manualshive.com logo in svg

Allen-Bradley 1756-L6 Series, Reference Manual, Page: 92 / 134

Share
Download
Allen-Bradley 1756-L6 Series Reference Manual Download Page 92

92

Rockwell Automation Publication 1756-RM001I-EN-P - May 2012

Chapter 9

Use of Human-to-Machine Interfaces

Changing Safety-related Parameters in SIL-rated Systems

A parameter change in a safety-related loop via an external (that is, outside the 
safety loop) device (for example, an HMI) is allowed only with the following 
restrictions:

Only authorized, specially-trained personnel (operators) can change the 
parameters in safety-related systems via HMIs.

The operator who makes changes in a safety-related system via an HMI is 
responsible for the effect of those changes on the safety loop.

You must clearly document variables that are to be changed.

You must use a clear, comprehensive, and explicit operator procedure to 
make safety-related changes via an HMI.

Changes can only be accepted in a safety-related system if the following 
sequence of events occurs.

a. The new variable must be sent twice to two different tags; that is, both 

values must not be written to with one command.

b. Safety-related code, executing in the controller, must check both tags 

for equivalency and make sure they are within range (boundary checks).

c. Both new variables must be read back and displayed on the HMI 

device.

d. Trained operators must visually check that both variables are the same 

and are the correct value.

e. Trained operators must manually acknowledge that the values are 

correct on the HMI screen that sends a command to the safety logic, 
which allows the new values to be used in the safety function.

In every case, the operator must confirm the validity of the change before 
they are accepted and applied in the safety loop.

Test all changes as part of the safety validation procedure.

Sufficiently document all safety-related changes made via HMI, including:

authorization.

impact analysis.

execution.

test information.

revision information.

Changes to the safety-related system, must comply with IEC 61511 
standard on process safety section 11.7.1 Operator Interface requirements.

Summary of Contents for 1756-L6 Series

Page 1: ...Using ControlLogix in SIL 2 Applications Catalog Numbers 1756 L6x 1756 L7x Safety Reference Manual Allen Bradley Motors ...

Page 2: ... to use of information circuits equipment or software described in this manual Reproduction of the contents of this manual in whole or in part without written permission of Rockwell Automation Inc is prohibited Throughout this manual when necessary we use notes to make you aware of safety considerations Allen Bradley Rockwell Software Rockwell Automation TechConnect ControlLogix ControlLogix XT Gu...

Page 3: ... supplies chapter Chapter 3 Moved information on operating modes and keyswitch positions to the controller chapter 31 Updated information on ControlLogix power supplies 33 34 Added more information on verifying the correct reception of data 38 Combined the chapters on general requirements for software applications and requirements for application development into one chapter and placed it ahead of...

Page 4: ...of Changes Updated publication links in the components appendix Appendix B Updated Probability of Failure on Demand PFD calculations including data for 1794 FLEX I O modules are now in the appendix Appendix C All checklists are now in an appendix Appendix D Change Page ...

Page 5: ...oof Tests 20 Proof Testing with Redundancy Systems 21 Reaction Times 22 Reaction Times in Redundancy Systems 22 Safety Watchdog 23 Safety Certifications and Compliances 23 Chapter2 FeaturesoftheControlLogixSIL2 System Module Fault Reporting 25 Data Echo Communication Check 26 Pulse Test 27 Software 27 Communication 28 Communication Ports 28 ControlNet Network 28 EtherNet IP Network 29 Electronic K...

Page 6: ...l Input Modules 41 Using 1756 Digital Output Modules 42 Requirements When Using ControlLogix Digital Output Modules 43 Wiring ControlLogix Digital Output Modules 44 Using Analog Input Modules 47 Conduct Proof Tests 47 Calibrate Inputs 48 Use the Floating Point Data Format 48 Program to Respond to Faults Appropriately 48 Program to Compare Analog Input Data 48 Configure Modules 49 Specify the Same ...

Page 7: ...opment and Testing 80 Functional Specification Guidelines 80 Sensors digital or analog 81 Actuators 81 Creating the Application Program 81 Logic and Instructions 81 Program Language 82 Program Identification 82 SIL Task Program Instructions 82 Forcing 82 Checking the Application Program 83 Verify Download and Operation 83 Commissioning Life Cycle 84 Changing Your Application Program 85 Chapter8 Fa...

Page 8: ...lculationsforaSIL2System About Probability of Failure on Demand PFD Calculations 107 About the Calculations in This Manual 107 Determine Which PFD Values To Use 108 1 Year PFD Calculations 108 2 Year PFD Calculations 112 5 year PFD Calculations 115 Using Component Values To Calculate System PFD 119 Example 1 year PFD Calculation for a ControlLogix System 119 AppendixD Checklists Checklist for the ...

Page 9: ...erence Manual Abbreviation Full Term Definition CIP Common Industrial Protocol A industrial communication protocol used by Logix5000 based automation systems on Ethernet ControlNet and Devicenet communication networks CL Claim Limit The maximum level that can be achieved DC Diagnostic Coverage The ratio of the detected failure rateto the total failure rate EN European Norm The official European St...

Page 10: ...ailable for Logix5000 controllers ControlLogix System User Manual publication 1756 UM001 Explains how to use the ControlLogix controllers ControlLogix Standard Redundancy System User Manual publication 1756 UM523 Explains how to install configure and use a standard redundancy system ControlLogix Enhanced Redundancy System User Manual publication 1756 UM535 Explains how to install configure and use...

Page 11: ... fulfill SIL 2 criteria The results make the ControlLogix system suitable up to and including SIL 2 The TÜV Rheinland Group has approved the ControlLogix system for use in up to and including SIL 2 safety related applications in which the de energized state is typically considered to be the safe state All of the examples related to I O included in this manual are based on achieving de energization...

Page 12: ...em for an emergency shutdown application you can incorporate appropriate system design measures to meet other application requirements These measures relate to the control of outputs and actuators which must remain ON to be in a safe state Other requirements for SIL 2 inputs from sensors software used and so on must also be met Gas and Fire Considerations Listed below are the measures and modifica...

Page 13: ...ton One normally open contact provides for the bypass of power from the controller output directly to the actuator The other is a normally closed contact to remove or isolate the controller output An application program needs to be generated to monitor the diagnostic output modules for dangerous failures such as shorted or open output driver channels Diagnostic output modules must be configured to...

Page 14: ... GuardLogix controller Refer to the GuardLogix Safety Reference Manual publication 1756 RM093 SIL Compliance Distribution and Weight The programmable controller may conservatively be assumed to contribute 10 of the reliability burden A SIL 2 system may need to incorporate multiple inputs for critical sensors and input devices as well as dual outputs connected in series to dual actuators dependent ...

Page 15: ...Simplex Configuration on page 16 Nonredundant controller Redundant communication modules Nonredundant remoteI O Duplex Logic Solver Configurations on page 18 Redundant controllers Redundant communication modules Nonredundant remoteI O Duplex fault tolerant System Configurationon page 19 Redundant controllers Redundant communication modules Redundant remote I O I O termination boards IMPORTANT Thes...

Page 16: ... EtherNet IP modules for SIL 2 safety loops Each redundant input must be routed through separate EtherNet IP communication modules The SIL 2 output and its secondary shutoff must be routed through the separate 1756 EN2TR EtherNet IP modules SIL 2 I O modules in the safety loop must meet the requirements specified in Chapter 5 ControlLogix I O Modules Figure 3 Fail safe ControlLogix Ethernet IP DLR...

Page 17: ...programming terminal is not normally connected HMI For Diagnostics and Visualization read only access to controllers in the safety loop To other safety related ControlLogix or FLEX I O remote I O chassis Overall Safety Loop Actuator Actuator 1794 FLEX I O Input Device DI1 ControlNet Input Device To other safety related ControlLogix or FLEX I O remote I O chassis Note 1 Multiple 1756 CNB or CNBR mo...

Page 18: ...mponents portion of the overall safety loop Programming Software For SIL applications a programming terminal is not normally connected HMI For Diagnostics and Visualization read only access to controllers in the safety loop Sensor Actuator ControlNet IMPORTANT You can also access a remote I O chassis via an EtherNet IP networkif you use ControlLogix Enhanced Redundancy System Revision 19 52 or lat...

Page 19: ...assis B ST ST DIAGNOSTIC O K 0 1 2 3 4 5 6 7 8 9 101112131415 DC INTPUT ST ST DIAGNOSTIC O K 0 1 2 3 4 5 6 7 8 9 101112131415 DC INTPUT ANALOG INTPUT CAL OK ANALOG INTPUT CAL OK ST ST DIAGNOSTIC O K 0 1 2 3 4 5 6 7 8 9 101112131415 DC OUTPUT ST ST DIAGNOSTIC O K 0 1 2 3 4 5 6 7 8 9 101112131415 DC OUTPUT ST ST DIAGNOSTIC O K 0 1 2 3 4 5 6 7 8 9 101112131415 DC INTPUT ST ST DIAGNOSTIC O K 0 1 2 3 4...

Page 20: ...COM OK I O Chassis A I O Chassis B ST ST DIAGNOSTIC O K 0 1 2 3 4 5 6 7 8 9 101112131415 DC INTPUT ST ST DIAGNOSTIC O K 0 1 2 3 4 5 6 7 8 9 101112131415 DC INTPUT ANALOG INTPUT CAL OK ANALOG INTPUT CAL OK ST ST DIAGNOSTIC O K 0 1 2 3 4 5 6 7 8 9 101112131415 DC OUTPUT ST ST DIAGNOSTIC O K 0 1 2 3 4 5 6 7 8 9 101112131415 DC OUTPUT ST ST DIAGNOSTIC O K 0 1 2 3 4 5 6 7 8 9 101112131415 DC INTPUT ST ...

Page 21: ...s in the primary chassis control switches to the secondary controller The switchover can be monitored so that the system notifies the user when it has occurred In this case that is when a switchover takes place we recommend that you replace the failed controller within the mean time to restoration MTTR for your application If you are using controller redundancy in a SIL 2 application you must perf...

Page 22: ...ControlLogix System For more information on the available instructions and for a full description of logic operation and execution see the following publications Logix5000 Controllers General Instruction Set Reference Manual publication 1756 RM003 ControlLogix System User Manual publication 1756 UM001 Reaction Times in Redundancy Systems The worst case reaction time of a duplex system is different...

Page 23: ... to transition to the safe state typically the OFF state in the event of a major fault occurring on the controller For more information on faults see Chapter 8 Faults in the ControlLogix System The task watchdog time must be 50 of the expected safety demand rate for each application See the ControlLogix System User Manual publication 1756 UM001 for more information about setting the watchdog Safet...

Page 24: ...24 Rockwell Automation Publication 1756 RM001I EN P May 2012 Chapter 1 SIL Policy Notes ...

Page 25: ...om non owned modules When a controller owns an I O module that controller stores the module s configuration data defined by the user this data dictates how the module behaves in the system Inherent in this configuration and ownership is the establishment of a heartbeat between the controller and module known as the requested packet interval RPI The RPI defines a time interval in which the controll...

Page 26: ...tate from the controller to the data echo received from the module you can validate that the signal has reached the correct module and that the module will attempt to activate the appropriate field side device The echo data is technically input data from the output module and is located with the other output module data For example an output module at local slot 3 will have Local 3O and Local 3I w...

Page 27: ...ses You can disable pulse testing if necessary Software The location ownership and configuration of I O modules and controllers is performed using RSLogix 5000 programming software The software is used for all creation testing and debugging of application logic When using the programming software you must remember these points During normal control program controller in Run mode disconnect the pro...

Page 28: ...ownload on 1756 L7x controllers Refer to the ControlLogix System User Manual publication 1756 UM001 for information on making communication connections ControlNet Network The ControlNet network can be used to provide communication between the controller and remote I O chassis form the basis for communication in duplex redundant configurations To schedule the ControlLogix ControlNet network use RSN...

Page 29: ...ed through the separate 1756 EN2TR EtherNet IP modules Electronic Keying of Modules in SIL 2 Applications If a module in your SIL 2 certified ControlLogix system is replaced it should be replaced with an identical module Use the Exact Match keying option whenever possible to enforce this requirement Exact Match keying requires all keying attributes that is Vendor Product Type Product Code catalog ...

Page 30: ...30 Rockwell Automation Publication 1756 RM001I EN P May 2012 Chapter 2 Features of the ControlLogix SIL 2 System Notes ...

Page 31: ...ming Counting Report generation communication Arithmetic Data file manipulation The ControlLogix controller consists of a central processor I O interface and memory Operating Modes The controller performs power up and run time functional tests The tests are used with user supplied application programs to verify proper controller operation Topic Page ControlLogix Controllers 31 ControlLogix Chassis...

Page 32: ...ed Outputs are only enabled in this mode Requirements for Use Consider these requirements when using a SIL 2 certified ControlLogix controller All components such as input and output modules for each safety function must be owned by the specific controller performing the safety function When installing ControlLogix controller refer to the user manual listed in Additional Resources on page 10 There...

Page 33: ...nd deterministic shutdown of the system including the controller and I O modules Redundant Power Supplies ControlLogix redundant power supplies can be used in SIL 2 certified applications In a redundant power supply configuration two power supplies are connected to the same chassis The power supplies share the current load required by the chassis and an internal solid state relay that can annuncia...

Page 34: ...tion instructions a power supply can be used if it meets the user defined PFD criteria wire the solid state fault relay on each power supply from an appropriate voltage source to an input point in the ControlLogix system so that the application program can detect faults and react appropriately based on the your application requirements For more information about installing ControlLogix chassis and...

Page 35: ...s The communication modules can also be used for expansion of I O to additional ControlLogix remote I O chassis Topic Page Introduction to Communication Modules 35 ControlNet Modules and Components 36 EtherNet IP Communication Modules 36 DeviceNet Scanner Module 37 Data Highway Plus Remote I O Module 1756 DHRIO 37 SynchLink Module 37 General Requirements forCommunication Networks 37 Additional Res...

Page 36: ... Repeater Module 1786 RPFRXL Extra long distance Fiber Repeater Module Use of the 1756 RPA adapter is required with all of the repeater modules listed ControlNet Module Diagnostic Coverage All communication over the passive ControlNet media occur via CIP which guarantees delivery of the data All modules independently verify proper transmission of the data EtherNet IP Communication Modules Use an E...

Page 37: ...H is used for CST time propagation between multiple chassis for event recording The module can be used only outside of the safety loop It must not be used for any safety related activity in a SIL 2 certified ControlLogix system General Requirements for Communication Networks Follow these requirements when using SIL 2 certified communication modules When installing ControlLogix communication module...

Page 38: ... producing or consuming SIL 2 safety data you must use two independent data paths between the SIL 2 devices For example to exchange SIL 2 data between two ControlLogix SIL 2 controllers you could use two produced connections sending data to two consume connections Each controller produces data to the other Additional Resources This table lists additional resources specific to the ControlLogix comm...

Page 39: ...56Digital Input Modules 40 Using 1756 Digital Output Modules 42 Using Analog Input Modules 47 Using HART Analog Input Modules 53 Using Analog Output Modules 54 Using HART Analog Output Modules 58 IMPORTANT The programming information and examples in this chapter are provided to illustrate diagnostic and other logic related principles that must be demonstrated in SIL 2 application programs The prin...

Page 40: ...odules These modules share many of the same inherent architectural characteristics However the diagnostic input modules incorporate features that allow diagnosing of field side failures These features include broken wire that is wire off detection and in the case of AC Diagnostic modules loss of line power 43372 SIL 2 Certified ControlLogix I O Modules 1756 Digital I O Modules 1756 Analog I O Modu...

Page 41: ...ield devices by cycling them The closer you can get to the device being monitored to perform the test the more comprehensive the test will be Proof tests Periodically perform a system validation test Manually or automatically test all inputs to make sure they are operational and not stuck in the ON or OFF state Inputs must be cycled from ON to OFF or OFF to ON For more information see Proof Tests ...

Page 42: ...t Modules ControlLogix digital output modules are divided into two categories Diagnostic output modules Standard output modules These modules share many of the same inherent architectural characteristics However the diagnostic output modules incorporate features that allow diagnosing of field side failures including No Load loss of load reporting Blown Fuse reporting Output verify Output pulse tes...

Page 43: ...ignal in application logic The application logic must examine the Data Echo value associated with each output point to make sure that the requested ON OFF command from the controller was received and acted upon by the module In Figure 15 a timer begins to increment for any miscompare between the controller s output and the module s Data Echo feedback The discrepancy timer must be set to accommodat...

Page 44: ...shown in Figure 20 on page 47 one controller must own both modules Wiring ControlLogix Digital Output Modules Diagnostic digital output modules and standard output modules have different wiring considerations Reference the module type considerations that apply to your system configuration WiringDiagnosticDigitalOutputModules Diagnostic output modules have circuitry that is not included in standard...

Page 45: ...erformance 43365 V L2 V L1 Output V L2 Thisnormally opencontact heldclosed mustrepresent the healthy operation of the controller and safety I O modules Safety I O status can be restricted to inputs directly affecting outputs on the specific module or this contact can represent the healthy status of all safety inputs and the controller The module used to control this relay must follow SIL 2 output ...

Page 46: ...the correct state of the output Input Standard Isolated Output Module 43363 V L2 Standard Isolated Input Module V L2 V L1 Output V L1 Actuator This normally open contact held closed must represent the healthy operation of the controller and safety I O modules Safety I O status can be restricted to inputs directly affecting outputs on the specific module or this contact can represent the healthy st...

Page 47: ... modules in a SIL 2 application The following section describes those considerations specific to the use of analog input modules To achieve SIL 2 two analog input modules are required Field sensors must be wired to channels on each module and compared within a deadband Whether one or two field sensors are required is dependent on the Probability of Failure on Demand PFD value of the sensor Conduct...

Page 48: ...cy of the input signal and avoid nuisance application shutdowns Use the Floating Point Data Format ControlLogix analog input modules perform on board alarm processing to validate that the input signal is within the proper range These features are only available in Floating Point mode To use the Floating Point Data format select the Floating Point Data format in the Module Properties dialog box Pro...

Page 49: ...ication filtering lags in the system If the inputs miscompare for longer than the preset value a fault is registered with a corresponding alarm Figure 21 Comparison Logic for Two Analog Inputs The control diagnostics and alarming functions must be performed in sequence For more information on faults see Chapter 8 Faults in the ControlLogix System on page 87 Configure Modules When using identical m...

Page 50: ...values may be validated by comparing the two within an acceptable range Special consideration must be given in applying this technique depending on the type of module being used WiringtheSingle EndedInputModuleinVoltageMode Make sure you review the considerations in Using Analog Input Modules on page 47 use the correct documentation listed in Additional Resources on page 10 to wire the module tie ...

Page 51: ...the voltage drops each module input is 250 ohms Figure 23 shows how to wire the 1756 IF8 module for use in Current mode Figure 23 ControlLogix Analog Input Module Wiring in Current Mode WiringtheThermocoupleInputModule Make sure you review the considerations in Using Analog Input Modules on page 47 use the correct documentation listed in Additional Resources on page 10 to wire the module wire to s...

Page 52: ...n Using Analog Input Modules on page 47 use the correct documentation listed in Additional Resources on page 10 to wire the module use two sensors RTDs cannot be wired in parallel without severely affecting their accuracy Figure 25 shows how to wire the 1756 IR6I module Figure 25 ControlLogix Analog RTD Module Wiring Thermocouple A Ch0 43370 Ch0 RTN RTN Thermocouple B RTD A Ch0 A 43371 Ch0 A RTN R...

Page 53: ...the same considerations as other analog input modules Wiring the HART Analog Input Modules Make sure you review the considerations in Using Analog Input Modules on page 47 use the correct documentation listed in Additional Resources on page 10 to wire the module Figure 26 HART Input Analog Module Wiring IMPORTANT HART protocol must not be used for safety related data Ch0 Ch0 Ch0 Ch0 Sensor Sensor ...

Page 54: ...ibration However because each application is different you are responsible for making sure your ControlLogix I O modules are properly calibrated for your specific application You can employ tests in application program logic to determine when a module requires recalibration For example to determine whether an output module needs to be recalibrated you can determine a tolerance band of accuracy for...

Page 55: ... controller going into Program mode For exceptions to the typical ESD applications see Chapter 1 SIL Policy on page 11 MonitorChannelStatus You must wire each analog output to an actuator and then back to an analog input to monitor the output s performance as shown in Figure 28 The application logic must examine the analog input feedback value associated with each analog output to make sure that t...

Page 56: ... alarming functions must be performed in sequence SpecifytheSameControllerastheOwner The same controller must own both analog modules Timer Done Timer Outputs Faulted Alarm toOperator Outputs OK ADD Delta Monitoring input High Limit MULT Range Tolerance Delta Outputs Faulted LIM Low Limit Output Echo High Limit Outputs OK SUB Delta Monitoring input Low Limit Secondary Output Fault ...

Page 57: ...d in Additional Resources on page 10 to wire the module place devices correctly in the current loop You can locate other devices in an output channel s current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops each module output is 250 Ω Figure 29 on page 58 shows how to wire the 1756 OF8 module for use in Current mode Actuator 43377...

Page 58: ... Module Analog Input Module This normally open relay is controlled by the status of the rest of the ControlLogix system If a short circuit or fault occurs on the module the relay can disconnect power to the module The module used to control this relay must follow SIL 2 outputguidelines Thismodulealsomust be considered during PFD analysis for each safety function The relay used should be a signal g...

Page 59: ...HART Analog Output Modules Make sure you review the considerations in Wiring ControlLogix Analog Output Modules on page 57 use the correct documentation listed in Appendix B as a reference when wiring the module Figure 30 HART Output Analog Module Wiring Ch0 Ch0 Ch0 Ch0 Actuator Actuator Allen Bradley Motors ...

Page 60: ...60 Rockwell Automation Publication 1756 RM001I EN P May 2012 Chapter 5 ControlLogix I O Modules Notes ...

Page 61: ...s When Using FLEX I O Digital Input Modules Regardless of the type of FLEX I O input module used there are a number of general application considerations that users must follow when applying these modules in a SIL2 application Proof tests Periodically for example once every several years a system validation test must be performed Manually or automatically test inputs to make sure that all inputs a...

Page 62: ...e a fault in the event of a sustained miscompare between two points Figure 33 Annunciate a Fault The control diagnostics and alarming functions must be performed in sequence Input 1 Input 2 Input COM 24V 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 24VDC SINK INPUT 1794 IB16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 24VDC SINK INPUT 1794 IB16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 24VDC SINK INPUT 1794 IB16 1...

Page 63: ...OFF or OFF to ON Figure 34 Testing Outputs The control diagnostics and alarming functions must be performed in sequence Use external relays to disconnect module power if output de energization is critical To make sure outputs will de energize you must wire an external method that can remove power from the actuator if a short or other fault is detected Test outputs at specific times to make sure th...

Page 64: ...In the event that a failure is detected the output from both output modules must be set to OFF to guarantee the Output Loads de energize This is shown in Figure 36 on page 65 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 24VDC SOURCE OUTPUT 1794 OB16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 24VDC SINK INPUT 1794 IB16 Standard Digital Output Module 43363 Standard Digital Input Module 24V COM Output Actuator I...

Page 65: ...dically for example once every several years a System Validation test must be performed Manually or automatically test inputs to make sure that all inputs are operational Field signal levels should be varied over the full operating range to make sure that the corresponding channel data varies accordingly 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 24VDC SINK INPUT 1794 IB16 1 2 3 4 5 6 7 8 9 10 11 12 13...

Page 66: ...ast every 3 years to verify the accuracy of the input signal and avoid nuisance application shutdowns Compare analog input data and annunciate miscompares When wiring sensors to two inputs channels the values from those channels must be compared to each other for concurrence within an acceptable range for the application before actuating an output Any miscompare between the two inputs outside the ...

Page 67: ...rs to separate input points on two separate modules that are on different network nodes Monitor the network status bits for the associated module and make sure that appropriate action is invoked via the application logic by these status bits Wire sensors to separate input channels on two separate modules that are on different network nodes Timer Done Timer Inputs Faulted Alarm to Operator Inputs O...

Page 68: ...o following the Requirements When Using FLEX I O Analog Input Modules on page 65 make sure you use the correct documentation to wire the module Figure 39 FLEX I O Analog Input Module Wiring in Voltage Mode Input 1 Input 2 Input COM 24V Input COM 24V Input 1 Input 2 SIL2 SENSOR SENSOR 43366A One Sensor Wiring Example Two Sensor Wiring Example SENSOR Note 1 Both sensors are monitoring the same safet...

Page 69: ...es in current loop You can locate other devices in an input channel s current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops each module input is 250 ohms Figure 40 FLEX I O Analog Input Wiring in Current Mode RET RET RET RET Current Source B Current Source B Current Source A Current Source A 1794 TB3 1794 TB3 1794 TB3 1794 TB3 17...

Page 70: ...ng application guideline Wire to the same input channel on both modules When wiring thermocouples wire two in parallel to two modules Use the same channel on each module to make sure of consistent temperature readings Figure 41 FLEX I O Analog Thermocouple Module Wiring Thermocouple Input Module Thermocouple Input Module Thermocouple RTD mV Input Module Thermocouple RTD mV Input Module 1794 TB3T 1...

Page 71: ...module for monitoring is required to achieve SIL 2 RTD Input Module RTD Input Module Thermocouple RTD mV Input Module Thermocouple RTD mV Input Module 1794 TB3T 1794 TB3T 1794 TB3G 1794 TB3G 1794 IR8 1794 IR8 1794 IRT8 1794 IRT8 4 wire RTD 3 wire RTD Two three or four wire RTDs can be used as applicable to the associated RTD input module IMPORTANT We strongly recommended that you do not use analog...

Page 72: ...ou can then measure output values on multiple channels and compare those values to acceptable values within the tolerance band Based on the differences in the comparison you could then determine whether recalibration is necessary Calibration and subsequent recalibration is not a safety issue However we recommend that each analog output be calibrated at least every 3 years to verify the accuracy of...

Page 73: ...m If the monitoring input value and the Output Feedback miscompare for longer than the preset value a fault is registered with a corresponding alarm Figure 43 Monitoring an AnalogOutput with an Analog Input The control diagnostics and alarming functions must be performed in sequence When wiring two analog output modules in the same application make sure Both modules use identical configuration The...

Page 74: ...e that the output is functioning properly WiringtheAnalogOutputModuleinVoltageMode You must wire analog outputs to an actuator and then back to an analog input to monitor the output performance Figure 44 Analog Input Module Wiring Example _ V RET _ V RET 1794 TB3 1794 IF4I Analog Output Module 1794 TB3 1794 IE8 Analog Input Module Isolated Analog Output Module Isolated Analog Input Module 1794 OF4...

Page 75: ...module in current mode Place other devices in current loop You can locate other devices in an output channel s current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops Figure 45 Analog Output Wiring Example _ _ 1794 TB3 1794 IF4I Analog Output Module 1794 TB3 1794 IE8 Analog Input Module Isolated Analog Output Module Isolated Analog...

Page 76: ...76 Rockwell Automation Publication 1756 RM001I EN P May 2012 Chapter 6 FLEX I O Modules Notes ...

Page 77: ...Logix system assumes that the programming software is installed correctly control system hardware is installed in accordance with product installation guidelines user application code user program uses common and good design practices a test plan is documented and adhered to including well understood proof test requirements and procedures a well designed validation process is defined and implement...

Page 78: ...y related functions Programming Options RSLogix 5000 software version 20 or later includes these options Routines and Add On Instructions to control termination boards for fault tolerant I O Pre programmed SIL 2 I O subroutines Pre programmed SIL 2 I O Add On Instructions If you choose to use any of those options see these publications specific to your application for information about programming...

Page 79: ...detail here Contact your local Rockwell Automation representative for more information The controller keyswitch must be in the RUN position and the key removed during normal operating conditions Figure 46 Keyswitch in Run Mode In RSLogix 5000 software version 18 and later you can set tags to be standard read only or constant values Read only blocks external devices for example HMIs and other contr...

Page 80: ... limit the set of instructions to basic Boolean ladder logic such as examine On Off Timers Counters and so on whenever possible This set should include instructions that can be used to accommodate analog variables such as limit tests comparisons math instructions For more information see Proof Tests on page 20 Functional Specification Guidelines You must create a specification for your control fun...

Page 81: ...n dormant current principle for digital sensors sensors OFF means no signal Determination of redundancies required for SIL levels Discrepancy monitoring and visualization including the user s diagnostic logic Actuators Position and activation in standard operation normally OFF Safe reaction or positioning when switching OFF Discrepancy monitoring and visualization including the user s diagnostic l...

Page 82: ...f programs and routines The SIL 2 task must be the controller s top priority task and the user defined watchdog must be set to accommodate the SIL 2 task Forcing The following rules apply to forcing in an RSLogix 5000 project You must remove forces on all SIL 2 tags and disable forcing before beginning normal operation for the project You must not force SIL 2 tags after validation is performed and...

Page 83: ...y the correct programmed functions by forcing I O or by manual manipulation of sensors and actuators Verify Download and Operation Verify the download of the application program and its proper operation A typical technique is to upload the completed program file and perform a compare of that file against what is stored in the programming terminal These are typical steps for performing a verificati...

Page 84: ...ing on all Logic Tests Pass BeginNormalProject Operation Make project changes Download to Controller Determine what logic has been Changed or Affected Perform Validation Testing on all Changed or Affected Logic Yes No No Verification okay Make more online edits accept edits ormake more offline edits and download to CTR Develop Test Plan ReviewProgramwith Independent Party FinishtheValidation Test1...

Page 85: ...must perform an impact analysis by following the safety specification and other lifecycle steps described in Figure 47 on page 84 as if the edits were an entirely new program Users must sufficiently document all program edits including authorization impact analysis execution test information revision information Multiple users cannot edit a program from multiple programming terminals simultaneousl...

Page 86: ...es to assemble the edits The changes are the only program in the controller and the original program is discarded 3 Perform a partial proof test of the portion of the application affected by the program edits 4 Turn the controller key back to the RUN position to return the project to Run mode We recommend you upload the new program to your programming terminal to ensure consistency between the app...

Page 87: ...re a ControlLogix system to identify and handle faults including such tasks as developing a fault routine creating a user defined major fault monitoring minor faults developing a power up routine See the Logix5000 Controllers Common Procedures Programming Manual publication 1756 PM001 for more information It is your responsibility to determine what data is most appropriate for your application to ...

Page 88: ...lotStatusBits for the Input tag of the associated adapter The lower 8 bits of this tag correspond to the associated slot For example the tag Node3 I Slot1StatusBits is defined as follows Node 3 is the name given to the adapter in this example a 1794 ACNR15 I indicates the Input file SlotStatusBits is a 32 bit value where the lower 8 bits correspond to a FLEX I O module as shown Checking Keyswitch ...

Page 89: ... field data values right on the module allowing for easy examination of status bits to initiate a fault For example the 1756 IF8 module can be configured with user defined alarm values that when exceeded will set a status bit on the module which is then sent back to the controller You can examine the state of these bits to initiate a fault as shown in Figure 50 Figure 50 High Alarm Bit to Trigger ...

Page 90: ...Logix5000 Controllers General Instructions Reference Manual publication 1756 RM003 Provides information on how to use specific instructions to get and set controller system data stored in device objects Logix5000 Controllers Common Procedures Programming Manual publication 1756 PM001 Provides information on controller fault codes including major and minor codes and on creating fault and power up r...

Page 91: ...hniques in the application software within the HMI and controller Accessing Safety related Systems HMI related functions consist of two primary activities reading and writing data Reading Parameters in Safety related Systems Reading data is unrestricted because reading doesn t affect the operation or behavior of the safety system However the number frequency and size of the data being read can imp...

Page 92: ...be sent twice to two different tags that is both values must not be written to with one command b Safety related code executing in the controller must check both tags for equivalency and make sure they are within range boundary checks c Both new variables must be read back and displayed on the HMI device d Trained operators must visually check that both variables are the same and are the correct v...

Page 93: ...pment including the verification and testing of the operator interface and its access to other parts of the program The controller application software should set up a table that is accessible by the HMI and limits access to required data points only Similar to the controller program the HMI software needs to be secured and maintained for SIL level compliance after the system has been validated an...

Page 94: ...94 Rockwell Automation Publication 1756 RM001I EN P May 2012 Chapter 9 Use of Human to Machine Interfaces Notes ...

Page 95: ...tal or analog modules where the following occurs Field signal changes state The data is transmitted to the controller The controller runs its program scan and reacts to the data change The controller transmits data to the output module The output module processes data from the controller and turns the output device on or off Figure 51 Local Chassis Configuration of Digital or Analog Modules Topic ...

Page 96: ... with no system faults or errors differ slightly for digital or analog I O modules as shown in the following sections The diagnostic test interval for ControlLogix modules is 8 hours which defines the worst case reaction time for ControlLogix SIL 2 For Digital Modules Use this formula to determine worst case reaction time for digital modules in local or remote configurations Worst Case Reaction Ti...

Page 97: ... the Configuration tab on the Module Properties dialog box in the programming software If the safe state in your application is low use the On Off Input Filter Time If the safe state in your application is high use the Off On Input Filter Time Figure 53 Digital Module Configuration Module RPI is configurable via the Connection tab Allen Bradley Motors ...

Page 98: ... 16 100 ms 1 SIL 2 Task Period SIL 2 Task Watchdog Output Module RPI x 4 8 16 100 ms 1 Output Module Delay Filter time and RTS are configurable via the Configuration tab on the Module Properties dialog box in the programming software Module RPI is configurable via the Connection tab Figure 54 Analog Module Configuration Refer to the ControlLogix Analog I O Module User Manual publication 1756 UM009...

Page 99: ...llogix Chassis 1756 IN005 1756 PA75 1 1 The 1756 PA75 A and 1756 PB75 A power supplies are no longer available However if your existing SIL2 application uses these power supplies they are SIL 2 certified AC Power Supply 1756 PB75 1 DC Power Supply 1756 PA75R AC Redundant Power Supply 1756 PB75R DC Redundant Power Supply 1756 PA72 AC Power Supply 1756 PB72 DC Power Supply 1756 PC75 DC Power Supply ...

Page 100: ...16ISOE Sequence of Events Module 1756 UM528 1756 IH16ISOE Sequence of Events Module 1756 OA16I AC Isolated Output Module 1756 UM058 1756 OA8D AC Diagnostic Input Module 1756 OB16D DC Diagnostic Output Module 1756 OB16I DC Isolated Output Module 1756 OB32 DC Output Module 1756 OB8EI DC Isolated Output Module 1756 OW16I Isolated Relay Output Module 1756 OX8I Isolated Relay Output Module 1756 IF8 Ana...

Page 101: ...odulecanbeusedtoconnectthesafetysystemtotheDataHighway Plus or RIO networks However the 1756 DHRIO module is not SIL 2 certified and cannot be used as part of the SIL 2 certified system It can be used only to connect nonsafety devices to thesafety system 4 The 1756 DNB module is included in this table because this module can be used to connect the safety system to DeviceNet networks However the 17...

Page 102: ...ntrolLogix 4 Mb Controller 1756 L63 1 ControlLogix 8 Mb Controller 1756 L71 1 ControlLogix 2 MB Controller 1756 L72 1 ControlLogix 4 MB Controller 1756 L73 1 ControlLogix 8 MB Controller 1756 L74 1 ControlLogix 16 MB Controller 1756 L75 1 ControlLogix 32 MB Controller 1756 RM Redundancy Module 1756 IN092 1756 UM535 1756 CNB ControlNet Communication Module CNET IN005 CNET UM001 1756 CNBR Redundant ...

Page 103: ...odule in your system use SIL 2 certified firmware for the 1756 EN2T module For more information about ControlLogix XT module firmware revisions see the firmware release notes specific to the module ControlLogix XT module release notes are available at http www rockwellautomation com literature or http www rockwellautomation com support Table 9 FLEX I O Components For Use in the SIL 2 System Cat No...

Page 104: ... 2OutputIsolatedAnalogCombo Module 1794 IN129 1794 UM008 1794 OE4 FLEX I O 4 Output Analog Module 1794 IN100 1794 UM002 1794 OF4I FLEX I O 4 Isolated Output Analog Module 1794 IN037 1794 UM008 1794 IT8 FLEX I O Thermocouple Input Module 1794 IN021 1794 UM007 1794 IR8 FLEX I O RTD Input Module 1794 IN021 1794 UM004 1794 IRT8 FLEX I O TC RTD Input Module 1794 IN050 1794 UM012 1794 IRT8XT FLEX I O XT...

Page 105: ...nal Base Unit 1794 TB3GS FLEX I O Spring clamp Gen Terminal Base Unit 1794 TBN FLEX I O NEMA Terminal Base Unit 1794 TBNF FLEX I O Fused NEMA Terminal Base Unit 1 Certain catalog numbers have a K suffix This indicates a conformally coated version of the product These K versions have the same SIL2 certification as the non K versions 2 These publications are available from Rockwell Automation by vis...

Page 106: ...106 Rockwell Automation Publication 1756 RM001I EN P May 2012 Appendix B SIL 2 certified ControlLogix System Components Notes ...

Page 107: ...ty related system the sensors the actuators and the logic element they can be associated with each component of the logic element that is each module of a programmable controller Tables in this chapter present PFD values for ControlLogix and ControlLogix XT components that are evaluated by TÜV About the Calculations in This Manual For the calculations presented in this chapter these values were us...

Page 108: ... ControlLogix XT chassis 27 628 178 3 619E 08 7 9448E 06 x 1756 A7XT B ControlLogix XT chassis 1 081 600 9 246E 07 2 0294E 04 x 1756 PB72 C ControlLogix DC power supply 31 561 095 3 168E 08 6 9548E 06 x 1756 PA72 C ControlLogix AC power supply 18 336 146 5 454E 08 1 1971E 05 x 1756 PA75 B ControlLogix AC power supply 18 693 044 5 350E 08 1 1742E 05 x 1756 PA75R ControlLogix AC redundant power supp...

Page 109: ... module 2 022 198 4 789E 07 1 0511E 04 1756 EN2T C ControlLogix EtherNet IP communication module 1 312 712 7 618E 07 1 6721E 04 1756 EN2TR B 6 ControlLogix redundant EtherNet IP communication module x 3 664 960 2 729E 07 5 9892E 05 1756 EN2TXT C 4 ControlLogix XT EtherNet IP communication module 1 300 000 7 692E 07 1 6885E 04 1756 RM B 7 ControlLogix System redundancy module 1 373 840 7 279E 07 1 ...

Page 110: ...FLEX I O ControlNet redundant adapter x 8 223 684 1 126E 07 1 39385E 07 1794 ACNR15XT D 4 FLEX I O XT ControlNet redundant adapter x 8 223 684 1 126E 07 1 39385E 07 1794 AENT B FLEX I O EtherNet IP adapter x 1 779 827 5 6185E 07 1 40305E 07 1794 AENTR 4 FLEX I O EtherNet IP redundant adapter x 1 268 070 7 886E 07 1 40799E 07 1794 AENTRXT 4 FLEX I O XT EtherNet IP redundant adapter x 1 268 070 7 88...

Page 111: ...erminal base unit 250 000 000 4E 09 1 39147E 07 1794 TB3G FLEX I O generic terminalbase unit 100 000 000 0 00000001 1 39159E 07 1794 TB3GS FLEX I O generic terminal base unit 100 000 000 0 00000001 1 39159E 07 1794 TB3S FLEX I O terminal base unit 100 000 000 0 00000001 1 39159E 07 1794 TB3T FLEX I O temperature terminal base unit 100 000 000 0 00000001 1 39159E 07 1794 TB3TS FLEX I O temperature ...

Page 112: ...E 07 7 4387E 05 1756 PH75 B ControlLogix DC power supply 2 119 520 4 718E 07 2 0689E 04 1756 PSCA 4 ControlLogix redundant power supply adapter 45 146 727 2 215E 08 9 7128E 06 1756 PSCA2 ControlLogix redundant power supply adapter 38 461 280 2 600e 08 1 1401E 05 1786 RPFS ControlNet fiber repeater short 26 461 760 3 779E 08 1 6571E 05 1786 RPFM ControlNet fiber repeater medium 16 697 862 5 989E 08...

Page 113: ...ule x 8 699 254 1 150e 07 1 47447E 07 1756 IF8H ControlLogix HART analog input module x 1 291 978 7 740E 07 1 50229E 07 1756 IF16 ControlLogix isolated analog input module x 4592506 2 177E 07 1 47866E 07 1756 IF16H 4 ControlLogix HART analog input module x 442 914 2 258E 06 1 57299E 07 1756 IF6CIS ControlLogix isolated sourcing analog input module x 2 654 080 3 768E 07 1 48526E 07 1756 IF6I Contro...

Page 114: ...6 output module x 54 322 632 1 84085E 08 1 47058E 07 1794 OB16P FLEX I O 16 protected output module x 100 000 000 0 00000001 1 47024E 07 1794 OB16PXT FLEX I O XT 16 protected output module x 1 139 840 8 77316E 07 1 50685R 07 1794 OW8 FLEX I O 8 relay output module x 29 088 895 3 43774E 08 1 47122E 07 1794 OW8XT FLEX I O XT 8 relay output module x 1 312 973 7 6163E 07 1 50175E 07 1794 IE8 B FLEX I ...

Page 115: ...or non interference in the chassis However I O is not for use within a safety function 8 Calculations for the redundant power supply are completed with the presumption that both power supplies fail simultaneously 9 MTBF measured in hours The values used here represent values available in January 2012 10 λ Failure Rate 1 MTBF Table 11 PFD Calculations 2 year for ControlLogix Component Cat No 1 2 De...

Page 116: ...ix 32 MB controller x 9 946 827 1 005E 07 2 2000E 03 1756 CNB E ControlLogix ControlNet communication module 1 786 977 5 596E 07 6 1305E 04 1756 CNBR E ControlLogix redundant ControlNet communication module 2 608 543 3 834E 07 4 1997E 04 1756 CN2 B 6 ControlLogix ControlNet communication module x 1 096 299 9 122E 07 9 9927E 04 1756 CN2R B 6 ControlLogix redundant ControlNet communication module x ...

Page 117: ...822E 07 1756 OA8D ControlLogix AC diagnostic output module x 11 311 040 8 841E 08 1 71405E 07 1756 OB16D ControlLogix DC diagnostic output module x 8 884 374 1 126E 07 1 71648E 07 1756 OB16E ControlLogix DC electronic fused output module x 14 997 714 6 668E 08 1 71186E 07 1756 OB16I ControlLogix DC isolated output module x 7 388 160 1 35352E 07 1 71879E 07 1756 OB32 ControlLogix DC output module x...

Page 118: ...18 914 770 5 28687E 08 1 71047E 07 1794 IE8XT B FLEX I O XT 8 analog input module x 1 959 360 5 10371E 07 1 75773E 07 1794 IF4I FLEX I O 4 isolated analog input module x 9 885 959 1 01154E 07 1 71533E 07 1794 IF4IXT 4 FLEX I O XT 4 isolated analog input module x 7 297 140 1 3704E 07 1 71896E 07 1794 IF4ICFXT 4 FLEX I O XT 4 isolated analog input module x 7 297 140 1 3704E 07 1 71896E 07 1794 IR8 F...

Page 119: ...000001 1 70618E 07 1794 TBNF FLEX I O fused terminal base unit 100 000 000 0 00000001 1 70618E 07 1 Refer to the Revision Release List available at http www ab com from the Product Certifications link 2 References a series A component if no other series is indicated by X 3 ThePFDcalculations ControlLogix chassisarecompleted using an arithmetic averageof theMTBFs for all five chassis types that is ...

Page 120: ...120 Rockwell Automation Publication 1756 RM001I EN P May 2012 Appendix C PFD Calculations for a SIL 2 System Notes ...

Page 121: ... listed onpage 20 with the corresponding firmware release listed in the table for your safety application 2 Have you calculated the system s response time 3 Does the system s responsetime include both the user defined SIL task program watchdog software watchdog time and the SIL task duration time 4 Is the system response time in proper relation to the process tolerance time 5 Have PFD values been ...

Page 122: ...of tests on the system and modules 5 Have you set up the fault routines 6 Are control diagnostics and alarming functions performed in sequence in application logic 7 For applications using FLEX I O modules is the application logic monitoring one ControlNet status bit for the associated module and is appropriate action invoked via the application logic by these bits No Additional Digital Input Modu...

Page 123: ... examine bits for any condition that may causea fault and appropriate fault routines to handle thefault condition 5 When two FLEX I O analog input modules are wired in the same application are both module on different ControlNet nodes 6 When wiring an analog input module in Voltage mode are transmitter grounds tied together 7 When wiring an analog input module in Current mode are loop devices plac...

Page 124: ...n your application to disconnect module power if a short or other fault is detected on the module or isolated output in series 6 Is the control of the external relay implemented in ladder logic 7 Have you examined the Output Data Echo signal in application logic 8 Are all outputs configured to deenergize in the event of a fault or the controller entering program 9 Do two modules of the same type u...

Page 125: ...nition File definition Archive number Notes Checks Yes No Comment Before a Modification Are the configuration of the ControlLogix system and the application program created on the basis of safety aspects Are programming guidelines used for the creation of the application program After a Modification Before Loading Has a review of the application program with regard to the binding system specificat...

Page 126: ...126 Rockwell Automation Publication 1756 RM001I EN P May 2012 Appendix D Checklists Notes ...

Page 127: ...alues 115 redundant 33 chassis adapter 33 1 year PFD values 108 2 year PFD values 112 5 year PFD values 116 checklists 121 CIP See Control and Information Protocol CL SIL 2 23 combustion applications 14 commissioning life cycle 84 communication ControlNet components 36 data echo 26 Data Highway Plus Remote I O components 37 EtherNet IP components 36 field side output verification 26 network 28 req...

Page 128: ...2 5 year PFD values 116 diagnostic coverage 36 ControlNet network 28 1756 communication modules 35 1756 components 36 cable 36 repeater module 36 coordinated system time 37 D data echo 26 43 Data Highway Plus Remote I O 35 1 year PFD values 109 2 year PFD values 113 5 year PFD values 116 components 37 network 35 37 DCS See Distributed Control System DeviceNet communication modules 1 year PFD value...

Page 129: ...ues 118 wiring 64 EN 50156 standard 14 EtherNet IP adapter 1 year PFD values 110 2 year PFD values 114 5 year PFD values 117 module fault reporting 62 63 64 66 72 RTD input modules 1 year PFD values 111 2 year PFD values 114 5 year PFD values 118 wiring 71 terminal base units 105 1 year PFD values 111 2 year PFD values 115 5 year PFD values 119 thermocouple input modules 1 year PFD values 111 2 ye...

Page 130: ...ean Time To Restoration N network update time 23 NFPA 85 14 NFPA 86 14 O operating modes 31 output data echo digital outputs and 43 ownership 1756 analog input modules 50 1756 analog output modules 56 1756 digital input modules 41 1756 digital output modules 44 P PADT See Programming and Debugging Tool parameters changing 92 reading 91 peer to peer communication 35 requirements 38 PFD See Probabil...

Page 131: ... 99 nonredundant system components 100 programming 77 safety data 38 SIL task 82 simplex configurations 15 safety loop 16 SIS See safety instrumentation system SIS software commissioning life cycle 84 forcing 82 general requirements 77 125 program changes 85 programming languages 78 RSLogix 5000 27 security 79 SIL 2 programming 77 SIL task program instructions 82 watchdog 23 switchover 21 22 23 Sy...

Page 132: ...132 Rockwell Automation Publication 1756 RM001I EN P May 2012 Index X XT components 103 ControlLogix 103 FLEX I O 103 104 ...

Page 133: ...Allen Bradley Motors ...

Page 134: ...oblem within the first 24 hours of installation review the information that is contained in this manual You can contact Customer Support for initial help in getting your product up and running New Product Satisfaction Return Rockwell Automation tests all of its products to ensure that they are fully operational when shipped from the manufacturing facility However if your product is not functioning...

Reviews:

No comments