
   CONNECTION_STATUS Data: The first member of the tag structure associated with safety input data and produced/consumed safety tag data contains the status of the connection. This member is a pre-defined data type called CONNECTION_STATUS. [Screenshot residue: Data Type dialog for MyProducedConsumedSafetyType, with Name and Description fields.]
5. Forcing: All data contained in an I/O, produced, or consumed safety tag, including CONNECTION_STATUS, can be forced while the project is Safety Unlocked and no Safety Signature exists. However, forces must be uninstalled (not just disabled) on all safety tags before the safety project can be Safety Locked or a Safety Signature can be generated. You cannot force safety tags while the project is Safety Locked or when a Safety Signature exists. TIP: You can install and uninstall forces on standard tags regardless of the Safety Locked or Unlocked state.
   Inhibiting a Module: Inhibiting a module is configured at the safety I/O module level. All modules on the branch past the inhibited module are also inhibited. If either a safety I/O module or a producer controller is inhibited, the consumed safety data for each connection is reset to 0. You cannot inhibit or uninhibit Safety I/O modules or producer controllers if the application is Safety Locked or a Safety Signature exists.
   Changing Your Application Program: The following rules apply to changing your application program in RSLogix 5000:
   - Only authorized, specially trained personnel can make program edits. These personnel should use all supervisory methods available, for example using the controller keyswitch and software password protections.
   - When authorized, specially trained personnel make program edits, they assume the central safety re
6. Tags associated with safety I/O and produced or consumed safety data must be controller-scoped safety tags. TIP: Any controller-scoped safety tag is readable by any standard routine, but the update rate and time is based on the execution of the Safety Task. This means that safety tags are updated at the Safety Task periodic rate, not the network RPI. Safety tag input data arrives at the controller based on the Safety Task RPI time. The range of the Safety Task RPI for safety inputs and safety consumed tags is 1 to 500 ms.
   Using Standard Tags in Safety Routines (Tag Mapping): Controller-scoped standard tags can be mapped into safety tags, providing you with a mechanism to synchronize standard and safety actions. For information on how to map tags, see the GuardLogix Controllers User Manual, publication number 1756-UM020. ATTENTION: When using standard data in a safety routine, you are responsible for providing a reliable means of ensuring that the data is used in a safe manner. One way to do this is to qualify the standard data with safety data, as shown in the following example.
   Figure 5.1 Qualifying Standard Data with Safety Data [screenshot residue: Safety Tag Mapping dialog with Standard Tag Name and Safety Tag Name columns (Node30ComboModule point data mapped to MappedBool), and a ladder rung labelled "Safety input qualifier for mapped tag" with a latch/one-shot.]
7. Recovery from a non-recoverable controller fault requires re-download of the application program.
   Non-Recoverable Safety Faults: In the event of a non-recoverable safety fault, the controller logs the fault to the controller-scoped fault handler and shuts down the Safety Task, including safety I/O and safety logic. To recover from a non-recoverable safety fault, safety memory is re-initialized, either from the Safety Signature (this happens automatically when you clear the fault) or, if no Safety Signature exists, via an explicit download of the safety project. You can override the safety fault by clearing the fault log entry through the controller-scoped safety fault handler. This allows standard tasks to keep running. ATTENTION: Overriding the safety fault does not clear it. If you override the safety fault, it is your responsibility to prove that doing so maintains SIL 3.
   Recoverable Faults: Controller faults caused by user programming errors in a safety program trigger the controller to process the logic contained in the project's safety program fault handler. The safety program fault handler provides the application with the opportunity to resolve the fault condition and then recover. ATTENTION: You must provide proof to your certifying agency that automatic recovery from recoverable faul
8. [Safety Task Watchdog, continued:] The maximum time allowed from the start of Safety Task execution to its completion. Exceeding the Safety Task Watchdog triggers a non-recoverable safety fault.
   Standard Component: Any object (task, tag, program, etc.) that is NOT marked as being a safety-related item.
   Standard Controller: As used in this document, standard controller refers generically to a ControlLogix controller.
   Symbolic Addressing: A method of addressing which provides an ASCII interpretation of the tag name.
   System Reaction Time: The worst-case time from a safety-related event, as input to the system or as a fault within the system, until the time that the system is in the safe state. System Reaction Time includes sensor and actuator Reaction Times as well as the Controller Reaction Time.
   Task: A scheduling mechanism for executing a program. A task provides scheduling and priority information for a set of one or more programs that execute based on certain criteria. Once a task is triggered (activated), all of the programs assigned (scheduled) to the task execute in the order in which they are displayed in the controller organizer.
   Timeout Multiplier: This value determines the number of messages that may be lost before declaring a connection error.
   Valid Connection: Safety connection is open and active with no errors.
   Notes
9. is triggered while the task is still executing from the previous trigger.
   Partnership: The Primary Controller and Safety Partner must both be present, and the hardware and firmware must be compatible, for partnership to be established.
   Pending Edit: A change to a routine that has been made in RSLogix 5000 software but has not yet been communicated to the controller by accepting the edit.
   Periodic Task: A task that is triggered by the operating system at a repetitive period of time. Whenever the time expires, the task is triggered and its programs are executed. Data and outputs established by the programs in the task retain their values until the next execution of the task or until they are manipulated by another task. Periodic tasks always interrupt the continuous task.
   Primary Controller: The processor in a dual-processor controller that performs standard controller functionality and communicates with the Safety Partner to perform safety-related functions.
   Recoverable Fault: A fault which, when properly handled by the fault handling mechanisms provided by the GuardLogix controller and implemented by the user, does not force user logic execution to be terminated.
   Requested Packet Interval (RPI): When communicating over a network, this is the maximum amount of time between subsequent production of input data.
   Routine: A
10. [Figure residue: Input Connection 1, Logic, Output Connection 1, Module Output 0.]
   Logix System Reaction Time: The following sections provide information on calculating the Logix System Reaction Time for a simple input/logic/output chain and for a more complex application using produced/consumed safety tags in the logic chain.
   Simple Input/Logic/Output Chain. Figure B.2 Logix System Reaction Time for Simple Input/Logic/Output Chain [figure labels: 1756-L62S, 1756-DNB, 1756-ENBT, DeviceNet; 1 Input Module, 2 Input Connection, 4 Output Connection, 5 Output Module]. The Logix System Reaction Time for any simple input/logic/output chain consists of the following five components:
   1. Input Module Delay Time
   2. Input data transfer time via the input connection
   3. Controller processing time (Logic)
   4. Output data transfer time via the output connection
   5. Output Module Delay Time
   To aid you in determining the reaction time of your particular control loop, a Microsoft Excel spreadsheet is available in the Tools folder of the RSLogix 5000 software CD.
   Logic Chain Using Produced/Consumed Safety Tags. Figure B.3 Logix System Reaction Time for Input/Controller A Logic/Controller B Logic/Output Chain
11. [Table A.2, continued] MOD, Modulo: determine the remainder after one value is divided by a second value. SQR, Square Root: calculate the square root of a value. NEG, Negate: take the opposite sign of a value. ABS, Absolute Value: take the absolute value of a value. GSV(2), Get System Value: get controller status information. SSV(2), Set System Value: set controller status information.
   (1) The length operand must be a constant when the COP instruction is used in a safety routine. (2) Refer to the GuardLogix Controllers User Manual, publication number 1756-UM020, for special considerations when using the GSV and SSV instructions.
   For detailed information on the instructions in the table above, refer to the Logix5000 Controllers General Instructions Reference Manual, publication 1756-RM003.
   Appendix B, Reaction Times
   System Reaction Time: To determine the system reaction time of any control chain, you must sum the reaction times of all of the components of the safety chain:
   System Reaction Time = Sensor Reaction Time + Logix System Reaction Time + Actuator Reaction Time
   Figure B.1 System Reaction Time [figure labels: Sensor Reaction Time; Input Reaction Time; Safety Task Reaction Time; Output Reaction Time; Actuator Reaction Time; Input Module]
12. [Table 1.3, continued: rows for 1756-L61S, 1756-L62S, 1756-LSP, 1791DS-IB12, 1791DS-IB8XOB8, 1791DS-IB4XOW4, 1756-A4/A7/A10/A13/A17, 1756-PA72, 1756-PA75, 1756-PB72, 1756-PB75, 1756-PA75R, 1756-PB75R; the column marks are not recoverable from the scan.]
   In an emergency stop function, NFPA 79-2002 requires that, as a final measure, electrical power is disconnected via electromechanical components. If the GuardLogix system, including safety I/O modules, does not provide an electromechanical output, you must fulfill the NFPA requirement through the use of additional electromechanical components.
   Agency Certifications: GuardLogix user documentation typically lists the agency certifications for which the products are approved. If a product has achieved agency certification, it is marked as such on the product labeling. Product certifications are listed in the product's specifications table, as shown in the example below.
   GuardLogix PFD and PFH Specifications
   Certification: UL, UL Listed Industrial Control Equipment; CSA, CSA Certified Process Control Equipment for Class I, Division 2, Group A, B, C, D Hazardous Locations; FM, FM Approved Equipment for use in Class I, Division 2, Group A, B, C, D Hazardous Locations; CE, European Uni
13. a safety application program.
   Check List for GuardLogix Application Program Development (Company; Site; Project definition). Columns: Number; Fulfilled (Yes/No); Comment.
   1. Are you using version 14 or higher of RSLogix 5000, the GuardLogix system programming software?
   2. Were the programming guidelines in Chapter 6 followed during creation of the safety application program?
   3. Does the safety application program contain only relay ladder logic?
   4. Does the safety application program contain only those instructions listed in Appendix A as suitable for safety application programming?
   5. Does the safety application program clearly differentiate between safety and standard tags?
   6. Are only safety tags used for safety routines?
   7. Have you verified that safety routines do not attempt to read from or write to standard tags?
   8. Have you verified that no safety tags are aliased to standard tags, and vice versa?
   9. Is each output safety tag correctly configured and connected to a physical output channel?
   10. Have you verified that all mapped tags have been conditioned in safety application logic?
   11. Have you defined the process parameters that are monitored by fault routines?
   12. Has the program been reviewed by an independent safety reviewer, if required?
   13. Has the review been documen
14. [Table A.2, continued] and test whether they are equal. NEQ, Not Equal To: test whether one value is not equal to a second value. LIM, Limit Test: test whether a value falls within a specified range. CLR, Clear: clear a value. COP(1), Copy: copy a value. Move: MOV, Move: copy a value. MVM, Masked Move: copy a specific part of an integer.
   Table A.2 Subset of General Logix Instruction Set (Type; Mnemonic; Name; Purpose)
   AND, Bitwise AND: perform bitwise AND operation. NOT, Bitwise NOT: perform bitwise NOT operation. OR, Bitwise OR: perform bitwise OR operation. XOR, Bitwise Exclusive OR: perform bitwise exclusive OR operation.
   Program Control: JMP, Jump To Label: jump over a section of logic that does not always need to be executed (skips to referenced label instruction). LBL, Label: labels an instruction so that it can be referenced by a JMP instruction. JSR, Jump to Subroutine: jump to a separate routine. RET, Return: return the results of a subroutine. SBR, Subroutine: pass data to a subroutine. TND, Temporary End: mark a temporary end that halts routine execution. MCR, Master Control Reset: disable all the rungs in a section of logic. AFI, Always False Instruction: disable a rung. NOP, No Operation: insert a placeholder in the logic.
   Math: ADD, Add: add two values. SUB, Subtract: subtract two values. MUL, Multiply: multiply two values. DIV, Divide: divide two values. Compute
15. [Index excerpt] program: definition P-2; checklist C-5; download 6-8; editing life cycle 6-11; offline editing 6-10; online editing 6-10; upload 6-8. program compare utility 6-7. program identification 6-4. program verification 6-5. programming software 1-2. project confirmation 6-6. proof test interval, in PFD and PFH calculations 1-7. proof tests 1-2.
   Q: qualifying standard data 5-2.
   R: reaction time: safety task 1-10; system 1-9. recoverable fault, definition 1-2. recoverable faults 7-4. reliability burden 1-8. requested packet interval, definition 1-2. RSLogix 5000: changing your application program 6-9; commissioning life cycle 6-2; revision 1-4.
   S: safe failure fraction 1-7. safety application instructions A-1; definition 1-2. safety certifications and compliances 1-5. safety concept assumptions 6-1. safety consumed tags, safety network number 4-4. Safety Functions, DeviceNet Safety I/O 3-1. Safety Output 3-5. safety network number 4-2; definition 1-3; manual assignment 4-2; out-of-box modules 4-4; safety consumed tags 4-4. safety partner: configuration 2-2; definition 1-3; hardware overview 2-2; location 2-2. safety program 5-5; definition 1-3. safety routine 5-5; definition 1-3. Safety Signature: definition 1-3; deleting 6-5; generating 6-4; restricted operations 6-5. safety tags 5-1; definition 1-3; invalid data types 5-1. safety task: definition 1-4; execution 5-4; overview 5-3. safety task period 1-10. de
16. filled in for every single SIL output channel in a system. This is the only way to make sure that the requirements are fully and clearly implemented. This checklist can also be used as documentation on the connection of external wiring to the application program.
   Output Check List for GuardLogix System (Company; Site; Safety Function definition; SIL output channels in the ...). Columns: Number; All Output Module Requirements; Yes; No; Comment.
   1. Have you followed installation instructions and precautions to conform to applicable safety standards?(1)
   2. Have you performed functional verification tests on the modules?
   3. Have you uploaded and compared the configuration of each module to the configuration sent by the configuration tool?
   4. Have you verified that test outputs are not used as safety outputs?
   5. Are modules wired in compliance with CAT 4 according to EN 954-1?
   6. Have you verified that the electrical specifications of the output and the actuator are compatible?
   (1) For information on wiring your DeviceNet Safety I/O module, refer to the product documentation for your specific module.
   Checklist for Developing a Safety Application Program: Use the following checklist to help maintain safety when creating or modifying
17. installation, configuration, and troubleshooting, we offer TechConnect Support programs. For more information, contact your local distributor or Rockwell Automation representative, or visit http://support.rockwellautomation.com.
   Installation Assistance: If you experience a problem with a hardware module within the first 24 hours of installation, please review the information that's contained in this manual. You can also contact a special Customer Support number for initial help in getting your module up and running. United States: 1.440.646.3223, Monday to Friday, 8am to 5pm EST. Outside United States: Please contact your local Rockwell Automation representative for any technical support issues.
   New Product Satisfaction Return: We test all of our products to ensure that they are fully operational when shipped from the manufacturing facility. However, if your product is not functioning and needs to be returned: United States: Contact your distributor. You must provide a Customer Support case number (see phone number above to obtain one) to your distributor in order to complete the return process. Outside United States: Please contact your local Rockwell Automation representative for return procedure.
   Rockwell Automation, 777 East Wisconsin Avenue, Suite 1400, Milwaukee, WI 53202-5302 USA, Tel: (1) 414.212.5200, Fax: (1) 414.212.5201. Headquarters for Allen-Bradley Products, Rockwell Software Products and Global Manufacturing Soluti
18. is copied to a different hardware installation within the same routable CIP Safety system. IMPORTANT: If you assign SNNs manually, take care to ensure that system expansion does not result in duplication of SNN and Node Address combinations.
   Considerations for Assigning the SNN
   SNN for Safety Consumed Tags: When a safety controller that contains produced safety tags is added to the I/O Configuration tree, the SNN of the producing controller must be entered. The SNN may be copied from the producing controller's project and pasted into the new controller being added to the I/O Configuration tree. Refer to the GuardLogix Controllers User Manual, publication number 1756-UM020, for information on how to copy and paste an SNN.
   SNNs for Out-of-Box Modules: The new SNN of an out-of-box DeviceNet Safety I/O module is set in that module the first time that it is connected to the safety system and prior to the Safety Signature being applied to the GuardLogix controller project. IMPORTANT: To allow the SNN to be set in the I/O modules, connect to the DeviceNet Safety I/O module prior to applying the Safety Signature to the safety controller project. The SNN assignment will then be tested as part of the normal safety verification that occurs after the Signature is applied and before the s
19. only in a safety program, and that it consists of one or more instructions suitable for safety applications. See Appendix A for a list of Safety Application Instructions and standard Logix instructions that may be used in safety routine logic.
   Safety Signature: A value calculated by the firmware that uniquely represents the logic and configuration of the safety system. It is used to ensure the integrity of the safety application program during downloads to the controller.
   Safety Tags: A safety tag has all the attributes of a standard tag except that the GuardLogix controller provides mechanisms, certified to SIL 3, to ensure the integrity of their associated data. They can be program-scoped or controller-scoped.
   Safety Task: A Safety Task has all the attributes of a standard task except that it is valid only in a GuardLogix controller and that it may schedule only safety programs. Only one Safety Task can exist in a GuardLogix controller. The Safety Task must be a periodic (timed) task.
   Safety Task Period: The period at which the Safety Task executes.
   Safety Task Reaction Time: The sum of the Safety Task Period plus the Safety Task Watchdog. This time represents the worst-case delay from any input change presented to the GuardLogix controller until the processed output is available to the producing connection.
   Safety Task Watchdog:
20. the Safety Task Period and the Safety Task Watchdog.
   Safety Task Period and Safety Task Watchdog: The Safety Task Period is the period at which the Safety Task executes. The Safety Task Watchdog time is the maximum permissible time for Safety Task processing. If the cycle time exceeds the Safety Task Watchdog time, a non-recoverable safety fault occurs in the controller and outputs transition to the safe state (off) automatically. For more information on faults, see Chapter 7, Monitoring Status and Handling Faults. The Safety Task Watchdog time is user-defined but must be less than or equal to the Safety Task Period. The Safety Task Watchdog time is set in the task properties window of RSLogix 5000 software. This value can be modified online regardless of controller mode, but it cannot be changed once the controller is Safety Locked or once a Safety Signature is created. See Chapter 6 for more information on Safety Lock and the Safety Signature. For information on calculating the safety system reaction times, see Appendix B, Reaction Times.
   Contact Information When a Device Failure Occurs: When a failure occurs, contact your local Rockwell Automation distributor. With this contact you can:
   - return the device to Rockwell Automation so the failure is appropriately logged for the catalog number affected and a record is made of the failure;
   - request a failure analysis (if necessary) to try to determine the cause o
21. [Flowchart residue: Fill out the Safety Checklists in Appendix C; Safety Validation; Independent Review; Project Valid? Yes; Lock the Controller; End.]
   Specification of the Control Function: You must create a specification for your control function. Use this specification to verify that program logic correctly and fully addresses your application's functional and safety control requirements. The specification may be presented in a variety of formats, depending on your application. However, the specification must be a detailed description that includes (if applicable):
   - Sequence of operations
   - Flow and timing diagrams
   - Sequence charts
   - Program description
   - Program print-out
   - Verbal descriptions of the steps with step conditions and actuators to be controlled, including input definitions, output definitions, I/O wiring diagrams and references (theory of operation)
   - Matrix or table of stepped conditions and the actuators to be controlled, including the sequence and timing diagrams
   - Definition of marginal conditions, for example operating modes, EMERGENCY STOP, etc.
   The I/O portion of the specification must contain the analysis of field circuits, that is, the type of sensors and actuators:
   - Sensors (Digital or Analog): Signal in standard operation (dormant current principle for digital sensors; sensors OFF means no signa
22. [Index excerpt] Numerics: 1756-A10 1-4, 1-5; 1756-A13 1-4, 1-5; 1756-A17 1-4, 1-5; 1756-A4 1-4, 1-5; 1756-A7 1-4, 1-5; 1756-DNB: firmware revision 1-4, hardware overview 2-3; 1756-ENBT: firmware revision 1-4, hardware overview 2-3; 1756-PA72 1-4, 1-5; 1756-PA75 1-4, 1-5; 1756-PA75R 1-4, 1-5; 1756-PB72 1-4, 1-5; 1756-PB75 1-4, 1-5; 1756-PB75R 1-4, 1-5.
   A: agency certifications 1-6. application development basics 6-1. application program, see program.
   C: certifications 1-5. chassis: catalog numbers 1-4; hardware overview 2-2. checklist: GuardLogix controller system 2-4, C-2; program development C-5; SIL 3 inputs C-3; SIL 3 outputs C-4. CIP safety protocol: definition 1-1; overview 2-3; routable system 4-1. commissioning life cycle 6-2. communication bridges, hardware overview 2-3. communication modules, catalog numbers 1-4. configuration signature 3-6. connection status 7-2. CONNECTION_STATUS data type 7-1. contact information 1-10. control and information protocol, definition P-2. control function specification 6-3.
   D: DeviceNet Safety, communications overview 2-4. DeviceNet Scanner Interface Module, hardware overview 2-3. diagnostic coverage, definition P-2.
   E: EN954-1 CAT 4 P-1, 1-1. EtherNet/IP, communications overview 2-3. EtherNet/IP Communication Interface Module, hardware overview 2-3. European norm, definition P-2.
   F: failure, contact information 1-10. faults: non-recoverable controller faults 7-3; non-recoverable safety faults 7-3; overridin
23. [Table 1.2, continued: Device Type; Catalog Number; Description; Series; Version; Installation Instructions; User Manual]
   Power Supply: 1756-PA72, AC power supply, C, NA; 1756-PB72, DC power supply, C, NA; 1756-IN596; 1756-PA75, AC power supply, B, NA; 1756-PB75, DC power supply, B, NA; 1756-PA75R, AC redundant power supply, A, NA; 1756-IN573; 1756-PB75R, DC redundant power supply, A, NA.
   Communication Modules: 1756-ENBT, EtherNet Bridge Module, A, 3.6, 1756-IN019, ENET-UM001; 1756-DNB, DeviceNet Bridge Module, A, 6.2, 1756-IN566, DNET-UM004.
   Programming Software(1): 9324-xxxx, RSLogix 5000, NA, 14 or higher, NA, consult Online Help.
   (2) These publications are available from Rockwell Automation by visiting www.rockwellautomation.com/literature.
   TIP: Slots of a SIL 3 system chassis not used by the SIL 3 system may be populated with other ControlLogix modules that are certified to the Low Voltage and EMC Directives. Refer to www.ab.com/certification/ce to find the certificate for the Programmable Control ControlLogix Product Family.
   Safety Certifications and Compliances: Table 1.3 lists the Logix products referenced in this manual and the safety certifications/compliances for which these products are approved when they are so marked.
   Table 1.3 Product Certifications (columns: Catalog Number; UL508; CSA C22.2 No. 142; CSA C22.2 No. 213; CSA C22.2 No. 1010; FM 3600 / FM 3611; IEC 61131-2; IEC 61508 SIL3; EN954-1 Cat 4; ANSI RIA 15.06-1999; NFPA 79). Rows: 1756-DNB X X X X; 1756-ENBT X X X
24. Allen-Bradley GuardLogix Controller Systems, Catalog Numbers 1756-L61S, 1756-L62S, 1756-LSP. Safety Reference Manual. Rockwell Automation.
   Important User Information: Solid state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelines for the Application, Installation and Maintenance of Solid State Controls (Publication SGI-1.1, available from your local Rockwell Automation sales office or online at http://www.ab.com/manuals/gi) describes some important differences between solid state equipment and hard-wired electromechanical devices. Because of this difference, and also because of the wide variety of uses for solid state equipment, all persons responsible for applying this equipment must satisfy themselves that each intended application of this equipment is acceptable. In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment. The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams. No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, o
[Figure 1-3 Reliability Burden, continued: Input Module, Controller, Output Module, Actuator (50% of the PFD)]

System Reaction Time

The system reaction time is the amount of time from a safety-related event as input to the system until the system is in the safe state. Faults within the system can also have an effect upon the reaction time of the system. The system reaction time is the sum of the following reaction times:

  Sensor Reaction Time + Input Reaction Time + Safety Task Reaction Time + Output Reaction Time + Actuator Reaction Time

Each of the times listed above is variably dependent on factors such as the type of I/O module and the instructions used in the program. For a list of the available safety instructions, see Appendix A in this publication. For a full description of safety instruction logic, operation and execution, refer to the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095. For a full description of standard instruction logic, operation and execution, refer to the Logix5000 Controllers General Instruction Set Reference Manual, publication 1756-RM003.

Safety Task Reaction Time

The Safety Task Reaction Time is the worst-case delay from any input change presented to the controller until the processed output is set by the output producer. It is less than or equal to the sum of
SIL 3 certified GuardLogix components. Table 1-2 lists non-SIL 3 certified components that may be used with SIL 3 GuardLogix systems. For the most current list of GuardLogix and DeviceNet Safety I/O certified series and firmware revisions, see www.ab.com/certification/safety. Firmware revisions are available by visiting www.support.rockwellautomation.com (ControlFlash).

Table 1-1 SIL 3 Certified GuardLogix Components

  Device type                 Catalog number   Description                                            Installation instructions   User manual
  Primary Controller          1756-L61S        ControlLogix556xS controller with 2 MB memory          1756-IN045                  1756-UM020
                              1756-L62S        ControlLogix556xS controller with 4 MB memory          1756-IN045                  1756-UM020
  Safety Partner              1756-LSP         ControlLogix55SP safety partner                        1756-IN045                  1756-UM020
  DeviceNet Safety I/O        1791DS-IB12      DeviceNet Safety input module                          1791DS-IN001                1791DS-UM001
  modules                     1791DS-IB8XOB8   DeviceNet Safety input / solid-state output module     1791DS-IN001                1791DS-UM001
                              1791DS-IB4XOW4   DeviceNet Safety input / relay output module           1791DS-IN001                1791DS-UM001

1. These publications are available from Rockwell Automation at www.rockwellautomation.com/literature.

Table 1-2 Components Suitable for Use With SIL 3 Systems

  Device type      Catalog number                      Description   Series   Version   Installation instructions   User manual
  Chassis          1756-A4, -A7, -A10, -A13, -A17      Chassis       B        NA        1756-IN080                  none available for these catalog numbers
  Power supplies   (continued below)
...Safety protocol allows the routing of CIP Safety messages to and from CIP Safety devices through non-certified bridges, switches and routers. To prevent errors in non-certified bridges, switches or routers from becoming dangerous, each end node within a routable CIP Safety Control System must have a unique node reference. The unique node reference is a combination of a Safety Network Number (SNN) and the Node Address of the node.

Safety Network Number

The Safety Network Number (SNN) is assigned by a software configuration tool or by the user. Each DeviceNet network that contains safety nodes must have at least one unique SNN. Each ControlBus chassis that contains one or more safety devices must have at least one unique SNN. Safety Network Numbers assigned to each safety network or network sub-net must be unique.

TIP: Multiple SNNs can be assigned to a DeviceNet subnet or a ControlBus chassis that contains more than one safety device. However, for simplicity, we recommend that each DeviceNet subnet have one and only one unique SNN. This is also the case for each ControlBus chassis.

[Figure 4-2 CIP Safety Example with SNNs: networks joined by a router and a firewall; GuardPLC and GuardLogix controllers and safety I/O on subnets labelled SNN_1 through SNN_5]
The safety signature is composed of an ID (identification number), date and time.

You can generate the Safety Signature if all of the following conditions are true:
  - the controller is online
  - the controller is in Program mode
  - the controller is Safety Unlocked
  - the controller has no safety forces or pending online safety edits
  - the Safety Task status is OK

Once application program testing is complete, you must generate the Safety Signature. The programming software automatically uploads the Safety Signature after it is generated.

IMPORTANT: To verify the integrity of every download, you must manually record the Safety Signature after initial creation and check the Safety Signature after every download to ensure that it matches the original.

You can delete the Safety Signature only when the GuardLogix controller is Safety Unlocked and the controller is not in Run mode (keyswitch in the RUN position).

When a Safety Signature exists, the following actions are not permitted within the Safety Task:
  - online or offline programming or editing
  - forcing Safety I/O
  - data manipulation, except through routine logic

Project Verification Test

To check the application program for adherence to the specification, you must generate a suitable set of test cases covering the application. The set of test cases must be filed and retained as the test specification. You must include a set of tes
Each CIP Safety device must be configured with an SNN. Any device that originates a safety connection to another safety device must be configured with the SNN of the target device. If the CIP Safety System is in the start-up process, prior to the functional safety testing of the system, the originating device may be used to set the unique node reference into the device.

The SNN used by the system is a six-byte hexadecimal number. The SNN can be set and viewed in one of two formats: time-based or manual. When the time-based format is selected, the SNN represents a localized date and time. When the manual format is selected, the SNN represents a network type and a decimal value from 1 to 9999.

[Figure 4-3 SNN Formats: the Time-based dialog shows a generated number such as 2E80_02EB_5143 (Hex); the Manual dialog shows the network type (1756 Backplane), the decimal number 9999 and the resulting number 0001_0000_270F (Hex). Both dialogs offer Generate, Copy, Cancel and Help.]

The assignment of a time-based SNN is automatic when creating a new GuardLogix Safety Controller project and adding new Safety I/O modules. Manual manipulation of SNNs is required in the following situations:
  - if safety consumed tags are used
  - if the project will consume safety input data from a module whose configuration is owned by some other device
  - if a safety project
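The six-byte SNN, its manual format and the unique node reference (SNN plus node address) described above can be checked with a small script. The following Python is an added example, not Rockwell code and not part of this manual. It assumes, from the dialog value 0001_0000_270F shown for decimal 9999 (0x270F), that the manual format stores the network type code in the first 16-bit word, zero in the middle word and the decimal number in the last word; the code 1 for "1756 Backplane", the way the node address is appended as one byte, and the sample nodes are likewise assumptions.

```python
"""Safety Network Number (SNN) and unique node reference checks.

Added example, not Rockwell code. Field layout of the manual-format SNN
is assumed from the dialog value 0001_0000_270F (network type 1, decimal
9999 = 0x270F): word 0 = network type code, word 1 = 0, word 2 = number.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SNN_PATTERN = re.compile(r"^[0-9A-Fa-f]{4}_[0-9A-Fa-f]{4}_[0-9A-Fa-f]{4}$")
NETWORK_TYPES = {1: "1756 Backplane"}   # assumed code; extend for your tool


def parse_snn(snn: str) -> bytes:
    """Return the six raw bytes of an SNN written as XXXX_XXXX_XXXX."""
    if not SNN_PATTERN.match(snn):
        raise ValueError(f"SNN must be six bytes as XXXX_XXXX_XXXX, got {snn!r}")
    return bytes.fromhex(snn.replace("_", ""))


def manual_snn(network_type: int, number: int) -> str:
    """Build a manual-format SNN; the decimal number is limited to 1..9999."""
    if not 1 <= number <= 9999:
        raise ValueError("manual SNN number must be between 1 and 9999")
    if not 0 <= network_type <= 0xFFFF:
        raise ValueError("network type code does not fit in 16 bits")
    return f"{network_type:04X}_0000_{number:04X}"


def decode_manual_snn(snn: str):
    """Return (network_type, number) for a manual-format SNN, else None.

    A time-based SNN (a localized date and time) does not follow the
    assumed manual layout and is reported as None rather than guessed at.
    """
    raw = parse_snn(snn)
    net = int.from_bytes(raw[0:2], "big")
    middle = int.from_bytes(raw[2:4], "big")
    number = int.from_bytes(raw[4:6], "big")
    if middle != 0 or not 1 <= number <= 9999:
        return None
    return net, number


@dataclass(frozen=True)
class SafetyNode:
    subnet: str        # DeviceNet subnet or ControlBus chassis name
    snn: str
    node_address: int  # DeviceNet MAC ID or chassis slot


def unique_node_reference(node: SafetyNode) -> bytes:
    """SNN followed by the node address (appended as one byte; assumption)."""
    if not 0 <= node.node_address <= 0xFF:
        raise ValueError("node address must fit in one byte")
    return parse_snn(node.snn) + bytes([node.node_address])


def check_system(nodes) -> list:
    """Report unique-node-reference collisions and SNNs reused across subnets.

    Both are conditions the manual forbids: every end node in a routable
    CIP Safety system needs a unique SNN + node address, and each safety
    subnet or chassis must carry its own SNN.
    """
    problems = []
    by_ref = defaultdict(list)
    subnets_by_snn = defaultdict(set)
    for node in nodes:
        by_ref[unique_node_reference(node)].append(node)
        subnets_by_snn[node.snn].add(node.subnet)
    for ref, members in by_ref.items():
        if len(members) > 1:
            where = ", ".join(f"{m.subnet}:{m.node_address}" for m in members)
            problems.append(f"duplicate unique node reference {ref.hex()} on {where}")
    for snn, subnets in subnets_by_snn.items():
        if len(subnets) > 1:
            problems.append(f"SNN {snn} is shared by subnets {sorted(subnets)}")
    return sorted(problems)


# Constructed sample system (not from the manual): one chassis and two
# DeviceNet subnets; DNet_2 wrongly reuses DNet_1's SNN and node address 5.
SAMPLE_NODES = [
    SafetyNode("Chassis_A", manual_snn(1, 1), 0),   # 0001_0000_0001
    SafetyNode("DNet_1", "2E80_02EB_5143", 5),       # time-based SNN
    SafetyNode("DNet_1", "2E80_02EB_5143", 6),
    SafetyNode("DNet_2", "2E80_02EB_5143", 5),       # reused SNN and address
]

if __name__ == "__main__":
    for problem in check_system(SAMPLE_NODES):
        print(problem)
```

The check is worth running against an exported I/O tree before commissioning: a duplicated unique node reference is exactly the condition that lets a message mis-forwarded by a non-certified bridge be accepted by the wrong end node.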
...safety system is authorized.

SNN for Safety Module with a Different Configuration Owner

When a safety I/O module whose configuration is owned by some other device is added to the I/O Configuration tree, an SNN will automatically be assigned by RSLogix 5000. If the module's configuration owner had already assigned an SNN to the module or network, the original SNN will need to be re-entered on the module's Safety Network Number dialog. Refer to the GuardLogix Controllers User Manual, publication number 1756-UM020, for information on changing, copying and pasting Safety Network Numbers.

SNNs when Copying a Safety Project

If a safety project is copied to another project intended for a different hardware installation, and that installation may reside within the same routable CIP Safety System, the SNN must be changed as described in the GuardLogix Controllers User Manual, publication number 1756-UM020, to ensure that the SNN is not repeated.

Chapter 5 Characteristics of Safety Tags, the Safety Task and Safety Programs

Differentiating Between Standard and Safety

Both standard (non-safety-related) and safety-related components can be used in the GuardLogix Control System. However, you must make a
Input data transfer time via the input connection:
  - input module settings for RPI, Timeout Multiplier and Delay Multiplier (1)
  - the amount of network communication traffic
  - the system's EMC environment

Controller processing time:
  - Safety Task Period setting
  - Safety Task Watchdog setting
  - the number and execution time of instructions in the Safety Task
  - any higher-priority tasks that may pre-empt Safety Task execution

Produced/consumed tag data transfer time via the produced/consumed connection:
  - consumed tag settings for RPI, Timeout Multiplier and Delay Multiplier (2)
  - the amount of network communication traffic
  - the system's EMC environment

Output data transfer time via the output connection:
  - Safety Task Period setting
  - output module settings for Timeout Multiplier and Delay Multiplier (1)
  - the amount of network communication traffic
  - the system's EMC environment
  - Output Module Delay time
  - type of output module

1. These settings are available in RSLogix 5000 by pressing the Advanced button on the Safety tab of the Module Properties dialog.
2. These settings are available in RSLogix 5000 by pressing the Advanced button on the Safety tab of the Consumed Tag Safety Data dialog.

For more information: the GuardLogix Controllers User Manual, publication number 1756-UM020, contains information on configuring delay times and reaction time limits.
Table of Contents (continued)

Chapter 6 Safety Application Development (continued)
  ...  6-9
  Inhibiting a Module  6-9
  Changing Your Application Program  6-9
  Performing Offline Edits  6-10
  Performing Online Edits  6-10
  Editing Your Project  6-11

Chapter 7 Monitoring Status and Handling Faults
  Monitoring System Status  7-1
  CONNECTION_STATUS Data  7-1
  Get System Value (GSV) and Set System Value (SSV) Instructions  7-2
  GuardLogix System Faults  7-3
  Non-Recoverable Controller Faults  7-3
  Non-Recoverable Safety Faults  7-3
  Recoverable Faults  7-4

Appendix A Safety Instructions
  Safety Application Instructions  A-1
  Standard Instruction Subset  A-2

Appendix B Reaction Times
  System Reaction Time  B-1
  Logix System Reaction Times  B-1
  Simple Input-Logic-Output Chain  B-2
  Logic Chain Using Produced/Consumed Safety Tags  B-3
  Factors Affecting Logix System Reaction Time  B-4

Appendix C Checklists for GuardLogix Safety Applications
  Checklist for GuardLogix Controller System  C-2
  Checklist for DeviceNet Safety Inputs  C-3
  Checklist for DeviceNet Safety Outputs  C-4
...application program to latch these I/O point failures and ensure proper restart behavior.

I/O Module Connection Status

A CIP Safety system provides connection status for each I/O device in the safety system. If an input connection failure is detected, the operating system sets all associated inputs to their de-energized (Safe) state and reports the failure to the ladder logic. If an output connection failure is detected, the operating system can only report the failure to the ladder logic; the outputs are de-energized by the output module.

IMPORTANT: Ladder logic must be included in the application program to monitor and latch any connection failures and ensure proper restart behavior.

How to Latch and Reset Faulted I/O

The diagrams in Figure 3-1 and Figure 3-2 provide examples of the ladder logic required to latch and reset an I/O module connection or point failure. Figure 3-1 shows the ladder logic required for an input point. Figure 3-2 shows the ladder logic required for an output point.

IMPORTANT: Both of these diagrams are examples and are for illustrative purposes only. The suitability of this logic depends upon your specific system requirements.

Figure 3-1 Example Ladder Logic to Latch and Reset an Input
[ladder diagram]
...between GuardLogix controllers is possible via EtherNet/IP through the use of 1756-ENBT bridge modules.

[Figure 2-1 Peer-to-Peer Communication via 1756-ENBT and EtherNet/IP: Controller A and Controller B, each with a 1756-ENBT in its chassis, connected over EtherNet/IP]

TIP: Peer-to-peer safety communication between two GuardLogix controllers in the same chassis is also possible via the backplane.

[Figure: two 1756-L62S controllers in one chassis communicating over the backplane]

DeviceNet Safety

The 1756-DNB DeviceNet Interface module lets the GuardLogix controller control and exchange data with DeviceNet Safety I/O modules.

[Figure 2-2 DeviceNet Communications via 1756-DNB: a 1756-L62S and a 1756-DNB in the chassis, DeviceNet Safety I/O modules on the DeviceNet network]

RSLogix 5000 Programming Software

The programming software for the GuardLogix Controller is RSLogix 5000, version 14.x or higher. RSLogix 5000 is not safety certified. RSLogix 5000 is used to define the location, ownership and configuration of I/O modules and controllers. The software is also used for creation, testing and debugging of application logic. Initially, only relay ladder logic is supported in the GuardLogix Safety Task. See Appendix A for information on the set of logic instructions available for safety appl
...circuit to prevent automatic restart if the standard input (the mapped tag) fails in a stuck-at-1 state.

Understanding the Safety Task

Creation of a GuardLogix project automatically creates a single Safety Task. The Safety Task has these additional characteristics:
  - The GuardLogix controller is the only controller that supports the Safety Task.
  - The Safety Task cannot be deleted or inhibited.
  - The GuardLogix controller supports a single Safety Task.
  - Within the Safety Task, you can schedule multiple safety programs composed of multiple safety routines.
  - You cannot schedule or execute standard routines from within the Safety Task.

The Safety Task is a periodic (timed) task with a user-selectable task priority and watchdog. It should be the controller's top priority, and the user-defined program watchdog must be set to accommodate fluctuations in the execution of the Safety Task.

Safety Task Limitations

You specify both the Safety Task Period and the Safety Task Watchdog. The Safety Task Period is the period at which the Safety Task executes. The Safety Task Watchdog is the maximum time allowed from the start of Safety Task scheduled execution to its completion. For more information on the Safety Task Watchdog, see Appendix B, Reaction Times.

The Safety Task Period is limited to a maximum
  Checklist for Developing a Safety Application Program  C-5

Glossary

Index

Preface

Introduction

This manual is intended to describe the GuardLogix Controller system, which is type-approved and certified for use in safety applications up to and including SIL 3 according to IEC 61508, and applications up to and including category CAT 4 according to EN 954-1. You must read and understand the safety concepts and requirements presented in this manual prior to operating a GuardLogix controller-based safety system.

Manual Set-Up

This manual explains how the GuardLogix Control System can be used in safety applications up to and including SIL 3 according to IEC 61508 and applications up to and including category CAT 4 according to EN 954-1. The following table describes the information available in each section.

  Section      Title                                                    Description
  Chapter 1    SIL Concept                                              Introduction to the SIL concept and how it relates to the GuardLogix Control System.
  Chapter 2    GuardLogix Controller System                             Brief overview of the main components of the SIL 3 capable GuardLogix Control System.
  Chapter 3    DeviceNet Safety I/O for the GuardLogix Control System   Discussion of safety I/O for use in the GuardLogix Control System.
  Chapter 4    Understanding CIP Safety and the Saf
  Information on the GuardLogix Safety Application Instruction Set   GuardLogix Safety Application Instruction Set Reference Manual   1756-RM095
  Information on installing DeviceNet Safety I/O modules              DeviceNet Safety I/O Installation Instructions                   1791DS-IN001
  Information on using DeviceNet Safety I/O modules                   DeviceNet Safety I/O User Manual                                 1791DS-UM001
  Information on the Logix5000 instruction set                        Logix5000 General Instruction Set Reference Manual               1756-RM003
  Information on programming Logix5000 controllers                    Logix Common Procedures Programming Manual                       1756-PM001
  Information on using the RSLogix 5000 Import/Export utility         Logix Import/Export Reference Manual                             1756-RM084

If you would like a manual, you can:
  - download a free electronic version from the internet at www.rockwellautomation.com/literature
  - purchase a printed manual by contacting your local Allen-Bradley distributor or Rockwell Automation sales office

Chapter 1 SIL Concept

This chapter introduces you to the Safety Integrity Level (SIL) concept and how the GuardLogix Controller meets the requirements for SIL 3 certification.

  For information about                               See page
  SIL 3 Certification                                 1-1
  Functional Verification Tests                       1-2
  GuardLogix Architecture for SIL 3 Applications      1-3
  GuardLogix System Compo
The GuardLogix controller has a functional verification test interval of 15 years. Other components of the system, such as Safety I/O modules, sensors and actuators, generally have shorter functional verification test intervals. The controller should be included in the functional verification testing of the other components in the safety system.

Users' specific applications determine the timeframe for the functional verification test interval. However, this is mainly related to Safety I/O modules and field instrumentation.

GuardLogix Architecture for SIL 3 Applications

The following illustration shows a typical SIL function, including:
  - the overall safety function
  - the GuardLogix portion of the overall safety function
  - how other devices, for example HMI, are connected while operating outside the function

[Figure 1-1 Typical SIL Function: programming software and an HMI (read-only access to safety tags) on the plant-wide Ethernet, outside the SIL 3 GuardLogix certified function; inside the overall safety function, the SIL 3 GuardLogix system connected via CIP Safety over DeviceNet Safety to DeviceNet Safety I/O, sensors and actuators; connections to non-safety-related systems lie outside the GuardLogix SIL 3 certified function]

GuardLogix System Components

Table 1-1 lists the
Reaction Time

Figure 3-2 Example Ladder Logic to Latch and Reset an Output
[ladder diagram; labels: Output Module Connection Faulted, Output Point Status, Output Faulted Internal Tag, Fault Reset, Fault Reset Oneshot Tag, ONS, U (unlatch), user-defined logic to activate output, Output Point Data]

The ladder logic in Figure 3-2 has the same latch-and-reset concept as that shown in Figure 3-1. The first rung latches an internal indication that either the module connection or the specific output point has failed. The second rung resets the internal indication, but only if the fault has been repaired and only on the rising edge of the Fault Reset signal. This prevents the safety function from automatically restarting if the reset signal gets stuck on. The third rung includes application-specific logic to drive the state of an output point. This logic is conditioned by the output faulted internal indicator.

The input reaction time is the time from when an input signal is changed to when network data is sent. The output reaction time is the time from when a network signal is received to when the state of the output terminal is changed. For information on determining the input and output reaction times, refer to the product documentation for your specific DeviceNet Safety I/O module.
[ladder diagram; labels: Input Module Connection Faulted, Input Point Status, Input Faulted Internal Tag, Fault Reset, Fault Reset Oneshot Tag, ONS, U (unlatch), Input Point Data, Output Internal Tag]

The first rung latches an internal indication that either the module connection or the specific input point has failed. The second rung resets the internal indication, but only if the fault has been repaired and only on the rising edge of the Fault Reset signal. This prevents the safety function from automatically restarting if the Fault Reset signal gets stuck on. The third rung shows the input point data used in combination with the internal fault indication to control an output. The output is internal data that may be used in combinational logic later to drive an actual output. If an actual output is used directly, it may or may not require logic similar to that shown in Figure 3-2 for latching and resetting output connection failures.

The Fault Reset contact shown in these examples is typically activated as a result of operator action. The Fault Reset could be derived as a result of combinational logic or directly from an input point, in which case it may or may not require conditioning of its own.
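The three rungs described for Figure 3-1 and Figure 3-2 can be modelled scan by scan to see why the placement of the one-shot matters. The Python below is an added example and is not the manual's ladder logic: it implements the behaviour the text describes (latch on a connection or point fault; unlatch only once the fault is repaired and only on a rising edge of Fault Reset; point data conditioned on the latch) and, for contrast, a variant in which the one-shot is taken on the whole rung-in condition rather than on the Fault Reset signal alone, which lets a stuck-on reset restart the function after a second fault. Tag names, contact ordering and the scan sequence are assumptions.

```python
"""Scan-cycle model of the latch/reset rungs for a faulted I/O point.

Added example, not the manual's ladder logic. Models one input (or output)
point: Rung 1 latches an internal fault tag, Rung 2 unlatches it on a
rising edge of Fault Reset once the fault is repaired, Rung 3 conditions
the point's data on the latch.
"""
from dataclasses import dataclass


class OneShot:
    """ONS: passes the rung-in condition only on its false-to-true transition."""

    def __init__(self) -> None:
        self.previous = False

    def __call__(self, condition: bool) -> bool:
        fired = condition and not self.previous
        self.previous = condition
        return fired


@dataclass
class ScanInputs:
    connection_faulted: bool   # connection status for the module
    point_status_ok: bool      # per-point status bit from the module
    fault_reset: bool          # operator reset signal
    point_data: bool           # the safety input (or user logic for an output)


class FaultLatch:
    """Rungs 1-3. one_shot_on_reset=True is the behaviour the text requires."""

    def __init__(self, one_shot_on_reset: bool = True) -> None:
        self.faulted = False            # Input/Output Faulted Internal Tag
        self.ons = OneShot()            # Fault Reset Oneshot Tag
        self.one_shot_on_reset = one_shot_on_reset

    def scan(self, s: ScanInputs) -> bool:
        # Rung 1: OTL the internal tag if the connection or the point failed.
        if s.connection_faulted or not s.point_status_ok:
            self.faulted = True
        # Rung 2: OTU only if repaired AND on the rising edge of Fault Reset.
        repaired = not s.connection_faulted and s.point_status_ok
        if self.one_shot_on_reset:
            # ONS sees the reset signal alone; a reset held on never re-fires.
            if self.ons(s.fault_reset) and repaired:
                self.faulted = False
        else:
            # Variant for contrast: ONS on the whole rung-in condition. When a
            # second fault clears while reset is still held on, the rung-in
            # condition itself rises and the latch is cleared automatically.
            if self.ons(repaired and s.fault_reset):
                self.faulted = False
        # Rung 3: point data is only honoured while no fault is latched.
        return s.point_data and not self.faulted


# Constructed scenario (not from the manual): a fault, a valid reset, then a
# second fault that is repaired while the operator keeps the reset pressed.
SCENARIO = [
    ScanInputs(False, True, False, True),   # 1 healthy, running
    ScanInputs(True,  True, False, True),   # 2 connection drops -> latch
    ScanInputs(False, True, True,  True),   # 3 repaired, reset rises -> clear
    ScanInputs(False, True, True,  True),   # 4 reset still held
    ScanInputs(True,  True, True,  True),   # 5 second fault -> latch
    ScanInputs(False, True, True,  True),   # 6 repaired, reset stuck on
    ScanInputs(False, True, False, True),   # 7 reset released
    ScanInputs(False, True, True,  True),   # 8 new rising edge -> clear
]


def run_scenario(one_shot_on_reset: bool = True):
    """Return the Rung 3 output for every scan of SCENARIO."""
    latch = FaultLatch(one_shot_on_reset)
    return [latch.scan(s) for s in SCENARIO]


if __name__ == "__main__":
    print("text's behaviour  :", run_scenario(True))
    print("ONS on whole rung :", run_scenario(False))
```

Scan 6 is the case the text warns about: with the one-shot on the reset signal the point stays off until the operator releases and re-presses reset, whereas the contrast variant restarts the function on its own the moment the second fault clears.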
...ed on the Safety tab of the Controller Properties dialog.

[Controller Properties dialog, Safety tab: Safety Application: Unlocked (Safety Lock/Unlock button); Safety Status; Safety Signature: ID none, Date, Time (Delete button); When replacing Safety I/O: Configure Only When No Safety Signature Exists / Configure Always]

Which option you choose depends upon whether any portion of the CIP Safety System is being relied upon to maintain SIL 3 behavior during the replacement and functional testing of the module, as described below.

ATTENTION: Enable the Configure Always feature only if the entire routable CIP Safety Control System is not being relied on to maintain SIL 3 behavior during the replacement and functional testing of a module. If other parts of the CIP Safety Control System are being relied upon to maintain SIL 3, ensure that the controller's Configure Always feature is disabled. Do not place any modules in the Out-of-Box condition on any CIP Safety Network when the Configure Always feature is enabled, except while following the module replacement procedure in the GuardLogix Controllers User Manual, pub
  - ...power supply
  - 1756-PB72 DC power supply
  - 1756-PB75 DC power supply
  - 1756-PA75R AC power supply (redundant)
  - 1756-PB75R DC power supply (redundant)
  - 1756-PSCA or 1756-PSCA2 redundant power supply chassis adapter (required for use with redundant power supplies)

No extra configuration or wiring is required for SIL 3 operation of the ControlLogix power supplies. Any failure, though unlikely, would be detected as a failure by one or more of the active components of the GuardLogix system. Therefore the power supply is not relevant to the safety discussion.

CIP Safety Protocol Communication Bridges

Safety-related communication between GuardLogix controllers takes place via produced and consumed safety tags. These safety tags use the CIP Safety protocol, which is designed to preserve data integrity during communication. For more information on safety tags, see Chapter 5, Characteristics of Safety Tags, the Safety Task and Safety Programs.

The following communication interface modules are available to facilitate communication over EtherNet/IP and DeviceNet networks via the CIP Safety protocol:
  - 1756-ENBT EtherNet/IP Communication Interface Module
  - 1756-DNB DeviceNet Interface Module

Due to the design of the CIP Safety control system, CIP Safety bridge devices like the 1756-ENBT and 1756-DNB are not required to be SIL 3 certified.

EtherNet/IP

Peer-to-peer safety communication
  Chapter 4    Understanding CIP Safety and the Safety Network Number                  Defines the Safety Network Number and provides guidelines for its use.
  Chapter 5    Characteristics of Safety Tags, the Safety Task and Safety Programs     Defines safety tags and provides guidelines for their use. Describes the Safety Task, safety programs and safety routines.
  Chapter 6    Safety Application Development                                          Outlines the safety concept of the system; discusses the safety requirements affecting application program development, editing, upload, download, validation and security. It also covers forcing data and inhibiting the controller and I/O.
  Chapter 7    Monitoring Status and Handling Faults                                   Information on monitoring system status and explanations of fault types.
  Appendix A   Safety Instructions                                                     Mnemonics for the Safety Application Instruction Set and acceptable standard Logix instructions.
  Appendix B   Reaction Times                                                          Calculations and explanations of system and controller reaction times.
  Appendix C   Checklists for GuardLogix Safety Applications                           Checklists for the GuardLogix system, I/O and application program development.
  Glossary                                                                             Definition of the terms used in this manual.

Understanding Terminology

The following table defines acronyms used in this manual.

  Acronym   Full term                     Definition
  1oo2      One Out of Two                Refers to the behavioral design of a multi-processor system.
  CIP       Common Industrial Protocol    A messaging protocol used by Logix5000
of 500 ms and cannot be modified online. Ensure that the Safety Task has enough time to finish before it is triggered again.

Safety Task Watchdog Timeout: a non-recoverable safety fault in the GuardLogix controller occurs if the Safety Task is triggered while it is still executing from the previous trigger. See Chapter 7, Monitoring Status and Handling Faults, for more information.

Safety Task Execution

The Safety Task executes in the same manner as standard periodic tasks, with the following exceptions:
  - The Safety Task does not begin executing until the Primary Controller and Safety Partner have established their control partnership and the Coordinated System Time (CST) is synchronized. However, standard tasks begin executing as soon as the controller transitions to RUN mode.
  - Safety input tags and safety consumed tags are updated at the beginning of Safety Task execution. Safety input values are frozen at the start of Safety Task execution. As a result, timer-related instructions (e.g. TON, TOF, etc.) will not include time elapsed during a single Safety Task execution. They will keep accurate time from one task execution to another, but the time base will not change during the Safety Task execution.

ATTENTION: This behavior differs from standard task execu
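The period, watchdog and frozen-time-base rules above can be exercised in a simple scheduler model. The Python below is an added example, not controller firmware: it rejects a Safety Task Period above the 500 ms limit, runs a list of per-scan completion times (including any delay from higher-priority tasks that pre-empt the Safety Task) against the period and the watchdog, stops at the first non-recoverable safety fault, and models a TON-style timer whose accumulator only advances between scan starts and never within one scan. The fault names, the timer model and the sample timings are mine, not the controller's.

```python
"""Safety Task period/watchdog checks and a frozen-time-base timer model.

Added example, not controller firmware. A scan that completes after the
next trigger is 'triggered while still executing'; a scan whose
completion exceeds the watchdog times out. Both are modelled as
non-recoverable safety faults that stop execution.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_SAFETY_TASK_PERIOD_MS = 500


@dataclass
class ScanResult:
    scan: int
    trigger_ms: int
    complete_ms: int
    fault: Optional[str] = None


def simulate_safety_task(period_ms: int, watchdog_ms: int,
                         exec_times_ms: List[int]) -> List[ScanResult]:
    """Run each scan at its scheduled trigger and stop at the first fault.

    exec_times_ms is the time from trigger to completion for each scan,
    already including delay from higher-priority tasks that pre-empt it.
    """
    if not 1 <= period_ms <= MAX_SAFETY_TASK_PERIOD_MS:
        raise ValueError(f"Safety Task Period must be 1..{MAX_SAFETY_TASK_PERIOD_MS} ms")
    if watchdog_ms <= 0:
        raise ValueError("Safety Task Watchdog must be positive")
    results = []
    for i, exec_ms in enumerate(exec_times_ms):
        trigger = i * period_ms
        fault = None
        if exec_ms > watchdog_ms:
            fault = "Safety Task Watchdog timeout (non-recoverable safety fault)"
        elif exec_ms > period_ms:
            fault = "Safety Task triggered while still executing (non-recoverable safety fault)"
        results.append(ScanResult(i + 1, trigger, trigger + exec_ms, fault))
        if fault:
            break   # the controller is now in a non-recoverable safety fault
    return results


@dataclass
class FrozenTon:
    """TON whose time base is frozen for the duration of one Safety Task scan.

    ACC advances only by the interval between scan starts; evaluating the
    instruction several times inside one scan adds nothing, which is the
    behaviour the manual describes for timers in the Safety Task.
    """
    preset_ms: int
    acc_ms: int = 0
    last_scan_start_ms: Optional[int] = None
    dn: bool = False

    def start_scan(self, scan_start_ms: int) -> None:
        if self.last_scan_start_ms is not None:
            elapsed = scan_start_ms - self.last_scan_start_ms
            self.acc_ms = min(self.preset_ms, self.acc_ms + elapsed)
        self.last_scan_start_ms = scan_start_ms

    def evaluate(self, enable: bool) -> bool:
        """Evaluate the instruction within the current scan; return DN."""
        if not enable:
            self.acc_ms, self.dn = 0, False
            return False
        self.dn = self.acc_ms >= self.preset_ms
        return self.dn


def run_timer(period_ms: int, scans: int, preset_ms: int,
              evals_per_scan: int = 3) -> List[int]:
    """Return ACC as seen on every evaluation; identical within a scan."""
    timer = FrozenTon(preset_ms)
    seen = []
    for i in range(scans):
        timer.start_scan(i * period_ms)
        for _ in range(evals_per_scan):
            timer.evaluate(True)
            seen.append(timer.acc_ms)
    return seen


if __name__ == "__main__":
    for r in simulate_safety_task(20, 30, [10, 12, 25, 35]):
        print(r)
    print(run_timer(period_ms=20, scans=4, preset_ms=50))
```

When sizing the watchdog, feed the model the longest completion time observed under load (with every higher-priority task active) rather than the nominal instruction time; the third scan in the sample, which finishes inside the watchdog but after the next trigger, is the case that the period limit alone does not catch.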
...of the failure.

Chapter 2 GuardLogix Controller System

This chapter discusses the GuardLogix Control System components, including the primary controller and safety partner, chassis, power supply, communication bridges and the programming software. For a brief listing of components suitable for use in SIL 3 applications, see Table 1-2 on page 1-4. For more detailed and up-to-date information, see www.ab.com/certification/safety.

GuardLogix Controller Hardware

When installing a GuardLogix controller, follow the information in the GuardLogix Controllers Installation Instructions, publication 1756-IN045.

The GuardLogix controller consists of a Primary Controller (catalog number 1756-L61S or 1756-L62S) and a Safety Partner (catalog number 1756-LSP). These two modules work in a 1oo2 architecture to create the SIL 3 capable controller. They are described in the following sections.

Both the Primary Controller and the Safety Partner perform power-up and run-time functional diagnostic tests of all safety-related components in the controller. Both also feature status LEDs. For details on LED operation, refer to the GuardLogix Controllers User Manual, publication 1756-UM020.

ATTENTION: LEDs are not reliable indicators for safety functions. They should be used only for general diagnostics during commissioning or troubleshooting. Do not attempt to use LEDs as operational indicators.

Primary Cont
    definition  1-4
    limitations  5-3
    overview  1-10
  safety task reaction time  1-10
    definition  1-4
  safety task watchdog  1-10
    definition  1-4
    modifying  1-10
    overview  1-10
    setting via RSLogix 5000  1-10
  safety task watchdog timeout  5-3
  Safety Locking  6-7
    default  6-7
    passwords  6-8
    restricted operations  6-7
  SIL 3 certification  P-1, 1-1
    Logix components  1-4
    TUV Rheinland  1-2
    user responsibilities  1-2
  SIL compliance, distribution and weight  1-8
  SIL function example  1-3
  SIL policy  1-1, 1-10
  software
    changing your application program  6-9
    commissioning life cycle  6-2
  SSV instruction  7-2
  standard instructions  A-2
  system reaction time  1-9
    calculating  B-1
    definition  1-4

T
  tags
    produced/consumed safety data  5-1
    safety I/O  5-1
  terminology used throughout manual  P-2
  timeout multiplier, definition  1-5

U
  unique node reference, defined  4-2

Rockwell Automation Support

Rockwell Automation provides technical information on the web to assist you in using its products. At http://support.rockwellautomation.com you can find technical manuals, a knowledge base of FAQs, technical and application notes, sample code and links to software service packs, and a MySupport feature that you can customize to make the best use of these tools.

For an additional level of technical phone support for
...for the input connection, Safety Task and output connection. For reaction times associated with DeviceNet Safety I/O modules, consult the product documentation for your specific module.

Appendix C Checklists for GuardLogix Safety Applications

The checklists in this Appendix are required for planning, programming and start-up of a SIL 3 certified GuardLogix application. They may be used as planning guides as well as during functional verification testing. If used as planning guides, the checklists can be saved as a record of the plan.

The checklists on the following pages provide a sample of safety considerations and are not intended to be a complete list of items to verify. Your particular safety application may have additional safety requirements, for which we have provided space in the checklists.

Checklist for GuardLogix Controller System

  Check List for GuardLogix System
  Company:                        Site:
  Safety Function definition:
  Number   Item                                                                                                 Fulfilled (Yes / No)   Comment
  1        Are you using only the components listed in Tables 1-1 and 1-2, or on the www.ab.com/ce
    ...g  7-4
    recoverable  7-4
  forcing  6-9
  fraction of detected common cause failures  1-7
  fraction of undetected common cause failures  1-7

G
  get system value (GSV), definition  P-2
  GSV instructions  7-2

H
  hard faults, recovery  7-3
  hardware fault tolerance  1-7

I
  I/O modules, replacement  3-7, 3-8
  IEC 61508 SIL 3 certification  P-1, 1-1
  inhibiting a module  6-9
  installing a controller  2-1
  instructions
    safety application  A-1
    standard subset  A-2

L
  Logix components, SIL 3 certified  1-4
  Logix instruction set  A-2
  Logix system reaction time, calculating  B-2

M
  mapping tags  5-2

N
  non-recoverable controller fault, definition  1-1
  non-recoverable controller faults  7-3
  non-recoverable safety fault  1-1
  non-recoverable safety faults  7-3
    re-starting the safety task  7-3

O
  offline edits  6-10
  online, definition  1-1
  online editing  6-8, 6-10
  Output Delay Time  3-5
  overlap, definition  1-1
  ownership  3-6

P
  partnership, definition  1-1
  peer-to-peer communications  2-3
  pending edits  6-8
  periodic task, definition  1-2
  PFD, see probability of failure on demand
  PFH, see probability of failure per hour
  power supplies  1-4
    hardware overview  2-2
    SIL 3 certified  2-2
  primary controller, definition  1-2
    hardware overview  2-1
  probability of failure on demand (PFD)  1-6, 1-8
    definition  P-2
  probability of failure per hour (PFH)  1-6, 1-8
Signature exists.

IMPORTANT: To verify the integrity of every download, you must manually record the Safety Signature after its initial creation and check the Safety Signature after every download to ensure that it matches the original.

Downloads to a Safety Locked GuardLogix controller are allowed only if the Safety Signature, the hardware series, and the OS version of the offline project all match those contained in the target GuardLogix controller, and the controller's Safety Task status is OK.

IMPORTANT: If the Safety Signature does not match and the controller is Safety Locked, you must unlock the controller to download. Downloading to the controller deletes the Safety Signature. As a result, you must re-validate the application.

If the GuardLogix controller contains a Safety Signature, the Safety Signature will be uploaded with the project. This means that any changes to offline data will be overwritten as a result of the upload.

If there is no Safety Signature and the controller is Safety Unlocked, you can perform online edits to your safety routines. Pending edits cannot exist when the controller is Safety Locked or when there is a Safety Signature. Online edits may exist when the controller is Safety Locked; however, they may not be assembled, cancelled, etc.

TIP: Online edits in standard routines are unaffected by the Safety Locked or Unlocked state.

See page 6-9 for more information on making edits to your application program.
Safety Application Instructions

Appendix A

Table A.1 Safety Application Instruction Descriptions

Mnemonic | Name | Purpose
ENPEN | Enable Pendant | Monitors two safety inputs to control a single output; has a 3 s inputs-inconsistent timeout value.
ESTOP | E-Stop | Monitors two safety inputs to control a single output; has a 500 ms inputs-inconsistent timeout value.
RIN | Redundant Input | Monitors two safety inputs to control a single output; has a 500 ms inputs-inconsistent timeout value.
ROUT | Redundant Output | Monitors the state of one input to control and monitor two outputs.
DIN | Diverse Input | Monitors two diverse safety inputs to control a single output; has a 500 ms inputs-inconsistent timeout value.
FPMS | 5-Position Mode Selector | Monitors 5 safety inputs to control 1 of the 5 outputs corresponding to the active input.
THRS | Two-Handed Run Station | Monitors two diverse safety inputs, one from a right-hand pushbutton and one from a left-hand pushbutton, to control a single output.
LC | Light Curtain | Monitors two safety inputs from a light curtain to control a single output.

For more information on the instructions in the table above, refer to the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095.

Safety Instructions

Standard Instruction Subset
Authorized personnel may change an application program, but only by using one of the processes described in Changing Your Application Program on page 6-9.

Chapter 3: DeviceNet Safety I/O for the GuardLogix Control System

Overview

Before operating a GuardLogix safety system containing DeviceNet Safety I/O, you must read, understand, and follow the installation, operation, and safety information provided in the publications listed in Table 1.1 on page 1-4.

Typical Safety Functions of DeviceNet Safety I/O Modules

Field DeviceNet Safety I/O can be connected to safety input and output devices, allowing these devices to be controlled by the GuardLogix control system. For safety data, I/O communications are performed through safety connections using the DeviceNet Safety Protocol; logic is processed in the safety controller.

Safe State

The following is treated as the safe state by safety I/O modules:
• Safety outputs: OFF
• Output data to network (DeviceNet Output to Network): OFF
• Safety Status (SS) output: OFF

The DeviceNet Safety I/O modules should be used for applications that are in the safe state when the safety output turns OFF and the output data to the network turns OFF.

Diagnostics

DeviceNet Safety I/O modules perform self-diagnostics when the power is turned ON and periodically during operation. If a diagnostic failure is detected, the safety outputs and output data to the network are
  Determination of redundancies required for SIL levels
  Discrepancy monitoring and visualization, including the user's diagnostic logic
• Actuators
  Position and activation in standard operation (normally OFF)
  Safe reaction positioning when switching OFF or on power failure
  Discrepancy monitoring and visualization, including the user's diagnostic logic

Create the Project

The logic and instructions used in programming the application must be:
• easy to understand
• easy to trace
• easy to change
• easy to test

All logic should be reviewed and tested. Keep safety-related logic and non-safety-related logic separate.

Label the Program

The application program is clearly identified by one of the following:
• Name
• Date
• Revision
• Any other user identification

Testing the Application Program

This step consists of any combination of Run and Program mode, online or offline edits, upload and download, and informal testing that is required to get an application running properly.

Generating the Safety Signature

To help ensure that a specific project is downloaded to the correct target controller, the GuardLogix controller and RSLogix 5000 support the creation of a Safety Signature. The Safety Signature uniquely identifies each project, including its logic, data, tags, etc.
publication number 1756-UM020. Refer to the GuardLogix Controller User Manual, publication number 1756-UM020, for more information on replacing an I/O module.

Chapter 4: Understanding CIP Safety and the Safety Network Number

The Routable CIP Safety Control System

To understand the safety requirements of a CIP Safety Control System, including the Safety Network Number (SNN), you must first understand how communications are routable in CIP Control Systems.

The CIP Safety control system represents a set of interconnected CIP Safety Devices. The routable system represents the extent of potential mis-routing of packets from an originator to a target within the CIP Safety control system. The system is isolated such that there are no other connections into the system. For example, because the system below cannot be interconnected to another CIP Safety system through a larger (i.e., plant-wide) Ethernet backbone, it illustrates the extent of a routable CIP Safety system.

Figure 4.1 CIP Safety System Example (diagram: a firewall and switches isolating a system of a 1756-L62S GuardLogix controller, a GuardPLC, and several Safety I/O nodes; remaining figure labels not recoverable)

Unique Node Reference

The CIP Safety protocol is an end-node to end-node safety protocol. The CIP
The CONNECTION_STATUS data type contains RunMode and ConnectionFaulted status bits. The following table describes the combinations of the RunMode and ConnectionFaulted states.

Table 7.1 Safety Connection Status

RunMode Status equals | ConnectionFaulted Status equals | Safety Connection Operation is
1 (Run) | 0 (Valid) | Data is actively being controlled by the producing device. The producing device is in Run mode.
0 (Idle) | 0 (Valid) | The connection is active and the producing device is in the Idle state. The safety data is reset to zero.
0 (Idle) | 1 (Faulted) | The safety connection is faulted. The state of the producing device is unknown. The safety data is reset to zero.
1 | 1 | Invalid state.

ATTENTION: Safety I/O connections and produced/consumed connections cannot be configured to fault the controller if a connection is lost and the system transitions to the safe state. Therefore, if you need to detect a module fault to ensure that the system maintains SIL 3, you must monitor the Safety I/O CONNECTION_STATUS bits and initiate the fault via program logic.

Get System Value (GSV) and Set System Value (SSV) Instructions

The GSV and SSV instructions allow you to get (GSV) and set (SSV) controller system data stored in device objects. When you enter a GSV/SSV instruction, the programming software displays the valid object classes, object names, and attribute names for each instruction. Res
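As an added illustration (not code from this manual, and not how RSLogix 5000 expresses the logic in ladder), the following Python model shows the decision a safety routine has to make from the two CONNECTION_STATUS bits of each safety connection, following Table 7.1 and the ATTENTION note above: the controller does not fault on a lost connection, so application logic must detect every non-Run state, de-energize the chain, and raise the fault itself. The connection names and the sample status values are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class ConnState(Enum):
    RUN = "Run"          # RunMode=1, ConnectionFaulted=0: live data, producer in Run mode
    IDLE = "Idle"        # RunMode=0, ConnectionFaulted=0: producer idle, safety data reset to zero
    FAULTED = "Faulted"  # RunMode=0, ConnectionFaulted=1: producer state unknown, data reset to zero
    INVALID = "Invalid"  # RunMode=1, ConnectionFaulted=1: not a legal combination


@dataclass(frozen=True)
class ConnectionStatus:
    """The two status bits carried by the CONNECTION_STATUS data type."""
    run_mode: int
    connection_faulted: int


# The four rows of Table 7.1, keyed by (RunMode, ConnectionFaulted)
_TABLE_7_1 = {
    (1, 0): ConnState.RUN,
    (0, 0): ConnState.IDLE,
    (0, 1): ConnState.FAULTED,
    (1, 1): ConnState.INVALID,
}


def decode(status: ConnectionStatus) -> ConnState:
    """Map RunMode/ConnectionFaulted to the Table 7.1 row they select."""
    return _TABLE_7_1[(status.run_mode & 1, status.connection_faulted & 1)]


def data_is_live(status: ConnectionStatus) -> bool:
    """Only the Run row carries data that is actively controlled by the producer."""
    return decode(status) is ConnState.RUN


def evaluate_chain(statuses: dict) -> tuple:
    """
    Evaluate every safety connection feeding one safety chain.

    Returns (permit_outputs, fault_reasons). Any connection that is not in Run
    de-energizes the chain, and each such connection is reported so the routine
    can initiate an application fault (the controller will not fault by itself).
    The Invalid row is treated exactly like a fault: it is never trusted.
    """
    reasons = []
    for name, st in statuses.items():
        state = decode(st)
        if state is not ConnState.RUN:
            reasons.append(
                f"{name}: {state.value} "
                f"(RunMode={st.run_mode}, ConnectionFaulted={st.connection_faulted})"
            )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: two safety I/O connections and one consumed safety tag.
    sample = {
        "Input:1791DS-IB12":     ConnectionStatus(run_mode=1, connection_faulted=0),
        "Output:1791DS-IB4XOW4": ConnectionStatus(run_mode=0, connection_faulted=1),
        "Consumed:LineStop":     ConnectionStatus(run_mode=1, connection_faulted=0),
    }
    permit, why = evaluate_chain(sample)
    print("permit outputs:", permit)
    for line in why:
        print("  fault:", line)
```

In a real safety routine the equivalent is a rung per connection that examines the two bits and unlatches the chain's permissive; the point the model makes is that Idle and Invalid must be handled as well as Faulted, because all three deliver data that is not under the producer's active control.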
logical and visible distinction between the standard and safety-related portions of the application. RSLogix 5000 provides this differentiation via safety tags, the Safety Task, safety programs, and safety routines.

The GuardLogix Control System supports the use of both standard and safety tags in the same project. However, the programming software differentiates standard from safety tags both visually and operationally. Safety tags have all the attributes of standard tags, with the addition of mechanisms to provide SIL 3 data integrity.

You can declare safety tags of any valid data type. Tags that cannot be used as safety tags are those with the following data types:
• AXIS_CONSUMED
• AXIS_GENERIC
• AXIS_SERVO
• AXIS_SERVO_DRIVE
• AXIS_VIRTUAL
• MOTION_GROUP
• MESSAGE
• COORDINATE_SYSTEM
• REAL

IMPORTANT: Aliasing between standard and safety tags is prohibited in safety applications.

Tags classified as safety tags must be either controller-scoped or safety-program-scoped. Safety-program-scoped safety tags can only be read by or written to via a safety routine scoped in the same safety program. Controller-scoped safety tags can be read, but not written to, by standard routines.

As you develop your application logic, you must differentiate safety controller-scoped tags from standard controller-scoped tags.
below are based on the equations from Part 6 of IEC 61508 with the following assumptions:
• The architecture is 1oo2.
• A detected error in either channel will result in the outputs being transitioned to their safe state.
• The functional verification test interval (T1) is 15 years (131,400 hours).
• The hardware fault tolerance equals 1.
• The safe failure fraction is 99.1%.
• The fraction of detected common cause failures (βD) is 0.5%.
• The fraction of undetected common cause failures (β) is 1.0%.

Table 1.4 PFD Values for GuardLogix Controller System Components

Component | Functional Verification Test Interval | PFD
1756-L6xS and 1756-LSP | 15 years | 8.5E-6
1791DS-IB12 | 3 months | 9.58E-7
1791DS-IB12 | 6 months | 1.92E-6
1791DS-IB12 | 1 year | 3.83E-6
1791DS-IB12 | 2 years | 7.66E-6
1791DS-IB8XOB8 | 3 months | 1.21E-6
1791DS-IB8XOB8 | 6 months | 2.41E-6
1791DS-IB8XOB8 | 1 year | 4.82E-6
1791DS-IB8XOB8 | 2 years | 9.64E-6
1791DS-IB4XOW4 | 3 months | 5.81E-6
1791DS-IB4XOW4 | 6 months | 1.18E-5

Table 1.5 PFH Values for GuardLogix Controller System Components

Component | Functional Verification Test Interval | PFH
1756-L6xS and 1756-LSP | 15 years | 1.9E-10
1791DS-IB12 | 3 months | 8.75E-10
1791DS-IB8XOB8 | 3 months | 1.11E-9
1791DS-IB4XOW4 | 3 months | 5.24E-9

SIL Concept

Figure 1.2 PFH Calculation Example (diagram: sensor → 1791DS-IB12 → GuardLogix Controller → 1791DS-IB4XOW4 → actuators; remaining figure labels not recoverable)
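The loop summation that Figure 1.2 illustrates, worked as an added Python example that is not part of the manual: it sums the Table 1.5 PFH values of the components along each loop of the logic element, places the result in the IEC 61508-1 PFH band for high demand/continuous mode, and checks it against a budget for the logic element's share of the target SIL. The two loop definitions, the 10% share, and the SIL 3 target are assumptions for the example; sensor and actuator PFH values are not in the tables and have to be added by the user for the complete safety function.

```python
# PFH per hour from Table 1.5 (I/O at a 3-month test interval, controller at 15 years)
PFH_TABLE_1_5 = {
    "1756-L6xS+1756-LSP": 1.9e-10,
    "1791DS-IB12": 8.75e-10,
    "1791DS-IB8XOB8": 1.11e-9,
    "1791DS-IB4XOW4": 5.24e-9,
}

# IEC 61508-1 Table 3: PFH bands per hour for high demand / continuous mode, [lower, upper)
SIL_PFH_BANDS = {
    4: (1e-9, 1e-8),
    3: (1e-8, 1e-7),
    2: (1e-7, 1e-6),
    1: (1e-6, 1e-5),
}


def loop_pfh(components, table=PFH_TABLE_1_5):
    """Series combination: the loop PFH is the sum of its components' PFH."""
    missing = [c for c in components if c not in table]
    if missing:
        raise KeyError(f"no PFH value for {missing}; extend the table before summing")
    return sum(table[c] for c in components)


def sil_band(pfh):
    """Best SIL whose PFH limit the value stays under (None if above the SIL 1 limit)."""
    if pfh <= 0:
        raise ValueError("PFH must be positive")
    for sil in (4, 3, 2, 1):
        if pfh < SIL_PFH_BANDS[sil][1]:
            return sil
    return None


def within_logic_budget(pfh, target_sil, share=0.10):
    """
    Assumed allocation rule: the logic element may consume at most `share` of the
    PFH limit for `target_sil`, leaving the remainder for sensors and actuators.
    """
    return pfh <= share * SIL_PFH_BANDS[target_sil][1]


# Assumed loop definitions following the layout of Figure 1.2 (sensor and actuator omitted)
LOOPS = {
    "Loop 1": ["1791DS-IB12", "1756-L6xS+1756-LSP", "1791DS-IB4XOW4"],
    "Loop 2": ["1791DS-IB8XOB8", "1756-L6xS+1756-LSP", "1791DS-IB4XOW4"],
}


def assess(loops=LOOPS, target_sil=3):
    """Return {loop name: (pfh, sil_band, within_budget)} for every loop."""
    result = {}
    for name, components in loops.items():
        pfh = loop_pfh(components)
        result[name] = (pfh, sil_band(pfh), within_logic_budget(pfh, target_sil))
    return result


if __name__ == "__main__":
    for name, (pfh, band, ok) in assess().items():
        print(f"{name}: PFH = {pfh:.3e} /h, band SIL {band}, within SIL 3 logic budget: {ok}")
```

Loop 1 sums to 6.305E-9 per hour, which is inside the SIL 4 band and below the 1E-8 that a 10% share of the SIL 3 limit allows. Note that the I/O values are for a 3-month test interval; a longer interval, or a component missing from the table, must be supplied explicitly rather than assumed, which is why `loop_pfh` refuses unknown components.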
For programming or start-up, an individual checklist can be filled in for every single SIL input channel in a system. This is the only way to make sure that the requirements are fully and clearly implemented. This checklist can also be used as documentation on the connection of external wiring to the application program.

Input Check List for GuardLogix System
Site:
Safety Function definition:
SIL input channels in the:

Number | Requirement | Fulfilled (Yes / No) | Comment
1 | Have you followed installation instructions and precautions to conform to applicable safety standards?
2 | Have you performed functional verification tests on the system and modules?
3 | Are control, diagnostics, and alarming functions performed in sequence in application logic?
4 | Have you uploaded and compared the configuration of each module to the configuration sent by the configuration tool?
5 | Are modules wired in compliance with CAT 4 according to EN 954-1? (1)
6 | Have you verified that the electrical specifications of the sensor and input are compatible?

(1) For information on wiring your DeviceNet Safety I/O module, refer to the product documentation for your specific module.

Checklist for DeviceNet Safety Outputs

For programming or start-up, an individual requirement checklist must be
GuardLogix System Components 1-4
Safety Certifications and Compliances 1-5
Agency Certifications 1-6
Definitions of PFD and PFH 1-6
SIL Compliance Distribution and Weight 1-8
Safety Reaction Times 1-9
Safety Task Period and Safety Task Watchdog 1-10
Contact Information When Device Failure Occurs 1-10

The GuardLogix Controller system is type-approved and certified for use in safety applications up to and including SIL 3 according to IEC 61508, and applications up to and including category CAT 4 according to EN 954-1. SIL requirements are based on the standards current at the time of certification.

In addition, the standard tasks within GuardLogix controllers can be used either for standard applications or SIL 2 safety applications, as described in the Using ControlLogix in SIL 2 Applications Reference Manual, publication 1756-RM001. In either case, do not use SIL 2 or standard tasks and variables to build up safety loops of a higher level. The Safety Task is the only task certified for SIL 3 applications.

IMPORTANT: When the GuardLogix controller is in the maintenance or programming mode, or the application has not been validated by the user, the user is responsible for maintaining safe conditions.

RSLogix 5000 programming software is required to create programs for the GuardLogix controller. TÜV Rheinland has approved the GuardLogix Controller system for use in safety-related applications up to SIL 3, in which the de-energized state is considered to be the safe state. All of the examples related to I/O included in this manual are based on achieving de-energization as the safe state for typical Machine Safety and Emergency Shutdown (ESD) Systems.

IMPORTANT: The system user is responsible for:
• the set-up, SIL rating, and validation of any sensors or actuators connected to the GuardLogix system
• project management and functional testing
• access control to the safety system, including password handling
• programming the application software and the device configurations in accordance with the information in this safety reference manual and the GuardLogix Controllers User Manual, publication number 1756-UM020

When applying Functional Safety, restrict access to qualified, authorized personnel who are trained and experienced. The Safety Lock function with passwords is provided in RSLogix 5000. For information on using the Safety Lock feature, refer to the GuardLogix Controllers User Manual, publication number 1756-UM020.

Functional Verification Tests

IEC 61508 requires the user to perform various functional verification tests of the equipment used in the system. Functional verification tests are performed at user-defined times. For example, functional verification test intervals can be once a year, once every fifteen years, or whatever timeframe is appropriate
1-1
Where to find updated information on GuardLogix controller and DeviceNet Safety I/O certified series and firmware revisions | 1-4

Table of Contents

Preface
  Introduction P-1
  Manual Use P-1
  Understanding Terminology P-2
  Related Documentation P-3

Chapter 1: SIL Concept
  SIL 3 Certification 1-1
  Functional Verification Tests 1-2
  GuardLogix Architecture for SIL 3 Applications 1-3
  GuardLogix System Components 1-4
  Safety Certifications and Compliances 1-5
  Agency Certifications 1-6
  GuardLogix PFD and PFH Specifications 1-6
  Definitions of PFD and PFH 1-6
  PFD and PFH Calculations 1-7
  SIL Compliance Distribution and Weight 1-8
  Safety Reaction Times 1-9
  System Reaction Time 1-9
  Safety Task Reaction Time 1-10
  Safety Task Period and Safety Task Watchdog 1-10
  Contact Information When Device Failure Occurs 1-10

Chapter 2: GuardLogix Controller System
  GuardLogix Controller Hardware 2-1
  Primary Controller 2-1
  Safety Partner 2-2
  Safe
1. With the controller in Program mode, save the project. Answer Yes to the Upload Tag Values prompt.
2. With RSLogix 5000 offline, save the project with a new name, such as Offlineprojectname.ACD, where projectname is the name of your project.
3. Close the project.
4. Rename the original project archive file to Originalprojectname.ACD, where projectname is the name of your project.
5. With the controller still in Program mode, upload the project from the controller. Name the uploaded project Onlineprojectname.ACD, where projectname is the name of your project. Answer Yes to the Upload Tag Values prompt.
6. Invoke another instance of RSLogix 5000 and open the project named Originalprojectname.ACD.
7. Use the two instances of RSLogix 5000 to compare the following:
   • all of the properties of the GuardLogix controller and DeviceNet Safety I/O modules
   • all of the properties of the Safety Task, safety programs, and safety routines
   • all of the logic in the safety routines

TIP: RSLogix 5000 features a Program Compare utility that may be helpful in identifying changed safety components, but it must not be used in place of a manual compare.

Safety Validation

An independent third-party review of the safety system may be required before the system is approved for operation.

Locking the GuardLogix Controller

The GuardLogix Controller system can be Safety Locked to protect safety con
Routines in the Safety Task of the GuardLogix controller may use a subset of the Logix instruction set, consisting of the following instructions.

Table A.2 Subset of General Logix Instruction Set

Type | Mnemonic | Name | Purpose
Bit | XIC | Examine If Closed | enable outputs when a bit is set
Bit | XIO | Examine If Open | enable outputs when a bit is cleared
Bit | OTE | Output Energize | set a bit
Bit | OTL | Output Latch | set a bit (retentive)
Bit | OTU | Output Unlatch | clear a bit (retentive)
Bit | ONS | One Shot | trigger an event to occur one time
Bit | OSR | One Shot Rising | trigger an event to occur one time on the false-to-true (rising) edge of a change of state
Bit | OSF | One Shot Falling | trigger an event to occur one time on the true-to-false (falling) edge of a change of state
Timer/Counter | TON | Timer On Delay | time how long a timer is enabled
Timer/Counter | TOF | Timer Off Delay | time how long a timer is disabled
Timer/Counter | RTO | Retentive Timer On | accumulate time
Timer/Counter | CTU | Count Up | count up
Timer/Counter | CTD | Count Down | count down
Timer/Counter | RES | Reset | reset a timer or counter
Compare | EQU | Equal To | test whether two values are equal
Compare | GEQ | Greater Than Or Equal To | test whether one value is greater than or equal to a second value
Compare | GRT | Greater Than | test whether one value is greater than a second value
Compare | LEQ | Less Than Or Equal To | test whether one value is less than or equal to a second value
Compare | LES | Less Than | test whether one value is less than a second value
Compare | MEQ | Masked Comparison for Equal | pass source and compare values through a mask
Union 89/336/EEC EMC and Low Voltage Directives, compliant with EN 61000-6-4 Industrial Emissions
C-Tick | Australian Radio Communications Act, compliant with AS/NZS 2064 Industrial Emissions
TÜV | Functional Safety: SIL 1 to 3 according to IEC 61508; Category 1 to 4 according to EN 954-1

Definitions of PFD and PFH

Safety-related systems can be classified as operating in either a low demand mode or in a high demand/continuous mode. IEC 61508 quantifies this classification by stating that the frequency of demands for operation of the safety system is no greater than once per year in the low demand mode, or greater than once per year in the high demand/continuous mode.

The SIL value for a low demand safety-related system is directly related to order-of-magnitude ranges of its average probability of failure to satisfactorily perform its safety function on demand, or simply probability of failure on demand (PFD). The SIL value for a high demand/continuous mode safety-related system is directly related to the probability of a dangerous failure occurring per hour (PFH).

Although PFD and PFH values are usually associated with each of the three elements making up a safety-related system (the sensors, the actuators, and the logic element), they can be associated with each component of the logic element, that is, each module of a programmable controller.

PFD and PFH Calculations

The PFD and PFH calculations in the tables
  the Configuration Signature provides you with a means to check that the device and the configuration tool agree on the information downloaded.
• During device replacement, the Configuration Signature allows you to verify that the configuration in the configuration tool is the correct configuration. If the originator is used to automatically configure a device, the Configuration Signature indicates whether reconfiguration is necessary and ensures the integrity of the operation.
• During connection establishment, the originator and the target devices use the Configuration Signature to ensure that both devices are using the same configuration data.

The Configuration Signature is auto-generated by RSLogix 5000 when an I/O module is added to the GuardLogix controller project.

I/O Module Replacement

The replacement of safety devices requires that the replacement device be configured properly and that the replacement device's operation be user-verified.

ATTENTION: During replacement or functional testing of a module, the safety of the system must not rely on any portion of the affected module.

Two options are available for I/O module replacement. You can configure the controller to always automatically configure the replacement module, or you can choose to allow automatic configuration via the controller only when a Safety Signature does not exist. These options are located
Americas: Rockwell Automation, 1201 South Second Street, Milwaukee, WI 53204-2496 USA, Tel: (1) 414.382.2000, Fax: (1) 414.382.4444
Europe: Rockwell Automation SA/NV, Vorstlaan/Boulevard du Souverain 36-BP 3A, B-1170 Brussels, Belgium, Tel: (32) 2 663 0600, Fax: (32) 2 663 0640
Asia Pacific: Rockwell Automation, 27/F Citicorp Centre, 18 Whitfield Road, Causeway Bay, Hong Kong, Tel: (852) 2887 4788, Fax: (852) 2508 1846

Headquarters for Dodge and Reliance Electric Products
Americas: Rockwell Automation, 6040 Ponders Court, Greenville, SC 29615-4617 USA, Tel: (1) 864.297.4800, Fax: (1) 864.281.2433
Europe: Rockwell Automation, Brühlstraße 22, D-74834 Elztal-Dallau, Germany, Tel: (49) 6261 9410, Fax: (49) 6261 17741
Asia Pacific: Rockwell Automation, 55 Newton Road, #11-01/02 Revenue House, Singapore 307987, Tel: (65) 351 6723, Fax: (65) 355 1733

Publication 1756-RM093B-EN-P, October 2005. Supersedes Publication 1756-RM093A-EN-P, January 2005.
Copyright 2005 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.
for online editing.

TIP: Limit online edits to minor program modifications, such as setpoint changes or logic additions, deletions, and modifications.

Online edits are affected by the Safety Lock and Safety Signature features of the GuardLogix controller. See Generating the Safety Signature on page 6-4 and Locking the GuardLogix Controller on page 6-7 for more information.

For detailed information on how to edit ladder logic in RSLogix 5000 while online, see the Logix5000 Controllers Quick Start, publication 1756-QS001.

Editing Your Project

Figure 6.2 Online and Offline Edit Process (flowchart; its boxes are: Offline Edit: Open Project; Any Safety Changes?; Unlock the Controller; Delete Safety Signature; Make Desired Modifications to Standard Logic / to Safety Logic; Attach to Controller and Download; Test the Application Program; Confirm the Project. Online Edit: Attach to Controller; Any Safety Changes?; Unlock the Controller; Delete Safety Signature; Make Desired Modifications to Standard Logic / to Safety Logic; Test the Application Program; Project Verification Test; Tests Passed?; Make Required Modifications; Delete Safety Signature. Both branches end at Generate Safety Signature.)
or software described in this manual. Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc. is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you:
• identify a hazard
• avoid a hazard
• recognize the consequence

Allen-Bradley, ControlLogix, GuardLogix, RSLogix, RSNetWorx for DeviceNet, and RSLinx are trademarks of Rockwell Automation, Inc. DeviceNet is a trademark of the Open DeviceNet Vendor Association. Trademarks not belonging to Rockwell Automation are the property of their respective holders.

Summary of Changes

The information below summarizes the changes to this manual since the last publication. To help you find new and updated information in this release of the manual, we have included change bars, as shown to the right of this paragraph.

For information about | See
Using the standard task in SIL 2 safety applications
Produced/Consumed Connection (figure: Controller A and Controller B linked over EtherNet; the chain runs Input Module (1) → Input Connection (2) → Controller A → Produced/Consumed Connection → Controller B → Output Connection (6) → Output Module (7), with the input and output modules on DeviceNet)

The Logix System Reaction Time for any input / controller A logic / controller B logic / output chain consists of the following seven components:
1. Input Module Delay Time
2. Input data transfer time via the input connection
3. Controller processing time (logic)
4. Produced/Consumed data transfer time via the produced/consumed connection
5. Controller processing time (logic)
6. Output data transfer time via the output connection
7. Output Module Delay Time

To aid you in determining the reaction time of your particular control loop, a Microsoft Excel spreadsheet is available in the Tools folder of the RSLogix 5000 software CD.

Factors Affecting Logix System Reaction Time Components

The Logix Reaction Time components discussed in the previous sections can be influenced by a number of factors, as described in the table below.

Table B.1 Factors Affecting Logix System Reaction Time

These Reaction Time Components | Are influenced by the following factors
Input Module Delay Time | Input Point Delay Settings; type of input module
Input data tr
Primary Controller

The Primary Controller is the processor that performs standard and safety functions and communicates with the Safety Partner for safety-related functions in the GuardLogix Control System. The Primary Controller consists of a central processor, I/O interface, and memory.

Safety Partner

In order to satisfy SIL 3 requirements, a Safety Partner, catalog number 1756-LSP, must be installed in the slot immediately to the right of the Primary Controller. The Safety Partner is a co-processor that provides redundancy for safety-related functions in the system. The Safety Partner is configured by the Primary Controller. Only a single download of the user program to the Primary Controller is required. The Safety Partner's operating mode is controlled by the Primary Controller.

Safety I/O

For information on DeviceNet Safety I/O modules for use with the GuardLogix controller, see Chapter 3.

Chassis

The 1756-Axx chassis provides the physical connections between modules and the GuardLogix system. Any failure, though unlikely, would be detected as a failure by one or more of the active components of the system. Therefore, the chassis is not relevant to the safety discussion.

Power Supplies

ControlLogix power supplies suitable for use in SIL 3 applications include:
• 1756-PA72 AC power supply
• 1756-PA75 AC power supply
rtification/safety/index.html site, with the corresponding firmware release?
2 | Have you calculated the system's safety response time for each safety chain?
3 | Does the system's response time include both the user-defined Safety Task program watchdog (software watchdog) time and the Safety Task rate (period)?
4 | Is the system response time in proper relation to the process tolerance time?
5 | Have probability (PFD/PFH) values been calculated according to the system's configuration?
6 | Have you performed all appropriate functional verification tests?
7 | Have you determined how your system will handle faults?
8 | Does each network in the safety system have a unique SNN?
9 | Is each CIP Safety device configured with the correct SNN?
10 | Have you generated a Safety Signature?
11 | Have you uploaded and recorded the Safety Signature for future comparison?
12 | Following a download, have you verified that the Safety Signature in the controller matches the recorded Safety Signature?
13 | Do you have an alternate mechanism in place to preserve the safety integrity of the system when making online edits?
14 | Have you taken into consideration the checklists for using SIL inputs and outputs listed on pages C-3 and C-4?

Checklist for DeviceNet Safety Inputs

Company:

For programming
Routine
A set of logic instructions in a single programming language, such as a ladder diagram. Routines provide executable code for the project in a controller. Each program has a main routine. You can also specify optional routines.

Safety Application Instructions
Safety instructions which provide safety-related functionality. They have been certified to SIL 3 for use in safety routines.

Safety Component
Any object (task, program, routine, tag, module, etc.) that is marked as a safety-related item.

Safety I/O
Safety I/O has most of the attributes of standard I/O, except that it features mechanisms certified to SIL 3 to ensure data integrity.

Safety Network Number (SNN)
Uniquely identifies a network across all networks in the safety system. The end user is responsible for assigning a unique number for each safety network or safety sub-net within a system. The Safety Network Number makes up part of the Unique Node Identifier (UNID).

Safety Partner
The processor in a dual-processor controller that works with the Primary Controller to perform safety-related functions.

Safety Program
A safety program has all the attributes of a standard program, except that it can only be scheduled in a Safety Task. The safety program consists of zero or more safety routines. It cannot contain standard routines or standard tags.

Safety Routine
A safety routine has all the attributes of a standard routine, except that it is valid
responsibility while the changes are in progress. These personnel must also maintain safe application operation.
• When editing online, you must use an alternate protection mechanism to maintain the safety of the system.
• You must sufficiently document all program edits, including authorization, impact analysis, execution, test information, and revision information. If online edits exist in the standard routines only, those edits are not required to be validated before returning to normal operation.
• You must ensure that changes to the standard routine with respect to timing and tag mapping are acceptable to your safety application.
• You can edit the logic portion of your program while Offline or Online, as described in the following sections.

Performing Offline Edits

When offline edits are made to standard program elements only, and the Safety Signature matches following a download, you can resume operation. When offline edits affect the safety program, you must revalidate the entire application before resuming operation. The flowchart on page 6-11 illustrates the process for offline editing.

Performing Online Edits

If online edits affect the safety program, you must revalidate the entire application before resuming operation. The flowchart on page 6-11 illustrates the process for
73. tandard program, except that it can only be scheduled in the Safety Task. A safety program may also define program-scoped safety tags. A safety program may be scheduled or unscheduled. A safety program can contain only safety components. All of the routines in a safety program must be safety routines. A safety program cannot contain standard routines or standard tags.

A safety routine has all the attributes of a standard routine, except that it can only exist in a safety program. One safety routine may be designated as the main routine. Another safety routine may be designated as the fault routine. Only safety instructions may be used in safety routines. For a listing of safety application instructions, see Appendix A.

ATTENTION: To preserve SIL 3, you must ensure that your safety logic does not attempt to read or write standard tags.

5-6 Characteristics of Safety Tags, the Safety Task and Safety Programs

Chapter 6 Safety Application Development

Safety Concept Assumptions

Basics of Application Development and Testing

The safety concept assumes that:
• those responsible for creating, operating and maintaining the application are fully qualified, specially trained personnel experienced in safety systems;
• the user applies the logic correctly, meaning that programming errors can be detected. Programming errors can be de
74. tected by strict adherence to specifications, programming and naming rules;
• the user performs a critical analysis of their application and uses all possible measures to detect a failure;
• the user confirms all application downloads via a manual check of the Safety Signature;
• before the initial startup of a safety-related system, the entire system is checked by a complete functional test.

The application program for the intended SIL 3 system should be developed by the system integrator and/or user trained and experienced in safety applications. The developer must follow good design practices, including the use of:
• Functional specifications, including flow charts, timing diagrams and sequence charts
• Program review
• Program validation

6-2 Safety Application Development

Commissioning Life Cycle

The flowchart below shows the steps required for commissioning a GuardLogix system. The items in bold text are explained in the following sections.

Figure 6-1 Commissioning the System (flowchart): Specify the Control Function; Create Project (Online or Offline); Attach to Controller and Download; Test the Application Program; Generate Safety Signature; Project Verification Test; Tests Passed? If yes: Confirm the Project, then Record Safety Signature. If not: Make required modifications and Delete Safety Signature.
75. ted and signed.

C-6 Checklists for GuardLogix Safety Applications

Glossary

Assemble Edits: This action is taken by the user when they have made online edit changes to the GuardLogix controller and want the changes to become permanent, since the user can test, un-test or cancel the edits.

Cancel Edits: Action taken by the user to reject any unassembled online edit changes.

CIP Safety Protocol: A network communications method designed and certified for transport of data with high integrity.

Configuration Signature: A unique number that identifies a device's configuration. The Configuration Signature is made up of an ID number, date and time.

Non-recoverable Controller Fault: A fault that forces all processing to be terminated and requires controller power to be cycled from off to on. The user program is not preserved and must be re-downloaded.

Non-recoverable Safety Fault: A fault which, even though properly handled by the fault handling mechanisms provided by the GuardLogix controller and implemented by the user, terminates all Safety Task processing and requires external user action to restart the Safety Task.

Online: Situation where the user is monitoring or modifying the program in the GuardLogix controller.

Overlap: When a task (periodic or event)
76. tion. For standard tags that are mapped to safety tags, the standard tag values are copied into Safety Task memory at the start of the Safety Task and do not change during execution. Safety produced tags are produced at the conclusion of Safety Task execution. Safety output tags are sent to safety outputs at the conclusion of Safety Task execution.

The Safety Task responds to mode changes (i.e., Run to Program or Program to Run) at timed intervals. As a result, the Safety Task may take more than one task period, but always less than two, to make a mode transition.

Characteristics of Safety Tags, the Safety Task and Safety Programs 5-5

Safety Programs
Safety Routines

IMPORTANT: While Safety Unlocked and without a Safety Signature, the controller prevents simultaneous write access to safety memory from the Safety Task and communications commands. As a result, the Safety Task can be held off until a communications update completes. The time required for the update varies by tag size. Therefore, safety connection and/or safety watchdog timeouts could occur. For example, if you make online edits when the Safety Task rate is set to 1 ms, a safety watchdog timeout could occur. To compensate for the hold-off time due to a communications update, add 2 ms to the Safety Watchdog time.

NOTE: When the controller is Safety Locked or a Safety Signature exists, this situation cannot occur.

A safety program has all the attributes of a s
77. trial systems Protocol

DC (Diagnostic Coverage): The ratio of the detected failure rate to the total failure rate.
EN (European Norm): The official European Standard.
GSV (Get System Value): A ladder logic instruction that retrieves specified controller status information and places it in a destination tag.
PC (Personal Computer): Computer used to interface with and control a Logix-based system via RSLogix 5000 programming software.
PFD (Probability of Failure on Demand): The average probability of a system to fail to perform its design function on demand.
PFH (Probability of Failure per Hour): The probability of a system to have a dangerous failure occur per hour.
SNN (Safety Network Number): A unique number that identifies a safety network or safety sub-net across all networks in the safety system.
SSV (Set System Value): A ladder logic instruction that sets controller system data.
TUNID (Target Unique Network Identifier): A unique number identifying each safety I/O device that can act as a target.

Preface 3

Related Documentation

The table below provides a listing of publications that contain important information about GuardLogix Controller systems.

For / Read this document / Document number:
Information on installing the GuardLogix Controller / GuardLogix Controller Installation Instructions / 1756-IN045
Information on configuration and programming for the GuardLogix System / GuardLogix User Manual / 1756-UM020
Information on the Guar
78. trictions exist for using the GSV and SSV instructions with safety components.

IMPORTANT: The Safety Task cannot perform GSV or SSV operations on standard attributes. The attributes of safety objects that can be written by the standard task are for diagnostic purposes only. They do not affect Safety Task execution.

Monitoring Status and Handling Faults 7-3

The GuardLogix Controllers User Manual, publication number 1756-UM020, provides information on which safety attributes are accessible via GSV and SSV instructions. For more information on using GSV and SSV instructions, see the Logix5000 Controllers General Instructions Reference Manual, publication 1756-RM003.

GuardLogix System Faults

Faults in the GuardLogix system fall into three categories:
• Non-recoverable Controller Faults
• Non-recoverable Safety Faults
• Recoverable Faults

These are explained in more detail in the following sections. For information on handling faults, refer to the GuardLogix Controllers User Manual, publication number 1756-UM020.

Non-Recoverable Controller Faults

A non-recoverable controller fault occurs if the controller's internal diagnostics fail. Partnership is lost when a non-recoverable controller fault occurs in either the Primary Controller or the Safety Partner, causing the other to generate a non-recoverable watchdog timeout fault. Standard task and Safety Task execution stops, and safety I/O transitions to the safe state.
79. trol components from modification. The Safety Lock feature applies only to safety components, such as the Safety Task, safety routines, safety I/O, Safety Signature, etc. However, Safety Locking alone does not satisfy SIL 3 requirements.

No portion of a safety component can be modified while the controller is in the Safety Locked state. When the controller is Safety Locked, the following actions are not permitted in the Safety Task:
• Online/offline programming or editing
• Forcing safety I/O
• Data manipulation (except through routine logic)
• Generating or deleting the Safety Signature

The default state of the controller is Safety Unlocked. You may place the controller in a Safety Locked state regardless of whether the controller is online or offline, and regardless of whether you have the original source of the program. However, no safety forces or pending online safety edits may be present. Safety Locked or Unlocked status cannot be modified when the keyswitch is in the RUN position.

6-8 Safety Application Development

To provide an additional layer of protection, separate passwords may be used for Safety Locking or Unlocking the controller. Passwords are optional.

Downloading the Safety Application Program
Uploading the Safety Application Program
Online Editing

Upon download, full application testing is required unless a Safety Si
80. ts 1 maintains SIL 3.

When a safety program fault handler does not exist, or the fault is not recovered by it, the controller processes the logic in the controller-scoped fault handler, terminating safety program logic execution and leaving safety I/O connections active but idle.

IMPORTANT: When the execution of safety program logic is terminated due to a recoverable fault that is not handled by the safety program fault handler, the safety I/O connections are closed and re-opened to re-initialize safety connections.

If user logic is terminated as a result of a recoverable fault that is not recovered, safety outputs are placed in the safe state and the producer of safety consumed tags commands the consumers to place them in a safe state.

Monitoring Status and Handling Faults 7-5

TIP: When using safety I/O for standard applications, safety I/O will be commanded to the safe state as a result of the above.

If a recoverable safety fault is overridden in the controller-scoped fault handler, only standard tasks keep running. If the fault is not overridden, the standard tasks are also shut down.

ATTENTION: Overriding the safety fault does not clear it. If you override the safety fault, it is your responsibility to prove that doing so maintains SIL 3.

7-6 Monitoring Status and Handling Faults

Safety Instructions

Safety Appl
81. ts to prove the validity of the calculations/formulas used in your application logic. Equivalent range tests are acceptable. These are tests within the defined value ranges, at the limits, or in invalid value ranges. The necessary number of test cases depends on the formulas used and must comprise critical value pairs.

6-6 Safety Application Development

Active simulation with sources (field devices) must also be included, since it is the only way to verify that the sensors and actuators in the system are wired correctly. Verify the operation of programmed functions by manually manipulating sensors and actuators. You must also include tests to verify the reaction to wiring faults and network communication faults.

Project Verification includes required functional verification tests of fault routines, input and output channels, etc., to ensure that the safety system operates properly. See Functional Verification Tests on page 1-2 for more information.

Confirm the Project

You must print or view the project and manually compare the uploaded safety I/O and controller configurations, safety data and safety task program logic to ensure that the correct safety components were downloaded, tested and retained in the safety application program. The steps below illustrate one method for confirming the project:

1. With the controller in Program m
82. turned OFF.

3-2 DeviceNet Safety I/O for the GuardLogix Control System

Status Data

In addition to input and output data, some DeviceNet Safety I/O modules support status data to monitor the I/O circuits. Refer to your module's product documentation.

Status LEDs

The DeviceNet Safety I/O modules include status LEDs. For details on LED operation, refer to the product documentation for your specific module.

ATTENTION: LEDs are not reliable indicators for safety functions. They should be used only for general diagnostics during commissioning or troubleshooting. Do not attempt to use LEDs as operational indicators.

ON or OFF Delay Function

Some DeviceNet Safety I/O modules may support ON delay and OFF delay functions for input signals. You must include OFF delay times when calculating system reaction time. See Appendix B for information on system reaction time.

Input and Output Line Conditioning

DeviceNet Safety I/O modules provide pulse test and monitoring capabilities. If the module detects a failure, it sets the offending input or output to its safe state and reports the failure to the controller. The failure indication is made via the input or output point status and is maintained for a configurable amount of time or until the failure is repaired, whichever comes first.

IMPORTANT: Ladder logic must be included in the applic
83. ty 2-2
Chassis 2-2
Power supplies 2-2
CIP Safety Protocol 2-3
Communication Bridges 2-3
Programming Overview 2-4
RSLogix 5000 Programming Software 2-4

Chapter 3
Overview 3-1
Typical Safety Functions of DeviceNet Safety I/O Modules 3-1
Diagnostics 3-1
Status Data 3-2
Status LEDs 3-2
ON or OFF Delay 3-2
Input and Output Line Conditioning 3-2
I/O Module Connection Status 3-3

Table of Contents vi

Understanding CIP Safety and the Safety Network Number
Characteristics of Safety Tags, the Safety Task and Safety Programs
Safety Application Development

How to Latch and Reset Faulted I/O 3-3
Reaction Time 3-5
Safety Considerations for I/O Modules on the Safety Network 3-6
Configuration Signature 3-6
I/O Module Replacements 3-7

Chapter 4
The Routable CIP Safety Control System 4-1
Unique Node Reference 4-2
Safety Network Number 4-2
Considerations for Assigning the SNN
