
GuardLogix 5570 Controller Systems Safety Reference

Contents

1. SIL Output Channels: Output Device Requirements (Fulfilled Yes/No, Comment).
   1. Have you followed installation instructions and precautions to conform to applicable safety standards?
   2. Have you performed project verification tests on the devices?
   3. Have you uploaded and compared the configuration of each device to the configuration sent by the configuration tool?
   4. Have you verified that test outputs are not used as safety outputs?
   5. Are devices wired in compliance with PLe/Cat. 4 according to ISO 13849-1?
   6. Have you verified that the electrical specifications of the output and the actuator are compatible?
   (1) For information on how to wire your safety I/O device, refer to the product documentation for your specific device.
   (Page 90, Rockwell Automation Publication 1756-RM099C-EN-P, May 2015.) Appendix D, Checklists for GuardLogix Safety Applications: Checklist for Developing a Safety Application Program. Use the following checklist to help maintain safety when you create or modify a safety application program. Checklist for GuardLogix Application Program Development: Company, Site, Project Definition, Number, Application P
2. Accessing Produced/Consumed Tag Data. Appendix D: Checklist for GuardLogix Controller System; Checklist for Safety Inputs; Checklist for Safety Outputs; Checklist for Developing a Safety Application Program. Appendix E: PFD Values; PFH Values. Appendix F: De-energize to Trip System; Use Connection Status Data to Initiate a Fault Programmatically. Appendix G: SIL 2 Dual-channel Inputs (standard side of GuardLogix controllers); SIL 2 Outputs Using SIL 3 Guard I/O Output Modules; SIL 2 Outputs Using 1756 or 1794 SIL 2 Output Modules; Safety Functions Within the 1756 GuardLogix Safety Task. Glossary. Index. Preface (Topic, Page): Studio 5000 Environment 9; Terminology 10; Additional Resources 10. This manual is intended to describe the GuardLogix 5570 controller system, which is type-approved and certified for use in safety applications up to and including SIL CL 3 according to IEC 61508 and IEC 62061, and in safety applications up to and including Performance Level PLe/Category 4 according to ISO 13849-1. Use this manual if you are responsible for the development, operation, or maintenance of a GuardLogix 5570
3. [Figure residue: CIP Safety I/O module on an Ethernet network; actuator; SIL 3 Compact GuardLogix System.] (Page 15.) Chapter 1, Safety Integrity Level (SIL) Concept: GuardLogix System Components. The tables in this section list SIL 3-certified GuardLogix components and non-SIL 3-certified components that can be used with SIL 3 GuardLogix systems. For the most current list of GuardLogix controller and CIP Safety I/O devices, certified series, and firmware versions, see http://www.rockwellautomation.com/products/certification/safety. Firmware versions are available at http://support.rockwellautomation.com/ControlFLASH. Table 2, SIL 3-certified GuardLogix Components (Device Type, Cat. No., Description, Related Documentation: Installation Instructions, User Manual):
   1756-L71S, controller with 2 MB standard / 1 MB safety memory.
   1756-L72S, controller with 4 MB standard / 2 MB safety memory.
   1756-L73S, controller with 8 MB standard / 4 MB safety memory.
   1756-L73SXT, controller XT with 8 MB standard / 4 MB safety memory.
   The primary controllers above (1756 GuardLogix / ControlLogix 5570S) are used with the Studio 5000 environment, version 21 or later, or with RSLogix 5000 software, version 20 and earlier; user manual 1756-UM022.
   1756-L7SP, safety partner; user manual 1756-UM
4. On-to-Off and Off-to-On delay settings for each input channel (if applicable).
   Safety Input Connection Reaction Time Limit: Safety Task Period and Safety Task Watchdog; input device settings for Requested Packet Interval (RPI), Timeout Multiplier, and Delay Multiplier; the amount of network communication traffic; the EMC environment of the system.
   Safety Task Period setting; Safety Task Watchdog setting; the number and execution time of instructions in the safety task; any higher-priority tasks that may pre-empt safety task execution.
   Produced/Consumed Safety Connection Reaction Time Limit: consumed tag settings for RPI, Timeout Multiplier, and Delay Multiplier; the amount of network communication traffic; the EMC environment of the system.
   Output Connection Reaction Time Limit: Safety Task Period setting; output device settings for Timeout Multiplier and Delay Multiplier; the amount of network communication traffic; the EMC environment of the system; output module delay; output module reaction time.
   The following sections describe how to access data or settings for many of these factors. Accessing Guard I/O Input Module Delay Time Settings: to configure input module delay time in the Logix Designer application, follow these steps. 1. In the configuration tree, right-click your Guard I/O module and choose Properties. 2. Click the Input Configuration tab.
5. (Page 82; Appendix C, Reaction Times.) 3. Adjust the input delay time as required for your application. [Screenshot residue: Module Properties dialog for a 1791ES-IB8XOBV4 Guard I/O module, Input Configuration tab, showing per-point Type, Point Operation Type, Discrepancy Time, and Input Delay Time (Off-to-On, On-to-Off) settings, and an Input Error Latch Time of 10 ms; status Offline.] Access Input and Output Safety Connection Reaction Time Limit. The Connection Reaction Time Limit is defined by these three values (Value, Description):
   Requested Packet Interval (RPI): how often the input and output packets are placed on the wire (network).
   Timeout Multiplier: essentially the number of retries before timing out.
   Network Delay Multiplier: accounts for any known delays on the
6. [Flowchart residue: Attach to Controller and Download; Test the Application Program; Generate Safety Task Signature; Safety Validation / Independent Review; Project Valid? Yes; Lock the Controller.] (Page 61, Chapter 6, Safety Application Development; page 62, Notes.) Chapter 7, Monitor Status and Handle Faults: Monitoring System Status; GuardLogix System Faults (page 66). The GuardLogix architecture provides you with many ways of detecting and reacting to faults in the system. The first way that you can handle faults is to make sure that you have completed the checklists for your application (see Appendix D). You can view the status of safety tag connections. You can also determine current operating status by interrogating various device objects. It is your responsibility to determine what data is most appropriate to initiate a shutdown sequence. CONNECTION_STATUS Data: the first member of the tag structure associated with safety input data and produced/consumed safety tag data contains the status of the connection. This member is a pre-defined data type called CONNECTION_STATUS. [Figure 17, Data Type dialog box: Name MyProducedConsumedSafetyType; first member CONNECTION_STATUS, followed by a DINT.]
7. (Controller operating modes, continued.) Safety task logic is being scanned; primary and partner controllers process logic and cross-compare logic outputs; logic outputs are written to safety outputs.
   Run, Locked, no signature (PLd/Cat. 3, control reliable, SIL CL 2): new forces are not allowed; existing forces are maintained. Online editing is not allowed. Safety memory is protected (read-only). Safety task logic is scanned. Primary and partner controllers process logic and cross-compare logic outputs. Logic outputs are written to safety outputs.
   Run, Unlocked, with signature (PLe/Cat. 4, control reliable, SIL CL 3): forces are not allowed; they must be removed to generate a safety task signature. Online editing is not allowed. Safety memory is protected (read-only). Safety task logic is scanned. Primary and partner controllers process logic and cross-compare logic outputs. Logic outputs are written to safety outputs. The safety task signature is unprotected and can be deleted by anyone who has access to the controller.
   Run, Locked, with signature (PLe/Cat. 4, control reliable, SIL CL 3): forces are not allowed; they must be removed to generate a safety task signature. Online editing is not allowed. Safety memory is protected (read-only). Safety task logic is scanned. Primary and partner controllers process logic and cross-compare logic outputs. Logic outputs are written to safety outputs. The safety task signature is protected; users must enter the unlock password to unlock the controller before
8. [Screenshot residue: Module Properties dialog, Connection tab: Requested Packet Interval (RPI) 20 ms for the Safety Output connection; Inhibit Module check box; Major Fault On Controller If Connection Fails While in Run Mode; Module Fault; status Offline.] The device is inhibited whenever the check box is checked. If a communication device is inhibited, all downstream devices are also inhibited. The following rules apply to changing your safety application program in the Logix Designer application:
   Only authorized, specially trained personnel can make program edits. These personnel should use all supervisory methods available, for example, the controller keyswitch and software password protections.
   When authorized, specially trained personnel make program edits, they assume the central safety responsibility while the changes are in progress. These personnel must also maintain safe application operation.
   When editing online, you must use an alternate protection mechanism to maintain the safety of the system.
   You must sufficiently document all program edits, including the following: authorization, impact analysis, execution, test information, and revision information.
   If online edits exist only in the standard routines, those edits are not required to be validated before returning to normal operation.
   You must make sure that changes to the standard routine with respect to timing and tag mapping are acceptable t
9. Index (A to H): application development basics 50; application program, changing 59 (see program); burner-related safety functions 101; certifications 18; changing your application program 59; chassis, catalog numbers 17, hardware overview 22; checklist, GuardLogix controller system 25, 88, program development 91, SIL 3 inputs 89, SIL 3 outputs 90; CIP Safety protocol, definition 105, overview 22, routable system 33; commissioning life cycle 51; communication modules, catalog numbers 17, hardware overview 23; configuration signature 29; connection status 64; CONNECTION_STATUS data type 63; control and information protocol, definition 10; control function specification 52; ControlNet bridge module, hardware overview 23; DeviceNet Safety communication, overview 24; DeviceNet scanner interface module, hardware overview 23; diagnostic coverage, definition 10; EN 50156 101; EN 954-1 CAT 4 9, 13; EtherNet/IP communication, overview 23; EtherNet/IP communication interface module, hardware overview 23; European norm, definition 10; faults, nonrecoverable controller faults 66, nonrecoverable safety faults 66, overriding 66, recoverable 67, 106; firmware revisions 17; forcing 58; get system value (GSV), definition 10; GSV instructions 65; Guard I/O modules, SIL 2 applications 103; hard faults, recovery 66; human-to-machine
10. Index (R to S, continued): recoverable faults 67, 106; reliability burden 19; requested packet interval, definition 106, range 42; RSLogix 5000 software 17; safety application instructions, definition 106; safety certifications and compliances 18; safety concept assumptions 49; safety consumed tags, safety network number 35; safety functions, CIP Safety I/O 27, Safety Output 28; safety instruction signature 76, definition 106; Safety Integrity Level (SIL), compliance distribution and weight 19, function example 16, policy 13, 20; Safety Integrity Level (SIL) 3 certification, Logix components 16, TUV Rheinland 14, user responsibilities 14; Safety Integrity Level 3 (SIL 3) certification 9, 13, 76; safety network number 34, definition 106, manual assignment 34, out-of-box modules 36, safety consumed tags 35; safety partner, definition 106, hardware overview 22, location 22; safety program 45, definition 107; safety routine 45, definition 107; safety tags 46, definition 107, valid data types 46; safety task, definition 107, execution 42, overview 41, priority 84, reaction time 20, 107, watchdog time 84; safety task period 20, definition 107, limitations 41, overview 20; safety task signature, definition 107, deleting 54, generating 53, restricted operations 54; safety task watchdog 20, definition 107, modifying 20, overview 20, setting 20, timeout 41; safety-locking 56, default 56, passwords 56, restricted operations 56; Secure Digital (SD) card 17; set system variable (SSV) in
11. (Pages 63 to 64; Chapter 7, Monitor Status and Handle Faults.) The first two bits of the CONNECTION_STATUS data type contain a device's RunMode and ConnectionFaulted status bits. The following table describes the combinations of the RunMode and ConnectionFaulted states. Table 8, Safety Connection Status (RunMode status, ConnectionFaulted status, Safety Connection Operation):
   RunMode 1 (Run), ConnectionFaulted 0 (Valid): data is actively being controlled by the producing device; the producing device is in Run mode.
   RunMode 0 (Idle), ConnectionFaulted 0 (Valid): the connection is active and the producing device is in the Idle state; the safety data is reset to zero.
   RunMode 0 (Idle), ConnectionFaulted 1 (Faulted): the safety connection is faulted; the state of the producing device is unknown; the safety data is reset to zero.
   RunMode 1, ConnectionFaulted 1: invalid state.
   ATTENTION: Safety I/O connections and produced/consumed connections cannot be automatically configured to fault the controller if a connection is lost and the system transitions to the safe state. Therefore, if you need to detect a device fault to be sure that the system maintains SIL 3, you must monitor the Safety I/O CONNECTION_STATUS bits and initiate the fault via program logic.
   Input and Output Diagnostics: Guard I/O modules provide pulse test and monitoring capabilities. If the module detects a failure, it sets the offending input or output to its safety state and reports the failure to the controller. The failure indication is made via input or output s
12. Chapter 5, Characteristics of Safety Tags, the Safety Task, and Safety Programs (Topic, Page): Differentiate between Standard and Safety 37; SIL 2 Safety Applications 38; SIL 3 Safety: the Safety Task 41; Use of Human-to-machine Interfaces 43; Safety Programs 45; Safety Routines 45; Safety Tags 46. Differentiate between Standard and Safety: because it is a Logix series controller, both standard (non-safety-related) and safety-related components can be used in the GuardLogix control system. You can perform standard automation control from standard tasks within a GuardLogix project. GuardLogix controllers provide the same functionality as other ControlLogix series controllers. What differentiates GuardLogix controllers from standard controllers is that they provide a SIL 3-capable safety task. However, a logical and visible distinction is required between the standard and safety-related portions of the application. The Logix Designer application provides this differentiation via the safety task, safety programs, safety routines, safety tags, and safety I/O devices. You can implement both SIL 2 and SIL 3 levels of safety control with the safety task of the GuardLogix controller. (Page 37.) SIL 2 Safety Applications (page 38): you can perform SIL 2 safety control by using the GuardLogix controller
13. Table of Contents (continued). Chapter 4, CIP Safety and the Safety Network Number: Routable CIP Safety Control System 33; Unique Node Reference 34; Safety Network Number 34; Considerations for Assigning the Safety Network Number (SNN) 35; Safety Network Number (SNN) for Safety Consumed Tags 35; Safety Network Number (SNN) for Out-of-box Devices 36; Safety Network Number (SNN) for Safety Device with a Different Configuration Owner 36; Safety Network Number (SNN) When Copying a Safety Project 36. Chapter 5, Characteristics of Safety Tags, the Safety Task, and Safety Programs: Differentiate between Standard and Safety 37; SIL 2 Safety Applications 38; SIL 2 Safety Control in the Safety Task 38; SIL 2 Safety Control in Standard Tasks 40; SIL 3 Safety: the Safety Task 41; Safety Task Limitations 41; Safety Task Execution Details 42; Use of Human-to-machine Interfaces 43; Precautions 43; Accessing Safety-related Systems 44; Safety Programs
14. [Flowchart residue: All Tests Pass? No / Yes; Record Safety Task Signature; Safety Validate Project; Project Valid.] Appendix B, Safety Add-On Instructions. Create Add-On Instruction Test Project: you must create a unique test project specifically to create and test the safety Add-On Instruction. This project must be a separate and dedicated project to minimize any unexpected influences. Follow the guidelines for projects that are described in Create the Project on page 53. Create a Safety Add-On Instruction: for guidance on how to create Add-On Instructions, refer to the Logix5000 Controllers Add-On Instruction Programming Manual, publication 1756-PM010. Generate Instruction Signature: the instruction signature lets you quickly determine if the instruction has been modified. Each Add-On Instruction can have its own signature. The instruction signature is required when an Add-On Instruction is used in safety-related functions and can sometimes be required for regulated industries. Use it when your application calls for a higher level of integrity. The instruction signature consists of an ID number and time stamp that identifies the contents of the Add-On Instruction at a given point in time. Once generated, the instruction signature seals the Add-On Instruction, which prevents it from being edited while the signature is in place. This
15. ...On Instruction is valid and you can continue with the validation of your application. (Page 77; Appendix B, Safety Add-On Instructions; Additional Resources, page 78.) Test the Application Program: this step consists of any combination of Run and Program mode, online or offline program edits, upload and download, and informal testing that is required to get an application to run properly. Project Verification Test: perform an engineering test of the application, including the safety system. See Project Verification Test on page 54 for more information on requirements. Safety Validate Project: an independent third-party review of the safety system may be required before the system is approved for operation. An independent third-party validation is required for IEC 61508 SIL 3. For more information on how to use Add-On Instructions, refer to these publications (Resource, Description): Logix5000 Controllers Add-On Instructions Programming Manual, publication 1756-PM010, provides information on how to plan, create, use, import, and export Add-On Instructions in RSLogix 5000 applications; Import/Export Project Components Programming Manual, publication 1756-PM019, contains detailed information on how to import and export project components. Appendix C, Reaction Times: System Reaction Time; Logix Syst
16. [Screenshot residue: Controller Properties dialog with tabs System Protocol, User Protocol, Major Faults, Minor Faults, Date/Time, Advanced, File, Safety, Memory; Safety Application: Unlocked (Safety Lock/Unlock); Safety Status; Safety Signature: Generate, ID none, Date, Time, Delete; When replacing Safety I/O: Configure Only When No Safety Signature Exists / Configure Always.] Configure Only When No Safety Signature Exists: this setting instructs the GuardLogix controller to configure a safety device only when the safety task does not have a safety task signature and the replacement device is in an out-of-box condition, meaning that a safety network number does not exist in the safety device. If the safety task has a safety task signature, the GuardLogix controller configures the replacement CIP Safety I/O device only if the following is true: the device already has the correct safety network number; the device electronic keying is correct; the node or IP address is correct. (Chapter 3, CIP Safety I/O for the GuardLogix Control System.) Configure Always: the GuardLogix controller always attempts to configure a replacement CIP Safety I/O device if the device is in an out-of-box condition, meaning that a safety network number does not exist in the replacement safety device, and the node number and I/O device keying match the controller's configuration. Safety co
17. ...contact Customer Support for initial help in getting your product up and running. United States or Canada: 1-440-646-3434. Outside United States or Canada: use the Worldwide Locator at http://www.rockwellautomation.com/rockwellautomation/support/overview.page, or contact your local Rockwell Automation representative. New Product Satisfaction Return: Rockwell Automation tests all of its products to help ensure that they are fully operational when shipped from the manufacturing facility. However, if your product is not functioning and needs to be returned, follow these procedures. United States: contact your distributor. You must provide a Customer Support case number (call the phone number above to obtain one) to your distributor to complete the return process. Outside United States: please contact your local Rockwell Automation representative for the return procedure. Documentation Feedback: your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete this form, publication RA-DU002, available at http://www.rockwellautomation.com/literature. Rockwell Automation maintains current product environmental information on its website at http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page. Rockwell Otomasyon Ticaret A.Ş., Kar Plaza İş Merkezi E Blok Kat:6 34752 İçerenköy, İstanbul, T
18. ...data and parameters. For more information on how HMI devices fit into a typical SIL loop, see Figure 1 on page 15. Use sound techniques in the application software within the HMI and controller. (Page 43; Chapter 5, Characteristics of Safety Tags, the Safety Task, and Safety Programs.) Accessing Safety-related Systems: HMI-related functions consist of two primary activities, reading and writing data. Reading Parameters in Safety-related Systems: reading data is unrestricted because reading doesn't affect the behavior of the safety system. However, the number, frequency, and size of the data being read can affect controller availability. To avoid safety-related nuisance trips, use good communication practices to limit the impact of communication processing on the controller. Do not set read rates to the fastest rate possible. Changing Parameters in SIL-rated Systems: a parameter change in a safety-related loop via an external device (that is, a device outside the safety loop, for example an HMI) is allowed only with the following restrictions: only authorized, specially trained personnel (operators) can change the parameters in safety-related systems via HMIs; the operator who makes changes in a safety-related system via an HMI is responsible for the effect of those changes on the safety loop; you must clearly document variables that are to be changed; you must use a
19. ...displays the fault status, and all device data is set to the safe state (0). For information on how to use GuardLogix safety application instructions, see Appendix F of this manual and the GuardLogix Safety Application Instructions Safety Reference Manual, publication 1756-RM095. Get System Value (GSV) and Set System Value (SSV) Instructions: the GSV and SSV instructions let you get (GSV) and set (SSV) controller system data stored in device objects. When you enter a GSV/SSV instruction, the programming software displays the valid object classes, object names, and attribute names for each instruction. Restrictions exist for using the GSV and SSV instructions with safety components. IMPORTANT: the safety task cannot perform GSV or SSV operations on standard attributes. The attributes of safety objects that can be written by the standard task are for diagnostic purposes only; they do not affect safety task execution. For more information on which safety attributes are accessible via GSV and SSV instructions, refer to the GuardLogix 5570 Controllers User Manual, publication 1756-UM022. For general information on using GSV and SSV instructions, refer to the Logix5000 Controllers General Instructions Reference Manual, publication 1756-RM003. (Page 65; Chapter 7, Monitor Status and Handle Faults.) GuardLogix System Faults (page 66): faults in the GuardLogix system fall into these three categor
20. ...element PFH for each safety loop in the simple example system that is shown in the PFH Example, sum the PFH values for each component in the loop. The PFH Equations by Safety Loop table provides a simplified example of PFH value calculations for each safety loop that is shown in the PFH Example illustration. Table 4, PFH Equations by Safety Loop (For This Loop, Sum the PFH Values of These Components): total PFH for loop 1 = 1791DS-IB12 + GuardLogix controller + 1791DS-IB4X0X4; total PFH for loop 2 = 1791DS-IB8X0B8 + GuardLogix controller + 1791DS-IB4X0X4. When calculating PFH values, you must take into account the specific requirements of your application, including test intervals. The GuardLogix controller and I/O system can conservatively be assumed to contribute 10% of the reliability burden. A SIL 3 system may need to incorporate multiple inputs for critical sensors and input devices, as well as dual outputs connected in series to dual actuators, dependent on SIL assessments for the safety-related system. [Figure 3, Reliability Burden: sensor; input module, controller, output module (10% of the PFD); 50% of the PFD.] The system reaction time is the amount of time from a safety-related event as an input to the system until the system sets corresponding outputs to their safe state. Faults within the system can also affect the r
21. ...from within the safety task. The safety task is a periodic, timed task with a user-selectable task priority and watchdog. In most cases it is the controller's top priority, and the user-defined program watchdog must be set to accommodate fluctuations in the execution of the safety task. Safety Task Limitations: you specify both the safety task period and the safety task watchdog. The safety task period is the period at which the safety task executes. The safety task watchdog is the maximum time that is allowed from the start of safety task scheduled execution to its completion. For more information on the safety task watchdog, see Appendix C, Reaction Times. The safety task period is limited to a maximum of 500 ms and cannot be modified online. Make sure that the safety task has enough time to finish before it is triggered again. A safety task watchdog timeout (a nonrecoverable safety fault in the GuardLogix controller) occurs if the safety task is triggered while it is still executing from the previous trigger. See Chapter 7, Monitor Status and Handle Faults, for more information. (Page 41; Chapter 5, Characteristics of Safety Tags, the Safety Task, and Safety Programs.) Safety Task Execution Details: the safety task executes in the same manner as standard periodic tasks, with the following exceptions. The safety task does not begin executing until the primary controller and sa
22. ...instructions, see Appendix A. ATTENTION: to preserve SIL 3, you must make sure that your safety logic does not attempt to read or write standard tags. (Page 45; Chapter 5, Characteristics of Safety Tags, the Safety Task, and Safety Programs.) Safety Tags (page 46): the GuardLogix control system supports the use of both standard and safety tags in the same project. However, the programming software operationally differentiates standard tags from safety tags. Safety tags have all of the attributes of standard tags, with the addition of mechanisms to provide SIL 3 data integrity. Table 6, Valid Data Types for Safety Tags: AUX_VALVE_CONTROL, BOOL, CAM_PROFILE, CAMSHAFT_MONITOR, B_CONTINUOUS_MODE, B_CRANKSHAFT_POS_MONITOR, B_INCH_MODE, B_SINGLE_STROKE_MODE, CONFIGURABLE_ROUT, CONNECTION_STATUS, CONTROL, COUNTER, DCA_INPUT, DC_MONITOR, DC_START, DCL_STOP, DC_STOP_TEST, DC_STOP_TEST_LOCK, DC_STOP_TEST_MUTE, DINT, DIVERSE_INPUT, EIGHT_POS_MODE_SELECTOR, EMERGENCY_STOP, ENABLE_PENDANT, EXT_ROUTINE_CONTROL, EXT_ROUTINE_PARAMETERS, BD_BIT_FIELD_DISTRIBUTE, FBD_CONVERT, FBD_COUNTER, FBD_LOGICAL, BD_MASK_EQUAL, BD_MASKED_MOVE, FBD_TIMER, FIVE_POS_MODE_SELECTOR, INT, LIGHT_CURTAIN, MAIN_VALVE_CONTROL, MANUAL_VALVE_CONTROL, MUTING_FOUR_SENSOR_BIDIR, MUTING_TWO_SENSOR_ASYM, MUTING_TWO_SENSOR_SYM, MOTION_INSTRUCTION, PHASE, PHASE_INSTR
23. Index (H to R, continued): interfaces, use and application 43, 45; I/O modules, replacement 29, 31; IEC 61508, Safety Integrity Level 3 (SIL 3) certification 9, 13, 76; inhibiting a module 58; installing a controller 21; instruction signature 75, definition 105; interface (HMI), use and application 43, 45; ISO 13849-1 9, 13; ladder logic, safety instructions 70; Logix components, SIL 3 certified 16; Logix system reaction time, calculating 80; mapping tags 47; memory card 17; nonrecoverable controller faults 66, 105; nonrecoverable safety faults 66, 105, restarting the safety task 66; offline edits 60; online, definition 105; online editing 57, 60; output delay time 28; overlap, definition 105; ownership 29; partnership, definition 105; peer-to-peer communication 23; pending edits 57; Performance Level, definition 10; period task, definition 106; PLe 9, 13; power supplies 17, hardware overview 22; primary controller, definition 106, hardware overview 22; probability of failure on demand (PFD) 18, 19, definition 10; probability of failure per hour (PFH) 18, 19, definition 10; program, checklist 91, download 56, editing life cycle 61, identification 53, offline editing 60, online editing 60, upload 57, verification 54; project confirmation 55; project verification test 54, 78; proof tests 14; qualifying standard data 47; reaction time, calculating for system 79, safety task 20, system 19
24. Glossary (continued). ...logic. A safety tag has all the attributes of a standard tag, except that the GuardLogix controller provides mechanisms that are certified to SIL 3 to help protect the integrity of its associated data. Safety tags can be program-scoped or controller-scoped. A safety task has all the attributes of a standard task, except that it is valid only in a GuardLogix controller and that it can schedule only safety programs. Only one safety task can exist in a GuardLogix controller. The safety task must be a periodic, timed task. The period at which the safety task executes. The sum of the safety task period plus the safety task watchdog; this time is the worst-case delay from any input change that is presented to the GuardLogix controller until the processed output is available to the producing connection. A value, calculated by the firmware, that uniquely represents the logic and configuration of the safety system; it is used to verify the integrity of the safety application program during downloads to the controller. The maximum time that is allowed from the start of safety task execution to its completion; exceeding the safety task watchdog triggers a nonrecoverable safety fault. Any object (task, tag, program, and so on) that is not marked as being a safety-related item. As used in this document, standard controller refers generically to a ControlLogix controller. A method of addressing that provides an ASCII interpretation of the tag n
...of a recoverable fault that is not recovered. If a recoverable safety fault is overridden in the controller-scoped fault handler, only the standard tasks keep running. If the fault is not overridden, the standard tasks are also shut down.

ATTENTION: Overriding the safety fault does not clear it. If you override the safety fault, it is your responsibility to prove that doing so maintains SIL 3.

Appendix A: Safety Instructions

For the latest information, see our safety certificates at http://www.rockwellautomation.com/products/certification/safety

Table 9 and Table 10 list the safety application instructions that are certified for use in SIL 3 applications.

Table 9: General Safety Application Instructions
Mnemonic | Name | Purpose | Certification
CROUT | Configurable Redundant Output | Controls and monitors redundant outputs | BG, TÜV
DCA | Dual Channel Input Analog (integer version) | Monitors two analog values for deviation and range tolerance | TÜV
DCAF | Dual Channel Input Analog (floating-point version) | Monitors two analog values for deviation and range tolerance | TÜV
DCS | Dual Channel Input Stop | Monitors dual-input safety devices whose main purpose is to provide a stop function, such as an E-stop, light curtain, or gate switch | BG, TÜV
DCST | Dual Channel Input Stop With T
...planning guides, the checklists can be saved as a record of the plan. The checklists on the following pages provide a sample of safety considerations and are not intended to be a complete list of items to verify. Your particular safety application can have additional safety requirements, for which space is provided in the checklists.

TIP: Make copies of the checklists and keep these pages for future use.

Appendix D: Checklists for GuardLogix Safety Applications

Checklist for GuardLogix Controller System

Checklist for GuardLogix System
Company / Site / Safety Function Definition

System requirements (for each item, mark Fulfilled: Yes or No, and add a comment):
1. Are you using only the components listed in "SIL 3-certified GuardLogix Components" on page 16 and on the safety certificate site (http://www.rockwellautomation.com/products/certification/safety), with the corresponding firmware release?
2. Have you calculated the system's safety response time for each safety chain?
3. Does the system's response time include both the user-defined safety task program watchdog (software watchdog time) and the safety task rate (period)?
4. Is the system response time in proper relation to the process tolerance time?
5. Have probability (PFD/PFH) values been calculated
...they can delete the safety task signature.

(1) To achieve this level, you must adhere to the safety requirements defined in this publication.

Basics of Application Development and Testing

We recommend that the application program for the intended SIL CL3 system be developed by the system integrator or by a user trained and experienced in safety applications. The developer must follow good design practices:
- Use functional specifications, including flow charts, timing diagrams, and sequence charts.
- Perform a review of safety task logic.
- Perform application validation.

Chapter 6: Safety Application Development

Commissioning Life Cycle

The flowchart below shows the steps required for commissioning a GuardLogix system. The items in bold text are explained in the following sections.

Figure 15: Commission the System (flowchart; the recovered step sequence follows)
Specify the Control Function -> Create Project (online or offline) -> Attach to Controller and Download -> Test the Application Program -> Generate Safety Task Signature -> Project Verification Test -> if modifications are required: Delete Safety Task Signature, make the modifications, and repeat the test -> Confirm the Project -> Record Safety Task Signature -> Fill out the Safety Checklists in Appendix D -> Safety Validation (Independent Review) -> Project Valid? Yes -> Lock the Controller -> End
...verification testing on the controller in the context of its new application program.

Confirm the Project

You must print or view the project and compare the uploaded safety I/O and controller configurations, safety data, and safety task program logic to make sure that the correct safety components were downloaded, tested, and retained in the safety application program. If your application program contains a safety Add-On Instruction that has been sealed with an instruction signature, you must also compare the instruction signature, date, time, and safety instruction signature to the values you recorded when you sealed the Add-On Instruction. See Appendix B, Safety Add-On Instructions, for information on creating and using safety Add-On Instructions in SIL 3 applications.

The steps below illustrate one method for confirming the project:
1. With the controller in Program mode, save the project.
2. Answer Yes to the Upload Tag Values prompt.
3. With the Logix Designer application offline, save the project with a new name, such as Offline_projectname.ACD, where projectname is the name of your project. This is the new, tested master project file.
4. Close the project.
5. Move the original project archive file out of its current directory. You can delete this file or store it in an archival location. This step is required because, if the Logix Designer application finds projectname.ACD in this directory, it will correlate it with the co
...wire. When these delays occur, timeouts can be avoided by using this parameter. By adjusting these values, you can adjust the Connection Reaction Time Limit.

To view or configure these settings, follow these steps:
1. In the configuration tree, right-click your safety I/O device and choose Properties.
2. Click the Safety tab. (The Module Properties dialog box has General, Connection, Safety, Module Info, Input Configuration, Test Output, and Output Configuration tabs. The Safety tab lists, for the Safety Input and Safety Output connection types, the Requested Packet Interval (RPI) in ms, the Connection Reaction Time Limit in ms, and the Max Observed Network Delay in ms, with an Advanced button.)
3. Click Advanced to open the Advanced Connection Reaction Time Limit dialog box.

Configuring the Safety Task Period and Watchdog

The safety task is a periodic timed task. You select the task priority and watchdog time via the Task Properties - Safety Task dialog box in your Logix Designer project. To access the safety task period and watchdog time settings, right-click the Safety Task and choose Properties. The priority of the safety task is not a safety concern, because the safety task watchdog detects the case where a higher-priority task interrupts the safety task for long enough that it misses its watchdog.
Table 2 (continued): GuardLogix Safety Controllers and CIP Safety Devices
Family | Cat. No. | Description | Publications
1756 GuardLogix 5570 | 1756-L7SPXT | Safety partner, XT | (as above)
1756 GuardLogix (1) | 1756-L61S | Controller with 2 MB standard / 1 MB safety memory (primary controller) | 1756-UM020
 | 1756-L62S | Controller with 4 MB standard / 1 MB safety memory |
 | 1756-L63S | Controller with 8 MB standard / 3.75 MB safety memory |
 | 1756-LSP | Safety partner |
1768 Compact GuardLogix (2) | 1768-L43S | Controller with support for two 1768 modules | 1768-UM002
 | 1768-L45S | Controller with support for four 1768 modules |
CIP Safety I/O modules on DeviceNet networks | 1791DS | For the most current list of certified series and firmware versions, see the safety certificate at http://www.rockwellautomation.com/products/certification/safety | 1791DS-IN001, 1791DS-IN002, 1791DS-UM001
 | 1732DS | (same) | 1732DS-IN001
CIP Safety I/O modules on EtherNet/IP networks | 1791ES | (same) | 1791ES-IN001, 1791ES-UM001
POINT Guard I/O modules | 1734 | (same) | 1734-UM013
Kinetix 5500 servo drives | Catalog numbers that end in ERS2 | For the most current list of certified series and firmware versions, see the safety certificate at http://www.rockwellautomation.com/products/certification/safety | 2198-IN001, 2198-UM001
Kinetix 5700 servo drives | | For the most current list of certified series and firmware versions, see the safety certificate at http://www.rockwellautomation.com/products/certification/safety | 2198-UM002
PowerFlex 52
Table of Contents (continued)

Safety Routines 45
Safety Tags 46
Standard Tags in Safety Routines (tag mapping) 47

Chapter 6: Safety Application Development
Safety Concept Assumptions 49
Basics of Application Development and Testing 50
Commissioning Life Cycle 51
Specification of the Control Function 52
Create the Project 53
Test the Application Program 53
Generate the Safety Task Signature 53
Project Verification Test 54
Confirm the Project 55
Safety Validation 56
Lock the GuardLogix Controller 56
Downloading the Safety Application Program 56
Uploading the Safety Application Program 57
Online Editing 57
Storing and Loading a Project from Nonvolatile Memory 58
Forcing 58
Inhibit a Device 58
Editing Your Safety Application 59
Table of Contents (continued)

Performing Offline Edits 60
Performing Online Edits 60
Modification Impact Tests 60

Chapter 7: Monitor Status and Handle Faults
Monitoring System Status 63
Connection Status Data 63
Input and Output Diagnostics 64
I/O Device Connection Status 64
De-energize to Trip System 65
Get System Value (GSV) and Set System Value (SSV) Instructions 65
GuardLogix System Faults 66
Nonrecoverable Controller Faults 66
Nonrecoverable Safety Faults 66
Recoverable Faults 67

Appendix A: Safety Instructions 69

Appendix B: Safety Add-On Instructions
Create and Use a Safety Add-On Instruction 73
Create Add-On Instruction Test Project 75
Create a Safety Add-On Instruction 75
Generate Instruction Signature 75
Download and Generate Safety Instruction Signature 76
SIL 3 Add-On Instruction Qualification Test 7
(Figure labels: 5 Safety Output Device Delay; Reaction Time Limit; Reaction Time Limit; Device Delay; CIP Safety Network)

The Logix System Reaction Time for any simple input-to-logic-to-output chain consists of these five components:
1. Safety input device reaction time, plus input delay time if applicable.
2. Safety Input Connection Reaction Time Limit. Read from the Module Properties dialog box in the Logix Designer application; this value is a multiple of the safety input device connection RPI.
3. Safety Task Period plus Safety Task Watchdog time.
4. Safety Output Connection Reaction Time Limit. Read from the Module Properties dialog box in the Logix Designer application; this value is a multiple of the safety task period.
5. Safety output device reaction time.

To aid you in determining the reaction time of your particular control loop, a Microsoft Excel spreadsheet is available in the Tools folder of the Studio 5000 environment DVD.

Appendix C: Reaction Times

Logic Chain Using Produced/Consumed Safety Tags

Figure 21: Logix System Reaction Time for an Input -> Controller A Logic -> Controller B Logic -> Output Chain (figure; recovered labels: 4 P/C Safety Connection Reaction Time Limit across the Ethernet switch and Ethernet networks; 3 Safety Task Period + Safety Task Watchdog in GuardLogix Controller A; 5 Safety Task Period + Safety Task Watchdog in the consuming controller; DeviceNet M
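The five-component sum above, and the produced/consumed variant shown in Figure 21, as an added worked example. This is not the manual's Excel spreadsheet and not Rockwell code; every time value in it is constructed for illustration. The two Connection Reaction Time Limits are taken as the numbers you read from the Module Properties dialog, as the text says, not recalculated from the RPI, and the process tolerance time is a constructed figure standing in for checklist item 4 ("is the system response time in proper relation to the process tolerance time").

```python
"""Worst-case Logix system reaction time for a GuardLogix safety chain.

Added example; not Rockwell code. All times are in milliseconds and every
value below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SafetyChain:
    """The five components of a simple input -> logic -> output chain."""
    input_device_reaction_ms: float   # 1. sensor's own reaction time ...
    input_delay_ms: float             #    ... plus Guard I/O input delay, if configured
    input_crtl_ms: float              # 2. Safety Input Connection Reaction Time Limit (from Module Properties)
    safety_task_period_ms: float      # 3. safety task period ...
    safety_task_watchdog_ms: float    #    ... plus safety task watchdog
    output_crtl_ms: float             # 4. Safety Output Connection Reaction Time Limit (from Module Properties)
    output_device_reaction_ms: float  # 5. actuator's own reaction time


def controller_reaction_ms(period_ms: float, watchdog_ms: float) -> float:
    """Component 3: the worst case is one full period plus the whole watchdog."""
    return period_ms + watchdog_ms


def simple_chain_reaction_ms(c: SafetyChain) -> float:
    """Sum of components 1..5 for a single-controller chain."""
    return (c.input_device_reaction_ms + c.input_delay_ms
            + c.input_crtl_ms
            + controller_reaction_ms(c.safety_task_period_ms, c.safety_task_watchdog_ms)
            + c.output_crtl_ms
            + c.output_device_reaction_ms)


def produced_consumed_chain_reaction_ms(c: SafetyChain, pc_crtl_ms: float,
                                        consumer_period_ms: float,
                                        consumer_watchdog_ms: float) -> float:
    """Figure 21 chain: input -> controller A -> produced/consumed safety tag
    -> controller B -> output. Two terms are added to the simple chain: the
    P/C safety connection reaction time limit and the consuming controller's
    own period plus watchdog."""
    return (simple_chain_reaction_ms(c)
            + pc_crtl_ms
            + controller_reaction_ms(consumer_period_ms, consumer_watchdog_ms))


def within_process_tolerance(reaction_ms: float, tolerance_ms: float) -> tuple:
    """Checklist item 4: the system reaction time must fit inside the process
    tolerance time. Returns (ok, headroom_ms); negative headroom means the
    chain is too slow, so period, watchdog, RPI or device choice must change."""
    return reaction_ms <= tolerance_ms, tolerance_ms - reaction_ms


# Constructed example values (not taken from any table in the manual).
EXAMPLE_CHAIN = SafetyChain(
    input_device_reaction_ms=10.0,
    input_delay_ms=0.0,
    input_crtl_ms=40.0,        # assumed: the value shown in the dialog for a 10 ms input RPI
    safety_task_period_ms=20.0,
    safety_task_watchdog_ms=15.0,
    output_crtl_ms=80.0,       # assumed: a multiple of the 20 ms safety task period
    output_device_reaction_ms=30.0,
)
EXAMPLE_PROCESS_TOLERANCE_MS = 300.0   # constructed process tolerance time


def example_report() -> dict:
    """Both chains against the constructed tolerance; returns the numbers."""
    simple = simple_chain_reaction_ms(EXAMPLE_CHAIN)
    pc = produced_consumed_chain_reaction_ms(EXAMPLE_CHAIN, pc_crtl_ms=40.0,
                                             consumer_period_ms=10.0,
                                             consumer_watchdog_ms=10.0)
    return {
        "simple_ms": simple,
        "produced_consumed_ms": pc,
        "simple_ok": within_process_tolerance(simple, EXAMPLE_PROCESS_TOLERANCE_MS),
        "pc_ok": within_process_tolerance(pc, EXAMPLE_PROCESS_TOLERANCE_MS),
    }


if __name__ == "__main__":
    print(example_report())
```

With these constructed inputs the simple chain is 195 ms and the produced/consumed chain 255 ms, both inside the 300 ms tolerance. The point the arithmetic makes visible is that the two connection reaction time limits, not the task period, dominate the worst case, so shortening the safety task period without revisiting the RPI and the limits on the Safety tab buys little.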
Table of Contents (continued)

Confirm the Project 76
Safety-Validate Add-On Instructions 77
Create Signature History Entry 77
Export and Import the Safety Add-On Instruction 77
Verify Safety Add-On Instruction Signatures 77
Test the Application Program 78
Project Verification Test 78
Safety-Validate Project 78
Additional Resources 78

Appendix C: Reaction Times
System Reaction Time 79
Logix System Reaction Time 79
Simple Input-Logic-Output Chains 80
Logic Chain Using Produced/Consumed Safety Tags 81
Factors Affecting Logix Reaction Time Components 82
Accessing Guard I/O Input Module Delay Time Settings 82
Access Input and Output Safety Connection Reaction Time Limit 83
Configuring the Safety Task Period and Watchdog

Appendix D: Checklists for GuardLogix Safety Applications
Appendix E: GuardLogix Systems Safety Data
Appendix F: RSLogix 5000 Software Version 14 and Later Safety Application Instructions
Appendix G: Using 1794 FLEX I/O Modules and 1756 SIL 2 Inputs and Outputs with 1756 GuardLogix Controllers to Comply with EN 50156
7 Adjustable Frequency AC Drives | | For the most current list of certified series and firmware versions, see the safety certificate at http://www.rockwellautomation.com/products/certification/safety | 520-UM002

(1) Certified for use with RSLogix 5000 software version 14 and versions 16 through 20. The 1756-L61S, 1756-L62S, 1756-L63S, and 1756-LSP controllers are not supported in the Studio 5000 Logix Designer application.
(2) Certified for use with RSLogix 5000 software versions 18 through 20. The 1768-L43S and 1768-L45S controllers are not supported in the Studio 5000 Logix Designer application.
(3) These publications are available from Rockwell Automation at http://www.rockwellautomation.com/literature. See the user manual for installation instructions.

Chapter 1: Safety Integrity Level (SIL) Concept

Table 3: Components Suitable for Use with 1756 GuardLogix Controller Safety Systems
Device Type | Cat. No. | Description | Series | Revision | Installation Instructions | User Manual
Chassis | 1756-A4 | 4-slot chassis | B | N/A | 1756-IN005 | N/A
 | 1756-A7 | 7-slot chassis | B | N/A | 1756-IN005 | N/A
 | 1756-A10 | 10-slot chassis | B | N/A | 1756-IN005 | N/A
 | 1756-A13 | 13-slot chassis | B | N/A | 1756-IN005 | N/A
 | 1756-A17 | 17-slot chassis | B | N/A | 1756-IN005 | N/A
 | 1756-A4LXT | 4-slot XT chassis | B | N/A | 1756-IN005 | N/A
 | 1756-A5XT | 5-slot XT chassis | B | N/A | 1756-IN005 | N/A
 | 1756-A7XT | 7-slot XT chassis | B | N/A | 1756-IN005 | N/A
 | 1756-A7LXT | 7-slot XT chassis | B | N/A | 1756-IN005 | N/A
Power supply | 1756-PA72 | Power supply, AC | C | | 1756-P
Appendix F: RSLogix 5000 Software Version 14 and Later Safety Application Instructions (end of appendix)

Appendix G: Using 1794 FLEX I/O Modules and 1756 SIL 2 Inputs and Outputs with 1756 GuardLogix Controllers to Comply with EN 50156

Topic | Page
SIL 2 Dual-Channel Inputs (standard side of GuardLogix controllers) | 101
SIL 2 Outputs Using SIL 3 Guard I/O Output Modules | 103
SIL 2 Outputs Using 1756 or 1794 SIL 2 Output Modules | 103
Safety Functions Within the 1756 GuardLogix Safety Task | 104

Dual-channel configuration is required for compliance in certain safety-related applications, including burner-related safety functions. These examples provide guidelines for satisfying EN 50156 SIL 2 dual-channel requirements with 1-year and 2-year proof-test intervals. You must implement clear and easily identifiable separation between the two input channels and adhere to all existing SIL 2 requirements as defined in Using ControlLogix in SIL 2 Applications, publication 1756-RM001.

Figure 27: SIL 2 Dual-Channel Inputs Example (figure; Channel A is fed by Voltage Transmitter A and Channel B by Voltage Transmitter B)

SIL 2 In
B72 | Power supply, DC | C | | 1756-IN005 | N/A
Power supply | 1756-PA75 | Power supply, AC | B | N/A | 1756-IN005 | N/A
 | 1756-PB75 | Power supply, DC | B | N/A | 1756-IN005 | N/A
 | 1756-PAXT | XT power supply, AC | B | N/A | 1756-IN005 | N/A
 | 1756-PBXT | XT power supply, DC | B | N/A | 1756-IN005 | N/A
Communication modules | 1756-ENBT | EtherNet/IP bridge | A | 3.006 | ENET-IN002 | ENET-UM001
 | 1756-EN2T | EtherNet/IP bridge | A | 2.005 | ENET-IN002 | ENET-UM001
 | 1756-EN2F | EtherNet/IP bridge | A | 2.005 | ENET-IN002 | ENET-UM001
 | 1756-EN2TR | EtherNet/IP bridge | C | 10.007 | ENET-IN002 | ENET-UM001
 | 1756-EN3TR | EtherNet/IP bridge | B | 10.007 | ENET-IN002 | ENET-UM001
 | 1756-EN2TXT | XT EtherNet/IP bridge, copper | C | 5.007 | ENET-IN002 | ENET-UM001
 | 1756-EN2TRXT | XT EtherNet/IP bridge | C | 10.006 | ENET-IN002 | ENET-UM001
 | 1734-AENT | POINT I/O Ethernet adapter | A | 3.001 | 1734-IN590 | 1734-UM011
 | 1756-DNB | DeviceNet bridge | A | 6.002 | DNET-IN001 | DNET-UM004
 | 1756-CN2 | ControlNet bridge | A | 12.001 | CNET-IN005 | CNET-UM001
 | 1756-CN2R | ControlNet bridge, redundant media | A | 12.001 | CNET-IN005 | CNET-UM001
 | 1756-CN2RXT | XT ControlNet bridge, redundant media | B | 20.020 | CNET-IN005 | CNET-UM001
Programming | 9324-xxxx | RSLogix 5000 software for GuardLogix 5560 controllers | N/A | 14 (1)(2) | N/A | Consult online software help
 | 9324-xxxx | RSLogix 5000 software for GuardLogix 5570 XT controllers | N/A | 20 (1) | N/A | Consult online software help
 | 9324-xxxx | Studio 5000 environment for GuardLogix 5570 XT controllers | N/A | 21 (1) | N/A | Consult online software help
Memory cards | 1784-CF128 | 128 MB CompactFlash card for GuardLogix 5560 controllers | N/A | N/A | N/A | N/A
 | 1784-SD1 | 1 GB Secure Digital (SD) card for GuardLogix 5570 controllers | N/A | N/A | N/A | N/A
 | 1784-SD2 | 2 GB Secure Digital (SD) card for GuardLogix 5570 controllers | N/A | N/A | N/A | N/A

(1) This version or later.
(2) RSLogix 5000 software version 15 does not support GuardLogix safety controllers.
(3) These publications are available from Rockwell Automation at http://www.rockwellautomation.com/literature.

You can
Table 14 (continued): PFD values (the four PFD columns correspond to the proof-test intervals of the source table; the column headings were not recovered)
Cat. No. | Description | PFD
1791ES-IB8XOBV4 | CIP Safety 8-point input, 4 bi-polar output module | 4.17E-06 | 1.04E-05 | 2.09E-05
1734-IB8S series A | CIP Safety 8-point input module | 4.23E-06 | 1.06E-05 | 2.11E-05 | 4.23E-05
1734-IB8S series B | CIP Safety 8-point input module | 4.36E-06 | 1.09E-05 | 2.18E-05 | 4.36E-05
1734-OB8S series A | CIP Safety 8-point output module | 4.27E-06 | 1.07E-05 | 2.13E-05 | 4.27E-05
1734-OB8S series B | CIP Safety 8-point output module | 4.32E-06 | 1.08E-05 | 2.16E-05 | 4.32E-05
1734-IE4S | CIP Safety 4-point analog input module, single-channel operation | 4.7E-07 | 1.2E-06 | 2.4E-06 | 4.8E-06
1734-IE4S | CIP Safety 4-point analog input module, dual-channel operation | 3.2E-07 | 8.1E-07 | 1.6E-06 | 3.3E-06

(1) This data is for single- and dual-channel operation.
(2) The 20-year PFD data for this product applies only to product with a manufacture date code of 2009/01/01 (January 1, 2009) or later. See the product label for the date code.

(Product label example, as pictured: CAT NO 1791DS-IB8XOB8, Allen-Bradley, SERIES A, DATE CODE, ART NO 10000041926, VER 00)

Appendix E: GuardLogix Systems Safety Data

PFH Values

The data below applies to proof-test intervals up to and including 20 years.

Table 15: PFH Calculation
Cat. No. | Description | PFH (1/hour)
1756-L7xS and 1756-L7SP | GuardLogix controller | 1.2E-09
1756-L7xSXT and 1756-L7SPXT | GuardLogix XT controller | 1.2E-09
1791DS-IB12 | CIP
Logix5000 control system.
- ControlNet Modules in Logix5000 Control Systems User Manual, publication CNET-UM001: Provides information on how to use the 1756-CNB module in Logix5000 control systems.
- Logix5000 Controllers Execution Time and Memory Use Reference Manual, publication 1756-RM087: Provides information on estimating the execution time and memory use for instructions.
- Logix Import/Export Reference Manual, publication 1756-RM084: Provides information on how to use the Logix Designer Import/Export utility.
- Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1: Provides general guidelines for installing a Rockwell Automation industrial system.
- Product Certifications website, http://www.ab.com: Provides declarations of conformity, certificates, and other certification details.

You can view or download publications at http://www.rockwellautomation.com/literature. To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.

Chapter 1: Safety Integrity Level (SIL) Concept

Topic | Page
SIL 3 Certification | 13
Proof Tests | 14
GuardLogix Architecture for SIL 3 Applications | 15
GuardLogix System Components | 16
GuardLogix Certi
Preface

Terminology

Table 1: Terms and Definitions. The following table defines terms that are used in this manual.
Abbreviation | Full Term | Definition
1oo2 | One out of Two | Identifies the programmable electronic controller architecture.
CIP | Common Industrial Protocol | An industrial communication protocol used by Logix5000-based automation systems on EtherNet/IP, ControlNet, and DeviceNet communication networks.
CIP Safety | Common Industrial Protocol Safety Certified | SIL 3-rated version of CIP.
DC | Diagnostic Coverage | The ratio of the detected failure rate to the total failure rate.
EN | European Norm | The official European Standard.
GSV | Get System Value | A ladder logic instruction that retrieves specified controller status information and places it in a destination tag.
PC | Personal Computer | A computer used to interface with and control a Logix-based system via the Studio 5000 environment.
PFD | Probability of Failure on Demand | The average probability of a system failing to perform its design function on demand.
PFH | Probability of Failure per Hour | The probability of a system having a dangerous failure per hour.
PL | Performance Level | ISO 13849-1 safety rating.
SNN | Safety Network Number | A unique number that identifies a section of a safety network.
SSV | Set System Value | A ladder logic instruction that sets controller system data.
Standard | | Any object (task, tag, p
 | | Monitors eight safety inputs to control one of the eight outputs that correspond to the active input | BG, TÜV
AVC | Auxiliary Valve Control | Controls an auxiliary valve that is used with a main valve | TÜV
MVC | Main Valve Control | Controls and monitors a main valve | BG, TÜV
MMVC | Maintenance Manual Valve Control | Used to manually drive a valve during maintenance operations | BG, TÜV

Routines in the safety task can use these ladder logic safety instructions.

Table 11: Ladder Logic Safety Instructions
Type | Mnemonic | Name | Purpose
Array (File) | FLL | File Fill | Fill the elements of an array with the Source value while leaving the source value unchanged
 | FSC | File Search and Compare | Compare the values in an array, element by element
 | SIZE | Size In Elements | Find the size of a dimension of an array
 | XIC | Examine If Closed | Enable outputs when a bit is set
 | XIO | Examine If Open | Enable outputs when a bit is cleared
 | OTE | Output Energize | Set a bit
 | OTL | Output Latch | Set a bit (retentive)
 | OTU | Output Unlatch | Clear a bit (retentive)
 | ONS | One Shot | Triggers an event to occur one time
 | OSR | One Shot Rising | Triggers an event to occur one time on the false-to-true (rising-edge) change of state
 | OSF | One Shot Falling | Triggers an event to occur one time on the true-to-false (falling-edge) change of state
 | TON | Timer On Delay | Time how long a timer is enabled
 | TOF | Timer Off Delay | Time how long a timer is disabled
 | RTO | Retentive
...SIL 3-capable controller. They are described in the following sections.

Both the primary controller and the safety partner perform power-up and runtime functional diagnostic tests of all safety-related components in the controller. For details on status indicator operation, refer to the GuardLogix 5570 Controllers User Manual, publication 1756-UM022.

IMPORTANT: Status indicators are not reliable indicators for safety functions. Use them only for general diagnostics during commissioning or troubleshooting. Do not attempt to use status indicators to determine operational status.

For a list of GuardLogix safety controller catalog numbers, see Table 2 on page 16. For a list of standard ControlLogix components suitable for safety applications, see Table 3 on page 17.

Chapter 2: GuardLogix Controller System

Primary Controller

The primary controller is the processor that performs standard and safety control functions and communicates with the safety partner for safety-related functions in the GuardLogix control system. The primary controller consists of a central processor, an I/O interface, and memory.

Safety Partner

To satisfy SIL 3 requirements, a safety partner must be installed in the slot immediately to the right of the primary controller. The safety partner is a co-processor that provides redundancy for safety-related functions in the system. The p
Safety 12-point input module | 5776 11
1791DS-IB16 | CIP Safety 16-point input module | 4.96E-10
1791DS-IB8XOB8 | CIP Safety 8-point input, 8-point output module | 5776 11
1791DS-IB4XOW4 | CIP Safety 4-point input, 4-point relay output module | 9.03E-09
1791DS-IB8XOBV4 | CIP Safety 8-point input, 4 bi-polar output module | 5.02E-10
1732DS-IB8XOBV4 | CIP Safety 8-point input, 4 bi-polar output module | 5.02E-10
1732DS-IB8 | CIP Safety 8-point input module | 4.96E-10
1791ES-IB16 | CIP Safety 16-point input module | 4.98E-10
1791ES-IB8XOBV4 | CIP Safety 8-point input, 4 bi-polar output module | 5.04E-10
1734-IB8S series A | CIP Safety 8-point input module | 5.10E-10
1734-IB8S series B | CIP Safety 8-point input module | 5.27E-10
1734-OB8S series A | CIP Safety 8-point output module | 5.14E-10
1734-OB8S series B | CIP Safety 8-point output module | 5.20E-10
1734-IE4S | CIP Safety 4-point analog input module, single-channel operation | 5.6E-11
1734-IE4S | CIP Safety 4-point analog input module, dual-channel operation | 3.9E-11

(1) The PFH data for this product applies only to product with a manufacture date code of 2009/01/01 (January 1, 2009) or later. See the product label for the date code.

Appendix F: RSLogix 5000 Software Version 14 and Later Safety Application Instructions

Topic | Page
De-energize to Trip System | 95
Use Connection Status Data to Initiate a Fault Programmatically | 95

When usi
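Checklist item 5 asks whether the PFD/PFH values have been calculated for the system. The following is an added worked example, not Rockwell code, of the step the tables leave to the reader: summing PFH across every element of one safety function and placing the total in its IEC 61508 band. The controller and I/O figures are the PFH values printed in Table 15 above; the sensor and actuator figures are constructed placeholders, because the manual's tables cover only the GuardLogix components while a loop PFH must include the field devices; the band limits are those of IEC 61508-1 (PFH for high-demand/continuous mode, PFD for low-demand mode).

```python
"""Sum PFH over the devices in one safety function and place the total in
its IEC 61508 band.

Added example; not Rockwell code. Controller and I/O values are copied
from Table 15 of this manual; field-device values are constructed.
"""

# IEC 61508-1 PFH bands (high-demand / continuous mode): (SIL, lower inclusive, upper exclusive)
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]
# IEC 61508-1 PFD bands (low-demand mode), same layout.
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Values copied from Table 15 (PFH per hour).
TABLE_15_PFH = {
    "1756-L7xS + 1756-L7SP": 1.2e-9,
    "1791DS-IB16": 4.96e-10,
    "1791ES-IB16": 4.98e-10,
    "1734-OB8S series A": 5.14e-10,
    "1734-IE4S dual channel": 3.9e-11,
}

# Constructed field-device figures (placeholders, not from the manual).
FIELD_DEVICE_PFH = {
    "E-stop pair (constructed)": 1.5e-9,
    "contactor pair (constructed)": 1.0e-8,
}


def sil_band(value: float, bands) -> int:
    """SIL whose band contains value; 0 if worse than SIL 1. A value below
    the SIL 4 lower limit is reported as 4, since no higher SIL exists."""
    if value >= bands[-1][2]:
        return 0
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    return 4


def loop_pfh(elements: dict) -> float:
    """The PFH of a series chain is the sum of its elements' PFH values."""
    return sum(elements.values())


def achievable_sil(elements: dict, systematic_capability: int = 3) -> int:
    """The PFH band is necessary, not sufficient: the loop is also capped by
    the lowest systematic capability (SIL CL) of its elements. A GuardLogix
    5570 system is certified to SIL CL 3, so 3 is the default cap."""
    return min(sil_band(loop_pfh(elements), PFH_BANDS), systematic_capability)


def meets_target(elements: dict, target_sil: int) -> bool:
    """True if the loop, PFH band and SIL CL cap both considered, reaches target_sil."""
    return achievable_sil(elements) >= target_sil


# Constructed loop: GuardLogix + DeviceNet safety input + POINT Guard output + field devices.
EXAMPLE_LOOP = {
    "1756-L7xS + 1756-L7SP": TABLE_15_PFH["1756-L7xS + 1756-L7SP"],
    "1791DS-IB16": TABLE_15_PFH["1791DS-IB16"],
    "1734-OB8S series A": TABLE_15_PFH["1734-OB8S series A"],
    **FIELD_DEVICE_PFH,
}

if __name__ == "__main__":
    print(f"loop PFH = {loop_pfh(EXAMPLE_LOOP):.3e} -> SIL {achievable_sil(EXAMPLE_LOOP)}")
```

Two things fall out of the numbers. The GuardLogix elements alone sum to about 2.2E-09, which sits in the SIL 4 band, yet the system is still SIL 3 because the certified SIL CL caps it; a good PFH figure never lifts a loop above its systematic capability. And once the constructed contactor pair at 1.0E-08 is added, the total (about 1.37E-08) drops into the SIL 3 band, so the field devices, not the logic solver, decide the band in practice.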
Safety Reference Manual

Allen-Bradley GuardLogix 5570 Controller Systems

Catalog Numbers 1756-L71S, 1756-L72S, 1756-L73S, 1756-L73SXT, 1756-L7SP, 1756-L7SPXT, 1756-L72EROMS; Studio 5000 Logix Designer Applications

Original Instructions. Allen-Bradley, Rockwell Software, Rockwell Automation.

Important User Information

Read this document and the documents listed in the Additional Resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with the applicable code of practice. If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment. The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability fo
...safety system.

IMPORTANT: If you assign an SNN manually, take care to make sure that system expansion does not result in duplication of SNN and node address combinations. A verification error occurs if your project contains duplicate SNN and node address combinations.

Considerations for Assigning the Safety Network Number (SNN)

The assignment of the SNN depends on factors including the configuration of the controller or CIP Safety I/O device.

SNN for Safety Consumed Tags

When a safety controller that contains produced safety tags is added to the I/O Configuration tree, the SNN of the producing controller must be entered. The SNN can be copied from the producing controller's project and pasted into the new controller being added to the I/O Configuration tree. See the GuardLogix 5570 Controllers User Manual, publication 1756-UM022, for information on how to copy and paste an SNN.

Chapter 4: CIP Safety and the Safety Network Number

SNN for Out-of-box Devices

Out-of-box CIP Safety I/O devices do not have an SNN. The SNN is set when a configuration is sent to the device by the GuardLogix controller that owns the device.

IMPORTANT: To add a CIP Safety I/O device to a configured GuardLogix system in which the SNN is already present in the GuardLogix controller, the replacement CIP Safety I/O device must have the correct SNN appl
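The duplicate-combination rule above, and checklist items 8 and 9 in Appendix D (each network has a unique SNN; each CIP Safety device is configured with the correct SNN), as an added example. This is not Logix Designer's verifier and not Rockwell code; it is a stand-alone check a practitioner can run over an exported device list before download. The device list is constructed, the SNN strings are made-up values in the form Logix Designer displays, and the SNN is treated as an opaque string rather than parsed.

```python
"""Duplicate-address check for CIP Safety devices in a GuardLogix project.

Added example; not Logix Designer's verifier. It reproduces two checks the
manual describes: the verification error on a duplicate SNN + node address
combination, and checklist item 8 (each network has its own SNN). The
device list is constructed and SNNs are opaque strings.
"""
from collections import defaultdict
from typing import NamedTuple


class SafetyDevice(NamedTuple):
    name: str      # name in the I/O Configuration tree
    network: str   # which safety network (subnet) the device sits on
    snn: str       # Safety Network Number, as displayed in Logix Designer
    node: int      # node address on that network (for example the DeviceNet node)


def duplicate_snn_node_pairs(devices):
    """Devices whose (SNN, node address) combination is not unique. Any hit
    is the condition the manual says produces a verification error."""
    by_key = defaultdict(list)
    for d in devices:
        by_key[(d.snn.strip().upper(), d.node)].append(d.name)
    return {key: names for key, names in by_key.items() if len(names) > 1}


def snn_shared_across_networks(devices):
    """Checklist item 8: an SNN that appears on more than one network, which
    is what a copied subnet looks like when nobody assigned it a new SNN.
    Same SNN on several devices of ONE network is correct, not a finding."""
    nets_per_snn = defaultdict(set)
    for d in devices:
        nets_per_snn[d.snn.strip().upper()].add(d.network)
    return {snn: sorted(nets) for snn, nets in nets_per_snn.items() if len(nets) > 1}


def project_verifies(devices) -> bool:
    """True only if neither check produces a finding."""
    return not duplicate_snn_node_pairs(devices) and not snn_shared_across_networks(devices)


# Constructed example: two DeviceNet safety subnets behind one GuardLogix,
# the second subnet copied from the first without a new SNN.
EXAMPLE_DEVICES = [
    SafetyDevice("EStop_Cell1", "DNet_A", "3E5D_0311_0AEE", 3),
    SafetyDevice("Gate_Cell1",  "DNet_A", "3E5D_0311_0AEE", 4),  # same SNN, other node: fine
    SafetyDevice("EStop_Cell2", "DNet_B", "3E5D_0311_0AEE", 3),  # copied subnet: both findings
    SafetyDevice("Gate_Cell2",  "DNet_B", "3E5D_0311_0AEE", 5),
]


def corrected_example():
    """The same list after the second subnet receives its own (constructed) SNN."""
    return [d if d.network == "DNet_A" else d._replace(snn="3E5D_0311_0AEF")
            for d in EXAMPLE_DEVICES]


if __name__ == "__main__":
    print("duplicates:", duplicate_snn_node_pairs(EXAMPLE_DEVICES))
    print("shared SNN:", snn_shared_across_networks(EXAMPLE_DEVICES))
    print("corrected project verifies:", project_verifies(corrected_example()))
```

On the constructed list the first check flags EStop_Cell1 and EStop_Cell2 (same SNN, node 3 on both), which is the verification error the manual warns about; the second check flags the SNN itself as being used on two networks, which the verifier will not notice once the node addresses differ, yet it is exactly the condition checklist item 8 exists to catch. Giving DNet_B its own SNN clears both.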
Timer On | Accumulate time
 | CTU | Count Up | Count up
 | CTD | Count Down | Count down
 | RES | Reset | Reset a timer or counter

Table 11: Ladder Logic Safety Instructions (continued)
Type | Mnemonic | Name | Purpose
Compare | EQU | Equal To | Test whether two values are equal
 | GEQ | Greater Than Or Equal To | Test whether one value is greater than or equal to a second value
 | GRT | Greater Than | Test whether one value is greater than a second value
 | LEQ | Less Than Or Equal To | Test whether one value is less than or equal to a second value
 | LES | Less Than | Test whether one value is less than a second value
 | MEQ | Masked Comparison for Equal | Pass the source and compare values through a mask and test whether they are equal
 | NEQ | Not Equal To | Test whether one value is not equal to a second value
 | LIM | Limit Test | Test whether a value falls within a specified range
Move | CLR | Clear | Clear a value
 | COP | Copy | Copy a value
 | MOV | Move | Copy a value
 | MVM | Masked Move | Copy a specific part of an integer
 | SWPB | Swap Byte | Rearrange the bytes of a value
 | AND | Bitwise AND | Perform a bitwise AND operation
 | NOT | Bitwise NOT | Perform a bitwise NOT operation
 | OR | Bitwise OR | Perform a bitwise OR operation
 | XOR | Bitwise Exclusive OR | Perform a bitwise exclusive OR operation
 | JMP | Jump To Label | Jump over a section of logic that does not always need to b
...UCTION, REAL, REDUNDANT_INPUT, REDUNDANT_OUTPUT, SAFETY_MAT, SERIAL_PORT_CONTROL, SFC_ACTION, SFC_STEP, SFC_STOP, SINT, STRING, THRS_ENHANCED, TIMER, TWO_HAND_RUN_STATION.

The Logix Designer application prevents the direct creation of invalid tags in a safety program. If invalid tags are imported, they cannot be verified.

IMPORTANT: Aliasing between standard and safety tags is prohibited in safety applications.

Tags that are classified as safety tags are either controller-scoped or program-scoped. Controller-scoped safety tags can be read by either standard or safety logic or by other communication devices, but can be written to only by safety logic or by another GuardLogix safety controller. Program-scoped safety tags are accessible only by local safety routines, that is, routines that reside within the safety program. Tags that are associated with safety I/O and produced or consumed safety data must be controller-scoped safety tags.

IMPORTANT: Any controller-scoped safety tag is readable by any standard routine, but the update rate is based on the execution of the safety task. Thus safety tags are updated at the safety task periodic rate, which differs from standard tag behavior.

Chapter 5: Characteristics of Safety Tags, the Safety Task, and Safety Programs

Standard Tags in Safety Routines (tag mapping)

Controller-scoped standard tags can be mapped i
...according to the system's configuration?
6. Have you performed all appropriate project verification tests?
7. Have you determined how your system will handle faults?
8. Does each network in the safety system have a unique SNN?
9. Is each CIP Safety device configured with the correct SNN?
10. Have you generated a safety task signature?
11. Have you uploaded and recorded the safety task signature for future comparison?
12. After a download, have you verified that the safety task signature in the controller matches the recorded safety task signature?
13. Do you have an alternate mechanism in place to preserve the safety integrity of the system when making online edits?
14. Have you considered the checklists for using SIL inputs and outputs, which are listed on pages 89 and 90?

Checklist for Safety Inputs

For programming or startup, an individual checklist can be completed for every SIL input channel in a system. This method is the only way to make sure that the requirements are fully and clearly implemented. This checklist can also be used as documentation of the connection of external wiring to the application program.

Input Checklist for GuardLogix System
Company / Site / Safety Function Definition
SIL Input Ch
49. ...afety Application Instructions, be sure to configure your safety input modules as single, not equivalent or complementary. These instructions provide all dual-channel functionality necessary for PLd Cat. 3 or PLe Cat. 4 safety functions. See the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095.
    SIL 2 Safety Control in Standard Tasks
    Because of the quality and amount of diagnostics that are built into the ControlLogix series of controllers, you can perform SIL 2 safety functions from within standard tasks. This is also true for GuardLogix controllers. To perform SIL 2 safety control within a GuardLogix standard task, you must abide by the requirements that are defined in the Using ControlLogix in SIL 2 Applications Safety Reference Manual, publication 1756-RM001.
    SIL 3 Safety: the Safety Task
    Creation of a GuardLogix project automatically creates a single safety task. The safety task has these additional characteristics:
    - GuardLogix controllers are the only controllers that support the safety task.
    - The safety task cannot be deleted.
    - GuardLogix controllers support a single safety task.
    - Within the safety task, you can use multiple safety programs that are composed of multiple safety routines.
    - You cannot schedule or execute standard routines...
50. ...ame: The worst-case time from a safety-related event as input to the system, or as a fault within the system, until the time that the system is in the safe state. System Reaction Time includes sensor and actuator Reaction Times and the Controller Reaction Time.
    Glossary
    task: A scheduling mechanism for executing a program. A task provides scheduling and priority information for a set of one or more programs that execute based on certain criteria. Once a task is triggered (activated), all programs assigned (scheduled) to the task execute in the order in which they are displayed in the controller organizer.
    timeout multiplier: This value determines the number of messages that can be lost before a connection error is declared.
    valid connection: The safety connection is open and active with no errors.
    Index
    Numerics: 1734-AENT 17, 23; 1756-A10 17; 1756-A13 17; 1756-A17 17; 1756-A4 17; 1756-A5XT 17; 1756-A7 17; 1756-A7XT 17; 1756-CN2 17, 23; 1756-CN2R 17, 23; 1756-CN2RXT 17, 23; 1756-DNB 17, 23; 1756-EN2F 17, 23; 1756-EN2T 17, 23; 1756-EN2TR 23; 1756-EN2TXT 17, 23; 1756-EN3TR 23; 1756-ENBT 17, 23; 1756-PB72 17; 1756-PB75 17; 1768-CNB 23; 1768-CNBR 23; 1768-ENBT 23; 1784-CF128 17; 1784-SD1 17; 1784-SD2 17
    A: Add-On Instruction: certify 73; instruction signature 75; safety instruction signature 76. Agency certifications 18
51. ...annels
    Input Device Requirements (Fulfilled: Yes/No; Comment):
    1. Have you followed installation instructions and precautions to conform to applicable safety standards?
    2. Have you performed project verification tests on the system and devices?
    3. Are control, diagnostics, and alarm functions performed in sequence in application logic?
    4. Have you uploaded and compared the configuration of each device to the configuration sent by the configuration tool?
    5. Are devices wired in compliance with PLe Cat. 4 according to ISO 13849-1?
    6. Have you verified that the electrical specifications of the sensor and input are compatible?
    Note 1: For information on how to wire your CIP Safety I/O device, refer to the product documentation for your specific device.
    Checklist for Safety Outputs
    For programming or startup, an individual requirement checklist must be completed for every SIL output channel in a system. This method is the only way to make sure that the requirements are fully and clearly implemented. This checklist can also be used as documentation on the connection of external wiring to the application program.
    Output Checklist for GuardLogix System (Company, Site, Safety Function Definition)
52. ...Node30:I.Pt03Data (tail of the preceding ladder diagram)
    Appendix F: RSLogix 5000 Software Version 14 and Later Safety Application Instructions
    Figure 24: Ladder Logic Example 2
    Node 30 is an 8-point input, 8-point output combination module. Node 31 is a 12-point input module.
    Rung 0: If the input status is not OK, then latch the inputs-faulted indication. Tags: Node30:I.InputStatus, Node30InputsFaulted; Node31:I.CombinedStatus, Node31InputsFaulted.
    Rung 1: If the rising edge of the fault reset signal is detected and the input status is OK, then unlatch the inputs-faulted indication. Tags: FaultReset, InputFaultResetOneShot, Node30:I.InputStatus, Node30InputsFaulted; Node31:I.CombinedStatus, Node31InputsFaulted.
    Rung 2: If the inputs do not have a fault, then write the input tag values to the internal representations of the inputs. Tags: Node30InputsFaulted; Node30:I.Pt00Data to Node30Input00, Node30:I.Pt01Data to Node30Input01, ... Node30:I.Pt07Data to Node30Input07.
    Rung 3: If the inputs do not have a fault, then write the input tag values to the internal representations of the inputs. Tags: Node31InputsFaulted; Node31:I.Pt00Data to Node31Input00, Node31:I.Pt01Data to Node31Input01, ... Node31:I.Pt11Data to Node31Input11.
    If the inputs-faulted indication is true, then set the interna...
53. Chapter 6: Safety Application Development
    Specification of the Control Function
    You must create a specification for your control function. Use this specification to verify that program logic correctly and fully addresses your application's functional and safety control requirements. The specification may be presented in a variety of formats, depending on your application. However, the specification must be a detailed description that includes the following, if applicable:
    - Sequence of operations
    - Flow and timing diagrams
    - Sequence charts
    - Program description
    - Program print-out
    - Written descriptions of the steps, with step conditions and actuators to be controlled, including the following: input definitions; output definitions; I/O wiring diagrams and references; theory of operation; matrix or table of stepped conditions and the actuators to be controlled, including the sequence and timing diagrams; definition of marginal conditions, for example, operating modes and EMERGENCY STOP
    The I/O portion of the specification must contain the analysis of field circuits, that is, the type of sensors and actuators:
    - Sensors: digital or analog
    - Signal in standard operation (dormant current principle for digital sensors: sensor OFF means no signal)
    - Determination of redundancies required for SIL levels
    - Discrepancy monitoring and visualization, including your diagn...
54. ...bility to prove that doing so maintains SIL 3.
    Chapter 7: Monitor Status and Handle Faults
    Recoverable Faults
    Controller faults caused by user programming errors in a safety program trigger the controller to process the logic contained in the project's safety program fault handler. The safety program fault handler provides the application with the opportunity to resolve the fault condition and then recover.
    ATTENTION: You must provide proof to your certifying agency that automatic recovery from recoverable faults maintains SIL 3.
    When a safety program fault handler does not exist, or the fault is not recovered by it, the controller processes the logic in the controller-scoped fault handler, terminating safety program logic execution and leaving safety I/O connections active but idle.
    IMPORTANT: When the execution of safety program logic is terminated due to a recoverable fault that is not handled by the safety program fault handler, the safety I/O connections are closed and reopened to reinitialize safety connections.
    If user logic is terminated as a result of a recoverable fault that is not recovered, safety outputs are placed in the safe state and the producer of safety consumed tags commands the consumers to place them in a safe state.
    TIP: When using safety I/O for standard applications, safety I/O will be commanded to the safe state if user logic is terminated as a result...
55. ...clear, comprehensive, and explicit operator procedure to make safety-related changes via an HMI.
    - Changes can be accepted in a safety-related system only if the following sequence of events occurs:
      a. The new variable must be sent twice, to two different tags; that is, both values must not be written with one command.
      b. Safety-related code that executes in the controller must check both tags for equivalency and make sure that they are within range (boundary checks).
      c. Both new variables must be read back and displayed on the HMI device.
      d. Trained operators must visually check that both variables are the same and are the correct value.
      e. Trained operators must manually acknowledge that the values are correct on the HMI screen, which sends a command to the safety logic that allows the new values to be used in the safety function.
      In every case, the operator must confirm the validity of the change before the changes are accepted and applied in the safety loop.
    - Test all changes as part of the safety validation procedure.
    - Sufficiently document all safety-related changes that are made via the HMI, including the following: authorization; impact analysis; execution; test information; revision information.
    - Changes to the safety-related system must com...
56. ...controller-based safety system that uses the Studio 5000 Logix Designer application, version 21.000 or later. You must read and understand the safety concepts and the requirements that are presented in this manual before operating a GuardLogix 5570 controller-based safety system. For safety requirements related to GuardLogix 5570 controllers in RSLogix 5000 projects, refer to the GuardLogix Controllers Safety Reference Manual, publication 1756-RM093.
    The Studio 5000 Automation Engineering & Design Environment combines engineering and design elements into a common environment. The first element in the Studio 5000 environment is the Logix Designer application. The Logix Designer application is the rebranding of RSLogix 5000 software and continues to be the product to program Logix5000 controllers for discrete, process, batch, motion, safety, and drive-based solutions.
    (Figure: Studio 5000 launch screen with its Create, Explore, Help, and Recent Projects panels)
    The Studio 5000 environment is the foundation for the future of Rockwell Automation engineering design tools and capabilities. The Studio 5000 environment is the one place for design engineers to develop all elements of their control system.
57. ...e User Manual, publication 520-UM002: Provides information on how to install and use PowerFlex 527 drives.
    Using ControlLogix in SIL 2 Applications Safety Reference Manual, publication 1756-RM001: Describes requirements for using ControlLogix controllers and the GuardLogix standard task in SIL 2 safety control applications.
    Logix5000 General Instruction Set Reference Manual, publication 1756-RM003: Provides information on the Logix5000 Instruction Set.
    Logix Common Procedures Programming Manual, publication 1756-PM001: Provides information on programming Logix5000 controllers, including how to manage project files, organize tags, program and test routines, and handle faults.
    Logix5000 Controllers Add-On Instructions Programming Manual, publication 1756-PM010: Provides information on how to create and use standard and safety Add-On Instructions in Logix applications.
    Resource / Description (continued):
    ControlLogix System User Manual, publication 1756-UM001: Provides information on how to use ControlLogix controllers in nonsafety applications.
    DeviceNet Modules in Logix5000 Control Systems User Manual, publication DNET-UM004: Provides information on how to use the 1756-DNB module in a Logix5000 control system.
    EtherNet/IP Modules in Logix5000 Control Systems User Manual, publication ENET-UM001: Provides information on how to use the 1756-ENBT module in a...
58. ...e a fault condition exists. If the actual input state is required for troubleshooting while the input failure is latched, use the logic shown in Ladder Logic Example 2. This logic uses internal tags that represent the inputs to be used in the application logic. While the input failure is latched, the internal tags are set to their safety state. While the input failure is not latched, the actual input values are copied to the internal tags. Use the Output Fault Latch and Reset Flowchart to determine which rungs of application logic in Ladder Logic Example 3 on page 99 are required.
    Figure 22: Input Fault Latch and Reset Flow Chart (decision nodes and actions of the flowchart): Does this safety function require operator intervention after a safety input failure? Are the inputs used to drive safety application instructions? Make sure that you select Manual Reset for the safety application instruction. Can Circuit Reset be used for operator intervention? No: write logic to latch input failure (Example Rung 0) and write logic to set inputs to safety state (Example Rungs 2 and 3). Is input fault information required for diagnostic purposes? Write logic to latch input failure (Example Rung 0) and write logic to unlatch input failure (Example Rung 1). No: Are any inputs used in an...
59. (Program Control) ...e executed, skips to the referenced label instruction.
    LBL (Label): Labels an instruction so that it can be referenced by a JMP instruction.
    JSR (Jump to Subroutine): Jump to a separate routine.
    RET (Return): Return the results of a subroutine.
    SBR (Subroutine): Pass data to a subroutine.
    TND (Temporary End): Mark a temporary end that halts routine execution.
    MCR (Master Control Reset): Disable every rung in a section of logic.
    AFI (Always False Instruction): Disable a rung.
    NOP (No Operation): Insert a placeholder in the logic.
    (Math/Compute)
    ADD (Add): Add two values.
    CPT (Compute): Perform the arithmetic operation that is defined in the expression.
    SUB (Subtract): Subtract two values.
    MUL (Multiply): Multiply two values.
    DIV (Divide): Divide two values.
    MOD (Modulo): Determine the remainder after one value is divided by a second value.
    SQR (Square Root): Calculate the square root of a value.
    NEG (Negate): Take the opposite sign of a value.
    ABS (Absolute Value): Take the absolute value of a value.
    GSV (Get System Value): Get controller status information.
    SSV (Set System Value) (4): Set controller status information.
    Footnotes: (1) Supported only on 1756-L7xS and 1756-L7xSXT controllers. For the data type REAL, a floating-point format is supported for safety routines on 1756-L7xS and 1756-L7xSXT controllers. (2) Advanced operands like SIN, COS, and TAN are not supported in safety routines. (3) The length operand must be a constant when the COP instruction is used in a safety routine. The length of the source and the destina...
60. ...eaction Times
    Appendix C: Reaction Times
    Accessing Produced/Consumed Tag Data
    To view or configure safety tag connection data, follow these steps:
    1. In the configuration tree, right-click Controller Tags and choose Edit Tags.
    2. In the Tag Editor, right-click the name of the tag and choose Edit Properties.
    3. Click Connection (Open Configuration).
    4. Click the Safety tab. (Figure: Consumed Tag Connection dialog)
    5. Click Advanced to view or edit the current settings. (Figure: Advanced Connection Reaction Time Limit Configuration dialog, showing Requested Packet Interval (RPI): 20 ms (1...500); Timeout Multiplier: 2 (1...4); Network Delay Multiplier: 200 % of RPI (10...600); Connection Reaction Time Limit: 80.0 ms; with OK, Cancel, and Help buttons)
    See the GuardLogix 5570 Controllers User Manual, publication 1756-UM022, for more information.
    Appendix D: Checklists for GuardLogix Safety Applications
    Topic / Page: Checklist for GuardLogix Controller System 88; Checklist for Safety Inputs 89; Checklist for Safety Outputs 90; Checklist for Developing a Safety Application Program 91
    The checklists in this appendix are required to plan, program, and start up a SIL 3 certified GuardLogix application. They can be used as planning guides and during project verification testing. If used as...
61. ...eaction time of the system. The system reaction time is the sum of the following reaction times: Sensor Reaction Time + Input Reaction Time + Safety Task Reaction Time + Output Reaction Time + Actuator Reaction Time. Each of the reaction times is variably dependent on factors such as the type of I/O device and the instructions that are used in the program.
    Chapter 1: Safety Integrity Level (SIL) Concept
    Safety Task Reaction Time
    The safety task reaction time is the worst-case delay from any input change that is presented to the controller until the processed output is set by the output producer. It is less than or equal to the sum of the safety task period and the safety task watchdog.
    Safety Task Period and Safety Task Watchdog
    The safety task period is the interval at which the safety task executes. The safety task watchdog time is the maximum permissible time for safety task processing. If safety task processing time exceeds the safety task watchdog time, a nonrecoverable safety fault occurs in the controller and outputs transition to the safe state (off) automatically. You define the safety task watchdog time, which must be less than or equal to the safety task period. The safety task watchdog time is set in the task properties window of the Logix Designer app...
62. ...el: (90) 216 5698400, www.rockwellautomation.com
    Power, Control and Information Solutions Headquarters
    Americas: Rockwell Automation, 1201 South Second Street, Milwaukee, WI 53204-2496 USA, Tel: (1) 414.382.2000, Fax: (1) 414.382.4444
    Europe/Middle East/Africa: Rockwell Automation NV, Pegasus Park, De Kleetlaan 12a, 1831 Diegem, Belgium, Tel: (32) 2 663 0600, Fax: (32) 2 663 0640
    Asia Pacific: Rockwell Automation, Level 14, Core F, Cyberport 3, 100 Cyberport Road, Hong Kong, Tel: (852) 2887 4788, Fax: (852) 2508 1846
    Publication 1756-RM099C-EN-P, May 2015. Supersedes Publication 1756-RM099B-EN-P, November 2014. Copyright 2015 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.
63. ...em Reaction Time
    System Reaction Time
    To determine the system reaction time of any control chain, you must add up the reaction times of all of the components of the safety chain: System Reaction Time = Sensor Reaction Time + Logix System Reaction Time + Actuator Reaction Time.
    Figure 19: System Reaction Time (the System Reaction Time spans the Sensor Reaction Time, Input Reaction Time, Safety Task Reaction Time, Output Reaction Time, and Actuator Reaction Time; within it, the Logix System Reaction Time spans the Input Device Delay, Input Connection Reaction Time Limit, Safety Task Period + Safety Task Watchdog, Output Connection Reaction Time Limit, and Output Device Delay)
    Logix System Reaction Time
    The following sections provide information on how to calculate the Logix System Reaction Time for a simple input-logic-output chain and for a more complex application that uses produced/consumed safety tags in the logic chain.
    Simple Input-logic-output Chain
    Figure 20: Logix System Worst-case Reaction Time for Simple Input to Logic to Output (components: (1) Safety Input; (2) Safety Input Connection; (3) Safety Task Period + Safety Task Watchdog in the GuardLogix Controller, via the Communication Module; (4) Safety Output Connection)
64. ...emory.
    IMPORTANT: If you unlock the controller and initiate a load from nonvolatile memory, the safety lock status, passwords, and safety task signature will be set to the values contained in nonvolatile memory once the load is complete.
    All data contained in an I/O, produced, or consumed safety tag, including CONNECTION_STATUS, can be forced while the project is safety-unlocked and no safety task signature exists. However, forces must be uninstalled, not just disabled, on all safety tags before the safety project can be safety-locked or a safety task signature can be generated. You cannot force safety tags while the project is safety-locked or when a safety task signature exists.
    TIP: You can install and uninstall forces on standard tags regardless of the safety-locked or unlocked state.
    You cannot inhibit or uninhibit CIP Safety I/O devices or producer controllers if the application program is safety-locked or a safety task signature exists. Follow these steps to inhibit a specific safety I/O device:
    1. In the Logix Designer application, right-click the device and choose Properties.
    2. On the Module Properties dialog box, click the Connection tab.
    3. Check Inhibit Connection and click Apply. (Figure: Module Properties dialog for Dnetscanner (1791DS-IB12/A 1.1), showing the General, Connection, Safety, and Module Info tabs)
    Editing Your Safety Application
65. ...er is safety-unlocked.
    - The controller has no safety forces or pending online safety edits.
    - The safety task status is OK.
    Once application program testing is complete, you must generate the safety task signature. The programming software automatically uploads the safety task signature after it is generated.
    IMPORTANT: To verify the integrity of every download, you must manually record the safety task signature after initial creation and check the safety task signature after every download to make sure that it matches the original.
    You can delete the safety task signature only when the GuardLogix controller is safety-unlocked and, if online, the keyswitch is in the REM or PROG position.
    When a safety task signature exists, the following actions are not permitted within the safety task:
    - Online or offline programming or editing of safety components
    - Forcing Safety I/O
    - Data manipulation, except through routine logic or another GuardLogix controller
    Project Verification Test
    To check your application program for adherence to the specification, you must generate a suitable set of test cases covering the application. The set of test cases must be filed and retained as the test specification. You must include a set of tests to prove the validity of the calculations (formulas) used in your application logic. Equivalen...
66. ...er systems for use in safety-related applications up to SIL CL3, in which the de-energized state is considered to be the safe state. All examples that are related to I/O included in this manual are based on achieving de-energization as the safe state for typical Machine Safety and Emergency Shutdown (ESD) Systems.
    IMPORTANT: As the system user, you are responsible for the following:
    - The setup, SIL rating, and validation of any sensors or actuators that are connected to the GuardLogix system
    - Project management and functional test
    - Access control to the safety system, including password handling
    - Programming the application and the device configurations in accordance with the information in this safety reference manual and the GuardLogix 5570 Controllers User Manual, publication 1756-UM022
    When applying Functional Safety, restrict access to qualified, authorized personnel who are trained and experienced. The safety lock function with passwords is provided in the Logix Designer application. For information on how to use the safety lock feature, refer to the GuardLogix 5570 Controllers User Manual, publication 1756-UM022.
    IEC 61508 requires you to perform various proof tests of the equipment that is used in the system. Proof tests are performed at user-defined times. For example, proof test intervals can be once a year, once every 15 years, or whatever time frame is appropriate. GuardLogix 5570 controllers have a proof test interval of...
67. ...erview
    Chapter 2: GuardLogix Controller System
    Program GuardLogix 5570 controllers by using the Studio 5000 Logix Designer application. Use the Logix Designer application to define the location, ownership, and configuration of I/O devices and controllers, and to create, test, and debug program logic. Only relay ladder logic is supported in the GuardLogix safety task. See Appendix A for information on the set of logic instructions available for safety projects.
    Authorized personnel can change a safety program, but only by using one of the processes that are described in Editing Your Safety Application on page 59.
    Chapter 3: CIP Safety I/O for the GuardLogix Control System
    Topic / Page: Overview 27; Typical Safety Functions of CIP Safety I/O Devices 27; Reaction Time 28; Safety Considerations for CIP Safety I/O Devices 29
    Overview
    Before operating a GuardLogix 5570 safety system that contains CIP Safety I/O devices, you must read, understand, and follow the installation, operation, and safety information that is provided in the publications that are listed in the SIL 3 certified GuardLogix Components tables on page 16. CIP Safety I/O devices can be connected to safety input and output devices, like sensors and actuators, that let these devices be...
68. ...est: Monitors dual-input safety devices whose main purpose is to provide a stop function, such as an E-stop, light curtain, or gate switch. It includes the added capability to initiate a functional test of the stop device. (Certification: BG, TUV)
    DCSTL, Dual Channel Input Stop With Test and Lock: Monitors dual-input safety devices whose main purpose is to provide a stop function, such as an E-stop, light curtain, or gate switch. It includes the added capability to initiate a functional test of the stop device. It can monitor a feedback signal from a safety device and issue a lock request to a safety device. (Certification: BG, TUV)
    DCSTM, Dual Channel Input Stop With Test and Mute: Monitors dual-input safety devices whose main purpose is to provide a stop function, such as an E-stop, light curtain, or gate switch. It includes the added capability to initiate a functional test of the stop device and the ability to mute the safety device. (Certification: TUV)
    DCM, Dual Channel Input Monitor: Monitors dual-input safety devices. (Certification: BG, TUV)
    DCSRT, Dual Channel Input Start: Energizes dual-input safety devices whose main function is to start a machine safely, for example, an enable pendant. (Certification: BG, TUV)
    SMAT, Safety Mat: Indicates whether the safety mat is occupied. (Certification: TUV)
    THRSe, Two Hand Run Station Enhanced: Monitors two diverse safety inputs, one from a right-hand push button and one from a left-hand push button, to control a single output. Features configurable channel-to-channel disc... (Certification: BG)
69. ...ety Application Program 56; Uploading the Safety Application Program 57; Online Editing 57; Storing and Loading a Project from Nonvolatile Memory 58; Force Data 58; Inhibit a Device 58; Editing Your Safety Application 59
    The safety concept assumes the following:
    - If you are responsible for creating, operating, and maintaining the application, you are fully qualified, specially trained, and experienced in safety systems.
    - You apply the logic correctly, meaning that programming errors can be detected. Programming errors can be detected by strict adherence to specifications, programming, and naming rules.
    - You perform a critical analysis of the application and use all possible measures to detect a failure.
    - You confirm all application downloads via a manual check of the safety task signature.
    - You perform a complete functional test of the entire system before the operational startup of a safety-related system.
    Table 7: Controller Modes (columns: Controller Mode; Safety Task Status; Safety up to and including; Comments)
    Program, Unlocked, No signature: A valid program has been downloaded to the controller. I/O connections established. Safety Task logic is not being scanned.
    Run, Unlocked, No signature: Development purposes only. Forcing allowed. Online editing allowed. Safety memory is isolated but is unprotected (read/write).
70. ...fety partner have established their control partnership and the coordinated system time (CST) is synchronized. However, standard tasks begin executing as soon as the controller transitions to Run mode.
    - Although the configurable range of the requested packet interval (RPI) for safety inputs and safety consumed tags is 6...500 ms, safety input tags and safety consumed tags are updated only at the beginning of safety task execution. This means that even though the I/O RPI can be faster than the safety task period, the data does not change during safety task execution. The data is read only once, at the beginning of the safety task execution.
    - Safety input values are frozen at the start of safety task execution. As a result, timer-related instructions such as TON and TOF will not update during a single safety task execution. They will keep accurate time from one task execution to another, but the accumulated time will not change during safety task execution.
    ATTENTION: This behavior differs from standard Logix task execution, but is similar to PLC or SLC behavior.
    - For standard tags that are mapped to safety tags, the standard tag values are copied into safety memory at the start of the safety task and do not change during safety task execution.
    - Safety output tag, output, and produced values are updated at the conclusion of safety task execution.
    Use of Human-to-mach...
71. ...fications 18; GuardLogix PFD and PFH Specifications 18; Safety Integrity Level (SIL) Compliance Distribution and Weight 19; System Reaction Time 19; Safety Task Period and Safety Task Watchdog 20; Contact Information If Device Failure Occurs 20
    GuardLogix 5570 controller systems are type-approved and certified for use in safety applications up to and including SIL CL3, according to IEC 61508 and IEC 62061, and safety applications up to and including Performance Level PLe (Category 4), according to ISO 13849-1. SIL requirements are based on the standards current at the time of certification.
    IMPORTANT: When the GuardLogix controller is in Run or Program mode and you have not validated the application program, you are responsible for maintaining safe conditions.
    In addition, the standard tasks within GuardLogix controllers can be used either for standard applications or SIL 2 safety applications, as described in the Using ControlLogix in SIL 2 Applications Reference Manual, publication 1756-RM001. In either case, do not use SIL 2 or standard tasks and variables to build up safety loops of a higher level. The safety task is the only task that is certified for SIL 3 applications.
    Use the Studio 5000 Logix Designer application to create programs for GuardLogix 5570 controllers.
    Proof Tests
    TUV Rheinland has approved GuardLogix 5570 controll...
72. ...fill slots of a SIL 3 system chassis that are not used by the GuardLogix SIL 3 system with other ControlLogix 1756 modules that are certified to the Low Voltage and EMC Directives.
    IMPORTANT: ControlLogix XT system components are rated for extreme environmental conditions only when used properly with other Logix XT system components. The use of ControlLogix XT components with traditional ControlLogix or GuardLogix system components nullifies extreme environment ratings.
    To find the certificates for the Programmable Control ControlLogix Product Family, refer to http://www.rockwellautomation.com/products/certification/ce.
    GuardLogix Certifications
    (Figure: sensors connected to 1791DS-IB12 and 1791DS-IB8XOB8 Guard I/O modules)
    The ControlLogix Controllers Technical Data, publication 1756-TD001, lists the product specifications and the agency certifications for which the products are approved. If a product has achieved agency certification, it is marked as such on the product labeling. See the Product Certification link at http://www.rockwellautomation.com/products/certification for Declarations of Conformity, Certificates, and other certification details.
    GuardLogix PFD and PFH Specifications
    Safety-related systems can be classified as operating in either a Low Demand mode or in a High Dema...
...ied before it is added to the CIP Safety network.

Safety Network Number (SNN) for a Safety Device with a Different Configuration Owner

When a CIP Safety I/O device is owned by a different GuardLogix controller (controller B) and is then added to another GuardLogix project (controller A's project), the Logix Designer application assigns the SNN based on the current project. Because the current project (controller A's project) is not the true configuration owner, you need to copy the original SNN (from controller B's project) into the device configuration in controller A's project. This is easy to do with standard copy and paste commands. The result is that the CIP Safety I/O device produces data to two GuardLogix controllers at the same time. You can do this copy and paste for a maximum of 16 controllers. Refer to the GuardLogix 5570 Controllers User Manual, publication 1756-UM022, for information on how to change, copy, and paste safety network numbers.

Safety Network Number (SNN) When Copying a Safety Project

ATTENTION: If a safety project is copied for use in another project with different hardware or in a different physical location, and the new project is within the same routable CIP Safety system, every SNN must be changed in the second system. SNN values must not be repeated.

See the GuardLogix 5570 Controllers User Manual, publication 1756-UM022, for information on how to change the SNN.
• Nonrecoverable controller faults
• Nonrecoverable safety faults
• Recoverable faults

For information on handling faults, refer to the GuardLogix 5570 Controllers User Manual, publication 1756-UM022.

Nonrecoverable Controller Faults

A nonrecoverable controller fault occurs if the controller's internal diagnostics fail. Partnership is lost when a nonrecoverable controller fault occurs in either the primary controller or the safety partner, causing the other to generate a nonrecoverable watchdog timeout fault. Standard task and safety task execution stops, and Safety I/O transitions to the safe state. Recovery from a nonrecoverable controller fault requires a download of the application program.

Nonrecoverable Safety Faults

In the event of a nonrecoverable safety fault, the controller logs the fault to the controller-scoped fault handler and shuts down the safety task, including Safety I/O and safety logic. To recover from a nonrecoverable safety fault, safety memory is reinitialized, either from the safety task signature (this happens automatically when you clear the fault) or, if no safety task signature exists, via an explicit download of the safety project.

You can override the safety fault by clearing the fault log entry through the controller-scoped safety fault handler. This allows standard tasks to keep running.

ATTENTION: Overriding the safety fault does not clear it. If you override the safety fault, it is your responsibility
Topic | Page
...ify which versions of RSLogix 5000 software support the 1756-L61S, 1756-L62S, 1756-L63S, 1756-LSP, 1768-L43S, and 1768-L45S controllers, and that those controllers are not supported in the Studio 5000 Logix Designer application | 16
Updated ControlNet illustration | 24
Added the Kinetix 5700 Servo Drives User Manual and the PowerFlex 527 Adjustable Frequency AC Drives User Manual to the important statement about using Motion Direct Commands | 72

Table of Contents

Preface
Studio 5000 Environment
Terminology
Additional Resources

Chapter 1: Safety Integrity Level (SIL) Concept
SIL 3 Certification
Proof Tests
GuardLogix Architecture for SIL 3 Applications
GuardLogix System Components
GuardLogix Certifications
GuardLogix PFD and PFH Specifications
Safety Integrity Level (SIL) Compliance Distribution and Weight
System Reaction Time
Chapter 5: Characteristics of Safety Tags, the Safety Task, and Safety Programs

• The safety task responds to mode changes (for example, Run to Program or Program to Run) at timed intervals. As a result, the safety task can take more than one task period, but always less than two, to make a mode transition.

IMPORTANT: While safety-unlocked and without a safety task signature, the controller prevents simultaneous write access to safety memory from the safety task and from communication commands. As a result, the safety task can be held off until a communication update completes. The time required for the update varies by tag size; therefore, safety connection and safety watchdog timeouts could occur. For example, if you make online edits when the safety task rate is set to 1 ms, a safety watchdog timeout could occur. To compensate for the hold-off time due to a communication update, add 2 ms to the safety watchdog time. When the controller is safety-locked or a safety task signature exists, the situation described in this note cannot occur.

Human Machine Interfaces

Follow these precautions and guidelines for using HMI devices in SIL-rated GuardLogix systems.

Precautions

You must exercise precautions and implement specific techniques on HMI devices. These precautions include, but are not restricted to, the following:
• Limited access and security
• Specifications, testing, and validation
• Restrictions on data and access
• Limits on
...instruction with diverse inputs (DIN or THRS): write logic to set the safety state value when an input has a fault (Example Rung 4).

Appendix F: RSLogix 5000 Software Version 14 and Later Safety Application Instructions

Figure 23: Ladder Logic Example 1

Node 30 is an 8-point input / 8-point output combination module. Node 31 is a 12-point input module.

Rung 0: If the input status is not OK, then latch the inputs-faulted indication.
  Node30:I.InputStatus not OK → L Node30InputsFaulted
  Node31:I.CombinedStatus not OK → L Node31InputsFaulted

Rung 1: If the rising edge of the fault reset signal is detected and the input status is OK, then unlatch the inputs-faulted indication.
  FaultReset → ONS InputFaultResetOneShot
  Node30:I.InputStatus OK → U Node30InputsFaulted
  Node31:I.CombinedStatus OK → U Node31InputsFaulted

Rung 2: If the inputs have a fault, then overwrite the input tags with safety state values.
  Node30InputsFaulted → U Node30:I.Pt00Data, Node30:I.Pt01Data, ... Node30:I.Pt07Data

Rung 3: If the inputs have a fault, then overwrite the input tags with safety state values.
  Node31InputsFaulted → U Node31:I.Pt00Data, Node31:I.Pt01Data, ... Node31:I.Pt11Data

Rung 4: If the inputs-faulted indication is true, then set the diverse input values to their safety state (1).
  Node30InputsFaulted → L Node30:I.Pt01Data
The Signature Listing report in the Logix Designer application prints the instruction signature, the time stamp, and the safety instruction signature. To print the report, right-click Add-On Instruction in the Controller Organizer and choose Print > Signature Listing.

Export and Import the Safety Add-On Instruction

When you export a safety Add-On Instruction, choose the option to include all referenced Add-On Instructions and User-Defined Types in the same export file. By including referenced Add-On Instructions, you make it easier to preserve the signatures.

When importing Add-On Instructions, consider these guidelines:
• You cannot import a safety Add-On Instruction into a standard project.
• You cannot import a safety Add-On Instruction into a safety project that has been safety-locked or one that has a safety task signature.
• You cannot import a safety Add-On Instruction while online.
• If you import an Add-On Instruction with an instruction signature into a project where referenced Add-On Instructions or User-Defined Types are not available, you may need to remove the signature.

Verify Safety Add-On Instruction Signatures

After you download the application project that contains the imported safety Add-On Instruction, you must compare the instruction signature value, the date and time stamp, and the safety instruction signature values with the original values you recorded before you exported the safety Add-On Instruction. If they match, the safety Add-On
...k or until they are manipulated by another task. Periodic tasks always interrupt the continuous task.

primary controller: The processor in a dual-processor controller that performs standard controller functionality and communicates with the safety partner to perform safety-related functions.

recoverable fault: A fault which, when properly handled by implementing the fault handling mechanisms that are provided by the controller, does not force user logic execution to be ended.

requested packet interval (RPI): When communicating over a network, this value is the maximum amount of time between subsequent productions of input data.

routine: A set of logic instructions in one programming language, such as a ladder diagram. Routines provide executable code for the project in a controller. Each program has a main routine. You can also specify optional routines.

safety Add-On Instruction: An Add-On Instruction that can use safety application instructions. In addition to the instruction signature used for high-integrity Add-On Instructions, safety Add-On Instructions feature a SIL 3 safety instruction signature for use in safety-related functions.

safety application instructions: Instructions that provide safety-related functionality. They have been certified to SIL 3 for use in safety routines.

safety component: Any object (task, program, routine, tag, or module) that is marked as a safety-related item.

safety instruction signature: An ID number that identifies the execution characteristics of the safety Add-On Instruction. It is used to verify the integrity of the safety Add-On Instruction.
...l representations of the diverse inputs to their safety state (1).
  Node30InputsFaulted → L Node31Input01
  Node30InputsFaulted → L Node31Input03

Figure 25: Output Fault Latch and Reset Flowchart

[Flowchart residue; legible decision points and actions: Does this safety function require operator intervention after a safety output failure? Is output fault information required for diagnostic purposes? Write logic to latch output failure (Example Rung 0). Write logic to unlatch output failure (Example Rung 1). Write logic to set outputs to a safety state (Example Rung 2).]

Figure 26: Ladder Logic Example 3

Node 30 is an 8-point input / 8-point output combination module.

Rung 0: If the output status is not OK, then latch the output-faulted indication.
  Node30:I.OutputStatus not OK → L Node30OutputsFaulted

Rung 1: If the rising edge of the fault reset signal is detected and the output status is OK, then unlatch the output-faulted indication.
  FaultReset → ONS InputFaultResetOneShot
  Node30:I.OutputStatus OK → U Node30OutputsFaulted

Rung 2: While the output-faulted indication is set, the redundant output tags are blocked from the safety outputs, so the outputs go to their safe state (OFF).
  Node30OutputsFaulted (not set) and RedundantOutputTag_01 → Node30:O.Pt00Data
  Node30OutputsFaulted (not set) and RedundantOutputTag_02 → Node30:O.Pt01Data
Appendix G: ...les and 1756 SIL 2 Inputs and Outputs with 1756 GuardLogix Controllers to Comply with EN 50156

SIL 2 Outputs Using SIL 3 Guard I/O Output Modules

Follow these guidelines for SIL 2 outputs:
• Guard I/O output modules that are used for SIL 2 safety outputs must be configured for dual-channel operation.
• All Guard I/O output modules are approved for use in SIL 2 applications: 1732DS-IB8XOBV4, 1791ES-IB8XOBV4, 1791DS-IB8XOBV4, 1791DS-IB4XOW4, 1791DS-IB8XOB8, 1734-OB8S.

SIL 2 Outputs Using 1756 or 1794 SIL 2 Output Modules

When using these SIL 2-rated output modules, you are required to configure your SIL 2 safety outputs as GuardLogix produced safety tags to comply with the dual-channel requirements of EN 50156. Create produced safety tags with the SIL 2 outputs that your application requires. GuardLogix produced/consumed safety tags require the first member to be allocated for diagnostics: the first member of a produced/consumed safety connection must be of the data type CONNECTION_STATUS. This example shows a SIL 2 tag with two INT and two BOOL members. Use these SIL 2 safety tags to control the 1756 or 1794 SIL 2 outputs directly.

Name | Data Type | Class | External Access
SIL2_Outputs | SIL_2 | Produced Safety | Read/Write
SIL2_Outputs.Connection_Status | CONNECTION_STATUS | Safety |
1756-QS001.

Modification Impact Test

Any modification, enhancement, or adaptation of your validated software must be planned and analyzed for any impact to the functional safety system. All appropriate phases of the software safety lifecycle need to be carried out, as indicated by the impact analysis. At a minimum, functional testing of all impacted software must be carried out. All modifications to your software specifications must be documented. Test results must also be documented. Refer to IEC 61508-3, Section 7.8, Software Modification, for detailed information.

Figure 16: Online and Offline Edit Process

[Flowchart residue; legible steps: Offline Edit: Open Project; Make Desired Modifications to Standard Logic; Any Safety Changes? (Yes: Unlock the Controller; Delete Safety Application Signature; Make Desired Modifications to Safety Logic); Attach to Controller and Download; Test the Application Program; Modification Impact Test; Tests Passed?; Make Required Modifications; Confirm the Project; Record Safety Application Signature. Online Edit: Attach to Controller; Any Safety Changes? (Yes: Unlock the Controller; Delete Safety Application Signature); Make Desired Modifications; Test the Application Program; Confirm the Project.]
...application. This value can be modified online regardless of controller mode, but it cannot be changed when the controller is safety-locked or once a safety task signature has been created.

Contact Information If Device Failure Occurs

If you experience a failure with any SIL 3-certified device, contact your local Allen-Bradley distributor to initiate the following actions:
• You can return the device to Rockwell Automation so the failure is appropriately logged for the catalog number that is affected and a record is made of the failure.
• You can request a failure analysis, if necessary, to try to determine the cause of the failure.

Chapter 2: GuardLogix Controller System

Topic | Page
GuardLogix 5570 Controller Hardware | 21
CIP Safety Protocol | 22
Safety I/O Devices | 23
Communication Bridges | 23
Programming Overview | 25

GuardLogix 5570 Controller Hardware

For a brief listing of components suitable for use in Safety Integrity Level (SIL) 3 applications, see the table on page 16. For more detailed and up-to-date information, see http://www.rockwellautomation.com/products/certification/safety.

When installing a GuardLogix 5570 controller, follow the information in the GuardLogix 5570 Controllers User Manual, publication 1756-UM022.

The GuardLogix controller consists of a primary controller (ControlLogix 557xS) and a safety partner (ControlLogix 557SP). These two modules work in a 1oo2 architecture to create the
Safety Task Reaction Time
Safety Task Period and Safety Task Watchdog
Contact Information If Device Failure Occurs

Chapter 2: GuardLogix Controller System
GuardLogix 5570 Controller Hardware
Primary Controller
Safety Partner
Chassis
Power Supplies
CIP Safety Protocol
Safety I/O Devices
Communication Bridges
Programming Overview

Chapter 3: CIP Safety I/O for the GuardLogix Control System
Typical Safety Functions of CIP Safety I/O Devices
Diagnostics
Status Data
Status Indicators
On- or Off-delay Function
Reaction Time
Safety Considerations for CIP Safety I/O Devices
Ownership
Safety I/O Configuration Signature
Safety I/O Device Replacement
...monitored and controlled by the GuardLogix controller. For safety data, I/O communication is performed through safety connections by using the CIP Safety protocol; safety logic is processed in the GuardLogix controller.

Typical Safety Functions of CIP Safety I/O Devices

The following is treated as the safe state by CIP Safety I/O devices:
• Safety outputs: OFF
• Safety input data to the controller: OFF

[Figure residue: CIP Safety network diagram; legible labels: Safety Status, Safety Input Data, Safety Output OFF]

Use CIP Safety I/O devices for applications that are in the safe state when the safety output turns OFF.

Diagnostics

CIP Safety I/O devices perform self-diagnostics when the power is turned ON and periodically during operation. If a diagnostic failure is detected, safety input data to the controller and local safety outputs are set to their safe state (OFF).

Status Data

In addition to safety input and output data, CIP Safety I/O devices support status data to monitor device and I/O circuit health. See your device's product documentation for specific product capabilities.

Status Indicators

CIP Safety I/O devices include status indicators. For details on status indicator operation, refer to the product documentation for your specific device.

On- or Off-delay Function

Some CIP Safety
...you can create safety Add-On Instructions. Safety Add-On Instructions let you encapsulate commonly used safety logic into a single instruction, which makes it modular and easier to reuse. Safety Add-On Instructions use the instruction signature of high-integrity Add-On Instructions and also a SIL 3 safety instruction signature for use in safety-related functions up to and including SIL 3.

The flowchart on page 74 shows the steps that are required to create a safety Add-On Instruction and then use that instruction in a SIL 3 safety application program. The shaded items are steps unique to Add-On Instructions. The items in bold text are explained in the pages following the flowchart.

Appendix B: Safety Add-On Instructions

Figure 18: Flowchart for Creating and Using Safety Add-On Instructions

[Flowchart residue; legible steps: To use a Safety Add-On Instruction; Create or Open a Project; Create/modify Application; Test the Application Program; Change Mode to Program; Confirm Project; Make Required Modifications; Change Mode to Run; Delete Safety Task Signature; Download; Project Verification Test; Yes/No decision branches]
...on making edits to your application program.

Chapter 6: Safety Application Development

Storing and Loading a Project from Nonvolatile Memory

GuardLogix 5570 controllers support firmware upgrades and user program storage and retrieval by using a memory card. In a GuardLogix system, only the primary controller uses a memory card for nonvolatile memory.

When you store a safety project on a memory card, Rockwell Automation recommends that you select Remote Program as the Load mode, that is, the mode the controller enters following the load. Prior to actual machine operation, operator intervention is required to start the machine.

You can initiate a load from nonvolatile memory only under these conditions:
• If the controller type specified by the project stored in nonvolatile memory matches your controller type.
• If the major and minor revisions of the project in nonvolatile memory match the major and minor revisions of your controller.
• If your controller is not in Run mode.

Loading a project to a safety-locked controller is allowed only when the safety task signature of the project stored in nonvolatile memory matches the project on the controller. If the signatures do not match, or the controller is safety-locked without a safety task signature, you must first unlock the controller before attempting to update the controller via nonvolatile memory.
or Continuous mode. IEC 61508 quantifies this classification by stating that the frequency of demands for operation of the safety system is no greater than once per year in the Low Demand mode, or greater than once per year in the High Demand/Continuous mode.

The Safety Integrity Level (SIL) value for a Low Demand safety-related system is directly related to order-of-magnitude ranges of its average probability of failure to satisfactorily perform its safety function on demand, or simply probability of failure on demand (PFD). The SIL value for a High Demand/Continuous mode safety-related system is directly related to the probability of a dangerous failure occurring per hour (PFH).

PFD and PFH values are associated with each of the three primary elements that constitute a safety-related system: the sensors, the logic element, and the actuators. Within the logic element you also have input, processor, and output elements. For PFD and PFH values and proof test intervals for Guard I/O modules, see Appendix E, GuardLogix Systems Safety Data.

Figure 2: PFH Example

[Figure residue; legible labels: GuardLogix Controller, 1791DS-IB4XOX4, Actuator, Actuator]

Safety Integrity Level (SIL) Compliance Distribution and Weight

[Figure residue; legible fragments: "40 of the ... PFD", Sensor]

To determine the logic
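The classification above can be carried out numerically. The following Python is an added example written for this page, not code from the Rockwell manual: it sums PFD and PFH contributions over the sensor, logic and actuator subsystems of one safety function, picks PFD or PFH from the demand rate exactly as the paragraph describes, and maps the total onto the SIL bands of IEC 61508-1. The band limits are the standard's (they are not on this page); the three component values are constructed for illustration, and real figures belong to the product safety data in Appendix E.

```python
"""Added example: PFD/PFH budget of a safety function and its SIL band.

Band limits follow IEC 61508-1 (Tables 2 and 3). Component values are
constructed sample numbers, not GuardLogix or Guard I/O specifications.
"""
from dataclasses import dataclass

# Low demand: average probability of dangerous failure on demand, [lower, upper)
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# High demand / continuous: average frequency of dangerous failure per hour
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def demand_mode(demands_per_year: float) -> str:
    """IEC 61508: no more than one demand per year is Low Demand; otherwise
    the function is treated as High Demand / Continuous."""
    return "low" if demands_per_year <= 1.0 else "high"


def sil_band(value: float, bands: dict) -> int:
    """Return the SIL whose band contains value (lower inclusive, upper
    exclusive), or 0 when the value is worse than every SIL 1 limit."""
    for sil, (lower, upper) in bands.items():
        if lower <= value < upper:
            return sil
    return 0


@dataclass
class Subsystem:
    name: str   # sensor, logic, actuator
    pfd: float  # contribution to average PFD
    pfh: float  # dangerous failures per hour


def assess(subsystems, demands_per_year: float) -> dict:
    """Series combination: the loop's PFD (or PFH) is the sum of its parts.
    The measure is chosen from the demand mode, then banded."""
    mode = demand_mode(demands_per_year)
    if mode == "low":
        total, measure, bands = sum(s.pfd for s in subsystems), "PFD", PFD_BANDS
    else:
        total, measure, bands = sum(s.pfh for s in subsystems), "PFH", PFH_BANDS
    return {"mode": mode, "measure": measure, "total": total,
            "sil": sil_band(total, bands)}


def share(subsystems, name: str, measure: str) -> float:
    """Fraction of the loop's total PFD or PFH consumed by one subsystem,
    i.e. how the SIL budget is distributed across sensor, logic and actuator."""
    total = sum(getattr(s, measure) for s in subsystems)
    part = next(s for s in subsystems if s.name == name)
    return getattr(part, measure) / total


# Constructed sample loop (values are made up, not from the manual).
SAMPLE_LOOP = [
    Subsystem("sensor",   pfd=2.0e-4, pfh=2.0e-8),
    Subsystem("logic",    pfd=1.0e-5, pfh=1.0e-9),
    Subsystem("actuator", pfd=3.0e-4, pfh=3.0e-8),
]

if __name__ == "__main__":
    for demands in (0.5, 50.0):
        result = assess(SAMPLE_LOOP, demands)
        print(f"{demands} demands/yr -> {result['mode']} demand, "
              f"{result['measure']} = {result['total']:.2e}, SIL {result['sil']}")
```

Note that with these sample numbers the logic element takes about 2 % of the loop budget; the sensor and actuator dominate, which is why the manual treats the distribution and weight between the three elements as a separate topic from the controller's own PFD/PFH.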
When using instructions from the RSLogix 5000 software version 14 and later safety application instructions, all inputs and outputs are set to zero when a fault is detected. As a result, any inputs that are monitored by one of the diverse input instructions (Diverse Inputs or Two-hand Run Station) should have normally closed inputs that are conditioned by logic similar to the logic in Rung 4 of Ladder Logic Example 2 and Ladder Logic Example 3 on pages 98 and 99. The exact logic that is required is both application and input device dependent. However, the logic must create a safety state of 1 for the normally closed input of the diverse input instructions.

The following diagrams provide examples of the application logic that is required to latch and reset I/O failures. The examples show the logic necessary for input-only modules and for input and output combination modules. The examples use the Combined Status feature of the I/O modules, which presents the status of all input channels in one Boolean variable. Another Boolean variable represents the status of all output channels. This approach reduces the amount of I/O conditioning logic that is required and forces the logic to shut down all input or output channels on the affected module.

Use the Input Fault Latch and Reset Flow Chart on page 96 to determine which rungs of logic are required for different application situations. Ladder Logic Example 1 shows logic that overwrites the actual input tag variables, while
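To make the latch, one-shot reset and safe-state overwrite behaviour of Ladder Logic Examples 1 and 3 concrete, here is an added example written for this page; it is not code from the manual or from RSLogix. It is a plain-Python model of the Example 1 input rungs and the Example 3 output rungs, scanned one cycle at a time in the rung order of the figures. Tag names follow the figures; the scan sequences are constructed, and the module sizes and the choice of Pt01 as the point that feeds a diverse-input instruction are assumptions.

```python
"""Added example: Python model of the Appendix F I/O fault latch/reset rungs.

Not the manual's or RSLogix's code. Each scan() call is one safety task scan;
tag names (Node30:I.InputStatus, Node30:I.PtNNData, Node30OutputsFaulted, ...)
follow Figures 23 and 26. Module sizes and scan sequences are constructed.
"""


class OneShot:
    """ONS: true for exactly one scan when the input rises."""

    def __init__(self):
        self.previous = False

    def __call__(self, value: bool) -> bool:
        fired = value and not self.previous
        self.previous = value
        return fired


class InputModule:
    """Input image of one safety module (Example 1): combined status plus points.

    diverse_points are the normally closed inputs feeding a DIN or THRS
    instruction; their safe state is 1 (Rung 4), every other point's is 0."""

    def __init__(self, n_points: int, diverse_points=()):
        self.n_points = n_points
        self.diverse_points = set(diverse_points)
        self.faulted = False        # Node30InputsFaulted latch bit
        self.reset_ons = OneShot()  # InputFaultResetOneShot

    def scan(self, status_ok: bool, raw_points, fault_reset: bool):
        points = list(raw_points)   # Node30:I.PtNNData as the connection delivered it
        if not status_ok:           # Rung 0: status not OK -> latch (L)
            self.faulted = True
        # Rung 1: the ONS is evaluated every scan, so a reset edge that arrives
        # while status is still bad is consumed and does not unlatch later.
        if self.reset_ons(fault_reset) and status_ok:
            self.faulted = False    # unlatch (U)
        if self.faulted:            # Rungs 2-4: overwrite the image with safe-state values
            points = [i in self.diverse_points for i in range(self.n_points)]
        return points


class OutputModule:
    """Output side of a combination module (Example 3): the latched fault bit,
    examined as not-set, gates the redundant output tags to Node30:O.PtNNData."""

    def __init__(self):
        self.faulted = False        # Node30OutputsFaulted
        self.reset_ons = OneShot()

    def scan(self, status_ok: bool, commanded, fault_reset: bool):
        if not status_ok:           # Rung 0: Node30:I.OutputStatus not OK -> latch
            self.faulted = True
        if self.reset_ons(fault_reset) and status_ok:
            self.faulted = False    # Rung 1
        return [bool(c) and not self.faulted for c in commanded]  # Rung 2


def input_fault_scenario():
    """Constructed sequence: fault, status recovers, operator presses reset."""
    node30 = InputModule(8, diverse_points={1})  # Pt01 feeds a DIN: safe state 1
    live = [True] * 8
    return [
        node30.scan(False, live, fault_reset=False),  # faulted: Pt01 -> 1, rest -> 0
        node30.scan(True,  live, fault_reset=False),  # status back, still latched
        node30.scan(True,  live, fault_reset=True),   # reset edge -> live data again
        node30.scan(True,  live, fault_reset=True),   # reset held: nothing new
    ]


def early_reset_scenario():
    """Reset pressed while status is still bad: the edge is consumed, so the
    latch stays set until a fresh edge arrives with status OK."""
    node30 = InputModule(2)
    live = [True, True]
    return [
        node30.scan(False, live, fault_reset=True),   # edge during fault: no unlatch
        node30.scan(True,  live, fault_reset=True),   # status OK, but no new edge
        node30.scan(True,  live, fault_reset=False),
        node30.scan(True,  live, fault_reset=True),   # fresh edge -> unlatch
    ]


def output_fault_scenario():
    out = OutputModule()
    cmd = [True, True]               # RedundantOutputTag_01 / _02
    return [
        out.scan(True,  cmd, False),  # healthy: outputs follow the command
        out.scan(False, cmd, False),  # output status not OK -> latched, outputs OFF
        out.scan(True,  cmd, False),  # status back, still latched
        out.scan(True,  cmd, True),   # reset edge -> outputs restored
    ]
```

The early_reset_scenario is the case the ONS exists for: a reset that is pressed and held before the module is healthy must not unlatch the fault the moment status returns, because that would be an automatic restart.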
...into safety tags, providing you with a mechanism to synchronize standard and safety actions. The use of standard data in a safety tag does not make it safety data. You must not directly control a safety output with standard tag data. This example illustrates how to qualify the standard data with safety data.

ATTENTION: When using standard data in a safety routine, you are responsible for providing a reliable means to make sure that the data is used in an appropriate manner.

Figure 14: Qualify Standard Data with Safety Data

Safety Tag Mapping
Standard Tag Name | Safety Tag Name
STDBooleanTag | MappedBooleanTag

Rung: MappedBooleanTag → ONS LatchOneShot, in parallel with Node30ComboModule:O.Pt03Data (seal-in), then Node30ComboModule:I.Pt07Data → OTE Node30ComboModule:O.Pt03Data.
Rung comments: Latch circuit to prevent automatic restart if the standard input (MappedTag) has failed in a stuck-at-1 state. Safety Input Qualifier for Mapped Tag. Safety Output.

Chapter 6: Safety Application Development

Topic | Page
Safety Concept Assumptions | 49
Basics of Application Development and Testing | 50
Commissioning Life Cycle | 51
Downloading the Saf
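The Figure 14 rung can be modelled in a few lines. The following Python is an added example, not the manual's code, of how I read that rung: the mapped standard BOOL may start the safety output only on its rising edge and only while the safety input qualifies it, the output seals itself in while the qualifier holds, and a standard tag stuck at 1 cannot restart the output once the safety input has dropped. For contrast it also runs the direct control the manual forbids over the same constructed scan sequence.

```python
"""Added example: model of the Figure 14 'qualify standard data' rung.

Not the manual's code. Rung as read from the figure:
  (MappedBooleanTag -ONS LatchOneShot-  OR  Pt03Data)  AND  Pt07Data  -> Pt03Data
MappedBooleanTag is the standard BOOL mapped into the safety task,
Node30ComboModule:I.Pt07Data the safety input qualifier,
Node30ComboModule:O.Pt03Data the safety output. Scan sequence is constructed.
"""


class OneShot:
    """ONS: true for one scan on a rising edge of its input."""

    def __init__(self):
        self.previous = False

    def __call__(self, value: bool) -> bool:
        fired = value and not self.previous
        self.previous = value
        return fired


class QualifiedStart:
    def __init__(self):
        self.latch_one_shot = OneShot()  # LatchOneShot storage bit
        self.output = False              # Node30ComboModule:O.Pt03Data

    def scan(self, mapped_tag: bool, safety_qualifier: bool) -> bool:
        start_edge = self.latch_one_shot(mapped_tag)
        # Seal-in branch: the output's own state keeps the rung true until the
        # safety qualifier drops. A mapped tag stuck at 1 supplies no new edge,
        # so the output cannot restart by itself.
        self.output = (start_edge or self.output) and safety_qualifier
        return self.output


def direct_control(mapped_tag: bool, safety_qualifier: bool) -> bool:
    """What the manual forbids: the standard tag drives the safety output
    directly, so a stuck-at-1 tag restarts the output as soon as the safety
    input returns."""
    return mapped_tag and safety_qualifier


# Constructed sequence of (MappedBooleanTag, Pt07Data) per scan.
STUCK_AT_ONE_SEQUENCE = [
    (False, True),   # idle
    (True,  True),   # operator request rises while the qualifier is ON -> start
    (True,  True),   # sealed in
    (True,  False),  # safety input drops -> output must go OFF
    (True,  True),   # qualifier returns but the standard tag is stuck at 1
    (False, True),   # tag released
    (True,  True),   # fresh request -> start again
]


def qualified_trace(sequence=STUCK_AT_ONE_SEQUENCE):
    rung = QualifiedStart()
    return [rung.scan(mapped, qualifier) for mapped, qualifier in sequence]


def direct_trace(sequence=STUCK_AT_ONE_SEQUENCE):
    return [direct_control(mapped, qualifier) for mapped, qualifier in sequence]


if __name__ == "__main__":
    print("qualified:", qualified_trace())
    print("direct:   ", direct_trace())
```

The two traces differ only at the fifth scan: the qualified rung stays OFF after the safety input returns, the direct version restarts.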
ATTENTION: Enable the Configure Always feature only if the entire routable CIP Safety control system is not being relied on to maintain SIL 3 behavior during the replacement and functional testing of a device. If other parts of the CIP Safety control system are being relied upon to maintain SIL 3, make sure that the controller's Configure Always feature is disabled. It is your responsibility to implement a process to make sure proper safety functionality is maintained during device replacement.

ATTENTION: Do not place any devices in the out-of-box condition on any CIP Safety network when the Configure Always feature is enabled, except while following the device replacement procedure in the GuardLogix 5570 Controllers User Manual, publication 1756-UM022.

Chapter 4: CIP Safety and the Safety Network Number

Topic | Page
Routable CIP Safety Control System |
Considerations for Assigning the Safety Network Number (SNN) | 35

Routable CIP Safety Control System

To understand the safety requirements of a CIP Safety control system, including the safety network number (SNN), you must first understand how communication is routable in CIP control systems. The CIP Safety control system represents a set of interconnected CIP Safety devices. The routable system
...controller project and will not perform an actual upload.
6. With the controller still in Program mode, upload the project from the controller.
7. Save the uploaded project as Onlineprojectname.ACD, where projectname is the name of your project.
8. Answer Yes to the Upload Tag Values prompt.
9. Use the Logix Designer Program Compare utility to perform these comparisons:
   • Compare all of the properties of the GuardLogix controller and CIP Safety I/O devices.
   • Compare all of the properties of the safety task, safety programs, and safety routines.
   • Compare all of the logic in the safety routines.

Safety Validation

An independent, third-party review of the safety system may be required before the system is approved for operation. An independent third-party certification is required for IEC 61508 SIL 3.

Lock the GuardLogix Controller

The GuardLogix controller system can be safety-locked to help protect safety control components from modification. However, safety-locking the controller is not a requirement for SIL 3 applications. The safety-lock feature applies only to safety components, such as the safety task, safety programs, safety routines, safety tags, safety Add-On Instructions, safety I/O, and the safety task signature. However, safety-locking alone does not satisfy SIL 3 requirements
...to your safety application.
• You can edit the logic portion of your program while offline or online, as described in the following sections.

Performing Offline Edits

When offline edits are made only to standard program elements and the safety task signature matches following a download, you can resume operation. When offline edits affect the safety program, you must revalidate all affected elements of the application, as determined by the impact analysis, before resuming operation. The flowchart on page 61 illustrates the process for offline editing.

Performing Online Edits

If online edits affect the safety program, you must revalidate all affected elements of the application, as determined by the impact analysis, before resuming operation. The flowchart on page 61 illustrates the process for online editing.

TIP: Limit online edits to minor program modifications, such as setpoint changes or minor logic additions, deletions, and modifications.

Online edits are affected by the safety lock and safety task signature features of the GuardLogix controller. See Generate the Safety Task Signature on page 53 and Lock the GuardLogix Controller on page 56 for more information.

For detailed information on how to edit ladder logic in the Logix Designer application while online, see the Logix5000 Controllers Quick Start, publication
[Figure residue: reaction time diagram for an input, controller A, controller B, output chain; legible labels: Ethernet Module, GuardLogix Controller B, DeviceNet Module, Safety Input, Safety Input Connection, Safety Output Connection, Safety Output, Device Delay, Reaction Time Limit, CIP Safety Network]

The Logix System Reaction Time for any input → controller A logic → controller B logic → output chain consists of these seven components:
1. Safety input device reaction time, plus input delay time if applicable
2. Safety Input Connection Reaction Time Limit
3. Safety Task Period plus Safety Task Watchdog time for controller A
4. Produced/Consumed Safety Connection Reaction Time Limit
5. Safety Task Period plus Safety Task Watchdog time for controller B
6. Safety Output Connection Reaction Time Limit
7. Safety output device reaction time

To aid you in determining the reaction time of your particular control loop, a Microsoft Excel spreadsheet is available in the Tools folder of the Studio 5000 environment DVD.

Appendix C: Reaction Times

Factors Affecting Logix Reaction Time Components

The Logix Reaction Time components that are described in the previous sections can be influenced by a number of factors.

Table 13: Factors Affecting Logix System Reaction Time

These Reaction Time Components | Are Influenced by the Following Factors
Input device delay | Input device reaction time
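The seven-component sum above, together with the Chapter 5 note that a controller running safety-unlocked without a safety task signature should carry 2 ms of extra watchdog margin against communication hold-off, as an added Python example. This is not the manual's Excel tool; the dataclass and function names are my own, and every timing value is a constructed sample in milliseconds, not a GuardLogix or Guard I/O specification.

```python
"""Added example: Logix System Reaction Time for an input -> controller A ->
controller B -> output chain (Appendix C), with the Chapter 5 watchdog margin.

Not the manual's spreadsheet. All values are constructed, in milliseconds.
"""
from dataclasses import dataclass

# Chapter 5: add 2 ms to the safety watchdog when the controller is
# safety-unlocked without a safety task signature (online-edit hold-off).
HOLD_OFF_MARGIN_MS = 2.0


@dataclass
class SafetyController:
    name: str
    safety_task_period_ms: float
    safety_task_watchdog_ms: float
    safety_locked: bool = True
    has_task_signature: bool = True

    def watchdog_ms(self) -> float:
        """Watchdog time, padded when a communication update could hold the
        safety task off; locked or signed controllers need no margin."""
        if not self.safety_locked and not self.has_task_signature:
            return self.safety_task_watchdog_ms + HOLD_OFF_MARGIN_MS
        return self.safety_task_watchdog_ms

    def contribution_ms(self) -> float:
        """Component 3 or 5: Safety Task Period plus Safety Task Watchdog."""
        return self.safety_task_period_ms + self.watchdog_ms()


@dataclass
class ReactionChain:
    input_device_ms: float
    input_delay_ms: float             # on/off-delay filter, 0 if not used
    input_connection_rtl_ms: float    # Safety Input Connection Reaction Time Limit
    controller_a: SafetyController
    produced_consumed_rtl_ms: float   # Produced/Consumed Safety Connection RTL
    controller_b: SafetyController
    output_connection_rtl_ms: float   # Safety Output Connection Reaction Time Limit
    output_device_ms: float

    def components(self):
        """The seven components in the order the manual lists them."""
        return [
            ("1 safety input device reaction time + input delay",
             self.input_device_ms + self.input_delay_ms),
            ("2 safety input connection RTL", self.input_connection_rtl_ms),
            (f"3 {self.controller_a.name} task period + watchdog",
             self.controller_a.contribution_ms()),
            ("4 produced/consumed safety connection RTL", self.produced_consumed_rtl_ms),
            (f"5 {self.controller_b.name} task period + watchdog",
             self.controller_b.contribution_ms()),
            ("6 safety output connection RTL", self.output_connection_rtl_ms),
            ("7 safety output device reaction time", self.output_device_ms),
        ]

    def total_ms(self) -> float:
        return sum(value for _, value in self.components())


def sample_chain(controller_b_unlocked: bool = False) -> ReactionChain:
    """Constructed sample loop; set controller_b_unlocked to model controller B
    being edited online without a safety task signature."""
    a = SafetyController("controller A", safety_task_period_ms=10, safety_task_watchdog_ms=20)
    b = SafetyController("controller B", safety_task_period_ms=10, safety_task_watchdog_ms=20,
                         safety_locked=not controller_b_unlocked,
                         has_task_signature=not controller_b_unlocked)
    return ReactionChain(input_device_ms=5, input_delay_ms=0, input_connection_rtl_ms=40,
                         controller_a=a, produced_consumed_rtl_ms=40, controller_b=b,
                         output_connection_rtl_ms=40, output_device_ms=10)


if __name__ == "__main__":
    chain = sample_chain()
    for label, value in chain.components():
        print(f"{label:55s} {value:6.1f} ms")
    print(f"{'Logix System Reaction Time':55s} {chain.total_ms():6.1f} ms")
```

With the constructed values the chain sums to 195 ms; taking controller B safety-unlocked and unsigned adds the 2 ms margin and gives 197 ms. The point of the breakdown is that the three connection reaction time limits, not the controllers' task periods, dominate a two-controller chain.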
...ols how the devices operate in the system. From a control standpoint, safety output devices can be controlled by only one controller. Each safety input device is also owned by a single controller; however, safety input data can be shared (consumed) by multiple GuardLogix controllers.

Safety I/O Configuration Signature

The configuration signature defines the device's configuration. It can be read and monitored. The configuration signature is used to uniquely identify a device's configuration. When using a GuardLogix controller, you do not have to monitor this signature; the GuardLogix controller automatically monitors the signature.

Safety I/O Device Replacement

The replacement of safety devices requires that the replacement device be configured properly and that the replacement device's operation be user-verified.

ATTENTION: During replacement or functional testing of a device, the safety of the system must not rely on any portion of the affected device.

Two options for I/O device replacement are available on the Safety tab of the Controller Properties dialog box in the Logix Designer application:
• Configure Only When No Safety Signature Exists
• Configure Always

Figure 7: Safety I/O Replacement Options

[Screenshot residue: Controller Properties dialog for SD_safetycontroller; General and Serial Port tabs visible]
...on during downloads to the controller.

safety I/O: Safety I/O has most of the attributes of standard I/O, except that it features mechanisms that are certified to SIL 3 for data integrity.

safety network number (SNN): Uniquely identifies a network across all networks in the safety system. The end user is responsible for assigning a unique number for each safety network or safety subnet within a system. The safety network number constitutes part of the Unique Node Identifier (UNID).

safety partner: The processor in a dual-processor controller that works with the primary controller to perform safety-related functions.

safety program: A safety program has all the attributes of a standard program, except that it can be scheduled only in a safety task. The safety program consists of zero or more safety routines. It cannot contain standard routines or standard tags.

safety routine: A safety routine has all the attributes of a standard routine, except that it is valid only in a safety program and that it consists of one or more instructions suitable for safety applications. See Appendix A for a list of Safety Application Instructions and standard Logix instructions that can be used in safety routines.
97. on how to generate a safety task signature and safety-locking the safety task, refer to the GuardLogix 5570 Controllers User Manual, publication 1756-UM022.

SIL 2 Safety Inputs
CompactBlock Guard I/O (1791 series), ArmorBlock Guard I/O (1732 series), and POINT Guard I/O (1734 series) safety input modules support single-channel SIL 2 safety input circuits. Because these modules are also rated for SIL 3 operation, mixing SIL 2 and SIL 3 circuits on the same module is allowed, provided you follow these guidelines. These two wiring examples show how to wire SIL 2 safety circuits to Guard I/O safety input modules. These examples use onboard test sources (T0...Tx) that are resident on all 1791 and 1732 safety input modules.

Figure 11: Input Wiring [wiring diagram not reproduced]

Guard I/O modules group inputs in pairs to facilitate Cat. 3, Cat. 4, and SIL 3 safety functions. For use in Cat. 1, Cat. 2, and SIL 2 safety functions, module inputs should still be used in pairs, as illustrated. Two SIL 2 safety functions are shown wired to inputs I0 and I1, using test sources T0 and T1, respectively.

Figure 12: Input Wiring in Pairs [wiring diagram not reproduced]

Chapter 5: Characteristics of Safety Tags, the Safety Task, and Safety Programs

For Cat. 1, Cat. 2, and SIL 2 safety functions, the Guard I/O safety modules need specific configurations within the GuardLogix project. In this example, inputs 0, 1, 6, 7, 8, 9, 10, and 11 a
98. on of the offline project all match those contained in the target GuardLogix controller, and the controller's safety task status is OK.

IMPORTANT: If the safety task signature does not match and the controller is safety-locked, you must unlock the controller to download. In this case, downloading to the controller deletes the safety task signature. As a result, you must revalidate the application.

ATTENTION: The USB port is intended for temporary local programming purposes only and is not intended for permanent connection.

Uploading the Safety Application Program
If the GuardLogix controller contains a safety task signature, the safety task signature will be uploaded with the project. This means that any changes to offline safety data will be overwritten as a result of the upload.

Online Editing
If there is no safety task signature and the controller is safety-unlocked, you can perform online edits to your safety routines.

TIP: You cannot edit standard or safety Add-On Instructions while online.

Pending edits cannot exist when the controller is safety-locked or when there is a safety task signature. Online edits may exist when the controller is safety-locked; however, they may not be assembled or cancelled.

TIP: Online edits in standard routines are unaffected by the safety-locked or safety-unlocked state. See page 59 for more informatio
99. on to another safety device must be configured with the SNN of the target device. If the CIP Safety system is in the start-up process, before the functional safety testing of the system, the originating device can be used to set the unique node reference into the device.

The SNN used by the system is a 6-byte hexadecimal number. The SNN can be set and viewed in one of two formats: time-based or manual. When the time-based format is selected, the SNN represents a localized date and time. When the manual format is selected, the SNN represents a network type and a decimal value from 1...9999.

Figure 10: SNN Formats [screenshot of two Safety Network Number dialog boxes. Time-based format example: 9/4/2012 1:31:16.589 PM, shown as number 3409_03F9_676D (Hex). Manual format example: network type Backplane, decimal number, shown as 0001_0000_270F (Hex). Each dialog has Generate, Copy, Paste, OK, Cancel, and Help buttons.]

The assignment of a time-based SNN is automatic when you create a GuardLogix safety controller project and add new CIP Safety I/O devices. Manual manipulation of an SNN is required in the following situations:
• If safety consumed tags are used
• If the project consumes safety input data from a device whose configuration is owned by some other safety device
• If a safety project is copied to a different hardware installation within the same routable CIP
100. ostic logic

Actuators:
Position and activation in standard operation (normally OFF).
Safe reaction (positioning) when switching OFF or on power failure.
Discrepancy monitoring and visualization, including your diagnostic logic.

Chapter 6: Safety Application Development

Create the Project
The logic and instructions used in programming the application must be the following:
• Easy to understand
• Easy to trace
• Easy to change
• Easy to test

Review and test all logic. Keep safety-related logic and standard logic separate.

Label the Program
The application program is clearly identified by one of the following:
• Name
• Date
• Revision
• Any other user identification

Test the Application Program
This step consists of any combination of Run and Program modes, online or offline edits, upload and download, and informal testing that is required to get an application running properly in preparation for the Project Verification test.

Generate the Safety Task Signature
The safety task signature uniquely identifies each project, including its logic, data, and configuration. The safety task signature is composed of an ID (identification number), date, and time. You can generate the safety task signature if all of the following conditions are true:
• The Logix Designer application is online with the controller
• The controller is in Program mode
• The controll
101. otor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

Allen-Bradley, ArmorBlock, CompactBlock, CompactLogix, ControlFLASH, ControlLogix, ControlLogix-XT, FactoryTalk, FLEX, Guard I/O, GuardLogix, GuardLogix-XT, Kinetix, Logix5000, POINT Guard I/O, POINT I/O, PowerFlex, Rockwell Automation, Rockwell Software, RSLogix, SLC, SmartGuard, Studio 5000, Studio 5000 Automation Engineering & Design Environment, and Studio 5000 Logix Designer are trademarks belonging to Rockwell Automation, Inc. ControlNet, DeviceNet, and EtherNet/IP are trademarks of ODVA. Trademarks not belonging to Rockwell Automation are property of their respective companies.

Summary of Changes

New and Updated Information
This manual contains new and updated information. Changes throughout this revision are marked by change bars, as shown to the right of this paragraph. This table contains the changes made in this revision.

Topic | Page
Added Kinetix 5700 servo drive user manual and PowerFlex 527 AC drive user manuals to the Additional Resources | 10
Added Kinetix 5700 Servo Drives and PowerFlex 527 Adjustable Frequency AC Drives to the list of GuardLogix system components | 16
Added information to the table of GuardLogix system components to ident
102. ply with the IEC 61511 standard on process safety, section 11.7.1, Operator Interface requirements
• Changes to the safety-related system must comply with IEC 62061 for machine safety
• The developer must follow the same sound development techniques and procedures that are used for other application software development, including the verification and testing of the operator interface and its access to other parts of the program. In the controller application software, create a table that is accessible by the HMI and limit access to required data points only
• Similar to the controller program, the HMI software needs to be secured and maintained for SIL-level compliance after the system has been validated and tested

Safety Programs
A safety program has all of the attributes of a standard program, except that it can be scheduled only in the safety task. A safety program can also define program-scoped safety tags. A safety program can be scheduled or unscheduled. A safety program can contain only safety components. All routines in a safety program are safety routines. A safety program cannot contain standard routines or standard tags.

Safety Routines
Safety routines have all of the attributes of standard routines, except that they can exist only in safety programs. One safety routine can be designated as the main routine. Another safety routine can be designated as the fault routine. Only safety-certified instructions may be used in safety routines. For a listing of safety
103. pplications

Notes:

Appendix E: GuardLogix Systems Safety Data

PFD Values, PFH Values
The following examples show probability of failure on demand (PFD) and probability of failure per hour (PFH) values for GuardLogix 1oo2 SIL 3 systems that use Guard I/O modules. Mission time for GuardLogix controllers and Guard I/O modules is 20 years.

PFD Values

Table 14: Calculated PFD by Proof Test Interval
Cat. No. | Description | 2 Years (17,520 hours) | 5 Years (43,800 hours) | 10 Years (87,600 hours) | 20 Years (175,200 hours)
1756-L7xS and 1756-L7SP | GuardLogix controller | 5.7E-06 | 1.5E-05 | 3.5E-05 | 8.9E-05
1756-L73SXT and 1756-L7SPXT | GuardLogix-XT controller | 5.7E-06 | 1.5E-05 | 3.5E-05 | 8.9E-05
1791DS-IB12 | CIP Safety 12-point input module | 4.73E-07 | 1.18E-06 | 2.35E-06 | 4.71E-06
1791DS-IB16 | CIP Safety 16-point input module | 4.11E-06 | 1.03E-05 | 2.06E-05 | 4.11E-05
1791DS-IB8XOB8 | CIP Safety 8-point input, 8-point output module | 4.73E-07 | 1.18E-06 | 2.35E-06 | 4.71E-06
1791DS-IB4XOW4 | CIP Safety 4-point input, 4-point relay output module | 2.21E-05 | 7.05E-05 | 1.92E-04 | 5.88E-04
1791DS-IB8XOBV4, 1732DS-IB8XOBV4 | CIP Safety 8-point input, 4 bi-polar output module | 4.16E-06 | 1.04E-05 | 2.08E-05 | 4.16E-05
1732DS-IB8 | CIP Safety 8-point input module | 4.11E-06 | 1.03E-05 | 2.06E-05 | 4.11E-05
1791ES-IB16 | CIP Safety 16-point input module | 4.13E-06 | 1.03E-05 | 2.06E-05 | 1791
104. pu t Data

[screenshot of the Logix Designer controller organizer for Controller_L73S: Controller Tags, Controller Fault Handler, Power-Up Handler; Tasks: MainTask with MainProgram (Program Tags, Chn_A_Logic, Chn_B_Logic routines) and SafetyProgram]

Always keep channel A and channel B input data separate. This example illustrates one method to separate channel A and channel B data in your application.

Follow all rules for 1756 I/O modules and 1794 FLEX I/O modules as defined in the Using ControlLogix in SIL 2 Applications Safety Reference Manual, publication 1756-RM001.

IMPORTANT: Do not perform safety-specific functions within these routines. Safety evaluation must be handled within the 1756 GuardLogix safety task.

Transferring SIL 2 Data Into the Safety Task
To transfer channel A and channel B SIL 2 safety data into the GuardLogix safety task, use the safety tag mapping functionality in the Logix Designer application. The tag names that are used here are for example purposes. Implement and follow naming conventions that are appropriate for your application.

[screenshot of the Safety Tag Mapping dialog box: standard tag Chn_A_Data mapped to safety tag Chn_A_SIL2_Data; standard tag Chn_B_Data mapped to safety tag Chn_B_SIL2_Data; Delete Row button]

TIP: To use the safety tag mapping feature, select Map Safety Tags from the Logic menu in the Logix Designer application.

Using 1794 FLEX I/O Modu
105. r actual use based on the examples and diagrams. No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual. Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc. is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a m
106. r safety demand requirements (low, IEC 61511, or high, ISO 13849)
• Consider test intervals, diagnostics, and proof testing that is needed to satisfy application requirements
• Identify and justify, with proper documentation, any fault exclusions that are used

IMPORTANT: If a combination of SIL 2 and SIL 3 safety functions is used simultaneously within the safety task, you must prevent SIL 2 input signals from directly controlling SIL 3 safety functions. Use specific safety task programs or routines to separate SIL 2 and SIL 3 safety functions.

Within the safety task, the Logix Designer application includes a set of safety-related ladder logic instructions. GuardLogix controllers also feature application-specific SIL 3-rated safety instructions. All of these logic instructions can be used in Cat. 1...4 and SIL 1...3 safety functions.

For SIL 2-only safety, a safety task signature is not required. However, if any SIL 3 safety functions are used within the safety task, a safety task signature is required. For SIL 2 applications, we recommend that you safety-lock the safety task once testing is completed. Locking the safety task enables more security features. You can also use FactoryTalk Security and Logix Designer routine source protection to limit access to safety-related logic. For more information
107. re part of a Cat. 1, Cat. 2, or SIL 2 safety function. Inputs 2 and 3, as well as 4 and 5, are part of a Cat. 3, Cat. 4, or SIL 3 safety function.

Figure 13: Input Configuration [screenshot of the Module Properties dialog box for ENet_1:1791ES-IB16, Input Configuration tab; the recoverable settings are listed below]
Point | Type | Discrepancy Time | Point Mode | Test Source
0 | Single | 0 | Safety Pulse Test | 0
1 | (paired with 0) | | Safety Pulse Test | 1
2 | Equivalent | 10 | Safety | None
3 | (paired with 2) | | Safety | None
4 | Equivalent | 10 | Safety Pulse Test | 2
5 | (paired with 4) | | Safety Pulse Test | 3
6 | Single | 0 | Safety Pulse Test | 0
7 | (paired with 6) | | Safety Pulse Test | 1
8 | Single | 0 | Not Used | None
9 | (paired with 8) | | Not Used | None
10 | Single | 0 | Not Used | None
11 | (paired with 10) | | Not Used | None

Field | Value
Type | Single
Discrepancy Time | N/A
Point Mode | Safety Pulse Test
Test Source | Set values based on how the field device is physically wired to the module. To make sure the test source is properly enabled, open and view settings on the Test Output tab.
Input Delay Time | User input based on field device characteristics.

IMPORTANT: The onboard pulse test outputs (T0...Tx) are typically used with field devices that have mechanical contacts. If a safety device that has electronic outputs is used to feed safety inputs, they must have the appropriate safety ratings.

IMPORTANT: If you are using GuardLogix S
108. repancy time and enhanced capability for bypassing a two-hand run station | TÜV
TSAM | Two Sensor Asymmetrical Muting | Automatically disables the protective function of a light curtain temporarily by using two muting sensors that are arranged asymmetrically | TÜV
TSSM | Two Sensor Symmetrical Muting | Automatically disables the protective function of a light curtain temporarily by using two muting sensors that are arranged symmetrically | TÜV
FSBM | Four Sensor Bidirectional Muting | Automatically disables the protective function of a light curtain temporarily by using four sensors that are arranged sequentially before and after the sensing field of the light curtain | TÜV

Appendix A: Safety Instructions

Table 10: Metal Form Safety Application Instructions
Mnemonic | Name | Purpose | Certification
CBCM | Clutch Brake Continuous Mode | Used for press applications where continuous operation is desired | BG, TÜV
CBIM | Clutch Brake Inch Mode | Used for press applications where minor slide adjustments are required, such as press setup | BG, TÜV
CBSSM | Clutch Brake Single Stroke Mode | Used in single-cycle press applications | BG, TÜV
CPM | Crankshaft Position Monitor | Used to determine the slide position of the press | BG, TÜV
CSM | Camshaft Monitor | Monitors motion for the start, stop, and run operations of a camshaft | BG, TÜV
EPMS | Eight Position Mode Selector
109. restriction includes rung comments, tag descriptions, and any instruction documentation that was created. When the instruction is sealed, you can perform only these actions:
• Copy the instruction signature
• Create or copy a signature history entry
• Create instances of the Add-On Instruction
• Download the instruction
• Remove the instruction signature
• Print reports

Appendix B: Safety Add-On Instructions

When an instruction signature has been generated, the Logix Designer application displays the instruction definition with the seal icon. [screenshot of the Add-On Instructions folder in the controller organizer, showing a sealed instruction with its Parameters and Local Tags and Logic entries]

IMPORTANT: If you plan to protect your Add-On Instruction by using the source protection feature in the Logix Designer application, you must enable source protection before you generate the instruction signature.

Download and Generate Safety Instruction Signature
When a sealed safety Add-On Instruction is downloaded for the first time, a SIL 3 safety instruction signature is automatically generated. The safety instruction signature is an ID number that identifies the execution characteristics of the safety Add-On Instruction.

SIL 3 Add-On Instruction Qualification Test
Safety Add-On Instruction SIL 3 tests must be performed in a separate, dedicated application to make sure unintended influences are minimized. You must follow a well-designed test plan and perform a unit
110. rimary controller configures the safety partner. Only one download of the user program to the primary controller is required. The operating mode of the safety partner is controlled by the primary controller.

Chassis
The chassis provides the physical connections between modules and the 1756 GuardLogix system. Any failure, though unlikely, would be detected as a failure by one or more of the active components of the system. Therefore, the chassis is not relevant to the safety discussion. GuardLogix-XT controllers must use a ControlLogix-XT chassis to achieve the extreme environment rating.

Power Supplies
No extra configuration or wiring is required for SIL 3 operation of the ControlLogix power supplies. Any failure would be detected as a failure by one or more of the active components of the GuardLogix system. Therefore, the power supply is not relevant to the safety discussion. GuardLogix-XT controllers must use a ControlLogix-XT power supply to achieve the extreme environment rating.

Safety-related communication between GuardLogix controllers takes place via produced and consumed safety tags. These safety tags use the CIP Safety protocol, which is designed to preserve data integrity during communication. For more information on safety tags, see Chapter 5, Characteristics of Safety Tags, the Safety Task, and Safety Programs.

Safety I/O Devices

Communication Bridge
111. rk [figure residue: CIP Safety I/O modules on the EtherNet/IP network and on a DeviceNet network; Controller A and Controller B chassis containing 1756-PB75, 1756-EN2T, 1756-L73S, 1756-L7SP, 1756-L72S, 1756-L7SP, 1756-DNB, and 1756-EN2T]

Chapter 2: GuardLogix Controller System

TIP: Peer-to-peer safety communication between two GuardLogix controllers in the same chassis is also possible via the backplane. [figure residue: backplane with 1756-L72S and 1756-L7SP]

DeviceNet Safety Network
DeviceNet bridges let the GuardLogix controller control and exchange safety data with CIP Safety I/O modules on a DeviceNet network.

Figure 5: Communication via a DeviceNet Bridge [figure residue: 1756-L7SP, 1756-L72S, and 1756-DNB; DeviceNet network with CIP Safety I/O modules]

ControlNet Network
ControlNet bridges let the GuardLogix controller produce and consume safety tags over ControlNet networks to other GuardLogix controllers or remote CIP Safety I/O networks.

Figure 6: Communication via a ControlNet Bridge [figure residue: ControlNet network linking Controller A and Controller B; modules shown are 1756-PB75, 1756-L73S, 1756-L7SP, 1756-L73S, 1756-L7SP, 1756-DNB, 1768-CN2, and 1756-CN2; CIP Safety I/O modules on a DeviceNet network]

Programming Ov
112. rogram, or component in your project that is not a safety-related item; that is, standard.

standard controller: Refers generically to a ControlLogix or CompactLogix controller.

Additional Resources
These documents contain more information about related products from Rockwell Automation.

Resource | Description
GuardLogix 5570 Controllers User Manual, publication 1756-UM022 | Provides information on how to install, configure, program, and use GuardLogix 5570 controllers in Studio 5000 Logix Designer projects.
GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095 | Provides information on the GuardLogix Safety Application instruction set.
Guard I/O DeviceNet Safety Modules User Manual, publication 1791DS-UM001 | Provides information on how to use Guard I/O DeviceNet safety modules.
Guard I/O EtherNet/IP Safety Modules User Manual, publication 1791ES-UM001 | Provides information on how to use Guard I/O EtherNet/IP safety modules.
POINT Guard I/O Safety Modules User Manual, publication 1734-UM013 | Provides information on how to install and use POINT Guard I/O modules.
Kinetix 5500 Servo Drives User Manual, publication 2198-UM001 | Provides information on how to install and use Kinetix 5500 servo drives.
Kinetix 5700 Servo Drives User Manual, publication 2198-UM002 | Provides information on how to install and use Kinetix 5700 servo drives.
PowerFlex 527 Adjustable Frequency AC Driv
113. rogram Requirements | Comment | Yes | No
1. Are you using version 21 or later of the Logix Designer application, the GuardLogix system programming tool?
2. Were the programming guidelines in Chapter 6 followed during creation of the safety application program?
3. Does the safety application program contain only relay ladder logic?
4. Does the safety application program contain only those instructions that are listed in Appendix A as suitable for safety application programming?
5. Does the safety application program clearly differentiate between safety and standard tags?
6. Are only safety tags used for safety routines?
7. Have you verified that safety routines do not attempt to read from or write to standard tags?
8. Have you verified that no safety tags are aliased to standard tags, and vice versa?
9. Is each safety output tag correctly configured and connected to a physical output channel?
10. Have you verified that all mapped tags have been conditioned in safety application logic?
11. Have you defined the process parameters that are monitored by fault routines?
12. Have you sealed any safety Add-On Instructions with an instruction signature and recorded the safety instruction signature?
13. Has the program been reviewed by an independent safety reviewer, if required?
14. Has the review been documented and signed?

Appendix D: Checklists for GuardLogix Safety A
114. roller power to be cycled from off to on. The user program is not preserved and must be re-downloaded.

A fault which, even though properly handled by the fault-handling mechanisms that are provided by the safety controller and implemented by the user, ends all safety task processing and requires external user action to restart the safety task.

Situation where you are monitoring or modifying the program in the controller.

When a task (periodic or event) is triggered while the task is still executing from the previous trigger.

The primary controller and safety partner must both be present, and the hardware and firmware must be compatible, for partnership to be established.

A change to a routine that has been made in the Logix Designer application but has not yet been communicated to the controller by accepting the edit.

Glossary (continued)
Terms defined on this page: periodic task, primary controller, recoverable fault, requested packet interval (RPI), routine, safety add-on instruction, safety application instructions, safety component, safety instruction signature, safety I/O, safety network number (SNN), safety partner.

periodic task: A task that is triggered by the operating system at a repetitive period. Whenever the time expires, the task is triggered and its programs are executed. Data and outputs that are established by the programs in the task retain their values until the next execution of the tas
115. s GuardLogix Controller System (Chapter 2)

For information on CIP Safety I/O devices for use with GuardLogix controllers, see Chapter 3. Table 5 lists the communication interface modules available to facilitate communication over EtherNet/IP, DeviceNet, and ControlNet networks via the CIP Safety protocol.

Table 5: Communication Interface Modules by System
GuardLogix System | Communication Modules
1756 | 1756-ENBT, 1756-EN2T(R), 1756-EN2F, or 1756-EN3TR EtherNet/IP bridge; 1734-AENT POINT I/O Ethernet adapter; 1756-DNB DeviceNet bridge; 1756-CN2 ControlNet bridge; 1756-CN2R Redundant ControlNet bridge
1756-XT | 1756-EN2TXT, 1756-EN2TRXT EtherNet/IP bridge (XT copper); 1756-CN2RXT Redundant XT ControlNet bridge
1768 | 1768-ENBT; 1734-AENT POINT I/O Ethernet adapter; 1768-CNB, 1768-CNBR

IMPORTANT: Due to the design of the CIP Safety control system, CIP Safety bridge devices, like the bridges listed in the table, are not required to be SIL 3 certified.

EtherNet/IP Network
Peer-to-peer safety communication between GuardLogix controllers is possible via the EtherNet/IP network through the use of EtherNet/IP bridges. An EtherNet/IP bridge lets the GuardLogix controller control and exchange safety data with CIP Safety I/O devices on an EtherNet/IP network.

Figure 4: Peer-to-peer Communication via EtherNet/IP Bridges and the EtherNet/IP Network [figure residue: Ethernet switch joining EtherNet/IP networks] Netwo
116. s safety task. Because GuardLogix controllers are part of the ControlLogix series of processors, you can perform SIL 2 safety control with a GuardLogix controller by using standard tasks or the safety task. This capability provides unique and versatile safety control options, as most applications have a higher percentage of SIL 2 safety functions than SIL 3 safety functions.

SIL 2 Safety Control in the Safety Task
The GuardLogix safety task can be used to provide SIL 2 and SIL 3 safety functions. If SIL 3 safety functions need to be performed simultaneously with SIL 2 safety functions, you must fulfill the requirements that are defined in the SIL 3 Safety, the Safety Task, Safety Programs, and Safety Routines sections of this chapter, as well as the SIL 2 requirements that are listed in this section.

SIL 2 Safety Logic
From a GuardLogix safety control perspective, the biggest difference between SIL 2 and SIL 3 safety-rated devices is that SIL 2 is generally single-channel, while SIL 3 is typically dual-channel. When using Guard safety-rated I/O (red modules), which is required in the safety task, SIL 2 safety inputs can be single-channel, which can reduce complexity and the number of modules that are necessary. It is up to the safety system designer to implement all safety functions properly. Consideration must be given to the following:
• Field device selection (properly select, identify, and mitigate all device faults)
• Conside
117. struction, 65
signature history, 77
SIL 2, EN50156, 101
software, changing your application program, 59
Studio 5000 environment, 17
system reaction time, 19; calculating, 79
T
tags: produced/consumed safety data, 46; Safety I/O, 46; see also safety tags
terminology, 10
timeout multiplier, 82; definition, 108
U
unique node reference, defined, 34
W
watchdog time, 84
X
XT components, 17

Index Notes

Rockwell Automation Support
Rockwell Automation provides technical information on the Web to assist you in using its products. At http://www.rockwellautomation.com/support you can find technical and application notes, sample code, and links to software service packs. You can also visit our Support Center at https://rockwellautomation.custhelp.com for software updates, support chats and forums, technical information, FAQs, and to sign up for product notification updates.

In addition, we offer multiple support programs for installation, configuration, and troubleshooting. For more information, contact your local distributor or Rockwell Automation representative, or visit http://www.rockwellautomation.com/services/online-phone.

Installation Assistance
If you experience a problem within the first 24 hours of installation, review the information that is contained in this manual. You can
118. t range tests are acceptable. These are tests within the defined value ranges, at the limits, or in invalid value ranges. The necessary number of test cases depends on the formulas used and must comprise critical value pairs.

Active simulation with sources (field devices) must also be included, as it is the only way to verify that the sensors and actuators in the system are wired correctly. Verify the operation of programmed functions by manually manipulating sensors and actuators. You must also include tests to verify the reaction to wiring faults and network communication faults.

Project verification includes tests of fault routines and input and output channels to be sure that the safety system operates properly. To perform a project verification test on the GuardLogix controller, you must perform a full test of your application. You must toggle each sensor and actuator involved in every safety function. From a controller perspective, this means toggling the I/O point going into the controller, not necessarily the actual activators. Be sure to test all shutdown functions, because these functions are not typically exercised during normal operation.

Also be aware that a project verification test is valid only for the specific application tested. If the controller is moved to another application, you must also perform start-up and project
119. table CIP Safety control system must have a unique node reference. The unique node reference is a combination of a safety network number (SNN) and the node address of the node.

Safety Network Number
The safety network number (SNN) is assigned automatically by the software or manually by you. Each CIP Safety network that contains safety I/O nodes must have at least one unique SNN. Each chassis that contains one or more safety devices must have at least one unique SNN. Safety network numbers that are assigned to each safety network or network subnet must be unique.

TIP: Multiple SNNs can be assigned to a CIP Safety subnet or a chassis that contains multiple safety devices. However, for simplicity, we recommend that each CIP Safety subnet have one and only one unique SNN. This recommendation also applies for each chassis.

Figure 9: CIP Safety Example with More Than One SNN [figure residue: a chassis with 1756-L71S, 1756-L7SP, and 1756-DNB; two switches; a SmartGuard controller; CIP Safety I/O devices; the safety network numbers SNN_1 through SNN_7 assigned across the subnets and chassis]

Each CIP Safety device must be configured with an SNN. Any device that originates a safety connecti
120. tatus and is maintained for a configurable amount of time after the failure is repaired.

IMPORTANT: You are responsible for providing application logic to latch these I/O failures and to make sure the system restarts properly.

I/O Device Connection Status
The CIP Safety protocol provides status for each I/O device in the safety system. If an input connection failure is detected, the operating system sets all device inputs to their de-energized safety state and the associated input status to faulted. If an output connection failure is detected, the operating system sets the associated output status to faulted. The output device de-energizes the outputs.

IMPORTANT: You are responsible for providing application logic to latch these I/O failures and to make sure the system restarts properly.

Chapter 7: Monitor Status and Handle Faults

De-energize to Trip System
GuardLogix controllers are part of a de-energize to trip system, which means that zero is the safe state. Some, but not all, safety I/O device faults cause all device inputs or outputs to be set to zero (safe state). Faults associated with a specific input channel result in that specific channel being set to zero; for example, a pulse test fault that is specific to channel 0 results in channel 0 input data being set to the safe state (0). If a fault is general to the device and not to a specific channel, the combined status bit
121. tem represents the extent of potential mis-routing of packets from an originator to a target within the CIP Safety control system. The system is isolated such that there are no other connections into the system. For example, because the system in Figure 8 cannot be interconnected to another CIP Safety system through a larger plant-wide Ethernet backbone, it illustrates the extent of a routable CIP Safety system.

     [Figure 8: CIP Safety System Example. The figure shows a router, a firewall, two switches, a SmartGuard controller, and CIP Safety I/O devices. Note 1: the router or firewall is configured to limit traffic.]

     Chapter 4, CIP Safety and the Safety Network Number. Unique Node Reference. The CIP Safety protocol is an end node to end node safety protocol. The CIP Safety protocol allows the routing of CIP Safety messages to and from CIP Safety devices through non-certified bridges, switches, and routers. To prevent errors in non-certified bridges, switches, or routers from becoming dangerous, each end node within a rou
122. test of the safety Add-On Instruction that exercises all possible execution paths through the logic, including the valid and invalid ranges of all input parameters. Development of all safety Add-On Instructions must meet the IEC 61508 requirements for software module testing, which provide detailed requirements for unit testing.

     Confirm the Project. You must print or view the project and manually compare the uploaded safety I/O and controller configurations, safety data, safety Add-On Instruction definitions, and safety task program logic to make sure that the correct safety components were downloaded, tested, and retained in the safety application program. See Confirm the Project on page 55 for a description of one method for confirming a project.

     Appendix B, Safety Add-On Instructions. Safety Validate Add-On Instructions. An independent third-party review of the safety Add-On Instruction may be required before the instruction is approved for use. An independent third-party validation is required for IEC 61508 SIL 3.

     Create Signature History Entry. The signature history provides a record for future reference. A signature history entry consists of the instruction signature, the name of the user, the time stamp value, and a user-defined description. Up to six history entries can be stored. You must be offline to create a signature history entry.

     TIP: The Signature L
123. tion must be the same.

     (4) See the GuardLogix 5570 Controllers User Manual, publication 1756-UM022, for special considerations when using the GSV and SSV instructions.
     (5) The event instruction triggers a scan of the standard task.

     Appendix A, Safety Instructions. IMPORTANT: If you are using Motion Direct Commands with a Kinetix 5500 or Kinetix 5700 servo drive or a PowerFlex 527 drive, see the following publications for information on how to use this feature in safety applications:
     • Kinetix 5500 Servo Drives User Manual, publication 2198-UM001
     • Kinetix 5700 Servo Drives User Manual, publication 2198-UM002
     • PowerFlex 527 Adjustable Frequency AC Drive User Manual, publication 520-UM002
     See these publications for more information.

     Table 12: Additional Resources
     - GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095: provides more information on the safety application instructions.
     - Logix5000 Controllers General Instructions Reference Manual, publication 1756-RM003: contains detailed information on the Logix instruction set.

     Appendix B, Safety Add-On Instructions. Topics: Create and Use a Safety Add-On Instruction (page 73); Additional Resources (page 78). Create and Use a Safety Add-On Instruction. With the Logix Designer applicatio
124. ty Read/Write
     SIL2_Outputs.SIL2_TempA   INT    Safety   Read/Write   Decimal
     SIL2_Outputs.SIL2_TempB   INT    Safety   Read/Write   Decimal
     SIL2_Outputs.SIL2_Valve1  BOOL   Safety   Read/Write   Binary
     SIL2_Outputs.SIL2_Valve2  BOOL   Safety   Read/Write   Binary

     TIP: In this example, a consumer for the produced tag is not shown. The connection status shows a fault if you don't configure a consumer. However, in this type of configuration you are not required to monitor the connection status of the produced tag, so the fault is not a concern.

     Follow all rules for 1756 I/O modules and 1794 FLEX I/O modules as defined in the Using ControlLogix in SIL 2 Applications Safety Reference Manual, publication 1756-RM001.

     Appendix G, Using 1794 FLEX I/O Modules and 1756 SIL 2 Inputs and Outputs with 1756 GuardLogix Controllers to Comply with EN 50156. Safety Functions Within the 1756 GuardLogix Safety Task. Guidelines for using SIL 2 and SIL 3 safety functions within the 1756 GuardLogix safety task:
     • All available safety application instructions can be used.
     • SIL CL3 safety input modules (that is, Guard I/O modules) can be used with single-channel configuration for SIL 2 safety functions.
     • Use of the safety task signature and safety-locking the application is recommended.

     IMPORTANT: You must not use SIL 2 data to control a SIL 3 output directly.

     add-on instr
125. uction

     Glossary. The following terms and abbreviations are used throughout this manual. For definitions of terms that are not listed here, refer to the Allen-Bradley Industrial Automation Glossary, publication AG-7.1.

     add-on instruction: An instruction that you create as an add-on to the Logix instruction set. Once defined, an Add-On Instruction can be used like any other Logix instruction and can be used across various projects. An Add-On Instruction is composed of parameters, local tags, a logic routine, and optional scan mode routines.
     assemble edits: You assemble edits when you have made online edit changes to the controller program and want the changes to become permanent (you can test, untest, or cancel the edits).
     cancel edits: Action that is taken to reject any unassembled online edit changes.
     CIP Safety protocol: A network communication method that is designed and certified for transport of data with high integrity.
     configuration signature: A unique number that identifies the configuration of a device. The configuration signature is composed of an ID number, date, and time.
     instruction signature: The instruction signature consists of an ID number and a date/time stamp that identifies the contents of the Add-On Instruction definition at a given point in time.
     nonrecoverable controller fault: A fault that forces all processing to be ended and requires cont
     nonrecoverable safety fault
     online
     overlap
     partnership
     pending edit
126. uirements.

     No aspect of safety can be modified while the controller is in the safety-locked state. When the controller is safety-locked, the following actions are not permitted in the safety task:
     • Online or offline programming or editing
     • Forcing safety I/O
     • Data manipulation, except through routine logic or another GuardLogix controller
     • Creating or editing safety Add-On Instructions
     • Generating or deleting the safety task signature

     The default state of the controller is safety-unlocked. You may place the safety application in a safety-locked state regardless of whether you are online or offline, and regardless of whether you have the original source of the program. However, no safety forces or pending safety edits may be present. Safety-locked or safety-unlocked status cannot be modified when the keyswitch is in the RUN position.

     To provide an additional layer of protection, separate passwords may be used for safety-locking or safety-unlocking the controller. Passwords are optional.

     Upon download, application testing is required unless a safety task signature exists.

     IMPORTANT: To verify the integrity of every download, you must manually record the safety task signature after initial creation and check the safety task signature after every download to make sure that it matches the original.

     Downloads to a safety-locked GuardLogix controller are allowed only if the safety task signature, the hardware series, and the operating system versi
127. up to 20 years. Other components of the system, such as safety I/O devices, sensors, and actuators, can have shorter proof test intervals. Include the controller in the functional verification testing of the other components in the safety system.

     IMPORTANT: Your specific applications determine the time frame for the proof test interval. However, this is mainly related to safety I/O devices and field instrumentation.

     Chapter 1, Safety Integrity Level (SIL) Concept. GuardLogix Architecture for SIL 3 Applications. The following illustration shows a typical SIL function, including:
     • The overall safety function
     • The GuardLogix portion of the overall safety function
     • How other devices (for example, an HMI) are connected while operating outside the function

     [Figure 1: Typical SIL Function. The figure shows programming software and an HMI with read-only access to safety tags on a plant-wide Ethernet network, a 1756-EN2T module, CIP Safety I/O modules on an Ethernet network, a sensor, an actuator, and the boundary of the overall safety function.]
128. y I/O devices can support On-delay and Off-delay functions for input signals. Depending upon your application, you may need to include Off-delay, On-delay, or both when you calculate system reaction time. See Appendix C for information on system reaction time.

     The input reaction time is the time from when the signal changes on an input terminal to when safety data is sent to the GuardLogix controller. The output reaction time is the time from when safety data is received from the GuardLogix controller to when the output terminal changes state. For information on how to determine the input and output reaction times, refer to the product documentation for your specific CIP Safety I/O device. See Appendix C for information on how to calculate the system reaction time.

     Chapter 3, CIP Safety I/O for the GuardLogix Control System. Safety Considerations for CIP Safety I/O Devices. You must commission all devices with a node or IP address and, if necessary, a communication rate before their installation on a safety network.

     Ownership. Each CIP Safety I/O device in a GuardLogix system is owned by one GuardLogix controller. Multiple GuardLogix controllers and multiple CIP Safety I/O devices can be used without restrictions in chassis or on networks as needed. When a controller owns an I/O device, it stores the device's configuration data as defined by the user. This configuration contr
