manualshive.com logo in svg

Allen-Bradley 1756-L61S ControlLogix 5561S, Reference Manual

Share
Download
Allen-Bradley 1756-L61S ControlLogix 5561S Reference Manual Download Page 52

52

Rockwell Automation Publication 1756-RM093J-EN-P - April 2018

Chapter 6

Safety Application Development

Basics of Application 
Development and Testing

The application program for the intended SIL 3 system should be developed by 
the system integrator or a user trained and experienced in safety applications. The 
developer must follow good design practices:

Use functional specifications, including flow charts, timing diagrams, and 
sequence charts.

Perform a review of safety task logic.

Perform application validation.

Table 9 - Controller Modes

Controller 
Mode

Safety Task Status

Safety

(1)

(up to and including)

Comments
(A valid program has been downloaded to the controller.)

Program

Unlocked
No signature

I/O connections established

Safety Task logic is not being scanned.

Run

Unlocked
No signature

(Development purposes 
only)

Forcing allowed

Online editing allowed

Safety memory is isolated, but is unprotected (read/write).

Safety Task logic is being scanned.
Primary and partner controllers process logic, cross-compare logic outputs. Logic outputs are 
written to safety outputs.

Run

Locked
No signature

PLd/Cat. 3
Control reliable 
SIL 2

New forces are not allowed. Existing forces are maintained.

Online editing is not allowed.

Safety memory is protected (read only)

Safety task logic is scanned.

Primary and partner controllers process logic, cross-compare logic outputs. Logic outputs are 
written to safety outputs.

Run

Unlocked
With signature

Ple/Cat. 4
Control reliable
SIL 3

Forces are not allowed. (They must be removed to generate a safety task signature.)

Online editing is not allowed.

Safety memory is protected (read only).

Safety task logic is scanned.

Primary and partner controllers process logic, cross-compare logic outputs. Logic outputs are 
written to safety outputs.

Safety task signature is unprotected and can be deleted by anyone who has access to the controller.

Run

Locked
With signature

Ple/Cat. 4
Control reliable
SIL 3

Forces are not allowed. (They must be removed to generate a safety task signature.)

Online editing is not allowed.

Safety memory is protected (read only).

Safety task logic is scanned.

Primary and partner controllers process logic, cross-compare logic outputs. Logic outputs are 
written to safety outputs.

Safety task signature is protected. Users must enter the unlock password to unlock the controller 
before they can delete the safety task signature.

(1) To achieved this level, you must adhere to the safety requirements defined in this publication.

Summary of Contents for 1756-L61S ControlLogix 5561S

Page 1: ...GuardLogix Controller Systems Catalog Numbers 1756 L61S 1756 L62S 1756 L63S 1768 L43S 1768 L45S RSLogix 5000 Version 20 and earlier Safety Reference Manual OriginalInstructions...

Page 2: ...nformation circuits equipment or software described in this manual Reproduction of the contents of this manual in whole or in part without written permission of Rockwell Automation Inc is prohibited T...

Page 3: ...ime 18 Safety Task Period and Safety Task Watchdog 19 Contact Information if Device Failure Occurs 19 Chapter2 GuardLogixControllerSystem 1756 GuardLogix Controller Hardware 21 Primary Controller 22 S...

Page 4: ...rol in Standard Tasks 1756 GuardLogix controllers only 41 SIL 3 Safety the Safety Task 41 Safety Task Limitations 41 Safety Task Execution Details 43 Use of Human to machine Interfaces 44 Precautions...

Page 5: ...Faults 69 AppendixA SafetyInstructions Safety Application Instructions 71 Metal Form Safety Application Instructions 72 Safety Instructions 73 Additional Resources 74 AppendixB SafetyAdd OnInstructio...

Page 6: ...cklist for GuardLogix Controller System 89 Checklist for Safety Inputs 91 Checklist for Safety Outputs 92 Checklist for Developing a Safety Application Program 93 AppendixE GuardLogixSystemsSafetyData...

Page 7: ...rstand the safety concepts and requirements presented in this manual prior to operating a GuardLogix controller based safety system UnderstandingTerminology The following table defines terms used in t...

Page 8: ...nstruction set Guard I O DeviceNet Safety Modules User Manual publication 1791DS UM001 Provides information on using Guard I O DeviceNet Safety modules Guard I O EtherNet IP Safety Modules User Manual...

Page 9: ...ive Logix Import Export Reference Manual publication 1756 RM084 Provides information on using the RSLogix 5000 Import Export utility Industrial AutomationWiring and Grounding Guidelines publication 17...

Page 10: ...10 Rockwell Automation Publication 1756 RM093J EN P April 2018 Preface Notes...

Page 11: ...trolLogix in SIL 2 Applications Reference Manual publication 1756 RM001 In either case do not use SIL 2 or standard tasks and variables to build up safety loops of a higher level The safety task is th...

Page 12: ...e a functional verification test interval of up to 20 years Other components of the system such as safety I O modules sensors and actuators may have shorter functional verification test intervals The...

Page 13: ...ected while operating outside the function Figure 1 Typical SIL Function 1756 DNB To Plant wide Ethernet Network SIL 3 GuardLogix System Programming Software HMI Read only Access to SafetyTags Overall...

Page 14: ...ty I O modules on DeviceNet networks Forthemostcurrentlistofcertifiedseriesandfirmwarerevisions seethesafetycertificateathttp www rockwellautomation com products certification safety 1791DS IN001 1791...

Page 15: ...A N A N A 1784 SD1 1 GB Secure Digital SD Card for 1756 L7xS controllers 1784 SD2 2 GB Secure Digital SD Card for 1756 L7xS controllers 1 This version or later 2 RSLogix 5000 software version 15 does...

Page 16: ...nce per year in the Low Demand mode or greater than once per year in High Demand Continuous mode The Safety Integrity Level SIL value for a Low Demand safety related system is directly related to orde...

Page 17: ...u must take into account the specific requirements of your application including proof test and diagnostic test intervals Safety Integrity Level SIL Compliance Distribution and Weight The GuardLogix c...

Page 18: ...llowing reaction times Each of the times listed above is variably dependent on factors such as the type of I O module and instructions used in the program SafetyTask ReactionTime The safety task react...

Page 19: ...be less than or equal to the safety task period The safety task watchdog time is set in the task properties window of RSLogix 5000 software This value can be modified online regardless of controller...

Page 20: ...20 Rockwell Automation Publication 1756 RM093J EN P April 2018 Chapter 1 Safety Integrity Level SIL Concept Notes...

Page 21: ...create the SIL 3 capable controller They are described in the following sections Both the primary controller and safety partner perform power up and run time functional diagnostic tests of all safety...

Page 22: ...ther the result is a major non recoverable controller fault For information on how to respond to this situation see article 63983 in the Rockwell Automation Knowledgebase The safety partner is configu...

Page 23: ...act GuardLogix safety controllers and standard CompactLogix components suitable for safety applications see GuardLogix System Components on page 14 CIP Safety Protocol Safety related communication bet...

Page 24: ...System GuardLogix System Communication Modules 1756 1756 ENBT 1756 EN2T R 1756 EN2F or 1756 EN3TR EtherNet IP bridge module 1734 AENT POINT I O Ethernet Adapter 1756 DNB DeviceNet bridge module 1756 C...

Page 25: ...olNetNetwork ControlNet bridge modules let the GuardLogix controller produce and consume safety tags over ControlNet networks to other GuardLogix controllers or remote CIP Safety I O networks Figure 6...

Page 26: ...used to create test and debug application logic Initially only relay ladder logic is supported in the GuardLogix safety task See Appendix A for information on the set of logic instructions available...

Page 27: ...nd controlled by the GuardLogix controller For safety data I O communication is performed through safety connections using the CIP Safety protocol safety logic is processed in the GuardLogix controlle...

Page 28: ...ecific module On or Off delay Function Some CIP Safety I O modules may support On delay and Off delay functions for input signals Depending upon your application you may need to include Off delay On d...

Page 29: ...controlled by one controller Each safety input module is also owned by a single controller however safety input data can be shared consumed by multiple GuardLogix controllers Safety I O Configuration...

Page 30: ...ureExists This setting instructs the GuardLogix controller to automatically configure a safety module only when the safety task does not have a safety task signature and the replacement module is in a...

Page 31: ...oller s configuration ATTENTION EnabletheConfigureAlways featureonlyiftheentireroutableCIP Safety control system is not being relied on to maintain SIL 3 behavior during the replacement and functional...

Page 32: ...32 Rockwell Automation Publication 1756 RM093J EN P April 2018 Chapter 3 CIP Safety I O for the GuardLogix Control System Notes...

Page 33: ...tem The system is isolated such that there are no other connections into the system For example because the system below cannot be interconnected to another CIP Safety system through a larger plant wi...

Page 34: ...rk subnet must be unique Figure 9 CIP Safety Example with MoreThan One SNN Each CIP Safety device must be configured with an SNN Any device that originates a safety connection to another safety device...

Page 35: ...allation within the same routable CIP Safety system Considerations for Assigning the Safety Network Number SNN The assignment of the SNN is dependent upon factors including the configuration of the co...

Page 36: ...afety I O module produces data to two GuardLogix controllers at the same time You can do this for a maximum of 16 controllers Refer to the GuardLogix Controllers User Manual publication 1756 UM020 or...

Page 37: ...nality as other 1768 L4x CompactLogix controllers What differentiates 1756 and 1768 GuardLogix controllers from standard controllers is that they provide a SIL 3 capable safety task However a logical...

Page 38: ...afety rated devices is that SIL 2 is generally single channel while SIL 3 is typically dual channel When using Guard safety rated I O red modules which is required in the safety task SIL 2 safety inpu...

Page 39: ...lers User Manual publication 1768 UM002 SIL2SafetyInputs CompactBlock Guard I O 1791 series ArmorBlock Guard I O 1732 series and POINT Guard I O 1734 series safety input modules support single channel...

Page 40: ...ettings on theTest Output tab Input DelayTime User input based on field device characteristics IMPORTANT The onboard pulse test outputs T0 Tx are typically used with field devicesthathave mechanicalco...

Page 41: ...controllers that support the safety task The safety task cannot be deleted GuardLogix controllers support a single safety task Within the safety task you can use multiple safety programs composed of...

Page 42: ...imum of 500 ms and cannot be modified online Make sure that the safety task has enough time to finish before it is triggered again Safety task watchdog timeout a non recoverable safety fault in the Gu...

Page 43: ...ng of safety task execution This means that even though the I O RPI can be faster than the safety task period the data does not change during safety task execution The data is read only once at the be...

Page 44: ...e information on how HMI devices fit into a typical SIL loop see Figure 1 on page 13 Use sound techniques in the application software within the HMI and controller IMPORTANT While safety unlocked and...

Page 45: ...tor who makes changes in a safety related system via an HMI is responsible for the effect of those changes on the safety loop You must clearly document variables that are to be changed You must use a...

Page 46: ...ata points only Similar to the controller program the HMI software needs to be secured and maintained for SIL level compliance after the system has been validated and tested Safety Programs A safety p...

Page 47: ...invalid data type to be included when the user defined or Add On defined type is already referenced directly or indirectly by a safety tag Invalid tags created by using with the New Tag or Tag Propert...

Page 48: ...chronize standard and safety actions IMPORTANT Any controller scoped safety tag is readable by any standard routine but the update rate is based on the execution of the safety task This means that saf...

Page 49: ...ontrollers Resource Description Logix5000 Controllers Design Considerations Reference Manual publication 1756 RM094 Provides information on managing tasks and the effects of task execution and timing...

Page 50: ...50 Rockwell Automation Publication 1756 RM093J EN P April 2018 Chapter 5 Characteristics of SafetyTags the SafetyTask and Safety Programs Notes...

Page 51: ...gramming and naming rules You perform a critical analysis of the application and use all possible measures to detect a failure You confirm all application downloads via a manual check of the safety ta...

Page 52: ...2 New forces are not allowed Existing forces are maintained Online editing is not allowed Safety memory is protected read only Safety task logic is scanned Primary and partner controllers process log...

Page 53: ...Figure 15 Commission the System Specify the Control Function Create Project Online Create Project Offline Attach to Controller and Download Test the Application Program Generate SafetyTask Signature...

Page 54: ...controlled including the following Input definitions Output definitions I O wiring diagrams and references Theory of operation Matrix or table of stepped conditions and the actuators to be controlled...

Page 55: ...ogram modes online or offline edits upload and download and informal testing that is required to get an application running properly in preparation for the Project Verification test Generate the Safet...

Page 56: ...number of test cases depends on the formulas used and must comprise critical value pairs Active simulation with sources field devices must also be included as it is the only way to verify that the sen...

Page 57: ...n Instruction See Appendix B Safety Add On Instructions for information on creating and using safety Add On Instructions in SIL 3 applications The steps below illustrate one method for confirming the...

Page 58: ...ns safety I O and safety task signature However safety locking alone does not satisfy SIL 3 requirements No aspect of safety can be modified while the controller is in the safety locked state When the...

Page 59: ...If there is no safety task signature and the controller is safety unlocked you can perform online edits to your safety routines Pending edits cannot exist when the controller is safety locked or when...

Page 60: ...the project on the controller If the signatures do not match or the controller is safety locked without a safety task signature you must first unlock the controller before attempting to update the con...

Page 61: ...orized specially trained personnel make program edits they assume the central safety responsibility while the changes are in progress These personnel must also maintain safe application operation When...

Page 62: ...fety lock and safety task signature features of the GuardLogix controller See Generate the Safety Task Signature on page 55 and Lock the GuardLogix Controller on page 58 for more information For detai...

Page 63: ...t Valid No Yes No Yes Online Edit Attach to Controller Test the Application Program Make Desired Modifications to Standard Logic Any Safety Changes Yes No Delete Safety Application Signature Make Desi...

Page 64: ...64 Rockwell Automation Publication 1756 RM093J EN P April 2018 Chapter 6 Safety Application Development Notes...

Page 65: ...can view the status of safety tag connections You can also determine current operating status by interrogating various device objects It is your responsibility to determine what data is most appropria...

Page 66: ...ating system sets the associated output status to faulted The output module de energizes the outputs Table 10 Safety Connection Status RunMode Status ConnectionFaulted Status Safety Connection Operati...

Page 67: ...ation Instructions Safety Reference Manual publication 1756 RM095 Get System Value GSV and Set SystemValue SSV Instructions The GSV and SSV instructions let you get GSV and set SSV controller system d...

Page 68: ...fault Standard task and safety task execution stops and Safety I O transitions to the safe state Recovery from a nonrecoverable controller fault requires a download of the application program Nonrecov...

Page 69: ...the safe state and the producer of safety consumed tags commands the consumers to place them in a safe state If a recoverable safety fault is overridden in the controller scoped fault handler only st...

Page 70: ...70 Rockwell Automation Publication 1756 RM093J EN P April 2018 Chapter 7 Monitor Status and Handle Faults Notes...

Page 71: ...h as an E stop light curtain or gate switch DCST Dual Channel Input StopWithTest Monitors dual input safety devices whose main purpose is to provide a stop function such as an E stop light curtain or...

Page 72: ...porary automatic disabling of the protective function of a light curtain using four sensors arranged sequentially before and after the light curtain s sensing field Table 12 RSLogix 5000 Software Vers...

Page 73: ...value 14 LEQ LessThan Or EqualTo Test whether one value is less than or equal to a second value 14 LES LessThan Test whether one value is less than a second value 14 MEQ Masked Comparison for Equal Pa...

Page 74: ...t controller status information 14 1 The length operand must be a constant when the COP instruction is used in a safety routine The length of the source and thedestination must be the same 2 Refer to...

Page 75: ...gnature of high integrity Add On Instructions and also a SIL 3 safety instruction signature for use in safety related functions up to and including SIL 3 Creating and Using a Safety Add On Instruction...

Page 76: ...yTask Signature if it exists Go back to original test project To Create a Safety Add On Instruction Create or Open a Project Create modify Application Import Safety Add On Instruction Download To Use...

Page 77: ...ons and may be required for regulated industries Use it when your application calls for a higher level of integrity The instruction signature consists of an ID number and timestamp that identifies the...

Page 78: ...s all possible execution paths through the logic including the valid and invalid ranges of all input parameters Development of all safety Add On Instructions must meet IEC 61508 Requirements for softw...

Page 79: ...re You cannot import a safety Add On Instruction while online If you import an Add On Instruction with an instruction signature into a project where referenced Add On Instructions or User Defined Type...

Page 80: ...system may be required before the system is approved for operation An independent third party validation is required for IEC 61508 SIL 3 Additional Resources For more information on using Add On Instr...

Page 81: ...Time The following sections provide information on calculating the Logix System Reaction Time for a simple input logic output chain and for a more complex application using produced consumed safety ta...

Page 82: ...f the safety input module connection RPI 3 Safety Task Period plus Safety Task Watchdog time 4 Safety Output Connection Reaction Time Limit Read from the Module Properties dialog box in RSLogix 5000 s...

Page 83: ...ime Limit 5 Safety Task Period plus Safety Task Watchdog time for Controller B 6 Safety Output Connection Reaction Time Limit 7 Safety output module reaction time To aid you in determining the reactio...

Page 84: ...on time Each input channels On Off and Off On delay settings Safety Input Connection ReactionTime Limit Input module settings for Requested Packet Interval RPI Timeout Multiplier Delay Multiplier The...

Page 85: ...nnection times out and the input and output data are placed in the safe state OFF To view or configure these settings follow these steps 1 In the configuration tree right click your I O module and cho...

Page 86: ...safety task is a periodic timed task You select the task priority and watchdog time via the Task Properties Safety Task dialog box in your RSLogix 5000 project To access the safety task period and wa...

Page 87: ...ing Produced ConsumedTag Data To view or configure safety tag connection data follow these steps 1 In the configuration tree right click Controller Tags and choose Edit tags 2 In the Tag Editor right...

Page 88: ...ion Also consult the product documentation for your specific module for reaction times associated with CIP Safety I O modules Resource Description GuardLogix Controllers User Manual publication 1756 U...

Page 89: ...checklists can be saved as a record of the plan The checklists on the following pages provide a sample of safety considerations and are not intended to be a complete list of items to verify Your parti...

Page 90: ...rate period 4 Is the system response time in proper relation to the process tolerance time 5 Have probability PFD PFH values been calculated according to the system s configuration 6 Have you performe...

Page 91: ...L Input Channels Number Input Module Requirements Fulfilled Comment Yes No 1 Have you followed installation instructions andprecautions to conform to applicable safety standards 2 Have you performed f...

Page 92: ...unction Definition SIL Output Channels Number Output Module Requirements Fulfilled Comment Yes No 1 Have you followed installation instructions and precautions to conform to applicable safety standard...

Page 93: ...tructions listedin Appendix Aas suitablefor safety application programming 5 Does the safety application program clearly differentiate between safety and standard tags 6 Are only safety tags used for...

Page 94: ...94 Rockwell Automation Publication 1756 RM093J EN P April 2018 Appendix D Checklists for GuardLogix Safety Applications Notes...

Page 95: ...ules User Manual publication 1791DS UM001 Data for Rockwell Automation machinery safety products is now available in the form of a library file to be used with the Safety Integrity Software Tool for t...

Page 96: ...Systems Safety Data PFH Values The data in Table 16 applies to proof test intervals up to and including 20 years Table 16 PFH Calculations Cat No Description PFH 1 Hour 1756 L6xS and 1756 LSP GuardLo...

Page 97: ...a feature of the I O modules called Combined Status which presents the status of all of the input channels in a single boolean variable Another boolean variable represents the status of all the output...

Page 98: ...to safety state Example Rungs 2 and 3 Are the inputs used to drive safety application instructions Can Circuit Reset be used for operator intervention Is input fault information required for diagnosti...

Page 99: ...1InputsFaulted U Node31 I Pt00Data U Node31 I Pt01Data 4 Node30InputsFaulted L Node30 I Pt01Data L Node30 I Pt03Data U Node31 I Pt11Data Node 30 is an 8 point input 8 point output combination module N...

Page 100: ...L Node31Input01 L Node31Input03 Node31 I Pt00Data Node31Input00 Node31Input01 Node31Input11 Node31 I Pt01Data Node31 I Pt11Data Node 30 is an 8 point input 8 point output combination module Node 31 is...

Page 101: ...ogic to set outputs to a safety state Example Rung 2 Write logic to unlatch output failure Example Rung 1 Write logic to latch output failure Example Rung 0 Done 0 Node30 I OutputStatus L Node30Output...

Page 102: ...102 Rockwell Automation Publication 1756 RM093J EN P April 2018 Appendix F RSLogix 5000 Software Version 14 and Later Safety Application Instructions Notes...

Page 103: ...Dual channel Inputs standard side of 1756 GuardLogix controllers You must implement clear and easily identifiable separation between both input channels and adhere to all existing SIL 2 requirements...

Page 104: ...ence Manual publication 1756 RM001 Follow all rules for 1794 FLEX I O modules as defined in the FLEX I O System with ControlLogix for SIL 2 Safety Reference Manual publication 1794 RM001 TransferringS...

Page 105: ...as GuardLogix produced safety tags to comply with the dual channel requirements of EN 50156 Create produced safety tags with the SIL 2 outputs that your application requires GuardLogix produced consu...

Page 106: ...g SIL 2 and SIL 3 safety functions within the safety task All available safety application instructions may be used SIL 3 safety input modules that is Guard I O modules may be used with single channel...

Page 107: ...ration The configuration signature is made up of an ID number date and time Instruction Signature The instruction signature consists of an ID number and date timestamp that identifies the contents of...

Page 108: ...nal routines Safety Add On Instruction An Add On Instruction that can use safety application instructions In addition to the instruction signature used for high integrity Add On Instructions safety Ad...

Page 109: ...eriodic timed task Safety Task Period The period at which the safety task executes Safety Task Reaction Time The sum of the safety task period plus the safety task watchdog This time represents the wo...

Page 110: ...e programs that execute based on a certain criteria Once a task is triggered activated all of the programs assigned scheduled to the task execute in the order in which they are displayed in the contro...

Page 111: ...erview 22 checklist GuardLogix controller system 26 88 program development 91 SIL 3 inputs 89 SIL 3 outputs 90 CIP Safety protocol definition 105 overview 23 routable system 33 commissioning life cycl...

Page 112: ...y task 66 O offline edits 60 online definition 105 online editing 57 60 output delay time 28 overlap definition 105 ownership 29 P partnership definition 105 peer to peer communication 24 pending edit...

Page 113: ...location 22 safety program 45 definition 107 safety routine 45 definition 107 safety tags 46 definition 107 valid data types 46 safety task definition 107 execution 42 overview 41 priority 84 reactio...

Page 114: ...114 Rockwell Automation Publication 1756 RM093J EN P April 2018 Index Notes...

Page 115: ......

Page 116: ...obal support direct dial page Literature Library Installation Instructions Manuals Brochures and Technical Data http www rockwellautomation com global literature library overview page Product Compatib...

Reviews:

No comments

Brands by name

Popular brands

Load more brands