Allen-Bradley Compact GuardLogix 5380 Original Instructions Manual Download Page 48

Page: 48 / 116

Rockwell Automation Publication 1756-RM012B-EN-P - April 2018

Chapter 6

Safety Application Development

Basics of Application

Development and Testing

We recommend that a system integrator or a user who is trained and

experienced in safety applications develops the application program for the

intended SIL 2 or SIL 3 system. The developer must follow good design

practices:

• Use functional specifications, including flowcharts, timing diagrams,

and sequence charts.

• Perform a review of safety task logic.
• Perform application validation.

Table 1 - Effect of Controller Modes on Safety Execution

Controller Mode

Controller Behavior

Program

• Safety input and output connections are established and maintained:

– Safety input tags are updated to reflect safety input values.

• Safety Task logic is not being scanned.

Test

• Safety input and output connections are established and maintained:

– Safety input tags are updated to reflect safety input values.

• Safety Task logic is being scanned.

Run

• Safety input and output connections are established and maintained:

– Safety input tags are updated to reflect safety input values.

– The controller sends “run” safety output packets.

• Safety Task logic is being scanned.

• All safety task process logic, cross-compare logic outputs. Logic outputs are written to safety outputs.

Table 2 - Safety Application Status

Safety Task

Status

Safety

(1)

(up to and including)

Controller Behavior

Unlocked
No signature

Only for development

purposes

• Safety I/O forces can be present.

• Safety I/O forces can be modified.

• Safety online editing is allowed.

• Safety memory is isolated, but is unprotected (read/write).

Locked
No signature

Only for development

purposes

• Safety I/O forces are not allowed (forces of Safety I/O must be removed before locking is possible).

• Online editing of the safety task is not allowed.

• Safety memory is protected (read only).

Unlocked
With signature

SIL 3/PLe/Cat. 4
Control reliable

• Safety I/O forces are not allowed. (Forces of Safety I/O must be removed before generating a signature is possible.)

• Online editing of the safety task is not allowed.

• Safety memory is protected (read only).

• Safety signature allows recovery from a Nonrecoverable Safety Fault without redownloading.

• Safety signature is unprotected and anyone who has access to the controller can delete it.

Locked
With signature

SIL 3/PLe/Cat. 4
Control reliable

• Safety I/O forces are not allowed.

• Online editing of the safety task is not allowed.

• Safety memory is protected (read only).

• Safety signature allows recovery from a Nonrecoverable Safety Fault without redownloading.

• Safety signature is protected. You must enter the unlock password to unlock the controller before you can delete the

safety signature.

(1) To achieve this level, you must adhere to the safety requirements defined in this safety reference manual.

Summary of Contents for Compact GuardLogix 5380

Page 1: ...756 L8SPK 5069 L306ERMS2 5069 L306ERS2 5069 L310ERMS2 5069 L310ERS2 5069 L320ERMS2 5069 L320ERS2 5069 L320ERS2K 5069 L320ERMS2K 5069 L330ERMS2 5069 L330ERS2 5069 L330ERS2K 5069 L330ERMS2K 5069 L340ERM...

Page 2: ...nformation circuits equipment or software described in this manual Reproduction of the contents of this manual in whole or in part without written permission of Rockwell Automation Inc is prohibited T...

Page 3: ...GuardLogix Controller System GuardLogix 5580 Controller Hardware 15 Primary Controller 16 Safety Partner 16 Chassis 16 Power Supply 16 Compact GuardLogix 5380 Controller Hardware 17 Power Supply 18 N...

Page 4: ...Modules 40 Use of Human Machine Interfaces 42 Precautions 42 Access to Safety related Systems 43 Safety Programs 44 Safety Routines 44 Safety Tags 45 Standard Tags in Safety Routines Tag Mapping 46 Ch...

Page 5: ...erable Safety Faults in the Safety Application 67 View Faults 68 Fault Codes 68 Safety Partner Fault 68 AppendixA Safety Instructions Safety Instructions 69 AppendixB Create and Use a Safety Add On In...

Page 6: ...View the Input and Output Safety Connection Reaction Time Limits 84 Configure the Safety Task Period and Watchdog 86 Access Produced Consumed Tag Data 86 AppendixD Checklists for GuardLogix Safety Ap...

Page 7: ...ix 5580 or Compact GuardLogix 5380 controller based safety system Summary of Changes This manual contains new and updated information as indicated in the following table Terminology This section defin...

Page 8: ...ibes how to install the 5069 OBV8S module Compact 5000 Digital and Safety I O Modules User Manual publication 5000 UM004 Describes how to use Compact 5000 digital and safety I O modules including how...

Page 9: ...If Device Failure Occurs 14 Controller System IEC 61508 IEC 62061 ISO 13849 1 Type approved and certified for use in safety applications up to and including Suitable for use in safety applications up...

Page 10: ...x 5580 and Compact GuardLogix 5380 controllers have a useful life of 20 years no proof test required Other components of the system such as safety I O devices sensors and actuators can have different...

Page 11: ...tside the function Figure 1 Example SIL 3 System OK Logix55L8SP NET LINK RUN REM RUN PROG FORCE SD OK Logix5584ES DCINPUT 5069 OBV8S COUNTER 5069 HSC2xOB4 DC INPUT 5069 IB16 DC OUTPUT 5069 OB16 5069 I...

Page 12: ...T 5069 IB16 DC OUTPUT 5069 OB16 5069 IB8S OUTPUT 5069 OBV8S COUNTER 5069 HSC2xOB4 DC INPUT 5069 IB16 DC OUTPUT 5069 OB16 5069 IB8S OUTPUT Compact I O Actuator Sensor 5069 AEN2TR Compact 5000 I OModule...

Page 13: ...system until the time that the system is in the safe state This worst case definition includes the effects of asynchronous communications and multiple potential faults occurring within the system Actu...

Page 14: ...s than or equal to the safety task period The safety task watchdog time is set in the task properties window of the Studio 5000 Logix Designer application This value can be modified online regardless...

Page 15: ...at is used with a safety partner is up to SIL 3 For the most current list of GuardLogix controller and Safety I O devices certified series and firmware revisions see the safety certificates at http ww...

Page 16: ...is a major non recoverable controller fault For information on how to respond to this situation see article 63983 in the Rockwell Automation Knowledgebase For SIL 2 requirements do not install a safet...

Page 17: ...tomation com global certification overview page Controller Cat No Compact GuardLogix 5380 controller 5069 L306ERMS2 5069 L306ERS2 5069 L310ERMS2 5069 L310ERS2 5069 L320ERMS2 5069 L320ERS2 5069 L320ERS...

Page 18: ...I O power must be connected to a catalog number 5069 FPD module Network Communication This section provides examples of network communication configurations EtherNet IP Network The GuardLogix 5580 co...

Page 19: ...OD NET MOD NET MOD NET 2 1 1 1 4 I O I O 6 5 10 2 1 2 1 2 1 1 I O A 6 5 10 1 I O B 6 5 10 1 I O A 6 1 I O B 6 5 10 5 10 UFB UFB A UFB B UFB A UFB B D D D D D D MF A MF B MF A MF B D D MBRK MOD NET 2 1...

Page 20: ...GuardLogix DC INPUT 5069 IB16 DC OUTPUT 5069 OB16 5069 IB8S OUTPUT 5069 OBV8S COUNTER 5069 HSC2xOB4 DC INPUT 5069 IB16 DC OUTPUT 5069 OB16 5069 IB8S OUTPUT 5069 OBV8S COUNTER 5069 HSC2xOB4 DC INPUT 50...

Page 21: ...NS LOCK 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 IN PWR OUT PWR 1791DS CompactBlock Guard I OModule DeviceNet Network 1732DSArmorBlock Guard I O Module 1732DSArmorBlock Guard I O Module 1791DS CompactBlock Gu...

Page 22: ...o define the location ownership and configuration of I O devices and controllers and create test and debug program logic Only ladder diagram is supported in the GuardLogix safety task See Appendix A o...

Page 23: ...ol safety logic is processed in the GuardLogix controller Typical Safety Functions of Safety I O Devices The following is treated as the safe state by Safety I O devices Safety outputs OFF Safety inpu...

Page 24: ...t signals In some applications you must include off delay on delay or both when you calculate system reaction time For example the On to Off delay filter helps to filter out noise that affects the inp...

Page 25: ...oller controls safety output devices One controller also owns each safety input device However safety input data can be shared consumed by multiple GuardLogix controllers Safety I O Configuration Sign...

Page 26: ...erly configured and that the operation of the replacement device is verified Two options for I O device replacement are available on the Safety tab of the Controller Properties dialog box in the Studi...

Page 27: ...ce electronic keying is correct The node or IP address is correct To set the proper safety network number SNN when a controller safety signature exists a manual action is required to download the prop...

Page 28: ...inSIL2orSIL 3behavior during the replacement and functional testing of a device See Routable CIP Safety System on page 30 IfotherpartsoftheSafetycontrolsystemarebeingreliedupontomaintainSIL2 or SIL 3...

Page 29: ...ique Node ID or UNID Every CIP Safety device must have a UNID value assigned to each CIP Safety capable port Safety Network Numbers SNN Communications within a control system travel over subnets that...

Page 30: ...for Assigning SNNs When creating controller projects the Studio 5000 Logix Designer application generates an SNN value automatically whenever it recognizes a new subnet that contains CIP Safety devic...

Page 31: ...S Switch Switch 5069 L320E RS2 1732DS IB6 1732ES IB16 1732DS IBSXOBV4 1791ES IB16 1756 L71S 1756 DNB 1756 L7SP 1756 EN2T 1756 L84ES 1756 L81ES SNN_1 1756 Backplane SNN_2 SNN_3 SNN_5 5069 Backplane SNN...

Page 32: ...a new SNN is generated for the first CIP Safety device on that subnet We recommend that you assign each controller SNN to the already established SNN for the subnet This allows the Studio 5000 Logix...

Page 33: ...NNs generated by the software are always unique to the project whether generated by project creation or IP mode change Devices that are created directly under the controller port default to having the...

Page 34: ...ng user manuals for information on how to change the SNN ControlLogix 5580 and GuardLogix 5580 Controllers User Manual publication 1756 UM543 CompactLogix 5380 Controllers User Manual publication 5069...

Page 35: ...PORTANT Toadd aCIPSafety I Odevice toaconfiguredGuardLogixsystem theSNNis present in the GuardLogix controller the replacement CIP Safety I O device must have the correct SNN applied before it is adde...

Page 36: ...36 Rockwell Automation Publication 1756 RM012B EN P April 2018 Chapter 4 CIP Safety and Safety Network Numbers Notes...

Page 37: ...ollers also provide a SIL 2 or SIL 3 capable safety task However a logical and visible distinction is required between the standard and safety related portions of the application The Studio 5000 Logix...

Page 38: ...ctuations in execution time which can allow a lower setting for the safety task watchdog which improves the reaction time of the safety system Safety Task Limitations You specify both the safety task...

Page 39: ...imer related instructions such as TON and TOF are not updated during a safety task execution They keep accurate time from one task execution to another but the accumulated time is not changed during s...

Page 40: ...devices are typically required for SIL 3 IMPORTANT While safety unlocked and without a safety signature the controller helps prevent simultaneous write access to safety memory from the safety task and...

Page 41: ...s Safety Time greater than 600 ms the typical safety I O pulse test interval or the demand rate must be less than one demand per minute for example one per hour CompactBlock Guard I O 1791 series Armo...

Page 42: ...curity Specifications testing and validation Restrictions on data and access Limits on data and parameters For more information on how HMI devices fit into a typical SIL loop see GuardLogix Architectu...

Page 43: ...oop You must clearly document variables that are to be changed You must use a clear comprehensive and explicit operator procedure to make safety related changes via an HMI Changes can be accepted in a...

Page 44: ...data points Similar to the controller program the HMI software is secured and maintained for SIL level compliance after the system has been validated and tested Safety Programs A safety program has t...

Page 45: ...the direct creation of invalid tags in a safety program If invalid tags are imported they cannot be verified Tags that are classified as safety tags are either controller scoped or program scoped Eit...

Page 46: ...iable means to make sure that the data is used in an appropriate manner The use of standard data in a safety tag does not make it safety data You must not directly control a safety output with standar...

Page 47: ...l application downloads via a manual check of the safety signature You perform a complete functional test of the entire system before the operational startup of a safety related system This test inclu...

Page 48: ...le 2 Safety Application Status Safety Task Status Safety 1 up to and including Controller Behavior Unlocked No signature Only for development purposes Safety I O forces can be present Safety I O force...

Page 49: ...e mechanisms that may affect the executable software when the Studio 5000 Logix Designer application is used in a manner other than what is specified in the product documentation You must verify that...

Page 50: ...of the Safety Function on page 51 Create the Project on page 52 Online Create the Project on page 52 Offline Attach to Controller and Download Test the Application Program on page 52 Generate the Saf...

Page 51: ...which includes the following Input definitions Output definitions I O wiring diagrams and references Theory of operation Matrix or table of stepped conditions and the actuators to be controlled includ...

Page 52: ...edits upload and download and informal testing that is required to get an application running properly in preparation for the Project Validation test Generate the Safety Signature The safety signatur...

Page 53: ...d within the safety task Online or offline programming or editing of safety components Forcing safety I O Data manipulation of safety components except through routine logic or another GuardLogix cont...

Page 54: ...start up and project validation on the safety application in the context of the new sensors actuators wiring networks and control system physical equipment Confirm the Project You must print or view...

Page 55: ...GuardLogix controller and CIP Safety I O devices Compare all properties of the safety task safety programs and safety routines Compare all logic in the safety routines 10 Verify that all controller a...

Page 56: ...are optional For more information about the safety lock feature see the user manual for the controller ControlLogix 5580 and GuardLogix 5580 Controllers User Manual publication 1756 UM543 CompactLogix...

Page 57: ...ry card match the major and minor revisions of your controller If your controller is not in Run mode Loading a project to a safety locked controller is allowed only when the safety signature of the pr...

Page 58: ...s for editing safety logic online If the controller is locked with safety edits you must unlock the controller to assemble or cancel the edits For safety routines the controller cannot be locked when...

Page 59: ...ty of the system You must sufficiently document all program edits which include the following Authorization Impact analysis Execution Test information Revision information If online edits exist only i...

Page 60: ...der Logic in the Studio 5000 Logix Designer application while online see the Logix5000 Controllers Quick Start publication 1756 QS001 Modification Impact Test Any modification enhancement or adaptatio...

Page 61: ...anges Yes No Delete Safety Application Signature Make Desired Modifications to Safety Logic Attach to Controller and Download Make Desired Modifications to Standard Logic Attach to Controller and Down...

Page 62: ...62 Rockwell Automation Publication 1756 RM012B EN P April 2018 Chapter 6 Safety Application Development Notes...

Page 63: ...System Status You can view the status of safety tag connections You can also determine current operating status by interrogating various device objects It is your responsibility to determine what data...

Page 64: ...onnectionFaulted Status Safety Connection Operation 1 Run 0 Valid The producing device is actively controlling the data The producing device is in Run mode 0 Idle 0 Valid The connection is active and...

Page 65: ...ystem GuardLogix controllers are part of a de energize to trip system which means that zero is the safe state Some but not all safety I O device faults cause all device inputs or outputs to be set to...

Page 66: ...ication 1756 RM003 Safety Faults Faults in the GuardLogix 5580 and Compact GuardLogix 5380 system can be Recoverable controller faults Nonrecoverable controller faults Nonrecoverable safety faults in...

Page 67: ...fety protocol connections are closed and reopened to reinitialize them Safety outputs are placed in the safe state and the producer of safety consumed tags commands the consumers to place them in a sa...

Page 68: ...in the slot next the Safety Primary these actions occur On the Safety Partner the OK status indicator flashes red The controller logs a Type 14 Code 12 minor fault that indicates that the controller i...

Page 69: ...or gate switch It includes the added capability to initiate a functional test of the stop device It can monitor a feedback signal from a safety device and issue a lock request to a safety device DCST...

Page 70: ...output and has a 500 ms inputs inconsistent timeout value ROUT Redundant Output Monitors the state of one input to control and monitor two outputs DIN Diverse Input Monitors two diverse safety inputs...

Page 71: ...ion for a JMP instruction JSR Jump to Subroutine Jump to a separate routine RET Return Return the results of a subroutine SBR Subroutine Accept data that is passed to a subroutine by the JSR instructi...

Page 72: ...motor or axis to detect movement of more than a defined amount in the unintended direction SBC Safe Brake Control The Safe Brake Control SBC instruction Controls safety outputs that actuate a brake Se...

Page 73: ...SIL 3 Figure 20 on page 74 shows the steps that are required to create a safety Add On Instruction and then use that instruction in a safety application program The shaded items are steps unique to Ad...

Page 74: ...Signature Go Off line Delete safety signature if it exists Return to original test project To Create a Safety Add On Instruction Create or Open a Project Create modify Application Export and Import th...

Page 75: ...times be required for regulated industries Use it when your application calls for a higher level of integrity The instruction signature consists of an ID number and time stamp that identifies the cont...

Page 76: ...instruction signature the name of the user the time stamp value and a user defined description Up to six history entries can be stored You must be offline to create a signature history entry Exportand...

Page 77: ...ontinue with the validation of your application Test the Application Program This step consists of any combination of Run and Program mode online or offline program edits upload and download and infor...

Page 78: ...78 Rockwell Automation Publication 1756 RM012B EN P April 2018 Appendix B Create and Use a Safety Add On Instruction Notes...

Page 79: ...following equations determine the Connection Reaction Time Limit Input Connection Reaction Time Limit Input RPI x Timeout Multiplier Network Delay Multiplier Output Connection Reaction Time Limit Safe...

Page 80: ...afety task period If the corresponding Connection Time Reaction Limit is not satisfactory you can adjust the safety task period via the Safety Task Properties dialog box See System Reaction Time on pa...

Page 81: ...roduced consumed safety tags in the logic chain Simple Input logic output Chain This section describes the Logix system reaction time for any simple input to logic to output chain Figure 25 Logix Syst...

Page 82: ...ed Consumed Safety Tags This section describes the Logix system reaction time for any input to controller A logic to controller B logic to output chain Figure 26 Logix System Reaction Time for Input t...

Page 83: ...ultiplier Network Delay Multiplier The amount of network communication traffic 1 1 Network traffic and EMC create a lower limit for the values you can successfully use for Timeout Multiplier and Netwo...

Page 84: ...tion Reaction Time Limits The following three values define the Connection Reaction Time Limit CRTL If you adjust these values then you can adjust the Connection Reaction Time Limit If a valid packet...

Page 85: ...ur safety I O device and choose Properties 2 Click the Safety tab 3 Click Advanced to open the Advanced Connection Reaction Time Limit dialog box IMPORTANT The Timeout Multiplier and Network Delay Mul...

Page 86: ...access the safety task period and watchdog time settings right click the Safety Task and choose Properties The priority of the safety task is not a safety concern as the safety task watchdog monitors...

Page 87: ...fety tab click Advanced 5 You can view or edit the current settings in the Advanced dialog box See the following for more information ControlLogix 5580 and GuardLogix 5580 Controllers User Manual publ...

Page 88: ...88 Rockwell Automation Publication 1756 RM012B EN P April 2018 Appendix C Reaction Times Notes...

Page 89: ...be saved as a record of the plan The checklists on the following pages provide a sample of safety considerations and are not intended to be a complete list of items to verify Your particular safety ap...

Page 90: ...he safety task rate period 4 Is the system response time in proper relation to the process safety time 5 Have probability PFD PFH values been calculated for each safety function 6 Have you performed a...

Page 91: ...dLogix System Company Site Safety Function Definition SIL Input Channels Number Input Device Requirements Fulfilled Comment Yes No 1 Have you followed installation instructions and precautions to conf...

Page 92: ...Checklist for GuardLogix System Company Site Safety Function Definition SIL Output Channels Number Output Device Requirements Fulfilled Comment Yes No 1 Have you followed installation instructions and...

Page 93: ...andard tags 6 Are only safety tags used for safety routines 7 Have you verified that safety routines do not attempt to read from or write to standard tags 8 Have you verified that no safety tags are a...

Page 94: ...94 Rockwell Automation Publication 1756 RM012B EN P April 2018 Appendix D Checklists for GuardLogix Safety Applications Notes...

Page 95: ...dditional Resources on page 8 Useful Life The useful life of GuardLogix controllers is 20 years Safety Data For I O devices safety data including PFD and PFH values see the manuals for those products...

Page 96: ...hr 7 24E 07 6 61E 07 7 33E 07 Dangerous Failure Rate D failures hr 7 10E 07 6 61E 07 7 33E 07 Dangerous Detected Failure Rate DD failures hr 7 10E 07 6 54E 07 7 26E 07 Dangerous Undetected Failure Rat...

Page 97: ...of all output channels This approach reduces the amount of I O conditioning logic that is required and forces the logic to shut down all input or output channels on the affected module Use the Input F...

Page 98: ...et inputs to safe state Example Rungs 2 and 3 Are the inputs used to drive safety application instructions Can Circuit Reset be used for operator intervention Is input fault information required for d...

Page 99: ...ta 3 Node31InputsFaulted U Node31 I Pt00Data U Node31 I Pt01Data 4 Node30InputsFaulted L Node30 I Pt01Data L Node30 I Pt03Data U Node31 I Pt11Data Node 30 is an 8 point input 8 point output combinatio...

Page 100: ...ulted L Node31Input01 L Node31Input03 Node31 I Pt00Data Node31Input00 Node31Input01 Node31Input11 Node31 I Pt01Data Node31 I Pt11Data Node 30 is an 8 point input 8 point output combination module Node...

Page 101: ...o Write logic to set outputs to a safe state Example Rung 2 Write logic to unlatch output failure Example Rung 1 Write logic to latch output failure Example Rung 0 Done 0 Node30 I OutputStatus L Node3...

Page 102: ...102 Rockwell Automation Publication 1756 RM012B EN P April 2018 Appendix F Studio 5000 Logix Designer Application Version 31 or Later Safety application Instructions Notes...

Page 103: ...ed the ability to test untest or cancel the edits Average frequency of a dangerous failure PFH The probability of a system to have a dangerous failure occur per hour cancel edits Action that is taken...

Page 104: ...en a task periodic or event is triggered while the task is still executing from the previous trigger partnership The primary controller and safety partner must both be present in SIL 3 and the hardwar...

Page 105: ...se in safety related functions safety application instructions Safety Instructions that provide safety related functionality They have been certified to SIL 2 or SIL 3 for use in safety routines safet...

Page 106: ...The safety task must be a periodic timed task safety task period The period at which the safety task executes safety task reaction time The sum of the safety task period plus the safety task watchdog...

Page 107: ...order in which they are displayed in the controller organizer test edits Once online edits have been accepted there are two versions of user logic residing in controller memory The Test Edits command...

Page 108: ...108 Rockwell Automation Publication 1756 RM012B EN P April 2018 Glossary Notes...

Page 109: ...Safety protocol definition 106 clear fault 67 commissioning lifecycle 50 communication network 18 Compact GuardLogix controller 17 power supply 18 concept safety integrity level SIL 9 configuration s...

Page 110: ...le delay time setting 84 GuardLogix chassis 16 control system safety I O 23 controller 15 controller system checklist 90 power supply 16 primary controller 16 safety application checklist 89 safety pa...

Page 111: ...process 61 on delay function 24 online definition 104 online edit 58 60 process 61 out of box device SNN 35 output diagnostics 64 reaction time 24 safetyconnectionreactiontimelimit CRTL 84 output faul...

Page 112: ...safety controller 37 safety data 95 safety function safety I O 23 specification 51 safety I O configuration signature 25 device replacement 26 GuardLogix control system 23 module 40 safety function 23...

Page 113: ...ce 65 status data 24 status indicator 24 63 store project from memory card 57 Studio 5000 Logix Designer application safety application instruction 97 system de energize to trip 65 GuardLogix controll...

Page 114: ...114 Rockwell Automation Publication 1756 RM012B EN P April 2018 Index...

Page 115: ......

Page 116: ...ineer http www rockwellautomation com global support direct dial page Literature Library Installation Instructions Manuals Brochures and Technical Data http www rockwellautomation com global literatur...

Search results

Summary of Contents for Compact GuardLogix 5380

Reviews:

Related manuals for Compact GuardLogix 5380

Brands by name

Popular brands

Allen-Bradley Compact GuardLogix 5380, Original Instructions Manual

Search results

Summary of Contents for Compact GuardLogix 5380

Reviews:

Related manuals for Compact GuardLogix 5380

Brands by name

Popular brands