
ControlLogix SIL2 System Configuration Using RSLogix


Contents

1. [Figure: analog input termination board with reference voltages applied. Labels: Analog Input Module A; Analog Input Module B; Input Values from Termination-board-induced Reference Voltages; Reference Voltages; Terminal Block 1 and Terminal Block 2, Rows B and C; Output from 1756-OB16D Module Pair to Trigger Reference Tests = 1 (On); Two-wire Transmitters Operating at 24V DC in 4-20 mA Current Mode.] The dashed line represents the preferred method of wiring, that is, the use of two-sensor wiring. Note that this graphic represents only one of several possible field device inputs. Publication 1756-AT010B-EN-P, October 2008 (www.klinkmann.com). Chapter 2, Fault-tolerant System Hardware. Analog Input Termination Board Applies Reference Voltage to Each Channel: As depicted, the output from the 1756-OB16D module pair triggers the analog input termination board to switch from the field device voltages to the reference voltages. Each channel has a specific reference voltage applied. This table shows each channel and corre
2. [Figure: SIL2 fault-tolerant topology. Labels: 1492 Cable (six cables); 1756-OB16D Output Termination Board; Module Pair 1, Module Pair 2 and Module Pair 3, each with a Module A Relay and a Module B Relay.] Chapter B, SIL2 Fault-tolerant Topology. Appendix C, Fault-tolerant System Limitations. About This Appendix: This appendix describes the limitations of the fault-tolerant system. Topics: About Faults and Overall Fault-tolerance; Detecting System-side Versus Field-side Faults; Limits of Fault-detection from the 1756-OB16D; Termination Board Module Pair Faults. About Faults and Overall Fault-tolerance: The ControlLogix fault-tolerant system has been designed to identify system faults and, in most cases, continue to operate in the event of those faults. However the fault t
3. [Figure: DC input termination board. Labels: Input Module A and Input Module B, Input X Point Value = 1 (On); 1492 Cable to 1756-IB32 Module A; 1492 Cable to 1756-IB32 Module B; Diodes; Normally-closed Relay; Terminal Block A; Terminal Block B; Output from 1756-OB16D to Trigger Transition Test = 0 (Off); De-energize-to-Trip 24V DC Field Device.] Note that this graphic represents only one of several possible field device inputs. During normal operation, that is, when a diagnostic test is not in progress, the primary function of the termination board is to route one de-energize-to-trip sensor to the same two duplicate input points, one on each module of the 1756-IB32 pair. As shown in the diagram above, 24V DC field power is routed through the normally-closed relay. It then passes through a fuse and to the sensors connected to wiring terminals A and B. The on/off status is then routed through the isolating diodes and through the cables that connect the termination board to the input modules. 1756-IB32 DC Input Termination Board and Transition Tests: In the fault-tolerant system, diagnostic tests are carried out on the 1756-IB32 module pair. These diagnostic tests are called transition t
4. [Figure residue: 1756-OB16D Termination Board.] IMPORTANT: You must disable pulse tests on outputs of the 1756-OB16D module pair that are connected to input termination boards. 1756-OB16D Output Termination Board Relay Control: To control relays on the 1756-OB16D termination board, use at least two SIL2-certified output modules. The SIL2-certified modules available for use are listed here: • 1756-OB16I • 1756-OB8EI • 1756-OB32 • 1756-OB16D. The 1756-OBxx modules must be placed in the same chassis as the 1756-OB16D module whose relay it is controlling. For example, a 1756-OBxx module in chassis A should be placed and connected to control the relay of a 1756-OB16D module (one of the module pair) in chassis A. Use of 1756-OB16D Modules for Relay Control: If you use two 1756-OB16D modules to control the relays of an output termination board, make these considerations. IMPORTANT: Do not use the two 1756-OB16D modules used to control the output relays as a module pair. IMPORTANT: If you use 1756-OB16D modules to control the output termination board relays, you must disable pulse testing for those output points. Failing to disable pulse testing on output points designated to control termination board relays may result in unintended and potentially hazardous disconnects. Because you must use the 1756-OBxx
5. Some of these tags are used when constructing the main routine, while others are used to specify diagnostic behavior within the subroutines. Chapter 4, Configuring the Fault-tolerant System. Edit ModulePair Tags: After you have created your module pair tags, you must edit the resulting tags in order to specify the behavior of the diagnostic subroutine. For each type of module pair used, a different group of tag values must be edited. Some of the module pair tags require that values specified in this manual be used. The tags that have specific required values are described in the sections titled Required 1756-XXXX ModulePair Tag Values. For other module pair tag values, Rockwell Automation recommends values. However, depending on your application, you may choose to use values other than those provided in this manual. These tag values are described in the Recommended 1756-XXXX Tag Values sections. No matter which module pair type you are using, you must enter or edit all of the tag values, required and recommended, described here. Use the section specific to your module pair as a reference when editing the module pair tags. Sections: Editing 1756-IB32 ModulePair Tags; Required 1756-IB32 ModulePair Tag Values; Recommended 1756-IB32 ModulePair Tag Values; Editing 1756-IF16 ModulePair Tags; Required
6. [Figure: JSR (Jump To Subroutine) rungs with Routine Name IF16_Diagnostics, the second labelled "JSR instruction for 1756-IF16 module pair 2". Each rung lists Input Par and Return Par entries for its module pair tag (ChasPr1_Slot2_IF16 and ChasPr2_Slot2_IF16) and has a Run_ReferenceTest branch.] Chapter 4, Configuring the Fault-tolerant System. Editing the 1756-OB16D Call_Code Subroutine: This section describes how to edit the 1756-OB16D Call_Code subroutine for fault-tolerant applications. To edit the 1756-OB16D Call_Code subroutine, complete these tasks: Copy and Paste Rungs for Each 1756-OB16D Module Pair; Edit JSR Parameters for the 1756-OB16D Module Pair; Edit Elements of the 1756-OB16D Call_Code Routine. Copy and Paste Rungs for Each 1756-OB16D Module
7. Tag values table:

   | Tags | Values During Normal Operation, No Faults | Values After Module B Fault Detected | Values After Module A Fault Detected | Values After Faults Corrected and Fault Reset | Values After Circuit Reset |
   |---|---|---|---|---|---|
   | ConnectionFault_Module_A | 0 | 0 | 0 | 0 | 0 |
   | ConnectionFault_Module_B | 0 | 0 | 0 | 0 | 0 |
   | Chnl_OK_Module_A | 1 at each channel | 1 at each channel | 0 at affected channels | 1 at each channel | 1 at each channel |
   | Chnl_OK_Module_B | 1 at each channel | 0 at affected channels | 0 at affected channels | 1 at each channel | 1 at each channel |
   | ChnlFlt_RefTest_Module_A | 0 at each channel | 0 at each channel | 1 at affected channels | 0 at each channel | 0 at each channel |
   | ChnlFlt_RefTest_Module_B | 0 at each channel | 1 at affected channels | 1 at affected channels | 0 at each channel | 0 at each channel |
   | Chnl_Miscompare_Status | 0 at each channel | 0 at each channel | 0 at each channel | 0 at each channel | 0 at each channel |
   | Data | From modules A and B | From module A | As set for fault values | As set for fault values | From modules A and B |
   | ModulePair_Good | 1 | 0 | 0 | 1 | 1 |
   | Module_Pair_1oo1 | 0 | 1 | 0 | 0 | 0 |
   | ModulePair_Faulted | 0 | 0 | 1 | 0 | 0 |
   | Module_A_Faulted | 0 | 0 | 1 | 0 | 0 |
   | Module_B_Faulted | 0 | 1 | 1 | 0 | 0 |
   | Run_1oo1_Countdown | Preset | Counting down | Preset | Preset | Preset |

   Additional Resources: ControlLogix Digital I/O Modules User Manual, publication 1756-UM058. Troubleshooting a Fault-tol
8. [Figure: tag listing for the 1756-OB16D module pair ChasPr1_Slot3_OB16D. Members shown include the pulse test settings and results, CircuitReset, FaultReset, Run_PulseTest, the per-module connection fault and channel status tags, ModulePair_Good, ModulePair_1oo1, ModulePair_Faulted, Module_A_Faulted, Module_B_Faulted, Run_1oo1_Countdown and the relay tags.]
9. In addition to the identical duplicate remote I/O chassis, the fault-tolerant system also requires the use of specialized I/O termination boards. Each module pair is connected to a specialized termination board. Each termination board is wired to field devices such as sensors and actuators. [Figure: Remote I/O Chassis with Termination Boards. Labels: I/O Chassis A; I/O Chassis B; Device.] Chapter 1, The Fault-tolerant System Configuration. How Remote I/O Interacts with Termination Boards: The specialized termination boards have several functions related to remote I/O. The following are functions that all three types of termination boards provide: • Simplified connections from field devices to like modules in both chassis of the duplicate remote I/O chassis • Electrical isolation to prevent module channels from interfering with each other. In addition to the functions described above, functions specific to each type of I/O module are also provided. The following table identifies and describes I/O module-specific functions. I/O Module-specific Functions (I/O Module Type: Function). Input module: Executes diagnostic tests initiated by the control program. The tests help the system verify that the input modules are working as expected. Output module: On-board relays provide a secondary method of disconnect between the I/O modu
10. One example of a possible difference between fail-safe and fault-tolerant programming is shown in this example. Example: Fail-safe versus Fault-tolerant Program Rung. Fail-safe rung: inputs IB32_Module_Pair.ModulePair_1oo1, IF16_Module_Pair.ModulePair_1oo1, OB16D_Module_Pair.ModulePair_1oo1; output shutdown. Fault-tolerant rung: inputs IB32_Module_Pair.ModulePair_Faulted, IF16_Module_Pair.ModulePair_Faulted, OB16D_Module_Pair.ModulePair_Faulted; output shutdown. In the fail-safe rung, any faulted module results in a system shutdown, even though the second module of the pair is still functioning properly. As demonstrated in the fault-tolerant rung, the system shuts down only if both modules of the pair are faulted. If one module of the pair continues to function properly, that is, the module pair is operating 1oo1, the system continues to carry out the safety function. When programming a fail-safe system, reference the Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756-RM001, for more fail-safe programming techniques. Appendix D, Frequently Asked Questions. If I am configuring a fail-safe system, what parameters should I specify in the SIL2 Add-On Instructions for the input module pairs? Specify the same input parameters for the input module pairs as those shown in Chapter 4, page 57, for the fault-tolerant system. If I am configurin
11. Fault-tolerant Compared to Other SIL2 Configurations: Other ControlLogix SIL2 configurations, fail-safe and high-availability, are not fault-tolerant. Fail-safe Configuration: In the fail-safe system, if a fault occurs anywhere in the system, that is, in the controller, communications, or I/O, an Emergency Shutdown (ESD) occurs. The fail-safe configuration is further described in Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756-RM001, and is not shown here. High-availability Configuration: In the high-availability configuration, the controller and communication chassis are fault-tolerant, but the remote I/O is not. In the high-availability configuration, if a fault occurs in either the primary or secondary chassis, the system can continue to carry out the safety function. If a fault occurs in the remote I/O chassis of the high-availability configuration, the system fails to safe. See the High-availability Configuration graphic for a depiction of the division between the fault-tolerant and the fail-safe portions of the high-availability configuration. Chapter 1, The Fault-tolerant System Configuration. [Figure labels: Fault-tolerant Controllers and Communications; Overall Safety Loop; Sensor.] For example, if a fault occurs in the controller of the primary chassis, the safety system can continue to operate despite the fault. H
12. [Figure, shown twice: I/O Configuration tree. The local 1756 backplane holds a 1756-L63 controller and a 1756-CNBR/D ControlNet module. On ControlNet, chassis Pr1_ChA and Pr1_ChB each hold a 1756-CNBR/D in slot 0, a 1756-IB32/B in slot 1 (Pr1_ChA_Slot1, Pr1_ChB_Slot1), a 1756-IF16 in slot 2 (Pr1_ChA_Slot2, Pr1_ChB_Slot2), a 1756-OB16D in slot 3 (Pr1_ChA_Slot3, Pr1_ChB_Slot3) and a 1756-OB16D in slot 4 for relay control (Pr1_ChA_OutputA_RelayControl, Pr1_ChB_OutputB_RelayControl). The first copy is paired with the module pair tag ChasPr1_Slot2_IF16 (IF16_ModulePair), the second with ChasPr1_Slot3_OB16D (OB16D_ModulePair, OB16D_In, OB16D_InOut).]
13. [Figure: JSR rung with Routine Name IB32_Diagnostics and Input Par and Return Par entries for the ChasPr1_Slot1_IB32 module pair, with the callout "Rung that initiates the transition test when the bit is on" on the branch that references the Run_TransitionTest tag of ChasPr1_Slot1_IB32 and a Data point of ChasPr1_Slot3_OB16D.] If the Run_TransitionTest bit for the module pair is on, an output of the 1756-OB16D module pair that triggers the transition test is turned on. You must edit the Examine On instruction so that it references the Run_TransitionTest tag for the module pair. You must also specify which point of the 1756-OB16D module pair opens the normally-closed relay on the 1756-IB32 termination board. This is how the transition test of the module pair is initiated. Chapter 4, Configuring the Fault-tolerant System. Example of IB32_Call_Code with Completed Edits: This example depicts how the completed IB32_Call_Code subroutine would appear if four 1756-IB32 module pairs were used in the fault-tolerant system. Example: IB32_Call_Code Subroutine with Four Module Pairs. JSR instruction for 1756-IB32 module pair 1: JSR, Jump To Subroutine, Routine Name IB32_Diag
14. boards. Each type of module pair, input and output, has different requirements for termination board relay control. 1756-IB32 Input Termination Board Relay Control: In order to establish high availability for the execution of transition tests, the relay on the DC input termination boards is controlled by an output from the 1756-OB16D module pair. The signal from this output is used to initiate transition tests. [Figure: DC Input Termination Board Relay Control. Labels: Chassis A (Input Module A; 1756-OB16D To Control Input Module Relay); Chassis B (Input Module B; 1756-OB16D To Control Input Module Relay); DC Input Termination Board; 1756-OB16D Termination Board; Input Relay Control Connection.] IMPORTANT: You must disable pulse tests on outputs of the 1756-OB16D module pair that are connected to input termination boards.
15. the same channel on two separate input modules of the pair. Two-sensor wiring should be used when two sensor signals are routed through the board to the same two separate channels, one on each module of the pair. [Figure: One- and Two-Sensor Wiring. One-sensor wiring: a single sensor wired through the termination board to A and B. Two-sensor wiring: Sensor A and Sensor B wired through the termination board to A and B.] The default of DIP switches on the termination board is to one-sensor wiring. You may choose to use a combination of one- and two-sensor wiring on the analog termination board. IMPORTANT: If you use one-sensor wiring, you must configure the 1756-IF16 module pair reference tests to occur more frequently than the safety response time of your application. For information about configuring the reference tests, see the section Recommended 1756-IF16 ModulePair Tag Values on page 80. Use the diagrams below as a reference when using the DIP switch to set one- or two-sensor wiring. [Figure: 1492-TAIFM16-F-3 Analog Input Termination Board DIP Switch Designations. Four switch groups for channels 0-3, 4-7, 8-11 and 12-15, each channel set at one-sensor wiring. On = One Sensor; Off = Two Sensor.] Chapter 2, Fault-tolerant System Hardware. 1756-IF16 Module Pair Reference Tests: The 1756-IF16 diagnostic tests are called reference tests. The results
16. Table of Contents (continued). Chapter 5: About This Chapter; Programming the Main Routine; Relationship Between Main Routine and Diagnostic Subroutines; Basic Input/Output Programming; I and O Data in Fault-tolerant Programming; Example Input/Output Rung; Module Pair Fault to Result in System Shutdown; Fault Reset Programming; Circuit Reset Programming; Circuit Reset Programming Considerations; Programming for a Demand on the System; Demand Made Through a 1756-IB32 Module Pair; Demand Made Through a 1756-IF16 Module Pair; Power-up Sequence; Additional Resources. Chapter 6: About This Chapter; Identifying a Faulted Module Pair; Example of Programming to Identify a Faulted Module Pair; Identifying a Faulted Module; Replacing a Faulted 1756-IB32 Module; 1756-IB32 ModulePair Tags to Identify the Type of Module Fault; 1756-IF16 ModulePair Tags to Identify the Type of Module Fault; 1756-OB16D ModulePair Tags to Identify the Type of Module Fault
17. 1756-IF16 ModulePair Tag Values; Recommended 1756-IF16 ModulePair Tag Values; Editing 1756-OB16D ModulePair Tags; Required 1756-OB16D ModulePair Tag Values; Recommended 1756-OB16D ModulePair Tag Values. Chapter 4, Configuring the Fault-tolerant System. Editing 1756-IB32 ModulePair Tags: Once the 1756-IB32_ModulePair tags have been generated, these tags specific to the 1756-IB32 module pair result. Located within this group of tags are those you must edit in order to specify system behavior for the 1756-IB32 module pair. [Figure: tag listing for ChasPr1_Slot1_IB32 (data type IB32_ModulePair) with its DINT and TIMER members, annotated with three callouts. Callout 1: Tag values required. See the Required 1756-IB32 ModulePair Tag Values for values. Callout 2: Tag values recommended. See the Recommended 1756-IB32 ModulePair Tag Values for recommended values and descriptions. Callout 3: Do not edit these tag values; they are set by the main routine and diagnostic subroutine when the program is running.]
18. 2 • RSLogix 5000 software, version 15 or later • Routines specific to each type of module pair used. While the fault-tolerant routines can be used with RSLogix 5000 software, version 15 or later, if you are using RSLogix 5000 software, version 16 or later, you may instead choose to use specialized Add-On Instructions available from Rockwell Automation. For more information about the SIL2 fault-tolerant Add-On Instructions, see the ControlLogix SIL2 Fault-tolerant Configuration Application Technique manual, publication 1756-AT012. That manual contains information specific to the configuration and use of the SIL2 fault-tolerant Add-On Instructions. Chapter 1, The Fault-tolerant System Configuration. Additional Resources (Resource: Description). ControlLogix Redundancy System User Manual, publication 1756-UM523: This user manual explains how to design, install, configure, and troubleshoot a redundant ControlLogix system. Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756-RM001: This safety reference manual provides information regarding ControlLogix components for use in SIL2 applications. Topics include hardware, software, and programming components. ControlLogix Fault-tolerant SIL2 Configuration Using Add-On Instructions Application Technique, publication 1756-AT012: The application technique manual describes how to configure and program a fault tolera
19. [Figure: DC input termination board. Labels: Terminal Block A; Terminal Block B; Output from 1756-OB16D Module Pair to Trigger Transition Test = 1 (On); De-energize-to-Trip 24V DC Field Device.] Note that this graphic represents only one of several possible field device inputs. Chapter 2, Fault-tolerant System Hardware. 1756-IF16 Analog Input Termination Board: The specialized analog input termination boards have these hardware features: • On-board fusing with status indicators • Easy-to-use wiring terminals • On-board reference voltages and solid-state switches for diagnostic tests • Pre-wired cables for use from termination board to I/O module • DIP switch selection for easy use of one- or two-sensor wiring. [Figure: Analog Input Termination Board for Use with 1756-IF16 Input Modules. Labels: DIP switches used to specify the use of 1 or 2 sensors; On-board Fuses; Port for 1492-ACABLEXXXUA Pre-wired Cable (two ports); Wiring Terminals for Field Devices.]
20. [Figure: MOV instructions with callouts. Callout: Specify the Run_PulseTestResult_Module_A tag for your 1756-OB16D module pair. Callout: Specify the MSG tag EXERR for the 1756-OB16D module in chassis B. Move: Source Pr1_ChasB_Slot3_MSG.EXERR (16#0000_0000), Dest ChasPr1_Slot3_OB16D.IO.PulseTestResult_Module_A. Callout: Specify the Run_PulseTestResult_Module_ tag for your 1756-OB16D module pair.] Chapter 4, Configuring the Fault-tolerant System. 2. In the second and third rungs for the module pair, edit the instruction tags as described in this graphic. These rungs contain programming that initiates the power disconnect of a faulted 1756-OB16D module. [Figure: two rungs with callouts. Rung for module A: ChasPr1_Slot3_OB16D.O.Relay_Module_A drives Pr1_ChA:4:O.Data.13. Callouts: Specify the Relay_Module_A tag for your 1756-OB16D module pair; specify the output point that controls the termination board relay for module A of your module pair. Rung for module B: ChasPr1_Slot3_OB16D.O.Relay_Module_B drives Pr1_ChB:4:O.Data.13. Callouts: Specify the Relay_Module_B tag for your 1756-OB16D module pair; specify the output point that controls the termination board relay for module B of your module pair.] 3. In the first rung, edit the MSG instructions to use data specific to your 1756-OB16D module pair. You must edit each of the two MSG instructions. Edit one MSG instruction to message module A and the other to message module B of the 1756-OB16D module pair. To edit a MS
21. [Figure (caption ends "Operation"): analog input termination board. Labels: Analog Input Module A; Analog Input Module B; Input Values from Field Devices, all configured for 0-5V operation; Solid-state switch controlled by DC output; Reference Voltages; DIP Switch for Sensor Wiring; Precision 249 Ω Resistor; Terminal Block 1 and Terminal Block 2, Rows B and C; Output from 1756-OB16D Module Pair to Trigger Reference Tests = 0 (Off); Two-wire Transmitters Operating at 24V DC in 4-20 mA Current Mode.] The dashed line represents the preferred method of wiring, that is, the use of two-sensor wiring. Note that this graphic represents only one of several possible field device inputs. Chapter 2, Fault-tolerant System Hardware. One-sensor or Two-sensor Wiring Option: The DIP switches located at the top of the analog input termination board are used to specify one- or two-sensor wiring. One-sensor wiring should be used when one field sensor signal is being routed to
22. Pair. To add a JSR instruction for a module pair, complete the following steps. 1. Open the Subroutine_Call_Code routine specific to the module pair type. The example program ladder logic displays. [Figure: example ladder logic for a sample 1756-OB16D module pair, showing the pulse test MSG instructions, MOV instructions that take the MSG EXERR values as their source, the relay rungs, and a JSR (Jump To Subroutine) with its Input Par entries.]
23. Parameters

   | Parameter | Use Tag | Description |
   |---|---|---|
   | Input Par | ModuleAName X | System-generated input (I) tags for module A of the pair. |
   | Input Par | ModuleBName X | System-generated input (I) tags for module B of the pair. |
   | Input Par | ModulePairName | ModulePair input (I) tags that contain module pair behavior data for both modules of the pair. |
   | Input Par | ModulePairName.IO | Tags that contain module pair diagnostic status data for the module pair. |
   | Input Par | ModulePairName.O | Tags containing the reconciled data, that is, resulting data that has been processed by the diagnostic subroutine for the module pair. |
   | Return Par | ModulePairName.IO | Tags that contain module pair diagnostic status data for the module pair. |
   | Return Par | ModulePairName.O | Tags containing the reconciled data, that is, resulting data that has been processed by the diagnostic subroutine for the module pair. |

   Table title (continued on the next page of the manual): 1756-IB32 Module Pair Tags for Use as JSR Parameters. Chapter 4, Configuring the Fault-tolerant System. Edit Other Rung Elements for the 1756-IB32 Module Pair: For each 1756-IB32 module pair, you must also edit the branch associated with the JSR instruction. This branch simply initiates the module pair's transition test when the transition test bit is on. [Figure: Other IB32 Subroutine Elements to Edit. Label: JSR, Jump To Subroutine.]
24. Chapter 2, Fault-tolerant System Hardware. 1756-IF16 Analog Input Termination Board Switch Control: In order to establish high availability for the execution of reference tests, the switch on the analog input termination boards is controlled by an output from the 1756-OB16D module pair. The signal from this output is used to initiate reference tests. [Figure: Analog Input Termination Board Relay Control. Labels: Chassis A (Analog Input Module A; 1756-OB16D To Control Input Module Relay); Chassis B (Analog Input Module B; 1756-OB16D To Control Input Module Relay); Cable to Input Module; Cable to DC Input Termination Board; Cable from Output Module; Output to Control Switch on Termination Board.]
25. RSLogix 5000 software to program Logix5000 controllers. ControlLogix Controllers User Manual, publication 1756-UM001: This manual explains the general use of ControlLogix controllers. ControlLogix Redundancy System User Manual, publication 1756-UM523: This user manual explains how to design, install, configure, and troubleshoot a redundant ControlLogix system. Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756-RM001: This safety reference manual provides information regarding ControlLogix components for use in SIL2 applications. Topics include hardware, software, and programming components. You can view or download Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative. Chapter 3, Fault-tolerant Program Elements. Chapter 4, Configuring the Fault-tolerant System. About This Chapter: This chapter describes procedures for configuring your fault-tolerant system. Topics: Before You Begin; Add the Remote I/O Chassis to the I/O Configuration Tree; About System-generated Tags; Specify
26. Table of Contents (continued)

- Using Resets
  - When to Use the Fault Reset
  - When to Use Circuit Resets
- Examples of Faults and Resulting Tag Values
  - 1756-IB32 Module Pair, One Module Faulted
  - 1756-IF16 Module Pair, One Module Faulted and Removed
  - 1756-IF16 Module Pair, Two Modules Faulted
- Additional Resources

Appendices: SIL2 Remote I/O Fault-tolerance Tags; SIL2 Fault-tolerant Topology; Fault-tolerant System Limitations; Frequently Asked Questions

Appendix A
- About This Appendix
- 1756-IB32 ModulePair Tags
  - 1756-IB32 ModulePair Tags for System Behavior
  - 1756-IB32 Module Status Tags
  - 1756-IB32 ModulePair Tags for Use in Programming
  - 1756-IB32 Hidden Tags, Not for Use
- 1756-IF16 ModulePair Tags
  - 1756-IF16 ModulePair Tags for System Behavior
  - 1756-IF16 Module Status Tags
  - 1756-IF16 ModulePair Tags for Use in Programming
  - 1756-IF16 Hidden Tags, Not for Use
- 1756-OB16D Module Pair Tags
  - 1756 OB16D ModulePai
27. Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.

Chapter 3: Fault-tolerant Program Elements

About This Chapter

This chapter describes some of the elements of the fault-tolerant program provided by Rockwell Automation. The concepts of this chapter should be understood before you configure your system.

Topics:
- Overview of the Program Elements
- Main Routine
- Diagnostic Subroutines
- Call_Code Subroutines
- Function of the Program Elements
- Program Elements Provided
- States of the System
- IB32_Diagnostics Subroutine
- IF16_Diagnostics Subroutine
- IF16_RefCal Subroutine
- OB16D_Diagnostics Subroutine
- Data Flow Between Program Elements
- Additional Resources

Overview of the Program Elements

The following sections provide an overview of the main elements used in the programming for a SIL2-certified fault-tolerant system.

Main Routine

The main routine of the program is user-programmed based on the requirements for the SIL2 system being implemented. It uses data processed
28. Columns: Tag Name; Description; Value; Required or Recommended.

Tag Name: Safety_Input_Select
Description: Use to select or deselect the inputs that are used for safety functions.
Value: 1 at each point
Required or Recommended: Required

Tag Name: Miscompare_Test_Limit
Description: Defines the number of times a miscompare between points is permitted before a fault is declared.
Value: 40
Required or Recommended: Recommended

Tag Name: IO.ModulePair_Good_Testinterval
Description: Time, in ms, between transition tests. The program uses this value when the module pair is without faults.
Value: 86400000 (24 hours)
Required or Recommended: Recommended

Tag Name: IO.ModulePair_1oo1_TestInterval
Description: Time, in ms, between transition tests if the module pair is operating in a 1oo1 configuration. The program uses this value when a fault is present on one module of the pair.
Value: 3600000 (1 hour)
Required or Recommended: Recommended

Tag Name: IO.TimeToRun_1oo1.PRE
Description: User-defined time, in ms, for the 1oo1 countdown timer, that is, the repair time.
Value: 28800000 (8 hours)
Required or Recommended: Recommended

Tag Name: IO.TransitionTest_Low_Delay.PRE
Description: Amount of time, in ms, delayed to allow the inputs to transition from high to low before checking the results of the transition test. The amount of time to delay should be determined by adding your program scan time to the NUT. For example, if your total program scan time is 80 ms and your NUT is 20 ms, you should set your TransitionTest_Low_Delay value to 100 ms.
Value: 100 (footnote 2)
Required or Recommended: Recommended

Tag Name: IO.TransitionTest_High_Delay.PRE
Description: Amount of time, in ms, delayed to allow inputs to transition to high before normal
29. accessed or altered. You cannot see these tags; however, in order to avoid potential conflicts within the program, you should not create tags with the same names. When creating tags for your application, do not use these tag names.

1756-OB16D Tags Unavailable for Use
- DataCompareTestEn
- L Scrl4
- OneShot_Bits
- QualityMask1
- QualityMask2
- FaultResetTimer

Appendix B: SIL2 Fault-tolerant Topology

About This Appendix

This appendix provides considerations for use when planning your fault-tolerant I/O system. It also includes an example layout of a fault-tolerant system.

Topics:
- Planning Considerations
- 1756-OB16D Module Pair Arrangement

Planning Considerations

Remember these considerations when planning and laying out your fault-tolerant system.

Fault-tolerant System Planning Considerations

For module type: 1756-IB32 module pair. Make these considerations:
- Use 1492-CABLEXXXZ cables to connect the 1756-IB32 module pair to the input termination board.
- Connect one 1756-OB16D module pair output point to the termination board wiring terminal. This output point is used to control the relay on the DC input termination board. This output point, because it controls the relay on the termination board, triggers transition tests on
30. and outputted by the diagnostic subroutines to determine system behavior. For more information about programming the main routine, see Chapter 5, Programming the Fault-tolerant System, on page 47.

Diagnostic Subroutines

The program supplied by Rockwell Automation contains diagnostic subroutines that must be used to monitor, process, and reconcile data from the input and output module pairs. The data that the subroutines produce is used in the main routine. Fully programmed diagnostic subroutines are provided in the program and must be run for each module pair in the system. For each type of I/O module certified for use in the SIL2 fault-tolerant system, a diagnostic subroutine is provided.

Module-specific Diagnostic Subroutines

Module Cat. No.: 1756-IB32. Diagnostic Subroutine Name: IB32_Diagnostics
Module Cat. No.: 1756-IF16. Diagnostic Subroutine Name: IF16_Diagnostics
Module Cat. No.: 1756-OB16D. Diagnostic Subroutine Name: OB32_Diagnostics

These subroutines are visible in the configuration tree; however, because these diagnostic subroutines are protected, you cannot access or alter them.

Diagnostic Features of Subroutines

The specialized application programming developed by Rockwell Automation executes all of the diagnostic checks and tests described in Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756-RM001. Additionally, the specialized application programming executes tests that are specific only
31. are applied to input channels and the IF16_Diagnostic subroutine verifies that the values returned by the input module match those applied, within the deadband.

required tag values: ModulePair tag values provided by Rockwell Automation that must be used and are not application dependent. Where required tag values are specified, no other values may be used.

safety integrity level (SIL): A SIL is a level in the IEC rating system used to specify the safety integrity requirements of a safety-related control system. SIL1 is the lowest level and SIL4 is the highest. For more information about SIL specifications, see IEC publication 61508-1, General Requirements.

SIL: See safety integrity level (SIL).

stuck-at-one condition: Also called stuck-at-high, this is a condition where a digital input point cannot change from the value of 1, or high, to 0 (low).

system-generated tags: Tags that are created by RSLogix 5000 software when you configure your I/O configuration tree.

test state: In the fault-tolerant system, this is the state where diagnostic tests, that is, transition tests or reference tests, are being carried out and the program is operating on last known and verified data.

transition test: A type of diagnostic test that is run on the inputs of the 1756-IB32 DC input modules. During the transition test, the termination board changes the input point values from 1 (ON) to 0 O
32. data to the diagnostic subroutine for each module pair
- other programming that initiates diagnostic tests, that is, transition and reference tests, for the module pair

Function of the Program Elements

When configured and programmed properly, the program elements function as depicted here.

[Figure: Overview of Fault Tolerant Program. Labels: Main Routine; Module Status Data; IB32, IF16 and OB16D Subroutine_Call_Code, each with a JSR for Module Pair 1 and a JSR for Module Pair 2; Input Parameters; IB32_Diagnostics, IF16_Diagnostics and OB16D_Diagnostics subroutines (Processes Data).]

Program Elements Provided

The fault-tolerant program you receive from Rockwell Automation provides all of the elements described above. The following graphic shows how these elements will appear in the RSLogix 5000 configu
33. expired annunciates that the user-defined repair time has elapsed. The repair time is specified in tag TimeToRun_1oo1. The system will continue to run in a 1oo1 configuration after the repair time has elapsed. The value in the tag FaultReset can be toggled to restart the timer.

Module status: When the system is operating in a 1oo1 configuration, the OB16D_Diagnostics subroutine provides module status information that is useful for troubleshooting the faulted module.

When operating in a 1oo1 state, the pulse test frequency does not increase in the same manner that transition and reference tests do for the input modules. The pulse test continues to be carried out at the frequency specified in the tag PulseTest_Interval_PerChnl.

Data Flow Between Program Elements

It is important for you to understand how data flows in the fault-tolerant program, especially as you complete your system configuration and programming. The graphic below provides a view of how data flows and is processed by the fault-tolerant program elements.

Within the fault-tolerant system, data from both input modules of a pair is processed by the diagnostic subroutines. It is processed and made available in controller tags as one tag that reflects the values provided by both module pairs, called reconciled data. The data made available by the input diagnostic subroutine is
34. in the module data tags: 1756-IB32 module data tags fault values are 0, and 1756-IF16 fault values are those specified in the ModulePair tags ChnlValues_at_Fault. Using the circuit reset, if programmed as described in Chapter 5 in the section titled Circuit Reset Programming on page 111, the faulted data values are cleared and the system uses the sensor data from the modules.

Examples of Faults and Resulting Tag Values

These examples show how the ModulePair tags appear before and after a certain module fault occurs. Each column of the tables indicates what action has taken place. The tags listed in the rows of the columns indicate the tag values after the action has occurred.

1756-IB32 Module Pair, One Module Faulted

In this example, module A of the 1756-IB32 module pair has a stuck-at-one condition caused by an internal short. The stuck-at-one condition is detected during the next transition test. This table shows which tag values change from the time the transition test detects the fault to the point when the fault is cleared and the system is operating using data from the repaired module.

Tag Values After a Stuck-At-One Condition Detected on a 1756-IB32 Module

Columns: Tag; Values During Normal Operation; Values After Fault Detected; Values After Faults Repa
35. is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual. Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

Allen-Bradley, ControlLogix, TechConnect, RSLogix 5000, RSNetWorx for ControlNet, Rockwell Automation, and RSLinx are trademarks of Rockwell Automation, Inc. Trademarks not belonging to Rockwell Automation are property of their respectiv
36. maximum pulse test width and is specified in 100 µs increments.
Value: 20 (2 ms)

Tag Name: IO.PulseTest_Settings[8]
Description: Sets the amount of time, in 100 µs increments, for the delay between the end of the pulse test and the declaration of a fault.
Value: 20 (2 ms)

Recommended 1756-OB16D ModulePair Tag Values

In these tags, the values listed are recommended, but not required. You may choose to alter these values to suit your application; however, you must enter a value for each of the tags listed.

Tag Name: IO.PulseTest_Chnl_Select
Description: Use to enable or disable the execution of pulse tests on points of the output module pair.
Value: 1 = Pulse test enabled; 0 = Pulse test disabled

Tag Name: IO.PulseTest_Interval_PerChnl.PRE
Description: Time, in ms, between pulse tests on individual output points. The total time it takes for pulse tests to be carried out on all points of the module pair is this value multiplied by the number of outputs. This is true even when pulse tests are disabled for any of the points. For example, when 5 s is the PulseTest_Interval_PerChnl value, the total time required for all of the outputs to be pulse tested is 80 seconds, that is, 16 points x 5 s = 80 s.
Value: 5000 (5 s)

Tag Name: IO.TimeToRun_1oo1.PRE
Description: Preset value for the 1oo1 countdown timer, in ms.
Value: 28800000 (8 hours)

Pulse tests must be disabled for outputs used to trigger diagnostic tests, that is, transition or reference tests, on input module pairs and outputs used t
37. may use any of the I/O modules listed in the Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756-RM001.

SIL2 Diagnostic Subroutine Requirements: No. If you are using the diagnostic subroutines, you can use only the I/O modules listed in Chapter 2 on page 21.

This section answers frequently asked questions specific to the programming requirements of fault-tolerant and fail-safe systems. Unlike the previous frequently asked question sections, these questions are specific to the use of the diagnostic subroutines and, being so, the answers are not categorized.

Can I use the diagnostic subroutines to implement a SIL fail-safe system?

Yes. As long as you use the diagnostic subroutines with the required hardware, you can use the diagnostic subroutines to implement a fail-safe system. If you use the diagnostic subroutines to implement a fail-safe system, you must adapt your program to go to the safe state in the event of a fault. For more information about programming for a fail-safe system, see the next question.

How is programming for a fail-safe system different than programming for a fault-tolerant system?

The difference between fail-safe and fault-tolerant programming is in the programmed response to a fault in the system. There are multiple possibilities for system responses to faults that may occur
38. module pairs and outputs used to control relays on output termination boards.

1756-OB16D Module Status Tags

The module status tags are used in several ways. Uses include:
- in the main routine, to determine system behavior
- in the subroutine, to determine and report module pair status
- in conjunction with HMI and other indicators of system status

1756-OB16D Module Status Tags

Tag Name: ConnectionFault_Module_A
Description: Indicates the status of the connection to module A. 1 = Connection lost; 0 = Connection good

Tag Name: ConnectionFault_Module_B
Description: Indicates the status of the connection to module B. 1 = Connection lost; 0 = Connection good

Tag Name: Chnl_OK_Module_A
Description: Bit-level indicators of what points are operating without fault on module A. 1 = Point is functional; 0 = Point is faulted

Tag Name: Chnl_OK_Module_B
Description: Bit-level indicators of what points are operating without fault on module B. 1 = Point is functional; 0 = Point is faulted

Tag Name: ChnlFlt_PulseTest_Module_A
Description: Bit-level indicators of points on module A that have failed the pulse test. 1 = Point faulted; 0 = Point is not faulted

Tag Name: ChnlFlt_PulseTest_Module_B
Description: Bit-level indicators of points on module B that have failed the pulse test. 1 = Point faulted; 0 = Point is not faulted

Tag Name: Chnl_Grounded_Module_A
Description: Bit-level indicators that i
39. of time, in ms, delayed to allow the inputs to transition to the field signal values before normal operation is resumed. This value should be equal to or greater than your analog module pair's RTS rate.
Value: 500 (footnote 4)
Required or Recommended: Recommended

(1) If changes are made to the ChnlCompare_Deadband or to the ReferenceTest_Deadband tag values after the initial fault-tolerant program is downloaded to and running on the controller, then you must press fault reset so that the IF16_RefCal subroutine is carried out and the new deadband values are implemented. The changes to these tags are not implemented into the program until the IF16_RefCal subroutine is run.

(2) Unused safety input channels cannot be used for any other purposes, that is, they cannot be used as nonfault-tolerant I/O channels. We recommend that you configure unused channels for voltages of 0-5V and then jumper or ground unused channels to keep channel values within range.

(3) The value of four is strongly recommended in order to avoid nuisance trips as well as to provide a timely safety response. If you choose to specify a value lower than four, your system may experience nuisance trips. However, you may choose to lower the value in order to decrease the amount of time between a fault and the system response. Setting a value larger than four is not recommended, as the response to a fault may be too long for most safety applications.

(4) When specifying your SwitchToRefValue_Delay and SwitchToSignal_
40. Table of Contents (continued)

- or Two-sensor Wiring Option
- 1756-IF16 Module Pair Reference Tests
- 1756-OB16D Diagnostic Output Termination Board Features
- Normal Operation of the 1756-OB16D Diagnostic Output Termination Board
- Diagnostic Tests and the 1756-OB16D Output Termination Board
- Termination Board Relay Control
- 1756-IB32 Input Termination Board Relay Control
- 1756-IF16 Analog Input Termination Board Switch Control
- 1756-OB16D Output Termination Board Relay Control
- Input Module Diagnostic Test Control
- Hardware and Programming
- Additional Resources

Chapter 3: Fault-tolerant Program Elements
- About This Chapter
- Overview of the Program Elements
- Main Routine
- Diagnostic Subroutines
- Diagnostic Features of Subroutines
- Call_Code Subroutines
- Function of the Program Elements
- Program Elements Provided
- States of the System
- Normal State
- Test State
- lo
41. pair, you must edit the JSR parameters and other elements of the rungs.

Edit JSR Parameters for the 1756-IF16 Module Pair

The JSR instruction for the 1756-IF16 diagnostic routine uses six input parameters and two return parameters. You must edit these parameters so that the tags specific to your 1756-IF16 module pairs are used. Also, remember to edit a JSR instruction for each 1756-IF16 module pair in your system. For example, if your system has two 1756-IF16 module pairs, you must edit each of the two JSR instructions to use parameters specific to one 1756-IF16 module pair.

[Figure: 1756-IF16 Module Pair JSR Parameters. A JSR (Jump To Subroutine) instruction with Routine Name IF16_Diagnostics, annotated with two columns of callouts, About the Data Used and About the Tags Used.]

About the Data Used: Data from module inputs. About the Tags Used: The tags used for these input parameters are system-generated tags that were created when you configured your 1756-IF16 modules.

About the Data Used: Data specified for system behavior. About the Tags Used: The tags used for these input parameters are the tags that were generated when you created the ModulePair type tags.

About the Data Used: Data from diagnostic subroutine. About the Tags Used: The diagnostic subroutine returns data to these tags that were generated when you created the ModulePair type tags.

Use the following table as a reference when editing your 1756 IF16 JSR p
42. results in all points going to zero (low). If you remove a swing arm, even in a 1oo1 state where a point-level fault exists, all of the unfaulted points go to zero (low). Then, because the unfaulted points that continue to be compared by the subroutine go to zero (low), a shutdown due to a miscompare occurs. For more information about repairing or replacing a 1756-IB32 module that has point-level faults, see Replacing a Faulted 1756-IB32 Module on page 121.
- one module of the pair is faulted due to a communication fault and the system is operating using only data from the unfaulted module.

[Figure: 1oo1 Due to a Point or Channel Fault. Module A: points 0 and 31 faulted, points 1...30 OK. Module B: points 0...31 OK. Faulted points are marked No Compare; the remaining points are under Point Comparison.]

Faulted State

If one or more point-level or channel-level faults are present on both modules of a pair, a faulted state occurs and the system shuts down. The faulted state occurs even if the faulted points or channels on the two modules of the pair are different.

[Figure: Faulted Due to Faults on Each Module of the Pair. Module A: point 2 faulted. Module B: point 0 faulted.]
43. that is, the I.Data tags for each module pair are cleared of the faulted state data and reset to use the sensor data of the modules. This programming restarts the outputs and therefore the system.

The reset of the IO.CircuitReset tag for the 1756-IB32 and 1756-IF16 modules results in ModulePair.O data once again reflecting sensor data from the input modules. The reset of IO.CircuitReset for the 1756-OB16D module results in ModulePair.O tags once again reflecting the system-requested values of the outputs.

Circuit Reset Programming Considerations

When programming your circuit reset input, these considerations must be made:
- Use an input point that is not a part of the fault-tolerant module pair inputs, that is, use an input module that is separate from the fault-tolerant system.
- Program the circuit reset for all of the module pairs by using an Output Energize (OTE) instruction with each ModulePair.IO.CircuitReset tag.
- You do not need to program the circuit reset to be anti-tie down, as the programming is already present in the diagnostic subroutines.

Use this example as a reference when programming your fault reset input.

[Figure: Circuit Reset Programming. Callout: Specify the point of a standard input module connected to the circuit reset button as Circuit_Reset.]

Use
44. that provide the operational status of individual modules within the module pair.

ModulePair tags: Tags of a User-defined Data Type (UDT) created specifically for fault-tolerant SIL2 applications. The ModulePair tags are used to specify diagnostic behavior, program system responses, and monitor the status of the I/O modules.

nonfault-tolerant SIL2-certified modules: Modules that are certified for use in SIL2 systems, for example, fail-safe and high availability, but are not certified for use in fault-tolerant systems.

normal state: Also called normal operation, this term denotes the state of the system or module when diagnostic tests are not being carried out, nor are any of the modules faulted, for example, when the system is operating 1oo1.

recommended tag values: ModulePair tag values that Rockwell Automation provides recommended values for. However, you may choose to specify different values based upon your application.

redundant controller chassis: A set of chassis that contain controllers and communication modules that constantly check each other and function as backups for each other if a fault occurs on the controller or communication modules.

reference test: A type of diagnostic test that is run on the inputs of the 1756-IF16 analog input modules. During the reference test, reference voltages
45. the Recommended 1756-OB16D ModulePair Tag Values for recommended values and descriptions.

Tag values required. See the Required 1756-OB16D ModulePair Tag Values for these values.

Do not edit these tag values; they are set by the main routine and diagnostic subroutine when the program is running.

Editing 1756-OB16D ModulePair Tags

Once the 1756-OB16D_ModulePair tags have been generated, these tags specific to the 1756-OB16D module pair result. Located within this group of tags are those you must edit in order to specify system behavior for the 1756-OB16D module pair.

[Figure: RSLogix 5000 tag listing for ChasPr1_Slot3_OB16D. Members shown include Safety_Outputs_Select, IO.PulseTest_Chnl_Select, IO.PulseTest_Interval_PerChnl, IO.TimeToRun_1oo1, IO.OneShot_Bits, IO.PulseTest_Settings, IO.PulseTestResult_Module_A, IO.PulseTestResult_Module_B, IO.CircuitReset, IO.FaultReset, IO.Run_PulseTest, IO.ConnectionFault_Module_A and IO.ConnectionFault_Module_B.]
46. the tags that were generated when you created the ModulePair type tags for the 1756-OB16D module pair.

The diagnostic subroutine returns data to these tags that were generated when you created the ModulePair type tags.

The diagnostic subroutine returns data to these system-generated tags that were created when you configured your 1756-OB16D modules.

Use the following table as a reference when editing your 1756-OB16D JSR parameters.

1756-OB16D Module Pair Tags for Use as JSR Parameters

Parameter: Input Par. Tag: ModuleAName:X. Description: System-generated input (I) tags for module A of the pair.
Parameter: Input Par. Tag: ModuleBName:X. Description: System-generated input (I) tags for module B of the pair.
Parameter: Input Par. Tag: ModuleAName:X:O. Description: System-generated output (O) tags for module A of the pair.
Parameter: Input Par. Tag: ModuleBName:X:O. Description: System-generated output (O) tags for module B of the pair.
Parameter: Input Par. Tag: ModulePairName. Description: ModulePair input (I) tags that contain module pair behavior specification data for both modules of the pair.
Parameter: Input Par. Tag: ModulePairName.IO. Description: ModulePair tags that contain diagnostic status data for both modules of the pair.
Parameter: Input Par. Tag: ModulePairName.O. Description: Tags containing data output from the diagnostic subroutine.
Parameter: Return Par. Tag: ModulePairName.IO. Description: ModulePair tags that contain diagnostic status data for both modules of the pair.

Next Steps

Additional Resources

Re
47. the 1756-IB32 module pair.

For module type: 1756-IF16 module pair. Make these considerations:
- Use 1492-ACABLEXXXUA cables to connect the 1756-IF16 module pair to the analog input termination board.
- Connect one 1756-OB16D module pair output point to the termination board wiring terminal. This output point is used to control the switch on the analog input termination board. This output point, because it controls the termination board switch, is used to trigger reference tests on the 1756-IF16 module pair.

Fault-tolerant System Planning Considerations (continued)

For module type: 1756-OB16D module pair. Make these considerations:
- Use 1492-CABLEXXXZ cables to connect the 1756-OB16D module pair to an output termination board.
- Use two 1756-OBXX2 modules to control relays on the output termination board. Connect an output from a 1756-OBXX2 module to the termination board. This output point is used to control the relay for 1756-OB16D module A. Connect another 1756-OBXX output point to control the relay for 1756-OB16D module B. This arrangement requires that two 1756-OBXX output modules be used. Each 1756-OBXX module controls a termination board relay of a 1756-OB16D module in the module pair.
- Place the 1756-OBXX module in the same chassis as the 1756-OB16D module whose relay it is controlling. That is, the 1756-OBXX module used to control the relay for 1756-OB16D module A m
48. the status of the module pair on a Control Tower or similar device.

Example of Module Pair Status Programming

[Figure: three ladder rungs driving Control Tower indicators.]

If all three module pairs are operating normally without any faults, the green indicator on the Control Tower is lighted. Tags examined:
- ChasPr1_Slot1_IB32.O.ModulePair_Good
- ChasPr1_Slot2_IF16.O.ModulePair_Good
- ChasPr1_Slot3_OB16D.O.ModulePair_Good

If any module pair is operating 1oo1, a yellow light on the Control Tower is lighted. Tags examined:
- ChasPr1_Slot1_IB32.O.ModulePair_1oo1
- ChasPr1_Slot2_IF16.O.ModulePair_1oo1
- ChasPr1_Slot3_OB16D.O.ModulePair_1oo1

If a module pair is faulted, a red light on the Control Tower is lighted. Tags examined:
- ChasPr1_Slot1_IB32.O.ModulePair_Faulted
- ChasPr1_Slot2_IF16.O.ModulePair_Faulted
- ChasPr1_Slot3_OB16D.O.ModulePair_Faulted

Troubleshooting a Fault-tolerant System, Chapter 6

Identifying a Faulted Module

In order to identify a faulted module, you should examine these tags. Each of these tags is created when you create the ModulePair data type tags for any of the three module types.

ModulePair Tags Used to Identify a Faulted Module

Tag: O.Module_A_Faulted. Indicates: The fault status of module A. 1 = Module A faulted; 0 = Module A functioning properly
Tag: O.Module_B_Faulted. Indicates: The fault status of module B. 1 Mod
49. to allow the inputs to transition to the reference values before checking the results of the reference test. This value should be equal or greater than your analog module pair's RTS rate.
Value: 500

Tag Name: IO.SwitchToSignal_Delay.PRE
Description: Amount of time, in ms, delayed to allow the inputs to transition to the field signal values before normal operation is resumed. This value should be equal or greater than your analog module pair's RTS rate.
Value: 500

(1) If changes are made to the ChnlCompare_Deadband or to the ReferenceTest_Deadband tag values after the initial fault-tolerant program is downloaded to and running on the controller, then you must press fault reset so that the IF16_RefCal subroutine is carried out and the new deadband values are implemented. The changes to these tags are not implemented into the program until the IF16_RefCal subroutine is run.

(2) When specifying your SwitchToRef_Delay and SwitchToSignal_Delay values, remember that the system is functioning on the last known verified data during these periods. If an input connected to the module pair changes, it will not be processed until the total time of these two values has expired and the system has stopped using the last known verified data.

Configuring the Fault-tolerant System, Chapter 4

Tag values required. See the Required 1756-OB16D ModulePair Tag Values for values.

Tag values recommended. See
50. up Sequence; Additional Resources

After you have added and configured your JSR instructions and other subroutine elements, you can write the program to control the system in the Main Routine. This section provides some guidelines and tips for programming the system. It describes some of the many methods you might use to initiate a shutdown of the system in the event of a module pair fault. Also described are some programming methods that might be used to control the system response to a demand on the safety system. However, these are only guidelines and suggestions, as you are responsible for programming the SIL2 system according to your application requirements.

Basic Input Output Programming

Relationship Between Main Routine and Diagnostic Subroutines

The Main Routine is where you program the system to use data processed and provided by the diagnostic subroutines. While the diagnostic subroutines provide module pair and individual module status data, the program in the Main Routine is what assesses and causes the system response to that data.

Basic input to output programming for I/O modules in the fault-tolerant system varies very little from that for a non-fault-tolerant system. The only difference is in the use of ModulePair tags that appear slightly different than typical system-generated tags.

I and O Data in Fault-tolerant Pr
51. use a standard output module to control the relays of that board as described in Chapter 2 on page 38. This is because the outputs of the 1756-OB16D module cannot be used to control its own relays.

SIL2 Diagnostic Subroutine Requirements: Yes. If you are using the diagnostic subroutines, you must use a standard output module to control the relays of the 1756-OB16D termination board as described in Chapter 2 on page 38. This is because the outputs of the 1756-OB16D modules cannot be used to control their own relays.

Do I always have to use the specialized I/O termination boards?

SIL2 General Requirements: No. You are not required to use termination boards if you are not using the diagnostic subroutines. However, if you choose not to use them, you are responsible for the comparable hardware and programming described in the Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756-RM001.

SIL2 Diagnostic Subroutine Requirements: Yes. If you are using the diagnostic subroutines, you must use the specialized I/O termination boards described in Chapter 2.

Appendix D: Frequently Asked Questions About Fail-safe and Fault-tolerant Programs

Can I use I/O modules other than the 1756-IB32, 1756-IF16, and 1756-OB16D modules?

SIL2 General Requirements: Yes. If you are implementing a SIL2 system without using the diagnostic subroutines you
52. used designated as safety inputs; 0 at unused points (1)

(1) Points of the 1756-IB32 module pair not used in the fault-tolerant system and not specified as safety inputs cannot be used for any other purpose.

Recommended 1756-IB32 ModulePair Tag Values

In these tags, the values listed are recommended but not required. You may choose to alter these values to suit your application; however, you must enter a value for each of the tags listed.

Tag Name: Miscompare_Test_Limit
Description: The number of subsequent program scans where a miscompare between points may occur before a fault is registered. The value of four is strongly recommended in order to avoid nuisance trips as well as to provide a timely safety response. If you choose to specify a value lower than four, your system may experience nuisance trips. However, you may choose to lower the value in order to decrease the amount of time between a fault and the system response. Setting a value larger than four is not recommended, as the response to a fault may be too long for most safety applications.
Value: 4

Tag Name: IO.ModulePair_GoodTestInterval
Description: Time in ms between transition tests when no module faults are present.
Value: 86400000 (24 hours)

Tag Name: IO.ModulePair_1001 TestInterval
Description: Time in ms between transition tests when the system is running in a 1oo1 configuration.
Value: 3600000 (1 hour)

Tag Name: IO.TimeToRun_1001.PRE
Description: Preset value for 1oo1 countdown timer in ms.
Value: 28800000 (8 hours)

Tag Name: IO.TransitionTest_Low
53. [Figure: I/O configuration tree showing the 1756-CNBR module Pr1_ChB and, on its 1756 backplane, slot 1 1756-IB32 Pr1_ChB_Slot1, slot 2 1756-IF16 Pr1_ChB_Slot2, slot 3 1756-OB16D Pr1_ChB_Slot3, and slot 4 1756-OB16D Pr1_ChB_OutputB_RelayControl]

About System-generated Tags

For each module you configure, system-generated tags for the module are created. These tags are also referred to as module-defined tags. To view these tags, open the Controller Tags folder.

[Figure: System-generated Tags Resulting From I/O Configuration]

The data in these tags is sensor data from the I/O modules and is used by the diagnostic subroutines, as specified in the JSR instructions of the Call_Codes, to compare point and channel values. The data from the I/O modules is also used when the subroutines complete diagnostic tests and checks.

Specifying Diagnostic Subroutine Behavior

In order to specify the behavior of the diagnostic subroutines, complete these tasks:
Create ModulePair Tags
Edit ModulePair Tags

About ModulePair Tags

Tags of typ
54. 1 for use in SIL2 applications. Topics include hardware, software, and programming components.

You can view or download Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.

Chapter 6: Troubleshooting a Fault-tolerant System

About This Chapter

This chapter explains recommended procedures for troubleshooting a fault-tolerant system. It also contains examples of status information that may result when faults are present in the system.

Topics:
Identifying a Faulted Module Pair
Example of Programming to Identify a Faulted Module Pair
Identifying a Faulted Module
Replacing a Faulted 1756-IB32 Module
1756-IB32 ModulePair Tags to Identify the Type of Module Fault
1756-IF16 ModulePair Tags to Identify the Type of Module Fault
1756-OB16D ModulePair Tags to Identify the Type of Module Fault
Using Resets
When to Use the Fault Reset
When to Use Circuit Reset
Examples of Faults and Resulting Tag Values
1756-IF16 Module Pair, Two Modules Faulted

Identifying a Faulted Module Pair
55. Index

1756-OB16D Call_Code subroutine: edit MSG instructions 99
1756-OB16D Call_Code subroutines: edit 95 103; add JSR rung 95; rung elements 97
1756-OB16D diagnostic output termination board: diagnostic tests and 39; features 37; function during normal operation 38
1756-OB16D module pair: diagnostic subroutines 60; status tags 124
1756-OB16D module pair chassis: example of 151
1756-OB16D ModulePair tags 143 147: editing 82; for module status 144; for programming 146; for system behavior 143; hidden 147
1756-OB16D modules: properties 70
1756-OB16D outputs: used to control input diagnostic tests 44
1oo1 state 53

C
Call_Code subroutines: edit the 1756-IB32 85 89; add JSR rung 85; edit rung elements 88; JSR parameters 87; edit the 1756-IF16 90 94; add JSR rung 90; edit rung elements 93; JSR parameters 92; edit the 1756-OB16D 95 103; add JSR rung 95; edit rung elements 97; editing 84 103; element in the fault-tolerant program 49
channel comparison deadbands: in normal operation 80
channel voltages: reference test 36
channel-level programming 106
chassis pair: output module chassis 151
chassis pairs: identical duplicates 17; in fault-tolerant configurations 16; limits 16; naming conventions 68; termination board use with 17
circuit reset 111: when to use 125
CNBR: add to program 66
configurations: fail-safe 14; fault-tolerant 15 16; high availability 14; SIL2-certified 13
configuring the system 65 103: add a CNBR 66; add the remot
56. 1756-IF16 ModulePair Tag Values for recommended values and descriptions.

Do not edit these tag values; they are set by the main routine and diagnostic subroutine when the program is running.

Editing 1756-IF16 ModulePair Tags

Once the 1756-IF16 ModulePair tags have been generated, these tags specific to the 1756-IF16 module pair result. Located within this group of tags are those you must edit in order to specify system behavior for the 1756-IF16 module pair.

[Figure: list of the ModulePair tags generated for ChasPr1_Slot2_IF16, with their data types]
57. 32 Module Pair

The JSR instruction for the 1756-IB32 diagnostic routine uses four input parameters and two return parameters. You must edit these parameters so that the tags specific to your 1756-IB32 module pair are used. Also, remember to edit a JSR instruction for each 1756-IB32 module pair in your system. For example, if your system has four 1756-IB32 module pairs, you must edit each of the four JSR instructions to use parameters specific to one 1756-IB32 module pair.

1756-IB32 Module Pair JSR Parameters

[Figure: JSR (Jump To Subroutine) instruction with Routine Name IB32_Diagnostics; its input and return parameters use the Pr1_ChA and Pr1_ChB slot 1 input tags and the ChasPr1_Slot1_IB32 ModulePair tags]

About the Data Used:
Data from module inputs
Data specified for system behavior
Data from diagnostic subroutine

About the Tags Used:
The tags used for these input parameters are system-generated input (I) tags that were created when you configured your 1756-IB32 modules.
The tags used for these input parameters are the tags that were generated when you created the ModulePair type tags for your 1756-IB32 modules.
The diagnostic subroutine returns data to these tags that were generated when you created the ModulePair type tags.

Use the following table as a reference when editing your 1756-IB32 JSR parameters.

1756-IB32 Module Pair Tags for Use as JSR
58. [Figure: Message Path Browser, I/O configuration tree]

e. Click Apply to accept the changes.
f. Click OK to close the dialog box.

You have completed edits to your MSG instruction. After you have edited the MSG instructions, they should appear as shown here.

[Figure: two MSG instructions, Type CIP Generic, with Message Control tags Pr1_ChA_MSG and Pr1_ChB_MSG]

Edit JSR Parameters for the 1756-OB16D Module Pair

The JSR instruction for the 1756-OB16D diagnostic subroutine uses six input parameters and four return parameters. You must edit these parameters so that the tags specific to your system are used.

1756-OB16D Module Pair JSR Parameters

[Figure: JSR (Jump To Subroutine) instruction with Routine Name OB16D_Diagnostics; its input and return parameters use the Pr1_ChA and Pr1_ChB module tags and the ChasPr1_Slot3_OB16D ModulePair tags]

About the Data Used:
Data from module inputs
Data specified for system behavior
Data from diagnostic subroutine

About the Tags Used:
The tags used for these input parameters are system-generated, both input and output (I and O), tags that were created when you configured your 1756-OB16D modules.
The tags used for these input parameters are
59. ControlLogix SIL2 System Configuration Using RSLogix 5000 Subroutines

Application Technique

Catalog Numbers 1756 and 1492

Allen-Bradley, Rockwell Software, Rockwell Automation

Important User Information

Solid state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelines for the Application, Installation and Maintenance of Solid State Controls (publication SGI-1.1, available from your local Rockwell Automation sales office or online at http://literature.rockwellautomation.com) describes some important differences between solid state equipment and hard-wired electromechanical devices. Because of this difference, and also because of the wide variety of uses for solid state equipment, all persons responsible for applying this equipment must satisfy themselves that each intended application of this equipment is acceptable.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability
60. Delay values, remember that the system is functioning on the last known verified data during these periods. If an input connected to the module pair changes, it will not be processed until the total time of these two values has expired and the system has stopped using the last known verified data.

1756-IF16 Module Status Tags

The module status tags are used in several ways. Uses include:
- in the main routine to determine system behavior
- in the subroutine to determine and report module pair status
- in conjunction with HMI and other indicators of system status

1756-IF16 Module Status Tags

Tag Name: ConnectionFault_Module_A
Description: Indicates the status of the connection to module A. 1 = Connection lost; 0 = Connection good.

Tag Name: ConnectionFault_Module_B
Description: Indicates the status of the connection to module B. 1 = Connection lost; 0 = Connection good.

Tag Name: Chnl_OK_Module_A
Description: Bit-level indicators of what channels are operating without fault on module A. 1 = Channel is functional; 0 = Channel is faulted.

Tag Name: Chnl_OK_Module_B
Description: Bit-level indicators of what channels are operating without fault on module B. 1 = Channel is functional; 0 = Channel is faulted.

Tag Name: ChnlFlt_RefTest_Module_A
Description: Bit-level indicators of channels on module A that have failed the reference test. 1 = Channel faulted; 0 = Cha
61. FF. The IB32_Diagnostics subroutine verifies that points transitioned from 1 to 0 properly.

Index

Numerics
1756-IB32 Call_Code subroutines: edit 85 89; add JSR rung 85; edit rung elements 88; JSR parameters 87
1756-IB32 DC input termination board: features 26; figure of normal operation 27; figure of transition test 29; function, normal operation 27; function, transition test 28
1756-IB32 module pair: demand programming 113; diagnostic subroutines 55; identify a module fault 122
1756-IB32 ModulePair tags 131 136: editing 77; for system behavior 131; for use in programming 135; hidden 136; module status tags 133
1756-IB32 modules: properties 68; replacement 121
1756-IF16 analog input termination board: DIP switches for wiring options 33; features 30; figure of normal operation 32; figure of reference test 35; function, normal operation 31; function, reference tests 34; reference tests 34; two-wire transmitters with 31; wiring options 33
1756-IF16 Call_Code subroutines: edit 90 94; add JSR rung 90; edit rung elements 93; JSR parameters 92
1756-IF16 module pair: demand programming 114; diagnostic subroutines 57; identify a module fault 123; status tags 123; transmitters required 25; wiring options 33
1756-IF16 ModulePair tags 137 142: editing 79; for module status 138; for programming 141; for system behavior 137; hidden 142
1756-IF16 modules: properties 69
62. G instruction, complete these steps.

a. Specify the MESSAGE tag you created for the module. If you need to create MESSAGE tags, see the section titled Adding MESSAGE Tags on page 84.

[Figure: MSG instruction with the Message Control tag being selected from a list that includes Pr1_ChasA_Slot3_MSG and Pr1_ChasB_Slot3_MSG]

b. Click the View Tag Configuration button located to the right of the Message Control tag.

[Figure: MSG instruction, Message Control tag]

c. In the Configuration tab, specify these properties.

Property: Message Type. Value: CIP Generic
Property: Service Type. Value: Pulse Test
Property: Source Element. Value: PulseTest_Settings (a ModulePair tag)

[Figure: Message Configuration dialog box, Configuration tab, with the ChasPr1_Slot3_OB16D tags listed]

d. In the Communication tab, browse to the 1756-OB16D module Pr1_ChA_Slot3.

[Figure: Message Path Browser]
63. ModulePair type. See: 1756-IB32, page 85; 1756-IF16, page 90; 1756-OB16D, page 95.

[Figure: controller organizer showing Tasks, MainTask, MainProgram, IB32_Module_Pair, Program Tags, IB32_Diagnostics and IB32_Subroutine_Call_Code]

Editing the 1756-IB32 Call_Code Subroutine

This section describes how to edit the 1756-IB32 Call_Code subroutine for fault-tolerant applications. To edit the 1756-IB32 Call_Code subroutine, complete these tasks:
Copy and Paste a JSR Rung for Each 1756-IB32 Module Pair
Edit JSR Parameters for the 1756-IB32 Module Pair
Edit Other Rung Elements for the 1756-IB32 Module Pair

Copy and Paste a JSR Rung for Each 1756-IB32 Module Pair

To add a JSR instruction rung for a 1756-IB32 module pair, complete the following steps.

1. Open the IB32_Call_Code routine. The example program ladder logic displays.

[Figure: example rung with a JSR (Jump To Subroutine) instruction, Routine Name IB32_Diagnostics, using the sample_IB32_ModA_InputData, sample_IB32_ModB_InputData and sample_IB32_ModulePair tags as parameters, together with Run_TransitionTest and sample_OB16D_ModulePair tags]
64. [Figure: list of the ModulePair tags generated for ChasPr1_Slot1_IB32, with their data types and display styles]

For more information about the tags generated by the ModulePair data type, see Appendix A on page 105. You must specify both the required and recommended values for certain tags as described here.

Required 1756-IB32 ModulePair Tag Values

In this tag for the 1756-IB32 module pair, the value listed must be specified for each point.

Tag Name: Safety_Inputs_Select
Description and Value: Any 1756-IB32 module pair inputs used in the fault-tolerant system are 1 at each point
65. [Figure: list of the ModulePair tags generated for ChasPr1_Slot2_IF16, with their data types and display styles]

For more information about the tags generated by the ModulePair data type, see Appendix A on page 105. You must specify both the required and recommended values for certain tags as described here.

Required 1756-IF16 ModulePair Tag Values

In this tag for the 1756-IF16 module pair, values must be specified for each channel based upon whether the channel is used or unused.

Tag Name: Safety_Inputs_Select
Value: 1 in each channel used; 0 in each unused channel
Description: Enter 1 for any analog input channel being used. Unused safety input channels cannot be used for any other purposes, that is, they cannot be used as non
66. System-generated Tags
Specifying Diagnostic Subroutine Behavior
About ModulePair Tags
Create ModulePair Tags
Edit ModulePair Tags
Editing 1756-IB32 ModulePair Tags
Editing 1756-IF16 ModulePair Tags
Editing 1756-OB16D ModulePair Tags
Adding MESSAGE Tags
Editing the Call_Code Subroutines
Editing the 1756-IB32 Call_Code Subroutine
Copy and Paste a JSR Rung for Each 1756-IB32 Module Pair
Edit JSR Parameters for the 1756-IB32 Module Pair
Edit Other Rung Elements for the 1756-IB32 Module Pair
Editing the 1756-IF16 Call_Code Subroutine
Copy and Paste a JSR Rung for Each 1756-IF16 Module Pair
Edit JSR Parameters for the 1756-IF16 Module Pair
Edit Other Rung Elements for the 1756-IF16 Module Pair
Editing the 1756-OB16D Call_Code Subroutine
Copy and Paste Rungs for Each 1756-OB16D Module Pair
Edit Elements of the 1756-OB16D Call_Code Routine
Edit JSR Parameters for the 1756-OB16D Module Pair
Next Step
Additional Resources

Table of Contents
Programming the Fault-tolerant System
Troubleshooting a Fault-tolerant System
67. _Delay.PRE: Amount of time in ms delayed to allow the inputs to transition from high to low before checking the results of the transition test. The amount of time to delay should be determined by adding your program scan time to the NUT. For example, if your total program scan time is 80 ms and your NUT is 20 ms, you should set your TransitionTest_Low_Delay value to 100 ms. Value: 100.

IO.TransitionTest_High_Delay.PRE: Amount of time in ms delayed to allow inputs to transition to high before normal operation is resumed after a transition test. The amount of time to delay should be determined by adding your program scan time to the NUT. For example, if your total program scan time is 80 ms and your NUT is 20 ms, you should set your TransitionTest_Low_Delay value to 100 ms. Value: 100 (1).

(1) When specifying your TransitionTest_Low_Delay and TransitionTest_High_Delay values, remember that the system is functioning on the last known verified data during these periods. If an input connected to the module pair changes, for example, if an E-stop is pressed, it will not be processed until the total time of these two values has expired and the system has stopped using the last known verified data.

Tag value required: See the Required 1756-IF16 ModulePair Tag Values for value.
Tag values recommended: See the Recommended
68. a module pair fault that causes the system not to use data from that module pair.

Fault Type: A miscompare between any two points on the module pair.
Faulted module pair occurs because: The system cannot detect a stuck-at-zero/stuck-at-low condition. Therefore, any zero/low point condition is processed as a demand on the safety system.

Module: 1756-IF16 (with the use of two-sensor wiring)
Fault Type: A miscompare between any two channels of the module pair occurs and continues to occur after a reference test is successfully carried out on the module pair.
Faulted module pair occurs because: The reference test indicates that the analog input modules are functioning properly. However, the miscompare of channels continues to be detected by the system after the reference test. A hardware failure exists. The failure is likely to be either at one of the two sensors or on the analog input termination board.

Module: 1756-IF16
Fault Type: A failure of the reference test due to incorrect reference voltages.
Faulted module pair occurs because: If the correct reference voltages are not detected, there is a fault either on the termination board or with the outputs from the 1756-OB16D module pair that trigger the reference test.

Module: 1756-OB16D
Fault Type: Diagnostics of the 1756-OB16D module identify a short condition in the wiring from the termination board to the load.
Faulted module pair occurs because: Because the shorted wiring is related to the output of both 1756-OB16D modules, a module pair fault occurs.

Module: 1756-IB32, 1756-IF16
Fault Type: Both modules of a pair fail diagnosti
69. ags Used to Specify System Behavior

Tag Name: Safety_Output_Select
Description: Use to select or deselect the channel inputs that are used for safety functions.
Value: 1 at each point
Required or Recommended: Required

Tag Name: IO.PulseTest_Chnl_Select
Description: Use to enable or disable the execution of pulse tests on points of the output module pair. 1 = Pulse test enabled; 0 = Pulse test disabled.
Value: 1 at each point
Required or Recommended: Recommended

Tag Name: IO.PulseTest_Interval_PerChnl.PRE
Description: Time in ms between pulse tests on individual output points. The total time it takes for pulse tests to be carried out on all points of the module pair is this value multiplied by the number of outputs. This is true even when pulse tests are disabled for any of the points. For example, when 5 s is the PulseTest_Interval_PerChnl value, the total time required for all of the outputs to be pulse tested is 80 seconds.
Value: 5000 (5 s)
Required or Recommended: Recommended

Tag Name: IO.TimeToRun_1001.PRE
Description: User-defined time in ms for the 1oo1 countdown timer, that is, the repair time.
Value: 28800000 (8 hours)
Required or Recommended: Recommended

Tag Name: IO.PulseTest_Settings 4
Description: Sets the maximum pulse test width and is specified in 100 µs increments.
Value: 20 (2 ms)
Required or Recommended: Required

Tag Name: IO.PulseTest_Settings 8
Description: Sets the amount of time, in 100 µs increments, for the delay between the end of the pulse test and the declaration of a fault.
Value: 20 (2 ms)
Required or Recommended: Required

(1) Pulse tests must be disabled for outputs used to trigger diagnostic tests on input
70. air_Good: Status bit that indicates that both modules of the module pair are functioning properly. 1 = Module pair functioning properly; 0 = Fault present on one or both modules.

1756-IB32 Module Status Tags

Tag Name: O.ModulePair_1001
Description: Status bit that indicates the module pair is operating 1oo1. 1 = Operating 1oo1; 0 = Either both modules of pair are OK or are faulted, that is, not in 1oo1 operation.

Tag Name: O.ModulePair_Faulted
Description: Status bit that indicates that both modules of the module pair have at least one fault. The system has failed to safe. 1 = Both modules of pair faulted; 0 = Both modules of pair OK.

Tag Name: O.Module_A_Faulted
Description: Status bit that indicates that module A of the pair has at least one fault. 1 = Module A faulted; 0 = Module A OK.

Tag Name: O.Module_B_Faulted
Description: Status bit indicating that module B of the module pair has at least one fault. 1 = Module B faulted; 0 = Module B OK.

Tag Name: O.Run_1001_Countdown
Description: Indicates the time remaining on the 1oo1 countdown timer. The value is determined using the TimeToRun_1001 tag value and is shown in seconds.

1756-IB32 ModulePair Tags for Use in Programming

These tags are to be used in either the main routine or in call code
71. akes place. Entered in percentage of engineering units.

Tag Name: ChnlValues_at_Fault 16
Description: Sets the channel values to be used in the event of a faulted module pair. These values should be entered in engineering units.
Value: 0
Required or Recommended: Recommended

Tag Name: Miscompare_Test_Limit
Description: Defines the number of times a miscompare between channels is permitted before a fault is declared.
Value: 48
Required or Recommended: Recommended

Tag Name: IO.ModulePair_Good_TestInterval.PRE
Description: Time in ms between transition tests. The program uses this value when the module pair is without faults.
Value: 86400000 (24 hours)
Required or Recommended: Recommended

Tag Name: IO.ModulePair_1001_TestInterval.PRE
Description: Time in ms between Transition Tests if the module pair is operating in a 1oo1 configuration. The program uses this value when a fault is present on one module of the pair.
Value: 3600000 (1 hour)
Required or Recommended: Recommended

Tag Name: IO.TimeToRun_1001.PRE
Description: User-defined time in ms for the 1oo1 countdown timer, that is, the repair time.
Value: 28800000 (8 hours)
Required or Recommended: Recommended

1756-IF16 ModulePair Tags Used to Specify System Behavior

Tag Name: IO.SwitchToRefValue_Delay.PRE
Description: Amount of time in ms delayed to allow the inputs to transition to the reference values before checking the results of the reference test. This value should be equal to or greater than your analog module pair's RTS rate.
Value: 500
Required or Recommended: Recommended

Tag Name: IO.SwitchToSignal_Delay.PRE
Description: Amount
72. [Figure: example rungs of the 1756-OB16D Call_Code routine using sample_OB16D_ModulePair tags]

2. Copy rungs 0-2 and paste them below rung 2.

3. Repeat step 2 until each 1756-OB16D module pair has a set of the three rungs in the Call_Code subroutine.

After you have completed creating a set of rungs for each 1756-OB16D module pair, you must then edit each module pair's set of rungs.

Edit Elements of the 1756-OB16D Call_Code Routine

After you have added rung sets for each module pair and entered parameters in each module pair's JSR instruction, you must edit other elements of the call_code subroutine program. Complete these steps to edit the other elements of the call_code subroutine for each 1756-OB16D output module pair.

1. In the first rung, edit the instruction tags as described in the graphics that follow. The programming contained in the first rung initiates the 1756-OB16D module pair's pulse test and moves the data related to the completed pulse test into the 1756-OB16D diagnostic subroutines.

When specifying OneShot_Bits, use only OneShot_Bits 2 and 3.

Use the Run_PulseTest tag for your 1756-OB16D

Use the Conne
73. an OTE instruction for each module pair in your system. In each OTE, specify the ModulePair.IO.CircuitReset tag.

[Figure: OTE instructions using the CircuitReset tags of ChasPr1_Slot1_IB32, ChasPr1_Slot2_IB32, ChasPr1_Slot3_IB32, ChasPr1_Slot4_IB32 and ChasPr1_Slot3_OB16D]

Programming for a Demand on the System

These sections provide examples and explanations of programming for a demand on the system.

Demand Made Through a 1756-IB32 Module Pair

This example shows a method of programming for a shutdown when a demand is placed on the system through the 1756-IB32 module pair. Note that this example is for a 1756-IB32 module pair where all 32 inputs are in use. As shown, if any of the digital inputs goes low (a demand), the system de-energizes.

Example of Demand on the System from a 1756-IB32 Module Pair

[Figure: ladder rungs using a Not Equal instruction on the ChasPr1_Slot1_IB32 module pair data, with the Reset, One_Shot_1, SAFETY_DEMAND and SAFETY_OUTPUT tags]

Demand Made Through a 1756-IF16 Module Pair

These examples show methods of programming for a shutdown when a demand is p
74. arameters

Tags for Use as 1756 IF16 JSR Parameters
Parameter Use | Tag | Description
Input Par | ModuleAName X | System generated input (I) tags for module A of the pair
Input Par | ModuleAName X C | System generated configuration (C) tags for module A of the pair
Input Par | ModuleBName X | System generated input (I) tags for module B of the pair
Input Par | ModuleBName X C | System generated configuration (C) tags for module B of the pair
Input Par | ModulePairName | ModulePair input (I) tags that contain module pair behavior specification data for both modules of the pair
Input Par | ModulePairName.IO | Tags that contain module pair diagnostic status data for the module pair
Input Par | ModulePairName.O | Tags containing the reconciled data, that is, resulting data that has been processed by the diagnostic subroutine for the module pair
Return Par | ModulePairName.IO | Tags that contain module pair diagnostic status data for the module pair
Return Par | ModulePairName.O | Tags containing the averaged input data, that is, resulting data that has been processed by the diagnostic subroutine for the module pair

Edit Other Rung Elements for the 1756 IF16 Module Pair

For the 1756 IF16 module pair y
75. at help establish fault tolerance. These components are briefly described here and further described in later chapters.

Hardware

A complete ControlLogix fault tolerant system, including the redundant controller chassis, duplicate remote I/O chassis, and the specialized termination boards, should be configured similar to that shown below. For more information about the hardware required, see Chapter 2, Fault tolerant System Hardware, on page 25.

[Figure: Fault tolerant Configuration. Labels: Secondary Chassis, ControlNet, I/O Chassis B, Analog Input Termination Board, Digital Input Termination Board, Digital Output Termination Board, Field Device.]

Software and Programming

The programming and debugging tool required for use with the ControlLogix fault tolerant system is RSLogix 5000 software, version 15 or later. Also required are specialized routines developed by Rockwell Automation. The use of these specialized routines is specific only to the fault tolerant SIL2 configuration.

IMPORTANT: A fault tolerant system configured as described in this manual is SIL2 compliant only when these components are used:
- Hardware specified in Chapter
76. blication 61508-1, General Requirements.

Additional Resources

The following resources should also be consulted when configuring a ControlLogix system for SIL2 certification.

Resource | Description
Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756 RM001 | This safety reference manual provides information regarding ControlLogix components for use in SIL2 applications. Topics include hardware, software, and programming components.
ControlLogix Controllers User Manual, publication 1756 UM001 | This manual explains the general use of ControlLogix controllers.
ControlLogix Redundancy System User Manual, publication 1756 UM523 | This user manual explains how to design, install, configure, and troubleshoot a redundant ControlLogix system.
Functional safety of electrical/electronic/programmable electronic safety related systems, IEC 61508 | IEC 61508 describes terms, component requirements, process requirements, and techniques for SIL2 applications.

Chapter 1: The Fault tolerant System Configuration

About This Chapter

This chapter explains how the fault tolerant configuration differs from the fail safe and high availability configurations and provides a brief overview of the fault tolerant configuration and application.

Topics: Fault Tolerance and ControlLogix; Cont
77. c tests, that is, transition tests or reference tests, simultaneously. Either:
A. A hardware failure in the system caused both modules to fail the diagnostic tests, for example, if the 1756 OB16D outputs used to control the input termination board relays are damaged or the switches of the analog input termination board fail.
B. Faults exist on both modules of the pair and have been identified by the diagnostic tests.

1756 IB32, 1756 IF16, and 1756 OB16D: Both modules of the pair have any type of fault or fault condition. These are example conditions:
- Module A has a point fault and module B has a connection failure.
- Module A has a no load condition at one point and module B has a point with a shorted condition.

Fault conditions on both modules indicate that the system cannot safely run 1oo1 or 1oo2, and significant repairs should be made.

Appendix D: Frequently Asked Questions

About This Appendix

This section answers frequently asked questions specific to ControlLogix SIL2 systems and diagnostic subroutines.

Topics: About Redundant Chassis; About I/O; About Fail safe and Fault tolerant Programs

About Redundant Chassis

These questions are specific to the use of redundant chassis in a SIL2 system. Answers for each of these frequently asked questions are categorized based on the use of the diagnostic subrou
78. ch module of the pair is faulted.

1756 IF16 ModulePair Tags to Identify the Type of Module Fault

The ModulePair data type for the 1756 IF16 module provides tags that can help identify these types of faults:
- Connection and communication faults
- Channels on the module faulted, for example, due to a miscompare or over or under range
- Channels faulted as determined during the reference test

These are the tags that contain the 1756 IF16 module status data and can be used to determine the type of module fault.

[Graphic: 1756 IF16 Module Status Tags, with the callouts "Use to identify a connection fault" and "Use to identify a channel fault". Tags shown under ChasPr1_Slot2_IF16.IO: ModulePairGood_TestInterval, ModulePair_1oo1_TestInterval, TimeToRun_1oo1, SwitchToRefValue_Delay, SwitchToSignal_Delay, CircuitReset, FaultReset, Run_ReferenceTest, ConnectionFault_Module_A, ConnectionFault_Module_B, Chnl_OK_Module_A, Chnl_OK_Module_B, ChnlFlt_RefTest_Module_A.]
79. ched from open to closed, reapplying power to the sensors.

(1) To achieve fault tolerance, diagnostic tests for the input module pair should be triggered only by outputs from the 1756 OB16D module pair. In addition, 1756 OB16D module outputs that are being used to trigger the diagnostic tests should have pulse tests disabled. For more information about disabling pulse tests for outputs, see Edit ModulePair Tags on page 76.

While this transition occurs, the specialized program continues to control the system based upon the last known and verified data from the modules.

IMPORTANT: The transition test detects only stuck at one conditions. Any zero or low condition on any point of the module pair is recognized by the controller as a demand on the safety system.

This graphic depicts the function of the input termination board during a transition test.

[Figure: Digital Input Module Termination Board Functions During Transition Test. Both input modules register change from 1 to 0 (On to Off). Input Module A: Input X Point Value 0 (Off). Input Module B: Input X Point Value 0 (Off). Labels: 1492 cable to 1756 IB32 module A, 1492 cable to 1756 IB32 module B, normally closed relay opens.]
80. comprehensive reference of ControlLogix SIL2 information. Other publications and resources outlined in the Additional Resources table on page 12 should also be consulted and used as references when configuring a ControlLogix SIL2 safety application.

This publication is intended for use only by individuals who have extensive knowledge of safety applications, SIL policies, programmable control systems, and ControlLogix products. Do not use this publication if you do not fully understand these concepts.

The following writing conventions are used in this publication.

Text that is | Identifies
Italic | A variable that you replace with your own text or value
courier | Example programming code, shown in a monospace font so you can identify each character and space

In addition to the textual conventions described, note that underlined text, chapter title references, section title references, table title references, and page numbers function as hyperlinks in the electronic version of this publication.

The International Electrotechnical Commission (IEC) has defined Safety Integrity Levels (SILs) in IEC publication 61508. Concepts and terms explained in this reference manual are based upon publication 61508. A SIL is a level in the IEC rating system used to specify the safety integrity requirements of a safety related control system. SIL1 is the lowest level and SIL4 is the highest. For more information about SIL specifications, see IEC pu
81. ctionFault_Module_A tag for your module pair. Use the OneShot_Bits 2 tag for your module pair. Use the ConnectionFault_Module_B tag for your module pair. Use the OneShot_Bits 3 tag for your module pair.

[Rung graphic. Tags shown: ChasPr1_Slot3_OB16D.IO.Run_PulseTest, ChasPr1_Slot3_OB16D.IO.ConnectionFault_Module_A, ChasPr1_Slot3_OB16D.IO.OneShot_Bits 2 (ONS), ChasPr1_Slot3_OB16D.IO.ConnectionFault_Module_B, ChasPr1_Slot3_OB16D.IO.OneShot_Bits 3 (ONS).]

You edit the MSG instructions contained at the end of this rung during step 3 of this procedure.

Callouts for the next rung graphic:
- Specify the MSG tags DN and ER for the 1756 OB16D module in chassis A (Pr1_ChasA_Slot3_MSG.DN, Pr1_ChasA_Slot3_MSG.ER).
- Specify the MSG tags DN and ER for the 1756 OB16D module in chassis B (Pr1_ChasB_Slot3_MSG.DN, Pr1_ChasB_Slot3_MSG.ER).
- Specify the ConnectionFault_Module_A tag for your 1756 OB16D module pair (ChasPr1_Slot3_OB16D.IO.ConnectionFault_Module_A).
- Specify the ConnectionFault_Module_B tag for your 1756 OB16D module pair (ChasPr1_Slot3_OB16D.IO.ConnectionFault_Module_B).
- Specify the Run_PulseTest tag for your 1756 OB16D module pair (ChasPr1_Slot3_OB16D.IO.Run_PulseTest).
- Specify the MSG tag EXERR for the 1756 OB16D module in chassis A. Move: Source Pr1_ChasA_Slot3_MSG.EXERR 16#0000_0000, Dest ChasPr1_Slot3_OB16D
84. e Manual, publication 1756 RM001: This safety reference manual provides information regarding ControlLogix components for use in SIL2 applications. Topics include hardware, software, and programming components.
ControlLogix Digital I/O Modules User Manual, publication 1756 UM058: Provides information about digital I/O modules, including features, configuration, and troubleshooting.

You can view or download Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.

Chapter 5: Programming the Fault tolerant System

About This Chapter

This chapter describes suggested methods for programming the fault tolerant system.

Topics: Programming the Main Routine; Basic Input Output Programming; and 0 Data in Fault tolerant Programming; Example Input Output Rung; Module Pair Fault to Result in System Shutdown; Fault Reset Programming; Circuit Reset Programming; Demand Made Through a 1756 IB32 Module Pair; Demand Made Through a 1756 IF16 Module Pair; Power
85. e ModulePair are user defined data types created by Rockwell Automation specifically for fault tolerant SIL2 applications. For each module type, that is, 1756 IB32, 1756 IF16, and 1756 OB16D, a ModulePair data type is available. Once each ModulePair tag is created, a group of tags that are used to specify the behavior in the module pair's diagnostic subroutine is available. For more information about the tags available for each module pair, see step 2 of the section Create ModulePair Tags.

Create ModulePair Tags

1. In the Edit tab of the Controller Tags folder, add a tag for each module pair in the system.

[Graphic: Edit Tags tab showing the tags ChasPr1_Slot1_IB32, ChasPr1_Slot2_IF16, and ChasPr1_Slot3_OB16D.]

TIP: When creating your module pair tags, use naming conventions that will allow you to easily identify the chassis pair, module pair, and module type. For example, the module pair tag examples in this manual use the following naming convention: chassis pair, slot number, module type. Creating tags with easy to understand identifiers helps when programming and troubleshooting the system.

2. In the Data Type column of each tag s
86. e companies

Summary of Changes

Updated Information

Revision B of this publication contains the new or updated information listed in this table.

New or Updated Information in This Publication
Description | Chapter | Pages
Software and program requirements for the fault tolerant system | Chapter 1 | 21
Enhanced descriptions of system states and added graphics | Chapter 3 | 52-55
Updated graphics for consistency with the most recent version of the SIL2_IO_Fault_Tolerant program | Chapter 4 | 65-103
Call_Code subroutine JSR parameters: additional input parameters for each module pair are shown and described | Chapter 4 | 85-103
Programming for a demand: examples updated | Chapter 5 | 105-116
Added information about 1756 IB32 module replacement | Chapter 6 | 117-130
Appendix of frequently asked questions added | Chapter D | 155-162
Corrections to topics and page number references | Index | 167 163

New or updated information in this manual is indicated with a change bar, as seen to the right of this paragraph, except for changes to the index.

Table of Contents

Preface: About This Publication
87. [Graphic: 1756 OB16D ModulePair tags for ChasPr1_Slot3_OB16D. IO tags shown include Chnl_OK_Module_B, ChnlFlt_PulseTest_Module_A, ChnlFlt_PulseTest_Module_B, Chnl_Grounded_Module_A, Chnl_Grounded_Module_B, Chnl_HwFail_Module_A, Chnl_HwFail_Module_B, Chnl_NoLoadOrDC_Module_A, and Chnl_NoLoadOrDC_Module_B. O tags shown include ModulePair_Good, ModulePair_1oo1, ModulePair_Faulted, Module_A_Faulted, Module_B_Faulted, and Relay_Module_B.]

For more information about the tags generated by the ModulePair data type, see Appendix A on page 105. You must specify both the required and recommended values for certain tags, as described here.

Required 1756 OB16D ModulePair Tag Values

These values are required for 1756 OB16D module pair tags.

Tag Name: Safety_Outputs_Select. Value: 1 for all points, used or unused. Description: For fault tolerant I/O, all 1756 OB16D module pair outputs are designated as safety outputs.
Tag Name: IO PulseTest_Settings 4. Description: Sets the
89. Who Should Use This Publication; Conventions; About SIL; Additional Resources.
Chapter 1: About This Chapter; Fault Tolerance and ControlLogix; ControlLogix System SIL2 Configurations; About Fault tolerant Systems; Fault tolerant Compared to Other SIL2 Configurations; Fault tolerant System Configuration; Remote I/O Configuration; The Complete ControlLogix Fault tolerant System; Hardware; Software and Programming; Additional Resources.
Chapter 2: About This Chapter; Approved I/O Modules and Termination Boards; About the Specialized Termination Boards; 1756 IB32 DC Input Termination Board Features; Normal Operation of 1756 IB32 DC Input Termination Board; 1756 IB32 DC Input Termination Board and Transition Tests; 1756 IF16 Analog Input Termination Board; Normal Operation of the 1756 IF16 Analog Input Termination Board; One sensor
90. 1756 OB16D Diagnostic Output Termination Board Features

The specialized output termination boards have these hardware features:
- Easy to use wiring terminals
- Relays to provide secondary method of power disconnect for each output module connected
- Pre wired cables for use from termination board to I/O module
- On board blocking diodes isolate output points

[Figure: Diagnostic Output Termination Board for Use with 1756 OB16D Input Modules. Labels: two ports for 1492 CABLEXXXZ pre wired cables, two normally open relays, wiring terminals.]

Normal Operation of the 1756 OB16D Diagnostic Output Termination Board

During normal operation, the primary function of the 1756 OB16D output termination board is to connect the same two output points, each from one module of the pair, to a single load. The output termination board also provides isolation for each channel through the use of diodes.

A normally open relay is held closed by a nonfault tolerant DC output from the system. While the relay is closed, power to each 1756 OB16D module of the pair is provided.

Diagnostic Output Terminati
91. Description: Provides information about digital I/O modules, including features, configuration, and troubleshooting.
Logix5000 Common Programming Procedures Programming Manual, publication 1756 PM001: The programming manual describes common techniques and methods for using RSLogix 5000 software to program Logix5000 controllers.
ControlLogix Controllers User Manual, publication 1756 UM001: Explains the general use of ControlLogix controllers.
ControlLogix Redundancy System User Manual, publication 1756 UM523: Explains how to design, install, configure, and troubleshoot a redundant ControlLogix system.
Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756 RM001: Provides information regarding ControlLogix components for use in SIL2 applications. Topics include hardware, software, and programming components.

You can view or download Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.

Appendix A: SIL2 Remote I/O Fault tolerance Tags

About This Appendix

This appendix provides tag names purposes and va
92. es are either

O.ModulePair_Faulted: If both the modules of the pair are faulted. Depending on your application, a status of 1 at this tag may initiate a shutdown. 1 = Both modules of the pair faulted. 0 = Module pair functioning properly or in a 1oo1 configuration.
O.Module_A_Faulted: The fault status of module A. 1 = Module A faulted. 0 = Module A functioning properly.
O.Module_B_Faulted: The fault status of module B. 1 = Module B faulted. 0 = Module B functioning properly.
O.Run_1oo1_Countdown: Indicates the time remaining on the 1oo1 countdown timer. The value is determined using the TimeToRun_1oo1 tag value and is shown in seconds.

(1) A no load condition can be detected only if it is between the termination board and the output module.

1756 OB16D ModulePair Tags for Use in Programming

These tags are to be used in either the main routine or in call code programs. Your program uses the data in these tags to determine system behavior. For example, your call code routine should examine the Run_ReferenceTest tag. If the value of this tag is at 1, a transition test is run on the module pair.

1756 OB16D Tags for Use in Programming
Tag Name | Description
IO.OneShot_Bits | This tag is used in the Subroutine_Call_Code to initiate the pulse test.
IO.PulseTestResults_Module_A | U
93. ests

The transition tests verify that the input points of the 1756 IB32 module pair are able to transition from on to off when required.

Transition Test Intervals

Transition tests are programmed in the specialized program supplied by Rockwell Automation. They occur at user specified intervals based upon the requirements of the SIL2 application. If there are no faults present on the 1756 IB32 module pair, the system operates using the test interval specified in the tag ModulePair_Good_TestInterval. If the system is operating using only data from one module of the pair, that is, in a 1oo1 state, the transition tests occur more frequently, as specified in the tag ModulePair_1oo1_TestInterval. This table shows the test interval tags and the recommended interval values.

Transition Test Interval Tags
Tag Name | Recommended Value
ModulePair_Good_TestInterval | 86 400 000 (24 hours)
ModulePair_1oo1_TestInterval | 3 600 000 (1 hour)

Termination Board During Transition Tests

During the transition test, an output from a diagnostic output module pair triggers the normally closed relay of the 1756 IB32 input termination board to open. Thus, power is temporarily removed from the field sensors. Each point is checked for an off status. If the point did not transition to off, then that point is identified by the program as stuck at one and is processed as a fault. If the points transition successfully, then the normally closed relay is swit
95. fault tolerant I/O channels. We recommend that you configure unused channels for voltages of 0-5V and then jumper or ground unused channels to keep channel values within range.

Recommended 1756 IF16 ModulePair Tag Values

In these tags, the values listed are recommended but not required. You may choose to alter these values to suit your application; however, you must enter a value for each of the tags listed.

Tag Name: ChnlCompare_Deadband 16. Value: 0.05 at each channel, that is, 5%. Description: Defines the deadband when the same two channels of the pair are compared during normal operation. The value is entered as a percentage of the engineering or scaled units. For example, in an application where High Voltage = 5 V, Low Voltage = 0 V, High Engineering = 200, and Low Engineering = 0, defining a channel comparison deadband of 0.05 results in the channel comparison being considered a match if the values are within 10 units of each other.

Tag Name: ReferenceTest_Deadband 16. Value: 0.05 at each channel, that is, 5%. Description: Defines the deadband when, during a reference test, the channel value is compared to the reference voltages. The value is entered as a percentage of the engineering or scaled units. For example, in an application where High Voltage = 5 V, Low Voltage = 0 V, High Engineering = 200, and Low Engineering = 0, defining a channel comparison deadband of 0.05 results in the channel comparison being considered a match
96. g a fail safe system, what parameters should I specify in the JSR for the 1756 OB16D output modules?

- If you are using an 1756 OB16D module pair, specify the same parameters as those shown in Chapter 4, page 65, for the fault tolerant system.
- If you are using a single 1756 OB16D module, that is, not a module pair, with the diagnostic subroutines in a fail safe system, the required input parameters reflect the use of only one module. For each set of input parameters that requires the use of a tag from each module of the pair, specify the same tag for the one 1756 OB16D module. This graphic shows an example of how the JSR is configured if only one 1756 OB16D module is used.

[Graphic: Parameters for 1756 OB16D Single module Use. A JSR (Jump To Subroutine) instruction with Routine Name OB16D_Diagnostics and its Input Par and Return Par entries.]

Glossary

These terms are used throughout this manual.

1oo1 state: Describes the state of the system when a channel, module, or chassis of a pair within the SIL2 system is faulted and the system is operating using
97. gs

This table identifies the transition test tags and their default values.

Transition Test Interval Tags
Tag Name | Default Value
ModulePair_Good_TestInterval | 86400000 (24 hours)
ModulePair_1oo1_TestInterval | 3600000 (1 hour)

Transition tests are also described in Chapter 2, in the section titled 1756 IB32 DC Input Termination Board and Transition Tests, on page 28.

1oo1 1756 IB32 Module Pair

When the module pair is running in a 1oo1 configuration, at least one point of one of the modules in the pair is faulted. The system then runs using data only from the remaining unfaulted points of the module and the other unfaulted module. When the 1756 IB32 module pair is running in a 1oo1 configuration, the diagnostic subroutine carries out the tasks listed in this table.

System Tasks for 1756 IB32 1oo1 State
Task | Description
Countdown timer starts | When the system begins operating in the 1oo1 state, the diagnostic subroutine starts a timer that, when expired, annunciates that the user defined repair time has elapsed. The repair time is specified in tag TimeToRun_1oo1. The system will continue to run in a 1oo1 configuration after the repair time has elapsed. To reset the timer, toggle the FaultReset bit.
Transition test frequency increases | When the system is running in a 1oo1 configuration, the diagnostic subroutine carries out transition tests on the remaining module more frequently. The frequency of the transition te
98. h chassis so the configuration of I/O modules in each chassis is identical. IMPORTANT: The order of the modules in the configuration tree and the module properties of both modules in the pair must be identical. TIP: In order to create identical duplicate chassis, you may find it easier to create the first chassis (in this example, chassis A) and then copy and paste it into the second chassis (in this example, chassis B). If you use this method of creating your duplicate chassis, verify that you have edited the parameters of the pasted configuration so that they are specific to that chassis. TIP: When configuring your I/O modules, use naming conventions that will allow you to easily identify the chassis pair, individual chassis, and module location. For example, the I/O configuration examples in this manual use the following naming convention. [Figure: naming convention with callouts Chassis Pair, Chassis, and Module Location] Creating tags with easy to understand identifiers helps when programming and troubleshooting the system. IMPORTANT: Specify these module properties when adding and configuring I/O modules. [Screenshot: 1756 IB32 Module Properties, New Module dialog]
99. [Figure: module pair tags for ChasPr1_Slot2_IF16 as shown in the Controller Tags list, with the callout: Use to identify which module of the pair is faulted.] [Figure callouts: Use to identify a connection fault. Use to identify channels that failed the pulse tests. Use to identify a module that is likely shorted to ground. Use to identify a module hardware failure. Use to identify a no load, wire off, or a short to 24 V DC condition. Use to identify which module of the pair is faulted.] 1756 OB16D ModulePair Tags to Identify the Type of Module Fault: The ModulePair data type for the 1756 OB16D module provides tags that can help identify these types of faults: connection and communication faults; no load conditions (detects no load conditions only between the output module and termination board); points stuck at low; points stuck at high; other hardware failures. These are the tags that contain the 1756 OB16D module status data and can be used to determine the type of module fault. 1756 OB16D Module Status Tags
100. icates the communication fault. Output validation: After the diagnostic condition of the output module pair is determined, the subroutine sends the requested output state to the module pair, or an individual module when in a 1oo1 configuration. Output data echo and actual output value comparison: The subroutine compares the value returned by the diagnostic output module's data echo to the commanded value of the output bit. Output module relay control: In the event of a faulted output module, the 1756 OB16D diagnostic subroutine identifies the faulted module and initiates a power disconnect by setting the Relay_Module tag to 0. As a result of the Call_Code programming, power is then disconnected from the faulted module using the 1756 OB16D termination board relay. 1oo1 1756 OB16D: When the module pair is running in a 1oo1 configuration, one of the modules in the pair has been shut down and the system is running on information from only the remaining (unfaulted) module. When the 1756 OB16D module pair is running in a 1oo1 configuration, the tasks listed in this table are carried out. System Tasks for 1756 OB16D 1oo1 State (Task: Description). Countdown clock: When the system begins operating in the 1oo1 state, the diagnostic subroutine starts a timer that when
101. if the values are within 10 units of each other. ChnlValues_at_Fault 16: Sets the channel values that are used by the fault tolerant system in the event of both modules of the pair faulting. These values should be entered in engineering units. Value: 0. (Tag Name: Description: Value.) Miscompare_Test_Limit: The number of subsequent program scans where a miscompare between points may occur before a fault is registered. The value of four is strongly recommended in order to avoid nuisance trips as well as provide a timely safety response. If you choose to specify a value lower than four, your system may experience nuisance trips. However, you may choose to lower the value in order to decrease the amount of time between a fault and the system response. Setting a value larger than four is not recommended, as the response to a fault may be too long for most safety applications. IO ModulePair_GoodTestinterval PRE: Time in ms between transition tests when no module faults are present. Value: 86400000 (24 hours). IO ModulePair_1oo1Testinterval PRE: Time in ms between transition tests when the system is running in a 1oo1 configuration. Value: 3600000 (1 hour). IO TimetoRun_1oo1 PRE: Preset value for 1oo1 countdown timer in ms. Value: 28800000 (8 hours). 0 SwitchToRefValue_Delay PRE: Amount of time in ms delayed
102. iguration any time after your initial start up, you must press fault reset in order to implement the new configuration parameters. 1756 OB16D Module Properties [Screenshot: New Module and Module Properties dialogs for the 1756 OB16D module]. Property: Value. Comm Format: Full Diagnostics Output Data. Enable Diag Latching: Do not enable (uncheck boxes). Once your chassis have been configured, your I/O configuration tree should be similar to the one below. [Screenshot: I/O Configuration tree]
103. ing Diagnostic Subroutine Behavior 72; About ModulePair Tags 72; Create ModulePair Tags 73; Edit ModulePair Tags 76; Editing the 1756 IB32 Call_Code Subroutine 85; Editing the 1756 IF16 Call_Code Subroutine; Editing the 1756 OB16D Call_Code Subroutine; Next Steps; Additional Resources. Before you begin configuring your system using the program supplied by Rockwell Automation, you should prepare your redundant controller chassis and network. For more information about how to prepare your redundant controller chassis, see the ControlLogix Redundancy System User Manual, publication 1756 UM523. TIP: We recommend that you configure and program your fault tolerant system offline. After you have completed and verified your program, use RSNetWorx for ControlNet software to configure your redundant ControlNet network. When your ControlNet network is configured, download the program and go online with the controller. Begin with the Fault tolerant I/O Program: To begin the configuration of your fault tolerant system, you must open the fault tolerant I/O program titled SIL2_IO_Fault_Tolerant using RSLogix 5000 software, version 15 or greater. In this program, a SIL2 certified controller is present in the configuration tree. Depending on your system, you may need to change the program to specify the contr
104. ired Circuit Reset No Faults and Fault Reset ConnectionFaut_Module A Jo h oo it ConnectionFault_Module_B 0 0 0 N A Chnl_OK_Module_A 1 at each point 0 at affected points 1 at each point N A Chnl_OK_Module_B 1 at each point 1 at each point affected 1 at each point N A Chnl_Miscompare_Status 0 at each point 0 at each point 0 at each point N A ChnlFlt_StuckAtOne_Module_A 0 1 at each point affected 0 N A ChnlFlt_StuckAtOne_Module_B 0 0 0 N A Data From modules A and B From module B From modules Aand B yal ModulePair_Good 1 0 1 N A Module_Pair_1001 0 1 0 N A ModulePair_Faulted 0 0 0 N A Module_A_Faulted 0 1 0 N A Module_B_Faulted 0 0 0 N A Run_1001_Countdown Preset Counting down Preset N A 1 Circuit reset is not needed in this case because the system did not stop using data from the module pair 126 Publication 1756 AT010B EN P October 2008 www klinkmann com Troubleshooting a Fault tolerant System Chapter 6 1756 IF16 Module Pair One Module Faulted and Removed In this example module B of the 1756 IF16 module pair has a fault caused by an internal short The tag value changes are shown after the fault is identified by the reference test when the module is removed for repair and after the module has been replaced and the faults reset Tag Values After Faulted Channel Detected on a 1756 IF16 Module Tags Values During Normal Values After Values After Val
105. laced on the system through one channel of the 1756 IF16 module pair. Depending on your application, your programming may use different, but similar, programming than that shown here. [Figure: Example of Greater Than and Less Than Instructions to Detect Demand on 1756 IF16 Module Pair] Power up Sequence: Once you have completed your system programming, you should configure your ControlNet network and download the project to the controller. After you put the controller into Run mode, or you turn on a controller with a fault tolerant program loaded, there is a sequence of power up steps that you must carry out. These steps are explained below. 1. Wait five seconds to allow I/O data to be read and established. After you have applied power or put the controller into Run mode, the 1756 OB16D module pair faults. This behavior is programmed into the fault tolerant system in order to protect personnel and machinery from sudden output 2. Press fault reset to clear the faults of the 1756 OB16D m
106. les and their power source. For more information about the specialized I/O termination boards, see Fault tolerant System Hardware, Chapter 2. Remote I/O Fault Handling: In the event of a fault in a module or device in one chassis (for example, chassis A), the fault tolerant system will continue to operate using only the module or device in the other duplicate chassis (chassis B) and the unfaulted modules in chassis A. The system will carry out the safety function until the faulted module in chassis A is repaired or until a fault occurs on the corresponding module in chassis B. If a fault in chassis B occurs and chassis A is already faulted, the system fails to safe. [Figure: Fault Handling with Remote I/O. Callout: Despite a fault in chassis A, the rest of the safety system continues to operate.] The Complete ControlLogix Fault tolerant System: The complete ControlLogix system is comprised of several components th
107. lication 1756 RM001. Input Module Diagnostic Test Control Hardware and Programming: Control of the input diagnostic tests, that is, the transition and reference tests, is achieved through the use of 1756 OB16D outputs routed through the 1756 OB16D termination board. Because the 1756 OB16D outputs are used to control the diagnostic tests, any fault that results in the shutdown of the 1756 OB16D module pair will result in the failure of the next transition or reference tests for the input modules. This is due to the inability of the disconnected outputs to initiate the diagnostic tests. For more information about the control of input diagnostic tests, see these sections: 1756 IB32 Input Termination Board Relay Control, page 40; 1756 IF16 Analog Input Termination Board Switch Control, page 41. In order to achieve fault tolerance, you must use the hardware described in this chapter as well as the program supplied by Rockwell Automation. The program, its elements, and configuration are described in the chapters titled Fault tolerant Program Elements, on page 25, and Configuring the Fault tolerant System, on page 65. Additional Resources. Resource: 1756 IB32 Termination Board Installation Instructions, publication 41063 290 01 Fault tolerant Sys
108. lues for each type of I/O module available for use in the ControlLogix SIL2 fault tolerant system. Use this appendix as a reference when programming your SIL2 fault tolerant system. Topic / Page: 1756 IB32 ModulePair Tags 131; 1756 IB32 ModulePair Tags for System Behavior 131; 1756 IB32 Module Status Tags 133; 1756 IB32 ModulePair Tags for Use in Programming 135; 1756 IB32 Hidden Tags Not for Use 136; 1756 IF16 ModulePair Tags 137; 1756 IF16 ModulePair Tags for System Behavior 137; 1756 IF16 Module Status Tags 138; 1756 IF16 ModulePair Tags for Use in Programming 141; 1756 IF16 Hidden Tags Not for Use 142; 1756 OB16D Module Pair Tags 143; 1756 OB16D ModulePair Tags for System Behavior 143; 1756 OB16D Module Status Tags 144; 1756 OB16D ModulePair Tags for Use in Programming 146; 1756 OB16D Hidden Tags Not for Use 147. 1756 IB32 ModulePair Tags: The tags provided in the following tables are used to configure, specify, and monitor 1756 IB32 DC input module behavior in a ControlLogix fault tolerant system. 1756 IB32 ModulePair Tags for System Behavior: You must enter values for each of these 1756 IB32 ModulePair tags. For some tags, the value specified is required. For others, the values are recommended. 1756 IB32 ModulePair Tags Used to Specify System Behavior. Tag Name
109. module in the same chassis as the 1756 OB16D module whose relay it is controlling, you may want to group all of your 1756 OB16D modules in designated output chassis pairs. Doing so will reduce the number of 1756 OBxx you must use to control output relays. See Appendix on page 149 for more information. [Figure: 1756 OBxx Modules to Control 1756 OB16D Termination Board Relays. Chassis A: 1756 OBxx to control relay for module A, 1756 OB16D module A. Chassis B: 1756 OBxx to control relay for module B, 1756 OB16D module B. Output connection from 1756 OBxx modules to control relay.] For more information about SIL2 certified output modules, see Using ControlLogix in SIL2 Applications Safety Reference Manual, pub
110. module specifications. Bul 1492 Fused Term Module for use in SIL2 Safety Shutdown Appl w 2 1756 IB32, publication 41603 290 01: Provides wiring schematics and installation instructions for the termination board. ControlLogix Voltage Current Input Module Installation Instructions, publication 1756 IN039: Provides wiring diagrams, step by step installation instructions, and module specifications. Bul 1492 Fused Term Module for use in SIL2 Safety Shutdown Appl w 2 1756 IF16D, publication 41063 292 01: Provides wiring schematics and installation instructions for the termination board. ControlLogix DC 19 2 30V Diagnostic Output Module, publication 1756 IN058: Provides wiring diagrams, step by step installation instructions, and module specifications. Bul 1492 Fused Term Module for use in SIL2 Safety Shutdown Appl w 2 1756 OB16D, publication 41063 291 01: Provides wiring schematics and installation instructions for the termination board. ControlLogix Digital I/O Modules User Manual, publication 1756 UM058: Provides information about digital I/O modules, including features, configuration, and troubleshooting. Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756 RM001: This safety reference manual provides information regarding ControlLogix components for use in SIL2 applications. Topics include hardware, software, and programming components. You can view or download
111. n Point or points fail to transition from one to zero during transition test, for example, due to an internal short. These are the tags that contain the 1756 IB32 module status data and can be used to determine the type of module fault. [Figure: 1756 IB32 Module Status Tags, shown for ChasPr1_Slot1_IB32 in the Controller Tags list.] Callouts: Use to identify a connection fault. Use to identify point faults. Use to identify whi
112. In order to identify a faulted module pair, you should examine these tags. Each of these tags is created when you create the ModulePair data type tags for any of the three module types. ModulePair Tags Used to Identify a Fault on the Module Pair (Tag: Indicates). O ModulePair_Good: If both modules of the pair are functioning without faults. 1 = Both modules are functioning properly. 0 = A fault is present on one or both modules of the pair. O ModulePair_1oo1: If the module pair is operating in a 1oo1 configuration, that is, only one module of the pair is functioning properly. 1 = Module pair is operating in a 1oo1 configuration. 0 = Both modules are either OK or faulted, and not 1oo1. O ModulePair_Faulted: If both the modules of the pair are faulted. Depending on your application, a status of 1 at this tag may initiate a shutdown. 1 = Both modules of the pair faulted. 0 = Module pair functioning properly or in a 1oo1 configuration. O Run_1oo1_Countdown: The time remaining on the TimeToRun1oo1 timer if the module pair is operating in a 1oo1 configuration. These are the module pair status tags as they appear in the Controller Tags list. ModulePair Status Tags for Each Module Type: 1756 IB32 Module Pair Status Tags ChasPr1_Slot1_IB32 0 Da
113. n_1oo1_Countdown: Indicates the time remaining on the 1oo1 countdown timer. The value is determined using the TimeToRun_1oo1 tag value and is shown in seconds. 1756 IF16 ModulePair Tags for Use in Programming: These tags are to be used in either the main routine or in call code programs. Your program uses the data in these tags to determine system behavior. For example, your call code routine should examine the Run_ReferenceTest tag. If the value of this tag is at 1, a reference test is run on the module pair. 1756 IF16 Tags for Use in Programming (Tag Name: Description). O Data X: During normal operation, this array of channel values are the reconciled values of the two channels of the module pair. If the system is operating 1oo1, this array of channel values contains only the channel values of the unfaulted module. IO CircuitReset: Using programming in the Main Routine, this bit is reset manually and restarts the outputs after a fault or demand on the system. IO FaultReset: Using programming in the Main Routine, this bit is reset manually and resets the module status tags after a fault or demand on the system. IO Run_ReferenceTest: Used in the IF16_Subroutine_Call_Code, this tag value is a precondition for a DC output that is connected to the
114. nd 2. Copy the rung provided and paste it. [Figure: Copied Rung and Pasted Rung, each containing a JSR (Jump To Subroutine) instruction for the IB32_Diagnostics routine] 3. Repeat steps 1 and 2 until there is a JSR instruction rung for every 1756 IB32 input module pair in the system. After you have created a JSR instruction rung for each input module pair, you must edit the JSR parameters and other elements of the rungs. Edit JSR Parameters for the 1756 IB
115. nderstand that your placement of I/O directly affects the availability and fault tolerance of the SIL2 system. For an illustration of this concept, see Hardware Configurations and Fault tolerance on page 157. Am I required to use redundant controller chassis? SIL2 General Requirements: No. You may use a redundant or non redundant controller chassis configuration for your SIL2 system. However, like the use of redundant I/O, the use of redundant controller chassis increases the availability and fault tolerance of the SIL system. For an illustration of this concept, see Hardware Configurations and Fault tolerance on page 157. SIL2 Diagnostic Subroutine Requirements: No. The diagnostic subroutines can be used with either the redundant or non redundant controller chassis configurations. The choice to use redundant controller and communication chassis is not affected by the use of the diagnostic subroutines because those instructions are used to program for only I/O. More About SIL2 Hardware Configurations and Fault tolerance: This illustration can be used as a reference when determining how to configure your SIL2 hardware to meet the requirements for your SIL2 system's fault tolerance and availability. [Figure: Hardware Configurations and Fault tolerance]
116. ndicate what points are at 0 and cannot change to 1 (stuck at low condition). 1 = Point stuck at low. 0 = Point able to change. Chnl_Ground_Module_B: Bit level indicators that indicate what points are at 0 and cannot change to 1 (stuck at low condition). 1 = Point stuck at low. 0 = Point able to change. 1756 OB16D Module Status Tags (Tag Name: Description). Chnl_HWFail_Module_A: Status bit that indicates a hardware failure on the point of the module. 1 = Point faulted. 0 = Point is not faulted. Chnl_HWFail_Module_B: Status bit that indicates a hardware failure on the point of the module. 1 = Point faulted. 0 = Point is not faulted. Chnl_NoLoadOrDCV_Module_A: Indicates if the point is faulted due to a no load or Dc. 1 = Point has no load. 0 = Point has load. Chnl_NoLoadOrDCV_Module_B: Indicates if the point is faulted due to a no load or Dc. 1 = Point has no load. 0 = Point has load. O ModulePair_Good: If both modules of the pair are functioning without faults. 1 = Both modules are functioning properly. 0 = A fault is present on one or both modules of the pair. O ModulePair_1oo1: If the module pair is operating in a 1oo1 configuration, that is, only one module of the pair is functioning properly. 1 = Module pair is operating in a 1oo1 configuration. 0 = Both modul
117. nfigured in duplicate identical pairs. The duplicate chassis must be identical in the modules used as well as the location and configuration of the modules. Each I/O module in the chassis pair should have an exactly identical module in the same slot of the other chassis of the duplicate pair. Your ControlLogix fault tolerant system may use any number of identical duplicate remote I/O chassis within the limits of your controller. Within the identical duplicate remote I/O chassis are the I/O modules certified for use in the SIL2 system. Because chassis are configured identically, each module in chassis A should have a duplicate in chassis B. The duplicate I/O modules, one in each chassis, are referred to as module pairs. The concept of identical duplicate remote I/O chassis is depicted in the graphic below. In this publication, the duplicate remote I/O chassis are identified by an uppercase letter. For example, Chassis A and Chassis B would indicate a duplicate remote I/O chassis pair. [Figure: Identical Duplicate Remote I/O Chassis. Chassis A and Chassis B on ControlNet, each with diagnostic output modules, DC input modules, and analog input modules that form module pairs.]
118. ng conventions 73 to identify faulted 1756 IB32 modules 122 to identify faulted 1756 IF16 modules 123 to identify faulted module pair 118 to identify faulted modules 121 modules identify faulted 121 MSG instruction edit in 1756 OB16D Call_Code 99 MSG instructions properties for 100 naming conventions chassis pair and modules 68 ModulePair tags 73 normal state 52 0 0B16D_Diagnostics subroutine 1001 61 www klinkmann com about 60 normal operation 38 60 one sensor wiring 33 output module pair chassis configuration 151 outputs and diagnostic tests 44 P planning considerations 149 point level programming 106 program elements figure of in software 51 program elements 47 63 Call_Code subroutines 49 data flow between 62 diagnostic subroutines 48 functions 50 main routine 47 program the main routine 105 116 programming circuit reset 111 example to identify faulted module pair 120 fault reset 109 for demand 113 on 1756 IB32 module pair 113 on 1756 IF16 module pair 114 for module pair 108 software requirements 21 to identify faulted modules 121 use of and O data 106 programming the main routine 105 115 reconciled input data 107 redundant controller chassis configure in fault tolerant program 65 required 156 reference test calibration logic 59 reference tests 34 36 analog termination board and 34 channel voltages applied 36 deadbands for 36 figure of analog input termination board during 35 purpos
119. nnel is not faulted. ChnlFlt_RefTest_Module_B: Bit level indicators of channels on module B that have failed the reference test. 1 = Channel faulted. 0 = Channel is not faulted. Chnl_Miscompare_Status: Bit level indicators that show what channels of the module pair do not match each other (miscompare). 1 = Channel status between modules is different. 0 = Channel status is the same. ModulePair_Good: Status bit that indicates that both modules of the module pair are functioning properly. 1 = Module pair functioning properly. 0 = Fault present on one or both modules. ModulePair_1oo1: Status bit that indicates the module pair is operating 1oo1. 1 = Operating 1oo1. 0 = Either both modules of pair are OK or are faulted, that is, not in 1oo1 operation. 1756 IF16 Module Status Tags (Tag Name: Description). ModulePair_Faulted: Status bit indicates that both modules of the module pair have at least one fault. The system has failed to safe. 1 = Both modules of pair faulted. 0 = Both modules of pair OK. Module_A_Faulted: Status bit indicates that module A of the pair has at least one fault. 1 = Module A faulted. 0 = Module A OK. Module_B_Faulted: Status bit indicating that module B of the module pair has at least one fault. 1 = Module B faulted. 0 = Module B OK. Ru
120. [Figure: JSR (Jump To Subroutine) instructions for the IB32_Diagnostics routine, each followed by a Run_TransitionTest rung, including the rungs labeled JSR instruction for 1756 IB32 module pair 2, JSR instruction for 1756 IB32 module pair 3, and JSR instruction for 1756 IB32 module pair 4]
121. nt SIL2 system using specialized Add On Instructions available from Rockwell Automation. Logix5000 Controllers Add On Instructions, publication 1756 PM010: This programming manual describes Add On Instructions and their use in RSLogix 5000 software. You can view or download Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative. Chapter 2, Fault tolerant System Hardware. About This Chapter: This chapter describes the use of the remote I/O and termination boards, including their features and functions, in a ControlLogix fault tolerant system. Topic / Page: Approved I/O Modules and Termination Boards; About the Specialized Termination Boards 26; 1756 IB32 DC Input Termination Board Features 26; Normal Operation of 1756 IB32 DC Input Termination Board 27; 1756 IB32 DC Input Termination Board and Transi
122. nt System

When the fault reset bit is toggled, these tag values are reset.

1756-IB32 ModulePair Tags Reset by the IO.FaultReset Bit
• ConnectionFault_Module_A
• ConnectionFault_Module_B
• Chnl_OK_Module_A
• Chnl_OK_Module_B
• ChnlFlt_StuckAtOne_Module_A
• ChnlFlt_StuckAtOne_Module_B
• Module_Pair_Good
• Module_Pair_1oo1
• Module_A_Faulted
• Module_B_Faulted
• Run_1oo1_Countdown

1756-IF16 ModulePair Tags Reset by the IO.FaultReset Bit
• ConnectionFault_Module_A
• ConnectionFault_Module_B
• Chnl_OK_Module_A
• Chnl_OK_Module_B
• ChnlFlt_RefTest_Module_A
• ChnlFlt_RefTest_Module_B
• Module_Pair_Good
• Module_Pair_1oo1
• Module_A_Faulted
• Module_B_Faulted
• Run_1oo1_Countdown

1756-OB16D ModulePair Tags Reset by the IO.FaultReset Bit
• ConnectionFault_Module_A
• ConnectionFault_Module_B
• Chnl_OK_Module_A
• Chnl_OK_Module_B
• ChnlFlt_PulseTest_Module_A
• ChnlFlt_PulseTest_Module_B
• Chnl_Grounded_Module_A
• Chnl_Grounded_Module_B
• Chnl_HWFail_Module_A
• Chnl_HWFail_Module_A
• Chnl_NoLoadOrDCV_Module_A
• Chnl_NoLoadOrDCV_Module_B

Circuit Reset Programming

In the fault-tolerant system, a circuit reset is a manual control used to restart inputs and outputs after a system shutdown has occurred. When a circuit reset occurs the data tags for the module pair
123. o control relays on output termination boards.

Adding MESSAGE Tags

The OB16D_Call_Code subroutine uses MSG instructions to initiate the pulse tests for the module pair. The MSG instructions require the use of MESSAGE tags. Later in the configuration, you will edit the MSG instructions to use the tags you create here.

You must add a MESSAGE tag for each 1756-OB16D module of each module pair in your system. For example, if you have three 1756-OB16D module pairs in your system, you need six tags of the MESSAGE type.

To add a MESSAGE tag, create the tag in the Controller Tags list and specify the MESSAGE data type.

[Figure: Controller Tags list showing the tags Pr1_ChasA_Slot3_MSG and Pr1_ChasB_Slot3_MSG, each of data type MESSAGE]

Editing the Call_Code Subroutines

You must edit the Call_Code subroutines to call the diagnostic subroutines for each module pair in your system. This section describes the steps required to edit the Call_Code subroutines for each type of module pair, that is, the 1756-IB32, 1756-IF16, and 1756-OB16D module pairs.

To edit the Call_Code subroutines, simply copy and paste the sample rungs provided and specify the ModulePair tags that correspond to the module pairs in your system. See the section specific to your module pair type for information about editing the Call_Code subroutines. For
124. odule pair. This reset clears the module pair faults and applies power to the 1756-OB16D module pair outputs via the 1756-OBxx modules.

3. Press circuit reset to set the 1756-OB16D module pair outputs to their commanded state.

4. Press fault reset to carry out the reference calculations and to verify that all faults of the input modules have been cleared.

After completing these steps, your fault-tolerant system is online and fully operational.

For more information about the fault reset and circuit reset, see these sections:
• Fault Reset Programming on page 10
• Circuit Reset Programming on page 111

Additional Resources

Resource: Logix5000 Common Programming Procedures Programming Manual, publication 1756-PM001
Description: The programming manual describes common techniques and methods for using RSLogix 5000 software to program Logix5000 controllers.

Resource: ControlLogix Controllers User Manual, publication 1756-UM001
Description: This manual explains the general use of ControlLogix controllers.

Resource: ControlLogix Redundancy System User Manual, publication 1756-UM523
Description: This user manual explains how to design, install, configure, and troubleshoot a redundant ControlLogix system.

Resource: Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756-RM00
Description: This safety reference manual provides information regarding ControlLogix components
125. [Figure residue: sample rung referencing the sample_IF16_ModulePair tags and sample_OB16D_ModulePair Data 14]

2. Copy the rung provided and paste it.

[Figure: Copied Rung and Pasted Rung. Each is a JSR (Jump To Subroutine) instruction with Routine Name IF16_Diagnostics. Input parameters: sample_IF16_ModA_InputData, sample_IF16_ModA_ConfigData, sample_IF16_ModB_InputData, sample_IF16_ModB_ConfigData and the sample_IF16_ModulePair tags. Return parameters: the sample_IF16_ModulePair tags. A Run_ReferenceTest condition on sample_IF16_ModulePair drives sample_OB16D_ModulePair Data 14.]

3. Repeat steps 1-2 until there is a JSR instruction rung for every 1756-IF16 input module pair in the system.

After you have created a JSR instruction rung for each input module
126. of the reference tests are used by the application program to verify that the analog modules are capable of accurately reading analog data values. While the test is carried out by the termination board, the control program continues to run on last known data, that is, the most recent data validated by the program.

Reference Test Intervals

Reference tests are programmed in the specialized program supplied by Rockwell Automation. They occur at user-specified intervals based upon the requirements of the SIL2 application.

If there are no faults present on the 1756-IF16 module pair, the system operates using the test interval specified in the tag ModulePair_Good_TestInterval. If the system is operating using only data from one module of the pair, that is, in a 1oo1 state, the reference tests occur more frequently, as specified in the tag ModulePair_1oo1_TestInterval.

Reference test intervals are specified in these ModulePair tags.

Reference Test Tags

Tag Name: ModulePair_Good_TestInterval
Recommended Value: 86,400,000 (24 hours)

Tag Name: ModulePair_1oo1_TestInterval
Recommended Value: 3,600,000 (1 hour)

Termination Board During Reference Tests

When a reference test is initiated, the analog termination board functions as depicted below.

[Figure: 1492-TAIFM16-F-3 Analog Input Termination Board During Reference Test]
127. ogramming

When completing basic input-to-output programming, remember that the use of module pair tags and the system-generated tags differs because of the I and O data designations. For system-generated tags, I and O identify the data's relationship to the module. For ModulePair tags, I and O identify the data's relationship to the diagnostic subroutine.

In nonfault-tolerant programming, a typical input-to-output rung is programmed as shown.

[Figure: Typical Nonfault-tolerant Input-Output Rung. ModuleName:I.Data (data from input module) drives ModuleName:O.Data (to output module).]

In fault-tolerant programming, a typical input-to-output rung is programmed using the ModulePair tags. It appears to be significantly different from the nonfault-tolerant rung because the I and O tags are used in reverse order.

[Figure: Typical Fault-tolerant Digital Input-Output Rung. ModulePairName.O.Data (from input module pair diagnostic subroutine) drives ModulePairName.I.Data (to output module pair diagnostic subroutine).]

[Figure: Typical Fault-tolerant Analog Input-Output Rung. An instruction with Source A and Source B operands uses the ModulePairName I Data and ModulePairName O Data tags; the result goes to the output module pair diagnostic subroutine.]

For more information about how data is processed and used in the fault-tolerant program, see Chapter 3, Fault-tolerant Program Elements.

Exam
128. ol Stat
Faulted State
IB32_Diagnostics Subroutine
Normal Operation 1756-IB32 Module Pair
Test 1756-IB32 Module Pair
1oo1 1756-IB32 Module Pair
IF16_Diagnostics Subroutine
Normal Operation 1756-IF16 Module Pair
Test 1756-IF16 Module Pair
1oo1 1756-IF16 Module Pair
IF16_RefCal Subroutine
OB16D_Diagnostics Subroutine
Normal Operation 1756-OB16D
1oo1 1756-OB16D
Data Flow Between Program Elements
The Fault-tolerant Program
Additional Resources

Table of Contents

Chapter 4 Configuring the Fault-tolerant System
About This Chapter
Before You Begin
Begin with the Fault-tolerant I/O Program
Adding a CNB or CNBR to the Controller Chassis
Configuring Remote I/O Chassis
Add the Remote I/O Chassis to the I/O Configuration Tree
About
129. olerant system does have limitations. These limitations are described in this appendix.

Detecting System-side Versus Field-side Faults

The ControlLogix fault-tolerant system can detect only system-side faults. System-side faults are those that occur within the hardware of the ControlLogix SIL2-certified fault-tolerant system. This means that any fault that occurs beyond the fault-tolerant system hardware cannot be detected.

Limits of Fault-detection from the 1756-OB16D Termination Board

The 1756-OB16D termination board is not able to detect if a no-load condition exists on the outputs that extend from the termination board to a device.

The ControlLogix fault-tolerant system can detect a shorted-wire condition between the termination board and the field device. The system is also able to detect if a wire-off condition exists between the output module and termination board.

Module Pair Faults

Module Pair Type: 1756-IB32

When certain faults occur on the fault-tolerant system, the system programming recognizes those faults as a faulted module pair, even if the fault is present only on one module of the pair. Depending on your application and main routine programming, these module pair faults may result in a system shutdown.

This table describes module pair faults that may occur in the fault-tolerant system. It also describes why the fault is identified as
130. oller you are using in your system.

[Figure: Controller Configuration in Program Supplied by Rockwell Automation. I/O Configuration tree showing the 1756 backplane and the 1756-L63 controller.]

Adding a CNB or CNBR to the Controller Chassis

In order to configure your remote I/O chassis, you must first add a CNB or CNBR module to the chassis configuration provided. Specify the module properties required for your redundant system.

[Figure: CNBR/D in Controller Chassis. I/O Configuration tree showing the 1756-L63 controller and a 1756-CNBR/D module.]

Configuring Remote I/O Chassis

To configure the remote I/O chassis, you must add the remote I/O chassis and their modules to the I/O configuration tree.

Add the Remote I/O Chassis to the I/O Configuration Tree

To add your chassis and remote I/O to the configuration tree, complete these steps.

1. Add two CNB or CNBR modules to the network and specify the Comm Format as None. Specify the other module properties according to your system configuration.

[Figure: I/O Configuration tree showing the 1756-CNBR/D module in the controller chassis and, on ControlNet, two 1756-CNBR/D modules for the remote chassis Pr1_ChA and Pr1_ChB.]

2. Add I/O modules to eac
131. on

[Figure: Open Module Properties. Module Properties dialog for the 1756-IB32 module in chassis Pr1_ChA, with General, Connection, Module Info, Configuration and Backplane tabs.]

1756-IB32 module properties listed:
• Comm Format: Input Data
• Enable Change of State
• Input Filter Time: Must be identical between the two modules of the pair.

1756-IF16 Module Properties

[Figure: New Module dialog for Type 1756-IF16, 16 Channel Non-Isolated Voltage/Current Analog Input, Vendor Allen-Bradley, Slot 2, followed by the Module Properties dialog (General, Connection, Module Info, Configuration, Calibration and Backplane tabs) showing Input Range, Sensor Offset, Digital Filter, High Signal, High Engineering, Low Signal, Low Engineering, RTS and Module Filter settings.]

Property: Comm Format
Value: Float Data - Single Ended Mode - No Alarm

Property: Input Range
Value: 0 V to 5 V for each channel (scaling is permitted)

IMPORTANT If you edit the 1756 IF16 module conf
132. on Board Functions

[Figure: output termination board functions. Labels: Diagnostic Output Module A and Diagnostic Output Module B, each with a 1492 cable port; relay to control Module A and relay to control Module B; diodes; output wiring terminals; single load; output from 1756-OBxx Module 1.]

Diagnostic Tests and the 1756-OB16D Output Termination Board

Because the 1756-OB16D modules have on-board diagnostic features, the only interaction between the output termination board and diagnostic tests occurs if a module fails a diagnostic test.

If the diagnostic tests find a module fault, power is disconnected from the faulted module by opening the normally open relay on the output termination board. The disconnect is triggered by an output of a designated 1756-OBxx module.

For more information about the 1756-OBxx modules and disconnects, see the section titled 1756-IF16 Analog Input Termination Board Switch Control on page 41.

Termination Board Relay Control

Both the input module pairs and the output module pairs require the use of output points to control some actions of the termination
133. onfiguration s possible

1756-IB32 DC Input Termination Board Features

The specialized digital input termination boards (catalog number 1492-TIFM40F-F24A-2) have these hardware features:
• On-board fusing with status indicators
• Easy-to-use wiring terminals
• Relay for diagnostic tests
• Pre-wired cables for use from termination board to I/O module

[Figure: DC Input Termination Board for Use with 1756-IB32 Input Modules. Labels: two connectors for 1492-CABLEXXXZ pre-wired cables, relay, on-board fuses, wiring terminals for field devices.]

Normal Operation of 1756-IB32 DC Input Termination Board

During normal operation, the digital input termination board functions as shown in the diagram below.

[Figure: 1492-TIFM40F-F24A-2 Digital Input Termination Board Normal Operation]
134. onflicts within the program, you should not create tags with the same names. When creating tags for your application, do not use these tag names:
• DataCompareCounter
• L_Scr_a
• QualityMask1
• QualityMask2
• OneShot_Bits
• TransitionTestInterval
• FaultResetTimer
• Fault
• Data
• Good2Go

1756-IF16 ModulePair Tags

The tags provided in the following tables are used to configure, specify, and monitor 1756-IF16 analog input module behavior in a ControlLogix fault-tolerant system.

1756-IF16 ModulePair Tags for System Behavior

You must enter values for each of these 1756-IF16 ModulePair tags. For some tags, the value specified is required. For others, the values are recommended.

1756-IF16 ModulePair Tags Used to Specify System Behavior

Tag Name: Safety_Input_Select
Description: Enter 1 for any analog input channel being used.
Value: 1 at each channel used; 0 at each unused channel
Required or Recommended: Required

Tag Name: ChnlCompare_Deadband
Description: Specifies the deadband when the data from two inputs is compared. Entered in percentage of engineering units.
Value: 0.05 at each channel, that is, 5%
Required or Recommended: Recommended

Tag Name: ReferenceTest_Deadband
Value: 0.05 at each channel, that is, 5%
Required or Recommended: Recommended
Description: Specifies the deadband between the reference voltage and actual value when a reference test t
135. only data from the unfaulted channels, module of the pair, or chassis of the pair.

Call Code subroutine
A subroutine provided in the SIL2_IO_Fault_Tolerant program. It is used to call the diagnostic subroutine for each module pair.

chassis pair
A set of two remote I/O chassis used in the SIL2 fault-tolerant system. Each chassis of the pair contains a set of I/O modules that exactly match each other in both their type of modules (1756-IB32, 1756-IF16, and 1756-OB16D) and their order within the chassis.

diagnostic subroutine behavior
The manner in which the diagnostic subroutines function in the system. Behaviors of the subroutines that can be specified include the amount of time the system operates 1oo1, the amount of time between diagnostic tests, the frequency of diagnostic tests, and the number of times a miscompare occurs before a fault is declared.

diagnostic subroutine
A subroutine provided in the SIL2_IO_Fault_Tolerant program. It carries out a variety of tests and checks on the I/O module pairs and provides data that describes module status. The diagnostic subroutine is locked and therefore cannot be altered.

duplicate identical chassis pairs
A chassis pair that is configured so the type of modules (1756-IB32, 1756-IF16, and 1756-OB16D), the order of modules, and the module properties are identical between each chassis of the pair.

emergency shutdown (ESD)
When certain faults occur in the fault-tolerant SIL2 sys
136. operation is resumed after a transition test. The amount of time to delay should be determined by adding your program scan time to the NUT. For example, if your total program scan time is 80 ms and your NUT is 20 ms, you should set your TransitionTest_Low_Delay value to 100 ms.
Value: 100 (see note 2)
Required or Recommended: Recommended

Notes:
(1) The value of four is strongly recommended in order to avoid nuisance trips as well as to provide a timely safety response. If you choose to specify a value lower than four, your system may experience nuisance trips. However, you may choose to lower the value in order to decrease the amount of time between a fault and the system response. Setting a value larger than four is not recommended, as the response to a fault may be too long for most safety applications.
(2) When specifying your TransitionTest_Low_Delay and TransitionTest_High_Delay values, remember that the system is functioning on the last known verified data during these periods. If an input connected to the module pair changes, for example, if an E-stop is pressed, it will not be processed until the total time of these two values has expired and the system has stopped using the last known verified data.

1756-IB32 Module Status Tags

The module status tags provide diagnostic information for the module pair. These tag
137. order to reset ModulePair fault bits in the program after a fault has been corrected, you must use programming to toggle the fault bit, that is, the IO.FaultReset tag, for the module pair affected. In many applications, this programming uses an input connected to a pushbutton.

When programming your fault reset input, these considerations must be made:
• Use an input point that is not a part of the fault-tolerant module pair inputs, that is, use an input module that is separate from the fault-tolerant system.
• Program the fault reset for each of the module pairs by using an Output Energize (OTE) instruction for each module pair's IO.FaultReset tag.
• You do not need to program the fault reset to be anti-tie down, as the programming is already present in the diagnostic subroutines.

Use this example as a reference when programming your fault reset input.

[Figure: Fault Reset Programming Example. A fault reset input from chassis Pr1_ChA drives OTE instructions for the FaultReset tags of ChasPr1_Slot1_IB32, ChasPr1_Slot2_IF16, ChasPr1_Slot6_IB32 and ChasPr1_Slot3_OB16D. Callouts: "Specify the point of a standard input module connected to the fault reset button." "Use an OTE instruction for each module pair in your system. In each OTE, specify the ModulePair IO.FaultReset tag."]

This programming results in the module status tags being reset to pre-fault values.
138. ou must also edit the corresponding branch. This branch simply initiates the module pair's reference test when the Run_ReferenceTest bit is on.

[Figure: Other IF16 Subroutine Elements to Edit. A JSR (Jump To Subroutine) rung with Routine Name IF16_Diagnostics and its input and return parameters, plus a branch in which the Run_ReferenceTest bit of ChasPr1_Slot2_IF16 drives Data 6 of ChasPr1_Slot3_OB16D. Callouts: "Logic that initiates the reference test when the bit is on." "If the Run_ReferenceTest bit for the module pair is on, an output of the 1756-OB16D module pair is turned on to trigger the reference test."]

Edit the Examine On instruction so that it references the Run_ReferenceTest tag for the module pair. You must also specify which point of the 1756-OB16D module pair activates the reference voltages on the analog input termination board.

Example of IF16_Call_Code with Completed Edits

This example depicts how the completed IF16_Call_Code subroutine would appear if two 1756-IF16 module pairs were used in the fault-tolerant system.

[Figure: Example IF16_Call_Code Subroutine with Two Module Pairs, beginning with the JSR instruction for 1756-IF16 module pair 1]
139. owever, if a fault occurs in the remote I/O chassis on the right side of the diagram, the system fails to safe.

[Figure: High-availability Configuration. Labels: fail-safe remote I/O, actuator, ControlNet, secondary chassis.]

Fault-tolerant Configuration

The fault-tolerant configuration provides more fault tolerance than the high-availability configuration because remote I/O chassis are also configured to be fault tolerant. Fault tolerance in a SIL2-certified ControlLogix system is achieved by the use of redundant controller and communication chassis, redundant remote I/O chassis, specialized I/O termination boards, and special application programming.

Fault-tolerant System Configuration

The ControlLogix fault-tolerant system configuration uses some elements from the high-availability configuration and other elements that are specific only to the fault-tolerant configuration.

In a fault-tolerant configuration, the controller and communication chassis are configured as specified for the high-availability configuration (see the left side of the High-availability Configuration graphic). The fault-tolerant configuration differs from the high-availability configuration because of the remote I/O configuration.

Remote I/O Configuration

In a fault-tolerant configuration the remote I/O chassis are co
140. pecify the module-specific ModulePair data type.

[Figure residue: Select Data Type dialog for the tag ChasPr1_Slot3_OB16D]

After you have created the tags using the ModulePair data type, these tags and structures result. Each ModulePair tag should correspond to one module pair in your system.

[Figure: Configuration Tree and Module Pair Tags. The I/O configuration tree shows two remote chassis, Pr1_ChA and Pr1_ChB, each with a 1756-CNBR/D module, a 1756-IB32/B module in slot 1, a 1756-IF16 module in slot 2, a 1756-OB16D module in slot 3 and a 1756-OB16D relay-control module in slot 4. The corresponding ModulePair tag shown is ChasPr1_Slot1_IB32_1.]
141. ple Input-Output Rung

This is an example of the basic input-output rung in a fault-tolerant program.

[Figure: Example of Input-Output Rung. O data bit 4 of ChasPr1_Slot1_IB32 drives data bit 1 of ChasPr1_Slot3_OB16D. Callouts: "Reconciled input point data from modules A and B of the module pair from input diagnostic subroutine." "Data to corresponding points on the output module pair goes to the output diagnostic routine."]

Module Pair Fault to Result in System Shutdown

Some fault-tolerant applications may require that the system shut down in the event of a fault at any module pair. For example, in your application, if both modules of a 1756-IB32 module pair are faulted, the resulting safe state for the system may be a total system shutdown.

If your application requires a shutdown when both modules of a module pair are faulted, use programming similar to that shown here.

[Figure: shutdown programming example. Callout: "Use a branch with an Examine On instruction for each module pair." The branches examine the ModulePair_Faulted bits of ChasPr1_Slot1_IB32_1, ChasPr1_Slot3_IF16 and ChasPr1_Slot4_OB16D. Other labels: Shutdown, Reset, One_Shot_1, SAFETY_INPUTS_OK, SAFETY_DEMAND, SAFETY_OUTPUT.]

Fault Reset Programming

In
142. programs. Your program uses the data in these tags to determine system behavior. For example, your call code routine should examine the Run_TransitionTest tag. If the value of this tag is at 1, a transition test is run on the module pair.

1756-IB32 Tags for Use in Programming

Tag Name: O.Data
Description: During normal operation, these input bits are the reconciled values of two points on the module pair. During 1oo1 operation, these input bits contain data from the unfaulted module of the pair.

Tag Name: IO.CircuitReset
Description: Using programming in the Main Routine, this bit is set manually and clears the 0 value from the data tags and causes the sensor values from the input modules to be used after a fault or demand on the system.

Tag Name: IO.FaultReset
Description: Using programming in the Main Routine, this bit is set manually and resets the module status tags after a fault or demand on the system.

Tag Name: IO.Run_TransitionTest
Description: Used in the IB32_Subroutine_Call_Code, this tag value is a precondition for the DC output that controls the relay on the module pair's termination board.

1756-IB32 Hidden Tags Not for Use

Similar to the inability to access the diagnostic subroutines, there are tags within the program provided by Rockwell Automation that cannot be accessed or altered. You cannot see these tags; however, in order to avoid potential c
143. IB32_Diagnostics Subroutine

The 1756-IB32 diagnostic subroutine completes the following tasks when in the states identified.

Normal Operation 1756-IB32 Module Pair

When in normal operation, the IB32_Diagnostics subroutine carries out the tasks listed in this table.

System Tasks for 1756-IB32 Normal State

Task: Connection verification
Description: The subroutine verifies that the communication connections are functioning properly. If there is a fault in a module connection, the tags ConnectionFault_Module_A and ConnectionFault_Module_B indicate the communication fault.

Task: Point value comparisons
Description: The diagnostic subroutine constantly compares the corresponding point values from the module pair. If a miscompare occurs between the data points, the subroutine initiates the transition test.

Task: Dual point reconciliation
Description: After the diagnostic subroutine compares the two point values, one from each module of the pair, the two values are reconciled into one bit for use in the main routine.

Task: Initiates transition tests
Description: When a miscompare occurs between points or when the transition test interval expires, the diagnostic subroutine initiates the transition tests.

Test 1756-IB32 Module Pair

Transition tests occur at intervals specified by the user or according to the default settin
144. r Tags for System Behavior
1756-OB16D Module Status Tags
1756-OB16D ModulePair Tags for Use in Programming
1756-OB16D Hidden Tags Not for Use

Appendix B
About This Appendix
Planning Considerations

Appendix C
About This Appendix
About Faults and Overall Fault-tolerance
Detecting System-side Versus Field-side Faults
Limits of Fault-detection from the 1756-OB16D Termination Board
Module Pair Faults

Appendix D
About This Appendix
About Redundant Chassis
About Fail-safe and Fault-tolerant Programs

Glossary
Index

Preface

About This Publication

This publication provides techniques and guidelines for configuring a SIL2-certified ControlLogix fault-tolerant system. This publication provides only recommendations for how to configure a fault-tolerant system for SIL2 compliance and is not a
145. ration tree.

Program Elements in RSLogix 5000 Configuration Tree

Tasks
  MainTask
    MainProgram
      Program Tags
      MainRoutine
    IB32_Module_Pair
      Program Tags
      IB32_Subroutine_Call_Code
      IB32_Diagnostics
    IF16_Module_Pair
      Program Tags
      IF16_Subroutine_Call_Code
      IF16_Diagnostics
      IF16_RefCal
    OB16D_Module_Pair
      Program Tags
      OB16D_Subroutine_Call_Code
      OB16D_Diagnostics

Callouts on the tree:
• MainRoutine: Program the main routine according to your application.
• Subroutine Call Code: The Subroutine Call Code contains a JSR instruction and other logic that is used to call the module-specific diagnostic subroutine. The call code must be edited to suit your module pair configuration.
• Diagnostics: Each module type has a diagnostic subroutine that has been programmed by Rockwell Automation and cannot be altered.

States of the System

To understand how the system diagnostics function, you should understand various states of the system as described in these sections:
• Normal State, see page 52
• Test State, see page 52
• 1oo1 State, see page 53
• Faulted State, see page 54

Normal State

During the normal state:
• no transition or reference test is being carried out
• no faults exist in the module pair
• no demand on the system is present

Normal Operation Diagram: Module A, Module B. All poin
146. rmal operation 55
  test 56
identical duplicate remote I/O chassis
  about 17
  figure of 17
  required 155
IF16_Diagnostics subroutine
  1oo1 58
  about 57
  normal operation 57
  test 58
IF16_RefCal
  purpose of 59
input termination board
  function during transition test 28 35
input output
  programming 106

J
JSR parameters
  for 1756 IB32 module pair 87
  for 1756 IF16 module pair 92

L
limits on chassis pairs 16

main routine
  data use in 106
  diagnostic subroutines and 106
  element in the fault tolerant program 47
  programming 105 115
MESSAGE tags
  add to the program 84
  use in 1756 OB16D Call_Code 99
module pairs
  example programming to identify faulted 120
  fault programming 108
  identify faulted 118
  use resets to clear faults 125
module properties
  1756 IB32 modules 68
  1756 IF16 modules 69
  1756 OB16D modules 70
  specify in program 68
module status tags
  listed 119
module tags 71
ModulePair tags
  1756 IF16 module status 123
  1756 OB16D module status 124
  about 72
  edit 76 83
  editing
    1756 IB32 tags 77
    1756 IF16 tags 79
    1756 OB16D tags 82
  example
    1756 IF16 fault values 127 128
  for 1756 IB32 131 136
    for programming 135
    hidden 136
    module status tags 133
    system behavior 131
  for 1756 IF16 137 142
    for module status 138
    for programming 141
    hidden 142
    system behavior 137
  for 1756 OB16D 143 147
    for module status 144
    for programming 146
    for system behavior 143
    hidden 147
  for module status 119
  nami
147. rolLogix System SIL2 Configurations 13
About Fault tolerant Systems 14
Fault tolerant Compared to Other SIL2 Configurations 14
Fault tolerant System Configuration 16
Remote I/O Configuration 16
Additional Resources 22

Fault Tolerance and ControlLogix

This section briefly describes the newly certified fault tolerant configuration.

ControlLogix System SIL2 Configurations

The following ControlLogix system configurations are certified for use in SIL2 applications and are described further in the Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756 RM001:
• Fail safe
• High availability
• Fault tolerant

The fault tolerant configuration is the most recent to be made available.

About Fault tolerant Systems

IEC publication 61508 4 defines fault tolerance as the ability of a functional unit to continue to perform a required function in the presence of faults or errors. While not completely fault tolerant, the ControlLogix SIL2 system is described as fault tolerant because it is able to tolerate a majority of faults that may occur in the system. In the unlikely event of a fault where the safety system cannot carry out the safety application, the system fails to safe. For more information about the limits of the fault tolerant system, see Fault tolerant System Limitations on page 153
148. s are used in several ways in the fault tolerant system. Uses include:
• in the main routine to determine system behavior
• in the subroutine to determine and report module pair status
• in conjunction with HMI and other indicators of system status

1756 IB32 Module Status Tags

Tag Name: Description

IO.ConnectionFault_Module_A: Indicates the status of the connection to module A. 1 = Connection lost; 0 = Connection good.
IO.ConnectionFault_Module_B: Indicates the status of the connection to module B. 1 = Connection lost; 0 = Connection good.
IO.Chnl_OK_Module_A: Bit level indicators of what points are operating without fault on module A. 1 = Point is functional; 0 = Point is faulted.
IO.Chnl_OK_Module_B: Bit level indicators of what points are operating without fault on module B. 1 = Point is functional; 0 = Point is faulted.
IO.ChnlFlt_StuckAtOne_Module_A: Bit level indicators of points on module A that are stuck at one after the transition test. 1 = Point is stuck at one; 0 = Point is functional.
IO.ChnlFlt_StuckAtOne_Module_B: Bit level indicators of points on module B that are stuck at one after the transition test. 1 = Point is stuck at one; 0 = Point is functional.
IO.Chnl_Miscompare_Status: Bit level indicators that show what points of the module pair do not match each other (miscompare). 1 = Point status between modules is different; 0 = Point status is the same.
O ModuleP
149. sed as a Dest parameter in MOV instructions of the Subroutine_Call_Code and is where module pulse test results are stored.
IO.PulseTestResults_Module_B: Used as a Dest parameter in MOV instructions of the Subroutine_Call_Code and is where module pulse test results are stored.
IO.CircuitReset: Using programming in the Main Routine, this bit is reset manually and restarts the outputs after a fault or demand on the system.
IO.FaultReset: Using programming in the Main Routine, this bit is reset manually and resets the module status tags after a fault or demand on the system.
IO.Run_PulseTest: This tag is examined in the OB16D_Subroutine_Call_Code and used as a precondition for the MSG instruction that initiates the Pulse Test.
Relay_Module_A: This tag is examined in the OB16D_Subroutine_Call_Code and used as a precondition for the DC output that disconnects the power via the relay for module A.
Relay_Module_B: This tag is examined in the OB16D_Subroutine_Call_Code and used as a precondition for the DC output that disconnects the power via the relay for module B.

1756 OB16D Hidden Tags Not for Use

Similar to the inability to access the diagnostic subroutines, there are tags within the program provided by Rockwell Automation that cannot be
150. [Figure: hardware configurations. Labels include Chassis 1 and Chassis 2 (controller, communication) and Chassis A and Chassis B (remote I/O), some marked redundant.]

About I/O

This section answers frequently asked questions specific to the use of I/O modules and peripherals with the diagnostic subroutines in the SIL2 system. Answers for each of these frequently asked questions are categorized based on the use of the diagnostic subroutines.

If you are: See the answers labeled
Not using the diagnostic subroutines to program your system: SIL2 General Requirements
Using the diagnostic subroutines to program your system: SIL2 Diagnostic Subroutine Requirements

Am I required to use input module pairs?

SIL2 General Requirements: Yes. If you are configuring a ControlLogix SIL2 compliant system without the diagnostic subroutines, you still have to use input module pairs. See the Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756 RM001, for lists of available SIL2 hardware and usage considerations.

SIL2 Diagnostic Subroutine Requirements: Yes. If you are using the diagnostic subroutines, you are required to use inp
151. source: Logix5000 Common Programming Procedures Programming Manual, publication 1756 PM001
Description: The programming manual describes common techniques and methods for using RSLogix 5000 software to program Logix5000 controllers.

Configuring the Fault tolerant System, Chapter 4

1756 OB16D Module Pair Tags for Use as JSR Parameters

Parameter: Tag: Description
Return Par: ModulePairName.O: Tags containing data output from the diagnostic subroutine.
Return Par: ModuleAName.O: Data output from the diagnostic subroutine for module A.
Return Par: ModuleBName.O: Data output from the diagnostic subroutine for module B.

You have completed edits to the Call_Code subroutine for a 1756 OB16D module pair. If necessary for your system, repeat steps 1-3 for all of your 1756 OB16D module pairs.

After you have completed the configurations, specifications, and edits described in this chapter, your next step is to program the SIL2 system Main Routine. See Programming the Fault tolerant System on page 89 for more information about programming the main routine.

ControlLogix Controllers User Manual, publication 1756 UM001: This manual explains the general use of ControlLogix controllers.
ControlLogix Redundancy System User Manual, publication 1756 UM523: This user manual explains how to design, install, configure, and troubleshoot a redundant ControlLogix system.
Using ControlLogix in SIL2 Applications Safety Referenc
152. sponding reference voltage.

1756 IF16 Reference Voltages

Channel No.: Reference Voltage
0, 4, 8, and 12: 5.6V
1, 5, 9, and 13: 3.3V
2, 6, 10, and 14: 2.0V
3, 7, 11, and 15: 0.0V

The program verifies that the 1756 IF16 analog input channels correctly read the reference values within 5% (the default value) as specified in the ReferenceTest_Deadband X tag.

[Figure: Analog Input Module Reference Test. For both Analog Input Module A and Analog Input Module B, the specialized application program tests channels 0, 4, 8, and 12 for 5.6V; channels 1, 5, 9, and 13 for 3.3V; channels 2, 6, 10, and 14 for 2.0V; and channels 3, 7, 11, and 15 for 0.0V, each within 5%.]

(1) To achieve fault tolerance, diagnostic tests for the input module pair should be triggered only by outputs from the 1756 OB16D module pair. In addition, 1756 OB16D module outputs that are being used to trigger the diagnostic tests should have pulse tests disabled. For more information about disabling pulse tests for outputs, see Edit ModulePair Tags on page 76.

Fault tolerant Syst
153. st is user defined; however, the default is once per hour. The transition test frequency is specified in the ModulePair_1oo1_TestInterval tag.

Module status updated: When the system is operating in a 1oo1 configuration, the IB32_Diagnostics subroutine provides module status information that is useful for troubleshooting the faulted module.

IF16 Diagnostics Subroutine

The 1756 IF16 diagnostic subroutines carry out these tasks when in the states identified.

Normal Operation 1756 IF16 Module Pair

When in normal operation, the IF16_Diagnostics subroutine carries out the tasks listed in this table.

System Tasks for 1756 IF16 Normal State

Task: Description

Connection verification: The subroutine verifies that the communication connections are functioning properly. If there is a fault in the connection to a module, the tags ConnectionFault_Module_A and ConnectionFault_Module_B indicate the communication faults.

Channel value comparisons: The diagnostic subroutine constantly compares the corresponding channel values from the module pair. The two channel values, one from each module, must be within the user defined deadband range of each other. The default deadband range is 5% of the full scaling range.

Dual channel reconciliation: If the two channels are within the deadband of each other, the s
154. [Figure: JSR rung for a 1756 IB32 module pair. Legible labels: Return Par ChasPr4_Slot1_IB32.O, ChasPr4_Slot1_IB32.IO.Run_TransitionTest, ChasPr4_Slot3_OB16D.]

1756 IF16 Call_Code

[Figure: configuration tree. IF16_Module_Pair: Program Tags, IF16_Subroutine_Call_Code, IF16_Diagnostics, IF16_RefCal.]

Editing the 1756 IF16 Call_Code Subroutine

This section describes how to edit the 1756 IF16 Call_Code subroutine for fault tolerant applications. To edit the 1756 IF16 Call_Code subroutine, complete these tasks.

Task: Page
Copy and Paste a JSR Rung for Each 1756 IF16 Module Pair: 90
Edit JSR Parameters for the 1756 IF16 Module Pair: 92
Edit Other Rung Elements for the 1756 IF16 Module Pair: 93

Copy and Paste a JSR Rung for Each 1756 IF16 Module Pair

To add a JSR instruction rung for a module pair, complete the following steps.

1. Open the IF16_Call_Code routine. The example program ladder logic displays.

Example JSR rung (figure labels): rung condition sample_IF16_ModulePair.IO.Run_ReferenceTest; JSR (Jump To Subroutine); Routine Name IF16_Diagnostics; Return Par sample_IF16_ModulePair.IO; Return Par sample_IF16_ModulePair.O; seven Input Par entries, of which these are legible: sample_IF16_ModA_InputData, sample_IF16_ModA_ConfigData, sample_IF16_ModB_InputData, sample_IF16_ModB_ConfigData, sample_IF16_M
155. ta
ChasPr1_Slot1_IB32.O.ModulePair_Good
ChasPr1_Slot1_IB32.O.ModulePair_1oo1
ChasPr1_Slot1_IB32.O.ModulePair_Faulted
ChasPr1_Slot1_IB32.O.Module_A_Faulted
ChasPr1_Slot1_IB32.O.Module_B_Faulted
ChasPr1_Slot1_IB32.O.Run_1oo1_Countdown

1756 IF16 Module Pair Status Tags

ChasPr1_Slot2_IF16.O.Data
ChasPr1_Slot2_IF16.O.ModulePair_Good
ChasPr1_Slot2_IF16.O.ModulePair_1oo1
ChasPr1_Slot2_IF16.O.ModulePair_Faulted
ChasPr1_Slot2_IF16.O.Module_A_Faulted
ChasPr1_Slot2_IF16.O.Module_B_Faulted
ChasPr1_Slot2_IF16.O.Run_1oo1_Countdown

1756 OB16 Module Pair Status Tags

ChasPr1_Slot3_OB16D.O
ChasPr1_Slot3_OB16D.O.ModulePair_Good
ChasPr1_Slot3_OB16D.O.ModulePair_1oo1
ChasPr1_Slot3_OB16D.O.ModulePair_Faulted
ChasPr1_Slot3_OB16D.O.Module_A_Faulted
ChasPr1_Slot3_OB16D.O.Module_B_Faulted
ChasPr1_Slot3_OB16D.O.Run_1oo1_Countdown

Example of Programming to Identify a Faulted Module Pair

When troubleshooting your fault tolerant system after a fault on a module pair has occurred, you may choose to examine module status tags by going online with the controller or by programming an HMI or similar notification system to annunciate and identify the faulted module pair. This example shows one method of programming so that the status of the module pair is displayed. Programming similar to that shown here may be used to demonstrate
156. tem the inputs and outputs must be programmed to reach their safe state, which is commonly de-energized. This de-energizing is referred to as an emergency shutdown.

fail safe configuration: A SIL2 configuration where a fault anywhere in the safety system results in a system shutdown, that is, the system fails to safe.

fault tolerance: The ability of a functional unit to continue to perform a required function in the presence of faults or errors. For more information, see IEC publication 61508 4.

fault tolerant configuration: A ControlLogix system that is configured so that the system can continue to carry out the safety function even when certain faults occur. The fault tolerant system is comprised of redundant controller chassis, duplicate remote I/O chassis, and I/O termination boards.

high availability configuration: A ControlLogix system that is configured so that some types of faults can be tolerated. The high availability configuration is comprised of redundant controller chassis and remote I/O.

module pair: A set of two I/O modules, each placed in one chassis of a chassis pair. Module pairs are I/O modules that are identical both in type (1756 IB32, 1756 IF16, or 1756 OB16D) and in their configuration within the programming software.

module pair status tags: ModulePair tags that provide the operational status of the module pair.

module status tags: ModulePair tags
157. tem Hardware Chapter 2

Description: Provides a description of installation procedures and a wiring diagram for the 1756 IB32 termination board.

1756 IF16 Termination Board Installation Instructions, publication 41063 292 01: Provides a description of installation procedures and a wiring diagram for the 1756 IF16 termination board.

1756 OB16D Termination Board Installation Instructions, publication 41063 291 01: Provides a description of installation procedures and a wiring diagram for the 1756 OB16D termination board.

ControlLogix 32 Point DC (10-31.2V) Input Module Series B Installation Instructions, publication 1756 IN027: Provides installation procedures and a wiring diagram for 1756 IB32 digital input module.

ControlLogix Voltage/Current Input Module Installation Instructions, publication 1756 IN039: Provides installation procedures and a wiring diagram for 1756 IF16 analog input module.

ControlLogix DC (19.2-30V) Diagnostic Output Module Installation Instructions, publication 1756 IN058: Provides installation procedures and a wiring diagram for 1756 OB16D diagnostic output module.

ControlLogix Chassis Series B Installation Instructions, publication 1756 IN080: Provides installation procedures for ControlLogix chassis.

ControlLogix 32 Point DC (10-31.2V) Input Module Series B Install Instructions, publication 1756 IN027: Provides wiring diagrams, step by step installation instructions, and
158. termination board of the 1756 IF16 module pair.

1756 IF16 Hidden Tags Not for Use

Similar to the inability to access the diagnostic subroutines, there are tags within the program provided by Rockwell Automation that cannot be accessed or altered. You cannot see these tags; however, in order to avoid potential conflicts within the program, you should not create tags with the same names. When creating tags for your application, do not use these tag names.

1756 IF16 Tags Unavailable for Use
• ReferenceTestEn
• DataCompareTestEn
• ReferenceTestReq
• RefCalReq
• VRefs 16
• ReferenceTestInterval
• DataCompareCounter 16
• L Scrl4
• ChannelFaultsStore1
• ChannelFaultsStore2
• OneShot_Bits
• QualityMask1
• QualityMask2
• CheckforIF16ModuleFault
• FaultResetTimer
• Module_Insertion_Delay

1756 OB16D Module Pair Tags

The tags provided in the following tables are used to configure, specify, and monitor 1756 OB16D output module behavior in a ControlLogix fault tolerant system.

1756 OB16D ModulePair Tags for System Behavior

You must enter values for each of these 1756 OB16D ModulePair tags. For some tags, the value specified is required. For others, the values are recommended.

1756 OB16D ModulePair T
159. test
• Implements channel scaling values set during the configuration of the 1756 IF16 module pair

The programming contained in the IF16_RefCal subroutine is carried out only when initiated in these situations:
• A system start up, that is, when power is applied or the controller is put into Run mode. At this time, the reference calculations are carried out on all of the 1756 IF16 module pairs.
• After connections are lost and then re-established on a 1756 IF16 module pair. Only the 1756 IF16 module pair that lost connection will be recalculated.
• When the fault reset button is pressed. The logic provided with the subroutine carries out a reference calculation on all of the 1756 IF16 module pairs any time fault reset is pressed.

The IF16_RefCal subroutine cannot be edited, but it is available for viewing.

OB16D_Diagnostics Subroutine

The 1756 OB16D diagnostic subroutines carry out the following tasks when in the states identified.

Normal Operation 1756 OB16D

When in normal operation, the OB16D_Diagnostics subroutine carries out the tasks listed in this table.

System Tasks for 1756 OB16D Normal State

Task: Description

Connection verification: The subroutine verifies that the communication connections are functioning properly. If there is a fault in the connection, the tag ConnectionFault ind
160. timer that, when expired, annunciates that the user defined repair time has elapsed. The repair time is specified in tag TimeToRun_1oo1. The system will continue to run in a 1oo1 configuration after the repair time has elapsed. The value in the tag FaultReset can be toggled to restart the timer.

Reference test frequency increases: When the system is running in a 1oo1 configuration, the diagnostic subroutine carries out reference tests on the remaining module more frequently. The frequency of the reference test is user defined; however, the default is once per hour. The reference test frequency is specified in the ModulePair_1oo1_TestInterval tag.

Module status updates: When the system is operating in a 1oo1 configuration, the IF16_Diagnostics subroutine provides module status information that is useful for troubleshooting the faulted module.

IF16_RefCal Subroutine

In addition to the diagnostic subroutine provided for the 1756 IF16 module pair, another subroutine called IF16_RefCal is also provided. The IF16_RefCal subroutine carries out logic that completes these tasks:
• Verifies that all input channels of the 1756 IF16 module pair are reading reference values properly
• Establishes reference values for each channel that are used by the 1756 IF16 diagnostic subroutine for comparison during the reference
161. tines.

If you are: See the answers labeled
Not using the diagnostic subroutines to program your system: SIL2 General Requirements
Using the diagnostic subroutines to program your system: SIL2 Diagnostic Subroutine Requirements

Am I required to use redundant duplicate I/O chassis?

SIL2 General Requirements: No. If you are configuring any ControlLogix SIL2 compliant system, you do not have to configure your remote I/O into redundant duplicate chassis. To achieve SIL2 compliance, you may choose to use any of the hardware configurations described in the Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756 RM001. It is important to understand that your placement of I/O directly affects the availability and fault tolerance of the SIL2 system. For an illustration of this concept, see Hardware Configurations and Fault tolerance on page 157.

SIL2 Diagnostic Subroutine Requirements: No. You may use several different SIL2 certified configurations of your remote I/O with the diagnostic subroutines. However, the use of redundant remote I/O chassis provides the highest level of availability compared to other SIL2 hardware configurations. You may also choose to place I/O in non redundant chassis remote from the controller or in the same chassis as the controller. It is important to u
162. tion Tests 28
1756 IF16 Analog Input Termination Board 30
Normal Operation of the 1756 IF16 Analog Input Termination Board 31
1756 IF16 Module Pair Reference Tests 34
1756 OB16D Diagnostic Output Termination Board Features 37
Normal Operation of the 1756 OB16D Diagnostic Output Termination Board 38
Termination Board Relay Control 40
1756 IB32 Input Termination Board Relay Control 40
1756 IF16 Analog Input Termination Board Switch Control 41
1756 OB16D Output Termination Board Relay Control 42
Input Module Diagnostic Test Control 44
Additional Resources 45

Only three I/O modules are approved for use in the ControlLogix fault tolerant system. In addition to the approved I/O modules, specialized termination boards must be used in a fault tolerant system.

SIL2 approved I/O Modules and Termination Boards
1756 IF16 Analog Input Module: 1492 TAIFM16 F 3
1756 OB16D Diagnostic DC Output Module: 1492 TIFM40F 24 2

If you are using 1756 IF16 analog input modules in your system, only two wire transmitters may be used.

About the Specialized Termination Boards

The specialized I/O termination boards 1492 TIFM40F F24A 2, 1492 TAIFM16 F 3, and 1492 TIFM40F 24 2 are crucial to the implementation of a ControlLogix fault tolerant system. The functionality of these boards, coupled with the application program developed by Rockwell Automation, make fault tolerant I/O c
163. to the fault tolerant configuration. This table lists the diagnostic features and tests used in a SIL2 system as well as where a description of the feature or test can be found.

Diagnostic Features of Diagnostic Subroutines

For the feature or test: See the description at
Module level fault reporting: Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756 RM001
Data echo communication check: Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756 RM001
Field side output verification: Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756 RM001
Pulse testing in the diagnostic output module: Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756 RM001
Input comparison: IB32_Diagnostics Subroutine on page 55 and IF16_Diagnostics Subroutine on page 57
Connection verification: Tag descriptions at Appendix A on page 131
Transition tests: 1756 IB32 DC Input Termination Board and Transition Tests on page 28
Reference tests: 1756 IF16 Module Pair Reference Tests on page 34

Call_Code Subroutines

Each module pair Call_Code subroutine contains:
• a JSR instruction that sends and receives
164. ts at 1. All points at 1. Point Comparison.

Test State

The test state is specific only to the 1756 IB32 and 1756 IF16 modules. During the test state:
• a transition or reference test is being carried out
• the system runs on input data from just before the test began
• no demand on the system is present

A demand made through the module pair being tested is not processed by the SIL2 system until the test is complete. This is because the system operates on input data from just before the diagnostic test while the diagnostic test is carried out. For more information about transition and reference tests, see Chapter 2, page 28 and page 34.

1oo1 State

The state when either:
• A point level or channel level fault is present on one module of the pair. During this state, one or more points of one module of the pair are faulted. The system operates by using data from the unfaulted module and all of the unfaulted points of the module with a fault. The diagram titled 1oo1 Due to a Point or Channel Fault below illustrates this concept.

IMPORTANT: If your input module has one or more point or channel level faults, the input diagnostic subroutines continue to use data from the unfaulted points or channels of that module in comparisons. Removing the swing arm of a 1756 IB32 module
165. ues After Operation

Tag | No Faults | Fault Detected | Module B Removed | Module B Replaced and Fault Reset
ConnectionFault_Module_A | 0 | 0 | 0 | 0
ConnectionFault_Module_B | 0 | 0 | 1 | 0
Chnl_OK_Module_A | 1 at each channel | 1 at each channel | 1 at each channel | 1 at each channel
Chnl_OK_Module_B | 1 at each channel | 0 at affected channel | 0 at each channel | 1 at each channel
ChnlFlt_RefTest_Module_A | 0 | 0 at each channel | 0 at each channel | 0 at each channel
ChnlFlt_RefTest_Module_B | 0 | 1 at affected channels | 0 at each channel | 0 at each channel
Chnl_Miscompare_Status | 0 | 0 at each channel | 0 at each channel | 0 at each channel
Data | From modules A and B | From module A | From module A | From modules A and B
ModulePair_Good | 1 | 0 | 0 | 1
ModulePair_1oo1 | 0 | 1 | 1 | 0
ModulePair_Faulted | 0 | 0 | 0 | 0
Module_A_Faulted | 0 | 0 | 0 | 0
Module_B_Faulted | 0 | 1 | 1 | 0
Run_1oo1_Countdown | Preset | Counting down | Counting down | Preset

1756 IF16 Module Pair Two Modules Faulted

In this example, a fault occurs on module B of the module pair. Then, while operating 1oo1, module A faults as well. The table shows the progression of tag values through the initial fault on module B through the circuit reset.

Tag Values After 1756 IF16 Module Pair Faulted
166. ule B faulted; 0 = Module B functioning properly.

Once you have used the tags listed above to identify a faulted module, there are additional tags you can view to determine what type of fault exists on the module. Each module type uses different tags to identify the type of fault. Use the section specific to your module to determine which type of fault exists on the module.

Replacing a Faulted 1756 IB32 Module

If your 1756 IB32 module pair is operating 1oo1 at a point level, that is, one module of the pair has a faulted point and the other module is fully functional, removing the swing arm of the module with 1-31 faulted points causes your system to fail to safe due to a miscompare. The miscompare occurs because data from the unfaulted points of the module continue to be used and checked by the diagnostic subroutine. Removing the swing arm results in the remaining unfaulted points going low (0), and a miscompare of data occurs.

IMPORTANT: To avoid a shutdown due to a miscompare, remove the entire 1756 IB32 module from the chassis before removing the swing arm.

1756 IB32 ModulePair Tags to Identify the Type of Module Fault

The ModulePair data type for the 1756 IB32 module provides tags that can help identify these types of faults:
• Connection and communication faults
• Points on the module faulted, for example, a miscompare or stuck at one conditio
167. ule_B

Using Resets

After you have finished troubleshooting and repairing a faulted module condition, you must reset the system so that the faults are cleared and the system operates using the data from the repaired module. Depending on the type of fault and the configuration the system is running in, you may be required to reset both the fault status tags and the data tags by using the circuit reset.

When to Use the Fault Reset

After you have repaired or replaced the faulted module, or corrected any other issues that might cause a module fault, you must use the Fault Reset button. If you program the Fault Reset button as instructed in Chapter 5, in the section titled Fault Reset Programming, page 109, pressing the fault reset button results in all of the module fault status tags being reset. However, module data tags are not reset. If your system was operating in a 1oo1 configuration at the module fault, the fault reset is the only action you need to take in order to enable the system to use data from the newly repaired module.

When to Use Circuit Reset

If both modules of the pair are faulted, you must use the circuit reset after using the fault reset. Because the fault reset clears only the module fault status tags, the faulted values are still present
168. used in programming in the main routine. Based upon the reconciled input value, the system specifies what the value of the outputs are set at. The output value specified is then processed by the output diagnostic subroutine. The diagnostic subroutine calculates and specifies what the value of each output point should be.

[Figure: Data and the Typical Fault tolerant Input Output Rung. Data from Input Module A and Input Module B enters the Input Diagnostic Subroutine; ModulePairName.O.Data passes from the input diagnostic subroutine to the output diagnostic subroutine through a program rung of the main routine; the Output Diagnostic Subroutine sends data to Output Module A and Output Module B.]

The Fault tolerant Program

Once you understand the elements of the fault tolerant program and how they function together, you are ready to configure and program your main routine. Use Chapter 4, Configuring the Fault tolerant System, and Chapter 5, Programming the Fault tolerant System, as references when configuring and programming your fault tolerant system.

Additional Resources

Resource: Logix5000 Common Programming Procedures Programming Manual, publication 1756 PM001
Description: The programming manual describes common techniques and methods for using
169. ust be placed in chassis A of the chassis pair. The 1756 OBXX module used to control the relay for 1756 OB16D module B must be placed in chassis B of the chassis pair. Because the standard 1756 OBXX module must be in the same chassis as the 1756 OB16D module whose relay it is controlling, consider placing all of your 1756 OB16D modules together in the same chassis in order to reduce the number of standard 1756 OBXX modules required in your system.

(1) Pulse tests must be disabled on 1756 OB16D output points used to control input relays or switches.
(2) For information about which 1756 OBXX modules can be used to control the relays on the output module termination board, see Chapter 2, 1756 OB16D Output Termination Board Relay Control, page 42.
(3) If using 1756 OB16D modules to control the relays of your 1756 OB16D module pairs, you must disable pulse testing on the points used for relay control.

1756 OB16D Module Pair Arrangement
170. ut module pairs. Both the 1756-IB32 and 1756-IF16 input modules must be used as module pairs in order for the diagnostic subroutine to function as programmed. Am I required to use 1756-OB16D module pairs? SIL2 General Requirements: No. If you are configuring any ControlLogix SIL2-compliant system, you do not have to use 1756-OB16D module pairs. The use of module pairs is required only when your system requires the highest level of availability and fault tolerance. SIL2 Diagnostic Subroutine Requirements: No. The use of 1756-OB16D module pairs establishes a higher level of fault tolerance but is not required for the use of the diagnostic subroutines. Depending on your application, you may choose to use an independent 1756-OB16D module instead. If you are using the diagnostic subroutines, then you must use at least one 1756-OB16D module in a manner similar to that described in this manual. For information about editing input parameters for a single 1756-OB16D module, see this question: "If I am configuring a fail-safe system, what parameters should I specify in the JSR for the 1756-OB16D output modules?" on page 162. Am I required to use a standard output module to control the output relays of the 1756-OB16D termination board? SIL2 General Requirements: Yes. If you are using the 1756-OB16D output termination boards, you must
171. Normal Operation of the 1756-IF16 Analog Input Termination Board. During normal operation (that is, when a diagnostic test is not in progress), the primary purpose of the analog termination board is to route 2-wire transmitters to input channels, one on each module of the pair. The analog termination board provides the capability to wire one or two sensors to each input channel. For more information about one- and two-sensor wiring, see the section titled One-sensor or Two-sensor Wiring Option on page 33. Two-wire transmitters operate in 4-20 mA current mode powered by 24V dc. The 4-20 mA signals are converted to voltage by the on-board precision 249 Ω resistor. The voltage is then routed to the same two duplicate input channels, one on each module of the 1756-IF16 pair. Each 1756-IF16 module is configured for 0-5V operation. The application program supplied by Rockwell Automation then compares the two channel values to each other and verifies that the values are within the user-defined deadband value. The two channel values are then averaged and made available for use by the program. During normal operation, the analog input termination board functions as depicted in this diagram: 1492-TAIFM16-F-3 Analog Input Termination Board Normal
172. ystem averages the two values and provides a single reconciled value in a word for use in the main routine. If the two channel values are not within the deadband range, then the diagnostic subroutine initiates a reference test to determine which module of the pair is faulted. Reference tests initiated: When the two channels of a module pair are not within deadband range of each other, or when the reference test interval expires, the diagnostic subroutine initiates the reference test. Test 1756-IF16 Module Pair: Reference tests occur at intervals specified by the user or according to the default settings. Reference tests are also described in Chapter 2 in the section titled 1756-IF16 Module Pair Reference Tests on page 34. 1oo1 1756-IF16 Module Pair: When the module pair is running in a 1oo1 configuration, at least one channel of one of the modules in the pair is faulted. The system then runs using only data from the remaining unfaulted channels of the module and the other unfaulted module. When the 1756-IF16 module pair is running in a 1oo1 configuration, the diagnostic subroutine carries out the tasks listed in this table. System Tasks for 1756-IF16 1oo1 State. Task: Countdown timer starts. Description: When the system begins operating in the 1oo1 state, the diagnostic subroutine starts a
