Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Features of the ControlLogix SIL 2 System
Chapter 2
Writing Data
A parameter change in a safety-related loop via an external (that is, outside the
safety loop) device (for example, an HMI) is allowed only with the following
restrictions:
• The customer MOC procedure is followed.
• Only authorized, specially trained personnel (operators) can change the
parameters in safety-related systems via HMIs.
• The operator who changes a safety-related system via an HMI is
responsible for the effect of those changes on the safety loop.
• You must clearly document variables that need to be changed.
• You must use a clear, comprehensive, and explicit operator procedure to
make safety-related changes via an HMI (MOC Procedure).
• Changes can only be accepted in a safety-related system if the following
sequence of events occurs.
1. The new variable must be sent twice to two different tags; that is, both
values must not be written to with one command.
2. Safety-related code that executes in the controller must check both tags for
equivalency and make sure that they are within range (boundary checks).
3. Both new variables must be read back and displayed on the HMI device.
4. Trained operators must visually check that both variables are the same and
are the correct value.
5. Trained operators must manually acknowledge that the values are correct
on the HMI display that sends a command to the safety logic, which allows
the new values to be used in the safety function.
In every case, the operator must confirm the validity of the changes before they are
accepted and applied in the safety loop.
The remainder of the steps need to follow the IEC 61511 standard on process safety,
section 11.7.1, Operator Interface requirements.
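
The acceptance sequence above, modelled in Python as an added example (it is not Rockwell Automation code and not controller logic). The class, the tag names, the command ids and the limits are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SafetyParameter:
    """Model of one safety-related parameter changed from an HMI (illustrative)."""
    low: float                     # lower boundary (assumed limit)
    high: float                    # upper boundary (assumed limit)
    active: float                  # value the safety function currently uses
    tag_a: Optional[float] = None  # first staging tag
    tag_b: Optional[float] = None  # second staging tag
    cmd_a: Optional[int] = None    # id of the HMI command that wrote tag_a
    cmd_b: Optional[int] = None    # id of the HMI command that wrote tag_b
    shown: Optional[Tuple] = None  # pair last read back to the HMI

    def write(self, tag: str, value: float, command_id: int) -> None:
        """Step 1: each HMI write command sets exactly one staging tag."""
        if tag not in ("a", "b"):
            raise ValueError("unknown staging tag")
        setattr(self, "tag_" + tag, value)
        setattr(self, "cmd_" + tag, command_id)
        self.shown = None          # a new write voids any earlier read-back

    def validate(self) -> bool:
        """Step 2: separate commands, equivalent values, inside the boundaries."""
        if self.tag_a is None or self.tag_b is None:
            return False
        if self.cmd_a == self.cmd_b:   # both tags came from one command
            return False
        return self.tag_a == self.tag_b and self.low <= self.tag_a <= self.high

    def read_back(self) -> Tuple:
        """Step 3: return both staged values so the HMI can display them."""
        self.shown = (self.tag_a, self.tag_b)
        return self.shown

    def acknowledge(self) -> bool:
        """Steps 4-5: operator confirms; apply only a displayed, valid pair."""
        accepted = self.shown is not None and self.validate()
        if accepted:
            self.active = self.tag_a
        # Assumption of this sketch: staging is cleared after every attempt,
        # so a rejected change has to restart from step 1.
        self.tag_a = self.tag_b = self.cmd_a = self.cmd_b = self.shown = None
        return accepted
```

In this model the active value changes only inside `acknowledge()`, and only when both staged values passed the equivalency and boundary checks and were read back after the last write.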
IMPORTANT
The High-Speed Jog function is not allowed and must not be used in the
project.