1756-RM001 - Rockwell Automation
Contents
1. PFD and Calculations for a SIL 2 System Appendix Table 11 2 Year PFD Calculations Common Terms 1001 Configuration 1002 Configuration g g MeanTime i Safe 2 Cat No Firmware Description between i Spurious Spurious gg Version Failure AO XM Failure Agy Tawoa Trip Rate PFH Trip Rate T PFHO9 5 SFF STR STR wu 1794 1816 LEX 1 0 24V DC input module 179 506 15 5 57E 09 2 79E 09 80 1 11E 09 1 67E 09 3514 8 91E 09 2346 5 57E 11 4 90 07 8 Not 1794 1 16 Applicable FL EX 0 35 587 189 2 81E 08 1 40 08 80 5 62E 09 8 43E 09 3514 4 50 08 2346 2 82E 10 2 47E 06 24V DC input module 1794 2 AD LEX 1 0 counter module 55 344 640 1 81E 08 9 03 09 80 3 61E 09 5 42E 09 3514 2 89E 08 2346 1 81 10 1 59 06 1794 2 A E LEX1 0 XT counter module 11714128 8 54E 08 4 27E 08 80 1 71 08 2 56E 08 3514 37E07 2346 8 58 10 7 53 06 1794 4 4 LEX 1 0 counter module 22 027 200 4 54E 08 2 27 08 80 9 08E 09 1 36E 08 3514 7 26E 08 2346 4 55 10 4 00 06 1794 IB10X0B6 LEX 1 0 24V DC input output 100 000 00 1 00E 08 5 00E 09 80 2 00E 09 3 00 02. Analog Input Analog Input 1794 IE8 1794 IE8 MES a 1794 183 Voltage Voltage Transmitter A Transmitter B _ S Analog Input Analog Input 1794 IFAI 1794 IFAI 0000000000000000 0000000000000000 Podgooooooooooooo podoooooooooooooo OODDOOOOOOOOOOOOO 1794 TB3 1794 TB3 Voltage Voltage Transmitter Transmitter B Rockwell Automation Publication 1756 RM001L EN P July 2014 FLEXI O Modules Chapter 6 Wiring the Single ended Input Module in urrent Mode In addition to following the Requirements When Using FLEX I O Analog Input Modules on page 77 before wiring the module consider the following application guideline Place other devices in current loop You can locate other devices in an input channel current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops each module input is 250 ohms Figure 49 FLEX 1 0 Analog Input Wiring in Current Mode
3. Common Terms 1001 Configuration 1002 Configuration MeanTime s 3 i Safe Cat No Firmware Description between Fail Spurious wre X ration Tctoo Trip Rate Trip Rate T s SFF STR STR 1794 1816 FLEX 1 0 24V DC input module 179 506 15 5 57 09 2 79 09 80 1 11E 09 1 67E 09 1762 8 91 09 1178 5 57E 11 2 45 07 8 Not 1794 1 16 Applicable TELEX 1 0 XT 35 587 189 2 81E 08 1 40 08 80 5 62E 09 8 43E 09 1762 4 50 08 1178 2 81E 10 1 24E 06 24V DC input module 1794 2 0 FLEX 1 0 counter module 55 344 640 1 81E 08 2 89E 08 1178 1 81E 10 7 96 07 FLEX1 O XT counter module 11714128 8 54F 08 Notallowedforloo 1178 856F40 377 06 configurations 1794 4 4 FLEX 1 0 counter module 22 027 200 4 54E 08 7 26 08 1178 4 55E 10 2 00 06 1794 1 10 086 FLEX 1 0 24V DC input output 100 000 00 1 00E 08 1 60E 08 1178 1 00 10 4 41E 07 module 0 1794 A FLEX I 0 XT 22 202 487 4 50E 08 7 21 08 1178 4 51 10 1 99 06 IB10XOB6XT i 24V DC input output module ot 1794 0 8 Applicable FLEX1 0 24V DC electronically 100 000 00 1 00F 08 160E08 1178 1 00E 10 441E 07 fused output module 0 1794 OB8EPXT FLEX I 0 XT 24V DC 14 771 049 6 77E
4. i Safe Cat No Firmware Description between i Spurious Spurious Version Failure 49 RS Agu Tertoo Trip Rate PERO Trip Rate T prp MTBF EE STR STR a SFF 1794 TB3 A LEX 1 0 terminal base unit 250 000 00 4 00E 09 2 00 09 80 8 00 10 1 20 09 3514 6 40E 09 12346 4 00 11 3 51 07 0 1794 TB3G A LEX 1 0 cage clamp generic 100 000 00 1 00E 08 5 00E 09 80 2 00E 09 3 00 09 3514 60 08 2346 1 00 10 8 79E 07 erminal base unit 0 1794 TB3GS A LEX 1 0 spring clamp generic 100 000 00 1 00E 08 5 00E 09 80 2 00E 09 3 00 09 3514 60E 08 2346 1 00E 10 8 79E 07 erminal base unit 0 1794 835 LEX 1 0 terminal base unit 100 000 00 1 00E 08 5 00E 09 80 2 00E 09 3 00 09 3514 60 08 2346 1 00 10 8 79E 07 Not 0 Not allowed for 1001 1794 TB3T A Applicable LEX 1 0 temperature terminal 100 000 00 1 00E 08 5 00E 09 80 2 00E 09 3 00 09 3514 configurations 60E 08 2346 1 00E 10 8 79E 07 base unit 0 1794 TB3TS A LEX 1 0 spring clamp 52 312 000 1 91E 08 9 56 09 80 3 82E 09 5 73E 09 3514 3 06E 08 2346 1 91E 10 1 68 06 terminal base unit 1794 TBN A LEX 1 0 NEMA terminal base 100 000 00 1 00E 08 5 00E 09 80 2 00E 09 3 00 09 3514 60E 08 2346 1 00E 10 8 79E 07 unit 0 1794 TBNF A LEX 1 0 NEMA fused terminal 100 000 00 1
5. 43363 Write the application logic generate fault the event of a miscompare between the controller the actual output state and the monitored input Rockwell Automation Publication 1756 RM001L EN P July 2014 ControlLogix 1 0 Modules Chapter 5 Figure 25 Comparison Logic for Requested versus Actual Output Application Logic Output Fault Output Data Echo Monitoring Input Timer must be preset in milliseconds to imer D accommodate 1 communication times of Output Data Echo Monitoring echo signal and filter time of input Fault Secondary A Done Fault Alarm to Operator Output Fault contact must represent module and channel diagnostics The control diagnostics and alarming functions must be performed in sequence For more information on faults see Chapter 8 Faults in the ControlLogix System on page 99 You can also wire two isolated standard outputs in series to critical actuators In the event that a failure is detected the outputs from each of the output modules must be set to OFF to make sure the field devices de energize Figure 26 shows how to wire two isolated standard outputs in series to critical actuators Figure 26 ControlLogix Standard Output Module Wiring with Two Modules Standard Isolated Stan
6. Terminal Block 1 Terminal Block 2 Terminal Block 1 Terminal Block 2 Row Row C Row B Row B Two wire Transmitters Operating in 4 20 mA Current Mode Output from 1756 0B16D Module Pair Trigger Reference Tests 0 Off Two wire Transmitter Dyer is cable length 005 0 5 m 010 1 0 m 025 2 5 m 050 5 0 m 136 Rockwell Automation Publication 1756 RM001L EN P July 2014 Using ControlLogix and FLEX 1 0 Modules in SIL 1 Applications Appendix D Figure 66 SIL 11794 Analog Input Wiring Example Simplex 1756 Analog Input Module Input Values from Field Devices All configured for 0 5V operation Solid state switch controlled by DC output Reference Voltages DIP Switch for Sensor User supplied cable Precision 249 Resistor MOSES AAA Terminal Block 1 Terminal Block 2 Terminal Block 1 Terminal Block 2 Row Row C Row B Row B Two wire Transmitters Operating in 4 20 mA Current Mode Output from 1756 0B16D Module Pair Trigger Reference Tests 0 Off Two wire Transmitter To make your own cable follow the termination board pinout shown below P1 Pins Description 3 nput 0 2 nput 1 1 nput 2
7. 13 Programming and Debugging Tool 14 About the ControlLogix System 14 Gas and Fire Considerations 14 Boiler and Combustion 16 Typical SIL 2 Configurations V seams 17 Simplex Configuration 8 17 Duplex Logic Solver Configurations 24 Duplex System Configuration 25 28 Proof Testing with Redundancy Systems 29 Reaction us aa u aa kak a CENE a 30 Reaction Times in Redundancy Systems 30 Safety Watchdog uapa esce tutt n ap inasa 31 Safety Certifications and Compliances 31 Chapter 2 Module Fault Reporting ces kt asen viet tle 33 Data Echo Communication Check 34 IAM eR MEE 35 Salt Waters psa con LADEN Ld e lata 35 COMMU ICAUOR To I ode eee temere 36 Communication PO ES eite toe 36 ControlNet Network det te Co a Son 36 EtherNet IP Networks au Ga bt va a pps 37 Electronic Keying of Modules in SIL 2 Applications 37 Chapter 3 ControlLogix Controllers ash tod 39 Operating Modes tete hd Ee ee
8. 1794 ACN15 D 10 003 FLEXI O ControlNet adapter 8 223 684 1 22 07 6 08E 08 80 2 43E 08 3 65E 08 8770 1 95 07 5850 1 24 09 2 70E 05 1794 ACNR15 D 10 003 52 0 ControlNet redundant 8 223 684 1 22 07 6 08 08 80 2 43E 08 3 65E 08 8770 1 95 07 5850 1 24 09 2 70E 05 adapter 1794 ACNR15XT D 10 003 FLEXI O XTControlNetadapter 8 223 684 1 22E 07 6 08E 08 80 2 43E 08 3 65E 08 8770 ee 1 95 07 5850 1 24 09 2 70E 05 1794 AENT B 4 003 FLEX 1 0 EtherNET IP adapter 1 779 827 5 62 07 2 81 07 80 1 12E 07 1 69E 07 8770 configurations 8 99 07 5850 6 12E 09 1 30 04 1794 AENTR 1 013 FLEX 1 0 EtherNET IP adapter 1 268 070 7 89E 07 3 94 07 80 1 58E 07 2 37 07 8770 1 26 06 5850 8 87E 09 1 87E 04 Ring media 1794 AENTRXT 1 013 1 268 070 7 89E 07 3 94 07 80 1 58E 07 2 37 07 8770 126E 06 5850 8 87E 09 1 87E 04 ing media Rockwell Automation Publication 1756 RM001L EN P July 2014 131 Appendix C PFD and PFH Calculations for a SIL 2 System Table 12 5 Year PFD Calculations MeanTime Common
9. 1756 EN2TR j ca I 5 2 SN Rockwell Automation Publication 1756 RM001L EN P July 2014 Chapter 1 27 Chapter1 SIL Policy Figure 14 Duplex System ControlNet Configuration Overall Safety Loop x zc LLL EccL u mas su ss 1 ControlLogix Chassis Secondary Chassis SIL 2 certified ControlLogix Safety Loop el Fr Ir l Wr 1 0 Chassis B ontrolNet 1 0 Chassis A OutputCh B Analog Input Digital Input Digital Output Termination Board Termination Board Termination Board r Gaan 0 Tas sss ee ee Sas nee eee isa ea ee E Field Device Field Device Field Device w w l l l l l l l l l l l l l l l l l l 4 The duplex system configuration uses safety and programming principles described in this manual as well as programming and hardware described in the application technique manuals For more information about the ControlLogix SIL 2 certified system refer to ControlLogix SIL 2 System Configuration Using SIL 2 Add On Instructions publication 1756 AT012 Proof Tests IEC 61508 requir
10. Actuator Output2B 1756 EN2T 1756 EN2TR Standard Communication Input 3A Output 4A 1756 EN2TR EtherNet IP Remote 1 0 Chassis Output 4B 1756 EN2TR EtherNet IP Sensor i l EtherNet IP 18 Rockwell Automation Publication 1756 RMO01L EN P July 2014 SIL Policy Chapter 1 Figure 4 Fail safe ControlLogix ControlNet Configuration Safety and Standard Connections on the Same Network 1756 CN2R Output Ch A Communication Dual networks are required because one of the ControlNet networks includes standard devices that is those that are not SIL 2 rated Output Ch B l l l l l l Standard i In Figure 5 non SIL 2 communication on separate subnets lets you place redundant channel I O in the same rack Figure 5 Fail safe ControlLogix ControlNet Configuration with Non SIL 2 Communication Safety and Standard Connections on Separate Networks Overall Safety Loop Output2B Standard Communication ControlNet Remote 1 0 Chassis Output 4A Dual networks are not required because a separate network is being used for standard devices Remote 1 0 Chassis Output4B ControlNet Rockwell Automation Publication 1756 RM001L EN P July 2014 19 Chapter1 SIL Policy 20 Figure 6 Fail safe ControlLogix EtherNet IP Configuration Single DLR Loop for Sa
11. Votes Checks Yes No Comment Before a Modification Are the configuration of the ControlLogix system and the application program created on L the basis of safety aspects Are programming guidelines used for the creation of the application program After a Modification Before Loading Has a review of the application program with regard to the binding system specification been carried out by a person not involved in the program creation Has the result of the review been documented and released date signature Was a backup of the complete program created before loading a program in the ControlLogix system After a Modification After Loading Was a sufficient number of tests carried out for the safety relevant logical linking including 1 0 and for all mathematical calculations Was all force information reset before safety operation Has it been verified that the system is operating properly Have the appropriate security routines and functions been installed 5 controller keyswitch in mode and the key removed Rockwell Automation Publication 1756 RM001L EN P July 2014 143 AppendixE Checklists Notes 144 Rockwell Automation Publication 1756 RM001L EN P July 2014 Numerics 1001 architecture 135 1001 configuration 118 1002 configuration 118 1 year PFD calc
12. 1794 IE8 Analog Input Analog Input 1794 IE8 1794 IE8 1794 TB3 2 Source B EE RUE ic dM D E Analog Input Analog Input 1794 IFAI 1794 IFAI 1794 TB3 1794 TB3 Current RET Current RET Source A Source B Rockwell Automation Publication 1756 RM001L EN P July 2014 81 Chapter6 FLEX 1 0 Modules Wiring the Thermocouple Input Module In addition to following che Requirements When Using FLEX I O Analog Input Modules on page 77 and before wiring the module consider the following application guideline e Wire to the same input channel on both modules When wiring thermocouples wire two in parallel to two modules Use the same channel on each module to make sure of consistent temperature readings Figure 50 FLEX 1 0 Analog Thermocouple Module Wiring Thermocouple Thermocouple 1794 78 Input Module Input Module 1794 118 1794 TB3T 1794 TB3T mmm mmm m Thermocouple Thermocouple RID mV 1794 IRT8 RTD mV 1794 IRT8 Input
13. The diagnostic you implement must monitor the ability ofall SIL 1 inputs to detect a change of state One method would be to turn off the output and monitor that all SIL 1 inputs detect the loss of signal within a short period of time Then when the output turns back on make sure that all SIL 1 inputs properly detect the change You need to consider and mitigate any impact to your system while the diagnostic is executing Figure 64 SIL 1 Digital Input Wiring Example for 1794 1 0 Modules Field Power Field Devices 1 tite 2 othe 3 TIP Field diagnostics as described for 1794 1 0 modules can also be used to meet the requirements for periodic proof testing with either 1794 or 1756 1 0 modules Rockwell Automation Publication 1756 RM001L EN P July 2014 135 AppendixD Using ControlLogix and FLEX 1 0 Modules in SIL 1 Applications Termination boards 1492 TIFM16 F 3 can be used to provide a voltage reference for periodic testing as shown below Figure 65 SIL 11756 Analog Input Wiring Example Simplex 1756 Analog Input Module Input Values from Field Devices All configured for 0 5V operation 1756 Analog Input Module Solid state switch controlled by DC output Reference Voltages DIP Switch for Sensor 1492 CABLExxxUA to 1756 Analog Input Module Precision 249 l Resistor 7
14. o Ch0 cho Ch0 4 cho SIL 2 Transmitter Voltage Output Source Figure 30 Analog Input Wiring Example with Termination Boards Analog Input Module A Input Values from Field Devices All configured for 0 5V operation Precision 249 4 a Analog Input Module Input Values from Field Devices All configured for 0 5V operation Solid state switch controlled by DC output S Reference Voltages tS A lt gt 3 DIP Switch for Sensor z 8 Wiring gt S e mu i Resistor To eu meas 1 l Terminal Block 1 Terminal Block 2 Terminal Block 1 Terminal Block 2 Row Row Row B Row B Two wire Transmitters Operating in 4 20 mA Current Mode s 5 4 e E Rockwell Automation Publication 1756 RM001L EN P July 2014 Output from 1756 08160 Module Pair Trigger Reference Tests 0 Off ControlLogix 1 0 Modules Chapter 5 Wiring the Single ended Input Module in urrent Mode Make sure you review the considerations in Using 1756 Analog Input Modules on page 58 use the corre
15. 1 0 modules calibrate 58 fault reporting 100 proof test 1756 analog input modules 58 1756 analog output modules 67 1756 digital input modules 51 1756 digital output modules 53 1794 analog output modules 84 1794 digital input modules 73 1794 digital output modules 75 wiring 1756 analog input modules 60 1756 analog output modules 69 1756 digital input modules 51 1756 digital output modules 54 1756 RTD input modules 64 1756 thermocouple input modules 64 1794 analog input modules 80 1794 analog output modules 87 1794 digital input modules 74 1794 digital output modules 76 1794 RTD input modules 83 1794 thermocouple input modules 82 HART analog input modules 66 HART analog output modules 71 1 61131 3 89 1 61508 13 28 118 1 61511 13 97 98 105 interface HMI use and application 103 105 K KEYSTATE word 101 keyswitch 35 40 91 checking position 100 life cycle commissioning 96 logic developing 93 Logix CPU Security 90 M manual override circuit 15 Mean Time Between Failures MTBF defined 9 Mean Time To Restoration MTTR defined 10 modes 39 module fault reporting 33 100 monitor channel status 59 68 motion 94 MTBF See Mean Time Between Failures MTBF MTTR See Mean Time To Restoration network update time 31 NFPA 85 NFPA 86 16 0 operating modes 39 output data echo digital outputs and 53 Rockwell Automation Publication 1756 RMO01L EN P July 2014 Index ownersh
16. 108 Rockwell Automation Publication 1756 RM001L EN P July 2014 Reaction Times of the ControlLogix System Appendix A Input filter time is configurable via the Configuration tab on the Module Properties dialog box in the programming software e Ifthe safe state in your application is low use the On gt Off Input Filter Time e If the safe state in your application is high use the Off gt On Input Filter Time Figure 62 Digital Module Configuration Module RPI is configurable via the Connection tab Rockwell Automation Publication 1756 RMOO1L EN P July 2014 109 Appendix 110 Reaction Times of the ControlLogix System For Analog Modules Use this formula to determine worst case reaction time for analog modules in local or remote configurations Worst Case Reaction Time with no faults or errors Real Time Sample RTS Rate Input Module RPI x 4 8 16 2100 ms SIL 2 Task Period SIL 2 Task Watchdog Output Module RPI x 4 8 16 gt 100 ms Output Module Delay Filter time and RTS are configurable via the Configuration tab on the Module Properties dialog box in the programming software Module RPI is configurable via the Connection tab Figure 63 Analog Module Configuration m Module Properties Report Local 2 1756 IF6I 1 1 x General Connection Module Info i larm Configuration Calibration Backplane Channel Input Range 10v to 10V Sensor
17. The application software for the SIL 2 related automation system is created using the programming tool that is RSLogix 5000 software according to IEC 61131 3 The application program has to be created by using the programming tool and contains the specific equipment functions that are to be carried out by the ControlLogix system Parameters for the operating function are also entered into the system using the programming software The safety concept of the SIL 2 ControlLogix system assumes the following The programming software is installed correctly Control system hardware is installed in accordance with product installation guidelines User application code user program uses common and good design practices e test plan is documented and adhered to including well understood proof test requirements and procedures well designed validation process is defined and implemented Rockwell Automation Publication 1756 RM001L EN P July 2014 89 Chapter7 Requirements for Application Development Programming Languages Programming Options Security 90 For the initial start up of a safety related ControlLogix system the entire system must be checked by a complete functional test After a modification of the application program the modified program or logic must be checked For more information on how users should handle changes to their application program see Changing Your Application Pr
18. 1 Year PFD Calculations Common Terms 1001 Configuration 1002 Configuration MeanTime 4 1 Firmware inti between Safe Version Description Failure 9 Failure Trip Rate Te prp E MTBF Fraction STR GE 3 SFF 1756 CNB 11 005 ControlLogix ontrolNe 1 786 977 5 60 07 2 80E 07 95 2 80 08 2 52E 07 448 5 32E 07 2 80 08 1 25 04 communication module 1756 CNBR 11 005 ControlLogix ontrolNe 2 608 543 3 83 07 E redundant communication module 1756 CN2 20 011 ControlLogix ontrolNe 1 096 299 9 12 07 communication module 1756 CN2 25 004 ControlLogix ontrolNe Calculated 1 97 06 communication module MTBF and PFD via FMEA 1756 CN2R 20 011 ControlLogix ontrolNe 1 096 299 9 12E 07 i redundant communication Not Applicable module 1756 CN2R 125 004 ControlLogix ontrolNe Calculated 1 97 06 redundant communication MTBF and module PFD via FMEA 1756 CN2RXT 20 011 ControlLogix XT ontrolNet 1 980 160 5 05 07 redundant communication module 1756 CN2RXT 25 004 ControlLogix XT ControlNet Calculated 1 97 06 9 87E 07 96 6 6 62E 08 9 21E 07 303 63 redundant communication MTBF and module PFD via FMEA 1756 0 7 002 ControlLogix Data Highway Plus
19. 14 nput 3 15 nput 4 16 nput 5 1 nput 6 18 nput 7 12 nput 8 13 nput 9 25 nput 10 24 nput 11 23 nput 12 22 nput 13 Rockwell Automation Publication 1756 RM001L EN P July 2014 137 AppendixD Using ControlLogix and FLEX 1 0 Modules in SIL 1 Applications Pins Description 20 Input 14 21 Input 15 4 RTN 6 8 10 RTN When using controllers and network communication modules follow the guidelines listed in this safety manual IMPORTANT When using 1756 or 1794 outputs in SIL 1 configurations you must implement a secondary means to shut off the outputs Table 14 lists additional considerations that must be made with various ControlLogix modules in a SIL1 application Table 14 Considerations for SIL1 Applications by Module Module Controllers Additional considerations None Use the controller exactly as described previously in this manual ControlNet modules None Use the modules exactly as described previously in this manual Ethernet modules Digital output modules None Use the modules exactly as described previously in this manual Diagnostic output modules are recommended in a SIL1 application Implement a secondary shutdown path if the SIL1 application requires a fail safe OFF in the event of a shorted output Digital input modules Only one module is required in a SIL1 application Periodic tests of the inputs should be performed as described previ
20. 8770 1 62E 07 5850 1 03E 09 2 24E 05 module 1794 IFAIXT FLEX 1 0 isolated analog 7 297 140 1 37E 07 6 85E 08 80 2 74E 08 4 11E 08 8770 2 19E 07 5850 1 40 09 3 05 05 input module 1794 IF4ICFXT I FLEX 1 0 isolated analog 7 297 140 1 37E 07 6 85 08 80 2 74E 08 4 11E 08 8770 2 19E 07 5850 1 40 09 3 05 05 input module 1794 IR8 FLEX 1 0 RTD input module 5 016 231 1 99E 07 9 97 08 80 3 99 08 5 98E 08 8770 3 19E 07 5850 2 06E 09 4 46E 05 1794 IR8XT 1 0 RTD input module 9 585 890 1 04E 07 5 22E 08 80 2 09 08 3 13 08 8770 or oni 1 67E 07 5850 1 06E 09 2 31E 05 1794 IRT8 El FLEX 1 0 RTD Thermocouple 1 407 269 7 11E 07 3 55E 07 80 142E 07 2 13E 07 8770 configurations 1 14 06 5850 7 91 09 1 67E 04 input module 1794 IRT8XT 1 FLEX 1 0 RTD Thermocouple 8 204 792 1 22E 07 6 09 08 80 2 44 08 3 66E 08 8770 1 95E 07 5850 1 24E 09 2 71E 05 input module 1794 IT8 FLEX 1 0 Thermocouple input 2 097 509 4 77 07 2 38 07 80 9 54E 08 1 43E 07 8770 7 63E 07 5850 5 13 09 1 10 04 module 1794 IF2XOF21 FLEX 1 0 isolated analog input 8 464 844 1 18 07 5 91 08 80 2 36 08 3 54E 08 8770 1 89E 07 5850 1 20E 09 2 62E 05 output module 1794 IF2XOF2IXT A FLEX 1 0 isolated analog 6 317 918 1 58 07 7 91E 08 80 3 17 08 4
21. Cat No Description Related Documentation 1794 IR8 FLEX 1 0 RTD input module 1794 IN021 1794 IR8XT FLEX1 0 XT RTD input module 1794 0400 1794 RT8 FLEX 1 0 Thermocouple RTD input module 1794 IN050 1794 IRT8XT FLEX 1 0 Thermocouple RTD analog input module a 1794 2 FLEX 1 0 counter module 1794 IN049 1794 12 FLEX 1 0 counter module V24 UMCTI 1794 4 FLEX 1 0 counter module 1794 IN064 1794 UM016 1794 EAXOE2XT 0 analog input output module 1794 125 1794 IE8XT FLEXI 0 XT analog input module 1794 IN125 1794 0E4XT FLEX I 0 XT analog output module 1794 IN125 1794 OFAIXT FLEX I 0 XT isolated analog output module 1794 IN129 1794 UM008 1794 TB3 FLEX 1 0 terminal base unit 1794 TB3S FLEX 1 0 terminal base unit 1794 TB3T FLEX 1 0 temperature terminal base unit 1794 TB3TS FLEX 1 0 spring clamp temperature terminal base unit 1794 14092 1794 TB3G FLEX 1 0 cage clamp generic terminal base unit 1794 TB3GS FLEX 1 0 spring clamp generic terminal base unit 1794 TBN FLEX 1 0 NEMA terminal base unit 1794 TBNF FLEX 1 0 NEMA fused terminal base unit 1 Some catalog numbers have K suffix This indicates a version of the product that has conformal coating These K versions have the same SIL 2 certification as the non K versions For more information on which products have conformal coating go to http ab com rockwellautomation com 2 These publications are available from Rockwell Automation by visiti
22. Description Provides information on how to use specific instructions to get and set controller system data stored in device objects Logix5000 Controllers Common Procedures Programming Manual publication 1756 PM001 ControlLogix Analog 1 0 Modules User Manual publication 1756 UM009 ControlLogix Digital 1 0 Modules User Manual publication 1756 UM058 Provides information on controller fault codes including major and minor codes and on creating fault and power up routines Provides information on accessing modules run time operational and process status Rockwell Automation Publication 1756 RM001L EN P July 2014 Precautions Accessing Safety related Systems Chapter 9 Use of Human to Machine Interfaces Topic Page Precautions 103 Accessing Safety related Systems 103 You must exercise precautions and implement specific techniques on HMI devices These precautions include but are not restricted to the following e Limited access and security Specifications testing and validation e Restrictions on data and access Limits on data and parameters For more information on how HMI devices fit into a typical SIL loop see Figure 10 on page 24 Use sound techniques in the application software within the HMI and controller HMI related functions consist of two primary activities reading and writing data Reading Parameters in Safety related Systems Reading data is unrestricted becaus
23. 1001 Confi 1001 Configuration 1002 Configuration MeanTime 1 Firmware between Safe Spurious Cat No a Version Description Failure 9 Failure Rate Pru prp 2 MTBF Fraction STR GE a SFF 1756 AXX C ControlLogix chassis 22 652 010 4 41E 08 1756 A4LXT B 4 slot ControlLogix XT chassis 1 069 120 9 35 07 1756 A5XT 5 slot ControlLogix XT chassis 734 420 1 36E 06 1756 A7LXT B 7 slot ControlLogix XT chassis 27 628 178 3 62E 08 1756 A7XT c 7 slot ControlLogix XT chassis 1 081 600 9 25E 07 1756 PB72 C 18 32V DC ControlLogix 31 561 095 3 17E 08 power supply 1756 PA72 C 85 265V AC 10A ControlLogix 18 336 146 5 45E 08 power supply 1756 PA75 B 85 265V AC 13A ControlLogix 18 693 044 5 35E 08 power supply 75W 1756 PA75R A 85 265V AC 13A Redundant 1412877 7 08 07 ControlLogix power supply 1756 PB75 B 18 32V DC 13A ControlLogix 15 675 475 6 38E 08 power supply 1756 PB75R A 18 32V DC 13A Redundant 1 736 020 5 76E 07 ControlLogix power supply 1756 PAXT B Not ControlLogix XT AC power supply 18 693 044 5 35E 08 Applicable Not Applicable 1756 PBXT B ControlLogix XT DC power 1 855 360 5 39E 07 2 69 08 supply 1756 75 B 30 60V DC 13A ControlLogix 5 894 836 1 70 07 8 48E 09 power supply 1756 PH75 B 90 143V DC 13A ControlLogix 2 119 520 4 72 07 2 36E 08 power supply 1756 PSCA A Redundant power supply 45 146 727 2 21E 08 1 11E 09 adapter 1756 PSCA2 A Redundant power supp
24. 95 4 56E 08 4 10E 07 886 8 67E 07 communication module 1756 CN2 25 004 ControlLogix ControlNet Calculated 1 97E 06 9 87 07 96 6 6 62 08 9 21E 07 597 25 1 91E 06 communication module MTBF and PFD via FMEA 1756 CN2R 20 011 ControlLogix ControlNet 1 096 299 9 12 07 4 56E 07 95 4 56E 08 4 10E 07 886 redundant communication Not Applicable module 1756 CN2R 25 004 ControlLogix ControlNet Calculated 1 97E 06 9 87 07 96 6 6 62E 08 9 21E 07 597 25 1 91E 06 redundant communication MTBF and module PFD via FMEA 1756 CN2RXT 20 011 ControlLogix XT ControlNet 1 980 160 5 05 07 2 53E 07 95 2 53E 08 2 27E 07 886 redundant communication module 1756 CN2RXT 25 004 ControlLogix XT ControlNet Calculated 1 97E 06 9 87 07 96 6 6 62E 08 9 21E 07 597 25 1 91E 06 redundant communication MTBF and module PFD via FMEA 1756 DHRIO 7 002 ControlLogix Data Highway Plus 2 503 396 7 59E 07 Remote 1 0 Module 1756 DHRIOXT 7 002 ControlLogix XT Data Highway 2 503 396 7 59E 07 Plus Remote 1 0 Module i 7 Non interference only Not applicable Not applicable 1756 04887 D 12 005 ControlLogix DeviceNe 2 192 202 8 67E 07 communication module 1756 ENBTO 4008 ControlLogix EtherNet 2 088 198 9 10 07 6 006 communication module 1756 EN2T 5 008 ControlLogix EtherNet 1312712 7 62E 07 3 81E 07 95 3 81E 08 3 43E 07 886 3 81E 08 3 37E co
25. Not applicable 1756 1 161 A 3 003 ControlLogix isolated V 20 801 920 4 81E 08 2 40E 08 80 9 61E 09 1 44 08 8770 3 85E 08 9 61E 09 2 11E 04 7 69E 08 5850 4 84 10 1 06E 05 module 1756 IA8D A 3 003 ControlLogix diagnostic V AC 15 966 080 6 26E 08 3 13E 08 80 1 25E 08 1 88E 08 8770 5 01E 08 1 25E 08 2 75E 04 1 00E 07 5850 6 33 10 1 38E 05 input module 1756 18160 3 003 ControlLogix diagnostic V DC 30 228 640 3 31E 08 1 65 08 80 6 62 09 9 92 09 8770 2 65 08 6 62E 09 1 45 04 5 29 08 5850 3 33E 10 7 28E 06 input module 1756 18161 3 003 ControlLogix isolated V DC input 81 443 094 1 23E 08 6 14E 09 80 2 46 09 3 68 09 8770 9 82 09 2 46 09 5 38E 05 1 96 08 5850 1 23 10 2 70 06 module 130 Rockwell Automation Publication 1756 RM001L EN P July 2014 PFD and Calculations fora SIL2 System Appendix Table 12 5 Year PFD Calculations Common Terms 1001 Configuration 1002 Configuration MeanTime i Safe Cat No Firmware Description between i Spurious V 9 Failure 4 10 3 Vm wre Fraction Mu m Rate Toe PERO PFD 1756 IB16ISOE 2 007 ControlLogix isolated V DC 11 537 760 8 67E 08 4 33E 08 80 1 73E 08 2 60E 08 8770 1 39E 07 5850 8 79 10 1 92E 05 Sequence 0f Events input module 1756 1832 3 005 ControlLogixV DC input module
26. RTD input module 9 585 890 1 04E 07 3 13E Not allowed for 1001 1 67 07 1178 1 05E 09 4 61E 06 1794 IRT8 FLEX 1 0 RTD Thermocouple 1 407 269 7 11E 07 1 42 07 configurations 1 14 06 1178 7 27E 09 3 18E 05 input module 1794 IRT8XT 1 FLEX 1 0 RTD Thermocouple 8 204 792 1 22E 07 6 09E 08 80 2 44 08 3 66 08 1762 1 95 07 1178 1 22 09 5 38E 06 input module 1794 18 FLEX 1 0 Thermocouple input 2 097 509 4 77 07 2 38 07 80 9 54 08 1 43 07 1762 7 63 07 1178 4 84 09 2 12 05 module 1794 IF2XOF21 I FLEX 1 0 isolated analog input 8 464 844 1 18E 07 5 91E 08 80 2 36 08 3 54 08 1762 1 89 07 1178 1 19 09 5 22E 06 output module 1794 IF2XOF2IXT A FLEX 1 0 isolated analog 6 317 918 1 58 07 7 91E 08 80 3 17 08 4 75E 08 1762 2 53E 07 1178 1 59 09 7 00E 06 input output module 1794 IE4XOE2XT 0 analog input output 11 800 802 8 47E 08 4 24E 08 80 1 69E 08 2 54E 08 1762 1 36 07 1178 8 50E 10 3 74E 06 module 1794 0E4 B WAT FLEX 1 0 analog output module 18 433 610 5 42E 08 8 68E 08 1178 5 43E 10 2 39E 06 1794 0E4XT B FLEX 1 0 XT analog output 11381744 8 79E 08 141E 07 1178 8 81E 10 3 88E 06 module Not allowed for 1001 1794 OF4l All FLEX 1 0 analog output module 23 884 409 4 19E 08 configurations 670E08 1178 4 19E 10 1 85E 06 1794 OF4IXT FLEX 1 0 analog output 5 493
27. The average probability of a system to fail to perform its design function on on Demand demand PFH Probability of Failure The probability of a system to have a dangerous failure occur per hour per Hour SFF Safe Failure Fraction The ratio of safe failure plus dangerous detected failure to total failures SIL Safety Integrity Level A discrete level for specifying the safety integrity requirements of the safety functions allocated to the electrical electronic programmable electronic E part of the safety system STR Spurious Trip Rate That part ofthe overall failure rate that does not lead to a dangerous undetected failure Channel Equivalent The sum of downtime contributions from both the dangerous detected Mean Downtime failure rate and the dangerous undetected failure rate on a per channel basis Tat System Equivalent The sum of downtimes resulting from dangerous detected and dangerous Downtime undetected failure rates associated with both channels Rockwell Automation Publication 1756 RM001L EN P July 2014 Additional Resources Preface These resources contain more information related to the ControlLogix system Resource ControlLogix SIL 2 System Configuration Using RSLogix 5000 Subroutines publication 1756 010 Description Explains how to configure a SIL 2 certified system by using subroutines provided by Rockwell Automation ControlLogix SIL 2 System Configuration Using RSLogix 5000 Sub
28. 00E 09 8770 1 60E 08 5850 1 00 10 2 19E 06 fused output module 0 1794 OB8EPXT FLEX I 0 XT 24V DC 14 771 049 6 77E 08 3 38E 08 80 1 35E 08 2 03E 08 8770 1 08E 07 5850 6 84E 10 1 49E 05 electronically fused output module 1794 0B16 A FLEX 1 0 24V DC output module 54 322 632 1 84E 08 9 20E 09 80 3 68E 09 5 52E 09 8770 2 95E 08 5850 1 85E 10 4 04 06 1794 0816 A FLEXI O 24V DC protected 100 000 00 1 00E 08 5 00E 09 80 2 00 09 3 00E 09 8770 1 60 08 5850 1 00 10 2 19E 06 output module 0 1794 OB16PXT Not FLEX I 0 XT 26 709 401 3 74E 08 1 87 08 80 7 49E 09 1 12E 08 8770 5 99E 08 5850 3 77 10 8 24 06 Applicable 24V DC protected output module 1794 0W8 A FLEX 1 0 isolated relay output 29 088 895 3 44E 08 1 72E 08 80 6 88E 09 1 03E 08 8770 5 50E 08 5850 3 46 10 7 56 06 module 1794 0W8XT A FLEXI 0 XTisolated relay output 18 518 519 5 40E 08 2 70E 08 80 1 08 08 1 62 08 8770 8 64 08 5850 5 45 10 1 19 05 module 1794 IE8 B FLEX 1 0 analog input module 18 914 770 5 29E 08 2 64E 08 80 1 06 08 1 59E 08 8770 8 46E 08 5850 5 33 10 1 17E 05 ot 1794 1 8 Applicable FLEX 1 0 XT analog input 14 041 000 7 12E 08 3 56E 08 80 1 42 08 2 14E 08 8770 1 14 07 5850 7 20E 10 1 57E 05 module 1794 IHI 1 1 0 isolated analog input 9 885 959 1 01E 07 5 06E 08 80 2 02 08 3 03 08
29. 08 1 08 07 1178 6 78E 10 2 99E 06 electronically fused output module 1794 0B16 A FLEX 1 0 24V DC output module 54 322 632 1 84E 08 5 52E 2 95E 08 1178 1 84 10 8 11E 07 1794 0816 FLEX 1 0 24V DC protected 100 000 00 1 00E 08 3 00 Not allowed for 1001 1 60 08 1178 1 00E 10 4 41E 07 output module 0 configurations 1794 OB16PXT Not FLEX I 0 XT 26 709 401 3 74E 08 1 12E 08 5 99 08 1178 3 75E 10 1 65E 06 m 24V DC protected output module Applicable 1794 0W8 A FLEX 1 0 isolated relay output 29 088 895 3 44E 08 1 03E 5 50E 08 1178 3 44E 10 1 52E 06 module 1794 0W8XT A FLEXI 0 XTisolated relay output 18 518 519 5 40E 08 1 62E 8 64E 08 1178 5 41E 10 2 38E 06 module 1794 8 B FLEX 1 0 analog input module 18 914 770 5 29E 08 1 59E 8 46 08 1178 5 30 10 2 33E 06 ot 1794 IEBXT Applicable FLEX 1 0 XT analog input 14 041 000 7 12E 08 2 ME 1 14 07 1178 7 14E 10 3 14E 06 module 1794 IF4I FLEX 1 0 isolated analog input 9 885 059 1 01 07 3 03E 1 62 07 1178 1 01E 09 4 47E 06 module 1794 IFAIXT FLEX 1 0 isolated analog 7 297 140 1 37E 07 4 ME4 2 19E 07 1178 1 38E 09 6 05E 06 input module 1794 IF4ICFXT FLEXI O XT isolated analog 7 297 140 1 37 07 4 11E 08 219E07 1178 138 09 6 05E 06 input module 1794 IR8 FLEX 1 0 RTD input module 5 016231 1 99 07 5 98E 3 19 07 1178 2 01E 09 8 82 06 1794 IR8XT FLEX 1 0
30. 1 80E 07 2346 1 13E 09 9 94E 06 output module 1756 0B16E 3 003 ControlLogix V DC electronic ally 14 997 714 6 67E 08 3 33 08 80 1 33 08 2 00 08 3514 5 33EF 08 1 33 08 1 17E 04 1 07 07 2346 6 70E 10 5 87E 06 fused output module 1756 0816 3 002 ControlLogix V DC isolated 7 388 160 1 35E 07 6 77 08 80 2 71 08 4 06 08 3514 1 08 07 2 71 08 2 38E 04 2 17E 07 2346 1 37E 09 1 20E 05 output module 1756 0832 A 3 002 ControlLogix V DC output 2 681 316 3 73 07 1 86 07 80 7 46 08 1 12 07 3514 2 98 07 7 46E 08 6 55E 04 5 97E 07 2346 3 82E 09 3 33E 05 module 1756 088 3002 ControlLogix V DC isolated 14 019 200 7 13E 08 3 57E 08 80 1 43 08 2 14E 08 3514 143 125 1 14 07 2346 7 17 10 6 29E 06 electronic ally fused output module 1756 0X8l A 13 002 ControlLogix isolated relay 6 059 635 1 65 07 8 25 08 80 3 30E 08 4 95E 08 3514 3 30 E 04 2 64 07 2346 1 67E 09 1 46E 05 output module 1756 0W16l A 13 002 ControlLogix isolated relay 13 695 899 7 30E 08 3 65E 08 80 1 46E 08 2 19E 08 3514 1 46 17E 07 2346 7 34 10 6 43E 06 output module 1756 0F8 1005 ControlLogix analog output 10 629 795 9 41E 08 4 70E 08 80 1 88 08 2 82E 08 3514 51E 07 2346 9 46 10 8 30 06 module 1756 OF6VI A 1 013 ControlLogix isolated analog 21 604 960 4 63E 08 2 31E 08 80 9 26E 09 1 39 08 3514 E 05
31. 10 462 329 9 56E 08 4 78E 08 80 1 91E 08 2 87 08 8770 1 53E 07 5850 9 70E 10 2 12E 05 1756 IF8 1 005 ControlLogix analog input 8 699254 1 15 07 5 75E 08 80 2 30E 08 3 45 08 8770 9 20E 08 2 30 08 5 04E 04 1 84E 07 5850 1 17E 09 2 55E 05 module 1756 IF8H 1 002 ControlLogix HART analog input 1 291 978 7 74E 07 3 87E 07 80 1 55 07 2 32 07 8770 6 19 07 1 55 07 3 39E 03 1 24E 06 5850 8 69E 09 1 84 04 module 1756 1F16 11 005 Logix analog input 4 592 506 2 18 07 1 09E 07 80 4 35 08 6 53 08 8770 1 74E 07 4 35 08 9 55 04 3 48 07 5850 2 25E 09 4 88 05 module 1756 IF16H 1 002 Logix HART analog input 442 914 2 26E 06 1 13 06 8096 4 52E 07 6 77E 07 8770 1 81E 06 4 52E 07 9 90E 03 3 61E 06 5850 3 06E 08 6 13E 04 module 1756 16015 1013 Con Poe 2 654 080 3 77 07 1 88E 07 80 7 54E 08 1 13 07 8770 3 01 07 7 54E 08 1 65E 03 6 03E 07 5850 3 99E 09 8 59E 05 input module 1756 IF6l 1 013 ControlLogix isolated analog 4 176 185 2 39E 07 1 20E 07 80 4 79 08 7 18 08 8770 1 92 07 4 79E 08 1 05 03 3 83E 07 5850 2 49E 09 5 38 05 input module 1756 1 1650 2 007 ControlLogix 2 150 720 4 65 07 2 32E 07 80 9 30 08 1 39 07 8770 7 9 30 08 7 44 07
32. 17 54 68 EN 50156 16 ESD See emergency shutdown ESD applications EtherNet IP network 37 1756 communication modules 43 components 45 F fail safe configuration about 17 fault detection 99 101 fault handling additional resources 102 detection of faults 99 101 fault reporting 33 100 1794 analog input modules 78 1794 analog output modules 85 1794 digital input modules 74 1794 digital output modules 75 76 additional resources 102 detection of faults 99 101 fault tolerant configuration 25 field devices testing 51 field side output verification 34 fire considerations for 14 Rockwell Automation Publication 1756 RMO01L EN P July 2014 FLEX 1 0 analog input modules calibrate 78 wiring 80 analog output modules calibrate 84 wiring 87 components 115 116 digital input modules wiring 74 digital output modules wiring 76 EN 50156 standard 16 module fault reporting 74 75 76 78 85 RTD input modules wiring 83 terminal base units 116 thermocouple input modules wiring 82 floating point data format 58 67 forcing via software 94 G gas and fire applications 14 Get System Value GSV defined 9 keyswitch position 101 GSV See Get System Value GSV hardware 1756 chassis 41 1756 power supply 41 HART analog input modules 65 66 wiring 65 HART analog output modules 71 wiring 71 high availability configuration 24 HMI changing parameters via 104 devices 17 46 103 use and application 103 105 hold last state 14
33. 1756 0F6VI 1 013 ControlLogix isolated analog 21 604 960 4 63E 08 741E 08 1178 4 64E 10 2 04 06 output module 1756 0 6 1 013 ControlLogix isolated analog 8 354667 1 20 07 1 92 07 1178 1 20E 09 5 29E 06 output module 1756 0F8H A 1002 ControlLogix HART analog 5 118 187 1 95E 07 output module 1794 ACN15 D 10 003 FLEX 1 0 ControlNet adapter 8 223 684 1 22 1794 ACNR15 D 10 003 FLEX 1 0 ControlNet redundant 8 223 684 1 22 adapter 3 13E07 1178 1 97E 09 8 64E 06 s 1 95 07 1178 1 22E 09 5 37 06 1 95 07 1178 1 22E 09 5 37 06 s 1794 ACNR15XT 0 10 003 FLEXI O XTControlNetadapter 8 223 684 1 22E 07 1 95 07 1178 1 22 09 5 37E 06 1794 AENT 4 003 FLEX 1 0 EtherNET IP adapter 1 779 827 5 62E 07 8 99 07 1178 5 72E 09 2 50 05 1794 AENTR 1 013 FLEX 1 0 EtherNET IP adapter 1 268 070 7 89E 07 1 26 06 1178 8 08E 09 3 53E 05 Ring media 1794 AENTRXT 1 013 1 268 070 7 89E 07 1 26 06 1178 8 08 09 3 53E 05 ing media Rockwell Automation Publication 1756 RMO01L EN P July 2014 121 Appendix C PFD and PFH Calculations for a SIL 2 System Table 10 1 Year PFD Calculations
34. 1756 DHRI0 SynchLink 1756 SYNCH 1 Not for use in safety functions 2 Some catalog numbers have K suffix This indicates a version of the product that has conformal coating These K versions have the same SIL 2 certification as the non K versions For more information on which products have conformal coating go to http ab com rockwellautomation com ControlLogix communication modules can be used in peer to peer communication between ControlLogix devices The communication modules can also be used for expansion of I O to additional ControlLogix remote I O chassis Rockwell Automation Publication 1756 RMO01L EN P July 2014 43 Chapter4 ControlLogix Communication Modules ControlNet Modules and Components The ControlNet bridge modules catalog numbers 1756 CNB 1756 CNBR 1756 CN2 1756 CN2R and 1756 CN2RXT provide communication between any nodes properly scheduled on the ControlNet network ControlNet Cabling For remote racks a single RG6 coax cable is required for ControlNet communication Although it is not a requirement to use redundant media with the 1756 CNBR or 1756 CN2R modules it does provide higher system reliability Redundant media is not required for SIL 2 operation ControlNet Repeater The following ControlNet repeater modules are approved for use in safety applications up to and including SIL 2 1786 RPCD ControlNet Hub Repeater Module 1786 RPFS Short distance Fiber Repeater Modul
35. 185 2 39 07 1 20E 07 80 4 79 08 7 18 08 3514 1 92E 07 4 79E 08 4 21E 04 3 83E 07 2346 2 43E 09 2 12 05 input module 1756 16 50 2 007 ControlLogix V DC Sequence Of 2 150 720 4 65E 07 2 32E 07 80 9 30E 08 1 39E 07 3514 3 72 07 9 30 08 8 17E 04 7 44E 07 2346 4 79E 09 4 17E 05 Events input module 1756 IR6I 1 013 ControlLogix isolated RTD input 4 268 525 2 34 07 1 17 07 80 4 69 08 7 03 08 3514 3 75 07 2346 2 38 09 2 08 05 module 1756 IT6l 1 013 ControlLogix isolated 3 957 824 2 53 07 1 26 07 80 5 05E 08 7 58 08 3514 Not allowed for 1001 4 04 07 2346 2 57 09 2 24E 05 thermocouple input module configurations 1756 17612 1 013 ControlLogix isolated enhanced 2 720 046 3 68 07 1 84 07 80 7 35 08 1 10 07 3514 5 88E 07 12346 3 76 09 3 28 05 thermocouple input module 1756 0 16 3 002 ControlLogix V AC output 32 891 456 3 04E 08 1 52 08 80 6 08E 09 9 12 09 3514 2 43E 08 6 08E 09 5 34E 05 4 86E 08 2346 3 05E 10 2 67E 06 module 1756 0A8D 3 003 ControlLogix V AC diagnostic 11 311 040 8 84E 08 4 42E 08 80 1 77 08 2 65 08 3514 7 07E 08 1 77E 08 1 55E 04 1 41E 07 2346 8 89E 10 7 80E 06 output module 1756 0B16 A 3 002 ControlLogix V DC diagnostic 8 884 374 1 13E 07 5 63 08 80 2 25 08 3 38 08 3514 9 00 08 2 25E 08 1 98E 04
36. 2 503 396 5 79E 07 Remote 1 0 Module 1756 DHRIOXTO 7 002 ControlLogix XT Data Highway 2 503 396 5 79E 07 Plus Remote 1 0 Module 5 Non interference only Not applicable Not applicable 1756 04887 D 12 005 ControlLogix DeviceNet 2 192 202 6 61E 07 communication module 1756 ENBTO 4008 EtherNet IP 2 088 198 6 94E 07 6 006 communication module 1756 EN2T 5 008 ControlLogix EtherNet IP 1312712 7 62 07 3 81E 07 95 3 81 08 3 43E 07 448 1 71 04 communication module 1756 EN2T D 10 007 ControlLogix EtherNet IP 269 774 Non interference only plicable communication module Not applicable 1756 EN2TR B 5 008 ControlLogix EtherNet IP 3 664 960 2 73 07 1 36E 07 95 1 36 08 1 23E 07 448 6 11E 05 communication module with fault tolerance 1756 EN2TR 10 006 ControlLogix EtherNet IP Calculated 1 97 06 9 87E 07 96 6 6 62E 08 9 21E 07 303 63 3 82E 06 2582 1 36 09 6 11E 06 communication module with MTBF and fault tolerance PFD via 1756 EN2TRXT C 10 006 ControlLogix EtherNet IP RIS 1 97E 06 9 87E 07 196 696 6 62E 08 9 21E 07 303 63 3 82E 06 2582 1 36 09 6 11E 06 communication module with fault tolerance 1756 EN2TXT 5 008 ControlLogix XT EtherNet I 1 300 000 7 69E 07 3 85E 07 95 3 85 08 3 46E 07 448 7 31 07 3 85 08 1 72 04 Not applicable communication module 1756 EN2TXT D 10 007 ControlLogix XT EtherNet I 269 774 3 71E 06 communic
37. 29E 08 2 64E 08 80 1 06E 08 1 59E 08 3514 8 46E 08 2346 5 30E 10 4 65E 06 t 1794 1 8 B Applicable LEX 1 0 analog input 14 041 000 7 12E 08 3 56E 08 80 1 42 08 2 14E 08 3514 1 14 07 2346 7 15E 10 6 28E 06 module 1794 IF4I 1 LEX 1 0 isolated analog input 9 885 959 1 01 07 5 06E 08 80 2 02E 08 3 03 08 3514 1 62 07 2346 1 02E 09 8 92E 06 module 1794 IFAIXT 1 LEX 1 0 isolated analog 7297 14 1 37 07 6 85E 08 80 2 74 08 4 11E 08 3514 2 19E 07 2346 1 38 09 1 21E 05 input module 1794 IF4ICFXT l LEX 1 0 isolated analog 7 297 14 1 37 07 6 85 08 80 2 74 08 4 11E 08 3514 2 19E 07 2346 1 38 09 1 21E 05 input module 1794 IR8 K LEX 1 0 RTD input module 5 016 23 1 99E 07 9 97E 08 80 3 99E 08 5 98E 08 3514 3 19 07 12346 2 02 09 1 77 05 1794 IR8XT K LEX 1 0 RTD input module 9 585 891 1 04E 07 5 22E 08 80 2 09E 08 3 13E 08 3514 Not allowed for 1001 67E 07 2346 1 05E 09 9 20E 06 1794 IRT8 E1 LEX 1 0 RTD Thermocouple 1 407 269 7 11E 07 3 55E 07 80 1 42 07 2 13E 07 3514 configurations 14E 06 2346 7 43 09 6 43E 05 input module 1794 IRT8XT LEX 1 0 RTD Thermocouple 8 204 792 1 22 07 6 09E 08 80 2 44 08 3 66 08 3514 95 07 2346 1 23 09 1 08 05 input module 1794 18 LEX 1 0 Thermocouple input 2 097 509 4 77 07 2 38E 07 80 9 54 08 1 43 07 3
38. 4 1 Provides general guidelines for installing a Rockwell Automation industrial system Product Certifications website http www ab com Provides declarations of conformity certificates and other certification details In addition to the manuals listed you may want to reference installation instructions listed in Appendix B You can view or download publications at http www rockwellautomation com literature To order paper copies of technical documentation contact your local Allen Bradley distributor or Rockwell Automation sales representative Rockwell Automation Publication 1756 RM001L EN P July 2014 11 Preface Notes 12 Rockwell Automation Publication 1756 RM001L EN P July 2014 Introduction to Safety Integrity Level SIL Chapter 1 SIL Policy Topic Page Introduction to Safety Integrity Level SIL 13 Typical SIL 2 Configurations 17 Typical SIL 2 Configurations 17 Proof Tests 28 Reaction Times 30 Reaction Times in Redundancy Systems 30 Safety Watchdog 31 Safety Certifications and Compliances 31 Certain catalog numbers of the ControlLogix system listed in Appendix B are type approved and certified for use in SIL 2 applications according to these standards e IEC 61508 edition 2 2010 this manual describes architectures required to achieve edition 2 e 61511 Approval requirements are based on the standards current at the time of certification These
39. 5850 4 99E 09 1 07 04 V DC Sequence 0f Events input module 1756 IR6I 101 ControlLogix isolated RTD input 4 268 525 2 34E 07 1 17E 07 80 4 69E 08 7 03E 08 8770 3 75 07 5850 2 43E 09 5 26 05 module 1756 IT6l 1013 ControlLogix isolated 3 957 824 2 53 07 1 26E 07 80 5 05 08 7 58E 08 8770 Not allowed for 1001 4 04E 07 5850 2 63E 09 5 69E 05 thermocouple input module configurations 1756 17612 1013 ControlLogix isolated enhanced 2 720 046 3 68 07 1 84 07 80 7 35 08 1 10 07 8770 5 88E 07 5850 3 89 09 8 37 05 thermocouple input module 1756 0416 3 002 ControlLogix V AC output 32 891 456 3 04E 08 1 52E 08 80 6 08E 09 9 12 09 8770 4 86E 08 5850 3 05 10 6 69E 06 module 1756 0A8D 3 003 ControlLogix V AC diagnostic 11 311 040 8 84E 08 4 42E 08 80 1 77E 08 2 65E 08 8770 141E 07 5850 8 96E 10 1 96 05 output module 1756 0B16 3002 ControlLogix V DC diagnostic 8 884 374 1 13E 07 5 63E 08 80 2 25E 08 3 38E 08 8770 output module 1756 0B16E 3 003 ControlLogix V DC electronic ally 14 997 714 6 67E 08 3 33E 08 80 1 33E 08 2 00E 08 8770 fused output module 1756 0B16 3002 ControlLogix V DC isolated 7 388 160 1 35 07 6 77E 08 80 2 71 08 4 06E 08 8770 output module 1 80E 07 5850 1 15E 09 2 50 05 1 07 07 5850 6 74 10 1 47E 05 2 17 07 5850 1 38E 09 3 01E 0
40. 7 41 08 2346 4 64E 10 4 07E 06 output module 1756 OF6CI 1 013 ControlLogix isolated analog 8 354 667 1 20 07 5 98 08 80 2 39E 08 3 59 08 3514 92 07 2346 1 21 09 1 06E 05 output module 1756 0F8H 11 002 ControlLogix HART analog 5 118 187 1 95 07 9 77E 08 80 3 91E 08 5 86 08 3514 04 3 13 07 2346 1 98 09 1 73E 05 output module 1794 ACN15 D 10 003 LEX 1 0 ControlNet adapter 8 223 684 1 22 07 6 08 08 80 2 43 08 3 65 08 3514 95 07 2346 1 23 09 1 07 05 1794 15 D 10 003 LEX 1 0 ControlNet redundant 8 223 684 1 22E 07 6 08E 08 80 2 43E 08 3 65 08 3514 95 07 2346 1 23 09 1 07 05 adapter 1794 ACNR15XT D 10 003 LEX 1 0 ControlNet adapter 8 223 684 1 22E 07 6 08 08 80 2 43 08 3 65E 08 3514 95 07 2346 1 23 09 1 07 05 ot allowed for 100 1794 AENT 4 003 LEX 1 0 EtherNET IP adapter 1 779 827 5 62E 07 2 81E 07 80 1 12E 07 1 69E 07 3514 configurations 8 99E 07 2346 5 82E 09 5 05E 05 1794 AENTR A 1 013 LEX 1 0 EtherNET IP adapter 1 268 070 7 89E 07 3 94E 07 80 1 58E 07 2 37E 07 3514 26 06 2346 8 28 09 7 16E 05 ing media 1794 AENTRXT 1 013 LEX 1 0 EtherNET IP adapter 1 268 070 7 89 07 3 94E 07 80 1 58E 07 2 37E 07 3514 26 06 2346 8 28 09 7 16 05 ing media 126 Rockwell Automation Publication 1756 RMO01L EN P July 2014
41. 99E 08 2 99E 08 95 2 99E 09 2 69 08 2200 5 69 08 2 99E 09 6 59 05 medium 1786 RPFRL A ControlNet Fiber repeater long 5 717 227 1 75 07 8 75 08 95 8 75E 09 7 87E 08 2200 1 92E 04 1786 RPCD A ontrolNet Hub repeater 28 654 080 3 49E 08 1 74 08 95 1 74E 09 1 57E 08 2200 3 84E 05 1786 RPA B ontrolNet repeater adapter 11 826 146 8 46E 08 4 23E 08 95 4 23E 09 3 81E 08 2200 9 30E 05 1786 RPFRXL B ontrolNet Fiber repeater extra 11 373 440 8 79E 08 4 40E 08 95 4 40 09 3 96E 08 2200 9 67E 05 long 1756 16197 B 20 012 ControlLogix controller 2MB 1 000 053 1 00E 06 5 00E 07 95 5 00E 08 4 50E 07 2200 1 10E 03 20 055 1756 16209 20 012 ControlLogix controller 4MB 1 034 830 9 66 07 4 83E 07 95 4 83E 08 4 35E 07 2200 1 06E 03 20 055 1756 16309 20 012 ControlLogix controller 8MB 1 055 910 9 47E 07 4 74E 07 95 4 74E 08 4 26E 07 2200 1 04E 03 20 055 1756 L63XT 20 012 ControlLogix XT controller 357 760 2 80E 06 1 40 06 95 1 40E 07 1 26E 06 2200 20 055 17564717 20 012 ControlLogix controller 2MB 2 69E 06 1 34E 06 96 1 01E 07 1 25 06 1661 20 055 Not Applicable 1756 17200 20 012 ControlLogix controller 4 2 69E 06 1 34E 06 9696 1 01E 07 1 25E 06 1661 20 055 1756 1737 B 20 012 ControlLogix controller 8MB Calculated 2 69E 06 1 34E 06 96 1 01E 07 1 25E 06 1661 20 055 MTBF and 175
42. Appendix B of this manual Direct Internet connections via other standard devices are not allowed Rockwell Automation Publication 1756 RM001L EN P July 2014 21 Chapter1 SIL Policy Figure 8 Fail safe ControlLogix Configuration with FLEX 1 0 Modules on ControlNet Network HMI For Diagnostics and Visualization see special instructions in Chapter 9 for writing to safety related controllers in the safety loop Plant wide Ethernet Serial Overall Safety Loop p w lt Programming Software For SIL applications a programming terminal is not normally connected w m m w w w w w w w w m m m Lu SIL 2 certified ControlLogix components portion of the overall safety loop 1756 ENBT Actuator To other safety related ControlNet ControlLogix or FLEX 1 0 remote 0 chassis Input Device 1794 FLEX Rail B s j 1002 E I Input Device V ControlNet umu gt To other safety related ControlLogix or FLEX 1 0 remote
43. Dr 001 EtherNet IP InputDevice P ee mm 012 Input Device EtherNet IP V v eM U L L M Rockwell Automation Publication 1756 RM001L EN P July 2014 23 Chapter1 SIL Policy Duplex Logic Solver Configurations In duplex configurations redundant system components are used to increase the availability of the control system The modules in the redundant controller chassis include redundancy modules and network communication modules for redundant communication as well as the ControlLogix controllers SIL 2 I O modules in the safety loop must meet the requirements specified in Chapter 5 ControlLogix I O Modules Figure 10 Typical SIL Loop with Controller Chassis Redundancy Programming Software HMI For SIL applications a programming For Diagnostics and Visualization see special instructions in Chapter 9 for terminal is not normally connected writing to safety related controllers in the safety loop Plant wide Ethernet Serial Overall Safety Loop 1 E n i i5 l gt i 1 ontrolNet IMPORTANT You can also access a remote 1 0 chassis via an l EtherNet IP network if y
44. Format ControlLogix analog output modules perform on board alarm processing to validate that the input signal is within the proper range These features are only available in Floating Point mode To use the Floating Point Data format select the Floating Point Data format in the Module Properties dialog box Program to Respond to Faults Appropriately When programming the SIL 2 system verify that your program examines the appropriate module fault channel fault and channel status bits and responds by initiating the appropriate fault routine Rockwell Automation Publication 1756 RM001L EN P July 2014 67 Chapter 5 68 ControlLogix 1 0 Modules Each module communicates the operating status of each channel to the controller during normal operation Application logic must examine the appropriate bits to initiate a fault routine for a given application For more information on faults see Chapter 8 Faults in the ControlLogix System on page 99 Configure Outputs to De energize in ESD Applications For typical emergency shutdown ESD applications outputs must be configured to de energize When configuring any ControlLogix output module each output must be configured to de energize in the event of a fault and in the event of the controller going into Program mode For exceptions to the typical ESD applications see Chapter 1 SIL Policy on page 13 Monitor Channel Status You must wire each analog output to an actuator and then
45. IB16XT FLEX 1 0 input module 1794 IN124 1794 IB10X0B6 FLEX 1 0 input output module 1794 IN083 1794 IB10X0B6XT FLEX I 0 XT input output module 1794 IN124 1794 0B16 output module 1794 IN094 1794 0B16P FLEXI O protected output module 1794 IN094 1794 0B16PXT FLEX 1 0 protected output module 1794 IN124 1794 0B8EP FLEX 1 0 electronically fused output module 1794 094 1794 OB8EPXT FLEX 1 0 electronically fused output module 1794 IN124 1794 0W8 FLEX 1 0 relay output module 1794 IN019 1794 0W8XT FLEX 1 0 relay output module 1794 IE8 FLEX 1 0 analog input module 1794 IN100 1794 UM002 1794 IHI FLEX 1 0 isolated analog input module 1794 IN038 1794 UM008 1794 FLEX 1 0 XT isolated analog input module 1794 IN129 1794 UM008 1794 IF4ICFXT FLEX 1 0 isolated analog input module 1794 IN130 1794 UM008 1794 F2XOF21 FLEX 1 0 isolated analog input output module 1794 IN039 1794 UM008 1794 IF2XOF2IXT FLEX 1 0 isolated analog input output module 1794 IN129 1794 UM008 1794 0E4 FLEX 1 0 analog output module 1794 IN100 1794 UM002 1794 0F4I FLEX 1 0 isolated analog output module 1794 037 1794 UM008 1794 IT8 FLEX 1 0 Thermocouple input module 1794 IN021 1794 UM007 Rockwell Automation Publication 1756 RM001L EN P July 2014 115 Appendix B 116 SIL 2 certified ControlLogix System Components Table 9 FLEX 1 0 Components For Use in the SIL 2 System
46. Module Input Module Q 3 1794 TB3G 1794 TB3G OOgOOOOOOOOPDOOOO OBOE OOO OOO 82 Rockwell Automation Publication 1756 RM001L EN P July 2014 FLEXI O Modules Chapter 6 Wiring the RTD Input Module In addition to following the Requirements When Using FLEX I O Analog Input Modules on page 77 and before wiring the module consider the following application guideline RTDs cannot be wired in parallel without severely affecting their accuracy Two sensors must be used Figure 51 FLEX 1 0 Analog RTD Module Wiring RID 1794 IRB RTD 1794 IR8 Input Module Input Module 1794 TB3T 1794 TB3T e 3 wire RTD Thermocouple Thermocouple RTD mV RTD mV T 1794 IRT8 Input Module 1794 1RT8 Input Module 502 000000000000 600000000000 OZOOOOOOOOOOOOOO 1794 Tp3G OZCODDOCOODOCOO0 OOOOQSOOOOOOOOO 0000090000000000 i 4 wire RTD Two three or four wire RTDs can be used as applicable to the associated RTD input module Rockwell Automation Publication 1756 RM001L EN P July 2014 83 Chapter6 FLEX 1 0 Modules Using 1794 Analog A single analog output module along with an analog input module for Output Modules monitoring is required to achieve SI
47. application are both module on different ControlNet nodes 6 When wiring an analog input module in Voltage mode are transmitter grounds tied together L 7 When wiring an analog input module in Current mode are loop devices placed properly L 8 When wiring thermocouple modules in parallel have you wired to the same channel on each module as shown in C Figure 33 on page 64 9 When wiring two RTD modules are two sensors used as shown in Figure 34 on page 65 Rockwell Automation Publication 1756 RM001L EN P July 2014 141 AppendixE Checklists Checklist for SIL Outputs The following checklist is required for planning programming and start up of SIL outputs It may be used as a planning guide as well as during proof testing If used as a planning guide the checklist can be saved as a record of the plan For programming or start up an individual requirement checklist must be filled in for every single SIL output channel in a system This is the only way to make sure that the requirements are fully and clearly implemented This checklist can also be used as documentation on the connection of external wiring to the application program Output Check List for ControlLogix System Company Site Loop definition SIL output channels in the No All
48. each module type a graphical representation can best provide an overview of the many SIL 2 certified ControlLogix I O modules This figure shows the SIL 2 certified ControlLogix I O modules Each type digital or analog is described in greater detail throughout the rest of this chapter Rockwell Automation Publication 1756 RMO01L EN P July 2014 49 Figure 17 Types of SIL 2 certified 1 0 Modules SIL 2 Certified ControlLogix 1 0 Modules ControlLogix 1 0 Modules 1756 Digital 1 0 Modules 1756 Analog 1 0 Modules Diagnostic Digital Standard Digital Modules Modules Input Modules Output Modules Input Modules Output Modules Input Modules Output Modules including including including including including including 1756 1F16 1756 0 6 1756 IA8D 1756 0A8D 1756 14161 1756 0A16l 1 2 1756 IB16D 1756 0B16D 1756 18161 1756 08161 1756 IFGI 1756 OF8H 1756 16150 1756 0B16E 1756 IF8 1756 1832 1756 0832 1756 IF8H 1756 1 16150 1756 0 8 1756 IR6l 1756 0W16l 1756 0X8l 1756 IT6l 1756 16 IMPORTANT Some catalog numbers have suffix This indicates a version of the product that has conformal coating These versions have the same SIL 2 certification as the non K versions For more information on which products have conformal coating go to http ab com rockwellautoma
49. either case you must determine whether the use of 1 or 2 sensors is appropriate to fulfill SIL 2 requirements Figure 47 FLEX 1 0 Analog Input Module Wiring Two Sensor Wiring Example Input 1 Input 2 2 plana e der ame Input 5555555555555555 5555555555555555 COM 56656000000000090 24 0 0000000000000000 E Input 1 Input 2 LL E Input asss COM 65555555556585688 el 424V L99980000000000d00 EEUU ete 0000000000000000 0000000000000000 1 SENSOR 43366A Note 1 Both sensors are monitoring the same safety application 80 Wiring the Single ended Input Module in Voltage Mode In addition to following the Requirements When Using FLEX I O Analog Input Modules on page 77 make sure you use the correct documentation to wire the module Figure 48 FLEX 1 0 Analog Input Module Wiring in Voltage Mode
50. event ofa controller failure This is similar in concept to the function of the external relay or redundant outputs required to make sure a de energized state is achieved for an ESD system should a failure occur for example a shorted output driver that would prevent this from normally occurring The system knows it has a failure but the failure state requires an independent means to maintain control and either remove power or provide an alternate path to maintain power to the end actuator Rockwell Automation Publication 1756 RM001L EN P July 2014 SIL Policy Chapter 1 If the application cannot tolerate an output that can fail shorted energized then an external means such as a relay or other output must be wired in series to remove power when the fail shorted condition occurs See Wiring ControlLogix Digital Output Modules on page 54 for more information If the application cannot tolerate an output that fails open de energized then an external means such as a manual override or output must be wired in parallel See Figure 1 The user must supply the alternative means and develop the application program to initiate the alternate means of removing or continuing to supply power in the event the main output fails This manual override circuit is shown in Figure 1 It is composed of a hard wired set of contacts from a selector switch or push button One normally open contact provides for the bypass of power from the controller outp
51. field data values right on the module allowing for easy examination of status bits to initiate a fault For example the 1756 IF8 module can be configured with user defined alarm values that when exceeded will set a status bit on the module which is then sent back to the controller You can examine the state of these bits to initiate a fault as shown in Figure 59 Figure 59 High Alarm Bit to Trigger Fault Ch1HAlarmA Ch1HAlarmB Module A Module B Fault mmo gt Fault Alarm to Operator In the example above the High Alarm bits for channels 1 and 2 are being examined for a condition to initiate a fault During operation as the analog input module processes analog signals from the field sensors if the value exceeds the user defined value for High Alarm the alarm bit is set and a fault is declared It is your responsibility to determine appropriate behavior when a fault is present Rockwell Automation Publication 1756 RM001L EN P July 2014 101 Chapter8 Faults in the ControlLogix System Additional Resources 102 The ControlLogix architecture provides the user many ways of detecting and reacting to faults in the system Various device objects can be interrogated to determine the current operating status Additionally modules provide run time status of their operation and of the process Resource Logix5000 Controllers General Instructions Reference Manual publication 1756 RM003
52. follow SIL 2 output guidelines This module also must be considered during PFD analysis for each safety function The relay used should be a signal grade relay using r4 Actuator bifurcated or similar grade contacts The relay can be Secondary located in a position to remove power to a single Output actuator or can remove power to multiple actuators depending on the granularity needed 43376 70 Rockwell Automation Publication 1756 RM001L EN P July 2014 Using 1756 HART Analog Output Modules ControlLogix 1 0 Modules Chapter 5 The Highway Addressable Remote Transducer HART analog modules should be used according to the same considerations as other analog output modules For an illustration of how to wire the HART analog output modules see Wiring the HART Analog Output Modules on page 71 IMPORTANT HART protocol must not be used for safety related data Wiring the HART Analog Output Modules Make sure you review the considerations in Wiring ControlLogix Analog Output Modules on page 69 use the correct documentation listed in Appendix B as a reference when wiring the module Figure 39 HART Output Analog Module Wiring nput Module Output Module Output Module a 8 6 EE Actuator 0 Ch0 HC Ch0 EN C
53. following occurs Configu ration Input data changes on the input module e The data is transmitted to the controller via the network communication modules The controller runs its program scan and reacts to the data change including sending new data to the output module via the network communication modules The output module behavior changes based on the new data received from the controller Figure 61 Remote Chassis Configuration of Digital or Analog Modules Network Network Controller dala AA Input Input Output Output Communication Communication Module Module Module Module Module Module L Calculating Worst case The formulas for calculating worst case reaction times with no system faults or errors differ slightly for digital or analog I O modules as shown in the following Reaction Time ien For Digital Modules Use this formula to determine worst case reaction time for digital modules in local or remote configurations Worst Case Reaction Time with no faults or errors Input Module Delay Input Filter Time Input Module RPI x 4 8 16 100 ms SIL 2 Task Period SIL 2 Task Watchdog Output Module RPI x 4 8 16 gt 100 ms Output Module Delay Module delay times are listed in the ControlLogix I O Modules Specifications Technical Data publication 1756 TD002 1 Multiply the module RPI by 4 then 8 then 16 and so on until the result is at least 100 ms
54. located with the other output module data For example an output module at local slot 3 will have Local 3 O and Local 3 1 where 3 O are outputs and 3 I are inputs Again it is your responsibility to establish the course of action appropriate for your safety application When used with standard ControlLogix output modules the data echo validates the integrity of communication up to the system side of the module but not to the field side When you use this feature with diagnostic output modules you can verify the integrity from the controller to the output terminal on the module Diagnostic output modules contain circuitry that performs field side output verification Field side output verification informs you that commands received by the module are accurately represented on the power side of the module s switching devices In other words for each output point this feature confirms that the output is ON when it is commanded to be ON or OFF when commanded to be OFF Rockwell Automation Publication 1756 RM001L EN P July 2014 Output Commands from Controller 8 gt Standard ControlLogix 1 0 Information Data Echo validation from System side 4 4 Field side Output Verification Pulse Test e Additional Field Side Status Plus No Load Detection e Information Provided by 4 e Diagnostic Output Modules e e Actuator e _ Pulse Test Software Features of the ControlLogix SIL 2 Syste
55. parameters for example RPI filter values are identical e For FLEX input modules both module are on different ControlNet nodes 2 For the standard input modules is the Communication Format set to one of the Input Data choices 3 For the diagnostic input modules is the Communication Format set to Full Diagnostics Input Data 4 For the diagnostic input modules are all diagnostics enabled on the module 5 For the diagnostic input modules are enabled diagnostic bits monitored by fault routines 6 For the diagnostic input modules is the connection to remote modules a direct connection 140 Rockwell Automation Publication 1756 RMO01L EN P July 2014 Checklists Appendix E Input Module Check List for ControlLogix System No Additional Analog Input Module Only Requirements Yes No Comment 1 Is the Communication Format set to Float Data 2 Have you calibrated the modules as often as required by your application 3 Are you using ladder logic to compare the analog input data on two channels to make sure there is concurrence within an acceptable range and that redundant data is used properly 4 Have you written application logic to examine bits for any condition that may cause a fault and appropriate fault routines to handle the fault condition m 5 M FLEX 1 0 analog input modules are wired in the same
56. programmed solid state control system These are examples of specific functions e I O control e Logic Timing e Counting e Report generation e Communication e Arithmetic Data file manipulation The ControlLogix controller consists of a central processor I O interface and memory Operating Modes The controller performs power up and run time functional tests The tests are used with user supplied application programs to verify proper controller operation Rockwell Automation Publication 1756 RMO01L EN P July 2014 39 Chapter3 C ontrolLogix Controllers Chassis and Power Supplies A three position keyswitch on the front of the controller governs ControlLogix system operational modes The following modes are available e Run e Program Remote This software enabled mode can be Program or Run Figure 16 Keyswitch in Run Mode Logix557x RUNE NEN 10 EH Rs232 NEN MEE 0K RUN REM PROG 1756 L6x 1756 L7x When a SIL 2 certified ControlLogix application is operating in the Run mode the controller keyswitch must be in the RUN position and the key removed Requirements for Use Consider these requirements when using a SIL 2 certified ControlLogix controller All components such as input and output modules for each safety function must be owned by the specific controller performing the
57. required 60 Rockwell Automation Publication 1756 RM001L EN P July 2014 ControlLogix 1 0 Modules Chapter 5 In general good design practice dictates that each of the two transmitters must be wired to input terminals on separate modules such that the channel values may be validated by comparing the two within an acceptable range Special consideration must be given in applying this technique depending on the type of module being used Wiring the Single Ended Input Module in Voltage Mode Make sure you review the considerations in Using 1756 Analog Input Modules on page 58 use the correct documentation listed in Additional Resources on page 11 to wire the module tie all leads ofthe transmitters together when operating in single ended Voltage mode Figure 28 shows how to wire an analog input for use in Voltage mode Figure 28 ControlLogix Analog Input Module Wiring in Voltage Mode 8 8 6 8 0 Voltage Transmitter 0 Ch0 Voltage C Transmitter B L i 43368 Rockwell Automation Publication 1756 RM001L EN P July 2014 61 Chapter 5 62 ControlLogix 1 0 Modules Figure 29 shows how to wire a SIL 2 transmitter to two analog input modules configured for voltage mode Figure 29 ControlLogix Analog Input Module Wiring in Voltage Mode
58. the appropriate output signal to an actuator The system response time is the sum of the following Input hardware delays Input filtering e I O and communication module RPI settings e Controller program scan times Output module propagation delays Redundancy system switchover times applicable in duplex systems Each of the times listed is variably dependent on factors such as the type of I O module and instructions used in the logic program For examples of how to perform these calculations see Appendix A Reaction Times of the ControlLogix System For more information on the available instructions and for a full description of logic operation and execution see the following publications Logix5000 Controllers General Instruction Set Reference Manual publication 1756 RM003 ControlLogix System User Manual publication 1756 UM001 The worst case reaction time of a duplex system is different than a simplex system The redundancy system has a longer reaction time because of the following There are a series of cross loading operations that continuously occur between the primary and secondary controllers Cross loading fresh data at the end of each program scan increases scan time To minimize scan time by reducing cross loading overhead you can plan your project more efficiently for example minimize the use of SINT INT and single tags and use arrays and user defined data structures Generally the prima
59. the configured range of the analog input and output that is range and the result is stored that is delta This delta value is then added to and subtracted from the monitoring analog input channel the results define an acceptable High and Low limit of deviation The analog Output Feedback is then compared to these limits to determine if the output are working properly Rockwell Automation Publication 1756 RMO01L EN P July 2014 85 Chapter6 FLEX 1 0 Modules 86 The outputs OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering or output lags in the system If the monitoring input value and the Output Feedback miscompare for longer than the preset value a fault is registered with a corresponding alarm Figure 52 Monitoring an Analog Output with an Analog Input Outputs OK LIM Low Limit A Timer MULT ADD SUB Range Delta Delta Tolerance Monitoring input Monitoring input Delta High Limit Low Limit Output Echo High Limit C D Outputs OK Timer Done C O Outputs Faulted Outputs Faulted Alarm to Operator The control diagnostics and alarming functions must be performed in sequence When wiring two analog output modules in the same application make sure Both modules use identical configuration The same controller owns both modules The two analog output modules must be on
60. the system For more information on using HMI see Chapter 9 Use of Human to Machine Interfaces on page 103 For controllers that are not part of the SIL 2 safety function use listen only connections to monitor SIL 2 I O modules You must not use the Quick Connect feature when using a Ethernet communication for SIL 2 safety I O Only SIL 2 devices or other devices that provide non interference should write to SIL 2 controllers The only exception to this is the use of HMI devices For more information on how to use HMI in the safety loop see Chapter 9 Use of Human to Machine Interfaces on page 103 Peer to Peer Communication Peer to peer communication via a ControlNet or EtherNet IP network is Requirements 46 permitted when these requirements are met Non SIL 2 controllers can read data from SIL 2 controllers by directly reading the data via a message instruction or by consuming data from a SIL 2 controller that is configured to produce data Controllers within the safety loop can be configured to consume safety data from other safety controllers within the safety loop IMPORTANT Always monitor connection status when consuming safety data from another controller Use this connection status to take appropriate Safety action if necessary consume non safety data from outside the safety loop such as a reset signal produce data to controllers outside the safety loop by using a write message MSG or pro
61. to a FLEX I O module as shown Module7 Module6 Module5 Module4 Module3 Module2 Module1 Module 0 The following rungs generate a fault if the keyswitch on the front of the controller is switched from the RUN position Figure 58 Keyswitch State Operation mode Change Logic GSV Class CONTROLLERDEVICE Attribute STATUS Destination KEYSTATE KEYSTATE 13 Fault Alarm to Operator Fault Rockwell Automation Publication 1756 RM001L EN P July 2014 Examining an 1756 Analog Input Module s High Alarm Faults in the ControlLogixSystem Chapter 8 In Figure 58 on page 100 the Get System Value GSV instruction interrogates the STATUS attribute of the CONTROLLERDEVICE object and stores the result in a word called KEYSTATE where bits 12 and 13 define the state of the keyswitch as shown in Table 4 Table 4 Keyswitch State Bits Description Keyswitch in Run position Keyswitch in Program position Keyswitch in Remote position If bit 13 is ever ON then the keyswitch is not in the RUN position Examining bit 13 of KEYSTATE for an ON state will generate a fault It is your responsibility to determine appropriate behavior when a fault is present For more information on the accessing the CONTROLLERDEVICE object see the Logix5000 Controllers General Instructions Reference Manual publication 1756 RM003 ControlLogix analog modules perform processing and comparison of
62. type of FLEX I O output module used there are a number of general application considerations that you must follow when applying these modules in a SIL 2 application Proof tests Periodically a System Validation test must be performed Manually or automatically test outputs to make sure that all outputs are operational and not stuck in the ON or OFF state Outputs must be cycled from ON to OFF or OFF to ON Figure 43 Testing Outputs Application Logic Output Fault I Em Output Bit Monitoring Input A ED Output Bit Monitoring Input Timer done Fault Alarm Operator The control diagnostics and alarming functions must be performed in sequence Use external relays to disconnect actuator power if output de energization is critical To make sure outputs will de energize you must wire an external method that can remove power from the actuator if a short or other fault is detected Test outputs at specific times to make sure they are operating properly The method and frequency of testing is determined by the type of module e Wire sensors to separate input points on two separate modules that are on different network nodes e Monitor the network status bits for the associated module and make sure that appropriate action is invoked via the application logic by these status bits Rockwell Automation Publication 1756 RM001L EN P July 2014 75 Chapter
63. your process running if a problem occurs with one of those chassis When a failure occurs in the primary chassis control switches to the secondary controller The switchover can be monitored so that the system notifies the user when it has occurred In this case that is when a switchover takes place we recommend that you replace the failed controller within the mean time to restoration MTTR for your application If you are using controller redundancy in a SIL 2 application you must perform the proof test on the primary controller and on the secondary controller TIP If you are concerned about the availability of the secondary controller if the primary controller fails it is good engineering practice to implement a Switchover periodically for example once per proof test interval For more information on switchovers in ControlLogix redundancy systems and ControlLogix redundancy systems in general see these redundancy system manuals ControlLogix Standard Redundancy System User Manual publication 1756 UM523 ControlLogix Enhanced Redundancy System User Manual publication 1756 UM535 Rockwell Automation Publication 1756 RM001L EN P July 2014 29 Chapter1 51 Policy Reaction Times Reaction Times in Redundancy Systems 30 The response time of the system is defined as the amount of time it takes for a change in an input condition to be recognized and processed by the controller s logic program and then to initiate
64. 0 1 00E 08 5 00E 09 80 2 00E 09 3 00E 09 1 60 08 1178 1 00E 10 4 41E 07 unit 0 1794 TBNF A FLEX 1 0 NEMA fused terminal 100 000 00 1 00E 08 5 00E 09 80 2 00E 09 3 00E 09 1 60E 08 1178 1 00E 10 4 41E 07 base unit 0 1492 TIEM4OF A DC Input Termination Board 7 779 000 1 03E 07 7 90E 08 F24A 2 277 Analog Input Termination Board 11 362 000 Non interference only 7 04E 08 Not Applicable 1 03E 07 Not Applicable 1492 TIEMA0F A DC Output Termination Board 10 127 000 7 90E 08 7 04E 08 24 2 4 Calculated MTBF and PFD by FM Average of 1756 A4 A7 10 A13 and A17 chassis Suitable for use only in applications requiring compliance to IEC 61508 1999 Edition 1 EA to 61508 2010 9 A Failure Rate 1 MTBF 10 Demand rate must be less than 10 per year SIL 2 rated for non interference in the chassis Data not required within a safety function For the latest official approved firmware versions consult the Revision Release List Certificate Number 968 EZ 35 xx xx available at http www rockwellautomation com rockwellautomation certification safety page MTBF measured in hours unless calculated as noted Field return values January 2012 Calculations performed on a per module basis Rockwell Automation Publication 1756 RMO01L EN P July 2014 1 Some catalog numbers have a K suffix This indicates a version of the product that has conformal coating The
65. 0 3 MTBF N AM Fraction Adu Naa Tee1001 PFD 3 SFF 1756 IB16ISOE 2 007 ControlLogix isolated V DC 11 537 760 8 67E 08 4 33E 08 80 1 73 08 2 60 08 3514 6 93 08 1 52 1 39E 07 2346 8 71E 10 7 64E 06 Sequence Of Events input module 1756 1832 3 005 ControlLogix V DC input module 10 462 329 9 56E 08 4 78E 08 80 1 91E 08 2 87E 08 3514 1 53 07 2346 9 62E 10 8 43E 06 1756 IF8 1 005 ControlLogix analog 8 699254 1 15E 07 5 75 08 80 2 30E 08 3 45 08 3514 9 20 08 2 30 08 2 02E 04 1 84E 07 2346 1 16E 09 1 01E 05 module 1756 IF8H 1 002 ControlLogix HART analog input 1 291 978 7 74 07 3 87 07 80 1 55E 07 2 32 07 3514 6 19E 07 1 55 07 1 36 03 1 24 06 2346 8 12E 09 7 02E 05 module 1756 IF16 A 1 005 ControlLogix analog inpu 4 592 506 2 18E 07 1 09E 07 80 4 35E 08 6 53 08 3514 1 74E 07 4 35 08 3 83E 04 3 48E 07 2346 2 21E 09 1 93E 05 module 1756 IF16H A 1 002 ControlLogix HART analog input 442 914 2 26E 06 1 13E 06 80 4 52 07 6 77E 07 3514 1 81 06 4 52 07 3 97 03 3 61E 06 2346 2 58E 08 2 17E 04 module 1756 IF6CIS 1 013 ControlLogix isolated analog 2 654 080 3 77E 07 1 88 07 80 7 54E 08 1 13 07 3514 3 01 07 7 54 08 6 62E 04 6 03E 07 2346 3 86E 09 3 36E 05 input module 1756 IF6l 1 013 ControlLogix isolated analog 4 176
66. 0 Demand rate must be less than 10 per year Common Terms Safe Failure Fraction du SFF 8096 8 00E 10 8096 2 00E 09 80 2 00E 09 80 2 00E 09 80 2 00E 09 80 3 82E 09 80 2 00E 09 80 2 00E 09 Non interference only Ma 1 20 3 00 3 00 3 00 3 00 5 73 3 00 E 09 E 09 E 09 E 09 E 09 E 09 E 09 3 00 E 09 1001 Configuration Spurious Trip Rate PFH 10 8770 8770 8770 8770 8770 8770 8770 8770 STR Not allowed for 1001 configurations 7 04 08 7 90 08 0 00E 00 Rockwell Automation Publication 1756 RM001L EN P July 2014 Not Applicable Spurious Trip Rate STR 6 40E 09 1 60E 08 1 60E 08 1 60E 08 1 60E 08 3 06E 08 1 60E 08 1 60E 08 1 03E 07 7 04 08 0 00E 00 1002 Configuration 5850 5850 5850 5850 5850 5850 5850 5850 PFH prp 00 11 8 77E 07 gt 1 00E 10 2 19E 06 100 10 2 19E 06 1 00E 10 2 19E 06 00E 10 2 19E 06 1 92E 10 4 20E 06 100 10 2 19 06 1 00E 10 2 19 06 Not Applicable 1 Some catalog numbers have a K suffix This indicates a version of the product that has conformal coating These K versions have the same SIL 2 certification as the non K versions For more information on which products have conformal coating go to http ab com rockwellautomation com 133 AppendixC PFD
67. 00 08 5 00E 09 80 2 00E 09 3 00 09 3514 60 08 2346 1 00E 10 8 79E 07 base unit 0 1492 TIFM40F C Input Termination Board 7 719 001 1 03E 07 03E 07 F24a 2 rut Analog Input Termination Board 11 362 000 Non interference only 7 04E 08 Not Applicable 7 04E 08 Not Applicable 1492 TIEMA0F A C Output Termination Board 10 127 000 7 90E 08 7 90E 08 24 2 1 Some catalog numbers have a K suffix This indicates a version of the product that has conformal coating These K versions have the same SIL 2 certification as the non K versions For more information on which products have conformal coating go to http ab com rockwellautomation com Average of 1756 A4 A7 10 A13 and A17 chassis Suitable for use only in applications requiring compliance to IEC 61508 1999 Edition 1 4 Calculated MTBF and PFD by FMEA to 61508 2010 511 2 rated for non interference in the chassis Data not required within a safety function For the latest official approved firmware versions consult the Revision Release List Certificate Number 968 EZ 35 xx xx available at http www rockwellautomation com rockwellautomation certification safety page MTBF measured in hours unless calculated as noted Field return values January 2012 Calculations performed on a per module basis 9 A Failure Rate 1 10 Demand rate must be less than 10 per year 128 Rockwell Automation Publication 1756 RM001L EN P July 2
68. 004 ControlLogix ontrolNe Calculated 1 97E 06 9 87 07 96 6 6 62E 08 9 21E 07 1478 14 communication module MTBF and PFD via FMEA 1756 CN2R 20 011 ControlLogix ontrolNe 1 096 299 9 12 07 4 56E 07 95 4 56E 08 4 10E 07 2200 redundant communication Not Applicable module 1756 N2R 125 004 ControlLogix ControlNe Calculated 1 97E 06 9 87 07 96 6 6 62E 08 9 21E 07 1478 14 redundant communication MTBF and module PFD via FMEA 1756 CN2RXT 20 011 ControlLogix XT ontrolNet 1 980 160 5 05 07 2 53E 07 95 2 53E 08 2 27E 07 2200 redundant communication module 1756 CN2RXT 25 004 ControlLogix XT ControlNet Calculated 1 97E 06 9 87 07 96 6 6 62E 08 9 21E 07 1478 14 redundant communication MTBF and module PFD via FMEA 1756 DHRIO 7 002 ControlLogix Data Highway Plus 2 503 396 2 00 7 59 07 Remote 1 0 Module 1756 DHRIOXT 7 002 ControlLogix XT Data Highway 2 503 396 2 00E 7 59E 07 Plus Remote 1 0 Module m Non interference only licabl Not applicable 1756 04887 D 12 005 ControlLogix DeviceNet 2 192 202 2 28 08 applicable 8 67 07 communication module 1756 ENBTO 4 008 ControlLogix EtherNet IP 2 088 198 239 9 10E 07 6 006 communication module 1756 EN2T 15 008 ControlLogix EtherNet IP 1312712 7 62E 07 3 81E 07 95 3 81E 08 3 43E 07 2200 3 81E 8 38E 04 communication module 1756 EN2T D 10 007 ControlLogix EtherNet IP 269 774 Non
69. 014 ControlLogix 1 0 Modules Chapter 5 Figure 22 ControlLogix Diagnostic 0utput Module Wiring 8 E Ve V L1 Sed Relays also C Ui a included as shown in pu position A to interrupt V Vel power on a per point basis This normally open contact held closed must represent the healthy operation of the controller and safety 10 Output LAH Actuator es modules Safety 1 0 status can be restricted to inputs directly affecting outputs on the specific module or this contact can represent the healthy status of all safety inputs and the controller The module used to control this relay must follow SIL 2 output guidelines This module must also be considered during PFD analysis for each safety function We recommend the use of a recognized safety relay or contactor dies Figure 23 Diagnostic Output Logic Application Logic Output Fault H 4 Data Echo Actuator L1 gt Data Echo Actuator Fault Lt Secondary Output Fault Alarm to J Operator Output Fault contact must represent module and channel diagnostics Timer Done Rockwell Automation Publication 1756 RM001L EN P July 2014 55 Chapter5 ControlLogix 1 0 Modules This normally open contact held closed must represent the healthy operation of the controller and safety 1 0 modules Safety 1 0 status can be restricted to inputs directly af
70. 014 PFD and PFH Calculations for a SIL 2 System Appendix C 5 year PFD Calculations Table 12 5 Year PFD Calculations The PFD calculations in this table are calculated for a 5 year proof test interval 43 800 hours and are specific to ControlLogix system components 5 Common Terms 1001 Configuration 1002 Configuration MeanTime i Safe i Cat No Firmware Description between Spurious Version Failure 9 Failure 10 3 MTBE pacion Adu Ma m Rate Tg PFH SFF 1756 AXX C ControlLogix chassis 22 652 010 4 41E 08 2 21 08 95 2 21 09 1 99 08 2200 4 19E 08 2 21E 09 4 86 05 1756 A4LXT B 4 slot ControlLogix XT chassis 1 069 120 9 35 07 4 68 07 95 4 68E 08 4 21E 07 2200 1756 A5XT C 5 slot ControlLogix XT chassis 734 420 1 36E 06 6 81E 07 95 6 81E 08 6 13E 07 2200 1756 A7LXT B 7 slot ControlLogix XT chassis 27 628 178 3 62E 08 1 81 08 95 1 81E 09 1 63E 08 2200 1756 A7XT C 7 slot ControlLogix XT chassis 1 081 600 9 25 07 4 62 07 95 4 62E 08 4 16E 07 2200 1756 PB72 C 18 32V DC 10A ControlLogix 31 561 095 3 17E 08 1 58 08 95 1 58E 09 1 43E 08 2200 power supply 1756 PA72 C 85 265V AC 1
71. 0A ControlLogix 18 336 146 5 45E 08 2 73E 08 95 2 73E 09 2 45E 08 2200 power supply 1756 PA75 B 85 265V AC 13A ControlLogix 18 693 044 5 35E 08 2 67E 08 95 2 67E 09 2 41E 08 2200 power supply 75W 1756 PA75R A 85 265V AC 13A Redundant 1412877 7 08E 07 3 54E 07 95 3 54 08 3 18 07 2200 ControlLogix power supply 1756 PB75 B 18 32V DC 13A ControlLogix 15 675 475 6 38E 08 3 19E 08 95 3 19E 09 2 87E 08 2200 power supply 1756 PB75R A 18 32V DC 13A Redundant 1 736 020 5 76 07 2 88E 07 95 2 88E 08 2 59E 07 2200 ControlLogix power supply 1756 PAXT B Not ControlLogix XT AC power supply 18 693 044 5 35E 08 2 67E 08 95 2 67E 09 2 41E 08 2200 Not Applicable 1756 PBXT Applicable c rolLogiXT DC power 1855260 5 39 07 269E 07 95 2 69 08 2 43E 07 2200 supply 1756 75 B 30 60V DC 13A ControlLogix 5 894 836 1 70E 07 8 48 08 95 8 48 09 7 63E 08 2200 power supply 1756 PH75 B 90 143V DC 13A ControlLogix 12 119 520 4 72E 07 2 36 07 95 2 36E 08 2 12E 07 2200 power supply 1756 PSCA A Redundant power supply 45 146 727 2 21E 08 1 11 08 95 1 11E 09 9 97E 09 2200 adapter 1756 PSCA2 A Redundant power supply 38 461 280 2 60E 08 1 30E 08 95 1 30 09 1 17 08 2200 adapter 1786 RPFS A ontrolNet Fiber repeater short 26 461 760 3 78E 08 1 89E 08 95 1 89E 09 1 70E 08 2200 1786 RPFM A ControlNet Fiber repeater 16 697 862 5
72. 1 0 chassis L llllllllllll lllllllllll l lllilu crlicxd Note 1 Multiple 1756 CNB or CNBR modules can be installed into the chassis as needed Other configurations are possible as long as they are SIL 2 approved Note 2 Two adapters are required for meeting SIL 2 as shown in the figure The adapters can be either ControlNet or Ethernet and must be from the list of approved products 22 Rockwell Automation Publication 1756 RM001L EN P July 2014 SIL Policy Chapter 1 Figure 9 Fail safe ControlLogix Configuration with FLEX 1 0 Modules on EtherNet IP Network HMI For Diagnostics and Visualization see special instructions in Chapter 9 for writing to safety related controllers in the safety loop Programming Software For SIL applications a programming terminal is not normally connected Plant wide Ethernet Serial lt Overall Safety Loop n w w m w w w m m m w w SIL 2 certified ControlLogix components portion of the overall safety loop DX he le 11794 2 as
73. 176 3 01 07 7 54E 08 3 32E 04 6 03 07 1178 3 81E 09 1 67E 05 input module 1756 IF6l 1 013 ControlLogix isolated analog 4 176 185 2 39 07 1 20 07 80 4 79 08 7 18 08 1762 1 92E 07 4 79E 08 2 11E 04 3 83 07 1178 2 41E 09 1 06 05 input module 1756 1 1650 2 007 ControlLogixV DC Sequence Of 2 150 720 4 65 07 2 32E 07 80 9 30E 08 1 39E 07 07 9 30 08 4 10E 04 2E 3 72 9 30E 7 07 1178 4 72E 09 2 07 05 Events input module o x 1756 1861 1 013 ControlLogix isolated RTD input 4 268 525 2 34 07 1 17E 07 80 4 69E 08 7 03 08 1762 3 75 07 1178 2 36E 09 1 04 05 module 1756 IT6l 1 013 ControlLogix isolated 3 957 824 2 53E 07 1 26E 07 80 5 05E 08 7 58E 08 1762 Not allowed for 1001 4 04 07 1178 2 55 09 1 12E 05 thermocouple input module configurations 1756 1612 1 013 ControlLogix isolated enhanced 2 720 046 3 68 07 1 84 07 80 735E 08 1 10 07 1762 5 88 07 1178 3 72 09 1 63E 05 thermocouple input module 1756 0416 3 002 ControlLogix V AC output 32 891 456 3 04E 08 1 52 08 80 6 08E 09 9 12 09 1762 2 43E 6 08E 4 86 08 1178 3 04E 10 1 34 06 module 1756 0A8D 3 003 ControlLogix V AC diagnostic 11 311 040 8 84E 08 4 42E 08 80 1 77E 08 2 65E 08 1762 7 07 1 77 1 41 07 1178 8 87 10 3 90E 06 outp
74. 25 high availability 24 connections direct 51 rack optimized 51 Control and Information Protocol CIP 9 control function specification 92 CONTROLLERDEVICE object 101 controllers requirements 40 ControlLogix analog input modules alarms 58 101 calibrate 58 ownership 60 wiring 60 analog output modules calibrate 67 ownership 69 wiring 69 digital input modules requirements 51 wiring 51 digital output modules requirements 53 wiring 54 RTD input modules wiring 64 thermocouple input modules wiring 64 ControlNet communication modules diagnostic coverage 44 ControlNet network 36 1756 communication modules 43 1756 components 44 cable 44 repeater module 44 coordinated system time 45 D data echo 34 53 145 Index 146 Data Highway Plus Remote 1 0 43 components 45 network 43 45 DCS See Distributed Control System DH See Data Highway Plus DHRIO See Data Highway Plus Remote 1 0 diagnostic coverage ControlNet communication modules 44 defined 9 digital input modules See ControlLogix digital input modules See FLEX 1 0 digital input modules digital output modules See ControlLogix digital output modules See FLEX 1 0 digital output modules direct connection 51 Distributed Control System 45 duplex configurations 17 enhanced availability 49 fault tolerant safety loop 25 fault tolerant systems 17 logic solver 17 safety loop 24 edit application program 97 98 emergency shutdown applications 13 14
75. 4 1756 thermocouple input modules 64 1794 analog input modules 80 1794 analog output modules 87 1794 digital input modules 74 1794 digital output modules 76 worst case reaction time 30 107 analog modules 110 digital modules 108 X XT components 115 ControlLogix 115 FLEX 1 0 115 116 Rockwell Automation Support Rockwell Automation provides technical information on the Web to assist you in using its products At http www rockwellautomation com support you can find technical and application notes sample code and links to software service packs You can also visit our Support Center at https rockwellautomation custhelp com for software updates support chats and forums technical information FAQs and to sign up for product notification updates In addition we offer multiple support programs for installation configuration and troubleshooting For more information contact your local distributor or Rockwell Automation representative or visit http www rockwellautomation com services online phone Installation Assistance If you experience a problem within the first 24 hours of installation review the information that is contained in this manual You can contact Customer Support for initial help in getting your product up and running United States or Canada 1 440 646 3434 Outside United States or Canada Use the Worldwide Locator at http www rockwellautomation com rockwellautomation support overview page or contact
76. 5 1756 0832 3 002 ControlLogix V DC output 2 681 316 3 73 07 1 86E 07 80 7 46E 08 1 12 07 8770 5 97 07 5850 3 95 09 8 50E 05 module 1756 0B8E A 3 002 ControlLogix V DC isolated 14 019 200 7 13E 08 3 57E 08 80 1 43 08 2 14 08 8770 1 14 07 5850 7 21E 10 1 58 05 electronic ally fused output module 1756 0X8l 3 002 ControlLogix isolated relay 6 059 635 1 65E 07 8 25E 08 80 3 30 08 4 95E 08 8770 2 64E 07 5850 1 69 09 3 68E 05 output module 1756 0W16l 3 002 ControlLogix isolated relay 13 695 899 7 30E 08 3 65 08 80 1 46 08 2 19E 08 8770 output module 1 17 07 5850 7 39 10 1 61E 05 1756 0F8 1 005 ControlLogix analog output 10 629 795 9 41E 08 4 70E 08 80 1 88E 08 2 82E 08 8770 1 51 07 5850 9 55 10 2 08E 05 module 1756 0F6VI 1 013 ControlLogix isolated analog 21 604 960 4 63E 08 2 31E 08 8096 9 26 09 1 39 08 8770 74 08 5850 4 66 10 1 02E 05 output module 1756 0F6CI 1 013 ControlLogix isolated analog 8 354 667 1 20 07 5 98E 08 80 2 39 08 3 59 08 8770 1 92 07 5850 1 22E 09 2 66E 05 output module 1756 0F8H 1 002 ControlLogix HART analog 5 118 187 1 95 07 9 77E 08 80 3 91E 08 5 86 08 8770 output module 3 13E 07 5850 2 01 09 4 37E 05
77. 5 Chapter2 Features of the ControlLogix SIL 2 System Communication 36 Several communication options are available for connecting with the ControlLogix SIL 2 system and for the exchange of data within the SIL 2 system Communication Ports A built in serial port is available on 1756 L6x controllers for download or visualization purposes only Do not use the serial port for any exchange of safety related data A built in USB port is available for program upload and download on 1756 L7x controllers ATTENTION The USB port is intended for temporary local programming purposes only and not intended for permanent connection WARNING Do not use the USB port in hazardous locations PP Refer to the ControlLogix System User Manual publication 1756 UM001 for information on making communication connections ControlNet Network The ControlNet network can be used to provide communication between the controller and remote I O chassis form the basis for communication in duplex redundant configurations To schedule the ControlLogix ControlNet network use RSNetWorx for ControlNet software For more information on ControlNet networks refer to ControlNet Network Configuration Guide publication CNET UMOOI Rockwell Automation Publication 1756 RM001L EN P July 2014 Electronic Keying of Modules in SIL 2 Applications Features of the ControllogixSIL2 System Chapter 2 EtherNet IP Network An EtherNet IP co
78. 514 7 63 07 2346 4 91 09 4 27 05 module 1794F2X0F21 I LEX 1 0 isolated analog input 8 464 844 1 18E 07 5 91E 08 80 2 36E 08 3 54 08 3514 89E 07 2346 1 19 09 1 04 05 output module 1794 IF2XOF2IXT A LEX 1 0 isolated analog 6 317 918 1 58 07 7 91E 08 80 3 17E 08 4 75E 08 3514 2 53E 07 2346 1 60 09 1 40 05 input output module 1794 IEAXOE2XT B LEX 1 0 XT analog input output 11 800 802 8 47E 08 4 24E 08 80 1 69E 08 2 54E 08 3514 36 07 2346 8 52 10 7 47E 06 module 1794 0E4 B LEX 1 0 analog output module 18 433 610 5 42E 08 2 71E 08 80 1 08 08 1 63E 08 3514 8 68 08 2346 5 44 10 4 78 06 1794 OE4XT B LEX 1 0 analog output 11 381 744 8 79E 08 4 39E 08 80 1 76E 08 2 64E 08 3514 41E 07 2346 8 83 10 7 75E 06 module Not allowed for 1001 1794 0F4I 1 LEX 1 0 analog output module 23 884 409 4 19E 08 2 09 08 80 8 37E 09 1 26E 08 3514 configurations 6 70E 08 2346 4 20 10 3 68E 06 1794 OF4IXT 1 LEX 1 0 analog output 5 493 902 1 82E 07 9 10 08 80 3 64 08 5 46 08 3514 2 91E 07 2346 1 84 09 1 61 05 module Rockwell Automation Publication 1756 RM001L EN P July 2014 127 AppendixC PFD and PFH Calculations for a SIL 2 System Table 11 2 Year PFD Calculations Common Terms 1001 Configuration 1002 Configuration MeanTime
79. 6 COM 52 FLEX 1 0 Modules 24V Wiring FLEX 1 0 Digital Output Modules When using standard output modules you must wire an output to an actuator and then back to an input to monitor the output s performance Figure 44 FLEX 1 0 Standard Output Module Wiring Standard Digital Output Module Wire output a to input Standard Digital Input Module t to verify the correct pan state of the output A O000000000000090 P LO000000000000000 OOOOOOOOOOOOODOO COM 6600000000000000 OOOOOOOOOOOQOO 24V DC 0000000000000000 Output B 43363 IMPORTANT Other configurations are possible as long they are SIL 2 approved Install a relay in position A or B This relay is controlled by another output in the ControlLogix FLEX 1 0 system If a short circuit or fault occurs on output modules the relay can disconnect power to the modules An isolated relay output module 1794 0W8 can be used for this purpose when it is connected to a different 1794 ACN15 or 1794 ACNR15 ControlNet Adapter module 76 Write application logic so that it generates a fault in the event of a miscompare between the requested state ofan output echo and the actual output state monitored by an inp
80. 6 L73X1 20012 Controllogix XT controller 8MB PFDvia 2 696 06 1 34E 06 96 1 01E 07 1 25 06 1661 20 055 FMEA 1756 1749 20 012 ControlLogix controller 16MB 2 69E 06 1 34 06 96 1 01E 07 1 25E 06 1661 20 055 1756 L75 20 012 ControlLogix controller 32 MB 2 69E 06 1 34 06 96 1 01E 07 1 25E 06 1661 2 91 06 1 01 07 2 20 03 20 055 Rockwell Automation Publication 1756 RM001L EN P July 2014 129 Appendix C PFD and PFH Calculations for a SIL 2 System Table 12 5 Year PFD Calculations Common Terms 1001 Configuration 1002 Configuration MeanTime i Safe Cat No Firmware Description between i a Version Failure 9 Failure 3 MTBF NM Adu Tegoot PFD 3 SFF 1756 CNB 11 005 ControlLogix ontrolNe 1 786 977 5 60 07 2 80E 07 95 2 80E 08 2 52 07 2200 5 32E 07 2 80E 08 6 16 04 communication module 1756 CNBR 11 005 ControlLogix ontrolNe 2 608 543 3 83 07 1 92E 07 95 1 92E 08 1 73E 07 2200 redundant communication module 1756 N2 B 20 011 ControlLogix ontrolNe 1 096 299 9 12 07 4 56E 07 95 4 56E 08 4 10E 07 2200 communication module 1756 CN2 25
81. 6 Le3xT 7 ControlLogix XT controller 1756 L73XT ControlLogix XT controller 1 Certified according to IEC 61508 1999 Edition 1 114 Rockwell Automation Publication 1756 RM001L EN P July 2014 1756 UM001 IMPORTANT SIL 2 certified ControlLogix System Components ControlLogix XT modules use the same firmware as traditional Appendix B ControlLogix components When obtaining firmware for ControlLogix XT modules download and use the firmware specific to each module For example if you are using a 1756 EN2TXT module in your system use SIL 2 certified firmware for the 1756 EN2T module For more information about ControlLogix XT module firmware revisions see the firmware release notes specific to the module ControlLogix XT module release notes are available at http www rockwellautomation com literature or http www rockwellautomation com support Table 9 FLEX 1 0 Components For Use in the SIL 2 System Cat No Description Related Documentation 1794 ACNR15 FLEX 1 0 ControlNet redundant media adapter 1794 IN128 1794 ACNR15XT FLEX I 0 XT ControlNet redundant media adapter 1794 AENT FLEX 1 0 EtherNet IP communication adapter 1794 IN082 1794 AENTR FLEX 1 0 EtherNet IP redundant communication adapter 1794 IN131 1794 AENTRXT FLEX 1 0 EtherNet IP redundant communication adapter 1794 1816 FLEX 1 0 input module 1794 IN093 1794
82. 75E 08 8770 2 53 07 5850 1 62 09 3 53E 05 input output module 1794 IE4XOE2XT FLEX 0 XT analog input output 11 800 802 8 47E 08 4 24E 08 80 1 69E 08 2 54E 08 8770 1 36E 07 5850 8 59 10 1 87E 05 module 1794 0E4 B NAT FLEX 1 0 analog output module 18 433 610 5 42E 08 2 71E 08 80 1 08E 08 1 63E 08 8770 8 68 08 5850 5 47 10 1 20 05 1794 0F4XT B FLEX 1 0 analog output 11 381 744 8 79E 08 4 39E 08 80 1 76E 08 2 64E 08 8770 141E 07 5850 8 91 10 1 94E 05 module Not allowed for 1001 1794 0F4I 1 FLEX 1 0 analog output module 23 884 409 4 19E 08 2 09E 08 80 8 37 09 1 26 08 8770 configurations 6 70E 08 5850 421E 10 9 22E 06 1794 OF4IXT FLEX 1 0 analog output 5493902 1 82 07 9 10 08 80 3 64 08 5 46 08 8770 2 91 07 5850 1 87 09 4 07E 05 module 132 Rockwell Automation Publication 1756 RM001L EN P July 2014 PFD and PFH Calculations for a SIL 2 System Appendix C Table 12 5 Year PFD Calculations Cat No 1794 TB3 1794 TB3G 1794 365 1794 35 1794 TB3T 1794 TB3TS 1794 TBN 1794 TBNF 1492 TIEMAOF 244 28 1492 TAIFM16 F 30 1492 TIFM40F 24 20 gt Series gt gt gt gt Firmware Version Not Applicable Not Applicable Description FLEX 1 0 termina FLEX 1 0 cage cla FLEX 1 0 spring c terminal base unit FLEX 1 0 termina FLEX 1 0 t
83. 9 3514 60 08 2346 1 00 10 8 79E 07 module 0 1794 A LEX I 0 XT 22 202 487 4 50E 08 2 25 08 80 9 01E 09 1 35E 08 3514 7 21 08 2346 4 52 10 3 96 06 10 0 6 24V DC input output module Not 1794 0B8E Applicable FLEX 1 0 24V DC electronically 100 000 00 1 00 08 5 00E 09 80 2 00E 09 3 00 09 3514 60E 08 2346 1 00E 10 8 79E 07 used output module 0 1794 OB8EPXT LEX 1 0 24V DC 14 771 049 6 77E 08 3 38E 08 80 1 35E 08 2 03E 08 3514 08 07 2346 6 80E 10 5 96E 06 electronically fused output module 1794 0B16 LEX 1 0 24V DC output module 54 322 632 1 84 08 9 20E 09 80 3 68 09 5 52E 09 3514 2 95E 08 2346 1 84 10 1 62E 06 1794 0B16 LEX 1 0 24V DC protected 100 000 00 1 00E 08 5 00E 09 80 2 00E 09 3 00 09 3514 Not allowed for 1001 60E 08 2346 1 00E 10 8 79E 07 output module 0 configurations 1794 OB16PXT LEX I 0 XT 26 709 401 3 74E 08 1 87 08 80 7 49 09 1 12 08 3514 5 99E 08 2346 3 75E 10 3 29E 06 Nat 24V DC protected output module Applicable P p 1794 0W8 A LEX 1 0 isolated relay output 29 088 895 3 44E 08 1 72E 08 80 6 88E 09 1 03E 08 3514 5 50E 08 2346 3 45E 10 3 02E 06 module 1794 0W8XT A LEX 1 0 XT isolated relay output 18 518 519 5 40E 08 2 70E 08 80 1 08E 08 1 62E 08 3514 8 64E 08 2346 5 42E 10 4 75E 06 module 1794 1 8 B i LEX 1 0 analog input module 18 914 770 5
84. 902 1 82 07 2 91 07 1178 1 83 09 8 05 06 module 122 Rockwell Automation Publication 1756 RM001L EN P July 2014 PFD and Calculations fora SIL2 System Appendix Table 10 1 Year PFD Calculations MeanTime Common Terms 1001 Configuration 1002 Configuration Cat No Firmware Description between Spurious 2 Version p Failure 9 Trip Rate Toe Pru prp MTBF STR wu 1794 FLEX 1 0 terminal base unit 250 000 00 4 00 09 8 00 10 1 20 6 40E 09 1178 4 00E 11 1 76 07 0 1794 TB3G A FLEX 1 0 cage clamp generic 100 000 00 1 00E 08 5 00E 09 80 2 00 09 3 00E 09 1 60 08 1178 1 00E 10 4 41E 07 terminal base unit 0 1794 TB3GS A FLEX 1 0 spring clamp generic 100 000 00 1 00E 08 5 00E 09 80 2 00E 09 3 00E 09 1 60E 08 1178 1 00E 10 4 41E 07 terminal base unit 0 1794 835 FLEX 1 0 terminal base unit 100 000 00 1 00E 08 5 00E 09 80 2 00 09 3 00E 09 1 60E 08 1178 1 00E 10 4 41E 07 Not 0 Not allowed for 1001 1794 TB3T Applicable FLEX1 0 temperature terminal 100 000 00 1 00E 08 5 00 09 80 2 00 09 3 00E 09 configurations 1 60 08 1178 1 00E 10 4 41E 07 base unit 0 1794 TB3TS A FLEX 1 0 spring clamp 52 312 000 1 91E 08 9 56E 09 80 3 82 09 5 73E 09 3 06 08 1178 1 91E 10 8 42E 07 temperature terminal base unit 1794 TBN A FLEX 1 0 NEMA terminal base 100 000 0
85. 95 4 62E 08 4 16 07 886 1756 PB72 C 18 32V DC 10A ControlLogix 31 561 095 3 17E 08 1 58 08 95 1 58E 09 1 43E 08 886 power supply 1756 PA72 C 85 265V AC 10A ControlLogix 18 336 146 5 45 08 2 73E 08 95 2 73E 09 2 45E 08 886 power supply 1756 PA75 B 85 265V AC 13A ControlLogix 18 693 044 5 35E 08 2 67E 08 95 2 67E 09 2 41E 08 886 power supply 75W 1756 PA75R A 85 265V 13A Redundant 1412877 7 08E 07 3 54E 07 95 3 54E 08 3 18E 07 886 ControlLogix power supply 1756 PB75 B 18 32V DC 13A ControlLogix 15 675 475 6 38 08 3 19E 08 95 3 19E 09 2 87E 08 886 power supply 1756 PB75R A 18 32V DC 13A Redundant 1 736 020 5 76 07 2 88E 07 95 2 88E 08 2 59E 07 886 ControlLogix power supply 1756 PAXT B Not ControlLogix XT AC power supply 18 693 044 5 35E 08 2 67E 08 95 2 67E 09 2 41E 08 886 Not Applicable 1756 PBXT Applicable trolLogi XT DC power 7 855 360 539 07 269E 07 95 2 69 08 2 43E 07 886 supply 1756 75 B 30 60V DC 13A ControlLogix 5 894 836 1 70 07 8 48E 08 95 8 48 09 7 63 08 886 power supply 1756 PH75 B 90 143V DC 13A ControlLogix 2 119 520 4 72 07 2 36 07 95 2 36 08 2 12 07 886 power supply 1756 PSCA A Redundant power supply 45 146 727 2 21 08 1 11E 08 95 1 11E 09 9 97E 09 886 adapter 1756 PSCA2 A Redundant power supply 38 461 280 2 60E 08 1 30E 08 95 1 30E 09 1 17E 08 886 adapte
86. ADD SUB Range Delta Delta Tolerance Monitoring input Monitoring input Delta High Limit Low Limit LIM Low Limit Output Echo C D OU Ok High Limit Fault Secondary Output Timer Done 72 Outputs Faulted Outputs Faulted C Alarm to Operator The control diagnostics and alarming functions must be performed in sequence Specify the Same Controller as the Owner The same controller must own both analog modules Wiring ControlLogix Analog Output Modules In general good design practice dictates that each analog output must be wired to a separate input terminal to make sure that the output is functioning properly Wiring the Analog Output Module in Voltage Mode Make sure you review the considerations in Considerations for Using Analog Output Modules on page 67 Use the correct documentation listed in Additional Resources on page 11 to wire the module Rockwell Automation Publication 1756 RM001L EN P July 2014 69 Chapter5 ControlLogix 1 0 Modules Figure 37 shows how to wire the 1756 OF8 module for use in Voltage mode Figure 37 ControlLogix Analog Output Module Wiring in Voltage Mode Analog Output Module Analog Input Module This normally open relay is controlled by the status of the rest of the ControlLogix a a system Ifa short circuit or fault occurs on the module the relay can disconnect 8 power
87. Chapter 8 Faults in the ControlLogix System Topic Detecting and Reacting to Faults Module Fault Reporting for Any ControlLogix or FLEX 1 0 Module Page 99 100 Checking Keyswitch Position with GSV Instruction 100 Examining an 1756 Analog Input Module s High Alarm Additional Resources 101 102 In addition to providing information on module fault reporting this chapter explains two example conditions that will generate a fault in a SIL 2 certified ControlLogix system Keyswitch changing out of Run mode High alarm condition on an analog input module The ControlLogix architecture provides many ways of detecting and reacting to faults in the system Various device objects can be interrogated to determine the current operating status Modules provide run time status of their operation and of the process that is executing You can configure a ControlLogix system to identify and handle faults including such tasks as developing a fault routine monitoring minor faults developing a power up routine creating a user defined major fault See the Logix5000 Controllers Common Procedures Programming Manual publication 1756 PM001 for more information It is your responsibility to determine what data is most appropriate for your application to initiate a shutdown sequence TIP To help handle faults make sure you have completed the input see Checklist for SIL Inputs on p
88. Detect anomalies Communicate to the controllers with enough stored power to allow for an orderly and deterministic shutdown of the system including the controller and I O modules IMPORTANT If you are using any of the 1756 Px75 power supplies with a 1756 L6x B or 1756 L7x B controller you must use the Series B version of the nonredundant power supplies that is 1756 Px75 B power supplies Redundant Power Supplies ControlLogix redundant power supplies can be used in SIL 2 certified applications In a redundant power supply configuration two power supplies are connected to the same chassis The power supplies share the current load required by the chassis and an internal solid state relay that can annunciate a fault Upon detection of a failure in one supply the other redundant power supply automatically assumes the full current load required by the chassis without disruption to installed devices The 1756 PSCA and 1756 PSCA2 redundant power supply chassis adapter modules connect the redundant power supply to the chassis Rockwell Automation Publication 1756 RMO01L EN P July 2014 41 Chapter3 C ontrolLogix Controllers Chassis and Power Supplies Recommendations for Using Power Supplies When using SIL 2 certified ControlLogix power supplies e follow the information provided in the product installation instructions wire the solid state fault relay on each power supply from an appropriate voltage source to an input poi
89. L 2 IMPORTANT We strongly recommended that you do not use analog outputs to execute the safety function that results in a safe state Analog output modules are slow to respond to an ESD command and are therefore not recommended for use ESD output modules The use of digital output modules and actuators to achieve the ESD de energized state is recommended Requirements When Using FLEX 1 0 Analog Output Modules Follow these general application considerations when applying the analog output modules in a SIL 2 application Proof tests Periodically a System Validation test must be performed Manually or automatically test outputs to make sure that all outputs are operational Channel data should be varied over the full operating range to make sure that the corresponding field signal levels vary accordingly Calibrate outputs periodically as necessary FLEX I O modules ship from the factory with a highly accurate level of calibration However because each application is different you are responsible for making sure their FLEX I O modules are properly calibrated for their specific application You can employ tests in application program logic to determine when a module requires recalibration For example to determine whether an output module needs to be recalibrated a user can determine a tolerance band of accuracy for a specific application You can then measure output values on multiple channels and compare those values to acce
90. LEX I O Modules 73 Using 1794 Digital Input Modules 73 Requirements When Using FLEX I O Digital Input Modules coc 73 Wiring FLEX I O Digital Input 7 Using 1794 Digital Output Module 75 Requirements When Using FLEX I O Digital Output Modules 75 Wiring FLEX I O Digital Output Modules 76 Using 1794 Analog Input Modules 77 Requirements When Using FLEX I O Analog Input Modules 77 Wiring FLEX I O Analog Input 80 Using 1794 Analog Output Modules 84 Requirements When Using FLEX I O Analog Output Modules 84 Wiring FLEX I O Analog Output 87 Chapter 7 Software for SIL 2 Related Systems 89 SIL 2 Programming saad ea obedece obese ere DE 89 Programming Languages so aus Ete 90 Programming Options 90 SECM dust eU teas da Rte RI pA eed LER AL MR 90 Basics of Application Program Development and Testing 91 Functional Specification Guidelines 92 Sensors digital or analog 93 MH 93 Creating the Application Program eic sar PUR VN die 93 Lopic
91. Offset o 0 Scaling ce High Signal High Engineering Notch Filter 60 Hz zl 10 0 v E 00 Digital Filter ms Low Signal Low Engineering 10 0 10 0 Status Offline Cancel Apply Help m Module Properties Report Local 2 1756 IF61 1 1 x General Connection Module Info Configuration Alarm Configuration Calibration Backplane Requested Packet Interval API fi 00 0 4 ms 25 0 750 0 ms Inhibit Module Major Fault On Controller If Connection Fails While in Run Mode Module Fault Status Offline Cancel Apply Help Refer to the ControlLogix Analog I O Module User Manual publication 1756 UM009 for information on setting filter and RTS values 1 Multiply the module RPI by 4 then 8 then 16 and so on until the result is at least 100 ms Rockwell Automation Publication 1756 RMO01L EN P July 2014 Appendix B SIL 2 certified ControlLogix System Components System components listed in this appendix are certified according to IEC 61508 2010 Edition 2 unless noted in the following tables Use only the series versions listed in Appendix C These tables list publications related to these components Publications are available from Rockwell Automation by visiting http www rockwellautomation com literature Table 5 SIL 2 certified ControlLogix Components Hardware 1756 A10 1756 A13 1756 A17 1756 750 Con
92. On Instructions refer to ControlLogix SIL 2 System Configuration Using SIL 2 Add On Instructions publication 1756 AT012 About the ControlLogix System The ControlLogix system is a modular programmable automation system with the ability to pre configure outputs and other responses to fault conditions As such a system can be designed to meet requirements for hold last state in the event ofa fault so that the system can be used in up to and including SIL 2 level Gas and Fire and other applications that require that output signals to actuators remain ON By understanding the behavior of the ControlLogix system for an emergency shutdown application you can incorporate appropriate system design measures to meet other application requirements These measures relate to the control of outputs and actuators which must remain ON to be in a safe state Other requirements for SIL 2 inputs from sensors software used and so on must also be met IMPORTANT When used in accordance with the information in this manual and the relevant safety standards the ControlLogix system is suitable for applications up to and incuding SIL 2 where the demand rate is no more than 10 times per year Gas and Fire Considerations Listed below are the measures and modifications related to the use of the ControlLogix system in Gas and Fire applications The use ofa manual override is necessary to make sure the operator maintain the desired control in the
93. Output Module Requirements Yes No Comment apply to both digital and analog output modules 1 Have you performed proof tests on the modules 2 Is Exact Match selected as the electronic keying option whenever possible 3 Is the RPI value set to an appropriate value for your application 4 Have you set up fault routines including comparing output data with a corresponding input point 5 If required have you used external relays in your application to disconnect module power if a short or other fault is detected on the module or isolated output in series 6 Is the control of the external relay implemented in ladder logic 7 Have you examined the Output Data Echo signal in application logic L 8 Are all outputs configured to de energize in the event of a fault or the controller entering Program mode L 9 Do two modules of the same type used in the same application use identical configurations 10 Does one controller own both modules if two of the same type are used in application L 11 Are control diagnostics and alarming functions performed in sequence in application logic L No Digital Output Module 0nly Requirements Yes No Comment 1 For the standard output modules is the Communication Format set to Output Data L 2 For standard output modules have you wired the outputs to a corresponding input to validate that the output is following its commanded state AE 3 For the diagnostic output modules are all diagnostics enabled on the
94. RSNetWorx for ControlNet software 36 RTD input module See ControlLogix RTD input module See FLEX 1 0 RTD input module S safety certifications 31 safety instrumentation system SIS safety task See SIL task safety watchdog 31 security via software 90 sensors 93 serial communication 36 port 36 SIL 1 applications 135 SIL2 certification 31 nonredundant system components 112 programming 89 safety data 47 SIL task 94 simplex configurations 17 safety loop 17 SIS See safety instrumentation system SIS software commissioning life cycle 96 forcing 94 general requirements 89 143 program changes 97 programming languages 90 RSLogix 5000 35 security 90 SIL 2 programming 89 SIL task program instructions 94 watchdog 31 switchover 29 30 31 Rockwell Automation Publication 1756 RM001L EN P July 2014 SynchLink modules 43 45 system PFD example 134 system validation test See proof test T tags 91 terminal base units FLEX 1 0 116 tests 1756 analog input modules 58 1756 analog output modules 67 1756 digital output modules 53 application logic 94 field devices 51 proof 28 pulse 35 thermocouple input module See ControlLogix thermocouple input module See FLEX 1 0 thermocouple input module V verify download and operation 95 W watchdog 31 wiring 1756 analog input modules 60 1756 analog output modules 69 1756 digital input modules 51 1756 digital output modules 54 1756 RTD input modules 6
95. Resources on page 11 to wire the module wire to same input channel on both modules When wiring thermocouples wire two in parallel to two modules Use the same channel on each module to make sure of consistent temperature readings Figure 33 on page 64 shows how to wire the 1756 IT6I module Figure 33 ControlLogix Analog Thermocouple Module Wiring Ch0 Cho Thermocouple A RTN RTN Thermocouple B 43370 Wiring the RTD Input Module Make sure you review the considerations in Using 1756 Analog Input Modules on page 58 use the correct documentation listed in Additional Resources on page 11 to wire the module use two sensors RTDs cannot be wired in parallel without severely affecting their accuracy Figure 34 shows how to wire the 1756 IR6I module 64 Rockwell Automation Publication 1756 RM001L EN P July 2014 ControlLogix 1 0 Modules Chapter 5 Figure 34 ControlLogix Analog RTD Module Wiring 8 8 8 RTD A Ch0 B Ch0 B RIN RTD 43371 Using 1756 HART Analog The Highway Addressable Remote Transducer HART analog modules should Input Modules be used according to the same considerations as other analog input modules IMPORTANT protocol must not be used
96. Rockwell Automation Publication 1756 RM001L EN P July 2014 Preface This safety reference manual is intended to do the following Describe the ControlLogix Control System components available from Rockwell Automation that are suitable for use in low demand and high demand no more than 10 demands per year safety related control up to and including SIL 2 applications Provide safety related information specific to the use of ControlLogix modules in SIL 2 systems including PFD calculations that need to be considered for SIL 2 certified systems Explain some possible SIL 2 certified system configurations Describe basic programming techniques for the implementation of ControlLogix SIL 2 certified systems with references and links to more detailed programming and implementation techniques IMPORTANT This manual describes typical SIL 2 implementations using ControlLogix equipment Keep in mind that the descriptions presented in this manual do not preclude other methods of implementing a SIL 2 compliant system by using ControlLogix equipment Other methods should be reviewed and approved by a recognized certifying body such as T V Rheinland Group Terminology This table defines abbreviations used in this manual Table 1 Abbreviations Used throughout This Reference Manual Abbreviation Full Term Definition IP Common Industrial A industrial communication protocol used by Logix5000 based automation P
97. Safety Reference Manual Allen Bradley Using ControlLogix in SIL 2 Applications Catalog Numbers 1756 L6x 1756 L7x Allen Bradley Rockwell Software Automation Important User Information Read this document and the documents listed in the additional resources section about installation configuration and operation of this equipment before you install configure operate or maintain this product Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes laws and standards Activities including installation adjustments putting into service use assembly disassembly and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice If this equipment is used in a manner not specified by the manufacturer the protection provided by the equipment may be impaired In no event will Rockwell Automation Inc be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment The examples and diagrams in this manual are included solely for illustrative purposes Because of the many variables and requirements associated with any particular installation Rockwell Automation Inc cannot assume responsibility or liability for actual use based on the examples and diagrams No patent liability is assumed by Rockwell Automation Inc with respect to use o
98. Terms 1001 Configuration 1002 Configuration i Safe 2 Cat No Firmware Description between i Spurious Spurious g Version 090 Teqon Trip Rate PERO Trip Rate T PFH 9 g MTBF Fraction 00 STR STR 3 SFF 1794 1816 FLEX 1 0 24V DC input module 179 506 15 5 57E 09 2 79E 09 80 1 11E 09 1 67 09 8770 8 91E 09 5850 5 58 11 1 22 06 8 Not 1794 1 16 Applicable FLEX 1 0 XT 35 587 189 2 81E 08 1 40E 08 80 5 62E 09 8 43E 09 8770 4 50E 08 5850 2 82E 10 6 18E 06 24V DC input module 1794 12 D FLEX 1 0 counter module 55 344 640 1 81E 08 9 03E 09 80 3 61E 09 5 42E 09 8770 2 89E 08 5850 1 81E 10 3 97 06 1794 2XT A E FLEX1 0 XT counter module 11 714128 854E 08 427E 08 80 1 71E 08 2 56E 08 8770 1 37 07 5890 8 65E 10 1 89 05 1794 4 4 FLEX 1 0 counter module 22 027 200 4 54E 08 2 27 08 80 9 08 09 1 36E 08 8770 7 26E 08 5850 4 57 10 1 00 05 1794 1 10 086 FLEX 1 0 24V DC input output 100 000 00 1 00E 08 5 00E 09 80 2 00E 09 3 00E 09 8770 1 60E 08 5850 1 00 10 2 19E 06 module 0 1794 A FLEX I 0 XT 22 202 487 4 50E 08 2 25 08 80 9 01E 09 1 35E 08 8770 7 21E 08 5850 4 54 10 9 92E 06 IB10XOB6XT 24V DC input output module Not 1794 088 Applicable FLEX 1 0 24V DC electronically 100 000 00 1 00 08 5 00 09 80 2 00E 09 3
99. actuators to the system Furthermore this is the only means of testing the system configuration Users should verify the correct programmed functions by forcing I O or by manual manipulation of sensors and actuators Verify the download of the application program and its proper operation A typical technique is to upload the completed program file and perform a compare of that file against what is stored in the programming terminal IMPORTANT memory cards to automatically transfer the safety application After a safety application is downloaded you must verify the download The AutoFlash firmware feature is not supported for SIL 2 safety applications and must not be used IMPORTANT Ifthe controller has a USB port it is intended for temporary local programming purposes only and not intended for permanent connection These are typical steps for performing a verification in RSLogix 5000 software 1 With the programming software not running rename the offline project Start the programming software upload the controller project and save it Open the compare tool and select both files 2 3 4 5 Start the compare operation Review the compare output results and verify that everything matches without error Project documentation differences will likely exist Save the compare results as part of the verification process Delete the upload file Rename the original project file change back to
100. age 140 and output see Checklist for SIL Outputs on page 142 checklists for their application Rockwell Automation Publication 1756 RM001L EN P July 2014 99 Chapter8 Faults in the ControlLogix System Module Fault Reporting for Any ControlLogix or FLEX 1 0 Module You must verify that all components in the system are operating properly This can be accomplished in ladder logic through the use of the Get System Value instruction GSV and an examination of the MODULE Object s Entry Status attribute for a running condition An example of how this might be done is shown in Figure 57 This method or something similar must be used to interrogate the health of each I O module in the system Figure 57 Example of Checking a Module s Health in Ladder Logic GSV AND NEQ s Check Entry Status to Obtain MODULE Object s Mask Off Lower 12 Bits Entry Status af Value de module is Fault gt Checking Keyswitch Position with GSV Instruction 100 For more information on the GSV instruction monitor the SlotStatusBits for the Input tag of the associated adapter The lower 8 bits of this tag correspond to the associated slot For example the tag Node3 L Slot1StatusBits is defined as follows Node 3 is the name given to the adapter this example a 1794 ACNRIS indicates the Input file SlotStatusBits is 32 bit value where the lower 8 bits correspond
101. agram of the example calculation shown below Cat No Description Calculated 1756 18160 ControlLogix V DC diagnostic input module 1 46E 06 1002 1756 EN2TR ControlLogix EtherNet IP communication module 1 0 chassis 6 11E 06 1002 Series C 1756 L72 ControlLogix controller 4 MB 4 50E 04 1001 1756 EN2TR ControlLogix EtherNet IP communication module controller chassis 6 11E 06 1002 Series C 1756 0B16D ControlLogix V DC diagnostic output module 4 97E 06 1002 Total safety loop PFD 4 69E 04 Percent of SIL 2 budget 4 6996 134 Rockwell Automation Publication 1756 RM001L EN P July 2014 Appendix D Using ControlLogix and FLEX 1 0 Modules in SIL 1 Applications Approved 1756 I O modules may be used in a 1001 architecture however you must follow the guidelines listed in Table 14 on page 138 If you plan to use 1794 FLEX I O modules in a SIL 1 1001 configuration in addition to following the guidelines in Table 14 you must also implement appropriate field diagnostics as defined below Field diagnostics must execute once every eight hours An output or other sensing device must be used to provide field power control to the digital inputs See the SIL 2 output guidelines in Chapter 5 ControlLogix I O Modules You must consider the time it takes a diagnostic to execute when determining the safety reaction time because safety demands will not be detectable if they occur during a diagnostic
102. ail Using 1794 Analog Input Modules 43364 To achieve SIL 2 two analog input modules are required Field sensors must be wired to channels on each module and compared within a deadband Whether one or two field sensors are required is dependent on the Probability of Failure on Demand PFD value of the sensor Requirements When Using FLEX 1 0 Analog Input Modules You must follow these general application considerations when applying these modules in a SIL 2 application Proof tests Periodically a System Validation test must be performed Manually or automatically test inputs to make sure that all inputs are operational Field signal levels should be varied over the full operating range to make sure that the corresponding channel data varies accordingly Rockwell Automation Publication 1756 RM001L EN P July 2014 77 Chapter 6 78 FLEX 1 0 Modules Calibrate inputs periodically as necessary FLEX I O modules ship from the factory with a highly accurate level of calibration However because each application is different you are responsible for making sure their FLEX I O modules are properly calibrated for their specific application You can employ tests in application program logic to determine when a module requires recalibration For example to determine whether an input module needs to be recalibrated a user can determine a tolerance band of accuracy for a specifi
103. alency and make sure they are within range boundary checks Both new variables must be read back and displayed on the HMI device Trained operators must visually check that both variables are the same and are the correct value Trained operators must manually acknowledge that the values are correct on the HMI screen that sends a command to the safety logic which allows the new values to be used in the safety function In every case the operator must confirm the validity of the change before they are accepted and applied in the safety loop Rockwell Automation Publication 1756 RM001L EN P July 2014 Use of Human to Machine Interfaces Chapter 9 Test all changes as part of the safety validation procedure Sufficiently document all safety related changes made via HMI including the following Authorization Impact analysis Execution Test information Revision information Changes to the safety related system must comply with IEC 61511 standard on process safety section 11 7 1 Operator Interface requirements The developer must follow the same sound development techniques and procedures used for other application software development including the verification and testing of the operator interface and its access to other parts of the program The controller application software should set up a table that is accessible by the HMI and limits access to required data points only Similar to the
104. and Instt etlohs dor oris eo dor PCR apasaq 93 Program Van sage so cesi eter crie baa Cp ueri utere Macias 93 Program Identification iis y Let eet hr ee FR ee ds 94 SIL Tdsk Program Insti cians cce od sei ust ke tee LR ie 94 FORRES eire qe ud ERIS e ad Rea d 94 Checking the Application Programm seines soe 94 Verify Download and Operation 95 Commissioning Life Oyel c once deoa e De qe p E CERA RE 96 Changing Your Application Program 97 Chapter 8 Detecting and Reacting to Faults 99 Module Fault Reporting for Any ControlLogix or Mod ler d e ed lae eda 100 Checking Keyswitch Position with GSV Instruction 100 Examining an 1756 Analog Input Module s High Alarm 101 Additional Resources 102 Rockwell Automation Publication 1756 RM001L EN P July 2014 7 Table of Contents Chapter 9 Use of Human to Machine InterfacesPrecautions 103 Accessing Safety related Systems 103 Reading Parameters in Safety related Systems 103 Changing Safety related Parameters in SIL rated Systems 104 Appendix A Reaction Times of the Local Chassis Configuration 107 ControlLogix System Remote Chassi
105. and PFH Calculations for a SIL 2 System Using Component Values To Calculate System PFD The system PFD value is calculated by totaling the PFD value of each component in the system To calculate a system PFD value use this equation e modA PFD modB PFD modC PFD system PFD where modX PFD is the PFD value for one component or module in the system When calculating your system PFD verify that all the components used in the system are totaled Example 1 year PFD Calculation for a ControlLogix System 1001 Configuration This example shows an example of a PFD calculation for a traditional ControlLogix system in a fail safe configuration This example system uses one chassis for the controller and a second chassis for the I O Table 13 Example of PFD Calculations for a Fail safe System 1001 Configuration Cat No Description Calculated 1756 18160 ControlLogix V DC diagnostic input module 1 46E 06 1002 1756 EN2TR ControlLogix EtherNet IP communication module 1 0 chassis 3 00 04 1001 Series C 1756 L72 ControlLogix controller 4 MB 4 50E 04 1001 1756 EN2TR ControlLogix EtherNet IP communication module controller chassis 3 00E 04 1001 Series C 1756 08160 ControlLogix V DC diagnostic output module 4 97E 06 1002 Total safety loop PFD 1 056E 03 Percent of SIL 2 budget 10 56 Example 1 year PFD Calculation for a ControlLogix System 1002 Configuration See Figure 6 on page 20 for a system di
106. ation module 1756 EN3TR 10 007 ControlLogix EtherNet IP 269 774 3 71E 06 communication module with fault tolerance 1756 RM B 3 003 ControlLogix redundancy 1 373 840 7 28 07 module Not applicable 1756 RM2 20 004 ControlLogix enhanced 250 182 4 00E 06 redundancy module 1756 RM2XT A 120 004 ControlLogix XT enhanced 250 182 4 00 06 redundancy module 1756 8 3 003 Controllogn XTredundancy 980 096 1 02F 06 module 1756 SYNCH 2018 ControlLogix SyncLink Module 6 932 640 1 05E 07 Not applicable 2 09E 07 Not applicable 1756 IA16l A 3 003 ControlLogix isolated V ACinput 20 801 920 4 81E 08 2 40E 08 9 61 09 1 44 08 1762 3 85E 08 9 61 09 4 24E 05 7 69E 08 1178 4 81E 10 2 12E 06 module 1756 IA8D A 3 003 ControlLogix diagnostic V AC 15 966 080 6 26E 08 3 13E 08 8096 1 25 08 1 88E 08 1762 5 01E 08 1 25 08 5 52 05 1 00 07 1178 6 28E 10 2 76E 06 input module 1756 18160 3 003 ControlLogix diagnostic V DC 30 228 640 3 31E 08 1 65 08 80 6 62 09 9 92 09 1762 2 65E 08 6 62E 09 2 91E 05 5 29E 08 1178 3 31E 10 1 46E 06 input module 1756 18161 3 003 ControlLogix isolated V DC input 81 443 094 1 23 08 6 14 09 2 46 09 3 68 09 1762 9 82E 09 2 46 09 1 08 05 1 96 08 1178 23 10 5 41E 07 module 120 Rockwell Automation Publication 1756 RM001L EN P July 2014 PFD and Calculations for a SIL 2 System Appendi
107. ay break source voltage as shown in Figure 26 on page 57 one controller must own both modules Wiring ControlLogix Digital Output Modules Diagnostic digital output modules and standard output modules have different wiring considerations Reference the module type considerations that apply to your system configuration Wiring Diagnostic Digital Output Modules Diagnostic output modules have circuitry that is not included in standard output modules Because of this feature you are not required to use an input module to monitor output status as is required with standard output modules Diagnostic output modules can be used as is in a SIL 2 application No special wiring considerations need be employed other than the wiring of the external relay or other measures to remove line power from the module in the event of a fault to make sure outputs will de energize if shorted In addition to referencing the Requirements When Using ControlLogix Digital Output Modules on page 53 for limited high demand applications testing of output modules that is the user turns the outputs ON and OFF to verify proper operation should be executed once every eight hours Note that high demand applications are limited to 10 demands per year for ControlLogix SIL 2 systems For more information on performing the pulse test see the ControlLogix Digital I O Modules User Manual publication 1756 UM058 Rockwell Automation Publication 1756 RM001L EN P July 2
108. back to an analog input to monitor the output s performance as shown in Figure 37 The application logic must examine the analog input feedback value associated with each analog output to make sure that the output from the controller was received correctly at the actuator The analog output value must be compared to the analog input that is monitoring the output to make sure the value is within an acceptable range for the application In the ladder diagram in Figure 36 a user defined percentage of acceptable deviation that is tolerance is applied to the configured range of the analog input and output and the result is stored that is delta This delta value is then added to and subtracted from the monitoring analog input channel the results define an acceptable high and low limit of deviation The analog Output Echo is then compared to these limits to determine if the output is working properly The output s OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering or output lags in the system If the monitoring input value and the Output Echo miscompare for longer than the preset value a fault is registered with a corresponding alarm Rockwell Automation Publication 1756 RMO01L EN P July 2014 ControlLogix 1 0 Modules Chapter5 Figure 36 Monitoring an Analog Output with an Analog Input Outputs OK L Timer MULT
109. c application You can then measure input values on multiple channels and compare those values to acceptable values within the tolerance band Based on the differences in the comparison you could then determine whether recalibration is necessary Calibration and subsequent recalibration is not a safety issue However we recommend that each analog input be calibrated at least every 3 years to verify the accuracy of the input signal and avoid nuisance application shutdowns Compare analog input data and annunciate miscompares When wiring sensors to two inputs channels the values from those channels must be compared to each other for concurrence within an acceptable range for the application before actuating an output Any miscompare between the two inputs outside the programmed acceptable range must be annunciated as a fault In Figure 46 on page 79 a user defined percentage of acceptable deviation that is tolerance is applied to the configured input range of the analog inputs that is range and the result is stored that is delta This delta value is then added to and subtracted from one of the input channels the results define an acceptable High and Low limit of deviation The second input channel is then compared to these limits to determine if the input are working properly The input s OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering lags in the s
110. compare input values for concurrence Figure 19 Logic Comparing Input Values or States Input A Input B No Faults The user program must also contain rungs to annunciate a fault in the event of a sustained miscompare between two points Figure 20 Rungs Annunciating a Fault Input A Input B ZA VA eT imer Input A Input B Timer preset in milliseconds to compensate for filter time and hardware delay differences Timer Done fi Fault J Fault Alarm to Operator The control diagnostics and alarming functions must be performed in sequence For more information on faults see Chapter 8 Faults in the ControlLogix System ControlLogix digital output modules are divided into two categories Diagnostic output modules Standard output modules These modules share many of the same inherent architectural characteristics However the diagnostic output modules incorporate features that allow diagnosing of field side failures including No Load loss of load reporting Blown Fuse reporting Output verify Output pulse test To achieve SIL 2 a standard output module must be wired back to an input module for monitoring Diagnostic digital output modules provide their own monitoring Rockwell Automation Publication 1756 RM001L EN P July 2014 ControlLogix 1 0 Modules Chapter 5 Requirements When Using ControlLogix Digital 0utput Modules Wiring the two typ
111. controller program the HMI software needs to be secured and maintained for SIL level compliance after the system has been validated and tested Rockwell Automation Publication 1756 RM001L EN P July 2014 105 Chapter9 Use of Human to Machine Interfaces Notes 106 Rockwell Automation Publication 1756 RMO01L EN P July 2014 Local Chassis Configuration Appendix A Reaction Times of the ControlLogix System Topic Page Local hassis Configuration 107 Remote hassis onfiguration 108 Calculating Worst case Reaction Time 108 The calculation formulas in this chapter can be used to calculate the worst case reaction times for a given change in input or fault condition and the corresponding output action Figure 60 shows an example system with digital or analog modules where the following occurs Field signal changes state e The data is transmitted to the controller The controller runs its program scan and reacts to the data change The controller transmits data to the output module The output module processes data from the controller and turns the output device on or off Figure 60 Local Chassis Configuration of Digital or Analog Modules Input Module Controller Output Module Rockwell Automation Publication 1756 RM001L EN P July 2014 107 AppendixA Reaction Times of the ControlLogix System Remote Chassis Figure 61 shows an example system where the
112. ct documentation listed in Additional Resources on page 11 to wire the module place devices correctly in the current loop You can locate other devices in an input channel current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops each module input is 250 ohms Figure 31 and Figure 32 show how to wire an analog input for use in Current mode Figure 31 ControlLogix Analog Input Module Wiring in Current Mode 3 8 6 6 Ch0 cho Current Source A Current Source B ho cho 43369 Figure 32 ControlLogix Analog Input Module Wiring for Isolated Channels in Current mode Cho Cho SIL 2 Transmitter Current Output Source cho Ch0 If you use single ended channels use a 1492 TAIFM16 F 3 termination board and two 1492 ACABLEOIOUA cables to split the current sensor into two single ended channels configured for Voltage mode Rockwell Automation Publication 1756 RM001L EN P July 2014 63 Chapter5 ControlLogix 1 0 Modules Wiring the Thermocouple Input Module Make sure you review the considerations in Using 1756 Analog Input Modules on page 58 use the correct documentation listed in Additional
113. dard Isolated Standard Isolated Output Module 1 Output Module 2 Input Module 8 4 Wire output point to 8 input point to verify the correct state of the c Co output V L1 VH gt Input Output Output V L2 w 43364 Rockwell Automation Publication 1756 RM001L EN P July 2014 57 Chapter5 ControlLogix 1 0 Modules Using 1756 Analog Input Modules 58 There are a number of general application considerations that you must make when using analog input modules in a SIL 2 application The following section describes those considerations specific to the use of analog input modules To achieve SIL 2 two analog input modules are required Field sensors must be wired to channels on each module and compared within a deadband Whether one or two field sensors are required is dependent on the Probability of Failure on Demand PFD value of the sensor Conduct Proof Tests Periodically perform a system validation test Manually or automatically test all inputs to make sure that they are operational Field signal levels should be varied over the full operating range to make sure that the corresponding channel data varies accordingly For more information see Proof Tests on page 28 Calibrate Inputs Analog input modules should be calibrated periodically as their use and application requires ControlLogix I O modules ship from the factory with a highl
114. duced connections Programming that verifies the correct reception of data must be used Rockwell Automation Publication 1756 RM001L EN P July 2014 ControlLogix Communication Modules Chapter4 Use of a device level ring DLR is required to produce and consume SIL 2 data on an EtherNet IP network If you are not using the ring capability of the 1756 EN2TR when producing or consuming SIL 2 safety data on an EtherNet IP network you must use two independent data paths between the SIL 2 devices For example to exchange SIL 2 data between two ControlLogix SIL 2 controllers you could use two produced connections sending data to two consume connections Each controller produces data to the other Additional Resources This table lists additional resources specific to the ControlLogix communication modules Cat No Module Description User Manual 1756 CNB ControlNet Communication Module CNET UM001 1756 CN2 1756 CNBR Redundant ControlNet Communication Module 1756 CN2R 1756 DHRIO Data Highway Plus Remote 1 0 Communication Interface Module 1756 UM514 1756 DNB DeviceNet Scanner Module DNET UM004 1756 ENBT Ethernet Communication Module ENET UM001 1756 EN2T 1756 EN2TR 1756 EN3TR 1756 EN2TRXT 1756 EN2TXT 1756 RM Redundancy Module 1756 UM535 1756 RM2 1756 SYNCH SynchLink Module 1756 UM521 You can view or download Rockwell Automation publications at http www rockwellautomation com literature Rockw
115. e 1756 EN2T Series 1 ControlLogix EtherNet IP communication module Some catalog numbers have K suffix This indicates a version of the product that has conformal coating These K versions have the same SIL 2 certification as the non K versions For more information on which products have conformal coating go to http ab com rockwellautomation com Use of any series B controller requires the use of the series B versions of the 1756 Px75 power supplies Certified according to IEC 61508 1999 Edition 1 Specified ControlNet repeaters may be used in SIL 2 applications See Chapter 4 ControlLogix Communication Modules for more information Rockwell Automation Publication 1756 RM001L EN P July 2014 113 AppendixB SIL2 certified ControlLogix System Components Table 7 SIL 2 certified ControlLogix Components 1756 Redundancy System Components Cat No 1756 1610 9 Description ControlLogix 2 MB controller 1756 1620 9 1756 632 9 ControlLogix 4 MB controller ControlLogix 8 MB controller 1756 1710 1756 1720 ControlLogix 2 MB controller ControlLogix 4 MB controller 1756 1730 1756 1740 ControlLogix 8 MB controller ControlLogix 16 MB controller 1756 1750 1756 CNB ControlLogix 32 MB controller ControlLogix ControlNet communication module 1756 CNBR 1756 2 ControlLogix redundant media ControlNet communication module ControlLogix ontrolNet c
116. e 1786 RPFM Medium distance Fiber Repeater Module 1786 RPFRL Long distance Fiber Repeater Module 1786 RPFRXL Extra long distance Fiber Repeater Module Use of the 1786 RPA adapter is required with all of the repeater modules listed Table 2 For More Information About Repeater Modules Publication Title ControlNet Fiber Media Planning and Installation Guide Publication Number CNET INOOT Planning for and installing ControlNet repeater modules Use of repeaters in safety applications TUV Report 968 EZ 968 EX 135 06 12 ControlNet Module Diagnostic Coverage All communication over the passive ControlNet media occur via CIP which verifies that at least one valid packet is seen during the greater of either 100 ms or 4 times the requested packet interval RPI Ifa valid packet is not seen during this period data transitions to the safe state Rockwell Automation Publication 1756 RMO01L EN P July 2014 ControlLogix Communication Modules Chapter 4 EtherNet IP Communication Use an EtherNet IP communication module catalog numbers 1756 EN2T Modules DeviceNet Scanner Module Data Highway Plus Remote 1 0 Module 1756 DHRIO SynchLink Module 1756 EN2TR and 1756 EN2T XT to connect controller chassis to remote I O make connections for visualization purposes establish connections between the programming terminal and controller IMPORTANT Useofa 1756 EN2TR or 1756 EN2TRXT is r
117. e failure fraction M Agq A Tce1901 channel equivalent down time Aq Aq x T 2 MRT Aq Ag MTTR DC diagnostic coverage common cause failure rate common cause failure rate dangerous 1001 Configuration spurious trip rate PFD1001 Md Agu x Tee PFH i001 Adu 1002 Configuration 51602 spurious trip rate 2 x A TGE1002 System equivalent down time Agu Ag x 74 3 Aggy Aq x PFD4992 2x 1 Bp X m 1 8 X haul x Tee X t Bp X Mq X MTTR 8x u X 1 2 2 2 x 1 Bp x Aga 1 8 x Agu x 1 8 x Agu X Tee The PFD and PFH values in this manual are calculated with formulas explained in IEC 61508 Part 6 Annex B Refer to IEC 61508 Part 6 for more information about calculating PFD values for your system 118 Rockwell Automation Publication 1756 RM001L EN P July 2014 PFD and PFH Calculations for a SIL 2 System Appendix C 1 Year PFD Calculations Table 10 1 Year PFD Calculations The PFD calculations in this table are calculated for a 1 year proof test interval 8760 hours and are specific to ControlLogix system components T Common Terms
118. e reading doesn t affect the operation or behavior of the safety system However the number frequency and size of the data being read can impact controller performance To avoid safety related nuisance trips use good communication practices to limit the impact of communication processing on the controller Do not set read rates to the fastest rate possible Rockwell Automation Publication 1756 RM001L EN P July 2014 103 Chapter 9 104 Use of Human to Machine Interfaces Changing Safety related Parameters in SIL rated Systems A parameter change in a safety related loop via an external that is outside the safety loop device for example an HMI is allowed only with the following restrictions Only authorized specially trained personnel operators can change the parameters in safety related systems via HMIs The operator who makes changes in a safety related system via an HMI is responsible for the effect of those changes on the safety loop You must clearly document variables that are to be changed You must use a clear comprehensive and explicit operator procedure to make safety related changes via an HMI Changes can only be accepted in a safety related system if the following sequence of events occurs The new variable must be sent twice to two different tags that is both values must not be written to with one command Safety related code executing in the controller must check both tags for equiv
119. ell Automation Publication 1756 RM001L EN P July 2014 SIL 2 certified ControlLogix System Components Table 6 SIL 2 certified ControlLogix Components 1756 Nonredundant Controllers 1 0 and Communication Modules Appendix B Related Cat No Description Documentation 1756 IR6l ControlLogix RTD input module 1756 1761 ControlLogix Thermocouple input module 1756 IT612 ControlLogix enhanced Thermocouple input module 1756 UM009 1756 0F8 ControlLogix analog output module 1756 0F6CI ControlLogix isolated analog output module 1756 0F6VI ControlLogix isolated analog output module 1756 OF8H ControlLogix HART analog output module 1756 UM533 1756 CNB ControlLogix ControlNet communication module 1756 CN2 ControlLogix ControlNet communication module 9 CNET UMOO1 1756 CN2R ControlLogix redundant media ControlNet communication module 1786 RPFS ontrolNet short distance fiber repeater module 1786 IN012 1786 RPFM ControlNet medium distance fiber repeater module 1786 IN011 1786 RPFRL ControlNet long distance fiber repeater module iein 1786 RPFRXL ControlNet extra long distance fiber repeater module 1786 RPA ControlNet repeater adapter 1786 IN013 1786 RPCD ControlNet Hub repeater module 1786 IN001 1756 EN2TR SeriesB ControlLogix redundant media EtherNet IP communication module ENET IN002 ENET UM001 1756 EN2TR Series C ControlLogix redundant media EtherNet IP communication modul
120. ell Automation Publication 1756 RMO01L EN P July 2014 47 Chapter4 C ontrolLogix Communication Modules Notes 48 Rockwell Automation Publication 1756 RM001L EN P July 2014 Overview of ControlLogix 1 0 Modules ControlLogix 1 0 Modules Chapter 5 Topic Page Overview of ControlLogix 1 0 Modules 49 Using 1756 Digital Input Modules 50 Using 1756 Digital Output Modules 52 Using 1756 Analog Input Modules 58 Using 1756 HART Analog Input Modules 65 Using 1756 Analog Output Modules 66 Using 1756 HART Analog Output Modules 7 IMPORTANT The programming information and examples in this chapter are provided to illustrate diagnostic and other logic related principles that must be demonstrated in SIL 2 application programs The principles and logic shown in this chapter can be encased in Add On Instructions for easier use If you are using a duplex configuration and certain 1 0 termination boards the programming explained in this chapter is available in Add On Instructions These Add On Instructions are certified by T V Refer to ControlLogix SIL 2 System Configuration Using SIL 2 Add On Instructions publication 1756 AT012 for more information At the most basic level there are two types of SIL 2 certified ControlLogix I O modules Digital I O modules Analog I O modules With each type however there are differences between specific modules Because the differences propagate to varying levels in
121. em This is the only way to make sure that the requirements were fully and clearly implemented This checklist can also be used as documentation on the connection of external wiring to the application program Input Module Check List for ControlLogix System Company Site Loop definition SIL input channels in the No All Input Module Requirements apply to both digital and analog input modules Yes No Comment 1 1 Exact Match selected as the electronic keying option whenever possible 2 5 the RPI value set to an appropriate value for your application 3 Are all modules owned by the same controller 4 Have you performed proof tests on the system and modules 5 Have you set up the fault routines 6 Are control diagnostics and alarming functions performed in sequence in application logic 7 For applications using FLEX 1 0 modules is the application logic monitoring one ControlNet status bit for the associated module and is appropriate action invoked via the application logic by these bits No Additional Digital Input Module Only Requirements Yes No Comment 1 When two digital input modules are wired in the same application do the following conditions exist L Both modules are owned by the same controller Sensors are wired to separate input points The operational state is ON Thenon operational state is OFF e Configuration
122. empera base unit base unit mp generic terminal base unit lamp generic base unit ure terminal FLEX 1 0 spring c lamp temperature terminal base unit FLEX 1 0 NEMA terminal base unit FLEX 1 0 NEMA fused terminal base unit DC Input Termination Board Analog Input Termination Board DC Output Termination Board MeanTime between Failure MTBF 250 000 00 0 100 000 00 0 100 000 00 0 100 000 00 0 100 000 00 0 52 312 000 100 000 00 0 100 000 00 0 7 779 000 11 362 000 10 127 000 M9 4 00 09 1 00E 08 1 00E 08 1 00E 08 1 00E 08 1 91E 08 1 00E 08 1 00E 08 Ag 2 00 09 5 00 09 5 00 09 5 00 09 5 00 09 9 56 09 5 00 09 5 00 09 Average of 1756 A4 A7 10 A13 and A17 chassis Suitable for use only in applications requiring compliance to IEC 61508 1999 Edition 1 4 Calculated MTBF and PFD by FMEA to 61508 2010 SIL 2 rated for non interference in the chassis Data not required within a safety function For the latest official approved firmware versions consult the Revision Release List Certificate Number 968 EZ 35 xx xx available at http www rockwellautomation com rockwellautomation certification safety page MTBF measured in hours unless calculated as noted Field return values January 2012 Calculations performed on a per module basis 9 A Failure Rate 1 MTBF 1
123. ent loop You can locate other devices in an output channels current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops Figure 54 Analog Output Wiring Example 1794 0E4 1794 IE8 SS Analog Input Module Analog Output i pooooooooooooooo dd 0000000000000000 EST 1794 183 1794 83 1794 1794 IFAI Isolated Analog Output Module Isolated Analog Input Module So oe el el oe eo POOOOOOOOOO ES 1794 TB3 ES 1794 183 Rockwell Automation Publication 1756 RM001L EN P July 2014 Software for SIL 2 Related Systems SIL 2 Programming Chapter 7 Requirements for Application Development Topic Software for SIL 2 Related Systems SIL 2 Programming Page 89 89 Programming Languages 90 Programming Options Security 90 90 Basics of Application Program Development and Testing 91 Functional Specification Guidelines Creating the Application Program 92 93 Forcing 94 Checking the Application Program Verify Download and Operation 94 95 Commissioning Life Cyde 96 Changing Your Application Program 97
124. equired to achieve SIL 2 in your application See Figure 3 on page 18 for an example See the examples in Figure 5 on page 19 Figure 6 on page 20 and Figure 12 on page 26 The 1756 DNB scanner module connects the controller to devices on a DeviceNet network You can use the 1756 DNB module to communicate only nonsafety data to devices outside of the safety loop The 1756 DHRIO module supports both Data Highway Plus and the Remote I O network of communication You can use the 1756 DHRIO module to communicate only nonsafety data to devices outside of the safety loop For example it may be used to communicate alarms to the Distributed Control System DCS The SynchLink module catalog number 1756 SYN CH is used for CST time propagation between multiple chassis for event recording The module can be used only outside of the safety loop It must not be used for any safety related activity in a SIL 2 certified ControlLogix system Rockwell Automation Publication 1756 RM001L EN P July 2014 45 Chapter4 0 Communication Modules General Requirements for Communication Networks Follow these requirements when using SIL 2 certified communication modules When installing ControlLogix communication modules carefully follow the information provided in the module s installation instructions DH can be used for communication to Human to Machine Interfaces HMI and for communicating with the nonsafety portion of
125. er 8 Faults in the ControlLogix System See the ControlLogix System User Manual publication 1756 UM001 for more information about setting the watchdog Diagnostic hardware and firmware functions as well as how you apply ControlLogix components enable the system to achieve CL SIL 2 compliance IMPORTANT You must implement these requirements or at minimum the intent of the requirements defined in this manual to achieve CL SIL 2 ControlLogix products referenced in this manual may have safety certifications in addition to the SIL certification If a product has achieved agency certification it is marked on the product label To view additional safety certifications for products go to http www ab com and click the Product Certifications link Rockwell Automation Publication 1756 RM001L EN P July 2014 31 Chapter1 SIL Policy Notes 32 Rockwell Automation Publication 1756 RMO01L EN P July 2014 Module Fault Reporting Chapter 2 Features of the ControlLogix SIL 2 System Topic Page Module Fault Reporting 33 Data Echo Communication Check 34 Pulse Test 35 Software 35 Communication 36 Electronic Keying of Modules in SIL 2 Applications 37 The diagnostic methods and techniques used in the ControlLogix platform let you configure and program ControlLogix controllers to perform checks on the total system including configuration wiring and performance as well as monitoring input sensors and output devices T
126. es of digital output modules differs depending on your application requirements these wiring methods are explained in detail in later sections However regardless of the type of ControlLogix output module used you must follow these general application requirements when applying these modules in a SIL 2 application Proof tests Periodically perform a system validation test Manually or automatically test all outputs to make sure that they are operational and not stuck in the ON or OFF state Outputs must be cycled from ON to OFF or OFF to ON For more information see Proof Tests on page 28 Examination of output data echo signal in application logic The application logic must examine the Data Echo value associated with each output point to make sure that the requested ON OFF command from the controller was received and acted upon by the module In Figure 21 a timer begins to increment for any miscompare between the controllers output and the module s Data Echo feedback The discrepancy timer must be set to accommodate the delay between the controller output data and the modules Data Echo response The time value chosen needs to consider various system RPIs and network latency If a miscompare exists for longer than that time a fault bit is set Figure 21 Data Echo Discrepancy Timer Logic Application Logic No Faults Actuator Output Bit Data Echo 4 CD Output Bit Data Echo LA Faul
127. es the user to perform various proof tests of the equipment used 28 in the system Proof tests are performed at user defined times for example proof test intervals can be once a year once every two years or whatever time frame is appropriate based on the SIL verification calculation and could include some of the following tests Test all safety application fault routines to verify that process parameters are monitored properly and the system reacts properly when a fault condition arises Rockwell Automation Publication 1756 RM001L EN P July 2014 SIL Policy Chapter 1 Test all digital input or output channels to verify that they are not stuck in the ON or OFF state Manually cycle inputs to make sure that all inputs are operational and not stuck in the ON state Manually test outputs that do not support runtime pulse testing The relays in the redundant power supplies must be tested to make sure they are not stuck in the closed state Users can automatically perform proof tests by switching ground open on input modules and checking to make sure all input points go to zero turn OFE Calibrate analog input and output modules to verify that accurate data is obtained from and used on the modules IMPORTANT Each specific application has its own time frame for the proof test interval Proof Testing with Redundancy Systems A ControlLogix redundancy system uses an identical pair of ControlLogix chassis to keep
128. examines the appropriate module fault channel fault and channel status bits and responds by initiating the appropriate fault routine Each module communicates the operating status of each channel to the controller during normal operation Application logic must examine the appropriate bits to initiate a fault routine for a given application For more information on faults see Chapter 8 Faults in the ControlLogix System on page 99 Program to Compare Analog Input Data When wiring sensors to two input channels on different modules the values from those channels must be compared to each other within the program for concurrence within an acceptable range for the application before an output is actuated Any miscompare between the two inputs outside the programmed acceptable range must be annunciated as a fault In Figure 27 a user defined percentage of acceptable deviation that is tolerance is applied to the configured input range of the analog inputs that is range and the result is stored that is delta This delta value is then added to and subtracted from one of the input channels the results define an acceptable High and Low limit of deviation The second input channel is then compared to these limits to determine if the inputs are working properly The input s OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering lags in the system If the inputs miscom
129. f information circuits equipment or software described in this manual Reproduction of the contents of this manual in whole or in part without written permission of Rockwell Automation Inc is prohibited Throughout this manual when necessary we use notes to make you aware of safety considerations WARNING Identifies information about practices or circumstances that can cause an explosion in a hazardous environment which may lead to personal injury or death property damage or economic loss ATTENTION Identifies information about practices or circumstances that can lead to personal injury or death property damage or economic loss Attentions help you identify a hazard avoid a hazard and recognize the consequence P P IMPORTANT Identifies information that is critical for successful application and understanding of the product Labels may also be on or inside the equipment to provide specific precautions SHOCK HAZARD Labels may be on or inside the equipment for example a drive or motor to alert people that dangerous voltage may be present BURN HAZARD Labels may be on or inside the equipment for example a drive or motor to alert people that surfaces may reach dangerous temperatures ARCFLASH HAZARD Labels may be on or inside the equipment for example a motor control center to alert people to potential Arc Flash Arc Flash will cause severe injury or death Wear proper Personal Protective E
130. fecting outputs on the specific module or this contact can represent the healthy status of all safety inputs and the controller The module used to control this relay must follow SIL 2 output guidelines This module also must be considered during PFD analysis for each safety function 56 Co T Output the output VH IT Input Wiring Standard Digital Output Modules When using standard non diagnostic output modules you must wire each output to its field device and also to a system input to monitor the output s performance To verify output performance use one of these methods e Write logic to test the outputs ability to turn ON and OFF at power up At the proof test interval force the output ON and OFF and use a voltmeter to verify output performance For limited high demand applications testing of output modules that is the user turns the outputs ON and OFF to verify proper operation should be executed once every eight hours Note that high demand applications are limited to 10 demands per year for ControlLogix SIL 2 systems See Requirements When Using ControlLogix Digital Output Modules on page 53 Figure 24 ControlLogix Standard Output Module Wiring Standard Isolated Standard Isolated Output Module Input Module Wire output point to input point to verify V L1 Secondary the correct state of V L2 Output
131. fety and Standard Communication Overall Safety Loop 1756 EN2TR 1756 EN2TR Standard Communication DLR EtherNet IP 1756 EN2TR 1756 EN2TR EtherNet IP Standard Communication DLR Rockwell Automation Publication 1756 RM001L EN P July 2014 Overall Safety Loop Standard ommunication mg OLR Standard ommunication i B OLR dM 2 Controller Chassis 2 i 2 EtherNet IP 1794 AENTR s lt m pw oo 1794 AENTR lt z Di EtherNet IP eS imn a a i i ml umaq mm mi imn IMPORTANT Asshownin Figure 6 and Figure 7 standard devices can reside within an Figure 7 Fail safe ControlLogix EtherNet IP Configuration with FLEX 1 0 Modules Single DLR SIL Policy Chapter 1 Loop for Safety and Standard Communication EtherNet IP SIL 2 subnet provided the following requirements are met The EtherNet IP subnet topology must be DLR e The ControlLogix chassis must have two 1756 EN2TR modules Independent connection paths must be established for channels A and 1 0 through each ControlLogix chassis bridge module Channel A and Channel B 1 0 must reside in separate chassis or connected to separate adapters e Direct Internet connectivity must be limited to EtherNet IP bridge modules listed in
132. ffers different security features including password protection at varying levels of granularity throughout the application The description of these tools is too large in scope to list in detail here Contact your local Rockwell Automation representative for more information Rockwell Automation Publication 1756 RM001L EN P July 2014 Basics of Application Program Development and Testing Requirements for Application Development Chapter7 The controller keyswitch must be in the RUN position and the key removed during normal operating conditions Figure 55 Keyswitch in Run Mode Logix557x RUN NH EN ns232 BAT mm mm mm RUN FORCE SD OK RUN REM PROG O 1756 L6x 1756 L7x In RSLogix 5000 software version 18 and later you can set tags to be standard read only or constant values Read only blocks external devices for example HMIs and other controllers from changing a tag Constants block everything including user logic from changing a tag value All SIL 2 safety related tags should be set to read only Where possible configure SIL 2 safety tags as constant value tags The requirements of the safety and application standards regarding the protection against manipulations must be observed The authorization of employees and the necessary protection measures are
133. for safety related data Wiring the HART Analog Input Modules Make sure you review the considerations in Using 1756 Analog Input Modules on page 58 use the correct documentation listed in Additional Resources on page 11 to wire the module Rockwell Automation Publication 1756 RM001L EN P July 2014 65 Chapter5 ControlLogix 1 0 Modules Using 1756 Analog 0utput Modules 66 Figure 35 HART Input Analog Module Wiring Ch0 4 Ch0 4 Cho Ch0 D Sensor d D Sensor There are a number of general application considerations that you must make when using analog output modules in a SIL 2 application A single analog output module along with an analog input module for monitoring is required to achieve SIL 2 The following sections describe those considerations specific to the use analog output modules Rockwell Automation Publication 1756 RM001L EN P July 2014 ControlLogix 1 0 Modules Chapter 5 Considerations for Using Analog 0utput Modules IMPORTANT It is strongly recommended that you do not use analog outputs to execute the safety function that results in a safe state Analog output modules are slow to respond to an ESD command and are therefore not recommended for use ESD output modules The use of digital output modules and actuators to achieve the ESD de energized state is reco
134. functional and safety control requirements The specification may be presented in a variety of formats depending on your application The specification must include a detailed description that includes the following if applicable Sequence of operations Flow and timing diagrams Sequence charts Program description e Program print out Written descriptions of the steps with step conditions and actuators to be controlled including the following Input definitions Output definitions I O wiring diagrams and references Theory of operation Matrix or table form of stepped conditions and the actuators to be controlled including the sequence and timing diagrams Definition of marginal conditions for example operating modes EMERGENCY STOP and others The I O portion of the specification must contain the analysis of field circuits that is the type of sensors and actuators Rockwell Automation Publication 1756 RMO01L EN P July 2014 Creating the Application Program Requirements for Application Development Chapter7 Sensors digital or analog Signal in standard operation dormant current principle for digital sensors sensors OFF means no signal Determination of redundancies required for SIL levels Discrepancy monitoring and visualization including the users diagnostic logic Actuators Position and activation in standard operation normally OFF Safe reaction or position
135. h0 Actuator Rockwell Automation Publication 1756 RM001L EN P July 2014 71 Chapter5 ControlLogix 1 0 Modules Notes 72 Rockwell Automation Publication 1756 RM001L EN P July 2014 Chapter 6 FLEX 1 0 Modules Topic Page Overview of FLEX 1 0 Modules 73 Using 1794 Digital Input Modules 73 Using 1794 Digital 0utput Module 75 Using 1794 Analog Input Modules 77 Using 1794 Analog 0utput Modules 84 Overview of FLEX 1 0 Modules There are two types of SIL 2 certified FLEX I O modules Using 1794 Digital Input Modules Digital I O modules Analog I O modules FLEX I O modules are designed with inherent features that assist them in complying with the requirements of the 61508 Standard For example the modules all have a common backplane interface execute power up and runtime diagnostics and offer electronic keying To achieve SIL 2 two digital input modules must be used with field sensors wired to channels on each module The two channels must be compared by software before reconciling the data Requirements When Using FLEX 1 0 Digital Input Modules Regardless of the type of FLEX I O input module used there are a number of general application considerations that users must follow when applying these modules in a SIL 2 application Proof tests Periodically a system validation test must be performed Manually or automatically test inputs to make sure that all inputs a
136. imestamping of I O and diagnostic data also aid in diagnostics If an anomaly other than automatic shutdown is detected the system can be programmed to initiate user defined fault handling routines Output modules can turn OFF selected outputs in the event of a failure Diagnostic I O modules self test to make sure that field wiring is functioning Output modules use pulse testing to make sure output switching devices are not shorted Every module in the system is owned by one controller Multiple controllers can share data in addition to consuming data from non owned modules When a controller owns an I O module that controller stores the module s configuration data defined by the user this data dictates how the module behaves in the system Inherent in this configuration and ownership is the establishment of a heartbeat between the controller and module known as the requested packet interval RPI The RPI defines a time interval in which the controller and I O module must communicate with each other If for any reason communication cannot be established or maintained that is the I O module has failed the communication path is unavailable and so forth the system can be programmed to run specialized routines which can determine whether the system should continue functioning or whether the fault condition warrants a shutdown of the application For example the system can be programmed to retrieve the fault code
137. ing when switching OFF Discrepancy monitoring and visualization including the users diagnostic logic Consider the following when developing the application program logic Logic and Instructions The logic and instructions used in programming the application must be easy to understand easy to trace easy to change easy to test e well documented Program Language You must implement simple easy to understand e ladder e other IEC 61131 3 compliant language function blocks with specified characteristics We use ladder for example because it is easier to visualize and make partial program changes with this format Rockwell Automation Publication 1756 RMO01L EN P July 2014 93 Chapter7 Requirements for Application Development Program Identification The application program is clearly identified by one of the following e Name e Date e Revision Any other user identification information SIL Task Program Instructions The user application should contain a single SIL task composed of programs and routines The SIL 2 task must be the controllers top priority task and the user defined watchdog must be set to accommodate the SIL 2 task IMPORTANT Motion related functions are not allowed and must not be used IMPORTANT You must dedicate a specific task for safety related functions and set that task to the highest priority 1 SIL 2 safety logic and logic intended for use in non SIL 2 func
138. interference cal Not applicable communication module y Not Applicable 1756 EN2TR B 5 008 ControlLogix EtherNet IP 3 664 960 2 73 07 1 36 07 95 1 36E 08 1 23E 07 2200 1 36E 3 00E 04 communication module with fault tolerance 1756 EN2TR C 110 006 ControlLogix EtherNet IP Calculated 1 97E 06 9 87 07 96 6 6 62 08 9 21E 07 1478 14 3 82E 06 988 76 1 51E 09 3 19E 05 communication module with MTBF and fault tolerance PFD via 1756 EN2TRXT C 10 006 ControlLogix EtherNet IP RIS 1 97E 06 9 87E 07 96 6 6 62E 08 9 21E 07 1478 14 3 82E 06 988 76 1 51E 09 3 19E 05 communication module with fault tolerance 1756 EN2TXT 5 008 ControlLogix XT EtherNet I 1 300 000 7 69E 07 3 85E 07 95 3 85E 08 3 46E 07 2200 7 31E 07 3 85 08 8 46E 04 Not Applicable communication module 1756 EN2TXT D 10 007 ControlLogix XT EtherNet I 269 774 3 71E 06 communication module 1756 EN3TR 10 007 ControlLogix EtherNet IP 269 774 3 71E 06 communication module with fault tolerance 1756 RM B 3 003 ControlLogix redundancy 1 373 840 6 91E 07 module Not applicable Non interference only 1756 RM2 A 20 004 ControlLogix enhanced 250 182 4 00E 06 redundancy module 1756 RM2XT A 20 004 ControlLogix XT enhanced 250 182 4 00E 06 redundancy module 1756 RMXT 3003 Contrologix XT redundancy 980 096 9 69E 07 module 1756 SYNCH 2018 ControlLogix SyncLink Module 6 932 640 1 37 07 Not applicable 2 74 07
139. ip 1756 analog input modules 60 1756 analog output modules 69 1756 digital input modules 51 1756 digital output modules 54 P PADT See Programming and Debugging Tool parameters changing 104 reading 103 peer to peer communication 43 requirements 46 PFD See Probability of Failure on Demand position keyswitch 100 power supply 41 redundant 41 Probability of Failure on Demand PFD 1 year calculations 119 2 year calculations 124 5 year calculations 129 calculations 117 118 defined 10 values 118 produce and consume data 47 program changes 97 development life cycle 96 editing 97 edits 97 98 identification 94 language 90 93 logic 93 online 97 SIL 2 89 Programming and Debugging Tool PADT 14 89 defined 10 proof test 28 73 75 84 1756 analog input modules 58 1756 analog inputs 58 1756 analog output modules 67 1756 analog outputs 67 1756 digital inputs 51 1756 digital output modules 53 1756 digital outputs 53 redundancy systems 29 pulse test 35 reaction time 30 See also worst case reaction time reading parameters 103 repeater modules 44 reporting module faults 33 requested packet interval 33 response time 30 107 110 147 Index 148 routine source protection 90 RS AssetCentre 90 RSLogix 5000 software 35 commissioning life cycle 96 editing in 98 forcing 94 general requirements 89 143 program changes 97 programming languages 90 security 90 SIL 2 programming 89 SIL task program instructions 94
140. ller 1764699 Controllogix4 MBcontroller 1756 L63 6 ControlLogix 8 MB controller 1756 1717 ControlLogix 2 MB controller 1756 1730 ControlLogix 8 MB controller 1756 1747 ControlLogix 16 MB controller 1756 L75 ControlLogix 32 MB controller 1756 IA16l ControlLogix AC isolated input module 1756 IA8D ControlLogix AC diagnostic input module 1756 18160 ControlLogix DC diagnostic input module 1756 UM058 1756 1B161 ControlLogix DC isolated input module 1756 1832 ControlLogix DC input module 1756 IB16IS0E ControlLogix Sequence of Events module 1756 IH16IS0E 1756 UM528 ControlLogix Sequence of Events module 1756 0A161 ControlLogix AC isolated output module 1756 0A8D ControlLogix AC diagnostic input module 1756 0B16D ControlLogix DC diagnostic output module 1756 0B16E ControlLogix DC electronically fused output module 1756 08161 ControlLogix DC isolated output module 1756 UM058 1756 0B32 ControlLogix DC output module 1756 OB8EI ControlLogix DC isolated output module 1756 0W16l ControlLogix isolated relay output module 1756 0X8l ControlLogix isolated relay output module 1756 8 ControlLogix analog input module 1756 IF16 ControlLogix analog input module 1756 IF6I ControlLogix Isolated analog input module 156 UM002 1756 IF6CIS ControlLogix Isolated analog input module 1756 IF8H ControlLogix HART analog input module 1756 IF16H ControlLogix HART analog input module pe Rockw
141. ly 38 461 280 2 60E 08 1 30 09 adapter 1786 RPFS A ControlNet Fiber repeater short 26 461 760 3 78E 08 1786 RPFM A ControlNet Fiber repeater 16 697 862 5 99E 08 medium 1786 RPFRL A ControlNet Fiber repeater long 5 717 227 1 75 07 8 75E 09 1786 RPCD A ControlNet Hub repeater 28 654 080 3 49E 08 1 74 09 1786 ontrolNet repeater adapter 11 826 146 8 46E 08 4 23 09 1786 RPFRXL B ControlNet Fiber repeater extra 11 373 440 8 79E 08 4 40 09 long 1756 1617 20 012 ControlLogix controller 2MB 1 000 053 1 00E 06 5 00E 20 055 1756 1627 20 012 ControlLogix controller 4MB 1 034 830 9 66 07 4 83E 20 055 1756 L63 20 012 ControlLogix controller 8MB 1 055 910 9 47 07 20 055 1756 L63XT 20 012 ControlLogi XT controller 8MB 357 760 2 80 06 20 055 17564714 20 012 ControlLogix controller 2MB 2 69E 06 20 055 1 Not Applicable 1756 1727 20 012 ControlLogix controller 4MB 2 69E 06 20 055 1756 1738 20 012 ControlLogix controller 8MB Calculated 2 69 06 20 055 MTBF and 1756 L73X1 20012 Controllogix XT controller 8MB PFDvia 696 06 20 055 FMEA 1756 1747 20 012 ControlLogix controller 16MB 2 69E 06 20 055 1756 1754 20 012 ControlLogix controller 32MB 2 69E 06 20 055 Rockwell Automation Publication 1756 RM001L EN P July 2014 119 Appendix C PFD and PFH Calculations for a SIL 2 System Table 10
142. m Chapter 2 Figure 15 Output Module Behavior in the ControlLogix System Discrete diagnostic output modules feature called a pulse test can verify output circuit functionality without actually changing the state of the actuator connected to the output An extremely short duration pulse is directed to a particular output on the module The output circuitry will momentarily change its state long enough to verify that it can change state on demand The test pulse is extremely fast milliseconds and typically does not affect actuators Some actuators may have electronic front ends and be capable of detecting these fast pulses You can disable pulse testing if necessary The location ownership and configuration of I O modules and controllers is performed using RSLogix 5000 software The software is used for all creation testing and debugging of application logic When using the programming software you must remember these points e During normal control program controller in Run mode disconnect the programming terminal set the key switch to the RUN position remove the controller key from the key switch Authorized personnel may change an application program but only by using one of the processes described in Changing Your Application Program on page 97 Rockwell Automation Publication 1756 RM001L EN P July 2014 3
143. minor program modifications such as setpoint rung edit edits edits edits changes or ladder logic rung additions deletions and modifications IMPORTANT This option to change the e 2 657 application program is available for changes to ag 5 V 5 lt gt X relay ladder logic only You cannot use this method to change function block TER Re 5 programming For more detailed information on how to edit ladder logic while online see the Logix5000 Controllers Quick Start publication a lick the start pending rung edits button A copy is made of the rung you want to edit 1756 05001 b Change your application program as needed At this point the original program is still active in the controller Your program changes are made in the copied rungs Changes do not affect the outputs until you test program edits in step d Click the accept pending rung edits button Your program changes are verified and downloaded to the controller The controller now has the changed program and the original program However the controller continues to execute the original program You can see the state of the inputs and changes do not affect the outputs 2 d Click the test program edits button e Click Yes to test the edits Changes are now executed and affect the outputs the original program is no longer executed However if you are not satisfied with the result of testing the edits you can discard the new pr
144. mmended Conduct Proof Tests Periodically perform a system validation test Manually or automatically test all outputs to make sure that they are operational Field signal levels should be varied over the full operating range to make sure that the corresponding channel data varies accordingly For more information see Proof Tests on page 28 Calibrate Outputs Analog output modules should be calibrated periodically as their use and application requires ControlLogix I O modules ship from the factory with a highly accurate level of calibration However because each application is different you are responsible for making sure your ControlLogix I O modules are properly calibrated for your specific application You can employ tests in application program logic to determine when a module requires recalibration For example to determine whether an output module needs to be recalibrated you can determine a tolerance band of accuracy for a specific application You can then measure output values on multiple channels and compare those values to acceptable values within the tolerance band Based on the differences in the comparison you could then determine whether recalibration is necessary Calibration and subsequent recalibration is not a safety issue However we recommend that each analog output be calibrated at least every 3 years to verify the accuracy ofthe signal and avoid nuisance application shutdowns Use the Floating Point Data
145. mmunication module 1756 EN2T D 10 007 ControlLogix EtherNet 269 774 Non interference only Not applicable communication module Not Applicable 1756 EN2TR B 5 008 ControlLogix EtherNet 3 664 960 2 73 07 1 36 07 95 1 36E 08 1 23E 07 886 communication module with fault tolerance 1756 EN2TR C 10 006 ControlLogix EtherNet Calculated 1 97E 06 9 87E 07 96 6 6 62E 08 9 21E 07 597 25 1 91E 06 3 82E 06 401 50 1 40E 09 1 22 05 communication module with MTBF and fault tolerance PFD via 1756 EN2TRXT 10 006 ControlLogix EtherNet 1 97 06 9 87E 07 96 6 6 62 08 9 21E 07 597 25 1 91E 06 3 82E 06 401 50 1 40E 09 1 22 05 communication module with fault tolerance 1756 EN2TXT C 15 008 ControlLogix XT EtherNet IP 1 300 000 7 69E 07 3 85E 07 95 3 85E 08 3 46E 07 886 7 31 07 3 85 08 3 41E 04 Not Applicable communication module 1756 EN2TXT D 10007 ControlLogix XT EtherNet IP 269 774 3 71E 06 communication module 1756 EN3TR 10 007 ControlLogix EtherNet IP 269 774 3 71 06 communication module with fault tolerance 1756 RM 3 003 ControlLogix redundancy 1 373 840 6 91E 07 module Not applicable 1756 RM2 20 004 ControlLogix enhanced 250 182 100 06 redundancy module 1756 RM2XT A 120 004 ControlLogix XT enhanced 250 182 4 00E 06 redundancy module 1756 RMXT 3 003 Controllogix XT redundancy 980 096 9 69E 07 module 1756 SYNCH A 2 018 Con
146. module 4 For the diagnostic output modules are enabled diagnostic bits monitored by fault routines 5 For the diagnostic output modules is the Communication Format set to Full Diagnostics Output Data 6 For diagnostic output modules have you periodically performed a Pulse Test to make sure that the output is capable of change state 7 For diagnostic output modules is the connection to remote modules a direct connection 142 Rockwell Automation Publication 1756 RM001L EN P July 2014 Checklists Appendix E Output Check List for ControlLogix System No Analog Output Module Requirements Analog Only Yes No Comment 1 Is the Communication Format set to Float Data 2 Have you calibrated the modules as often as required by your application 3 When wiring an analog output module in Current mode are loop devices placed properly 4 Have you written application logic to examine bits for any condition that may cause a fault and appropriate fault routines to handle the fault condition Checklist for the Creation of The following checklist is recommended to maintain safety technical aspects when programming before and after loading the new or modified program an Application Program Checklist for Creation of an Application Program Safety Manual ControlLogix System Company Site Project definition File definition Archive number
147. ng http www rockwellautomation com literature Rockwell Automation Publication 1756 RMO01L EN P July 2014 About PFDand PFH Calculations Appendix PFD and PFH Calculations for a SIL 2 System Topic Page About PFD and PFH Calculations 117 Determine Which Values To Use 118 About the Calculations in This Manual 118 1 Year PFD Calculations 119 2 Year PFD Calculations 124 5 year PFD Calculations 129 Using Component Values To Calculate System PFD 134 Probability of failure on demand PFD is the SIL value for a safety related system as related directly to order of magnitude ranges of its average probability of failure to satisfactorily perform its safety function on demand IEC 61508 quantifies this classification by stating that the frequency of demands for operation of the safety system is no greater than once per year in the Low Demand mode PFD calculations are commonly used for process safety applications and applications where emergency stop devices ESDs are used Although PFD values are usually associated with each of the three elements making up a safety related system the sensors the actuators and the logic element they can be associated with each component of the logic element that is each module of a programmable controller Probability of failure per hour PFH is typically used to describe safety performance for high demand applications Because ControlLogix is suitable for high demand applica
148. nnection can be used to e download monitor and visualize the controller e connect to remote I O chassis EtherNet IP networks support messaging produced consumed tags and distributed I O See EtherNet IP Communication Modules on page 45 for details on using EtherNet IP modules in SIL 2 applications Ifa module in your SIL 2 certified ControlLogix system is replaced Exact Match keying is recommended Exact Match keying requires all keying attributes that is Vendor Product Type Product Code catalog number Major Revision and Minor Revision of the physical module and the module created in the software to match precisely before establishing communication If any attribute does not match precisely I O communication is not permitted with the module or with modules connected through it as in the case of a communication module For more information about electronic keying see the ControlLogix Digital I O Modules User Manual publication 1756 UM058 Rockwell Automation Publication 1756 RMO01L EN P July 2014 37 Chapter2 Features of the ControlLogix SIL 2 System Notes 38 Rockwell Automation Publication 1756 RM001L EN P July 2014 Chapter 3 ControlLogix Controllers Chassis and Power Supplies Topic ControlLogix Controllers ControlLogix Chassis ControlLogix Power Supplies Recommendations for Using Power Supplies ControlLogix Controllers The SIL 2 certified ControlLogix system is a user
149. nt in the ControlLogix system so that the application program can detect faults and react appropriately based on the your application requirements For more information about installing ControlLogix chassis and power supplies see the publications listed in Additional Resources on page 11 42 Rockwell Automation Publication 1756 RM001L EN P July 2014 Chapter 4 ControlLogix Communication Modules Topic Page Introduction to Communication Modules 43 ControlNet Modules and Components 44 EtherNet IP Communication Modules 45 DeviceNet Scanner Module 45 Data Highway Plus Remote 1 0 Module 1756 DHRIO 45 SynchLink Module 45 General Requirements for Communication Networks 46 Peer to Peer Communication Requirements 46 Additional Resources 47 Introduction to The communication modules in a SIL 2 certified ControlLogix system provide communication bridges from a ControlLogix chassis to other chassis or devices via the ControlNet and Ethernet networks These communication modules are Communication Modules available Network SIL 2 Modules ControlNet 1756 CNB 1756 CN2R 1756 CNBR 1756 CN2RXT 1756 00 EtherNet IP 1756 ENBT series 1756 EN2TR series e 1756 EN2T series e 1756 EN2TR series 1756 EN2T series D 1756 EN2TRYT series 1756 EN2TXT series 1756 EN3TR series 1756 EN2TXT series DD DeviceNet 1756 DNB Data Highway Plus Remote 100
150. of the failed module and make a determination based on the type of fault as to whether to continue operating Rockwell Automation Publication 1756 RM001L EN P July 2014 33 Chapter2 Features of the ControlLogix SIL 2 System Data Echo Communication Check 34 This ability of the controller to monitor the health of I O modules in the system and take appropriate action based on the severity of a fault condition gives the user complete control of the applications behavior It is your responsibility to establish the course of action appropriate to your safety application For more information on Fault Handling see Chapter 8 Faults in the ControlLogix System on page 99 Output data echo allows the user to verify that an ON OFF command from the controller was received by the correct output module and that the module will attempt to execute the command to the field device During normal operation when a controller sends an output command the output module receiving that command will echo the output command back to the controller upon its receipt This verifies that the module has received the command and will try to execute it By comparing the requested state from the controller to the data echo received from the module you can validate that the signal has reached the correct module and that the module will attempt to activate the appropriate field side device The echo data is technically input data from the output module and is
151. ogram by clicking on the untest program edits button if necessary If you untest the edits the controller returns to the original program f Click the assemble program edits button g Click Yes to assemble the edits The changes are the only program in the controller and the original program is discarded 3 Perform a partial proof test of the portion of the application affected by the program edits 4 Turn the controller key back to the RUN position to return the project to Run mode We recommend you upload the new program to your programming terminal to help ensure consistency between the application in the controller and on the programming terminal 5 Remove the key IMPORTANT If any changes are needed to the program in the safety loop they must be done in accordance with IEC 61511 1 paragraph 11 7 1 5 which states The Safety Instrumentation System SIS operator interface design shall be Such as to prevent changes to SIS application software Where safety information needs to be transmitted from the basic process control system BPCS to the SIS then systems should be used that can selectively allow writing from the BPCS to specific SIS variables Equipment or procedures Should be applied to confirm the proper selection has been transmitted and received by the SIS and does not compromise the safety function of the SIS 98 Rockwell Automation Publication 1756 RMO01L EN P July 2014 Detecting and Reacting to Faults
152. ogram on page 97 It is good engineering practice to keep safety related logic as simple and easy to understand as possible The preferred language for safety related functions is ladder logic followed by function block Structured text and sequential function chart are not recommended for safety related functions Pre programmed SIL 2 I O Add On Instructions can be used in RSLogix 5000 software version 20 or later If you choose to use Add On Instructions refer to ControlLogix SIL 2 System Configuration Using SIL 2 Add On Instructions publication 1756 AT012 Using the SIL 2 Add On Instructions greatly simplifies the programming required for a SIL 2 system However these instructions may not be suitable for use in all SIL 2 applications and system configurations You need to evaluate the suitability of a SIL 2 Add On Instruction that is used in a safety related function All Add On Instructions require the use of hardware termination boards The user must define what measures are to be applied for the protection against manipulation In the ControlLogix system and in the programming software protection mechanisms are available that help prevent unintentional or unauthorized modifications to the safety system The following tools may be employed for security reasons SIL 2 certified ControlLogix application Logix CPU Security Routine Source Protection FactoryTalk AssetCentre Each of these features or products o
153. ommunication module 1756 CN2R 1756 EN2T Series C ControlLogix redundant media ControlNet communication module ControlLogix EtherNet IP communication module 1756 EN2TR Series B 1756 EN2TR Series C ControlLogix redundant media EtherNet IP communication module Related Documentation 1756 UM001 005 001 ENET IN002 ENET UM001 1 Some catalog numbers have a K suffix This indicates a version of the product that has conformal coating These K versions have the same SIL 2 certification as the non K versions For more information on which products have conformal coating go to http ab com rockwellautomation com 2 Use of any series B controller requires the use of the series B versions ofthe 1756 Px75 power supplies or the redundant power supplies that is the 1756 Lx75R power supplies 3 Certified according to IEC 61508 1999 Edition 1 Table 8 SIL 2 certified ControlLogix XT System Components Cat No 1756 A4LXT 1756 A5XT 1756 A7XT 1756 A7LXT Related ControlLogix XT chassis 1756 1N005 1756 PAXT 1756 PBXT ControlLogix XT power supply 1756 CN2RXT ControlLogix XT ControlNet communication module 005 001 1756 2 Series ControlLogix XT EtherNet IP communication module ENET IN002 1756 EN2TRXT Series C ControlLogix XT EtherNet IP communication module for redundant Systems ENET UMOO1 175
154. ontrolLogix Digital Input Modules 51 Using 1756 Digital Output Modules 52 Requirements When Using ControlLogix Digital Output Modules ertet 53 Wiring ControlLogix Digital Output Modules 54 Using 1756 Analog Input Modules 58 Conduct Proof Tests 58 Calibratelpputss yy 58 Use the Floating Point Data Format 58 Program to Respond to Faults Appropriately 59 Program to Compare Analog Input Data 59 Configure 60 Specify the Same Controller as the Owner 60 Wiring ControlLogix Analog Input Modules 60 Using 1756 HART Analog Input Modules 65 Wiring the HART Analog Input 65 Using 1756 Analog Output Modules 66 Considerations for Using Analog Output Modules 67 Wiring ControlLogix Analog Output Modules 69 Using 1756 HART Analog Output Modules 71 Wiring the HART Analog Output Modules 71 Rockwell Automation Publication 1756 RMOO1L EN P July 2014 FLEX 1 0 Modules Requirements for Application Development Faults in the ControlLogix System Table of Contents Chapter 6 Overview of F
155. ormation on proof tests for 1 0 modules see Chapter 1 SIL Policy on page 13 Rockwell Automation Publication 1756 RM001L EN P July 2014 Requirements for Application Development Chapter7 Ch anging Your d following je apply to changing your application program in Application Program RSLogix 5000 software IMPORTANT You cannot make program edits while the program is online if the changes prevent the system from executing the safety function or if alternative protection methods are not in place Program edits are not recommended and should be limited For example minor changes such as changing a timer preset or analog setpoint are allowed Onlyauthorized specially trained personnel can make program edits These personnel should use all supervisory methods available for example using the controller keyswitch and software password protections Anyone making data or programming editsto an operational system assumes the central safety responsibility while the changes are in progress These personnel must also maintain safe application operation Prior to making any program edits you must perform an impact analysis by following the safety specification and other lifecycle steps described in Figure 56 on page 96 as if the edits were an entirely new program Users must sufficiently document all program edits including authorization impact analysis execu
156. ou use ControlLogix Enhanced BD Redundancy System Revision 20 54 or later To other safety related l 5 Controllogix and remote 1 0 l chassis I j i 5 E 6 l Z u a t Z tL RT SR CEPR h S a 2 To nonsafety related systems outside the ControlLogix ControlNet portion of the SIL 2 certified loop IMPORTANT The redundant duplex ControlLogix system in Figure 10 provides logic solver fault tolerance 24 Rockwell Automation Publication 1756 RM001L EN P July 2014 SIL Policy Chapter 1 Figure 10 shows a typical duplex SIL loop The figure also shows the following Overall safety loop ControlLogix portion of the overall safety loop How other devices for example HMI connect to the loop while operating outside the loop Duplex System Configuration This configuration of the ControlLogix system uses fully redundant controllers communication modules and remote I O devices to achieve enhanced availability Figure 11 Duplex System EtherNet IP Configuration Overall Safety Loop gt p rr r r s 4 ControlLogix Chassis Secondary Chassis SIL 2 certified ControlLogix Safety FE E I di 1 EtherNe
157. ously in this manual Analog output modules Analog output modules should be wired as described previously in this manual Analog input modules Only 1 module is required in a SIL1 application Periodic tests of the inputs should be performed as described previously in this manual 1 The user should be alerted to any detected output failures 2 test interval of module inputs must be specified according to application dependent standards For example according to EN50156 the time for fault detection and tripping must be less than or equal to the fault tolerance time 138 Rockwell Automation Publication 1756 RMO01L EN P July 2014 Checklist forthe ControlLogix System Checklists Topic Page Checklist for the ControlLogix System 139 Checklist for SIL Inputs 140 Checklist for SIL Outputs 142 Checklist for the Creation of an Application Program 143 Appendix E The following checklist is required for planning programming and start up of a SIL 2 certified ControlLogix system It may be used as a planning guide as well as during proof testing Ifused as a planning guide the checklist can be saved as a record of the plan Check List for ControlLogix System Company Site Loop definition No Fulfilled Comment Yes No 1 Are you only using the SIL 2 certified ControlLogix modules with the corresponding firmware relea
158. pare for longer than the preset value a fault is registered with a corresponding alarm Rockwell Automation Publication 1756 RM001L EN P July 2014 59 Chapter5 ControlLogix 1 0 Modules Figure 27 Comparison Logic for Two Analog Inputs Inputs OK Timer MULT ADD SUB Range Delta Delta Tolerance Input 1 Input 1 Delta High Limit Low Limit LIM Low Limit Input 2 C 2 Inputs OK High Limit Timer Done Analog Inputs Faulted Analog Inputs Faulted O Alarm to Operator The control diagnostics and alarming functions must be performed in sequence For more information on faults see Chapter 8 Faults in the ControlLogix System on page 99 Configure Modules When using identical modules configure the modules identically that is by using the same RPI filter values and so on When using different modules for improved diversity make sure the module s scaling of data does not introduce error or fault conditions Specify the Same Controller as the Owner The same controller must own both analog input modules You must use Analog Inputs Faulted as a safety status permissive in respective safety related outputs Wiring ControlLogix Analog Input Modules The wiring diagrams shown in this section apply to applications requiring two transmitters The type of transmitter along with the application requirements will determine whether one or two transmitters are
159. per year You should also consider system reaction capability as explained in Appendix A If your system must meet standard EN 50156 then you must also meet the requirements identified in the current version of EN 50156 To use FLEX I O or 1756 series I O modules in SIL 2 EN50156 applications you must use a GuardLogix controller Refer to the GuardLogix Safety Reference Manual publication 1756 093 IMPORTANT When using a GuardLogix controller with SIL 2 rated 1756 or 1794 1 0 you must also follow the requirements defined in this manual 16 Rockwell Automation Publication 1756 RM001L EN P July 2014 Typical SIL 2 Configurations SIL Policy Chapter 1 SIL 2 certified ControlLogix systems can be used in standard simplex or high availability duplex configurations For the purposes of documentation the various levels of availability that can be achieved by using various ControlLogix system configurations are referred to as simplex or duplex This table lists each system configuration and the hardware that is part of the systems safety loop System Configuration Safety Loop Includes Simplex Configuration on page 17 Single controller Single communication module Dual 1 0 modules Duplex Logic Solver Configurations on page 24 Dual controllers Dual communication modules e Dual I 0 modules Duplex System Configuration on page 25 Dual controllers Dual communication modules e Dual 1 0 mod
160. points Wire sensors to separate input points on two separate modules The use of two digital input modules is required regardless of the number of field sensors Field device testing Test field devices by cycling them The closer you can get to the device being monitored to perform the test the more comprehensive the test will be Proof tests Periodically perform a system validation test Manually or automatically test all inputs to make sure they are operational and not stuck in the ON or OFF state Inputs must be cycled from ON to OFF or OFF to ON For more information see Proof Tests on page 28 Wiring ControlLogix Digital Input Modules This diagram shows two examples of wiring digital inputs In either case the type of sensors being used will determine whether the use of 1 or 2 sensors is appropriate to fulfill SIL 2 requirements Figure 18 ControlLogix Digital Input Module Wiring Example O Power 8 Optional Relay A contact or output point to switch Input A1 Input B1 2 for One sensor Wiring Example e Sensor DAP Input A2 Input B2 e e Two sensor Wiring Example Sensor e Sensor 43366 Rockwell Automation Publication 1756 RM001L EN P July 2014 51 Chapter5 ControlLogix 1 0 Modules Using 1756 Digital Output Modules 52 Application logic is used to
161. ptable values within the tolerance band Based on the differences in the comparison you could then determine whether recalibration is necessary Calibration and subsequent recalibration is not a safety issue However we recommend that each analog output be calibrated at least every 3 years to verify the accuracy of the input signal and avoid nuisance application shutdowns Fortypical emergency shutdown ESD applications outputs must be configured to de energize When configuring any FLEX I O output module each output must be configured to de energize in the event ofa fault and in the event of the controller going into Program mode 84 Rockwell Automation Publication 1756 RM001L EN P July 2014 FLEXI O Modules Chapter 6 Wire outputs back to inputs and examine output data feedback signal You must wire an analog output to an actuator and then back to an analog input to monitor the output performance The use of feedback transmitters to verify an output s performance is acceptable The application logic must examine the Data Feedback value associated with each output point to make sure that the requested output command from the controller was received by the module The value must be compared to the analog input that is monitoring the output to make sure the value is in an acceptable range for the application In the ladder diagram in Figure 52 a user defined percentage of acceptable deviation that is tolerance is applied to
162. quipment PPE Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment PPE gt P P Allen Bradley ControlLogix ControlLogix X T ControlNet Data Highway Plus DeviceNet EtherNet IP FactoryTalk FLEX FLEX I O XT GuardLogix Logix 5000 Rockwell Software RSNetWorx and SynchLink are trademarks of Rockwell Automation Inc ControlNet DeviceNet and EtherNet are trademarks of the ODVA Trademarks not belonging to Rockwell Automation are property of their respective companies New and Updated Information Summary of hanges This manual contains new and updated information Changes throughout this revision are marked by change bars as shown to the right of this paragraph This table lists the major changes made with this revision Change Page Updated table listing communication modules in the Introduction to Communication Modules section 43 Updated Table 1 Year PFD Calculations 119 Updated Table 2 Year PFD Calculations 124 129 Updated Table 5 year PFD Calculations Rockwell Automation Publication 1756 RM001L EN P July 2014 Summary of Changes Notes 4 Rockwell Automation Publication 1756 RM001L EN P July 2014 Preface SIL Policy Features of the ControlLogix SIL 2 System ControlLogix Controllers Chassis and Power Supplies Table of Contents 9 11 Chapter 1 Introduction to Safety Integrity Level SIL
163. r 1786 RPFS A ontrolNet Fiber repeater short 26 461 760 3 78E 08 1 89E 08 95 1 89E 09 1 70E 08 886 1786 RPFM A ControlNet Fiber repeater 16 697 862 5 99E 08 2 99E 08 95 2 99E 09 2 69E 08 886 medium 1786 RPFRL A ControlNet Fiber repeater long 5 717 227 1 75 07 8 75 08 95 8 75E 09 7 87 08 886 1786 RPCD A ControlNet Hub repeater 28 654 080 3 49E 08 1 74 08 95 1 74E 09 1 57E 08 886 1786 RPA B ControlNet repeater adapter 11 826 146 8 46E 08 4 23E 08 95 4 23E 09 3 81 08 886 T786 RPFRXL ControlNet Fiber repeater extra 11 373 440 8 79E 08 4 40 08 95 4 40E 09 3 96E 08 886 long 1756 L61 20 012 ControlLogix controller 2MB 1 000 053 1 00 06 5 00E 07 95 5 00E 08 4 50E 07 886 20 055 1756 1629 20 012 ControlLogix controller 4MB 1 034 830 9 66 07 4 83E 07 95 4 83E 08 4 35E 07 886 20 055 1756 1630 20 012 ControlLogix controller 8MB 1 055 910 9 47 07 4 74E 07 95 4 74E 08 4 26E 07 886 20 055 1756 L63XT 20 012 ControlLogix XT controller 357 760 2 80E 06 1 40 06 95 1 40E 07 1 26E 06 886 20 055 1756 1719 20 012 ControlLogix controller 2MB 2 69E 06 1 34 06 96 1 01E 07 1 25E 06 670 ae Not Applicabl lot Applicable 1756 1728 20 012 ControlLogix controller 4MB 2 69E 06 1 34 06 96 1 01E 07 1 25E 06 670 T 20 055 1756 1737 20 012 ControlLogix controller 8MB Calcula
164. re operational and not stuck in the ON or OFF state Inputs must be cycled from ON to OFF or OFF to ON Wire sensors to separate input points on two separate modules that are on different network nodes Configuration parameters for example RPI filter values must be identical between the two modules Rockwell Automation Publication 1756 RM001L EN P July 2014 73 Chapter6 FLEX 1 0 Modules One Sensor Wiring Example Input COM 24V The same controller must own both modules e Monitor the network status bits for the associated module and ensure that appropriate action is invoked via the application logic by these status bits Wiring FLEX 1 0 Digital Input Modules The wiring diagrams in Figure 40 show two methods of wiring the digital input module In either case you must determine whether the use of 1 or 2 sensors is appropriate to fulfill SIL 2 requirements Figure 40 ControlLogix Digital Input Module Wiring 24V dc Optional relay contact Z to switch line voltage for periodic automated 00000000000000 ririrsrrsiununus testing 0000000000000006 1 SIL2 SENSOR DOOOOOOOOOOOOOOOO 0000000000000000 Two Sensor Wiring Example Input COM 24V Note 1 Both
165. requirements consist of mean time between failures MTBF probability of failure failure rates diagnostic coverage and safe failure fractions that fulfill SIL 2 criteria The results make the ControlLogix system suitable up to and including SIL 2 for demand rates up to and including ten demands per year The TUV Rheinland Group has approved the ControlLogix system for use in up to and including SIL 2 safety related applications in which the de energized state is typically considered to be the safe state All of the examples related to I O included in this manual are based on achieving de energization as the safe state for typical emergency shutdown ESD systems Life expectancy for the ControlLogix system components is 20 years IMPORTANT Keepin mind that a demand is an event where the safety function is executed A ControlLogix system can be configured to execute standard control as well as safety functions The demand rate is determined by how often the safety function is executed and not how often the control function is executed Rockwell Automation Publication 1756 RMO01L EN P July 2014 13 Chapter 1 SIL Policy Programming and Debugging Tool PADT For support in creation of programs the PADT Programming and Debugging Tool is required The PADT for ControlLogix is RSLogix 5000 software per IEC 61131 3 and this Safety Reference Manual For more information about programming a system by using optional pre developed Add
166. rotocol systems on EtherNet ControlNet and DeviceNet communication networks CL Claim Limit The maximum level that can be achieved DC Diagnostic Coverage The ratio of the detected failure rate to the total failure rate Demand safe state safety action initiated by the safety function A normal control action function is not a safety demand A safety demand occurs when safety conditions are met Typically this only occurs when standard control fails to perform its control function Demand Rate The expected rate per year that a safe state safety action will be executed by the safety function EN European Norm The official European Standard GSV Get System Value A ladder logic instruction that retrieves specified controller information and places it in a destination tag MTBF Mean Time Between Average time between failure occurrences Failures Rockwell Automation Publication 1756 RM001L EN P July 2014 9 Preface 10 Table 1 Abbreviations Used throughout This Reference Manual Abbreviation Full Term Definition MTTR Mean Time to Average time needed to restore normal operation after a failure has occurred Restoration PADT Programming and RSLogix 5000 software is used to program and debug a SIL 2 certified Debugging Tool ControlLogix application PC Personal Computer Computer used to interface with and control a ControlLogix system via the RSLogix 5000 software PFD Probability of Failure
167. routines publication 1756 012 Explains how to configure a SIL 2 certified system by using Add On Instructions provided by Rockwell Automation Logix5000 Controllers General Instruction Set Reference Manual publication 1756 RM003 Contains descriptions and use considerations of general instructions available for Logix5000 controllers ControlLogix System User Manual publication 1756 UM001 Explains how to use the ControlLogix controllers ControlLogix Standard Redundancy System User Manual publication 1756 UM523 Explains how to install configure and use a standard redundancy system ControlLogix Enhanced Redundancy System User Manual publication 1756 UM535 Explains how to install configure and use an enhanced redundancy system ControlLogix Digital 1 0 User Manual publication 1756 UM058 Provides information about the use of ControlLogix digital 1 0 modules ControlLogix Analog 1 0 Modules User Manual publication 1756 UM009 Provides information about the use of ControlLogix analog 1 0 modules Logix5000 Controllers Execution Time and Memory Use Reference publication 1756 RM087 Provides estimated execution times that can be used in worst case scenario calculations Logix5000 Controllers Common Procedures Programming Manual publication 1756 001 Explains a variety of programming related topics Industrial Automation Wiring and Grounding Guidelines publication 1770
168. ry controller in a duplex system has a 2096 slower response time than the controller in a simplex system Rockwell Automation Publication 1756 RM001L EN P July 2014 Safety Watchdog Safety Certifications and Compliances SIL Policy Chapter 1 The switchover between controllers slows system response The switchover time of a redundancy system depends on the network update time NUT of the ControlNet network For more information about switchover times in redundancy systems see one of these ControlLogix redundancy system user manuals ControlLogix Standard Redundancy System User Manual publication 1756 UM523 ControlLogix Enhanced Redundancy System User Manual publication 1756 UM535 IMPORTANT Toavoid nuisance trips you must account for the additional cross checking time of a duplex system when setting the watchdog time Configure the properties of the task used for safety correctly for your application Priority must be the highest priority task in the application lowest number Watchdog the value entered for the SIL 2 safety task must be large enough for all logic in the task to be scanned If the task execution time exceeds the watchdog time a major fault occurs on the controller Users must monitor the watchdog and program the system outputs to transition to the safe state typically the OFF state in the event of a major fault occurring on the controller For more information on faults see Chapt
169. s 39 Requiremebts for Use etsi saa SAT MID dE 40 ControlLogix Chassis oa issu ouai panei essa NEUE 41 ControlLogix Power Supplies ascen ene rre emere 4l Redundant Power Supplies 41 Recommendations for Using Power Supplies 42 Rockwell Automation Publication 1756 RM001L EN P July 2014 5 Table of Contents ControlLogix Communication Modules ControlLogix 1 0 Modules Chapter 4 Introduction to Communication Modules 43 ControlNet Modules and Components 44 ControlNet Cabling 44 Control Net Repeater aaa decane Tuis 44 ControlNet Module Diagnostic Coverage 44 EtherNet IP Communication Modulss 45 DeviceNet Scanner Module 45 Data Highway Plus Remote I O Module 1756 DHRIO 45 SynchLink Modules Seele de d DIEI Saa 45 General Requirements for Communication Networks 46 Peer to Peer Communication Requirements 46 Additional Resources zusenden lecce rte dl eu aos 47 Chapter 5 Overview of ControlLogix I O Modules 49 Using 1756 Digital Input Modules 50 Requirements When Using Any ControlLogix Digital Input Module iu ec oor ttes in e Cer uh ug 51 Wiring C
170. s Conhguration SEEN 108 Calculating Worst case Reaction Time 108 For Digital Modules 108 For Analog Modules 110 Appendix B SIL 2 certified ControlLogix ns 2202 111 System Components Appendix C PFD and PFH Calculations About PFD and Calculations 117 for a SIL 2 System Determine Which Values To Use 118 About the Calculations in This Manual 118 1 Year PFD Calculations 119 2 Year PFD Calculations 124 5 year PFD Calculations iyi cei metu eaa 129 Using Component Values To Calculate System PFD 134 Example 1 year PFD Calculation for a ControlLogix System 1oo1 Configuration ede e S 134 Example 1 year PFD Calculation for a ControlLogix System 1002 Configuration 134 Appendix D Using ControlLogix and FLEXI O eee ccc HH 135 Modules in SIL 1 Applications Appendix E Checklists Checklist for the ControlLogix System 139 Checklist for SIL Inputs 2 2 dee eet be 140 Checklist for SIL Outputs 142 Checklist for the Creation of an Application Program 143 a ia Nate Nae A a Na T dd EAR 145 8
171. safety function When installing ControlLogix controller refer to the user manual listed in Additional Resources on page 11 There are currently separate firmware revisions for standard and redundant operation For more information see Appendix B and the Revision Release List available at http www ab com from the Product Certifications link For more information on the ControlLogix controllers see the publications listed in the Additional Resources on page 11 40 Rockwell Automation Publication 1756 RMO01L EN P July 2014 ControlLogix Chassis ControlLogix Power Supplies ontrolLogix ontrollers Chassis and Power Supplies Chapter3 The ControlLogix 1756 Axx chassis provide the physical connections between controllers and I O modules The chassis itself is passive and is not relevant to the safety discussion because any physical failure would be unlikely under normal environmental conditions and would be manifested and detected as a failure within one or more of the active components When installing ControlLogix chassis follow the instructions provided in the product documentation ControlLogix power supplies are certified for use in SIL 2 applications No extra configuration or wiring is required for SIL 2 operation of the ControlLogix power supplies If an anomaly occurs in the supplied voltages the power supply immediately shuts down All ControlLogix power supplies are designed to perform these tasks e
172. se K versions have the same SIL 2 certification as the non K versions For more information on which products have conformal coating go to http ab com rockwellautomation com 123 AppendixC PFD and PFH Calculations for a SIL 2 System 2 Year PFD Qalculations The PFD calculations in this table are calculated for a 2 year proof test interval 17 520 hours and are specific to ControlLogix system components Table 11 2 Year PFD Calculations MeanTime Common Terms 1001 Configuration 1002 Configuration 1 Firmware between Safe Spurious Spurious B Catro Version Description 9 Failure p 10 ersion rar M AM meten Adu Ada Trip Rate Trip Rate Tg PFD 3 SFF 1756 AXX C ControlLogix chassis 22 652 010 4 41 08 2 21 08 95 2 21E 09 1 99E 08 886 4 19E 08 1756 A4LXT B 4 slot ControlLogix XT chassis 1 069 120 9 35 07 4 68E 07 95 4 68E 08 4 21E 07 886 8 89E 07 B 1756 A5XT C 5 slot ControlLogix XT chassis 734 420 1 36E 06 6 81E 07 95 6 81E 08 6 13E 07 886 1 29E 06 1756 A7LXT B 7 slot ControlLogix XT chassis 27 628 178 3 62E 08 1 81E 08 95 1 81E 09 1 63E 08 886 3 44E 08 B 75x C 7 slot ControlLogix XT chassis 1 081 600 9 25 07 4 62 07
173. se listed in Revision Release List available from the Product Certification link at http www ab com for your safety application 2 Have you calculated the system s response time 3 Does the system s response time include both the user defined SIL task program watchdog software watchdog time and the SIL task duration time 4 Is the system response time in proper relation to the process tolerance time L L 5 Have PFD values been calculated according to the system s configuration L 6 Have you performed all appropriate proof tests L 7 Have you defined your process parameters that are monitored by fault routines L L 8 Have you determined how your system will handle faults L 9 Have you taken into consideration the checklists for using SIL inputs and outputs listed on pages 140 and 142 L 1 For more information on the specific tasks in this checklist see the previous sections in the chapter or Chapter 1 SIL Policy on page 13 Rockwell Automation Publication 1756 RM001L EN P July 2014 139 AppendixE Checklists Checklist for SIL Inputs The following checklist is required for planning programming and start up of SIL inputs It may be used as a planning guide as well as during proof testing If used as a planning guide the checklist can be saved as a record of the plan For programming or start up an individual checklist can be filled in for every single SIL input channel in a syst
174. sensors are monitoring the same safety application 74 Input 1 Input 2 m Tusc uc ae M nta meer AET EE T 0000000000000000 O000000000000000 S N S 0 R DOOOOOOOOOOOOODOO 1 SENSOR 43366 Application logic can compare input values or states for concurrence Figure 41 Compare Input Values Input A Input B The user program must also contain rungs to annunciate a fault in the event of a sustained miscompare between two points Figure 42 Annunciate a Fault Input A Input B imer Input TUER Timer preset in milliseconds to compensate for filter time and hardware delay differences Timer Done gt Fault Alarm to Operator The control diagnostics and alarming functions must be performed in sequence Rockwell Automation Publication 1756 RM001L EN P July 2014 Using 1794 Digital Output Module FLEXI O Modules Chapter 6 To achieve SIL 2 the output module must be wired back to an input module for monitoring Requirements When Using FLEX 1 0 Digital Output Modules Regardless of the
175. separate FLEX I O rails They must not share the same FLEX adapter Monitor the network status bits for the associated module and make sure that appropriate action is invoked via the application logic by these status bits Rockwell Automation Publication 1756 RM001L EN P July 2014 FLEXI 0 Modules Wiring FLEX 1 0 Analog Output Modules Chapter 6 In general good design practice dictates that each analog output must be wired to a separate input terminal to make sure that the output is functioning properly Wiring the Analog Output Module in Voltage Mode You must wire analog outputs to an actuator and then back to an analog input to monitor the output performance Figure 53 Analog Input Module Wiring Example 1794 0E4 Analog Output Module Isolated Analog Output Module 1794 IE8 Analog Input 6 Isolated Analog Input Module 1794 TB3 Rockwell Automation Publication 1756 RM001L EN P July 2014 87 Chapter 6 88 FLEX 1 0 Modules Wiring the Analog Output Module in Current Mode In addition to following the Requirements When Using FLEX I O Analog Output Modules on page 84 consider the following application guideline before wiring the module in Current mode Place other devices in curr
176. t A Secondary Output Timer Done Fault Alarm to Operator O The control diagnostics and alarming functions must be performed in sequence For more information on faults see Chapter 8 Faults in the ControlLogix System Rockwell Automation Publication 1756 RM001L EN P July 2014 53 Chapter 5 54 ControlLogix 1 0 Modules Use of external relays to disconnect module power if output de energized state is critical To verify that outputs will de energize users must wire an external relay or other measure that can remove power from the output module ifa short or other fault is detected See Figure 22 on page 55 for an example method of wiring an external relay Test outputs at specific times to make sure they are operating properly The method and frequency of testing is determined by the requirements of the safety application For more information on testing diagnostic module outputs see page 54 For more information on testing standard module outputs see page 56 Fortypical emergency shutdown ESD application outputs must be configured to de energize When configuring any ControlLogix output module each output must be configured to de energize in the event of a fault and in the event of the controller going into Program mode For exceptions to the typical ESD applications see Chapter 1 SIL Policy on page 13 When wiring two digital output modules in series so that m
177. t IP non SIL 2 EtherNet IP connections l z is S J L Analog Input Digital Input Digital Output jermination Board Termination Board Termination Board a 41 Field Device Field Device Field Device xxr ee l Rockwell Automation Publication 1756 RM001L EN P July 2014 25 Chapter1 SIL Policy Figure 12 Duplex System EtherNet IP Fiber Configuration ControlLogix Chassis Secondary Chassis 1783 ETAP1F 1783 ETAP1F Fiber 1 InputChB JW Fiber I 1 0 Chassis A1 1 0 Chassis B1 P I I 1783 ETAPTF 1783 ETAP2F 1783 ETAPTF 1783 ETAP2F 1 0 Chassis A2 s Ommy Garey Omg Ooms 1783 ETAP 1783 ETAP 1783 ETAP Note All SIL 2 guidelines for 1756 or FLEX 1 0 modules remain the same Because channel A and channel B are two independent networks 1783 ETAP modules can be considered black channel equipment and do not need to be part of the SIL 2 system calculation 26 Rockwell Automation Publication 1756 RM001L EN P July 2014 SIL Policy Figure 13 Duplex System with Stratix Switches ControlLogix ControlLogix Chassis z 1756 EN2TR 1756 EN2TR 1756 EN2TR 1756 EN2TR Fiber wam Copper Chassis 1 Chassis 1B ec N z x un Output ChB 1756 EN2TR
178. ted 2 69E 06 1 34E 06 96 1 01 07 1 25E 06 670 20 055 MTBF and 1756 L73X1 20 012 ControlLogix XT controller 8MB PFD via 696 06 1 34E 06 96 1 01E 07 1 25E 06 670 20 055 FMEA 1756 1749 20 012 ControlLogix controller 16MB 2 69E 06 1 34 06 96 01 07 1 25E 06 670 20 055 1756 750 20 012 ControlLogix controller 32MB 2 69E 06 1 34 06 96 1 01E 07 1 25 06 670 20 055 124 Rockwell Automation Publication 1756 RMO01L EN P July 2014 PFD and Calculations for a SIL 2 System Appendix Table 11 2 Year PFD Calculations Common Terms 1001 Configuration 1002 Configuration MeanTime i Safe n Cat No Firmware Description between i Spurious Version Failure 9 Failure i i 10 MTBF Nha Fraction Nau Naa Tcg1oo1 ws PFD a SFF 1756 CNB 11 005 ControlLogix ControlNet 1 786 977 5 60 07 2 80E 07 95 2 80E 08 2 52E 07 886 5 32 07 2 80 08 2 48 04 communication module 1756 NBR E 11 005 ControlLogix ControlNet 2 608 543 3 83E 07 1 92E 07 95 1 92E 08 1 73E 07 886 redundant communication module 1756 CN2 20 011 ControlLogix ControlNet 1 096 299 9 12 07 4 56E 07
179. the original project name to maintain project documentation Rockwell Automation Publication 1756 RMO01L EN P July 2014 95 Chapter7 Requirements for Application Development Commissioning Life Cycle Figure 56 shows the steps required during application program development debugging and commissioning Figure 56 Application Development Life Cycle Generate Functional Specification Create Flow Diagram Y Create Timing Diagrams Y Establish Sequence of Operations Develop Project Develop Project 0nline 0ffline Review Program with Downloadi Independent Party 4 ownload to Controller Develop Test Plan Perform Validation Testing on all Logic Yes Tests Pass No Y Make more online edits amp accept edits or make more offline edits and download to No Determine what logic has been Changed or Affected Y erform Validation Testing on all Changed or Affected Logic Begin Normal Project Operation Download to Make project Controller changes Finish the Validation Test 1 You must periodically repeat the validation test also known as proof tests to make sure module inputs and outputs are functioning properly and as commanded by the Secure PADT application programming For more inf
180. the responsibility of the individuals starting and maintaining the SIL 2 safety system The application program is intended to be developed by the system integrator and or user The developer must consider general procedures for programming ControlLogix SIL 2 applications listed below this does not require independent third party review Specification of the SIL 2 safety control function including the following Specifications Flow and timing charts Engineering diagrams Sequence charts Program description Program review process e Writing the application program Checking by independent reviewer e Verification and validation Rockwell Automation Publication 1756 RM001L EN P July 2014 91 Chapter7 Requirements for Application Development Functional Specification Guidelines 92 All application logic must be independently reviewed and tested To facilitate reviews and reduce unintended responses developers should limit the set of instructions to basic Boolean ladder logic such as examine On Off Timers Counters and so on whenever possible This set should include instructions that can be used to accommodate analog variables such as the following e Limit tests e Comparisons e Math instructions For more information see Proof Tests on page 28 You must create a specification for your control function Use this specification to verify that program logic correctly and fully addresses your application s
181. tion test information revision information Multiple users cannot edit a program from multiple programming terminals simultaneously Changes to the safety application software in this case RSLogix 5000 software must comply with IEC 61511 standard on process safety section 11 7 1 Operator Interface requirements e When the ControlLogix controller keyswitch is in the RUN position controller is in Run mode you cannot make online edits You can edit the relay ladder logic portion of the safety program using one ofthe following methods described in Table 3 Rockwell Automation Publication 1756 RM001L EN P July 2014 97 Chapter 7 Requirements for Application Development Table 3 Methods of Changing Your Application Program Method Required Steps Controller Key Points to this Method Keyswitch Position Offline Perform the tasks described in the flow chart in Figure 56 on page 96 PROG You must re validate the entire application before returning to normal operation Online 1 Turn the controller key to the REM position REM The project remains online but operates in the 2 Usethe Online Edit Toolbar to start accept test and assemble your edits The toolbar is Shown remote Run mode When edits are completed below you are required to validate only the changed Start Accept Assemble Testprogram Untest i 1 21 limitedt pending pendingrung program edits program ONIE eS I di di di di
182. tion com For SIL 2 compliance when installing ControlLogix I O modules follow the procedures provided in the module s installation instructions For a full list of installation instructions for SIL 2 certified modules see Appendix B To achieve SIL 2 two digital input modules must be used with field sensors wired to channels on each module The two channels must be compared by software before reconciling the data Using 1756 Digital Input Modules ControlLogix digital input modules are divided into two categories e Diagnostic input modules e Standard input modules These modules share many of the same inherent architectural characteristics However the diagnostic input modules incorporate features that allow diagnosing of field side failures These features include broken wire that is wire off detection and in the case of AC Diagnostic modules loss of line power 50 Rockwell Automation Publication 1756 RMO01L EN P July 2014 ControlLogix 1 0 Modules Chapter 5 Requirements When Using Any ControlLogix Digital Input Module Regardless of the type of ControlLogix input module used you must follow these general application requirements when applying these modules in a SIL 2 application Ownership The same controller must own both modules Direct connection Always use direct connection with any SIL2 CL modules You must not use rack optimized connections in a SIL 2 application e Separate input
183. tions must be separate or everything in the task containing safety must be treated as safety related Forcing The following rules apply to forcing in a project You must remove forces on all SIL 2 tags and disable forcing before beginning normal operation for the project You must not force SIL 2 tags after validation is performed and during controller operation in Run mode IMPORTANT Forcing must not be used during normal operation as well as during final System test and validation Checking the Application To check safety related application logic for adherence to specific safety Pro gram functions you must generate a suitable set of test cases that cover the safety specification The set of test cases needs to be well written and filed as the test specification Suitable tests must also be generated for the numeric evaluation of formulas Equivalent range tests are acceptable These are tests within defined value ranges at the limits and outside the defined value ranges The test cases must be selected to prove the correctness of the calculation The necessary number of test cases depends on the formula used and must comprise critical value pairs 94 Rockwell Automation Publication 1756 RM001L EN P July 2014 Verify Download and 0peration Requirements for Application Development Chapter7 However active simulation with sources cannot be omitted as this is the only means of detecting correct wiring of the sensors and
184. tions up to and including 10 demands per year PFH values for those applications are provided Tables in this chapter present PFD and PFH values for ControlLogix and ControlLogix XT components that are evaluated by TUV Rockwell Automation Publication 1756 RM001L EN P July 2014 117 AppendixC PFD and PFH Calculations for a SIL 2 System Determine Which Values To Use IMPORTANT You are responsible for determining which of the values provided are appropriate for your SIL 2 certified system Determine which values to use based on the modules used your system and the system configuration Each of the PFD and PFH calculated values provided in this manual is based on the configuration that che module can be used in that is 1001 or 1002 e Communication and controller communication modules have PFD values specific to use in a lool configuration Input or output modules have PFD values specific to use a 1002 configuration About the Calculations in For the calculations presented in this chapter these values were used as the two This Manual application dependent variables e Mean time to restoration MTTR is ten hours Proof test interval Tj is listed for each table Common Terms failure rate 1 MTBF A rate of safe failures x 50 Aq rate of dangerous failures A x 5096 Aga dangerous detected failure rate M2 x DC Aqy dangerous undetected failure rate M2 1 DC SFF saf
185. to the module The module used to control this relay must follow SIL 2 output guidelines This module also must be a considered during PFD analysis for each Secondary safety function o C BL MEN The relay used should be a signal grade relay using bifurcated or similar grade contacts The relay can be located in a position to remove power to a single actuator or can remove power to multiple actuators depending on the granularity needed 43377 Wiring the Analog Output Module in Current Mode Make sure you review the considerations in Considerations for Using Analog Output Modules on page 67 use the correct documentation listed in Additional Resources on page 11 to wire the module place devices correctly in the current loop You can locate other devices in an output channels current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops each module output is 250 Q Figure 38 shows how to wire the 1756 OF8 module for use in Current mode Figure 38 ControlLogix Analog Output Module Wiring in Current Mode Analog Output Module Analog Input Module This normally open relay is controlled by the status of 4 4 the rest ofthe ControlLogix system If a short circuit or fault occurs on the module the relay can disconnect power to the module The module used to control this relay must
186. trolLogix AC power supply 1756 PB75 ControlLogix DC power supply 1756 PA75R ControlLogix AC redundant power supply 1756 PB75R ControlLogix DC redundant power supply 1756 IN005 1756 PA72 ControlLogix AC power supply 1756 PB72 ControlLogix DC power supply 1756 75 ControlLogix DC power supply 1756 PH75 ontrolLogix D power supply 1756 PSCA2 ControlLogix redundant power supply chassis adapter module 1 Some catalog numbers have a K suffix This indicates a version of the product that has conformal coating These K versions have the same SIL 2 certification as the non K versions For more information on which products have conformal coating go to http ab com rockwellautomation com 2 The 1756 PA75 A and 1756 PB75 A power supplies are no longer available However if your existing SIL 2 application uses these power supplies they are SIL 2 certified 3 Existing systems that use the 1756 PSCA and 1756 PSCA2 are SIL 2 certified However when implementing new SIL 2 certified systems or upgrading existing systems we recommend that you use the 1756 PSCA2 module if possible Rockwell Automation Publication 1756 RMO01L EN P July 2014 111 Appendix B 112 SIL 2 certified ControlLogix System Components Table 6 SIL 2 certified ControlLogix Components 1756 Nonredundant Controllers 1 0 and Communication Modules Related Cat No Description Documentation 56461708 Controllogix2MBcontro
187. trollogixSyncLink Module 6 932 640 1 37E 07 Notapplicable 2 74 07 Not applicable 1756 1 161 A 13 003 ControlLogix isolated V AC input 20 801 920 4 81E 08 2 40 08 80 9 61E 09 1 44 08 3514 3 85 08 9 61E 09 8 45E 05 7 69E 08 2346 4 82E 10 4 23E 06 module 1756 IA8D A 13 003 ControlLogix diagnostic V AC 15 966 080 6 26E 08 3 13E 08 80 1 25E 08 1 88E 08 3514 5 01E 08 1 25E 08 1 10 04 1 00E 07 2346 6 29E 10 5 52E 06 input module 1756 18160 13 003 ControlLogix diagnostic V DC 30 228 640 3 31E 08 1 65 08 80 6 62 09 9 92 09 3514 2 65E 08 6 62E 09 5 81E 05 5 29E 08 2346 3 32E 10 2 91E 06 input module 1756 18161 3 003 ControlLogix isolated V DCinput 81 443 094 1 23 08 6 14 09 80 2 46 09 3 68 09 3514 9 82 09 2 46 09 2 16 05 1 96E 08 2346 1 23E 10 1 08E 06 module Rockwell Automation Publication 1756 RM001L EN P July 2014 125 Appendix C PFD and PFH Calculations for a SIL 2 System Table 11 2 Year PFD Calculations Common Terms 1001 Configuration 1002 Configuration MeanTime i Safe Cat No Firmware Description hetween Spurious Spurious Version Failure 9 Failure i i 1
188. ulations 119 2 year PFD calculations 124 5 year PFD calculations 129 A actuators 93 Add 0n Instructions 49 90 alarms 1756 analog input modules 58 101 analog input modules See ControlLogix analog input modules See 1 0 analog input modules analog output modules See ControlLogix analog output modules See FLEX 1 0 analog output modules application program programming languages 90 SIL task program instructions 94 applications boiler 16 combustion 16 gas and fire 14 boiler applications 16 C cable ControlNet network 44 calculations 1 year PFD 119 2 year PFD 124 5 year PFD 129 explanation of 118 PFD 117 calibrate 1756 analog input modules 58 1756 analog output modules 67 1794 analog input modules 78 1794 analog output modules 84 certification 31 change parameters 104 channel status monitoring 59 68 chassis 41 chassis adapter 41 checklists 139 CIP See Control and Information Protocol CL SIL2 31 combustion applications 16 commissioning life cycle 96 Rockwell Automation Publication 1756 RM001L EN P July 2014 Index communication ControlNet components 44 data echo 34 Data Highway Plus Remote 1 0 components 45 EtherNet IP components 45 field side output verification 34 network 36 requirements 46 output data echo 53 SynchLink modules 45 compliances 31 components 1756 chassis 41 1756 power supply 41 FLEX 1 0 115 116 configurations fail safe 17 fault tolerant
189. ules e 0termination boards IMPORTANT The system user is responsible for the following tasks when any of the ControlLogix SIL 2 system configurations are used e The setup SIL rating and validation of any sensors or actuators connected to the ControlLogix control system e Project management and functional testing e Programming the application software and the module configuration according to the descriptions in this manual The SIL 2 portion ofthe certified system excludes the development tools and display human machine interface HMI devices these tools and devices must not be part of the safety loop Simplex Configuration In a simplex configuration the hardware used in the safety loop is programmed to fail to safe The failure to safe is typically an emergency shutdown ESD where outputs are de energized Figures 2 9 each show typical simplex SIL loops The figures show the following Overall safety loop ControlLogix portion of the overall safety loop SIL 2 I O modules in the safety loop must meet the requirements specified Chapter 5 ControlLogix I O Modules and Chapter 6 FLEX I O Modules Rockwell Automation Publication 1756 RM001L EN P July 2014 17 Chapter1 51 Policy Figure 2 Single chassis Configuration Actuator un c Standard Communication Figure 3 Fail safe ControlLogix EtherNet IP DLR Configuration Controller Chassis
190. ut channel see Figure 43 on page 75 The control diagnostics and alarming functions must be performed in sequence You can also wire a standard digital output module in series with an isolated relay output module in series with a critical actuator In the event that a failure is detected the output from both output modules must be set to OFF to guarantee the Output Loads de energize This is shown in Figure 45 on page 77 Rockwell Automation Publication 1756 RM001L EN P July 2014 COM 24V FLEX 1 0 Modules Chapter 6 Figure 45 ControlLogix FLEX 1 0 Standard Output Module Wiring with an Isolated Relay Module Standard Digital Isolated Relay Output Standard Digital Output Module Module Input Module Wire output point to input point to verify the correct state of the e output O000000000000000 9000000000000000 s 0M 55555555555885555 Output FMV Output Note 1 An external relay can be replaced with an isolated relay module that is mounted in another FLEX 1 0 r
191. ut directly to the actuator The other is a normally closed contact to remove or isolate the controller output An application program needs to be generated to monitor the diagnostic output modules for dangerous failures such as shorted or open output driver channels Diagnostic output modules must be configured to hold last state in the event of a fault A diagnostic alarm must be generated to inform the operator that manual control is required The faulted module must be replaced within the Mean Time to Restoration MTTR Any time a fault is detected the system must annunciate the fault to an operator by some means for example an alarm light Figure 1 Manual Override Circuit L2 or Ground Manual Override 9 43379 Alarm Rockwell Automation Publication 1756 RM001L EN P July 2014 15 Chapter1 SIL Policy Boiler and Combustion Considerations If your SIL 2 certified ControlLogix system is used in combustion related applications you are responsible for meeting appropriate safety standards including National Fire Protection Association NFPA standard NFPA 85 and 86 In addition you must provide a documented life cycle system safety analysis that addresses all the requirements of NFPA 85 related to Burner Management System Logic To comply with the requirements of IEC 61508 the safety demand rate must be no more than 10 demands
192. ut module 1756 0B16 A 3002 ControlLogix V DC diagnostic 8 884 374 1 13 07 5 63E 08 80 2 25 08 3 38E 08 1762 9 00 2 25 1 80 07 1178 1 13E 09 4 97 06 output module 08 9 2 68E 05 08 8 7 79E 05 08 2 25E 08 9 92E 05 1756 0B16E 3 003 ControlLogix V DC electronic ally 14 997 714 6 67E 08 3 33 08 80 1 33 08 2 00 08 1762 5 33E 08 1 33 08 5 87 05 1 07E 07 1178 6 68E 10 2 94E 06 fused output module 07 2 71 08 1 19E 04 07 7 46 08 3 29E 04 08 8 6 28E 05 o 1756 0B16 3 002 ControlLogix V DC isolated 7 388 160 1 35 07 6 77E 08 80 2 71 08 4 06E 08 1762 1 08 2 71E 2 17 07 1178 1 36E 09 5 98E 06 output module 1756 0832 3 002 ControlLogix V DC output 2 681316 3 73E 07 1 86E 07 80 7 46 08 1 12 07 1762 2 98 7 46E 5 97 07 1178 3 77E 09 1 66E 05 module 1756 088 3002 ControlLogix V DC isolated 14019200 7 13E 08 57 1 14 07 1178 7 15E 10 3 15E 06 electronic ally fused output module 1756 0X8l 3002 ControlLogix isolated relay 6 059 635 1 65E 07 E 07 8 1 45 04 2 64 07 1178 1 66E 09 7 29E 06 output module 1756 0W16l A 3 002 ControlLogix isolated relay 13 695 899 7 30E 08 output module E 08 6 43 05 1 17E 07 1178 7 32E 10 3 22E 06 1756 0F8 11 005 ControlLogix analog output 10 629 795 9 41E 08 1 51 07 1178 9 44E 10 4 15E 06 module
193. utomation NV Pegasus Park De Kleetlaan 12a 1831 Diegem Belgium Tel 32 2 663 0600 Fax 32 2 663 0640 Asia Pacific Rockwell Automation Level 14 Core F Cyberport 3 100 Cyberport Road Hong Kong Tel 852 2887 4788 Fax 852 2508 1846 Publication 1756 RM001L EN P July 2014 Supersedes Publication 1756 RM001K EN P March 2014 Copyright 2014 Rockwell Automation Inc All rights reserved Printed in the U S A
194. x Table 10 1 Year PFD Calculations Common Terms 1001 Configuration 1002 Configuration MeanTime 1 Firmware between Safe Spurious boire Version Description y9 Failure Trip Rate Trip Rate Te PFH prb E MrBr Fraction 1001 STR STR GE 3 SFF 1756 IB16ISOE 2 007 ControlLogix isolated V DC 11 537 760 8 67E 08 762 7 64E 05 1 39 07 1178 8 69 10 3 82E 06 Sequence 0f Events input module 1756 1 32 3 005 ControlLogixV DC input module 10 462 329 9 56E 08 762 1 53 07 1178 9 59E 10 4 22E 06 1756 IF8 A 1 005 ControlLogix analog input 8 699 254 1 15E 07 5 75E 08 80 2 30 08 3 45E 08 9 20E 08 2 30 08 1 01 04 1 84 07 1178 1 15E 09 5 08E 06 module 1756 IF8H 1 002 ControlLogix HART analog input 1 291 978 7 74 07 3 87E 07 80 1 55E 07 2 32E 07 1762 6 19E 1 55E 124E 06 1178 7 93E 09 3 47E 05 module 1756 IF16 1 005 ControlLogix analog input 4 592 506 2 18 07 1 09E 07 80 4 35E 08 6 53 08 1762 1 74 4 35E4 3 48 07 1178 2 19E 09 9 64 06 module 07 7 6 82E 04 E 07 8 1 92E 04 1756 IF16H A 1 002 ControlLogix HART analog input 442 914 2 26E 06 1 13E 06 80 4 52 07 6 77E 07 1762 1 81E 06 4 52 07 1 99 03 3 61 06 1178 2 42 08 1 04 04 module 1756 IF6CIS 1 013 ControlLogix isolated analog 2 654 080 3 77E 07 1 88 07 80 7 54 08 1 13E 07
195. y accurate level of calibration However because each application is different you are responsible for making sure your ControlLogix I O modules are properly calibrated for your specific application You can employ tests in application program logic to determine when a module requires recalibration For example to determine whether an input module needs to be recalibrated you can determine a tolerance band of accuracy for a specific application You can then measure input values on multiple channels and compare those values to acceptable values within the tolerance band Based on the differences in the comparison you could then determine whether recalibration is necessary Calibration and subsequent recalibration is not a safety issue However we recommend that each analog input be calibrated at least every three years to verify the accuracy ofthe input signal and avoid nuisance application shutdowns Use the Floating Point Data Format ControlLogix analog input modules perform on board alarm processing to validate that the input signal is within the proper range These features are only available in Floating Point mode To use the Floating Point Data format select the Floating Point Data format in the Module Properties dialog box Rockwell Automation Publication 1756 RM001L EN P July 2014 ControlLogix 1 0 Modules Chapter 5 Program to Respond to Faults Appropriately When programming the SIL 2 system verify that your program
196. your local Rockwell Automation representative New Product Satisfaction Return Rockwell Automation tests all of its products to help ensure that they are fully operational when shipped from the manufacturing facility However if your product is not functioning and needs to be returned follow these procedures United States Contact your distributor You must provide a Customer Support case number call the phone number above to obtain one to your distributor to complete the return process Outside United States Please contact your local Rockwell Automation representative for the return procedure Documentation Feedback Your comments will help us serve your documentation needs better If you have any suggestions on how to improve this document complete this form publication RA DU002 available at http www rockwellautomation com literature Rockwell Automation maintains current product environmental information on its website at http www rockwellautomation com rockwellautomation about us sustainability ethics product environmental compliance page Rockwell Otomasyon Ticaret A S Kar Plaza Is Merkezi E Blok Kat 6 34752 erenk y stanbul Tel 90 216 5698400 www rockwellautomation com Power Control and Information Solutions Headquarters Americas Rockwell Automation 1201 South Second Street Milwaukee WI 53204 2496 USA Tel 1 414 382 2000 Fax 1 414 382 4444 Europe Middle East Africa Rockwell A
197. ystem If the inputs miscompare for longer than the preset value a fault is registered with a corresponding alarm Rockwell Automation Publication 1756 RM001L EN P July 2014 FLEXI O Modules Chapter 6 Figure 46 Logic for Comparing Analog Input Data Inputs OK A Timer MULT ADD SUB Range Delta Delta Tolerance Input 1 Input 1 Delta High Limit Low Limit LIM Low Limit Input 2 C 2 Inputs OK High Limit Timer Done C Inputs Faulted Inputs Faulted Alarm to Operator The control diagnostics and alarming functions must be performed in sequence Configuration parameters for example RPI filter values must be identical between the two modules e The same controller must own both modules Wire sensors to separate input points on two separate modules that are on different network nodes Monitor the network status bits for the associated module and make sure that appropriate action is invoked via the application logic by these status bits Wire sensors to separate input channels on two separate modules that are on different network nodes Rockwell Automation Publication 1756 RMO01L EN P July 2014 79 Chapter6 FLEX 1 0 Modules One Sensor Wiring Example Wiring FLEX 1 0 Analog Input Modules The wiring diagrams in this section show two methods of wiring the analog input module In
Download Pdf Manuals
Related Search