Spec Sheet - The Reynolds Company
Contents
1. GuardPLC 1800 GuardPLC 2000 No Requirements Fulfilled Yes No Comment Is this a safety input Is the error message processed in the application program VALUE 0 and CHANNEL STATUS 0 Is this a digital input If no go to 6 Is the hysteresis for the digital inputs configured correctly GuardPLC 1800 and 2000 Is line control pulse testing used for this input Is this an analog input If no go to 15 unipolar 0 10V DC unipolar 0 10V DC 1755 IF8 only unipolar 0 20mA bipolar 10V DC 1755 IF8 only Is the voltage input terminated or programmed for application fault handling Do the ranges of the sensors set fit the channel configuration Are the unused analog inputs short circuited Are the error code system signals for the used input channels evaluated in the logic Has the Al Ox Used signal been configured properly for used and unused analog inputs Is this input a counter Function Pulse counter Function Encoder Gray code Has a safety encoder sensor been provided for this input Rockwell Automation Publication 1753 RM002D EN P July 2010 39 Chapter 3 Notes 40 GuardPLC Controller and GuardPLC I/O
2. GuardPLC 16 8 DC 1 0 Module Digital Output 16 1 pole X 1753 IB16X0B8 8 2 pole X GuardPLC 2000 DIO Module l 1755 IB24X0B16 Digital Output 16 X X o 2000 CO Module Digital Output 4 X X GuardPLC 2000 AO Module 1755 0F8 Analog Output 8 X X ary ae Module Relay Output 8 X X GuardPLC Analog Input Output 2 Module 1753 IF8X0F4 Analog Output i X 1 Relay outputs cannot be used as pulsed outputs 2 The analog outputs may be used only as safety related outputs if the output values are read back to safety related analog inputs and evaluated in the user program The GuardPLC safety output modules are written to once in every cycle The output signals are read back and compared with the output data given by the application logic For outputs 0 is the safety state or an open relay contact Three testable semi conductor switches have been integrated in series into the safety output modules Thus the second independent switch off required for safety technical reasons has been integrated on the output module This integrated safety switch off safely shuts down all channels of the output module de energized condition if an error occurs In addition the watchdog WD signal from the CPU module also affects the safety switch off The cessation of the WD signal results in the immediate transition to the safety state This function is effective only for all digital outputs and relay outputs of the controller 4
3. This manual contains new and updated information Changes throughout this revision are marked by change bars as shown to the right of this paragraph New and Updated Information This table contains the changes made to this revision Topic Page Updated PFD and PFH data tables 15 Added Functional Verification Tests section 21 Added Project Verification Test section 22 Updated EN954 1 to ISO 13849 1 various Changed Cat 4 to PLe Cat 4 various Rockwell Automation Publication 1753 RM002D EN P July 2010 3 Summary of Changes 4 Rockwell Automation Publication 1753 RM002D EN P July 2010 Preface Safety Concept for GuardPLC Controllers and GuardPLC I/O GuardPLC Central Functions GuardPLC Controller and GuardPLC I/O Module Input Channels GuardPLC Controller and GuardPLC I/O Output Channels Table of Contents Purpose of This Manual 9 List of Abbreviations 10 Additional Resources 11 Chapter 1 Certification 14 Introduction to Safety 14 Safety Requirements 17 Safety Times 20 Functional Verification Tests 21 Project Verification Tests 22 Chapter 2 Chapt
4. 12 38 21 08 6 655234E 05 6 189071E 09 99 7161 1753 IF8XOF4 35 01 17 75 8 575442E 05 5 159597E 09 99 7760 1753 OW8 34 16 59 41 2 240516E 05 1 730251E 09 99 7905 1 The PFD and PFH data is based on a functional verification test interval of 10 years 2 The PFD and PFH data is based on a functional verification test interval of 3 years The safety functions consisting of a safety loop input processor output and communication between GuardPLC modules fulfill the above requirements in any combination These requirements are also met by the GuardPLC distributed I/O modules Safety requirements including PFD and PFH for the DeviceNet Safety Scanner are in Chapter 5 Safety requirements including PFD and PFH for the DeviceNet Safety I/O are in Chapter 6 Rockwell Automation Publication 1753 RM002D EN P July 2010 Safety Requirements Safety Concept for GuardPLC Controllers and GuardPLC I/O Chapter 1 The following safety requirements must be followed when using the safety PES of the GuardPLC system Hardware Configuration There are product independent and product dependent hardware configurations for the GuardPLC system Product Independent Use only GuardPLC hardware and software that appear in the GuardPLC version list available at http://www.rockwellautomation.com/products/certification/safety Use RSNetWorx for DeviceNet software version 6 0 or later to confi
5. Cat 4 according to ISO 13849 1 IMPORTANT You must read and understand the safety concepts and requirements presented in this manual prior to operating a GuardPLC controller based safety system Rockwell Automation Publication 1753 RM002D EN P July 2010 9 List of Abbreviations The following table defines terms or abbreviations used in this manual Term Definition 1oo2 One Out of Two Safety Architecture Consists of 2 channels connected in parallel such that either channel can process the safety function Thus a dangerous failure would have to occur in both channels before a safety function failed on demand 2oo3 Two out of Three Safety Architecture Consists of 3 channels connected in parallel with a majority voting arrangement for the output signals such that the output state is not changed if only 1 channel gives a result that disagrees with the other 2 channels CRC Cyclic Redundancy Check A number derived from and stored or transmitted with a block of data in order to detect corruption EMC Electromagnetic Compatibility EN European Norm The official European Standard EPROM Erasable Programmable Read only Memory ESD Electrostatic Discharge HFT Hardware Fault Tolerance HSP High speed Safety Protocol IEC International Electrotechnical Commission Standard MAC ID Media Access Identifier A node s address on a network or subnet MOT Multiple Error Occurrence Time MTTF Mean Time to Fai
6. In case of a module fault all outputs are switched off Both faults are indicated via the FAULT indicator External Short circuit or Overload Module tests can still be performed even when there is a short circuit at an output It is not necessary to switch off via a safety shut down The total current draw of the module is monitored If the threshold is exceeded all channels of the output module are set to the Safety state 0 If an error occurs the output in accordance with the rules of the closed circuit principle is set to zero voltage Outputs continue to be monitored at intervals of several seconds to determine if the overload is still present When normal state resumes outputs are re connected to the load Line Control Safety digital outputs can be cycled with the safety digital inputs of the same system to allow short circuit or line break monitoring using Emergency Stop devices according to Ple Cat 4 in ISO 13849 1 See Line Control on page 31 IMPORTANT This operation is not permissible for configurable digital inputs like those on the GuardPLC 1800 controller Therefore the type of line control described above cannot be configured for GuardPLC 1800 controllers ATTENTION Pulsed outputs must not be used as safety related AN outputs for example for the control of safety related actuators because they are not safety rated Rockwell Automation Publication 1753 RM002D EN P July 2010 Safety related Two p
7. You must provide a Customer Support case number call the phone number above to obtain one to your distributor to complete the return process Outside United States Please contact your local Rockwell Automation representative for the return procedure Documentation Feedback Your comments will help us serve your documentation needs better If you have any suggestions on how to improve this document complete this form publication RA DU002 available at http www rockwellautomation com literature Rockwell Otomasyon Ticaret A S Kar Plaza Ig Merkezi E Blok Kat 6 34752 erenk y stanbul Tel 90 216 5698400 www rockwellautomation com Power Control and Information Solutions Headquarters Americas Rockwell Automation 1201 South Second Street Milwaukee WI 53204 USA Tel 1 414 382 2000 Fax 1 414 382 4444 Europe Middle Fast Africa Rockwell Automation Vorstlaan Boulevard du Souverain 36 1170 Brussels Belgium Tel 32 2 663 0600 Fax 32 2 663 0640 Asia Pacific Rockwell Automation Level 14 Core F Cyberport 3 100 Cyberport Road Hong Kong Tel 852 2887 4788 Fax 852 2508 1846 Publication 1753 RM002D July 2010 Supersedes Publication 1753 RM002C EN P September 2008 Copyright 2010 Rockwell Automation Inc All rights reserved Printed in the U S A
8. control flows 3 Complete functional test of the logic See the next section Check the Created Application Program Check the Application Program To check your application program for adherence to the specific safety function you must generate a suitable set of test cases covering the specification As a rule the independent test of each input and the important links from the application side should suffice RSLogix Guard PLUS software and the measures defined in this safety manual are designed to prevent the generation of a semantic and syntactically correct code that contains undetected systematic errors You must also generate a suitable test set for the numeric evaluation of formulas Equivalent range tests are acceptable These are tests within the defined value ranges at the range limits or using invalid value ranges Select the test cases to prove the validity of the calculation The necessary number of test cases depends on the formula used and must comprise critical value pairs However active simulation with sources cannot be omitted as it is the only means of detecting correct wiring of the sensors and actuators and of testing the system configuration 78 Rockwell Automation Publication 1753 RM002D EN P July 2010 GuardPLC Controller Operating System Chapter 7 Create a Back up Program Follow these steps when creating a back up program 1 Print out the application program to compare the logic to the specific
9. Against Manipulation 82 Checklist for the Creation of an Application Program 83 Softwa re for Gu ard PLC The software for the GuardPLC safety automation systems is arranged in these three blocks Controllers and 1 0 ie J perating system Modules e Application program Programming tool RSLogix Guard PLUS software according to IEC 61131 3 The operating system is loaded in the central unit of the GuardPLC controller and should be used in the valid TUV certified form required for safety related applications Rockwell Automation Publication 1753 RM002D EN P July 2010 75 Chapter 7 GuardPLC Controller Operating System 76 The application program must be created by using the RSLogix Guard PLUS programming tool and must contain the specific equipment functions to be performed by the automation module Parameters for the operating function are also entered into the system using RSLogix Guard PLUS software The application program is translated into machine code with the code generator This machine code is transferred via an Ethernet network interface into the Flash EPROMs of the GuardPLC 1200 1600 1800 controllers and the CPU module of the GuardPLC 2000 controller respectively The essential functions of the operating system and their correlation to the application program are shown in the following table Functions of the Operating System Cyclical processing of the application program Connections to the App
10. Current output DIP switch positions checked 3 Have unused analog voltage outputs been left open 14 Have unused analog current outputs been short circuited 15 Is a safety actuator planned for this output 52 Rockwell Automation Publication 1753 RM002D EN P July 2010 Chapter 5 Chapter Introduction Overview GuardPLC DeviceNet Safety Scanner This chapter gives information about the GuardPLC DeviceNet Safety Scanner included in a GuardPLC Safety System Topic Page Overview 53 Certification 54 Safety Requirements for DeviceNet Safety Scanner 54 User Verification Procedure 59 Safety Lock with Password Protection 60 Error Reaction 61 Status Indicators 62 Reaction Times 63 Connection Status 63 DeviceNet Scanner Configuration Checklist 63 Before operating a GuardPLC safety system containing a DeviceNet safety scanner you must read understand and follow the installation operation and safety information provided in the publications provided in the following table The DeviceNet safety scanner provides DeviceNet access for GuardPLC controllers via High speed Safety Protocol HSP The safety scanner supports standard DeviceNet Master and Slave connections as well as DeviceNet safety originator and target connections Catalog Number Description Installation User Manual Instructions 1753 DNSI DeviceNet Safety Scanner 1753 IN009 1753 UM002 for GuardPLC In addition there are th
11. D n 4 gt DOx s 1 switch only on 1753 IB8XOB8 Rockwell Automation Publication 1753 RM002D EN P July 2010 47 Chapter 4 GuardPLC Controller and GuardPLC I/O Output Channels Relay Outputs in the 1753 OW8 Module The information in this section applies to the relay outputs of the 1753 OW8 module Test Routines The modules are automatically tested during operation These are the essential test functions Read back of the output signal of the switching amplifiers before the relays e Test the switching of the relays with positively guided contacts e Test the integrated redundant safety shutdown The operating voltage of the entire system is monitored de energizing all outputs at an undervoltage of < 13V At the 1753 OW8 module the outputs are equipped with three safety relays two relays with positive guided contacts and one MSR type enabling the outputs to be used in safety shutdowns Reaction To Error If a faulty signal is detected all contact outputs of the module are set to the safety 0 state via the safety switches in accordance with the closed circuit principle This is also indicated by the FAULT diagnostic status indicator Figure 10 Relay Outputs in the 1753 OW8 48 Rockwell Automation Publication 1753 RM002D EN P July 2010 Analog Outputs in the 1753 IF8XOF4 GuardPLC Controller a
12. Downloading of an application program is monitored Once download is complete the application program starts and the cyclical process of the routine begins executing Rockwell Automation Publication 1753 RM002D EN P July 2010 Technical Safety for the Application Program Chapter 8 Force Inputs and Outputs Forcing means activation of values for the hardware inputs or outputs independent of the actual value of a signal from the linked process or the result of the program logic The only distributed I O module that can be configured for forcing is 1753 IB20XOB8 A ATTENTION Forcing is permissible only upon consultation with the approving board in charge of site acceptance The person in charge must make sure that sufficient technical safety process monitoring is carried out by other technical and structural measures during forcing Switches or Function Default Setting for Parameters Value Safety Operation Forcing allowed M Enables the Force function OFF ON Stop on force Stops the CPU after exceeding the ON ON Timeout Force time Forcing activated Forcing active OFF ON Remaining Force Time limit in seconds that Forces may 0 Time in sec Time be active 1 This setting cannot be changed during operation with a locked PES Forcing can be limited by time The maximum force time is given in seconds For forcing without a time limit set the Remaining Force Time to 1 A The Forcing allowed s
13. Function Module Application Signals X Only on program level CONSTANT VAR X Only within function CONSTANT module VAR_INPUT X Input variable VAR_OUTPUT X Output variable 1 Signals are variables that can either be attached to hardware or used as flags on the program level 2 Constants cannot be overwritten by the application program for example switching point Rockwell Automation Publication 1753 RM002D EN P July 2010 Functions of the Application Program Technical Safety for the Application Program Chapter 8 The essential characteristic is the encapsulation of the functions into self created function modules Thus a program can be clearly structured in modules function modules Every module can be seen individually and the final complex function results from linking these modules into a larger module or ultimately into a program Programming is not subjected to any restrictions imposed by hardware The functions of the application program are freely programmable When programming follow the closed circuit current principle for the physical inputs and outputs Only components that comply with IEC 61131 3 and their corresponding functional requirements may be used with the logic e Appropriate logical and or arithmetic functions are used by the application program regardless of the closed circuit principle of the physical inputs and outputs e The I O module uses the closed circuit principle that requires t
14. 1755 OF8 GuardPLC 2000 Analog Output Module GuardPLC 2000 Digital I/O Module 1755 PB720 GuardPLC 2000 Power Supply Module Rockwell Automation Publication 1753 RM002D EN P July 2010 13 Chapter 1 Safety Concept for GuardPLC Controllers and GuardPLC I/O Certification Introduction to Safety Topic Page Certification 14 Introduction to Safety 14 Safety Requirements 17 Safety Times 20 Certificate No 968 EZ164 10 09 TUV Rheinland Group TUV Industrie Service GmbH Automation Software and Informationstechnologie Safety restrictions can be found in this manual See Safety Requirements on page 17 For a listing of TUV certified product and software versions refer to http://www.rockwellautomation.com/products/certification/safety The Programmable Electronic System PES for the Allen Bradley GuardPLC system is safety related based on the 1oo2 microprocessor structure for one central module These controllers are safety rated up to and including Safety Integrity Level SIL 3 according to IEC 61508 and PLe Cat 4 according to ISO13849 1 except for the 1754 L28BBB which is safety rated up to and including Safety Integrity Level SIL 3 according to IEC 61508 and Category 4 according to EN 954 Safety tests are based on the safety standards current at the time of certification These safety tests consist of test routines that are run during the ent
15. Guard PLUS software to read the current operating system version Verification is required See the checklist on page 83 The operating systems process the application program in cycles The following functions described in simplified form are executed e Read input data e Process logic functions programmed according to IEC 61131 3 Write output data In addition there are the following essential functions e Comprehensive self tests e Tests of the I O modules while in operation Data transfer e Diagnostics This section details what you need to do when programming using the software Safety Concept of RSLogix Guard PLUS Software The safety concept of RSLogix Guard PLUS software warranties that e the programming system works correctly meaning that programming system errors can be detected e the user applies the programming system correctly and therefore user operating errors can be detected Rockwell Automation Publication 1753 RM002D EN P July 2010 71 Chapter7 GuardPLC Controller Operating System For the initial start up of a safety PES or after a modification of the application program the safety of the entire system must be checked by a complete functional test These three steps must be carried out 1 Double compilation of the application program followed by comparison of the code versions Configuration CRC of the CPU 2 Check the correct encoding of the application based on the data and
16. Protective Extra Low Voltage Rockwell Automation Publication 1753 RM002D EN P July 2010 23 Chapter2 GuardPLC Central Functions Functional Desc ription of The central processing unit of the GuardPLC controllers consists of the the Central Processing Unit following function blocks Figure 1 Display of the Function Blocks Using GuardPLC 2000 Controller FB1 _ Ethernet FB2 Features of the central module are listed below Two cycle synchronous microprocessors uP1 and uP2 Each microprocessor has its own memory RAM 1 and RAM 2 Testable hardware comparators for all external access of both microprocessors The watchdog WD is set to the safety state in case of an error Flash EPROM Ss of the program memory for the operating system and application program suitable for a minimum of 100 000 programming cycles Data memory in SRAM Static RAM Multiplexer for the connection of I O bus Dual Port RAM DPR Buffering for SRAMs via batteries Interface for data exchange between the GuardPLC controllers and programming software PC based on Ethernet Additional interfaces for data exchange by field bus System condition indicated by status indicators I O bus logic for the connection with I O modules Safety watchdog WD Power supply module monitor testable 3 3V DC SV DC system voltage 24 Rockwell Automation Publication 1753 RM002D EN P July 2010 Self test Routines GuardPLC Central Functions Chapter 2
17. Pulses IEC EN61000 4 5 Surge 1 KV 0 5 KV IEC EN 61000 6 4 Noise Emission Tests EN50011 Class A Emission test Radiated conducted Rockwell Automation Publication 1753 RM002D EN P July 2010 109 Chapter A Specifications Power Supp ly Conditions The most important parameters and tests for power supply conditions are listed in the following table IEC EN 61131 2 Paragraph 6 3 7 6 3 7 1 1 Verification of DC Power Supply Characteristics Voltage range test 24V DC 20 25 19 2 30 0V 6 3 7 2 1 Momentary interruption immunity test DC PS2 10 ms 6 3 7 4 1 Reversal of DC power supply polarity test 6 3 7 5 1 Back up duration withstand test Test B 1000 h Lithium battery is used for back up The power supply must meet one of the following standards e IEC 61131 2 e Safety Extra Low Voltage EN60950 SELV e Protective Extra Low Voltage EN60742 PELV 110 Rockwell Automation Publication 1753 RM002D EN P July 2010 Appendix B Use in Central Fire Alarm Systems All GuardPLC systems with analog inputs can be used for control and indicating equipment in accordance with DIN EN 54 2 and NFPA 72 The user program must fulfill the functional requirements established for central fire alarm systems by the standards cited above IMPORTANT DeviceNet Safety I O modules are not appropriate for safety systems The required maximum cycle time of 10 seconds DIN EN 54 2
18. TIP Ownership also applies to outputs An output or output assembly can only have one owner which is the first originator to establish a valid connection to the output or output assembly You can return the module to the out of box condition by selecting the Reset Safety Device from the Device menu in RSNetWorx for DeviceNet software If there are multiple tools being used within the facility or on the network you must use passwords to prevent unintended configuration changes Configuration Signature The Configuration Signature uniquely identifies a particular module configuration It is comprised of a checksum ID and the date and time that the configuration was created The Configuration Signature is used in several operations e During download from a configuration tool the Configuration Signature provides you with a means to check that the device and the configuration tool agree on the information downloaded e During connection establishment the originator and the target devices use the Configuration Signature to ensure that both devices are using the expected configuration Rockwell Automation Publication 1753 RM002D EN P July 2010 69 Chapter6 DeviceNet Safety 1 0 for the GuardPLC Control System The Configuration signature is made up of ID number Date and Time zixl Parameters l V0 Data EDS File General Safety Safety Configuration Safety 1 0 This safety device is not safety locked After you have conf
19. The most important self test routines for the safety GuardPLC controller s central processing unit and the interface to the I O level are described in the following sections Microprocessor Test The following items are checked during the microprocessor test e All used commands and addressing modes Write condition of the flags and the commands controlled by flags e Write condition and the cross linking of the registers Test Memory Sectors The operating system the application program the constants and parameters and the variable data are stored in every central processing unit in both processor sectors and are tested by a hardware comparator Fixed Memory Sectors The operating system application program and parameter sector are each filed in one memory They are secured by write protection and a CRC test RAM Test The RAM sectors particularly stuck at and cross coupling are tested with a Write Read test Watchdog Test The watchdog is switched off if it is not triggered by the two CPUs within a defined time window The same applies if the test of the hardware comparators fails A separate test determines whether the watchdog signal is able to switch off Test of the 1 0 Bus Within the System The connection between the CPU and the related I O points or I O modules is checked Rockwell Automation Publication 1753 RM002D EN P July 2010 25 Chapter2 GuardPLC Central Functions GuardPLC Controllers and 1 0 Modu
20. for DeviceNet Safety Communication Configuring Communication Chapter 9 The system reaction time is the amount of time from a safety related event as input to the system until the system is in the Safety state Each of the times listed is variably dependent on factors such as the type of DeviceNet Safety I O modules and instructions used in the program Faults within the system can also have an effect upon the reaction time of the system Between PES and DeviceNet Safety 1 0 Modules The worst case reaction time between changing a value on the first DeviceNet Safety I O module and the reaction of the outputs of the second DeviceNet Safety I O module can be calculated as follows TR input path output path where Tp Worst case Reaction Time input path t4 tg tc output path tp tg tp WDZ Watchdog Time ta Reaction time of DeviceNet Safety input node tg Reaction time of DeviceNet Safety connection to input node tc 2x WDZprs tp Max Scanner Response Time tg Reaction time of DeviceNet Safety connection to output node tp Time of DeviceNet Safety output node An example of using an 1791DS IB8XOB8 ta 16 2 ms setting time of ON OFF delay time ta 16 2 ms 0 6 12 ms ta 16 2 ms 0 t4 16 2 ms tz CRTL 24 ms default 12 ms in normal operation The CRTL is based on 6 ms RPI timeout multiplier of 2 network delay multiplier of 200 You can find these values in RSNetWorx Adv
21. for central fire alarm systems can be achieved with GuardPLC systems whose cycle times can be measured in milliseconds Similarly the required 1 second safety time error response time can also be achieved if necessary According to EN 54 2 the fire alarm system has to be in the fault report state within 100 seconds after the HIMatrix system has received the fault report The fire alarms are connected using the open circuit principle with line control for the detection of short circuits and line breaks The digital and analog inputs of the GuardPLC 1800 and the analog inputs of the GuardPLC 2000 1755 IF8 module can be used See the application example below Figure 16 Wiring of Fire Alarms Example Sensor Supply REOL Reference Pole L M Fire alarm REOL Terminating resistor on the last sensor of the loop RL Limitation of the maximum permitted current in the loop Rshunt Measuring resistor Rockwell Automation Publication 1753 RM002D EN P July 2010 111 Chapter B Use in Central Fire Alarm Systems 112 For the application the resistance of REOL RL and Rshunt should be calculated based on the sensors used and the number of sensors per alarm loop The required data is contained in the relevant specifications from the sensor manufacturer The alarm outputs used for activating lamps sirens and horns are operated using the open circuit principle These outputs must be monitored
22. line control digital inputs 31 digital outputs 44 Maintenance Override document 19 manipulation protection against 82 mechanical conditions 108 MOT 20 multiple error occurrence time 20 0 operation mode of the operating system 77 output channels analog output module safety related 50 block diagram 51 general 50 reaction to error 51 test routines 50 digital outputs 43 block diagram 43 reaction in case of error 44 48 test routines 43 general safety information 42 overview 42 P parameterizing the automation module 80 peer to peer communication 98 PFD calculations 15 56 PFH calculations 15 56 power supply 23 power supply conditions 110 probability of failure on demand 15 probability of failure per hour 15 production rate 101 Proof Test Interval 56 pulsed outputs 44 reaction time DeviceNet safety communication 97 DeviceNet safety scanner 63 GuardPLC 21 safety 1 0 73 ReceiveTMO 98 101 relay outputs 48 ResendTMO 101 S Safety Functions DeviceNet Safety 1 0 68 Safety Output 73 safety 1 0 checklist 74 configuration signature 69 reaction time 73 safety lock with password protection 72 status indicators 73 safety input checklist 38 safety introduction 14 safety output checklist 52 safety policy general safety information 14 safety times 20 safety requirements communication 19 hardware configuration 17 maintenance override 19 programming 18 safety scanner certification 54 configurati
23. modules on DeviceNet Instructions publication 1791DS INO01 networks Guard I 0 DeviceNet Safety Modules User Manual publication 1791DS Information on configuration and programming on DeviceNet networks for UMO01 ArmorBlock and CompactBlock Guard Safety 1 0 Modules GuardPLC Certified Function Blocks Basic Suite Safety Reference Manual Information on programming with GuardPLC Certified Function Blocks publication 1753 RMO001 CompactBlock Guard 1 0 DeviceNet Safety Modules Installation Instructions Information on Installing 1791DS IB8XOBV4 modules publication 1791DS IN002 ArmorBlock Guard 1 0 DeviceNet Installation Instructions publication Installing ArmorBlock Guard 1 0 modules on DeviceNet networks 1732DS IN001 Industrial Automation Wiring and Grounding Guidelines publication 1770 4 1 In depth information on grounding and wiring Allen Bradley programmable controllers Application Considerations for Solid State Controls publication SGI 1 1 A description of important differences between solid state programmable controller products and hard wired electromechanical devices National Electrical Code Published by the National Fire Protection Association of Boston MA An article on wire sizes and types for grounding electrical equipment Allen Bradley Industrial Automation Glossary publication AG 7 1 A glossary of industrial automation terms and abbreviations If you would like a manual
24. pulsed outputs must begin at DO1 01 and must be directly sequential Figure 4 Digital Input Monitoring E configurable 5 2000 us a configurable 5 2000 us time TI T2 The FAULT indicator on the front plate of the controller module flashes the inputs are set to 0 and an error code is generated when these faults occur Short circuit between two parallel connections Reversal of two connections e Ground fault on one of the lines e Line break or opening of the contacts when one of the Emergency OFF switches is pressed 32 Rockwell Automation Publication 1753 RM002D EN P July 2010 GuardPLC Controller and GuardPLC 1 0 Module Input Channels Chapter 3 Analog Inputs The items listed in the following section apply to all of the analog input channels listed in the Overview on page 28 if no specific module is named General IMPORTANT The safety related accuracy is the guaranteed accuracy of the analog input without error reaction of the module This value should be taken into account when the safety functions are configured In the eight analog input channels available in each module the incoming signals are converted into an INTEGER value in 12 bit resolution This value can then be used in the application program The following input values are possible for the GuardPLC 1800 controller Number of Polarity Current Voltage Value Range In Accuracy Input Channels Application 8 sin
25. safety I/O subnets from office subnets in your environment. At this stage, the serial interfaces should only be used for non-safety-related purposes. Refer to Safety Concept of RSLogix Guard PLUS Software on page 77 for more information.
  • Equipment connected to communication devices should feature safe electrical isolation.
  • Your application should monitor the status bits associated with safety network connections. Since connections often recover automatically, make sure this occurrence does not result in an unsafe machine state. Your application should drive safety outputs to their safe state when the connection faults or goes idle. Safety outputs remain in the safe state until a manual reset occurs. This prevents unexpected output transitions from low to high when a connection recovers from a faulted or idle state.
  Maintenance Override: When using Maintenance Override, follow the requirements of the most recent version of the Maintenance Override document from the TÜV homepage, http://www.tuv-fs.com (TÜV Rheinland). If necessary, the operator must consult the acceptance department responsible for the application to determine the administrative requirements to provide access protection for the system.
  Safety Times: Individual errors that may lead to a dangerous operating condition are dete
26. types of documentation are:
  • Interface declaration
  • Variable list
  • Logic
  • Definition of data types
  • Configurations for system modules and system parameters
  • I/O variable cross-reference
  • Code generator information
  • Network configuration
  Documentation is a component of a functional acceptance of a site subject to approval by an approving board (for example, TÜV). The functional acceptance refers only to the application function, not to the safety modules and controllers that are type-tested. In the case of sites subject to acceptance, you should involve the approval authorities in the project as early as possible.
  In the HSP Signal Connection dialog boxes in RSLogix Guard PLUS software, signals that are transferred over safety connections are shown in white text on a red background. Signals transferred over a standard connection are shown in blue text on a gray background. The colorization applies only to the Connect Signals dialog boxes available from the HSP protocol context menu. We recommend that you use a naming convention to visually distinguish between standard and safety signals in the programming environment. For example, use a prefix of std_ for any signals that are standard and a prefix of safe_ for any signals that are safety-related.
  IMPORTANT: Any safety tags that appear in the Standard Connect Signals window must be treated as standard values in your application. Any standard tags that appear in the
27. Use in Central Fire Alarm Systems (Chapter B). GuardPLC systems that are used as central fire alarm systems must have a redundant power supply. Precautions must also be in place to guard against power supply failure. Transition between the main and backup power supply must be without interruption. Voltage dips of up to 10 ms are permitted. When there is a fault in the system, the system variables specified in the user program are written by the operating system, enabling error signalling for errors detected by the system. In the event of an error, zero signals are applied to the channels of faulty safety inputs, and all the channels of faulty safety outputs are switched off.
28. 1 0 Module Input Channels Ch apter Introduction This chapter gives information about GuardPLC controllers and GuardPLC I O module input channels Topic Page Overview 28 General Information on GuardPLC Safety Input Modules 29 Safety of Sensors Encoders and Transmitters 29 Digital Inputs 29 Analog Inputs 33 Counter Module 36 Checklist for Safety Inputs 38 Rockwell Automation Publication 1753 RM002D EN P July 2010 27 Chapter3 GuardPLC Controller and GuardPLC 1 0 Module Input Channels Overview 28 See the table below for an overview of GuardPLC controller input capabilities Controller Module Type Quantity Safety Electrically Related Isolated Digital Input 20 X GuardPLC 1200 Controller 24 bit Counter 2 X GuardPLC 1600 Controller Digital Input 20 X Digital Input 24 X GuardPLC 1800 Controller 24 bit Counter 2 X Analog Input 8 X GuardPLC 16 point DC Input Digital Input 16 X Module 1753 IB16 GuardPLC 20 8 DC 1 0 Module Digital Input 20 X 1753 IB20X0B8 GuardPLC 8 8 DC 1 0 Module 1753 Digital Input 8 X IB8XOB8 GuardPLC 16 8 DC 1 0 Module Digital Input 16 X 1753 IB16X0B8 GuardPLC 2000 DIO 1755 a IB24X0B16 Digital Input 24 X X GuardPLC 2000 CO 1755 HSC 24 bit Counter 2 X X GuardPLC 2000 Al 1755 IF8 Analog Input 8 GuardPLC Analog Input Output Analog Input 8 X _ Module 1753 IF8XOF4 Ro
29. 2 Rockwell Automation Publication 1753 RM002D EN P July 2010 GuardPLC Controller and GuardPLC 1 0 Output Channels Chapter 4 In addition the respective channel status signals can be evaluated in the application program Figure 8 Example Block Diagram of Digital Outputs Using AB DIO of the GuardPLC 2000 System I O Bus WD 16 channels Test The illustration above does not represent the specifications of the related module Digital Outp uts for Non relay output modules have these types of digital outputs Non relay Output Modules Test Routines The modules are automatically tested during operation These are the essential test functions Read back of the output signal of the output amplifiers The switching threshold for a read back 0 signal is 2V The diodes provided prevent feedback of signals e Check the integrated double safety switches e Low supply voltage protection If the supply voltage drops below 13V you cannot turn on any outputs e Digital outputs are turned off for a maximum of 200 us each 200 x 10E 6 s at a minimum interval of 20 seconds Rockwell Automation Publication 1753 RM002D EN P July 2010 43 Chapter 4 44 GuardPLC Controller and GuardPLC 1 0 Output Channels Reaction to Error The following conditions may occur as a result of errors Faults If an output fault is detected the affected output of the module is set to a safety de energized state via the safety switches
30. 8 F EUT Power supply unconnected and 0 C 55 C 32 F 131 F EUT 6 3 4 4 Cyclic damp heat resistance test 25 C 55 C 77 F 131 F 95 relative humidity EUT power supply unconnected Mechanical Conditions The most important parameters and tests for mechanical conditions are listed in the following table IEC EN 61131 2 Paragraph 6 3 5 Mechanical Tests Vibration test operating 5 9 Hz 3 5 mm 9 150 Hz 1g 6 3 5 1 Immunity vibration test 10 150 Hz 1g EUT operating 10 cycles per axis 6 3 5 2 Immunity shock test 15g 11 ms EUT operating 2 cycles per axis 108 Rockwell Automation Publication 1753 RM002D EN P July 2010 EMC Conditions Specifications Chapter A The most important parameters and tests for EMC conditions are listed in the following tables IEC EN 61131 2 Noise Immunity Tests Chapter 6 3 6 2 6 3 6 2 1 ESD test 4 KV contact 8 kV air discharge EC EN61000 4 2 6 3 6 2 2 RFI test 10 V m EC EN61000 4 3 26Mkz to 1GHz 80 AM 6 3 6 2 3 Burst tests 2 KV Power supply 1 KV Signal lines EC EN61000 4 4 6 3 6 2 4 Damped oscillatory wave immunity test 1 KV EC EN61000 4 12 1 See List of Abbreviations on page 10 2 See List of Abbreviations on page 10 IEC EN 61000 6 2 Noise Immunity Tests IEC EN61000 4 6 Radio frequency common mode 10V 150 KHz 80 MHz AM IEC EN61000 4 3 900 MHz
31. Conditions 110 The GuardPLC controllers were developed to meet the following standards for the EMC climate and environment regulations Standard IEC EN61131 2 Description Programmable Controllers Part 2 Equipment requirements and tests IEC EN61000 6 2 EMC Part 6 2 Generic Standards Immunity for Industrial Environments IEC EN61000 6 4 EMC Generic Emission Standard Industrial Environments When using GuardPLC controllers and I O modules in safety applications the following criteria must be met e Protection Class II according to IEC EN61131 2 Pollution Degree II e Altitude lt 2000 m e IP20 Enclosure for Standard Applications An alternate enclosure may be required depending upon the standards relevant to your application Rockwell Automation Publication 1753 RM002D EN P July 2010 107 ChapterA Specifications Climatic Conditions following table IEC EN 61131 2 Paragraph 6 3 4 The most important parameters and tests for climatic conditions are listed in the Climatic Tests Temperature operating 0 60 C 32 140 F Test limits 10 70 C 14 158 F Storage Temperature 40 85 C 40 185 F Battery only 30 C 22 F 6 3 4 2 Dry heat and cold resistance test 70 C 25 C 158 F 13 F 96h EUT Power supply unconnected 6 3 4 3 Change of temperature resistance and immunity test 25 C 70 C 13 F 15
32. Controller Operating System Chapter 7 Checkl ist for the Creation of Use the following checklist to maintain safety technical aspects when an App lication Program programming and before and after loading the new or modified program Checklist for Creation of an Application Program Safety Manual GuardPLC Systems Company Site Project definition File definition Archive number Notes Checks Yes No Comment Creation Before a Modifica tion Are the configuration of the PES and the application program created with safety in mind Are programming guidelines used for the creation of the application program Are functionally independent sections of the program encapsulated in functions and function modules Were only safety signals used for all safety functions Are HSP and DeviceNet Connection Status Bits monitored Does each safety signal source correction also via communication reach the user program Is each safety output signal correctly configured and is the output signal connected to a physical output channel After a Modification Before Loading Has a review of the application program with regard to the binding system specification been carried out by a person not involved in the program creation Has the result of the review been documented and released date signature Hav
33. Module Input Channels Rockwell Automation Publication 1753 RM002D EN P July 2010 Chapter 4 GuardPLC Controller and GuardPLC 1 0 Output Channels Chapter Introduction This chapter gives information about GuardPLC 1200 and GuardPLC 2000 output modules Topic Page S Overview of GuardPLC Output Modules 42 General Safety Information on GuardPLC Safety Outputs 42 Digital Outputs for Non relay Output Modules 43 Safety related Two pole Digital Outputs 45 Relay Outputs in the 1753 OW8 Module 48 Analog Outputs in the 1753 IF8XOF4 49 Analog Outputs in the 1755 OF8 Module 50 Checklist for Safety Outputs 52 Rockwell Automation Publication 1753 RM002D EN P July 2010 41 Chapter4 GuardPLC Controller and GuardPLC 1 0 Output Channels Overview of GuardPLC Output Modules General Safety Information on GuardPLC Safety Outputs See the table below for an overview of GuardPLC output capabilities Controller Module Type Quantity Safety Electrically related Isolated GuardPLC 1200 Digital Output 8 X GuardPLC 1600 Controller Digital Output 8 X GuardPLC 1800 Controller Digital Output 8 X GuardPLC 16 point DC Output Digital Output 16 X Module 1753 0B16 GuardPLC 20 8 DC 1 0 Module Digital Output 8 X 1753 IB20X0B8 GuardPLC 8 8 DC 1 0 Module Digital Output 8 1 pole X 1753 IB8X0B8 2 2 pole
34. GuardPLC DeviceNet Safety Scanner (Chapter 5). Safety Lock with Password Protection: The configuration of the safety scanner can be protected by the use of an optional password. Download, Safety reset, Safety lock, and Safety unlock are password protected. When applying functional safety, restrict access to qualified, authorized personnel who are trained and experienced. The safety lock function with passwords is provided by the Safety Device Verification Wizard in RSNetWorx for DeviceNet software. You are responsible for controlling access to the safety system, including password use and handling. After configuration data has been downloaded and verified, the configuration data within the module can be protected using RSNetWorx for DeviceNet software. Run the Safety Verification Wizard to lock the scanner. [Screenshot: Safety Device Verification Wizard welcome page] If you forget a password, you can reset passwords using the Vendor Password. Contact Rockwell Automati
35. Safety Connections Property tab to 2 x 50; tC = 100 ms; tD = 8 ms; tE = 24 ms (fault), 12 ms (normal); tF = 6.2 ms (relay response time); tF = 6.2 ms + 0; tF = 6.2 ms.
  Worst-case Reaction Times
  System Reaction Time with no faults: TR = 16.2 + 12 + 100 + 8 + 12 + 6.2; TR = 154.4 ms
  System Reaction Time with a single fault: TR = 16.2 + 24 + 100 + 8 + 12 + 6.2; TR = 166.4 ms
  System Reaction Time with all faults: TR = 16.2 + 24 + 100 + 8 + 24 + 6.2; TR = 178.4 ms
  [Figure: reaction time segments across 1791DS input, 1753-DNSI, GuardPLC, 1753-DNSI, and 1791DS]
  The basic equation is A + B + C + D + E + F = System Reaction Time (TR). The 2 x WDT term is valid as long as the scanner's Scanner Receive Timeout is set to the same value as the controller's Watchdog Timeout.
  System Reaction Time with No Faults = Input + 2 x Expected Packet Interval + 2 x Watchdog Timeout + Max Scanner Reaction Time + 2 x Expected Packet Interval + Output
36. Safety Reference Manual AB Allen Bradley GuardPLC Controller Systems Catalog Numbers 1753 1754 and 1755 Allen Bradley Rockwell Software Automation Important User Information Solid state equipment has operational characteristics differing from those of electromechanical equipment Safety Guidelines for the Application Installation and Maintenance of Solid State Controls publication SGI 1 1 available from your local Rockwell Automation sales office or online at http www rockwellautomation com literature describes some important differences between solid state equipment and hard wired electromechanical devices Because of this difference and also because of the wide variety of uses for solid state equipment all persons responsible for applying this equipment must satisfy themselves that each intended application of this equipment is acceptable In no event will Rockwell Automation Inc be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment The examples and diagrams in this manual are included solely for illustrative purposes Because of the many variables and requirements associated with any particular installation Rockwell Automation Inc cannot assume responsibility or liability for actual use based on the examples and diagrams No patent liability is assumed by Rockwell Automation Inc with respect to use of information circuits equipment or software d
37. US Hardware Management software manually stops forcing The controller remains in the RUN state because the timeout was not reached and the Stop on Force Timeout switch was not set The force value is saved in the CPU If the CPU moves from RUN to STOP the Forcing activated switch is deactivated to prevent the controller from being started with active forcing Online Test The Online Test function allows the online test OLT fields to be used within the application logic for displaying and for forcing signals and variables during operation of the controller If Then The Online Test allowed switch is set in the The values of signals or variables can be controller properties displayed and forces in the OLT fields The forced value is only valid until a function in the logic overwrites the value The Online Test allowed switch is not set inthe The values of signals or variables may be controller properties displayed in the OLT fields but they cannot be changed The default for Online Test allowed switch is set Consult the online help for RSLogix Guard PLUS software for more information about the OLT fields Rockwell Automation Publication 1753 RM002D EN P July 2010 Technical Safety for the Application Program Chapter 8 Prog ram Documentation for You can print out the documentation of a project using RSLogix Guard PLUS Safety Applications Considerations for DeviceNet Safety Data software The most important
38. When used as a quick up down counter the signals of the impulse input and the counter direction are necessary in the application A reset can be accomplished only via the user program The 1755 HSC module features 4 or 8 bit encoder resolution In the GuardPLC 1200 and 1800 controller the encoder has a resolution of 3 or 6 bit Reset is possible Linking two independent 4 bit inputs to one 8 bit input for example in the 1755 HSC is effected exclusively by the program Switching is not available in this instance Rockwell Automation Publication 1753 RM002D EN P July 2010 GuardPLC Controller and GuardPLC 1 0 Module Input Channels Chapter 3 The encoder function monitors the change of the bit pattern at the input channels The bit patterns pending at the channels are directly transferred to the application program The programming software displays a decimal figure corresponding to the bit pattern Depending on the application this figure can be converted into BCD code Test Routines When the counter is operated as an encoder in the Gray code only one input bit may be modified at a time If there are faulty codes the operating system sets a corresponding channel status signal Reaction In Fault Condition If an error is detected in the counter section of the module the error message must be evaluated in the application program The respective channel status signal must be considered You can configure an error reac
39. and monitoring of the signals must be programmed in the application program. Refer to IEC 61511-1, Clause 11.4 and Table 5, for information on achieving the necessary SIL. The items listed in the following section apply to all of the digital input channels listed in the Overview on page 28, if no specific module is named.
  General: The digital inputs are read once in every cycle and values are stored internally. The inputs are tested cyclically for safety function. Input signals whose pulse width is shorter than two times the scan time are not processed.
  Test Routines: The online test routines perform a walking input test to check whether the input channels are able, independent of the pending input signals, to make a through connection of both signal levels (L and H signal). This functional test is executed with every input signal reading. The 0 signal (safety state) is processed in the application program for every error in the input module. Because the PES has been designed to the closed-circuit current principle, a 0 signal is processed for the digital inputs in case of error. See page 14 for an explanation of the closed-circuit current system principle.
  Reaction To Error: If the test routines detect an error in digital inputs, a 0 signal is processed in the application program for
40. andard Protocols; Peer-to-peer Safety Communication via GuardPLC Ethernet; High-speed Safety Protocol; Reaction Times for DeviceNet Safety Communication. Appendix A: Chapter Introduction; Climatic Conditions; Mechanical Conditions; EMC Conditions; Power Supply Conditions. Appendix B.
  Preface: Read this preface to familiarize yourself with the rest of the manual. It provides information concerning:
  • the purpose of this manual
  • list of abbreviations
  • additional resources
  Purpose of This Manual: This manual explains how the GuardPLC Control System, including the GuardPLC controllers and distributed I/O, DeviceNet safety scanner, and DeviceNet safety I/O, can be used in safety applications up to and including SIL 3 according to IEC 61508 and applications up to and including Performance Level e Category
41. System Reaction Time with a Single Fault = Input + Max CRTL + 2 x Watchdog Timeout + Max Scanner Reaction Time + 2 x Expected Packet Interval + Output
  System Reaction Time with Multiple Faults = Input + CRTL1 + 2 x Watchdog Timeout + Max Scanner Reaction Time + CRTL2 + Output
  Peer-to-peer Reaction Time
  [Figure: peer-to-peer reaction time segments: 2 x WDT (normal and fault); Max Scanner; EPI (normal) or CRTL (fault); 2 x WDT (normal and fault)]
  The basic equation is A + B + C + D = System Reaction Time (TR). The 2 x WDT term is valid as long as the scanner's Scanner Receive Timeout is set to the same value as the controller's Watchdog Timeout.
  System Reaction Time with No Faults = 2 x Watchdog Timeout + Max Scanner Reaction Time + 2 x Expected Packet Interval + 2 x Watchdog Timeout: TR = 2 x 30 + 10 + 20 + 2 x 30; TR = 150 ms
  System Reaction Time with a Single Fault = 2 x Watchdog Timeout + Max Scanner Reaction Time + Max CRTL + 2 x Watchdog Timeout: TR = 2 x 30 + 10 + 40 + 2 x 30; TR = 170 ms
  Appendix A, Specifications. Chapter Introduction: This chapter gives information about climate, mechanical, and EMC environmental regulations. Topics: Climatic Conditions; Mechanical Conditions; EMC Conditions; Power Supply
42. are fully and clearly satisfied during system configuration or start up an individual checklist for controlling the requirements can be filled in for every single safety output channel in a system This checklist can also be used as documentation on the correlation of external wiring to the application program Check List for Configuration Programming and Start up of Safety Manual GuardPLC Systems Site Loop definition Safety output channels in the GuardPLC 1200 GuardPLC 1800 GuardPLC 1600 GuardPLC 2000 No Requirements Fulfilled Comment Yes No 1 Is this output channel a safety output 2 Is the error message processed in the application program 3 Has the signal AO 0x Used been configured properly for used and unused analog outputs 4 Is this a digital output If no go to 10 5 Is the channel load corresponding to the maximum permissible value 6 ls load of system module corresponding to the maximum permissible value 7 Are RC circuits provided on the control elements 8 Has the actuator been connected according to specifications 9 Is this output used exclusively for line control pulse testing 10 Is this an analog output 11 Voltage outputs DIP switch positions checked 12
43. asis for the check of correct transformation into the program The presentation of the specification depends on the application task to be carried out This can be combinatory logic sequential controls step controls digital or analog sensors actuators Combinatory Logic Cause effect diagram Logic of the link with functions and function modules Function blocks with specified characteristics 86 Rockwell Automation Publication 1753 RM002D EN P July 2010 Variable Declaration and I 0 Naming Technical Safety for the Application Program Chapter 8 Sequential Controls Step Controls e Verbal descriptions of the steps with step conditions and actuators to be controlled Flow charts e Matrix or table form of stepped conditions and the actuators to be controlled e Definition of marginal conditions for example operating modes and EMERGENCY STOP The I O concept of the system must contain the analysis of field circuits that is the type of sensors and actuators Sensors Digital or Analog e Signal in normal operation closed circuit principle for digital sensors life zero for analog sensors e Signals for error e Determination of redundancies required for technical safety reasons 1oo2 2003 See the Safety of Sensors Encoders and Transmitters section page 29 e Discrepancy monitoring and reaction Actuators e Position and activation in normal operation e Safety reaction positioning when switchi
44. DeviceNet Safety I/O for the GuardPLC Control System (Chapter 6). Typical Safety Functions of DeviceNet Safety I/O Modules: This section describes the module's safety functions.
  Safe State: The following is treated as the safety state by safety I/O modules:
  • Safety outputs: OFF
  • Output data to network: OFF
  [Figure 14: Safety State Representation. DeviceNet, Output to Network OFF; Input, Status; Output OFF]
  The DeviceNet safety I/O modules should be used for applications that are in the safety state when the safety output turns OFF and the output data to the network turns OFF.
  Diagnostics: DeviceNet safety I/O modules perform self-diagnostics when the power is turned ON and periodically during operation. If a diagnostic failure is detected, the safety outputs and output data to the network are turned OFF.
  Commission Safety Devices: You must commission all safety devices with the MAC ID, SNN, and communication rate, if necessary, before their installation on the safety network.
  Ownership: A module can only be configured by one originator or by a tool, which automatically becomes the configuration owner for that module. No other device can send configuration data to the module unless the module is first returned to the out-of-box condition
45. ation test interval of up to 10 years. Other components of the system, such as Safety I/O modules, sensors, and actuators, may have shorter functional verification test intervals. The controller should be included in the functional verification testing of the other components in the safety system.
  IMPORTANT: Your specific applications determine the timeframe for the functional verification test interval. However, this is mainly related to Safety I/O modules and field instrumentation.
  Project Verification Test: Project verification includes required functional verification tests of fault routines, input and output channels, to ensure that the safety system operates properly. To perform a functional verification test on the GuardPLC controller, you must perform a full test of the application. You must toggle each sensor and actuator involved in every safety function. From a controller perspective, this means toggling the I/O point going into the controller, not necessarily the actual activators. Be sure to test all shutdown functions, since these functions are not typically exercised during normal operation. Also, be aware that a functional verification test is only valid for the specific application tested. If the controller is moved to another application, you must also perform startup and functional verif
46. ations
  2. Compile the application program to generate the Configuration CRC of the CPU.
  3. Note the version of the Configuration CRC of the CPU by verifying the set of CRCs.
     a. Select a controller in the RSLogix Guard PLUS software Hardware Management Window.
     b. Use the About Configuration context menu to display versions. The important versions to verify include:
        • rootcpu.config: Configuration CRC of the CPU. This indicates the overall configuration portion of the CPU that is safety-related.
        • rootcom.config: indicates the overall configuration portion of the COM that is not safety-related.
        • root.config: indicates the entire configuration, including the remote I/O modules (CPU and COM).
  4. Back up the project and make note of the user program name, Configuration CRC of the CPU, and date it. This does not replace the user's documentation requirements.
  5. Create a backup of every controller.
  Program Identification: The application program is clearly identified by the top-level root.config (Controller Overview). The related backup can thus be clearly determined. The identification of a backup should contain the configuration CRC of the controller. To make sure that the backup is unmodified, first compile the backup and then compare this newly generated code version with the code version of the program loaded in the controller. The comparison can be displayed by using RSLogix Guard PLUS software.
47. Configuring Communication (Chapter 9).
  Standard Protocols: Apart from the local input/output signals, signal values and statuses can also be exchanged via a data link with another system (for example, Modbus, OPC, and Profibus). To achieve this, the variables are declared in the Protocols area using RSLogix Guard PLUS software. This data exchange can be read/write. Signals mapped to data points connected via standard protocols may only be used in standard application functions, not safety functions. They may also be used in the application program.
  ATTENTION: Any data imported from standard sources may not be used for the safety functions of the application program.
  Peer-to-peer Safety Communication via GuardPLC Ethernet: GuardPLC controllers communicate safely with one another and with the programming software via GuardPLC Ethernet network.
  ATTENTION: You must make sure that the network utilized for Peer-to-peer communication is sufficiently protected against manipulation (protection against hackers, for example). The methods and extent of protective measures must be coordinated with the approving board.
  Monitoring of safety communication must be configured in the Peer-to-peer Editor by specifying the Receive Timeout (Receive TMO). If safety signals cannot be imported (received) within the Receive TMO, they are reset to their user-configurable initial values in the PES. The value of
48. ckwell Automation Publication 1753 RM002D EN P July 2010 General Information on GuardPLC Safety Input Modules Safety of Sensors Encoders and Transmitters Digital Inputs GuardPLC Controller and GuardPLC 1 0 Module Input Channels Chapter 3 The GuardPLC safety input modules can be used both for safety and standard inputs The GuardPLC safety input modules have a diagnostic status indicator quick error detection and error localization In addition status messages can be evaluated in the application program I O errors stored in the diagnostic buffer can be read via RSLogix Guard PLUS software Safety input modules are automatically submitted to a high grade cyclical self test in the GuardPLC controller during operation These test routines are TUV approved and help the high integrity operation of the respective module When an error is detected a 0 signal is sent to the application and a detailed error message can be generated If there are minor failures in the module that do not affect the safety function user diagnostic information is not generated In a Safety application the sensors and the PES must meet the same target SIL In this case the safety sensors encoders or transmitters can be directly connected to the inputs of the PES If no sensors encoders or transmitters with the required SIL are available sensors encoders or transmitters can still be connected However the connection
49. cted by the self-tests and trigger defined error reactions that transfer the faulty modules into the Safety state within the safety time of the PES. The following sections describe self-test safety times. Fault Tolerance Time (FTT): See DIN VDE 0801 Appendix A1 2 5 3. The fault tolerance time is an attribute of the process and describes the time span in which faulty signals can be tolerated in the process without a dangerous condition occurring. If the fault condition lasts longer than the FTT, the faulty signals can create a dangerous condition. Safety Time of the PES: The safety time is the time within which the PES, while in RUN mode, must react after an internal error has occurred. Seen from the process side, the safety time is the maximum amount of time in which the safety system must react (reaction time) to a change in the input signals or module or component failure. Multiple Error Occurrence Time (MOT): The occurrence time for multiple faults is the period of time in which the probability for the occurrence of multiple faults, which in combination are critical to safety, is sufficiently low. The multiple fault occurrence time is defined at 24 hours in the operating system. Chapter 1, Safety Concept for GuardPLC Controllers and GuardPLC I/O. Functional Verification Tests. GuardPLC Reaction Time: The maximum reaction time of working GuardPLC systems is twice t
50. d from sample construction surveys. You must create the application program by using the RSLogix Guard PLUS programming tool for personal computers using the Windows XP, Windows NT, or Windows 2000 operating system. RSLogix Guard PLUS software contains these features: input (function block editor), monitoring, and documentation; variables with symbolic names and variable types BOOL and UINT; assignment of the controllers (GuardPLC 1200, 1600, 1800, or 2000 controllers); code generator (translation of the application program into machine code); hardware configuration; communication configuration. Chapter 8, Technical Safety for the Application Program. General Procedure: The general procedure for programming the GuardPLC control systems for technical safety applications is listed below: specify the control function; write the application program; compile the application program with the C code generator; translate the C code twice and compare the results; generate an error-free executable program; verify and validate. The program can then be tested by the user and the PES can initiate safety operation. Basis of Programming: The application program should be easy to understand, easy to trace, easy to change, easy to test. The control task should be available as a specification or a performance specification. This documentation forms the b
51. dex; Checklist for DeviceNet Safety I/O Modules. Chapter 7: Chapter Introduction; Software for GuardPLC Controllers and I/O Modules; Technical Safety for the Operating System; Operating Mode and Functions of the Operating System; Technical Safety for Programming; Parameters of the Automation System; Forcing; Protection Against Manipulation; Checklist for the Creation of an Application Program. Chapter 8: Introduction; General Procedure; Basis of Programming; Variable Declaration and I/O Naming; Functions of the Application Program; Program Documentation for Safety Applications; Considerations for DeviceNet Safety Data. Table of Contents: Configuring Communication; Specifications; Use in Central Fire Alarm Systems; Index. Chapter 9: Introduction; St
52. e peer-to-peer connection to be lost. If the requirement is not met, the availability of a peer-to-peer connection is available in a network that is free of collisions and faults. However, the CPU safety is not affected. TIP: The maximum permitted value for Receive TMO depends on the application process and is set in the peer-to-peer editor, together with the maximum expected response time and the profile. Calculating Worst-case Reaction Time: Reaction times are calculated the following ways: between PES and GuardPLC distributed I/O modules; between PES1 and PES2. Between PES and GuardPLC Distributed I/O Modules: The worst-case reaction time between changing a transmitter of the first distributed I/O module and the reaction of the outputs of the second distributed I/O module can be calculated as follows: TR = input path + output path, where TR = Worst-case Reaction Time; input path = t1 + t2 + t3 + t4; output path = t5 + t6 + t7; WDZ = Watchdog Time; Receive TMO = Receive TMO from I/O 1 to PES; Receive TMO = Receive TMO from PES to I/O 2; t1 = 2 x WDZ I/O 1; t2 = 0 ms if Production Rate = 0 (normal condition), otherwise Receive TMO + WDZ I/O 1; t3 = Receive TMO I/O 1; t4 = 2 x WDZ PES; t5 = Receive TMO; t6 = 0 ms if Production Rate = 0 (normal condition), otherwise Receive TMO + WDZ PES; t7 = 2 x WDZ I/O 2.
53. e RSLogix Guard PLUS software Control Panel equal to 1? 17. Is the maximum Communication Time Slice value on the Resource Configuration dialog in RSLogix Guard PLUS Hardware Management greater than or equal to the maximum Communication Time Slice value reported on the Statistics tab of the RSLogix Guard PLUS Control Panel? 18. Is the Watchdog Time (WDZ) value on the Resource Configuration dialog greater than or equal to the maximum Cycle Time value reported on the Statistics tab of the RSLogix Guard PLUS control panel? 19. Is the Safety Time value on the Resource Configuration dialog greater than twice the Watchdog Time value? Chapter 5, GuardPLC DeviceNet Safety Scanner. Checklist for Configuration, Programming, and Startup of DeviceNet Safety Scanner. 20. Is the Scanner Receive Timeout setting on the GuardPLC tab in RSNetWorx for DeviceNet equal to the WDZ time of the controller? 21. Is the HSP connection establishment setting (auto/manual) properly configured and managed, if applicable, for the application? After adjusting all reaction time parameters based on statistics gathered during verification: 22. For each input/output chain, does the sum of the reaction times of all network links and modules traversed yield a
54. e all force markers been removed before safety mode? Was a backup of the complete program created before loading a program in the PES? Has the user program been compiled twice with a subsequent comparison of both CPU configuration CRCs? After a Modification; After Loading: Were a sufficient number of tests carried out for the safety-relevant logical linking (including I/O) and for all mathematical calculations? Was all force information reset before safety operation? Do the settings of enable switches correspond to the settings for maximum specified protection? Verify that the CPU and scanner operating systems and the CRC are official licensed versions approved by TUV. Chapter 7, GuardPLC Controller Operating System. Chapter 8, Technical Safety for the Application Program. Introduction: This chapter gives information about technical safety for the application program. Topics: General Procedure; Basis of Programming; Variable Declaration and I/O Naming; Functions of the Application Program; Program Documentation for Safety Applications; Considerations for DeviceNet Safety Data. The following sections contain defaults, rules, and requirements develope
55. e automatic, time-based SNN is generally adequate for most applications. If you assign SNNs manually, take care to ensure that system expansion does not result in duplication of SNN and node address combinations. ATTENTION: If a safety project is copied to another project intended for a different hardware installation, and that installation may reside within the same routable safety system, the SNN must be changed to ensure that the SNN is not repeated. User Verification Procedure: Since RSNetWorx for DeviceNet software is not an SIL 3 certified application, the configuration values resulting from user operations and software computation are not considered to be of high integrity until the download, read-back, and user testing is complete. Complete these steps to guarantee safety. 1. Assign SNN and configure devices using RSNetWorx for DeviceNet software. 2. Read back and print out the configuration from the device. Compare the printed configuration to the configuration from RSNetWorx for DeviceNet software. Compare printed values read back to application requirements. Test the application. Lock the device if errors do not occur. Correct the configuration if errors occur. Repeat these steps until all DeviceNet safety nodes are verified and locked.
56. e following essential functions: comprehensive self-tests; data transfer over DeviceNet Safety Network; diagnostics. Certification: Certificate No. 968 EZ 200 00 05, TUV Rheinland Group, TUV Industrie Service GmbH, Automation Software and Informationstechnologie. The DeviceNet Safety Scanner is type-approved and certified for use in applications up to and including SIL 3 according to IEC 61508 and applications up to and including Cat. 4 according to ISO 13849-1. Safety Requirements for DeviceNet Safety Scanner: For configuring DeviceNet Safety Scanner, use RSNetWorx for DeviceNet software, version 6.00 or later. The High-speed Safety Protocol (HSP) allows the exchange of safety and standard data between the DeviceNet safety scanner and GuardPLC 1600 and 1800 controllers. The DeviceNet safety scanner and GuardPLC controller interchange safety input and output data and standard input and output data tables. Safety application data tables are protected from standard data. Safety and Standard Data: In order to understand how to use data signals from the safety scanner in your GuardPLC application logic, you must know: whether the signal data is regarded as safety or standard data by the end device; whether the signal data was transferred over a safety connection or a standard connection. The following table d
57. e internally stored output signals of the intelligent module 1755 OF8 AB AO. If a discrepancy is detected, the faulty output channel is switched off via the two safety switches and the module failure is reported via the FAULT indicator. The error code signal enables the user to provide additional fault handling in the application program. For the worst-case reaction time of the analog outputs, add double the watchdog time (WDZ CPU x 2) of the controller to double the watchdog time of the output module (WDZ AO µC x 2). See the specifications for the worst-case reaction time. Figure 11: Example Block Diagram of Analog Outputs Using 1755 OF8. This illustration does not represent the specifications of the related module. TIP: The value of an analog output depends on the scaling factor selected in RSLogix Guard PLUS. Chapter 4, GuardPLC Controller and GuardPLC I/O Output Channels. Checklist for Safety Outputs: Use the following checklist for system configuration, programming, and start-up of safety outputs. It may be used as a planning draft as well as a proof. If used as a planning draft, the checklist can be saved as a record of the plan. To make sure that the requirements
58. e reaction time of each DeviceNet safety connection suitable for the application? Are application signals correctly applied to device signals within RSLogix Guard PLUS Hardware Management software? Is your site-selected naming convention applied to application signals mapped to standard device signals correctly and consistently? Refer to page 55 for more information. Did the scanner accept the configuration signature download by RSNetWorx for DeviceNet software? Did the GuardPLC controller accept the compiled application with matching HSP signature? Does your application logic monitor the HSP and DeviceNet connection status bits? Checklist for Configuration, Programming, and Startup of DeviceNet Safety Scanner. After compiling and downloading the configuration into the GuardPLC controller and scanner: 11. Have all of the application-to-device signal mappings been verified functionally? 12. Did the RSLogix Guard PLUS software compilation process calculation of the HSP signature match the value provided by RSNetWorx for DeviceNet software in the ssf file? 13. Has the system been run long enough under typical use for the statistics reported in RSLogix Guard PLUS and RSNetWor
59. Table of Contents. GuardPLC DeviceNet Safety Scanner (Chapter 5): Chapter Introduction; Overview; Certification; Safety Requirements for DeviceNet Safety Scanner; User Verification Procedure; Safety Lock with Password Protection; Error Reaction; Status Indicators; Reaction Time; Connection Status; DeviceNet Scanner Configuration Checklist. DeviceNet Safety I/O for the GuardPLC Control System (Chapter 6): Chapter Introduction; Overview; Typical Safety Functions of DeviceNet Safety I/O Modules; Safety Considerations for I/O Module Replacement; Safety Lock with Password Protection; Status Indicators; Reaction Time. GuardPLC Controller Operating System; Technical Safety for the Application Program.
60. efines permitted uses of safety and standard signals based on connection and signal type. Table columns: End device Signal Definition; Connection Type; Permitted Use in Application. Table values: Safety Safety Safety Standard Standard Standard Safety Standard Standard Standard. IMPORTANT: Only safety signal data transmitted over safety connections may be used as safety data in safety application logic. Commission Safety Devices. In the HSP signal connection dialogs in RSLogix Guard PLUS software, signals that are transferred over safety connections are shown in white text on a red background. Signals transferred over a standard connection are shown in blue text on a gray background. The colorization applies only to the Connect Signals dialogs available from the HSP protocol context menu. It is recommended that you use a naming convention to visually distinguish between standard and safety signals in the programming environment. For example, use a prefix of std_ for any signals that are standard and a prefix of safe_ for any signals that are safety related. IMPORTANT: Any safety tags that appear in the Standard Connect Signals window must be treated as standard values in your application. Any standard tags that appear in the Safety Connect Signals window must be treated as standard. For a signal to be regarded as a safety value in your a
61. er Introduction; Power Supply Module; Functional Description of the Central Processing Unit; Self-test Routines; GuardPLC Controllers and I/O Modules Error Diagnostics. Chapter 3: Chapter Introduction; Overview; General Information on GuardPLC Safety Input Modules; Safety of Sensors, Encoders, and Transmitters; Digital Inputs; Analog Inputs; Counter Module; Checklist for Safety Inputs. Chapter 4: Chapter Introduction; Overview of GuardPLC Output Modules; General Safety Information on GuardPLC Safety Outputs; Digital Outputs for Non-relay Output Modules; Safety-related Two-pole Digital Outputs; Relay Outputs in the 1753 OW8 Module; Analog Outputs in the 1753 IF8XOF4; Analog Outputs in the 1755 OF8 Module; Checklist for Safety Outputs
62. escribed in this manual. Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited. Throughout this manual, when necessary, we use notes to make you aware of safety considerations. WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss. ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence. SHOCK HAZARD: Labels may be on or inside the equipment (for example, a drive or motor) to alert people that dangerous voltage may be present. BURN HAZARD: Labels may be on or inside the equipment (for example, a drive or motor) to alert people that surfaces may reach dangerous temperatures. IMPORTANT: Identifies information that is critical for successful application and understanding of the product. Allen-Bradley, Rockwell Software, Rockwell Automation, TechConnect, GuardPLC, CompactBlock Guard I/O, ArmorBlock Guard I/O, RSNetWorx for DeviceNet, RSLogix Guard PLUS, and RSLinx are trademarks of Rockwell Automation, Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies. Summary of Changes
63. ety functions are configured. The following input values are possible for the 1753 IF8XOF4 module: Number of Accuracy Input Channels 8 Uni polar 0 10V DC 0 2000 2 8 Uni polar 0 4 20 mA 0 1000 1 2 0 20002 1 By external 250 Ω shunt 2 By external 250 Ω shunt. All of the channels default to voltage mode. On a channel-by-channel basis, a shunt resistor can be added in parallel with the analog device if current mode is requested. In current mode, the 10 KΩ resistor specified below is not required. The 1755 IF8 AI module does not perform line monitoring. Therefore, in the event of a wire break, an input signal continues to process. In the event of an error (line break), the input voltage floats and the resulting value is not reliable. The inputs must be terminated with a 10 KΩ resistor parallel to the sensor. The internal resistance of the source must be taken into account. Figure 5: Example Line Break. IMPORTANT: Unused analog input channels must be short-circuited. TIP: For unused analog input channels, the corresponding signal AI 0x Used must be set to the default value 0 (FALSE). Test Routines: The analog values are processed in parallel via two multiplexers and two analog-digital converters with 12-bit resolution. The results are c
64. for line breaks and short circuits. This can be accomplished by feeding back the output signals directly from the actuator to the inputs. The current in the actuator should be monitored via an analog input with an appropriate shunt. A series connection of a zener diode protects the input against over-voltage in case of a short circuit. For explicit line break monitoring at de-energized outputs (DO), a transmitter supply to the analog inputs is necessary, as shown below. For more information on line monitoring, refer to the GuardPLC Controller Systems User Manual, publication number 1753 UM001. Figure 17: Example for line break and short circuit monitoring of digital outputs. Visual display systems, indicator light panels, status indicator displays, alphanumeric displays, and audible alarms can all be controlled by the user program. The routing of fault signals via input and output modules or to routing equipment must be accomplished by using the closed-circuit current principle. Fire alarms can be transmitted from one GuardPLC system to another by using the standard Ethernet communication available. Any breakdown in communication must be signalled.
65. gle ended 0 10V DC 0 1000 2 0 2000 8 single ended 0 4 20 mA 0 5003 2 0 1000 1N4 0 1000216 0 2000 4. Table footnotes: (1) With scale factor 1000 selected in RSLogix Guard PLUS software. (2) With scale factor 2000 selected in RSLogix Guard PLUS software. (3) By external 250 Ω shunt. (4) By external 500 Ω shunt. (5) Accuracy is the guaranteed accuracy of the analog input without error reaction of the module. This value must be considered when safety functions are configured. The 1755 IF8 AI module can be configured as either eight single-ended channels or four differential channels. No mixing is allowed. The following input values are possible. Table columns: Number of Input Channels; Polarity; Current/Voltage; Value Range In Application; Accuracy. Table values: 8 single ended 10 10V DC 0 1000 1 0 20002 8 single ended 0 4 20 mA 0 500 8 1 0 1000014 0 10001218 0 2000 2 4 4 differential 10 10V DC 1000 1000 1 2000 2000 2. Table footnotes: (1) With scale factor 1000 selected in RSLogix Guard PLUS software. (2) With scale factor 2000 selected in RSLogix Guard PLUS software. (3) By external 250 Ω shunt. (4) By external 500 Ω shunt. (5) Accuracy is the guaranteed accuracy of the analog input without error reaction of the module. This value must be considered when saf
66. gure the DeviceNet safety scanner and DeviceNet safety I/O module. Use RSLogix Guard PLUS programming software, according to IEC 61131-3, for support in the creation of safety programs for GuardPLC controllers and GuardPLC I/O modules. Programming software is defined in IEC 61131-1. Follow the specifications listed in Appendix A. Hardware modules and software components that are not fail-safe but do not cause any adverse reactions can be used to process standard signals. However, they cannot be used to carry out safety tasks. Use the closed-circuit current principle in all external safety circuits connected to the system. Product Dependent: Only equipment that can be safely isolated from the main power should be connected to the system. The safe electrical isolation of the power supply must take place in the 24V DC power supply. Only PELV or SELV compliant power supplies may be used. See Appendix A or page 23 for details on power supply requirements. ATTENTION: Limit the use of standard devices in your GuardPLC application to standard critical components. If you choose to use standard devices in a safety-critical fashion, you must ensure that the system design meets SIL 3 requirements. Programming Requirements: There are product-independent and product-dependent programming requirement
67. he PES. Unlocking the PES means enabling functions and access to allow you to make changes to the safety system. The controller must be in STOP mode in order to set the Main Enable switch to ON. Activating Main Enable is not possible when the PES is running (in RUN condition). Deactivating Main Enable is possible while in RUN. To restart following initialization of the CPU after power failure, follow these steps to Unlock the PES: 1. Set Main Enable switch to TRUE. 2. Set Start/Restart switch to TRUE. 3. Start the application program. 4. Then Lock the PES again. See the Procedure for Locking the PES on page 91. Code Generation: After input of the application program and completion of the I/O assignments, the code is generated, forming the Configuration CRC of the Controller. The Configuration CRC of the Controller is a signature of the entire configuration of the controller. The output is a Hex code in 32-bit format. All configurable or modifiable elements, such as logic, variables, and switch settings, are included. Load and Start the Application Program: The application program can only be downloaded to the controller if the controller is in STOP mode. Downloading during RUN mode is not possible. The configuration CRC of the root config is also created at this time. It must be compiled twice and the configuration CRC must be identical in both compile cycles. Only one application program can be loaded into the respective CPU
68. he PES means locking functions and access from the user during operation to prevent manipulation of the application program. The extent of disabling actions depends on the safety requirements for the particular application of the PES. Consult the approving board in charge of site acceptance for help in determining the safety requirements. The only distributed I/O module that can be locked is the 1753 IB20XOB8. Follow this procedure to lock the PES. 1. The following attribute values must be set in the controller before compilation (Attribute: Value): Main Enable: True; Autostart: True/False; Start/Restart allowed: True; Forcing allowed: False (application dependent); Loading allowed: True; Test Mode allowed: False; Stop on Force Timeout: True (application dependent). 2. After loading and starting, you can modify the following switches in the controller in the following sequence: a. Start/Restart allowed to FALSE and Loading allowed to FALSE. b. Main Enable to FALSE. ATTENTION: The following switches can be set at other values only upon consultation with the approving board: Force Enable to TRUE; Stop on Force Timeout to TRUE/FALSE; Start/Restart allowed to TRUE; Autostart to TRUE. ATTENTION: The Test Mode switch must never be set to TRUE for safety operation. Procedure for Unlocking t
69. he cycle time of the system. The cycle time of a system consists of the following items: reading local inputs; processing the application program; writing local outputs; testing routines; communication (for example, GuardPLC Ethernet, DeviceNet Safety, Profibus, Modbus networks). In addition, when considering the worst case for the entire system, the switching times of the inputs and outputs must be taken into account. When a network is used for communication, data reaction times are affected. Refer to Chapter 9 for reaction time calculations. Watchdog Time of the CPU in the PES: The watchdog time of the CPU depends on system configuration. The watchdog time of the CPU is the maximum permissible time allowed for a RUN cycle (cycle time). If the cycle time exceeds the default watchdog time of the CPU, the CPU goes into FAILURE STOP mode. The watchdog time of the CPU must be a value between 2 ms and half the safety time of the PES. The maximum permitted value is 5000 ms. The default setting for controllers is 50 ms. The default for distributed GuardPLC I/O modules is 10 ms. IEC 61508 requires the user to perform various functional verification tests of the equipment used in the system. Functional verification tests are performed at user-defined times. For example, functional verification test intervals can be once a year, once every 15 years, or whatever timeframe is appropriate. GuardPLC controllers have a functional verific
70. he safety state of the inputs and outputs to be 0. The logic in the controller does not rely on the closed-circuit principle, so you can determine the safety state for connections between function blocks to be 0 or 1. However, we recommend that you use a safety state of 0 between function blocks. Design and document the logic to simplify troubleshooting. Use flow charts and write good documentation of the program logic. This does not replace any of the documentation requirements for your applications. Flow charts and logic documentation should be included if they are not already required by your documentation procedures. Any number of negations are permissible. The programmer must evaluate input, output, and logic module error signals. Safety Inputs and Outputs: In an analog GuardPLC safety input module, defined values can be further processed in the event of an error. In a digital GuardPLC safety I/O module, the input is set to a 0 and the digital output module is switched off via the integrated safety switch-off. Parameters of the Application Program: The parameters listed in the following table determine the behavior of the automation module while in operation and are set in the menu attributes of the controller. Here, the permissible actions are determined with the programming software in the safety o
71. hen the connection faults or goes idle, and remains in the safe state until a manual reset occurs. This prevents unexpected output transitions from low (off) to high (on) when a connection recovers from a faulted or idle state. Chapter 6, DeviceNet Safety I/O for the GuardPLC Control System. Safety Considerations for I/O Module Replacement: The replacement of safety devices requires that the replacement device be configured properly and that the operation of the replacement device be user-verified. ATTENTION: No safety function that includes any portion of the replaced module may be relied upon during the replacement and functional testing of the module. When replacing a module, you cannot automatically recover the configuration signature. You need to set the Safety Network Number via RSNetWorx for DeviceNet software and re-load the configuration. Then drop and re-establish the I/O connection with the DeviceNet Safety Scanner module. Safety Lock with Password Protection: When applying functional safety, restrict access to qualified, authorized personnel who are trained and experienced. The safety lock function with passwords is provided by the Safety Device Verification Wizard in RSNetWorx for DeviceNet software. You are responsible for controlling access to the safety system, including password handling. For information on the safety lock feature or on setting a pass
72. ical specifications of the sensor and input are compatible? Have you verified that the electrical specifications of the output and the actuator are compatible? Are modules wired in compliance with PLe / Cat. 4 according to ISO 13849-1, if required? Have you verified that test outputs are not used as safety outputs? Are control, diagnostics, and alarming functions performed in sequence in application logic? Are HSP and DeviceNet Connection Status Bits monitored in application logic? Have you uploaded and compared the configuration of each module to the configuration sent by configuration tool? Have you performed proof tests on the system and modules? Footnote 1: For information on wiring your DeviceNet Safety I/O module, refer to the product documentation for your specific module. Chapter 7, GuardPLC Controller Operating System. Chapter Introduction: This chapter gives information about the details of the GuardPLC controllers, their operating system, and RSLogix Guard PLUS software. Topics: Software for GuardPLC Controllers and I/O Modules; Technical Safety for the Operating System; Operating Mode and Functions of the Operating System; Technical Safety for Programming; Parameters of the Automation System; Forcing; Protection
73. ication testing on the controller in the context of its new application Rockwell Automation Publication 1753 RM002D EN P July 2010 Chapter Introduction Power Supply Module Chapter 2 GuardPLC Central Functions This chapter gives information about the power supply the CPU and self test routines for GuardPLC controllers Topic Page Power Supply Module 23 Functional Description of the Central Processing 24 Unit Self test Routines 25 GuardPLC Controllers and 1 0 Modules Error 26 Diagnostics The GuardPLC 1200 controller is a compact system that includes a CPU 20 digital inputs 8 digital outputs 2 counters and communication ports in a single package An external 24V DC power supply is required The GuardPLC 1600 and GuardPLC 1800 controller systems include an integrated CPU and on board I O as well as optional distributed I O An external 24V DC power supply is required The GuardPLC 2000 controller is a modular system in which a power supply module a CPU module and up to 6 local I O modules comprise the system The power supply transforms the system supply voltage from 24V to 3 3V DC 5V DC used for internal I O Bus The power supply used with the GuardPLC 1200 1600 or 1800 controllers must feature galvanic isolation since inputs and outputs are not electrically isolated from the processor In addition it must fulfill the requirements of IEC 61131 2 and SELV Safety Extra Low Voltage or PELV
74. igured the device, run the Safety Device Verification Wizard to set the device to the safety-locked state. [Figure: device properties dialog showing the Safety Network Number and the Configuration Signature (ID, Date, Time) with a Copy Signature button]
Safety Network Number (SNN) Assignment: When a new safety device is added to the network configuration, a default SNN is automatically assigned via the configuration software as follows:
• If at least one safety device already exists in the DeviceNet network configuration, subsequent safety additions to that network configuration are assigned the same SNN as the lowest-addressed safety device.
• If no other safety devices exist in the DeviceNet network configuration, a time-based SNN is automatically generated by RSNetWorx for DeviceNet.
SNNs can be generated automatically via RSNetWorx for DeviceNet software or manually assigned by the user. Refer to the DeviceNet Safety Scanner for GuardPLC User Manual, publication number 1753 UM002, for information on managing the SNN. Input and Output Line Conditioning: DeviceNet safety I/O modules provide pulse test and monitoring capabilities. If the module detects a failure, it sets the offending input or output to its Safety state and reports the failure to the controller. The failure indication is made via the input or output point status and is maintained for a configurable amount of time or unti
75. ion time is the time from when an input signal is changed to when network data is sent. The output reaction time is the time from when a network signal is received to when the state of output terminal is changed. Some DeviceNet safety I/O modules may support ON-delay and OFF-delay functions for input signals. You must include OFF-delay times when calculating system reaction time. See page 103 for information on calculating reaction times. For information on determining the input and output reaction times, refer to the product documentation for your specific DeviceNet safety I/O module. Checklist for DeviceNet Safety I/O Modules: For programming or startup, an individual checklist can be filled in for every single safety input and output channel in a system. This is the only way to make sure that the requirements are fully and clearly implemented. This checklist can also be used as documentation on the connection of external wiring to the application program. Checklist for DeviceNet Safety I/O Modules used in GuardPLC Systems. Header fields: Company; Site; Safety Function definition; SIL input channels in the; Notes. Columns: Checks; Yes; Comment. Have you followed installation instructions and precautions to conform to applicable safety standards? Have you verified that the electr
76. ire operating phase. The routines are guaranteed to the highest degree of integrity for existing systems, making the PES suitable for the Safety Machinery Application. Safety State: The PES has been designed to the closed-circuit current principle, which requires that systems be designed so that the normally closed or on state of external sensors and actuators is the normal run condition. The off or normally open state is the safe state. This means that in the event of a fault or safety trip, all inputs and outputs revert to the off (current-free, voltage-free) state. PFD and PFH Calculations: The average probability of a system to fail to satisfactorily perform its safety function on demand is called Probability of Failure on Demand (PFD). The probability of a system to have a dangerous failure occur per hour is called Probability of Failure per Hour (PFH). PFD and PFH calculations have been carried out for the GuardPLC controllers and GuardPLC I/O system in accordance with IEC 61508. For SIL 3, IEC 61508-1 sets the following minimum PFD and PFH values.
Table 1: PFD and PFH Values (Type: SIL 3 value per IEC 61508-1)
PFD: 10^-4 to 10^-3
PFH: 10^-8 to 10^-7 per hour
Table 2 GuardPLC Controllers Module MTTF MTTFd PFD PFH Safe Failure in years in
77. kwell Automation Publication 1753 RM002D EN P July 2010 Chapter 9 Configuring Communication. Between PES1 and PES2. The Worst-case Reaction Time $T_R$ (maximum response time from the occurrence of an input signal change at PES to the reaction of the output signal at PES) can be calculated as follows:
$T_R = t_1 + t_2 + t_3 + t_4$
where
$T_R$ = Worst-case Reaction Time
WDZ = Watchdog Time
$t_1$ = x $WDZ_{PES}$
$t_2$ = 0 ms if Production Rate = 0 (normal condition), otherwise ReceiveTMO + $WDZ_{PES1}$
$t_3$ = ReceiveTMO
$t_4$ = 2 x $WDZ_{PES2}$
The Worst-case Reaction Time $T_R$ depends on the application and must be coordinated with the approving board. $T_R$ can be read in the Worst Case column of the Peer-to-Peer Editor. Terms: Peer-to-peer communication uses the following terms.
ReceiveTMO: The monitoring time within which a valid response must be received. Safety communication is terminated if the ReceiveTMO expires.
ResendTMO: The monitoring time after which a transmission is repeated if its receipt has not been acknowledged.
Production Rate: The minimum interval between two data transmissions.
Watchdog: The maximum permissible duration of a run cycle.
High-speed Safety Protocol. Worst-case Reaction Time: The maximum response time from the occurrence of a physical input signal change until the reaction of the physical ou
78. l or unauthorized modifications to the safety system
• A modification to the application program generates a new CRC version number. These modifications can only be transferred to the PES via download (PES must be in STOP).
• You must be logged in to the PES to access operating options.
• RSLogix Guard PLUS software features a password link to the PES upon user login.
• The link between programming software and PES is not necessary during RUN operation.
The requirements of the safety and application standards regarding the protection against manipulations must be observed. The authorization of employees and the necessary protection measures are the responsibility of the operator. ATTENTION: To protect the password against unauthorized access, modify the default settings for both the login and password. PES data is accessible only if the computer uses RSLogix Guard PLUS software and the application project is the currently running version (back-up maintenance). The link between programming software and PES is necessary only for the download of the application program, or for reading out variable status and performing a reboot of the controller to recover from a failure stop condition. The programming software is not required for normal operation. Disconnecting the programming software from the PES during standard operation protects against unauthorized access. Rockwell Automation Publication 1753 RM002D EN P July 2010 GuardPLC
79. l the failure is repaired, whichever comes first. IMPORTANT: Logic must be included in the application program to latch these I/O point failures and ensure proper restart behavior. DeviceNet Connection Loss: This section describes input and output connection losses. Input Connection: If an input connection loss is detected, the safety data is set to the defined safety state (0). The corresponding connection fault bits are set to one. The application logic must react appropriately to all safety data from a DeviceNet safety connection being set to the safety state (fault). The scanner continuously attempts to reestablish the input connection. Output Connection: If an output connection is lost, the connection is reported as faulted by the safety scanner to the controller via the connection status bits. The application logic must react appropriately to the connection fault, and the output device must react appropriately to the loss of the connection and must perform its safety action. The scanner continuously attempts to reestablish the output connection. Your application should monitor the HSP and DeviceNet connection status bits. Since connections often recover automatically, make sure this occurrence does not result in an unsafe machine state. Your application should drive safety outputs to their safe state w
80. les Error Diagnostics Reactions to Detected Errors in the CPU A hardware comparator within the central area constantly compares whether the data of microprocessor system 1 are identical to the data of microprocessor system 2 If this is not the case or if the test routines in the central area are negative the system automatically goes into FAILURE_STOP mode and the watchdog signal is switched off Input signals are no longer processed and outputs go to the de energized switched off condition Because the GuardPLC 1200 1600 and 1800 controllers are compact systems error diagnostics are summarized in a collective error status indicator Each GuardPLC distributed I O module has its own status indicator to display errors in case of module failures or faults in the external wiring providing a quick error diagnosis in case of module failure The evaluation of system variables that contain the status value of the I O or the CPU can also be monitored in the application program An error signal is transmitted only if the error does not impede communication with the CPU that is an evaluation via the CPU is still possible An extensive diagnostic record of system performance and faults is stored in the diagnostic memory of the CPU and the COM This record can be viewed in the programming software even after a system fault 26 Rockwell Automation Publication 1753 RM002D EN P July 2010 Chapter 3 GuardPLC Controller and GuardPLC
81. levant standards Configurable Digital Inputs The digital inputs of the GuardPLC 1800 controller operate according to the principle of analog inputs but are set to digital values by configuration of the operating points The test routines and safety functions of analog inputs explained on pages 33 36 also apply to the configurable digital inputs on the GuardPLC 1800 controller Line Control Line Control is an emergency short circuit and line break monitoring system of emergency stop devices which can be configured on GuardPLC 1600 systems with digital inputs This does not include configurable digital inputs TIP GuardPLC 1200 and GuardPLC 2000 systems require application programming for line control IMPORTANT This operation is not permissible for configurable digital inputs like those on the GuardPLC 1800 system Therefore the type of line control described above cannot be configured for GuardPLC 1800 controllers In addition digital outputs are connected to the digital inputs of the same system as shown in Emergency Off Switches on page 32 Rockwell Automation Publication 1753 RM002D EN P July 2010 31 Chapter3 GuardPLC Controller and GuardPLC 1 0 Module Input Channels Figure 3 Emergency Off Switches DO 1 2 Emergency OFF 1 K Emergency OFF 2 DI The digital outputs DO1 and DO2 are pulsed T1 and T2 below As a result the connections to the digital inputs are monitored The signals for the
82. lication Program Acts on variables function blocks Configuration of the automation module Fixed by the selection of the GuardPLC controller CPU test None 1 0 module tests depending on type Depends on the 1 0 modules used Reaction in error case Default setting Application program is responsible for process reaction Diagnostic status indicators None Diagnostic possibilities of I O and of the CPU Use of the system variables for error messages of the 1 0 and CPU Communication via Ethernet network interface or serial line Data exchange via COM serial is effected via a standard protocol no writing of relevant safety signal Programming software interface permissible actions Fixed in RSLogix Guard PLUS software Configuration of protection functions User login Rockwell Automation Publication 1753 RM002D EN P July 2010 Technical Safety for the Operating System Operating Mode and Functions of the Operating System Technical Safety for Programming GuardPLC Controller Operating System Chapter 7 Every licensed operating system is identified by its name To aid in identification the revision and CRC signature are provided The applicable versions of the operating system and the related signatures CRCs approved by TUV for safety automation systems are subject to revision controls and are documented on a list compiled in conjunction with TUV Use RSLogix
83. lure Fd ean Time to Dangerous Failure Non interacting Does not interfere or affect functions of the safety system PES Programmable Electronic System PFD Probability of Failure on Demand PFH Probability of Failure per Hour POU Program Organization Unit PS Programming System RFI Radio Frequency Interference SFF Safe Failure Fraction SIL Safety Integrity Level SNN Safety Network Number SRS System Rack Slot This number is used as the System ID Standard Any object task tag or program that is not marked as being a safety item TUV Technischer Uberwachungs Verein Technical Inspection Association UNID Unique Node Identifier WD Watchdog Time Rockwell Automation Publication 1753 RM002D EN P July 2010 Preface Additional Resources The table below provides a listing of publications that contain important information about GuardPLC controller systems Resource GuardPLC Controller Systems User Manual publication 1753 UM001 Description Information on configuration and operation for a GuardPLC Controller System Using RSLogix Guard PLUS Software with GuardPLC Controllers Programming Manual publication 1753 PM001 Procedural information on programming a GuardPLC Controller System with RSLogix Guard PLUS software CompactBlock Safety 1 0 Modules on DeviceNet Series 1791DS Installation Information on installing CompactBlock Safety 1 0
84. n Refer to the DeviceNet Safety Scanner for GuardPLC User Manual, publication 1753 UM002, for information on status and error codes. Status Indicators: The scanner has three status indicators that let you monitor module, DeviceNet network, and High-speed Protocol (HSP) status. The evaluation of system variables that contain the status value of the scanner can also be monitored in RSNetWorx for DeviceNet software. For a detailed description of the status indicators, refer to the DeviceNet Safety Scanner for GuardPLC User Manual, publication number 1753 UM002. Section headings: Reaction Times; Connection Status; DeviceNet Scanner Configuration Checklist. The system reaction time is the amount of time from a safety-related event as input to the system until the system is in the Safety state. Refer to page 103 for reaction time information. Your application should monitor the HSP and DeviceNet connection status bits. Since connections often recover automatically, make sure this occurrence does not result in an unsafe machine state. Your application should drive safety outputs to their safe state when the connection faults or goes idle and remains in the safe state until a manual reset occurs. This prevents unexpected output transitions from low to high when a connection recovers from a faulted or idle state. IMPORTANT The DeviceNet connecti
85. n Publication 1753 RM002D EN P July 2010 79 Chapter7 GuardPLC Controller Operating System Parameters of the Automation System The following parameters determine the operating behavior of the automation system and are set in RSLogix Guard PLUS software The settings possible for safety operation are not inflexibly bound to a certain requirement class However they must be available to the applicable approving board for every implementation of the automation system Safety Parameter CPU Safety time in ms Setting for Safety Operation Depends on process Watchdog time in ms ax 50 of the safety time Start Restart Reset Off can only be set to OFF in RUN mode of the CPU Force Enable forcing Reset off Reset off Activate Peactivate forcing in Force Editor Window Main Enable modification of the safety parameters 1 Reset Off can only be set to OFF in RUN mode of the CPU Test Model Reset off 1 You cannot set this on distributed 1 0 modules except for 1753 IB20XOB8 Rockwell Automation Publication 1753 RM002D EN P July 2010 Forcing GuardPLC Controller Operating System Chapter 7 Forcing is only permissible after consulting the approving board responsible for site approval During forcing the person in charge must make sure sufficient safety technical monitoring of the process by other technical and structural measures The following forcing options are pos
86. n acceptable input output single fault reaction time for the associated safety function of the application 23 Have you executed the Safety Device Verification Wizard 24 66 Did you review and print the verification report for your records Rockwell Automation Publication 1753 RM002D EN P July 2010 Chapter 6 DeviceNet Safety 1 0 for the GuardPLC Control System Chapter Introduction This chapter gives information about the DeviceNet Safety I O Topic Page Overview 67 Typical Safety Functions of DeviceNet Safety I O Modules 68 Safety Considerations for I O Module Replacement 72 Safety lock with Password Protection 72 Status Indicators ig Reaction Time ia Checklist for DeviceNet Safety 1 0 Modules 74 Overvi ew Before operating a GuardPLC safety system containing DeviceNet safety I O modules you must read understand and follow the installation operation and safety information provided in the documentation for these products Refer to Additional Resources on page 11 Field safety I O modules can be connected to safety input and output devices allowing these devices to be controlled by a GuardPLC and DeviceNet safety scanner control system For safety data I O communication is performed through safety connections using the DeviceNet Safety Protocol logic is processed in the GuardPLC controller Rockwell Automation Public
87. nd GuardPLC 1 0 Output Channels Chapter 4 The analog outputs are written once every cycle and the values are saved internally All the outputs are non safety related but they can all be shut down safely To reach SIL 3 the outputs values must be read back via safety related analog inputs and evaluated in the application program There are also reactions to incorrect output values that must be specified Test Routines Both the safety switches for the shutdown of all four outputs of the module are automatically tested during operation Reaction to Error If a faulty signal is detected all contact outputs of the module are set to the Safety 0 state via the safety switches in accordance with the closed circuit principle This is also indicated by the FAULT diagnostic indicator The error code signal enables you to provide additional fault handling in the application program Rockwell Automation Publication 1753 RM002D EN P July 2010 49 Chapter4 GuardPLC Controller and GuardPLC 1 0 Output Channels Analog Outputs in the 1755 OF8 Module 50 The information in this section applies to the analog outputs of the 1753 OF8 module General The analog outputs on the 1755 OF8 GuardPLC 2000 AB AO module are written once per cycle and stored internally This functionality is tested by the module itself The analog output module can be configured for current or voltage output via DIP switches on the module ATTENTION Check
88. ng OFF or power failure The variable names and their data types are defined with the help of the variable declaration editors Symbolic names consisting of a maximum of 256 characters are assigned to all variables of the application program Symbolic I O names consisting of a maximum of 256 characters are also used for physical inputs and outputs The use of symbolic names instead of physical addresses has two essential advantages The equipment definitions of inputs and outputs can be used in the application program e Modifications of the signal assignment in the input and output channels have no effect on the application program Rockwell Automation Publication 1753 RM002D EN P July 2010 87 Chapter 8 Technical Safety for the Application Program Assignment of I O Names to Variable Names A list of the sensors and actuators in the system should serve as basis for the assignment of I O names names used for hardware assignment For practical reasons variable name and I O name should be the same The number of channels names per module depends on the type of module or system used The necessary diagnostic routines for safety I O modules or channels are automatically executed by the operating system Types of Variables Depending on the program organization unit POU either program function block or function module different types of variables can be defined as described below Program
89. [Figure: device properties dialog. Text: "This safety device is not safety locked. After you have configured the device, run the Safety Device Verification Wizard to set the device to the safety-locked state." Fields: Safety Network Number; Configuration Signature (ID, Date, Time). Buttons: Copy Signature, Unlock, Password, OK, Cancel, Apply, Help.] Safety Network Number: The Safety Network Number (SNN) is a unique number that identifies the safety network sub-net. The SNN, in conjunction with the target's node address, enables a target to determine with high integrity whether or not safety connection requests it receives have reached the correct destination. Each end node within a DeviceNet safety control system must have a unique node identifier. The unique node reference for a DeviceNet safety node is a combination of a SNN and the node address of the node. It is used to precisely identify the intended target device during configuration and I/O connection establishment. Any device that originates a safety connection to another safety device must be configured with the SNN of the target device. The assignment of a time-based SNN is the default when adding a DeviceNet safety scanner or new DeviceNet safety I/O modules. IMPORTANT Th
90. o and the associated status bit is set to one The scanner automatically attempts to re establish any lost DeviceNet connections for which it is the originator When the connection is recovered the data is set to the values received from the producing node and the status bit is cleared When the safety scanner enters Configuration mode all the DeviceNet connections are terminated and eliminated The High speed Safety Protocol connection is terminated To restore connections download and verify a new configuration Failure of Diagnostic Tests Ifa diagnostic test fails all application processing is stopped and High speed Protocol DeviceNet safety and standard I O connections are terminated Rockwell Automation Publication 1753 RM002D EN P July 2010 61 Chapter5 GuardPLC DeviceNet Safety Scanner Status Indicators Options for viewing the DeviceNet safety scanner s status are listed in the following sections IMPORTANT Status indicators and alphanumeric displays are not reliable indicators for safety functions They should be used only for general diagnostics during commissioning or troubleshooting Do not attempt to use status indicators as operational indicators Alphanumeric Display When you apply power to the scanner the alphanumeric display cycles through the following information e Firmware revision e MACID e DeviceNet communication rate The scanner also displays status codes that provide diagnostic informatio
91. ole Digital Outputs GuardPLC Controller and GuardPLC 1 0 Output Channels Chapter 4 The information in this section applies to the two pole digital outputs of the 1753 IB16XOB8 and 1753 IB8XOB8 modules Test Routines for Two pole Digital Outputs The modules are automatically tested during operation These are the essential test functions Read back of the output signal of the switching amplifier The switching threshold for a read back signal is 2V Diodes are used to prevent a feedback of signals Check the integrated redundant safety shutdown e Performa shutdown test of the outputs within the multiple fault occurrence time for a max of 200 Us The minimum time between two tests is 20 seconds e Monitor line at two pole connection short circuit to L L short circuit between two pole connections 1753 IB16XOB8 only line break in one of the two pole lines 1753 IB16XOB8 only e Test L switch capability at two pole connection with line monitoring 1753 IB16XOB8 only Monitor the output current of the device The operating voltage of the entire system is monitored All outputs are de energized at an undervoltage of lt 13V One pole Two pole Connection The digital outputs can be configured as follows e Digital output with two pole connection with line monitoring e Digital output with two pole connection without line monitoring One pole positive switching digital output DO One pole negative
92. ompared In addition test values are switched on via digital analog converters and converted back again to digital values that are then compared with a default value When faults are detected the analog inputs are set to the 0 value in the application program Reaction In Case of Fault If the test routines for analog inputs detect an error a 0 value is processed for the faulty channel in the application program and the FAULT status indicator illuminates In addition a channel status signal greater than 0 is generated for the application program The analog input value must be interlocked with this status information allowing you to program additional fault handling in the applications and provide a means for evaluating the external wiring of the inputs Rockwell Automation Publication 1753 RM002D EN P July 2010 35 Chapter3 GuardPLC Controller and GuardPLC 1 0 Module Input Channels Counter Module 36 Figure 6 Block Diagram of Analog Inputs of the 1755 IF8 Analog Input Module 42925 1 0 Bus The illustration above does not represent the specifications of the related module The items listed in the sections starting on page 36 apply to the 1755 HSC module and to the GuardPLC 1200 and 1800 system digital counter input channels General Depending on the parameters in the application program the counter can be operated as a fast up down counter with 24 bit resolution or as an encoder in the Gray code
93. on 24 certifying body 14 checklist creation of an application program 83 DeviceNet safety scanner 63 safety I O modules 74 safety inputs 38 safety outputs 52 climatic conditions 108 closed circuit principle definition 14 code generation 92 communication DeviceNet safety 103 high speed 102 peer to peer 98 safety related 19 standard 98 102 conditions for use 107 climatic conditions 108 EMC conditions 109 mechanical conditions 108 power supply conditions 110 Index Configuration CRC of the Controller 92 configuration signature 57 69 counter module 36 block diagram 38 general 36 reaction in fault condition 37 test routines 37 digital outputs line control 44 reaction to error 44 48 test routines 43 E EMC conditions 109 error diagnostics 26 F fault tolerance time 20 forcing 81 FTT 20 functions of the operating system 77 G GuardPLC catalog numbers 13 HFT 56 high speed safety protocol 102 1 0 modules replacement 72 input modules analog inputs 33 block diagram 36 general information 33 reaction in case of fault 35 test routines 35 counter module 36 block diagram 38 general 36 reaction in fault condition 37 test routines 37 overview 28 safety related digital inputs 29 block diagram 30 general 29 reaction to error 30 test routines 30 safety related general information 29 introduction to safety 14 Rockwell Automation Publication 1753 RM002D EN P July 2010 115 Index 116 L
94. on Technical Support and provide the device s serial number and security code to obtain the vendor password Refer to the DeviceNet Safety Scanner for GuardPLC User Manual publication 1753 UM002 for information on the safety lock feature or on setting a password using RSNetWorx for DeviceNet software Rockwell Automation Publication 1753 RM002D EN P July 2010 GuardPLC DeviceNet Safety Scanner Chapter 5 Error Reaction This section describes how the module reacts to HSP and DeviceNet connection losses and diagnostic test failure HSP Connection Loss On the loss of HSP all producing DeviceNet safety connections are transitioned to the Idle mode resulting in the end device transitioning to its safety state All standard DeviceNet I O connections are likewise transitioned to Idle mode resulting in the standard nodes transitioning to their Idle state When the HSP connection is restored the DeviceNet safety and standard connections are returned to Run mode with normal data production The safety scanner closes the HSP connection whenever either an HSP error occurs or the safety scanner diagnostic reports an error Individual DeviceNet safety or standard connection errors do not cause the HSP connection to close and the associated status bit is set to one DeviceNet Connection Loss On the loss of a DeviceNet safety or standard connection the data associated with connections for which the scanner is the consumer are set to zer
95. on checklist 63 configuration signature 57 error reaction 61 reaction times 63 safety lock with password 60 safety network number 58 safety requirements 54 SFF and HFT calculations 56 status indicators 62 user verification procedure 59 safety signature PFD and PFH calculations 56 safety time of the PES 20 safety times fault tolerance time 20 multiple error occurrence time 20 reaction time 21 watchdog time of the CPU 21 selt test routines 25 CPU test 25 fixed memory sectors 25 1 0 bus 25 RAM test 25 reactions to detected errors in CPU 26 test memory sectors 25 watchdog test 25 SFF 56 software GuardPLC 1200 2000 safety related systems 75 specifications climatic 108 EMC 109 mechanical 108 power supply 110 Rockwell Automation Publication 1753 RM002D EN P July 2010 T technical safety application program 85 functions 89 general procedure 86 program documentation for safety relat ed applications 95 programming basis 86 variable declaration and PLT name input 87 technical safety for programming 77 check the created application program 78 Index creation of a backup program 79 safety concept of RSLogixGuard 77 technical safety for the operating system 77 terminology 10 101 Ww watchdog time 101 worst case reaction time calculations 101 definition 102 Rockwell Automation Publication 1753 RM002D EN P July 2010 117 Index 118 Rockwell Automation Publication 1753 RM002D EN P July 2010 Rock
96. on status bits are accurate only if the HSP connection is in the established state.
Use the checklist on the following page for configuration, programming, and startup of the DeviceNet safety scanner. It may be used as a planning draft as well as a proof. If used as a planning draft, the checklist can be saved as a record of the plan. To ensure that the requirements are fully and clearly satisfied during system configuration or start-up, an individual checklist for controlling the requirements can be filled in for every single safety output channel in a system.
Checklist for Configuration, Programming, and Startup of DeviceNet Safety Scanner
Company / Site / Loop definition
Requirements | Fulfilled (Yes) | Comment
After adding one or more nodes to the network:
• Is each DeviceNet safety node commissioned with a unique node reference (combination of SNN and MAC ID) that is unique within your entire network? See page 58 for more information.
• Is each DeviceNet safety target correctly configured?
• Are the reaction times of each target known and suitable for the application?
After adding one or more connections:
• Are the safety connection timing parameters suitable for the capacity of all CIP safety links traversed?
• Is th
97. peration of the automation module and the safety parameters are preset Switch Function Default Setting for Satety Value Operation Main Enable The following switches parameters can be ON OFF modified during operation of the programming software Autostart Automatic start after initializing the CPU OFF ON OFF Restart Start Coldstart warmstart or hotstart using ON OFF programming software in the RUN or STOP condition Load Enable Load release for an application program ON ON Test Mode Test Mode allowed or forbidden OFF OFF allowed At Test Mode the program execution will be frozen or stopped The outputs remain actuated and the program execution can be done in single cycle steps Force Enable Activation of values for the PES inputs or OFF Determined by the outputs independent of the actual value of a approving board signal from the linked process or the result of the logic link Stop on Force Stop during operation of forcing time ON Determined by the Timeout approving board Additional switches and parameters can be preset for forcing See the Loading and Starting the Application Program section page 92 1 The setting of the values only applies when you are online 2 Setting to ON or OFF is application dependent 90 Rockwell Automation Publication 1753 RM002D EN P July 2010 Technical Safety for the Application Program Chapter 8 Procedure for Locking the PES Locking t
98. pplication, the end device configuration must treat the signal as safety and be transferred over a DeviceNet safety connection.
Figure 12 Connect Signals Dialogs (Safety Connect Signals Dialog Box, Standard Connect Signals Dialog Box)
You must commission all safety devices with the MAC ID and communication rate, if necessary, before their installation on the safety network. MAC ID and communication rate settings for the DeviceNet safety scanner are made via RSNetWorx for DeviceNet software. A scanner can be configured only by RSNetWorx for DeviceNet software, which automatically becomes its configuration owner.
PFD and PFH Calculations
Component | Functional Verification Test Interval | PFD
1753 DNSI | 10 years | 9.3E-06
Component | PFH
1753 DNS | 5.61E-10
The Functional Verification Test interval is set at 10 years for the GuardPLC DeviceNet safety scanner. The test does not apply to the DeviceNet safety I/O module. The DeviceNet safety scanner is based on a 1oo2 microprocessor sy
99. s for the GuardPLC system
Product Independent
Verify that the safety system variables are correctly configured for safety applications. Pay particular attention to the maximum cycle time and the safety time.
Product Dependent
• You must use RSLogix Guard PLUS software to program the GuardPLC controller.
• You must follow the guidelines listed on page 78 for initial startup or after a modification to the application program.
• You must perform a complete check of program logic to verify that logic correctly and fully addresses the functional and safety requirements in your application specification.
• You must re-check the application as described above each time you make a modification.
• When a fault occurs in the fail-safe input and output modules, the error response of the system must be determined by the application program according to site-specific safety criteria.
Communication
• The total response time of the system must not exceed the fault tolerance time when safety communication occurs between devices. Safety data cannot be transferred over public networks, for example, the Internet.
• If the data is transferred across company/factory networks, verify that sufficient protection is provided against manipulation. For example, use a firewall or router to separate the standard or
100. safety Connect Signals window must be treated as standard In order for a signal to be regarded as a safety value in your application the end device configuration must treat the signal as safety and be transferred over a DeviceNet safety connection Rockwell Automation Publication 1753 RM002D EN P July 2010 95 Chapter 8 Notes 96 Technical Safety for the Application Program Rockwell Automation Publication 1753 RM002D EN P July 2010 Chapter 9 Configuring Communication Introduction Topic Page Standard Protocols 98 Peer to peer Safety Communication via GuardPLC Ethernet 98 High speed Safety Protocol 102 Reaction Times for DeviceNet Safety Communication 103 Depending on the controller the following options are available for safety or standard protocols Modbus OPC Profibus DP and ASCII read only Controller GuardPLC 1200 GuardPLC 1600 GuardPLC 1800 GuardPLC 2000 1754 L28BBB 1753 L28BBBM 1753 L28BBBP 1753 L32BBBMBA 1753 L32BBBP8A 1755 L1 Communication GuardPLC Ethernet single port 4 port switch 4 port switch 4 port switch 4 port switch single port DeviceNet Safety X X X X RS 232 Ports 8 pin mini DIN 9 pin mini DIN RS 485 Ports 9 pin DIN 9 pin DIN Modbus RTU Slave X X _ PROFIBUS DP Slave X X ASCII Read Only X X X X X X Ethernet IP X X X X Rockwell Automation Pu
101. sible
• Forcing can be prohibited by configuration. If it is prohibited, the PES no longer accepts force values defined specifically by the application. In this case, new force values can be set only after re-enabling the force system. A Select All can be effected via the Force Editor in RSLogix Guard PLUS software. All displayed signals should be verified in the controller.
• All forced inputs or outputs can be reset by a STOP force command in the Force Editor in RSLogix Guard PLUS software. All individual force values and switches are held in their current state. Once you restart forcing, they become active again.
More information about forcing can be found in the Using RSLogix Guard Plus Software with GuardPLC Controllers Programming Manual, publication 1753 PM001. General information about forcing can be found in the TUV document Maintenance Override. To access the document on the Internet, see these websites:
• TUV Product Service: http://www.tuvasi.com
• TUV Rheinland: http://www.tuv-fs.com
Protection Against Manipulation
You, in conjunction with the approving board, must define what measures are applied to protect against manipulation.
GuardPLC Controllers and GuardPLC I/O Modules
Protection mechanisms are integrated in the PES and in RSLogix Guard PLUS software to prevent unintentiona
102. stem for the control module
SFF and HFT Calculations
1753 DNSI 98 0 1
Multiple Error Occurrence Time
The occurrence time for multiple faults is the period of time in which the probability for the occurrence of multiple faults, which in combination are critical to safety, is sufficiently low. Faults that do not directly affect the safety function of the system unless they occur in combination with another fault are detected within the Multiple Error Occurrence Time, which is preset in the operating system of the safety scanner to eight hours.
Configuration Signature
The configuration signature uniquely identifies a particular module configuration. It is comprised of a checksum ID and the date and time that the configuration was created. The configuration signature is used in several operations:
• During download from a configuration tool, the configuration signature provides you with a means to check that the device and the configuration tool agree on the information downloaded.
• During connection establishment, the originator and the target devices use the configuration signature to ensure that both devices are using the expected configuration.
Figure 13 Configuration Signature
103. switching digital output DO
Two-pole Connection
ATTENTION: The status signal of the line monitoring must be used to switch off the outputs DO DO in case of a fault for ISO 13849-1 PLe Cat 4 applications.
ATTENTION: A short circuit between a negative switching output and L can cause a relay to switch on or another actuator to be switched into another operating state. During monitoring time of line monitoring, a 24 V voltage (L reference pole) is impressed at the load (relay, actuator), so that the amount of electric energy is great enough to switch the load in another operating state.
ATTENTION: When the module is configured for two-pole operation, a DI input may not be connected to a DO output. This would prevent a detection of a line break.
ATTENTION: Inductive loads must be connected with a protection diode on the load.
Reaction in the Event of an Internal Fault
The module has negative switching outputs and positive switching outputs. This section describes how they react to an internal fault.
Negative switching Outputs DO
If an output fault is detected, the affected output of the module is set to a safety de-energized state via the safety switches. In case of a module fault, all outputs are switched off. Both faults are indicated via the FAULT indicator.
Positive swi
104. tching Outputs DO
If an output fault is detected, the affected output of the module is set to a safety de-energized state via the safety switches. In case of a module fault, all outputs are switched off. Both faults are indicated via the FAULT indicator.
External Short Circuit or Overload Performance
If the output is short-circuited to L L or an overload condition exists, it is still possible to carry out tests on the module. A safety shutdown is not required. The total current consumption of the module is monitored. If the threshold is exceeded, all the channels of the output module are set to the safety 0 state. In this state, the outputs are cyclically checked in periods of several seconds if the overload is still present. Once the short circuit or overload condition is corrected, the outputs are activated according to the application program.
Figure 9 Two-pole Digital Outputs in 1753 IB8XOB8 and 1753 IB16X0B8 Modules
105. the faulty channel. The FAULT indicator (ERR on the GuardPLC 2000 controller) is activated. In addition to the signal value of the channel, the corresponding channel status signal must be taken into account. When using the channel status signal in the application program, you have additional options to configure an error reaction in your program.
Figure 2 Example Block Diagram of Digital Inputs Using GuardPLC 2000 Controller
The illustration above does not represent the specifications of the related module.
Surge on Digital Inputs
An EN61000-4-5 surge impulse can be read as a short-time H signal, caused by the short cycle time of the GuardPLC system. To avoid errors of this type, use one of the following preventative measures:
• Install shielded input lines to eliminate the effects of surges in your system.
• Use fault masking in your user program so that a signal must be present for at least two cycles before being evaluated. Be aware that this increases the system's reaction time.
ATTENTION: The mentioned measures can be neglected if surges in the system can be excluded by the construction of the plant. The construction includes especially protection measures concerning overvoltage, lightning strike, earthing, and wiring on base of manufacturers' instructions and re
106. the input signal must be present longer than the ReceiveTMO or be monitored via loopback if each value has to be transferred.
ATTENTION: ReceiveTMO is a safety parameter.
Your application should monitor the GuardPLC Ethernet connection status. Since connections often recover automatically, make sure this occurrence does not result in an unsafe machine state. Your application should drive safety outputs to their safe state when the connection faults or goes idle, and remain in the safe state until a manual reset occurs. This prevents unexpected output transitions from low to high when a connection recovers from a faulted or idle state.
ReceiveTMO
ReceiveTMO is the monitoring time on PES during which a correct response must be received from PES.
TIP: ReceiveTMO also applies in the reverse direction, for example, from PES to PES.
The ReceiveTMO (safety-related) is part of the Worst Case Reaction Time TR. The ReceiveTMO must be calculated and entered via the peer-to-peer editor. If the communication partner does not receive a correct answer within the ReceiveTMO, the safety-related communication is closed and all signals imported over this communication channel are set to the initial values defined by you.
ReceiveTMO ≥ 2 x response time (minimum)
If the requirement is met, the loss of at least one data packet will not cause th
107. the switch settings before inserting the module into the chassis, and make sure that the settings in the application program coincide with the hardware configuration. Configuring the hardware for current output and the application program for voltage output results in erroneous behavior of the module.
ATTENTION: Unused analog voltage outputs must be left open. Unused analog current outputs must be short-circuited.
The analog output circuits contain current/voltage monitoring, read back and testing of parallel output circuits, and two additional safety switches for the safe disconnection of the output circuit in the event of failure. Thus, the safe condition is achieved at an output current of 0 mA and an output voltage of 0V DC.
Respectively two analog outputs are DC-coupled to each other (output 1 and 2, output 3 and 4, output 5 and 6, output 7 and 8).
In addition, the respective channel status signals can be evaluated in the application program.
Test Routines
The module is automatically tested in operation. These are the essential test functions:
• Safety 1oo2 A/D microprocessor system
• Double read back of output signals
• Test for cross talk between the outputs
• Check of the integrated safety switch off
Reaction To Error
The output signals are read back once per cycle and compared with th
108. tion in the logic and trigger it with the channel status signal.
Figure 7 Example Block Diagram of Counter Inputs Using 1755 HSC Module of the GuardPLC 2000 System
This display does not represent the specifications of the related module.
Checklist for Safety Inputs
Use the checklist on the following page for system configuration, programming, and start-up of safety inputs. It may be used as a planning draft as well as a proof. If used as a planning draft, the checklist can be saved as a record of the plan. To ensure that the requirements are fully and clearly satisfied during system configuration or start-up, an individual checklist for controlling the requirements can be filled in for every single safety output channel in a system. This checklist can also be used as documentation on the connection of external wiring to the application program.
Checklist for Configuration, Programming, and Startup of Safety Manual GuardPLC System
Company / Site / Loop definition
Safety input channels in the GuardPLC 1200 GuardPLC 1600
109. tput signal (see the illustration below). Data transfer is carried out by means of safety protocols.
Figure: PES (In) connected to PES (Out) by a safety-related protocol
The following characteristics of High-speed Safety Protocol let it exchange device signal layouts between RSLogix Guard PLUS and RSNetWorx for DeviceNet software.
HSP Signature
The High-speed Signature is a read-only value that represents the layout of the device signals exchanged between the GuardPLC controller and the DeviceNet safety scanner. The HSP signature is calculated based on the layout of the device signals in RSNetWorx and is passed to RSLogix Guard PLUS software via the Scanner Signals File. The HSP signature changes only when a modification occurs in the layout of the device signal exchanged between the controller and scanner.
Target Connections File
The Target Connections file is a file used to pass target connection information for application signals you want to make available for read or write access by the GuardPLC controller to another safety originator or standard master on the DeviceNet network.
Scanner Signals File
The Scanner Signals file defines the layout of the safety and standard device signals that the scanner makes available to the controller. This file is generated by RSNetWorx for DeviceNet and sent to RSLogix Guard PLUS software.
Reaction Times
110. well Automation Support Rockwell Automation provides technical information on the Web to assist you in using its products At http www rockwellautomation com support you can find technical manuals a knowledge base of FAQs technical and application notes sample code and links to software service packs and a MySupport feature that you can customize to make the best use of these tools For an additional level of technical phone support for installation configuration and troubleshooting we offer TechConnect support programs For more information contact your local distributor or Rockwell Automation representative or visit http www rockwellautomation com support Installation Assistance If you experience a problem within the first 24 hours of installation review the information that is contained in this manual You can contact Customer Support for initial help in getting your product up and running United States or Canada 1 440 646 3434 Outside United States or Use the Worldwide Locator at http Awww rockwellautomation com support americas phone_en html or contact Canada your local Rockwell Automation representative New Product Satisfaction Return Rockwell Automation tests all of its products to ensure that they are fully operational when shipped from the manufacturing facility However if your product is not functioning and needs to be returned follow these procedures United States Contact your distributor
111. witch enables forcing to be permitted or forbidden within the CPU. When Forcing allowed is set, forcing is allowed. The entered force values only become active if the relevant force switch is set for the data source.
ATTENTION: Forcing without a time limit is only permissible after consultation with the approving board in charge of site acceptance.
When Forcing allowed is not set, forcing is not possible. Any force values entered remain in the system but have no effect. After the force time has elapsed or if forcing is stopped, the signals being forced revert to control by the user program.
If | Then
The Stop on Force Timeout switch is set in the controller properties. | The controller transitions to the STOP mode when the force time expires. The signals being forced revert to control by the user program.
The Stop on Force Timeout switch is not set in the controller properties. | The controller does not stop when the force time expires. The signals being forced revert to control by the user program.
If the force time is exceeded, the logic can determine whether the CPU goes to STOP or the force value is no longer valid, allowing standard operation to proceed. Exceeding the force time always has effects on the application program. Pressing the Stop button in the Force Editor found in RSLogix Guard PL
112. word using RSNetWorx for DeviceNet software, refer to the DeviceNet Safety Scanner for GuardPLC User Manual, publication 1753 UM002.
After configuration data has been downloaded and verified, the configuration data within the module can be protected using RSNetWorx for DeviceNet software. Run the Safety Device Verification Wizard to lock the module.
Figure 15 Safety lock Application Process
Status Indicators
The DeviceNet safety I/O modules include status indicators. For details on status indicator operation, refer to the product documentation for your specific module.
IMPORTANT: Status indicators are not reliable indicators for safety functions. They should be used only for general diagnostics during commissioning or troubleshooting. Do not attempt to use status indicators as operational indicators.
Status Data
In addition to input and output data, some DeviceNet safety I/O modules support status data to monitor the I/O circuits. You can create an application program to monitor these variables and take appropriate action. Refer to your module's product documentation.
Reaction Time
The input react
113. x for DeviceNet software to be meaningful
14 Is the Max Scanner Response Time setting on the GuardPLC controller tab in RSNetWorx for DeviceNet software greater than the maximum value reported by the statistics feature?
15 Have you set the Controller Receive Timeout as indicated in either 15a or 15b?
15a For environments with electrical noise characteristics that do not require HSP retries (for example, default Controller Resend Timeout of 0 is acceptable): Is the Controller Receive Timeout setting on the HSP Properties dialog in RSLogix Guard PLUS software greater than or equal to the maximum response time reported on the HSP Protocol tab of the control panel?
15b Controller Resend Timeout must be set greater than zero (HSP retries are necessary due to an electrically noisy environment): Is the Controller Resend Timeout setting on the HSP Properties dialog in RSLogix Guard PLUS software greater than or equal to the maximum response time reported on the HSP Protocol tab of the control panel? Is the Controller Receive Timeout setting on the HSP Properties dialog in RSLogix Guard PLUS software greater than or equal to (N+1) times the Controller Resend Timeout, where N retries are desired?
16 Is the number of communication time slices reported on the Statistics tab of th
114. years Fraction GuardPLC 1200 19 84 n a 1 451664E 04 3 094950 E9 99 8779 Controllers GuardPLC 1600 17 69 102 44 4 158987E 05 3 926815E 09 99 8626 Controllers GuardPLC 1800 14 58 84 45 5 460105E 05 5 665043E 09 99 8636 Controllers 1 The PFD and PFH data is based on a functional verification test interval of 10 years Table 3 GuardPLC 2000 Module MTTF MTTFd PFD PFH Safe Failure in years in years Fraction Chassis 704 66 1409 32 4 195800E 06 8 10000E 11 99 9500 Lit 44 03 122 78 4 884170E 05 4 36713E 09 99 7699 iFa 73 12 252 52 1 746768E 05 4 14836E 09 99 6233 Hscl 45 33 239 18 5 993297E 05 3 28725E 09 99 6623 IB24X0B16 34 28 352 58 3 710908E 05 1 09636E 09 99 874 oral 94 26 250 23 2 682039E 05 1 83623E 09 99 8899 pB720 20 73 980 88 6 028484E 06 1 16380E 10 99 9892 1 The PFD and PFH data is based on a functional verification test interval of 10 years Rockwell Automation Publication 1753 RM002D EN P July 2010 15 Chapter 1 16 Safety Concept for GuardPLC Controllers and GuardPLC 1 0 Table 4 GuardPLC 1 0 Module MTTF MTTFd PFD PFH Safe in years in years Failure Fraction 1753 IB16 45 02 98 48 3 684285E 05 2 772601E 09 99 7946 1753 0B16 15 22 77 84 3 625669E 05 3 902687E 09 99 7734 1753 IB20X0B8 20 48 63 50 5 107536E 05 4 247003E 09 99 7681 1753 IB8X0B8 19 02 22 55 4 603845E 05 6 581646E 09 99 7908 1753 IB16X0B8
115. you can e download a free electronic version from the Internet at http literature rockwellautomation com e purchase a printed manual by contacting your local Allen Bradley distributor or Rockwell Automation sales office Rockwell Automation Publication 1753 RMO002D EN P July 2010 11 Preface 12 Rockwell Automation Publication 1753 RM002D EN P July 2010 Chapter 1 Safety Concept for GuardPLC Controllers and GuardPLC 1 0 This chapter introduces you to the safety concept for the following GuardPLC products Catalog Number Description 1753 DNSI DeviceNet Safety Scanner for GuardPLC 1753 IB16 uardPLC 16 point Input Module 1753 IB20X0B8 uardPLC 1 0 Module 1753 IB8XOB8 uardPLC 1 0 Module 1753 IB16X0B8 uardPLC 1 0 Module 1753 IF8XOF4 uardPLC Analog 1 0 Module 1753 L28BBBM uardPLC 1600 controller with Modbus Communication 1753 L28BBBP uardPLC 1600 controller with Profibus DP Communication 1753 L32BBBM 8A uardPLC 1800 controller with Modbus Communication 1753 0B16 uardPLC 16 point Output Module 1753 OW8 uardPLC Relay Output Module 1754 L28BBB uardPLC 1200 Controller 1755 A6 uardPLC 2000 1 0 Chassis 1755 L1 uardPLC 2000 Controller 1755 HSC uardPLC 2000 High Speed Counter Module 1755 IB24X0B16 1755 IF8 uardPLC 2000 Analog Input Module G G G G G G G G 1753 L32BBBP 8A GuardPLC 1800 controller with Profibus DP Communication G