Transcript
Using ControlLogix in SIL2 Applications 1756 Series
Safety Reference Manual
Important User Information
Solid state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelines for the Application, Installation and Maintenance of Solid State Controls (Publication SGI-1.1 available from your local Rockwell Automation sales office or online at http://www.ab.com/manuals/gi) describes some important differences between solid state equipment and hard-wired electromechanical devices. Because of this difference, and also because of the wide variety of uses for solid state equipment, all persons responsible for applying this equipment must satisfy themselves that each intended application of this equipment is acceptable. In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment. The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams. No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual. Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc. is prohibited. Throughout this manual, when necessary we use notes to make you aware of safety considerations. WARNING
IMPORTANT
ATTENTION
Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.
Identifies information that is critical for successful application and understanding of the product. Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you: • identify a hazard • avoid a hazard • recognize the consequence
SHOCK HAZARD
Labels may be located on or inside the equipment (e.g., drive or motor) to alert people that dangerous voltage may be present.
BURN HAZARD
Labels may be located on or inside the equipment (e.g., drive or motor) to alert people that surfaces may be dangerous temperatures.
Summary of Changes
New and Revised Information
Change bars located in margins indicate updates and new information added to this revision. Table 1 lists the most significant new and revised information included in this release of this manual. Table.1 New and Revised Information Topic
Location
Components for Use in SIL2 Applications.
Table 1.1 on Page 1-8
Checklist for the ControlLogix System.
Page 2-8
Safety Certifications and Compliances
Page 1-12
Probability of Failure on Demand (PFD) calculations.
Table 1.2 on Page 1-14
Example PFD calculations.
Table 1.4 on Page 1-19
Probability of Undetected Dangerous Failure per Hour (PFH) calculations.
Table 1.3 on Page 1-17
Use of ControlNet repeaters in SIL2 systems.
Page 5-2
ControlLogix Diagnostic Output Module Wiring.
Figure 6.7 on Page 6-10
ControlLogix Standard Output Wiring
Figure 6.8on Page 6-11
General Considerations for the use of analog modules.
Page 6-20
ControlLogix Analog Module Wiring in Current Mode.
Figure 6.18 on Page 6-24
Security considerations for programming.
Page 8-4
Spurious Failure Estimates
Page D-1
Sample Probablity of Failure on Demand (PFD) Calculations
Page E-1
Probablity of Failure on Demand (PFD) Calculations in a SIL1 Application
Page F-2
Probability of Undetected Dangerous Page F-4 Failure Per Hour (PFH) Calculations in SIL1 Applications
iii
Publication 1756-RM001E-EN-P - November 2006
Summary of Changes
iv
Notes:
Publication 1756-RM001E-EN-P - November 2006
Preface
Introduction
This application manual is intended to describe the ControlLogix Control System components available from Rockwell Automation that are suitable for use in SIL2 applications. IMPORTANT
This manual describes typical SIL2 implementations using certified ControlLogix equipment. Keep in mind that the descriptions presented in this manual do not preclude other methods of implementing a SIL2-compliant system using ControlLogix. Other methods may include TUV-approved application-certified architectures, or the use of the FLEX I/O system as described in FLEX I/O System with ControlLogix for SIL2 reference manual, publication 1794-RM001.
Manual Set-Up2006
This manual is designed to make clear how the ControlLogix Control System can be SIL2-certified. Table Preface.1 lists the information available in each section.
Table Preface.1 If you need this information:
See this section:
Introduction to the SIL policy and how that policy relates to the ControlLogix system, including:
Chapter 1, SIL Policy
• typical SIL2 configurations–both non-redundant and redundant • proof test descriptions • complete list of SIL2-certified ControlLogix components • probability of failure on demand (PFD) and probability of dangerous failure occurring per hour (PFH) calculations for SIL2-certified components with a 1 year proof test interval Brief overview of all the components present in the SIL2-certified ControlLogix system, including:
Chapter 2, The ControlLogix System
• fault reporting • fault handling • module diagnostics • checklist for a SIL2-certified ControlLogix system
v
Description of the ControlLogix power supplies and chassis used in a SIL2-certified ControlLogix system and recommendations on using these components.
Chapter 3, ControlLogix System Hardware
Description of the ControlLogix controllers used in the SIL2-certified ControlLogix system, including the 1784-CG64 CompactFlash card and recommendations on using the controllers.
Chapter 4, ControlLogix Controller
Description of the ControlLogix communications modules used in the SIL2-certified ControlLogix system and recommendations on their use in SIL2-certified system.
Chapter 5, ControlLogix Communications Modules
Publication 1756-RM001E-EN-P - November 2006
Preface
vi
Table Preface.1 If you need this information:
See this section:
Description of the ControlLogix I/O modules used in the SIL2-certified ControlLogix system, including:
Chapter 6, ControlLogix I/O Modules
• use of both digital and analog I/O modules • I/O module fault reporting • usage considerations • wiring diagrams • checklist for I/O modules in a SIL2-certified ControlLogix system Description of how the ControlLogix detects, and reacts to, faults. Specifically, this section describes the following two example conditions that generate a fault in a SIL2-certified system:
Chapter 7, Faults in the ControlLogix System
• keyswitch changing out of RUN mode • high alarm condition on an analog input module Guidelines for application development in RSLogix 5000 as they relate to SIL2-certified systems. The guidelines include:
Chapter 8, General Requirements for Application Software
• suggestions of good design practices • checking the application program • identifying the program • forcing • security • checklist for the creation of an application program Description of technical safety requirement in SIL2-certified ControlLogix applications. The following topics are described in this section: • general programming procedures
Chapter 9, Technical SIL2 Requirements for the Application Program
• SIL task/program instructions • available programming languages • commissioning lifecycle • method to change an application program • forcing Description of the precautions and techniques that should be used with HMI devices as they are used in SIL2-certified ControlLogix applications, including:
Chapter 10, Use and Application of Human to Machine Interfaces
• information about changing parameters in a safety-related loop • information about changing parameters in a non-safety-related loop Calculation methods for worst case reaction time for a given change in input or a fault condition and the corresponding output action.
Appendix A, Response Times in ControlLogix
Self-testing in a ControlLogix system and more information about user-programmed responses.
Appendix B, System Self-Testing and User-Programmed Responses
Additional information on handling faults.
Appendix C, Additional Information on Handling Faults in the ControlLogix System
Publication 1756-RM001E-EN-P - November 2006
Preface
vii
Table Preface.1 If you need this information:
See this section:
Spurious failure rates based on field returns.
Appendix D, Spurious Failure Estimates
Additional PFD calculations based on proof test intervals of 2 years and 4 years.
Appendix E, Sample Probability of Failure on Demand (PFD) Calculations
Using ControlLogix in SIL1 applications
Appendix F, Using ControlLogix in SIL1 Applications
Understanding Terminology
The following table defines acronyms used in this manual. Table Preface.2 List of Acronyms Used Throughout the Safety Application Manual Acronym:
Full Term:
Definition:
CIP
Control and Information Protocol
A messaging protocol used by Logix5000™ systems. It is a native communications protocol used on ControlNet™ communications networks, among others.
DC
Diagnostic Coverage
The ratio of the detected failure rate to the total failure rate.
EN
European Norm.
The official European Standard
GSV
Get System Value A ladder logic output instruction that retrieves specified controller status information and places it in a destination tag.
MTBF
Mean Time Average time between failure occurrences. Between Failures
MTTR
Mean Time to Restoration
PADT
Programming and RSLogix 5000 software used to program and Debugging Tool debug a SIL2-certified ControlLogix application.
PC
Personal Computer
Computer used to interface with, and control, a ControlLogix system via RSLogix 5000 programming software.
PFD
Probability of Failure on Demand
The average probability of a system to fail to perform its design function on demand.
PFH
Probability of Failure per Hour
The probability of a system to have a dangerous failure occur per hour.
Average time needed to restore normal operation after a failure has occurred.
Publication 1756-RM001E-EN-P - November 2006
Preface
viii
Notes:
Publication 1756-RM001E-EN-P - November 2006
Table of Contents Chapter 1 SIL Policy
Introduction to SIL . . . . . . . . . . . . . . . . . . . . . . . Typical SIL2 Configurations . . . . . . . . . . . . . . . . . Proof Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Prooftesting with Redundancy Systems . . . . . . SIL2-Certified ControlLogix System Components . . Safety Certifications and Compliances . . . . . . . . . Hardware Designs and Firmware Functions . . . . . Difference Between PFD and PFH . . . . . . . . . . . . SIL Compliance Distribution and Weight . . . . . . . Other Agency Certifications . . . . . . . . . . . . . . . . . Response Times . . . . . . . . . . . . . . . . . . . . . . . . . Response Times in Redundancy Systems. . . . . Program Watchdog Time in ControlLogix System . Contact Information When Device Failure Occurs.
. . . . . . . . . . . . . .
. . . . . . . . . . . . . .
. . . . . . . . . . . . . .
. . . . . . . . . . . . . .
. . . . . . . . . . . . . .
. . . . . . . . . . . . . .
. . . . . . . . . . . . . .
1-1 1-4 1-6 1-7 1-8 1-12 1-12 1-12 1-20 1-21 1-21 1-22 1-23 1-23
Chapter 2 The ControlLogix System
General Overview of ControlLogix Platform . . . Overview of the ControlLogix Architecture. . . . Module Fault Reporting . . . . . . . . . . . . . . . Fault Handling. . . . . . . . . . . . . . . . . . . . . . Data Echo Communication Check. . . . . . . . Pulse Test . . . . . . . . . . . . . . . . . . . . . . . . . Software . . . . . . . . . . . . . . . . . . . . . . . . . . Communications . . . . . . . . . . . . . . . . . . . . Other Unique Features that Aid Diagnostics Checklist for the ControlLogix System . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
2-1 2-2 2-3 2-3 2-4 2-5 2-6 2-6 2-7 2-8
Introduction to the Hardware . . . . . . . . . . . . . . ControlLogix Chassis . . . . . . . . . . . . . . . . . . . . . ControlLogix Power Supplies. . . . . . . . . . . . . . . Non-Redundant Power Supply . . . . . . . . . . . Redundant Power Supply . . . . . . . . . . . . . . . Recommendations for System Hardware Use . . . Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . Power Supplies . . . . . . . . . . . . . . . . . . . . . . Related ControlLogix Hardware Documentation .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
3-1 3-2 3-2 3-2 3-3 3-3 3-3 3-4 3-4
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
4-1 4-1 4-2 4-2
Chapter 3 ControlLogix System Hardware
Chapter 4 ControlLogix Controller
ix
Introduction to the Controller . . . . . . CompactFlash Card . . . . . . . . . . . Recommendations for Controller Use . Related Controller Documentation . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
Publication 1756-RM001E-EN-P - November 2006
Table of Contents
x
Chapter 5 ControlLogix Communications Modules
Introduction to Communication Modules . . . . . . . . . . ControlNet Bridge Module. . . . . . . . . . . . . . . . . . . . . ControlNet Cabling . . . . . . . . . . . . . . . . . . . . . . . ControlNet Repeater. . . . . . . . . . . . . . . . . . . . . . . ControlNet Module Diagnostic Coverage. . . . . . . . Ethernet Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ethernet Versus ControlNet . . . . . . . . . . . . . . . . . . . . Data Highway Plus - Remote I/O. . . . . . . . . . . . . . . . SynchLink. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Recommendations for Communications Modules Use . Related Communications Modules Documentation . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
5-1 5-2 5-2 5-2 5-2 5-3 5-3 5-4 5-4 5-4 5-5
Chapter 6 ControlLogix I/O Modules
Publication 1756-RM001E-EN-P - November 2006
Overview of ControlLogix I/O Modules . . . . . . . . . . . . . . . 6-1 Module Fault Reporting for any ControlLogix I/O Module. . 6-4 Using Digital Input Modules . . . . . . . . . . . . . . . . . . . . . . . 6-5 General Considerations when using Any ControlLogix Digital Input Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 Wiring ControlLogix Digital Input Modules. . . . . . . . . . . . . 6-6 Using Digital Output Modules . . . . . . . . . . . . . . . . . . . . . . 6-7 General Considerations when using Any ControlLogix Digital Output Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7 Wiring ControlLogix Digital Output Modules . . . . . . . . . . . 6-10 Diagnostic Digital Output Modules . . . . . . . . . . . . . . . . 6-10 Standard Digital Output Modules . . . . . . . . . . . . . . . . . 6-11 Using Analog Input Modules . . . . . . . . . . . . . . . . . . . . . . . 6-13 General Considerations when using Any ControlLogix Analog Input Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13 Wiring ControlLogix Analog Input Modules . . . . . . . . . . . . 6-16 Wiring the Single-Ended Input Module in Voltage Mode 6-16 Wiring the Single-Ended Input Module in Current Mode 6-17 Wiring the Thermocouple Input Module . . . . . . . . . . . . 6-18 Wiring the RTD Input Module . . . . . . . . . . . . . . . . . . . 6-19 Using Analog Output Modules. . . . . . . . . . . . . . . . . . . . . . 6-20 General Considerations when using Any ControlLogix Analog Output Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20 Wiring ControlLogix Analog Output Modules . . . . . . . . . . . 6-23 Wiring the Analog Output Module in Voltage Mode . . . 6-23 Wiring the Analog Output Module in Current Mode . . . 6-24 Checklist for SIL Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25 Checklist for SIL Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26
Table of Contents
xi
Chapter 7 Faults in the ControlLogix System
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Checking Keyswitch Position with GSV Instruction . . . . . . . 7-2 Examining an Analog Input Module’s High Alarm. . . . . . . . 7-3
Chapter 8 General Requirements for Application Software
Software for SIL2-Related Systems . . . . . . . . . . . . . . . . . . . SIL2 Programming. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Safety Concept of the ControlLogix system . . . . . . . . . . General Guidelines for Application Software Development . Check the Created Application Program . . . . . . . . . . . . Possibilities of Program Identification . . . . . . . . . . . . . . Forcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ControlLogix System Operational Modes . . . . . . . . . . . . . . Checklist for the Creation of an Application Program . . . . .
8-1 8-2 8-2 8-2 8-3 8-3 8-4 8-4 8-5 8-6
Chapter 9 Technical SIL2 Requirements for the Application Program
General Procedure . . . . . . . . . . . . . Basics of Programming. . . . . . . . Logic and Instructions 2 Program Logic 2 Specification 3 Sensors (Digital or Analog) 3 Actuators 4 SIL Task/Program Instructions . . . . . Programming Languages . . . . . . . . . Commissioning Life Cycle . . . . . . . . Changing Your Application Program Forcing . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . 9-1 . . . . . . . . . . . . . . . . . 9-2
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
9-4 9-4 9-5 9-6 9-8
Using Precautions and Techniques with HMI . . . . . . . . . Accessing Safety-Related Systems . . . . . . . . . . . . . . . Changing Parameters in Safety-Related Systems . . . . . Changing Parameters in Non-Safety-Related Systems .
. . . .
. . . .
10-1 10-1 10-2 10-3
Chapter 10 Use and Application of Human to Machine Interfaces
Publication 1756-RM001E-EN-P - November 2006
Table of Contents
xii
Appendix A Response Times in ControlLogix
Digital Modules. . . . . . . . . . . . . . Local Chassis Configuration . . Remote Chassis Configuration Analog Modules . . . . . . . . . . . . . Local Chassis Configuration . . Remote Chassis Configuration Redundancy Systems . . . . . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
A-1 A-1 A-2 A-3 A-3 A-3 A-5
Appendix B System Self-Testing and User-Programmed Responses
Validation Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1 System Self Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1 Reaction to Faults 2
Appendix C Additional Information on Handling Faults in the ControlLogix System Spurious Failure Estimates
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-1
Appendix D Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-1
Appendix E Sample Probability of Failure on Demand (PFD) Calculations
Proof Test Interval = 5 Years . . . . . . . . . . . . . . . . . . . . . . . E-1
Appendix F Using ControlLogix in SIL1 Applications
Publication 1756-RM001E-EN-P - November 2006
Additional Considerations . . . . . . . . . . . . . . . . . . . . . . . . . F-1 Probability of Failure on Demand Calculations in a SIL1 Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-2 Probability of Undetected Dangerous Failure Per Hour Calculations in a SIL1 Application . . . . . . . . . . . . . . . . . . . F-4
Chapter
1
SIL Policy
This chapter introduces you to the SIL policy and how the ControlLogix system meets the requirements for SIL2 certification. For information about:
Introduction to SIL
See page:
Introduction to SIL
1-1
Typical SIL2 Configurations
1-4
Proof Tests
1-6
SIL2-Certified ControlLogix System Components
1-8
Safety Certifications and Compliances
1-12
Hardware Designs and Firmware Functions
1-12
Difference Between PFD and PFH
1-12
ControlLogix Product Probability of Failure on Demand (PFD) Calculations
1-14
ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations
1-17
SIL Compliance Distribution and Weight
1-20
Other Agency Certifications
1-21
Response Times
1-21
Program Watchdog Time in ControlLogix System
1-23
Contact Information When Device Failure Occurs
1-23
Certain catalog numbers (listed in Table 1.1 on page 1-8) of the ControlLogix system are type-approved and certified for use in SIL2 applications according to IEC 61508, and RC4 applications are certified according to DIN V19250. Approval requirements are based on the standards current at the time of certification. These requirements consist of mean time between failures (MTBF), probability of failure, failure rates, diagnostic coverage and safe failure fractions that fulfill SIL2 and AK4 criteria. The results make the ControlLogix system suitable up to, and including, SIL2 and AK4. When the ControlLogix system is in the maintenance or programming mode, the user is responsible for maintaining a safe state. For support in creation of programs, the PADT (Programming and Debugging Tool) is required. The PADT for ControlLogix is RSLogix 5000, per IEC 61131-3, and this Safety Reference Manual.
1
Publication 1756-RM001E-EN-P - November 2006
1-2
SIL Policy
The TUV Rheinland Group has approved the ControlLogix system for use in up to, and including, SIL 2 safety related applications in which the de-energized state is typically considered to be the safe state. All of the examples related to I/O included in this manual are based on achieving de-energization as the safe state for typical Emergency Shutdown (ESD) Systems. ControlLogix is a modular and configurable system with the ability to pre-configure outputs and other responses to fault conditions. As such, a system can be designed to meet requirements for “hold last state" in the event of a fault so that the system can be used in up to, and including, SIL 2 level Fire and Gas and other Applications that require that output signals to actuators remain on. By understanding the behavior of the ControlLogix system for an emergency shutdown application, the system design can incorporate appropriate measures to meet other application requirements. These measures relate to the control of outputs and actuators which must remain on to be in a safe state. The other requirements for SIL2 regarding inputs from sensors, software etc. must also be met. The measures and modifications which relate to Gas and Fire are listed below. • The use of a manual over-ride is necessary to ensure the operator can maintain the desired control in the event of a Controller Failure. This is similar in concept to the function of the external relay or redundant outputs required to ensure a de-energized state is achieved for an ESD system should a failure occur (e.g., such as a shorted output driver) that would prevent this from normally occurring. The system knows it has a failure but the failure mode requires an independent means to maintain control and either remove power or provide an alternate path to maintain power to the end actuator. • If the application cannot tolerate an output that can fail shorted (energized) then an external means such as a relay or other output must be wired in series to remove power when the fail shorted condition occurs. (Refer to Figure 6.8 on page 6-11) If the application cannot tolerate an output that fails open (deenergized) then an external means such as a manual override or output must be wired in parallel. (Refer to the manual override Figure 1.1 on page 1-3). The user must supply the alternative means and develop the application program to initiate the alternate means of removing or continuing to supply power in the event the main output fails.
Publication 1756-RM001E-EN-P - November 2006
SIL Policy
1-3
• This manual over-ride circuit is shown in Figure 1.1. It is composed of a hardwired set of contacts from a selector switch or push-button. One Normally Open contact provides for the bypass of power from the Controller output directly to the actuator. The other is a Normally closed contact to remove or isolate the controller output • An application program needs to be generated to monitor the diagnostic output modules for dangerous failures such as shorted or open output driver channels. Diagnostic output modules must be configured to hold last state in the event of a fault. • A diagnostic alarm must be generated to inform the operator that manual control is required. • The faulted module must be replaced within a reasonable time frame. • Any time a fault is detected the user must annunciate the fault to an operator by some means (for example, an alarm light). Figure 1.1 L1
Manual Override
Actuator
L2 or Ground 43379
Fault Alarm to Operator
Publication 1756-RM001E-EN-P - November 2006
1-4
SIL Policy
Typical SIL2 Configurations
SIL2-certified ControlLogix systems can be used in a non-redundancy or redundancy configuration. The most significant difference between these configurations is that the redundancy configuration uses an identical pair of ControlLogix chassis to keep your machine or process running if a problem occurs with a controller. Figure 1.2 shows a typical SIL loop that does not use redundancy, including: • the overall safety loop • the ControlLogix portion of the overall safety loop • how other devices (for example, HMI) connect to the loop, while operating outside the loop This loop is used for fail safe applications. Figure 1.2 Typical SIL Loop Without Controller Redundancy
Programming Software For SIL applications, a programming terminal is not normally connected.
HMI For Diagnostics and Visualization (read-only access to controllers in the safety loop). For more information, see Chapter 10.
Plant-wide Ethernet/Serial Overall Safety Loop SIL2-certified ControlLogix components’ portion of the overall safety loop
E N B T
Sensor
C N B
C N B
I/O
ControlNet
ControlNet
Publication 1756-RM001E-EN-P - November 2006
Actuator
C N B
To other safety related ControlLogix and remote I/O chassis
To non-safety related systems outside the ControlLogix portion of the SIL2-certified loop. For more information, see Chapter 5.
SIL Policy
1-5
Figure 1.3 shows a typical SIL loop that uses redundancy, including: • the overall safety loop • the ControlLogix portion of the overall safety loop • how other devices (for example, HMI) connect to the loop, while operating outside the loop With regard to IEC 61508, most SIL2-certified systems are fault tolerant for the entire system. However, the ControlLogix system is fault tolerant only for the devices in the primary/secondary chassis and not the entire system. This loop is used for high availability applications.
IMPORTANT
Figure 1.3 Typical SIL Loop With Controller Redundancy Programming Software For SIL applications, a programming terminal is not normally connected.
HMI For Diagnostics and Visualization (read-only access to controllers in the safety loop). For more information, see Chapter 10.
Plant-wide Ethernet/Serial Overall Safety Loop
SIL2-certified ControlLogix components’ portion of the overall safety loop
Primary chassis Sensor
Remote I/O chassis E C N N B B T
C N B
S R M
I/O
C N B
Actuator
ControlNet
Secondary chassis E C N N B B T
ControlNet
C N B
S R M
To other safety related ControlLogix and remote I/O chassis
To non-safety related systems outside the ControlLogix portion of the SIL2-certified loop. For more information, see Chapter 5.
Publication 1756-RM001E-EN-P - November 2006
1-6
SIL Policy
IMPORTANT
The system user is responsible for: • the set-up, SIL rating and validation of any sensors or actuators connected to the ControlLogix control system. • project management and functional testing. • programming the application software and the module configuration according to the description in the following chapters. The SIL2 portion of the certified system excludes the development tools and display/human machine interface (HMI) devices; these tools and devices are not part of the run time control loop. It is also important to note that ControlLogix SIL2 certification is only available on ControlLogix Redundancy systems that use 1756-L55M13 and 1756-L55M16 controllers. While you can use the 1756-L6x controllers in a redundant ControlLogix system, this set-up has not yet been SIL2-certified.
Proof Tests
IEC 61508 requires the user to perform various proof tests of the equipment used in the system. Proof tests are performed at user-defined times (for example, proof test intervals can be once a year, once every two years or whatever timeframe is appropriate) and include some of the following tests: • Testing of all fault routines to verify that process parameters are monitored properly and the system reacts properly when a fault condition arises. • Testing of digital input or output channels to verify that they are not stuck in the ON or OFF state. • Calibration of analog input and output modules to verify that accurate data is obtained from and used on the modules.
Publication 1756-RM001E-EN-P - November 2006
SIL Policy
IMPORTANT
1-7
Users’ specific applications will determine the timeframe for the proof test interval. However, keep in mind that the Probability of Failure on Demand (PFD) calculations listed in Table 1.2 on page 1-14 use a proof test interval of once per year. If the proof test interval is not once per year, the information must be recalculated. For sample PFD calculations for proof test intervals of 2 and 4 years, see Appendix E
Prooftesting with Redundancy Systems A ControlLogix redundancy system uses an identical pair of ControlLogix chassis to keep your machine or process running if a problem occurs with those chassis. When a failure occurs in any of the components of the primary chassis, control switches to the secondary controller. The switchover can be monitored so that the system notifies the user when it has occurred. In this case (i.e., when a switchover takes place), we recommend that you replace the failed controller with the mean time to restoration (MTTR) for your application. If you are using controller redundancy in a SIL2 application, you must perform half the proof test on the primary controller and half the proof test on the secondary controller. TIP
If you are concerned about the availability of the secondary controller if the primary controller fails, it is good engineering practice to implement a switchover periodically (e.g., once per proof test interval).
For more information on switchovers in ControlLogix redundancy systems and ControlLogix redundancy systems in general, see the ControlLogix Redundancy System user manual, publication 1756-UM523. For more information on system proof tests, see Chapter 2, The ControlLogix System. For more information on the necessary I/O module proof tests, see Chapter 6, ControlLogix I/O Modules.
Publication 1756-RM001E-EN-P - November 2006
1-8
SIL Policy
SIL2-Certified ControlLogix System Components
Table 1.1 lists the components available for use in a SIL2-certified ControlLogix system.
Table 1.1 Components For Use in the SIL 2 System Related Documentation(9): Device Type: Hardware
Controllers Used in NonRedundant Applications
Catalog Number:
Description:
Series:
Firmware Revision(7),(8):
Installation Instructions:
1756-A4, A7, A10, A13 & A17
ControlLogix Chassis
B
NA
1756-IN080
1756-PA75
AC Power supply
A
NA
1756-5.78
1756-PB75
DC Power supply
A
NA
1756-PA75
AC Power supply
B
NA
1756-PB75
DC Power supply
B
NA
1756-PA75R
AC Redundant power supply
A
NA
1756-PB75R
DC Redundant power supply
A
NA
1756-PC75
DC Power supply
B
NA
1756-IN597
1756-PH75
DC Power supply
B
NA
1756-IN589
1756-PSCA(1)
Redundant Power Supply Chassis Adapter Module
A
NA
1756-IN574
1756-PSCA2
Redundant Power Supply Chassis Adapter Module
A
NA
1756-IN590
1756-L55M13
ControlLogix 1.5 Mb Controller A
15.5 13.31 11.32 10.27
1756-IN101
1756-L55M16
ControlLogix 7.5 Mb Controller A
15.5 13.31 11.32 10.27
1756-L61(2)
ControlLogix 2 Mb Controller
B
15.4 13.40
1756-L62(2)
ControlLogix 4 Mb Controller
B
15.4 13.40
1756-L63(2)
ControlLogix 8 Mb Controller
B
15.4 13.40
Publication 1756-RM001E-EN-P - November 2006
User Manual: None available for these catalog numbers
1756-IN596 1756-IN573
1756-UM001
SIL Policy
1-9
Table 1.1 Components For Use in the SIL 2 System Related Documentation(9): Device Type: I/O Modules Digital
Catalog Number:
Description:
Series:
Firmware Revision(7),(8):
Installation Instructions:
User Manual:
1756-IA16I
AC Isolated Input Module
A
3.2 2.2
1756-IN059
1756-UM058
1756-IA8D
AC Diagnostic Input Module
A
3.2 2.6
1756-IN055
1756-IB16D
DC Diagnostic Input Module
A
3.2 2.6
1756-IN069
1756-IB16I
DC Isolated Input Module
A
3.2 2.2
1756-IN010
1756-IB16ISOE
Sequence of Events Module
A
1.6 1.5
1756-IN591
1756-UM528
1756-IB32
DC Input Module
B
3.5
1756-IN027
1756-UM058
1756-IH16ISOE
Sequence of Events Module
A
1.6 1.5
1756-IN592
1756-UM528
1756-OA16I
AC Isolated Output Module
A
3.2 2.1
1756-IN009
1756-UM058
1756-OA8D
AC Diagnostic Input Module
A
3.3 3.2 2.5 2.4
1756-IN057
1756-OB16D
DC Diagnostic Output Module
A
3.2 2.3
1756-IN058
1756-OB16I
DC Isolated Output Module
A
3.2 2.1
1756-IN512
1756-OB32
DC Output Module
A
3.2 2.4
1756-IN026
1756-OB8EI
DC Isolated Output Module
A
3.2 2.3
1756-IN012
1756-OW16I
Isolated Relay Output Module
A
3.2 2.1
1756-IN011
1756-OX8I
Isolated Relay Output Module
A
3.2 2.1
1756-IN513
Publication 1756-RM001E-EN-P - November 2006
1-10
SIL Policy
Table 1.1 Components For Use in the SIL 2 System Related Documentation(9): Device Type: I/O Modules Analog
Communication Modules
Catalog Number:
Description:
Series:
Firmware Revision(7),(8):
Installation Instructions:
User Manual:
1756-IF16
Single-ended Analog Input Module
A
1.5
1756-IN039
1756-IF6CIS
Isolated Sourcing Analog Input Module
A
1.12
1756-IN579
1756-IF6I
Isolated Analog Input Module
A
1.12 1.9
1756-IN034
1756-IF8
Analog Input Module
A
1.5
1756-IN040
1756-IR6I
RTD Input Module
A
1.12 1.9
1756-IN014
1756-IT6I
Thermocouple Input Module
A
1.12 1.9
1756-IN037
1756-IT6I2
Enhanced Thermocouple Input Module
A
1.13 1.12 1.11
1756-IN586
1756-OF6CI
Isolated Analog Output Module (Current)
A
1.12 1.9
1756-IN036
1756-OF6VI
Isolated Analog Output Module (Voltage)
A
1.12 1.9
1756-IN035
1756-OF8
Analog Output Module
A
1.5
1756-IN015
1756-CNB(3)
ControlNet Communication Module
D
7.12 5.45 5.38 5.27
1756-IN571
1756-CNBR
Redundant ControlNet Communication Module
D
7.12 5.45 5.38 5.27
1756-CNB
ControlNet Communication Communication Module
E
11.2
1756-CNBR
Redundant ControlNet Communication Module
E
11.2
1756-DHRIO(4)
Data Highway Plus - Remote I/O Communication Interface Module
C
5.3
1756-IN003
1756-UM514
1756-ENBT(5)
EtherNet Communication Module
A
4.3 3.4 1.33
1756-IN019
1756-UM050
1756-SYNCH(6)
SynchLink Module
A
2.18
1756-IN575
1756-UM521
Publication 1756-RM001E-EN-P - November 2006
1756-UM009
CNET-UM001
1756-IN604
SIL Policy
1-11
Table 1.1 Components For Use in the SIL 2 System Related Documentation(9): Device Type: Redundancy Controllers and Modules
Catalog Number:
Description:
Firmware Revision(7),(8):
Series:
1756-L55M13
ControlLogix 1.5 Mb Controller A
15.57 13.53
1756-L55M16
ControlLogix 7.5 Mb Controller A
15.57 13.53
1756-L61
ControlLogix 2 Mb Controller
B
15.56
1756-L62
ControlLogix 4 Mb Controller
B
15.56
1756-L63
ControlLogix 8 Mb Controller
B
15.56
1757-SRM
System Redundancy Module
B
1756-CNB(3)
ControlNet Communication Module
1756-CNBR
Installation Instructions:
User Manual:
1756-IN101
1756-UM001
4.3 3.37
1757-IN092
1756-UM523
D
7.12 5.45
1756-IN571
CNET-UM001
Redundant ControlNet Communication Module
D
7.12 5.45
1756-CNB(3)
ControlNet Communication Module
E
11.2
1756-CNBR
Redundant ControlNet Communication Module
E
11.2
1756-ENBT
EtherNet Communication Module
A
4.3 3.4
1756-IN604
1756-IN019
1756-UM050
(1)
Existing systems that use the 1756-PSCA are SIL2-certified. However, when implementing new SIL2-certified systems or upgrading existing systems, we recommend that you use the 1756-PSCA2 if possible.
(2)
Use of any 1756-L6x/B controller requires the use of the Series B versions of the 1756-Px75 power supplies.
(3)
Specified ControlNet repeaters may be used in SIL2 applications. See Chapter 5 for more information.
(4)
The 1756-DHRIO module is included in this table because this module can be used to connect the safety system to the Data Highway Plus network. However, the Data Highway Plus network is not SIL2-certified and cannot be used as part of the SIL2-certified system. It can only be used to connect non-safety devices to the safety system. Because the module is not part of the safety system, it is not listed in PFD and PFH calculations in Table 1.2 and Table 1.3 later in this chapter.
(5)
The 1756-ENBT module is included in this table because this module can be used to connect the safety system to the EtherNet/IP network However, the EtherNet/IP network is not SIL2-certified and cannot be used as part of the SIL2-certified system. It can only be used to connect non-safety devices to the safety system. Because the module is not part of the safety system, it is not listed in PFD and PFH calculations in Table 1.2 and Table 1.3 later in this chapter.
(6)
The 1756-SYNCH module is included in this table because this module can be used to propagate time between chassis and to record events that occur in each chassis. Because this module is not used for any safety-related activities, it is not listed in PFD and PFH calculations in Table 1.2 and Table 1.3 later in this chapter.
(7)
Catalog numbers that list multiple firmware revisions have multiple revisions that are SIL2-certified. When implementing new SIL2-certified systems or upgrading existing SIL2-certified systems, we recommend that you use the latest certified firmware revision (that is, the higher number). However, systems that continue to use the older firmware revision remain SIL2-certified.
(8)
Users must use these series and firmware revisions for their application to be SIL2 certified. Firmware revisions are available by visiting http://support.rockwellautomation.com/ControlFlash/
(9)
These publications are available from Rockwell Automation by visiting http://www.rockwellautomation.com/literature.
Publication 1756-RM001E-EN-P - November 2006
1-12
SIL Policy
Safety Certifications and Compliances
ControlLogix products referenced in this manual may have safety certifications in addition to the TUV SIL. To view addtional safety certifications for products, go to http://www.ab.com and select the Product Certifications link.
Hardware Designs and Firmware Functions
Diagnostic hardware designs and firmware functions designed into the ControlLogix platform allow it to achieve at least SIL2 certification in a single-controller configuration. These diagnostic features are incorporated into specific ControlLogix components, such as the: • • • •
processor power supply I/O modules backplane
and are covered in subsequent sections. The ControlLogix platform’s designs, features and characteristics make it one of the most intelligent platforms. Some of the ControlLogix features include: • multiple microprocessors that check themselves and each other • I/O modules with internal microprocessors • an I/O architecture that includes modules with backplane connections to the main central processing unit (CPU). The backplane connections, along with configuration identities, permit a new level of I/O module diagnostics unavailable in earlier platforms.
Difference Between PFD and PFH
Safety-related systems can be classified as operating in either a low demand mode, or in a high demand/continuous mode. IEC 61508 quantifies this classification by stating that the frequency of demands for operation of the safety system is no greater than once per year in the low demand mode, or greater than once per year in high demand/continuous mode. Generally speaking however, the once per year is expanded to ten times per year. • Probability of failure on demand (PFD) is the SIL value for a low demand safety-related system as related directly to order-of-magnitude ranges of its average probability of failure to satisfactorily perform its safety function on demand. • The probability of dangerous failure occurring per hour (PFH) is directly related to the SIL value for a high demand/continuous mode safety-related system.
Publication 1756-RM001E-EN-P - November 2006
SIL Policy
1-13
Although PFD and PFH values are usually associated with each of the three elements making up a safety-related system (the sensors, the actuators, the logic element), they can be associated with each component of the logic element, that is, each module of a Programmable Controller. Table 1.2 and Table 1.3 present values of the PFDs and PFHs for the specific ControlLogix products evaluated by TUV. The Mean Time Between Failure (MTBF) values listed in Table 1.2 and Table 1.3 are calculated from field data for each product. A minimum installed base must exist for at least one year before a value is calculated. It is assumed that the products are in use 16 hours/day, 5 days/week, 52 weeks/year. The Failure Rate (λ) column of Table 1.2 and Table 1.3 is just the reciprocal of MTBF. For the example PFD calculations, several assumptions were made: • 50% of the failures of each product reported to Rockwell Automation are dangerous failures. • The diagnostic coverage (DC) is 90% for modules used in a 1oo1 architecture. • The diagnostic coverage is 60% for modules used in a 1oo2 architecture. • The fraction of detected common cause failures (βD) is 1%. • The fraction of undetected common cause failures (β) is 2% Because Rockwell Automation does not and can not know every potential application for each product, these very conservative assumptions had to be made to do the calculations. For the sample calculations presented in this manual, the following values were used as the two application-dependent variables: • The Mean Time to Restoration (MTTR) is ten hours. • The Proof Test Interval (T1) is one year (8760 hours).(1) The equation for PFD, from IEC61508, for a 1oo1 architecture is: PFD = (λ DU + λ DD)tCE = λ DtCE = λ/2 [T1/2 (1 - DC) + MTTR]
(1)
For PFD calculations using proof test intervals of 2 and 4 years, see Appendix E.
Publication 1756-RM001E-EN-P - November 2006
1-14
SIL Policy
– where: λDU is the undetected dangerous failure rate (per hour) λDD is the detected dangerous failure rate (per hour) tCE is the "channel equivalent mean down time" λD is the dangerous failure rate (per hour) λ is the overall product failure rate (per hour) For a 1oo2 architecture, the PFD equation is much more complex. See IEC61508 Part 6 Annex B. The PFD values in Table 1.2 are given for the architecture that must be used for specific products to achieve SIL 2. Table 1.3 includes the same MTBF and Failure Rate values as Table 1.2 but adds calculated PFH values for high demand/continuous mode operation. The equation for PFH, from IEC61508, for a 1oo1 architecture is: PFH = λDU = λ/2 (1 - DC) For a 1oo2 architecture, see Part 6 of IEC61508. The values in Table 1.2 are given for the architecture that must be used for specific products to achieve SIL2. Table 1.2 ControlLogix Product Probability of Failure on Demand (PFD) Calculations Mean Time Between Failure (MTBF)(1)
λ(6)
ControlLogix Chassis
36,322,045(2)
2.75E-08
6.17E-06
4.85E-07
1756-CNB/D
ControlNet Bridge - Series D
5,595,646
1.79E-07
4.00E-05
3.18E-06
1756-CNB/E
ControlNet Bridge - Series E
2,944,988(3)
3.40E-07
7.61E-05
6.09E-06
1756-CNBR/D
Redundant ControlNet Bridge Series D
3,109,957
3.22E-07
7.20E-05
5.76E-06
1756-CNBR/E
Redundant ControlNet Bridge Series E
2,864,755(4)
3.49E-07
7.82E-05
6.26E-06
1756-IA16I
AC Isolated Input
15,262,520
6.55E-08
1.47E-05
1.16E-06
1756-IA8D
AC Diagnostic Input
10,383,360
9.63E-08
2.16E-05
1.70E-06
1756-IB16D
DC Diagnostic Input
41,300,480
2.42E-08
5.42E-06
4.26E-07
1756-IB16I
DC Isolated Input
19,862,336
5.03E-08
1.13E-05
8.88E-07
1756-IB16ISOE
Sequence of Events Module
4,959,088(5)
2.02E-07
4.52E-05
3.59E-06
1756-IB32
DC Input Module
2,468,448
4.05E-07
9.07E-05
7.29E-06
1756-IF8
Single-ended Analog Input Module 2,235,008
4.47E-07
1.00E-04
8.07E-06
1756-IF16
Isolated Sourcing Analog Input Module
4.78E-07
1.07E-04
8.63E-06
Catalog Number
Description
1756-Axx
Publication 1756-RM001E-EN-P - November 2006
2,094,159
Calculated PFD: 1oo1 architecture 1oo2 architecture
SIL Policy
1-15
Table 1.2 ControlLogix Product Probability of Failure on Demand (PFD) Calculations Mean Time Between Failure (MTBF)(1)
λ(6)
Isolated Analog Input Module
3,065,920
3.26E-07
7.31E-05
5.84E-06
1756-IF6I
Analog Input
2,838,451
3.52E-07
7.89E-05
6.32E-06
1756-IH16ISOE
Sequence of Events Module
6,044,122(5)
1.65E-07
3.71E-05
2.94E-06
1756-IR6I
RTD Input
3,826,296
2.61E-07
5.85E-05
4.67E-06
1756-IT6I
Thermocouple Input
3,002,035
3.33E-07
7.46E-05
5.97E-06
1756-IT6I2
Enhanced Thermocouple Input Module
991,929
1.01E-06
2.26E-04
1.88E-05
1756-L55M13
ControlLogix 1.5Mb Controller
2,228,750
4.49E-07
1.01E-04
8.09E-06
1756-L55M16
ControlLogix 7.5Mb Controller
1,644,933
6.08E-07
1.36E-04
1.11E-05
1756-L61
ControlLogix 2 Mb Controller
815,822
1.23E-06
2.75E-04
2.31E-05
1756-L62
ControlLogix 4 Mb Controller
576,992
1.73E-06
3.88E-04
3.35E-05
1756-L63
ControlLogix 8 Mb Controller
782,912
1.28E-06
2.86E-04
2.41E-05
1756-OA16I
AC Isolated Output
10,911,086
9.16E-08
2.05E-05
1.62E-06
1756-OA8D
AC Diagnostic Output
6,922,240
1.44E-07
3.24E-05
2.56E-06
1756-OB16D
DC Diagnostic Output
14,321,691
6.98E-08
1.56E-05
1.23E-06
1756-OB16I
DC Isolated Output
2,371,445
4.22E-07
9.45E-05
7.60E-06
1756-OB32
DC Output Module
1,278,125
7.82E-07
1.75E-04
1.44E-05
1756-OB8EI
DC Fused Output
5,853,120
1.71E-07
3.83E-05
3.03E-06
1756-OF6CI
Isolated Analog Output Module (Current)
9,296,907
1.08E-07
2.41E-05
1.90E-06
1756-OF6VI
Isolated Analog Output Module (Voltage)
13,062,400
7.66E-08
1.71E-05
1.35E-06
1756-OF8
Analog Output
5,717,675
1.75E-07
3.92E-05
3.11E-06
1756-OW16I
Isolated Relay Output Module
1,360,415(5)
7.35E-07
1.65E-04
1.35E-05
1756-OX8I
Contact Output
19,281,600
5.19E-08
1.16E-05
9.15E-07
1756-PA75/A
AC Power Supply
14,538,606
6.88E-08
1.54E-05
1.21E-06
1756-PA75/B
AC Power Supply
5,513,591(5)
1.81E-07
4.06E-05
3.22E-06
1756-PA75R
AC Redundant Power Supply
296,978(4)
3.37E-06
7.54E-04
7.06E-05
1756-PB75/A
DC Power Supply
10,157,334
9.85E-08
2.21E-05
1.74E-06
1756-PB75/B
DC Power Supply
5,884,430(5)
1.70E-07
3.81E-05
3.02E-06
1756-PB75R
DC Redundant Power Supply
1,134,848(4)
8.81E-07
1.97E-04
1.63E-05
1756-PC75
DC Power supply
5,894,836(5)
1.70E-07
3.80E-05
3.01E-06
1756-PH75
DC Power supply
5,889,628(5)
1.70E-07
3.80E-05
3.02E-06
Catalog Number
Description
1756-IF6CIS
Calculated PFD: 1oo1 architecture 1oo2 architecture
Publication 1756-RM001E-EN-P - November 2006
1-16
SIL Policy
Table 1.2 ControlLogix Product Probability of Failure on Demand (PFD) Calculations Mean Time Between Failure (MTBF)(1)
λ(6)
Power Supply Chassis Adapter Module
45,146,727(5)
2.21E-08
4.96E-06
3.90E-07
1756-PSCA2
Redundant Power Supply Chassis Adapter Module
45,146,727(5)
2.21E-08
4.96E-06
3.90E-07
1757-SRM
System Redundancy Module
835,357
1.20E-06
2.68E-04
2.25E-05
Catalog Number
Description
1756-PSCA
Calculated PFD: 1oo1 architecture 1oo2 architecture
(1)
MTBF measured in hours. The values used here represent values available in September 2006.
(2)
Aggregate based on total shipments and total returns of all five chassis (1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17) collectively.
(3)
Calculated using field-based values for components.
(4)
Calculated using field-based values for components.
(5)
Calculated using field-based values for components.
(6)
λ = Failure Rate = 1/MTBF.
For PFD calculations with proof test interval of 5 years, see Appendix E.
Publication 1756-RM001E-EN-P - November 2006
SIL Policy
1-17
Table 1.3 ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations Catalog Number Description
Mean Time Between Failure (MTBF)(1)
λ(5)
Calculated PFH: 1oo1 architecture 1oo2 architecture
1756-Axx
ControlLogix Chassis
36,322,045(2)
2.75E-08
1.38E-09
1.93E-10
1756-CNB/D
ControlNet Bridge - Series D
5,595,646
1.79E-07
8.94E-09
1.28E-09
1756-CNB/E
ControlNet Bridge - Series E
2,944,988
3.40E-07
1.70E-08
2.48E-09
1756-CNBR/D
Redundant ControlNet Bridge Series D
3,109,957
3.22E-07
1.61E-08
2.34E-09
1756-CNBR/E
Redundant ControlNet Bridge Series E
2,864,755(5)
3.49E-07
1.75E-08
2.55E-09
1756-IA16I
AC Isolated Input
15,262,520
6.55E-08
3.28E-09
4.62E-10
1756-IA8D
AC Diagnostic Input
10,383,360
9.63E-08
4.82E-09
6.82E-10
1756-IB16D
DC Diagnostic Input
41,300,480
2.42E-08
1.21E-09
1.70E-10
1756-IB16I
DC Isolated Input
19,862,336
5.03E-08
2.52E-09
3.55E-10
1756-IB16ISOE
Sequence of Events Module
4,959,088
2.02E-07
1.01E-08
1.45E-09
1756-IB32
DC Input Module
2,468,448
4.05E-07
2.03E-08
2.98E-09
1756-IF8
Single-ended Analog Input Module 2,235,008
4.47E-07
2.24E-08
3.30E-09
1756-IF16
Isolated Sourcing Analog Input Module
2,094,159
4.78E-07
2.39E-08
3.54E-09
1756-IF6CIS
Isolated Analog Input Module
3,065,920
3.26E-07
1.63E-08
2.37E-09
1756-IF6I
Analog Input
2,838,451
3.52E-07
1.76E-08
2.57E-09
1756-IH16ISOE
Sequence of Events Module
6,044,122(5)
1.65E-07
8.27E-09
1.18E-09
1756-IR6I
RTD Input
3,826,296
2.61E-07
1.31E-08
1.89E-09
1756-IT6I
Thermocouple Input
3,002,035
3.33E-07
1.67E-08
2.43E-09
1756-IT6I2
Enhanced Thermocouple Input Module
991,929
1.01E-06
5.04E-08
7.93E-09
1756-L55M13
ControlLogix 1.5Mb Controller
2,228,750
4.49E-07
2.24E-08
3.31E-09
1756-L55M16
ControlLogix 7.5Mb Controller
1,644,933
6.08E-07
3.04E-08
4.57E-09
1756-L61
ControlLogix 2 Mb Controller
815,822
1.23E-06
6.13E-08
9.87E-09
1756-L62
ControlLogix 4 Mb Controller
576,992
1.73E-06
8.67E-08
1.47E-08
1756-L63
ControlLogix 8 Mb Controller
782,912
1.28E-06
6.39E-08
1.03E-08
1756-OA16I
AC Isolated Output
10,911,086
9.16E-08
4.58E-09
6.49E-10
1756-OA8D
AC Diagnostic Output
6,922,240
1.44E-07
7.22E-09
1.03E-09
1756-OB16D
DC Diagnostic Output
14,321,691
6.98E-08
3.49E-09
4.93E-10
1756-OB16I
DC Isolated Output
2,371,445
4.22E-07
2.11E-08
3.10E-09
1756-OB32
DC Output Module
1,278,125
7.82E-07
3.91E-08
6.00E-09
1756-OB8EI
DC Fused Output
5,853,120
1.71E-07
8.54E-09
1.22E-09
(3)
(5)
Publication 1756-RM001E-EN-P - November 2006
1-18
SIL Policy
Table 1.3 ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations Catalog Number Description
Mean Time Between Failure (MTBF)(1)
λ(5)
Calculated PFH: 1oo1 architecture 1oo2 architecture
1756-OF6CI
Isolated Analog Output Module (Current)
9,296,907
1.08E-07
5.38E-09
7.63E-10
1756-OF6VI
Isolated Analog Output Module (Voltage)
13,062,400
7.66E-08
3.83E-09
5.41E-10
1756-OF8
Analog Output
5,717,675
1.75E-07
8.74E-09
1.25E-09
1756-OW16I
Isolated Relay Output Module
1,360,415
7.35E-07
3.68E-08
5.61E-09
1756-OX8I
Contact Output
19,281,600
5.19E-08
2.59E-09
3.65E-10
1756-PA75/A
AC Power Supply
14,538,606
6.88E-08
3.44E-09
4.86E-10
1756-PA75/B
AC Power Supply
5,513,591(5)
1.81E-07
9.07E-09
1.30E-09
1756-PA75R
AC Redundant Power Supply
296,978(4)
3.37E-06
1.68E-07
3.33E-08
1756-PB75/A
DC Power Supply
10,157,334
1756-PB75/B
(5)
9.85E-08
4.92E-09
6.97E-10
DC Power Supply
5,884,430
(5)
1.70E-07
8.50E-09
1.21E-09
1756-PB75R
DC Redundant Power Supply
1,134,848(4)
8.81E-07
4.41E-08
6.83E-09
1756-PC75
DC Power supply
5,894,836(5)
1.70E-07
8.48E-09
1.21E-09
1756-PH75
DC Power supply
5,889,628(5)
1.70E-07
8.49E-09
1.21E-09
1756-PSCA
Power Supply Chassis Adapter Module
45,146,727(5)
2.21E-08
1.11E-09
1.55E-10
1756-PSCA2
Redundant Power Supply Chassis Adapter Module
45,146,727(5)
2.21E-08
1.11E-09
1.55E-10
1757-SRM
System Redundancy Module
835,357
1.20E-06
5.99E-08
9.61E-09
(1)
MTBF measured in hours. The values used here represent values available in September 2006.
(2)
Aggregate based on total shipments and total returns of all five chassis (1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17) collectively.
(3)
Calculated using field-based values for components.
(4)
Assumes that both power supplies fail simultaneously.
(5)
λ = Failure Rate = 1/MTBF
Publication 1756-RM001E-EN-P - November 2006
SIL Policy
1-19
Table 1.4 shows an example of a PFD calculation for a fail-safe configuration involving two DC input modules used in a 1oo2 configuration and a DC output module.The exaple calculation is depicted in the first loop shown in Figure 1.4 on page 1-20 . Table 1.4 Catalog Number:
Description:
MTBF:
Calculated PFD:
1756-Axx
ControlLogix Chassis
36,322,045
6.17E-06
1756-L55M16
ControlLogix 5555 Controller
1,644,933
1.36E-04
1756-OB16D
DC Output
14,321,691
1.56E-05
1756-IB16D
DC Diagnostic 41,300,480 4.26E-07 Input Total PFD calculation for a safety loop consisting of these products: 1.58E-04
Publication 1756-RM001E-EN-P - November 2006
1-20
SIL Policy
SIL Compliance Distribution and Weight
The programmable controller may conservatively be assumed to contribute 10% of the reliability burden. (See Figure 1.4.) A SIL 2 system may need to incorporate multiple inputs for critical sensors and input devices, as well as dual outputs connected in series to dual actuators dependent on SIL assessments for the safety related system. (See Figure 1.4) Figure 1.4 ControlLogix Systems or Loop +V 10% of the PFD
40% of the PFD
Sensor
Input Module
Power Controller Supply
Diag. Output Module
Actuator
50% of the PFD
Sensor
Input Module
43383
+V 10% of the PFD
40% of the PFD
Sensor
Input Module
Power Controller Supply
Standard Output Module
Actuator
50% of the PFD
Sensor
Input Module
Monitoring Input Module
43384
Publication 1756-RM001E-EN-P - November 2006
SIL Policy
Other Agency Certifications
1-21
User documentation shipped with ControlLogix products typically list the agency certifications for which the products are approved. If a product has achieved agency certification, it is marked as such on the product labeling. Product certifications are listed in the product’s specifications table, as shown in the example below. Certification
UL
UL Listed Industrial Control Equipment
CSA
CSA Certified Process Control Equipment for Class I, Division 2 Group A,B,C,D Hazardous Locations
FM
FM Approved Equipment for use in Class I Division 2 Group A,B,C,D Hazardous Locations
CE
European Union 89/336/EEC EMC Directive, compliant with: EN 50081-2; Industrial Emissions
C-Tick
Australian Radio Communications Act, compliant with: AS/NZS 2064; Industrial Emissions
Response Times
The response time of the system is defined as the amount of time it takes for a change in an input condition to be recognized and processed by the controller’s ladder logic program, and then to initiate the appropriate output signal to an actuator. The system response time is the sum of the following: • • • • •
input hardware delays input filtering I/O and communication module RPI settings controller program scan times output module propagation delays
Each of the times listed above is variably dependent on factors such as the type of I/O module and instructions used in the ladder program. For examples of how to perform these calculations, see Appendix A, Response Times in ControlLogix. For more information on the available instructions and for a full description of logic operation and execution, see the following publications: • Logix5000 Controllers General Instruction Set Reference Manual, publication 1756-RM003. • ControlLogix System User Manual, publication 1756-UM001.
Publication 1756-RM001E-EN-P - November 2006
1-22
SIL Policy
Response Times in Redundancy Systems The response time of a system that uses redundancy is different from a system that does not use redundancy. The redundancy system has a longer response time because: • The primary controller must keep the secondary up-to-date and ready to take over control in case of a switchover. This process of cross-loading fresh data at the end of each program scan increases scan time. You can plan your project effectively (e.g., minimize the use of SINT or INT tags, use arrays and user-defined data types) to minimize the scan time in a redundancy system. Generally, the primary controller in a redundancy system has a 20% slower response time than the controller in a non-redundancy system. • The switchover between controllers slows system response. The switchover time of a redundancy system depends on the network update time (NUT) of the ControlNet network. To estimate the switchover time, use the following formulas: For this type of failure:
If the NUT is:
The switchover time is:
Example:
loss of power
<6
60 ms
For a NUT of 4 ms, the switchover time is approximately 60 ms.
>7
5 (NUT) + MAX (2[NUT], 30)
For a NUT of 10 ms, the switchover time is approximately 80 ms.
14 (NUT) + MAX (2[NUT], 30) + 50
For a NUT of 10 ms, the switchover time is approximately 220 ms.
–or– module failure 1756-CNB module cannot communicate with any other node
For more information on response times in redundancy systems, see the ControlLogix Redundancy System User Manual, publication 1756-UM523.
Publication 1756-RM001E-EN-P - November 2006
SIL Policy
Program Watchdog Time in ControlLogix System
1-23
The program watchdog (also known as the software watchdog) time is a user-defined time that is set in the controller attributes menu of the RSLogix 5000 software. See the ControlLogix System User Manual, publication number 1756-UM001 for more information. The publication is available from Rockwell Automation. The program watchdog time is the maximum permissible time allowed for a RUN cycle (cycle time). If the cycle time exceeds the program watchdog time, a major fault occurs on the controller. Users must monitor the watchdog and program the system outputs to transition to the safe state (typically the OFF state) in the event of a major fault occurring on the controller. For more information on faults, see Chapter 7, Faults in the ControlLogix System. The program watchdog time must be ≥ 10 ms and must be < 50% of the safety time required for a ControlLogix system. The safety time is the maximum amount of time in which the process tolerates a wrong signal.
Contact Information When Device Failure Occurs
When users experience a failure with any SIL2-certified ControlLogix device, they should contact their local Rockwell Automation sales office. With this contact, the user can: • return the device to Rockwell Automation so the failure is appropriately logged for the catalog number affected and a record made of the failure. • request a failure analysis (if necessary) to determine the cause of the failure, if possible.
Publication 1756-RM001E-EN-P - November 2006
1-24
SIL Policy
Publication 1756-RM001E-EN-P - November 2006
Chapter
2
The ControlLogix System
This chapter offers an overview of some standard features in the ControlLogix architecture that assist in its suitability for use in SIL2 applications. For information about:
General Overview of ControlLogix Platform
See page:
General Overview of ControlLogix Platform
2-1
Overview of the ControlLogix Architecture
2-2
Module Fault Reporting
2-3
Fault Handling
2-3
Data Echo Communication Check
2-4
Pulse Test
2-5
Software
2-6
Communications
2-6
Other Unique Features that Aid Diagnostics
2-7
Many of the diagnostic methods and techniques used in the ControlLogix platform are improved versions of techniques and designs previously incorporated into Allen-Bradley PLC platforms over the last three decades. These are designs that have evolved to maintain the robustness and deterministic response that our customers have come to expect as they migrated from electromechanical to solid state technology. The self-checking routines and diagnostics performed by microprocessor-based systems (for example, ControlLogix) have greatly advanced over the years. Programmable controllers such as ControlLogix can be programmed and configured to perform checks on the total system, including its own configuration, wiring, and performance, as well as monitor input sensors and output devices.
1
Publication 1756-RM001E-EN-P - November 2006
2-2
The ControlLogix System
If an anomaly (other than automatic shutdown) is detected, the system can be programmed to initiate user-defined fault handling routines. Output modules can turn OFF selected outputs in the event of a failure. New diagnostic I/O modules self-test to make sure that field wiring is functioning. Output modules use pulse testing to make sure output switching devices are not shorted. Using these internal features, as well as application software when needed, today’s ControlLogix customers are able to achieve highly reliable control systems.
Overview of the ControlLogix Architecture
Rockwell Automation’s latest generation of programmable controllers is the ControlLogix system. Inherent in its design and implementation are several features that surpass anything offered in previous product architectures. The inclusion of these features represent improvements driven by customer demand for uptime and reliability as well as Rockwell’s long-developed design experience in producing these types of products. One of the most significant changes in the architecture is the implementation of the Producer/Consumer (P/C) communication model between controller and I/O. The P/C communication model replaces traditional ‘polling’ of I/O modules and, consequently, has changed the overall behavior of these components vis-a-vis their counterparts in previous architectures. Input modules “produce” data, controller and output modules both “produce” and “consume” data. These changes were embraced because of the enhanced data integrity and fault reporting capabilities they provide. I/O modules now exchange much more than simply the ON/OFF state of the devices they are connected to. Module identification information, communication status, fault codes and, through the use of specially-designed modules, field-side diagnostics can now all be retrieved from the I/O system as part of the standard feature set of the Producer/Consumer communication model. (See Figure 2.1). Figure 2.1 Producer/Consumer Communication Model Logix Controller
Input Modules
Output Modules
Commonly Shared Data 43374
Publication 1756-RM001E-EN-P - November 2006
The ControlLogix System
2-3
Module Fault Reporting One of the key concepts in this model is Ownership. Every module in the control system is now “owned” by at least one controller in the architecture. When a controller “owns” an I/O module, it means that that controller stores the module’s configuration data, defined by the user; this data dictates how the module behaves in the system. Inherent in this configuration and ownership is the establishment of a “heartbeat” between the controller and module; this heartbeat is also known as the Requested Packet Interval (RPI). The existence of the RPI forms the basis for Module Level Fault reporting in the ControlLogix architecture, a capability which is inherent to all ControlLogix I/O modules. For more information on module fault reporting in the ControlLogix controller, specifically the GSV instructions, see Chapter 7, Faults in the ControlLogix System.
Fault Handling The RPI defines a minimum time interval in which the controller and I/O module must communicate with each other. If, for any reason, communications cannot be established or maintained (that is, the I/O module has failed), the system can be programmed to run a special Fault Handling routine. This routine determines whether the system must continue functioning or whether the fault condition warrants a shutdown of the application. For example, the system can be programmed to retrieve the fault code of the failed module and make a determination, based on the type of fault, as to whether to continue operating. In addition, standard ControlLogix output modules are also capable of reporting blown-fuse status and loss of field power back to the controller. This ability of the controller to monitor the health of I/O modules in the system and take appropriate action based on the severity of a fault condition gives the user complete control of the application’s behavior when trouble occurs. It is the user’s responsibility to establish the course of action appropriate to their safety application. For more information on Fault Handling, see Chapter 7, Faults in the ControlLogix System.
Publication 1756-RM001E-EN-P - November 2006
2-4
The ControlLogix System
Data Echo Communication Check Another powerful by-product of the p/c communication model and the implementation of the Control and Information Protocol (CIP) protocol is the Output Data Echo, a communication method employed between owner-controllers and every output module in the system. Output Data Echo allows the user to verify that an ON/OFF output command from the controller was actually received by the correct output module, and that the module will attempt to execute the command to the field device connected to it. During normal operation, when a controller sends an output command, the output module that is targeted for that command will “echo” that requested state back to the system upon its receipt. This verifies that the module has received the command and will try to execute it. By comparing the requested state from the controller to the Data Echo received from the module, the user can validate that the signal has reached the correct module and that the module will attempt to activate the appropriate field-side device. Again, it is the user’s responsibility to establish the course of action appropriate to their safety application. When used with standard ControlLogix output modules, the Data Echo validates the command up to the system-side of the module, but not to the field-side. However, when this feature is used in tandem with diagnostic output modules, the user can virtually verify the output command integrity from the controller to the actuator connected to the module. Diagnostic output modules contain special circuitry that performs Field Side Output Verification. Field Side Output Verification informs the user that system-side commands received by the module are accurately represented on the power side of the switching device. In other words, for each output point, this feature confirms that the output is ON when it is commanded to be ON or OFF when commanded to be OFF. The capability of comparing the actual state of the field-side of the diagnostic module’s output against what the controller commands gives the user the ability to make sure that the module is performing what the control system is requesting, once that output command has been issued.
Publication 1756-RM001E-EN-P - November 2006
The ControlLogix System
2-5
Figure 2.2 Output Module Behavior in the ControlLogix System Output Commands from Controller Standard ControlLogix I/O Information
Data Echo validation from system-side
Additional Field-Side Information provided by Diagnostic Output modules
Field-side Output Verification, Pulse Test status plus No Load detection
Actuator
Pulse Test A diagnostic output module feature called a Pulse Test can verify output circuit functionality without actually changing the state of the actuator connected to the output. Under user program control, an extremely short-duration pulse is directed to a particular output on the module. The output circuitry will momentarily change its current state long enough to verify that it CAN change state when requested, but short enough in duration (the actual pulse is measured in milliseconds) not to effect the actuator connected to the output. This powerful feature allows a user to perform a preemptive diagnosis of possible future module conditions before they occur.
Publication 1756-RM001E-EN-P - November 2006
2-6
The ControlLogix System
Software The location, ownership and configuration of I/O modules and controllers is performed using RSLogix 5000 programming software. The software is used for creation, testing and debugging of application logic. When using RSLogix 5000, users must remember the following: • During normal SIL2-certified operation: – we recommend the programming terminal be disconnected. – the keyswitch must be set to the RUN position. – the controller key must be removed from the keyswitch. • Authorized personnel may change an application program but only by using one of the processes described in section Changing Your Application Program on page 9-6.
Communications ControlNet forms the basis for I/O communications on the ControlLogix backplane and over the network. It is an industry-proven network that incorporates 16-bit CRC and a standard CIP network protocol. You must use RSNetWorx for ControlNet software to schedule the network. The correct scheduling of the network is independently verified by the controller after the program is downloaded; the schedule must match the RSLogix 5000 program. The software also provides user-defined fault handing (for example, execute fault routine) in the case of errors. A serial port is available on the controller for download or visualization only. It uses an industry-proven DF-1 serial link protocol that has a selection of either 8-bit BCC checksum or 16-bit CRC. The serial port also uses an industry standard CIP network protocol running on the DF-1 link. EtherNet/IP connection is also available for download, monitoring and visualization.
Publication 1756-RM001E-EN-P - November 2006
The ControlLogix System
2-7
Other Unique Features that Aid Diagnostics These are just a few examples of how the inherent characteristics of the ControlLogix I/O system provides the user with an unprecedented capability to diagnose and react to fault conditions in an application. There are many other unique features that differentiate it from previous iterations of programmable controllers, such as: • Timestamping of I/O and diagnostic data • Electronic keying based on module identification – During module configuration, you must choose one of the following keying options for your module: – Exact Match – Compatible Module – Disable Keying When the controller attempts to connect to and configure a ControlLogix module (e.g., after program download), the module compares the specific parameters, defined by the keying option selected, before allowing the connection and configuration to be accepted. We recommend that you use Exact Match whenever possible. With Exact Match, all module comparisons between the configuration and the module physically located in the slot that the controller is attempting to configure must be identical or the connection is rejected. IMPORTANT
Some I/O modules listed in Table 1.1 on page 1-8, may not have configuration profiles for the version of RSLogix 5000 being used. You may use Disable Keying in these instances. For example, the 1756-IB32/B module does not have a profile in RSLogix 5000, version 11. In this case, the 1756-IB32/A profile can be used to configure the series B module as long as the Disable Keying option is selected. However, if you use the Disable Keying option, you must verify that the correct module is used with your configuration in a SIL2-certified system.
For more information on these features, see the Digital I/O user manual, publication number 1756-UM058.
Publication 1756-RM001E-EN-P - November 2006
2-8
The ControlLogix System
Checklist for the ControlLogix System
The following checklist is required for planning, programming and start up of a SIL2-certified ControlLogix system. It may be used as a planning guide as well as during proof testing. If used as a planning guide, the checklist can be saved as a record of the plan. Check List for ControlLogix System(1)
Company: Site: Loop definition: No.
Fulfilled Yes
1
Are you only using the SIL2-certified ControlLogix modules listed in Table 1.1 on page 1-8, with the corresponding firmware release listed in the table, for your safety application?
2
Have you calculated the system’s response time?
3
Does the system’s response time include both the user-defined, SIL-task program watchdog (software watchdog) time and the SIL-task duration time?
4
Is the system response time in proper relation to the process tolerance time?
5
Have PFD values been calculated according to the system’s configuration?
6
Have you performed all appropriate proof tests?
7
Have you defined your process parameters that are monitored by fault routines?
8
Have you determined how your system will handle faults?
9
Have you taken into consideration the checklists for using SIL inputs and outputs listed on pages 6-25 and 6-26.
(1)
For more information on the specific tasks in this checklist, see the previous sections in the chapter or Chapter 1, SIL Policy.
Publication 1756-RM001E-EN-P - November 2006
No
Comment
Chapter
3
ControlLogix System Hardware
This chapter discusses the hardware required in SIL2-certified ControlLogix systems. For information about:
Introduction to the Hardware
See page:
Introduction to the Hardware
3-1
ControlLogix Chassis
3-2
ControlLogix Power Supplies
3-2
Non-Redundant Power Supply
3-2
Redundant Power Supply
3-3
Recommendations for System Hardware Use
3-3
Related ControlLogix Hardware Documentation
3-4
SIL2-certified ControlLogix systems can use the following chassis and power supply hardware: • ControlLogix Chassis - Including the following catalog numbers: – 1756-A4 – 1756-A7 – 1756-A10 – 1756-A13 – 1756-A17 • ControlLogix Power Supplies - Including the following catalog numbers: – 1756-PA75 – 1756-PB75 – 1756-PA75R – 1756-PB75R – 1756-PC75 – 1756-PH75 – 1756-PSCA – 1756-PSCA2 – 1756-CPR cables
1
Publication 1756-RM001E-EN-P - November 2006
3-2
ControlLogix System Hardware
ControlLogix Chassis
The ControlLogix 1756-Axx chassis provide the physical connections between modules and the ControlLogix backplane. These connections allow for P/C communications between controllers and I/O modules. The chassis itself is passive and is not relevant to further discussion since any physical failure would be unlikely under normal environmental conditions and would be manifested and detected as a failure within one or more of the active components.
ControlLogix Power Supplies
ControlLogix power supplies are designed with noise filtering and isolation to reduce the opportunity for induced contamination of the supplied voltages. The power supply monitors the backplane power and generates control signals (for example, DC_FAIL_L) to indicate if power failure is imminent. Anomalies in the supplied voltages immediately shut down the power supply. The power supply monitors all power supply voltages via sense lines. IMPORTANT
No extra configuration or wiring is required for SIL2 operation of the ControlLogix power supplies.
All ControlLogix power supplies are designed to: • detect anomalies • communicate to the controllers with enough stored power to allow for an orderly and deterministic shutdown of the system, including the controller and I/O
Non-Redundant Power Supply ControlLogix non-redundant power supplies (i.e one power supply is connected to a chassis) certified for use in SIL2 applications include the following catalog numbers: • • • •
1756-PA75 - AC power supply 1756-PB75 - DC power supply 1756-PC75 - DC power supply 1756-PH75 - DC power supply
IMPORTANT
Publication 1756-RM001E-EN-P - November 2006
When non-redundant power supplies are used with 1756-L6x controllers, they must be Series B.
ControlLogix System Hardware
3-3
Redundant Power Supply ControlLogix redundant power supplies (i.e two power supplies are connected to the same chassis) certified for use in SIL2 applications include the following catalog numbers: • 1756-PA75R - AC power supply • 1756-PB75R - DC power supply • 1756-PSCA - Redundant power supply chassis adapter module required with the use of redundant power supplies • 1756-PSCA2 - Redundant power supply chassis adapter module required with the use of redundant power supplies • 1756-CPR cables The power supplies share the current load required by the chassis and an internal solid state relay that can annunciate a fault. Upon detection of a failure in one supply, the other redundant power supply automatically assumes the full current load required by the chassis without disruption to devices installed. The 1756-PSCA and 1756-PSCA2 redundant power supply chassis adapter modules connect the redundant power supply to the chassis. For additional ControlLogix power supply information, see the documentation referenced in the Related ControlLogix Hardware Documentation section on page 3-4.
Recommendations for System Hardware Use
Users must consider the recommendations listed below when using SIL2-certified ControlLogix hardware:
Chassis When installing ControlLogix chassis, follow the information provided in the product documentation listed in the Related ControlLogix Hardware Documentation section on page 3-4.
Publication 1756-RM001E-EN-P - November 2006
3-4
ControlLogix System Hardware
Power Supplies Users must consider these recommendations when using SIL2-certified ControlLogix power supplies: • When installing ControlLogix power supplies, follow the information provided in the product documentation listed in the Related ControlLogix Hardware Documentation section on page 3-4. • A non-redundant power supply can be used if it meets the user-defined PFD criteria. • For high availability SIL2 applications, the redundant power supply is recommended. • It is recommended that the solid state fault relay on each power supply be wired from an appropriate voltage source to an input point in ControlLogix so the user can detect and display a power supply fault.
Related ControlLogix Hardware Documentation
For more information on ControlLogix hardware, see the Rockwell Automation publications listed in Table 3.1: Table 3.1 Catalog Number:
Description:
Installation Instructions:
1756-A4, A7, A10, A13 & A17
ControlLogix Chassis
1756-IN080
1756-PA75
AC Power supply
1756-5.78
1756-PB75
DC Power supply
1756-PA75/B
AC Power supply
1756-PB75/B
DC Power supply
1756-PA75R
AC Redundant power supply
1756-PB75R
DC Redundant power supply
1756-PC75
DC Power supply
1756-IN597
1756-PH75
DC Power supply
1756-IN589
1756-PSCA
Redundant Power Supply Chassis Adapter Module
1756-IN574
1756-PSCA2
Redundant Power Supply Chassis Adapter Module
1756-IN590
1756-IN596 1756-IN573
These publications are available from Rockwell Automation at: http://www.rockwellautomation.com/literature
Publication 1756-RM001E-EN-P - November 2006
Chapter
4
ControlLogix Controller
This chapter discusses the ControlLogix controller as used in a SIL2-certified system.
Introduction to the Controller
The ControlLogix controllers used in a SIL2-certified ControlLogix system is a solid-state control system with a user-programmable memory for storage of data to implement specific functions, such as: • • • • • • • •
I/O control Logic Timing Counting Report generation Communications Arithmetic Data file manipulation
The controller consists of a central processor, I/O interface and memory. The controller performs power-up and run-time functional tests. The tests are used with user-supplied application programs to verify proper controller operation.
CompactFlash Card A 1784-CF64 Industrial CompactFlash card provides nonvolatile memory for the 1756-L61, 1756-L62 and 1756-L63 controllers. However, the use of this card is NOT yet certified, and may NOT be used in a SIL2-certified application.
1
Publication 1756-RM001E-EN-P - November 2006
4-2
ControlLogix Controller
Recommendations for Controller Use
Users must consider the recommendations listed below when using a SIL2-certified ControlLogix controller: • In non-redundant applications, use only one controller in SIL2-certified ControlLogix loop. The controller must own the configuration information for all I/O modules associated with the safety loop. • When installing ControlLogix controller, follow the information provided in the documentation listed in the Related Controller Documentation section below. • There are currently separate firmware revisions for redundant and non-redundant operation. For more information on the revisions, see Table 1.1 on page 1-8.
Related Controller Documentation
For more information on the ControlLogix controller, see the following Rockwell Automation publications listed in Table 4.1: Table 4.1 Catalog Number:
Description:
1756-L55M13
ControlLogix 1.5Mb Controller
1756-L55M16
ControlLogix 7.5Mb Controller
1756-L61
ControlLogix 2 Mb Controller
1756-L62
ControlLogix 4 Mb Controller
1756-L63
ControlLogix 8 Mb Controller
Installation Instructions: 1756-IN101
User Manual: 1756-UM001
These publications are available from Rockwell Automation at: http://www.rockwellautomation.com/literature
Publication 1756-RM001E-EN-P - November 2006
Chapter
5
ControlLogix Communications Modules
This chapter discusses the communication modules used in a ControlLogix SIL2 system. For information about:
Introduction to Communication Modules
See page:
Introduction to Communication Modules
5-1
ControlNet Bridge Module
5-2
ControlNet Cabling
5-2
ControlNet Module Diagnostic Coverage
5-2
Ethernet Module
5-3
Ethernet Versus ControlNet
5-3
Related Communications Modules Documentation
5-5
The communications modules in a SIL2-certified ControlLogix system provide communication bridges from a ControlLogix chassis to other chassis or devices via the ControlNet and Ethernet networks. The following communications modules are available: • • • •
ControlNet modules - Catalog numbers 1756-CNB & 1756-CNBR Ethernet modules - Catalog number 1756-ENBT Data Highway Plus – Remote I/O - Catalog number 1756-DHRIO SynchLink – Catalog number 1756-SYNCH
ControlLogix communications modules can be used in peer-to-peer communications between ControlLogix devices. The communications modules can also be used for expansion of I/O to additional ControlLogix remote I/O chassis.
1
Publication 1756-RM001E-EN-P - November 2006
5-2
ControlLogix Communications Modules
ControlNet Bridge Module
The ControlNet bridge module (1756-CNB & 1756-CNBR) provides for the communications between ControlLogix chassis over the ControlNet network.
ControlNet Cabling For remote racks, a single RG6 coax cable is required for ControlNet. Although it is not a requirement to use redundant media with the 1756-CNBR, it does provide higher system reliability. Redundant media is not required for SIL2 operation.
ControlNet Repeater The following ControlNet repeater modules are approved for use in safety applications up to and including SIL2: • • • •
1786-RPFS, Short-distance Fiber Repeater Module 1786-RPFM, Medium-distance Fiber Repeater Module 1786-RPFRL, Long-distance Fiber Repeater Module 1786-RPFRXL, Extra-long-distance Fiber Repeater Module
Use of adapter 1756-RPA is required with all of the repeater modules listed. For more information about the use of ControlNet Repeater modules, see Table 5.1. Table 5.1 For More Information About Repeater Modules Topic
Publication Title
Publication Number
Planning for and installing ControlNet repeater modules.
ControlNet Fiber Media Planning and Installation Guide
CNET-IN001
Use of repeaters in safety applications.
TUV Report 986/EZ
986/EZ 135.03.05
ControlNet Module Diagnostic Coverage All communications over the passive ControlNet media occur via CIP, which guarantees delivery of the data. All modules independently verify proper transmission of the data.
Publication 1756-RM001E-EN-P - November 2006
ControlLogix Communications Modules
Ethernet Module
5-3
The Ethernet bridge module (1756-ENBT) provides for the communications from one ControlLogix chassis to other devices over the Ethernet network. The Ethernet link is based on industry-standard CIP network protocol running on top of TCP and UDP using 32-bit CRC. Also, TCP and UDP with 16-bit Checksums are running on top of Ethernet.
Ethernet Versus ControlNet
Although it may be acceptable to use Ethernet for specific applications, such as program download, Ethernet requires a switch for a “star” configuration. Rockwell Automation does not sell or reference a SIL2/SIL3 Ethernet switch. Also Ethernet is an “active” media whereas ControlNet uses a “passive” media (that is, very low failure rate).
Publication 1756-RM001E-EN-P - November 2006
5-4
ControlLogix Communications Modules
Data Highway Plus Remote I/O
The Data Highway Plus - Remote I/O Communication Interface module (1756-DHRIO) supports multiple types of communication. However, you can only use the DH+ portion of the module’s functionality in SIL2 applications.
SynchLink
The SynchLink module (1756-SYNCH) is used for CST time propagation between multiple chassis for event recording. The module cannot be used for any safety-related activity in a SIL2-certified ControlLogix system.
Recommendations for Communications Modules Use
Users must consider the recommendations listed below when using SIL2-certified communications modules: • When installing ControlLogix communications modules, follow the information provided in the documentation listed in the Related Communications Modules Documentation section on page 5-5. • Use Ethernet for communications to Human-to-Machine Interfaces (HMI) and programming terminals only. For more information on using HMI, see Figure 1.2 on page 1-4 and Chapter 10, Use and Application of Human to Machine Interfaces. • Use DH+ for communications to Human-to-Machine Interfaces (HMI) and for communicating with the non-safety portion of the system. For more information on using HMI, see Figure 1.2 on page 1-4 and Chapter 10, Use and Application of Human to Machine Interfaces. • Remote I/O chassis should be connected via ControlNet only. • Peer-to-peer communications to controllers outside the safety loop are restricted to ControlNet only and should occur only if the controller in the safety loop is sharing its own information (for example, via produced tags) with other controllers outside the loop. • For exchanging I/O data, use listen-only connections. • For exchanging non-I/O data, use producer/consumer tags.
Publication 1756-RM001E-EN-P - November 2006
ControlLogix Communications Modules
5-5
• Typically, no devices must be permitted to write data to the controller in the safety loop. The only exception to this recommendation is the use of HMI devices. For more information on how to use HMI in the safety loop, see Chapter 10. For more information on connecting remote I/O chassis and peer-to-peer communication, see Figure 1.2 on page 1-4.
Related Communications Modules Documentation
For more information on ControlLogix communications modules, see the following Rockwell Automation publications listed in Table 5.2: Table 5.2 Catalog Number:
Installation Instructions:
Description:
1756-CNB
ControlNet Communication Module
1756-CNBR
Redundant ControlNet Communication Module
1756-DHRIO
User Manual:
1756-IN571
CNET-UM001
Data Highway Plus - Remote I/O Communication Interface Module
1756-IN003
1756-UM514
1756-ENBT
EtherNet Communication Module
1756-IN019
ENT-UM001
1756-SYNCH
SynchLink Module
1756-IN575
1756-UM521
These publications are available from Rockwell Automation at: http://www.rockwellautomation.com/literature
Publication 1756-RM001E-EN-P - November 2006
5-6
ControlLogix Communications Modules
Publication 1756-RM001E-EN-P - November 2006
Chapter
6
ControlLogix I/O Modules
This chapter discusses the ControlLogix I/O modules that are SIL2 certified. For information about:
Overview of ControlLogix I/O Modules
See page:
Overview of ControlLogix I/O Modules
6-1
Module Fault Reporting for any ControlLogix I/O Module
6-4
Using Digital Input Modules
6-5
Wiring ControlLogix Digital Input Modules
6-6
Using Digital Output Modules
6-7
Wiring ControlLogix Digital Output Modules
6-10
Using Analog Input Modules
6-13
Wiring ControlLogix Analog Input Modules
6-16
Checklist for SIL Inputs
6-25
Checklist for SIL Outputs
6-26
In the most basic description, there are two types of SIL2-certified ControlLogix I/O modules: • Digital I/O modules • Analog I/O modules With each type, however, there are differences between specific modules. Because the differences propagate to varying levels in each module type, a graphical representation can best provide an overview of the many SIL2-certified ControlLogix I/O modules.
1
Publication 1756-RM001E-EN-P - November 2006
6-2
ControlLogix I/O Modules
Figure 6.1 shows the SIL2-certified ControlLogix I/O modules. Each type, digital or analog, is described in greater detail throughout the rest of this chapter. Figure 6.1
SIL2-Certified ControlLogix I/O Modules
Digital I/O Modules
Diagnostic Digital Modules
Analog I/O Modules
Standard Digital Modules
Diagnostic Digital Input Modules, including:
Diagnostic Digital Output Modules, including:
Standard Digital Input Modules, including:
Standard Digital Output Modules, including:
Analog Input Modules, including:
Analog Output Modules, including:
1756-IA8D 1756-IB16D
1756-OA8D 1756-OB16D
1756-IA16I 1756-IB16I 1756-IB16ISOE 1756-IB32 1756-IH16ISOE
1756-OA16I 1756-OB16I 1756-OB32 1756-OB8EI 1756-OW16I 1756-OX8I
1756-IF16 1756-IF6CIS 1756-IF6I 1756-IF8 1756-IR6I 1756-IT6I 1756-IT6I2
1756-OF6CI 1756-OF6VI 1756-OF8
43372
ControlLogix I/O modules are designed with inherent features that assist them in complying with the requirements of the 61508 Standard. For example, the modules all have a common backplane interface ASIC, execute power-up and runtime diagnostics, offer electronic keying and offer producer-consumer communication.
Publication 1756-RM001E-EN-P - November 2006
ControlLogix I/O Modules
6-3
For SIL2 compliance when installing ControlLogix I/O modules, follow the information provided in the documentation listed in Table 6.1. Table 6.1 lists the ControlLogix I/O modules initially submitted for SIL2 certification and shown in Figure 6.1. Table 6.1 Components For Use in the SIL 2 System Related Documentation: Module Type: Digital
Analog
Catalog Number:
Description:
Installation Instructions:
User Manual:
1756-IA16I
AC Isolated Input Module
1756-IN059
1756-UM058
1756-IA8D
AC Diagnostic Input Module
1756-IN055
1756-IB16D
DC Diagnostic Input Module
1756-IN069
1756-IB16I
DC Isolated Input Module
1756-IN010
1756-IB16ISOE
Sequence of Events Module
1756-IN591
1756-UM528
1756-IB32
DC Input Module
1756-IN027
1756-UM058
1756-IH16ISOE
Sequence of Events Module
1756-IN592
1756-UM528
1756-OA16I
AC Isolated Output Module
1756-IN009
1756-UM058
1756-OA8D
AC Diagnostic Input Module
1756-IN057
1756-OB16D
DC Diagnostic Output Module
1756-IN058
1756-OB16I
DC Isolated Output Module
1756-IN512
1756-OB32
DC Output Module
1756-IN026
1756-OB8EI
DC Isolated Output Module
1756-IN012
1756-OX8I
Isolated Relay Output Module
1756-IN513
1756-OW16I
Isolated Relay Output Module
1756-IN011
1756-IF16
Single-ended Analog Input Module
1756-IN039
1756-IF6CIS
Isolated Sourcing Analog Input Module
1756-IN579
1756-IF6I
Isolated Analog Input Module
1756-IN034
1756-IF8
Analog Input Module
1756-IN040
1756-IR6I
RTD Input module
1756-IN014
1756-IT6I
Thermocouple Input module
1756-IN037
1756-IT6I2
Enhanced Thermocouple Input Module
1756-IN586
1756-OF6CI
Isolated Analog Output Module (Current)
1756-IN036
1756-OF6VI
Isolated Analog Output Module (Voltage)
1756-IN035
1756-OF8
Analog Output Module
1756-IN015
1756-UM009
Publication 1756-RM001E-EN-P - November 2006
6-4
ControlLogix I/O Modules
Module Fault Reporting for any ControlLogix I/O Module
Users must make sure that all ControlLogix I/O modules are operating properly in the system. If the modules are not operating properly, the user must initiate a fault routine when a fault occurs. This can be accomplished in ladder logic through the use of the Get System Value instruction (GSV) and an examination of the MODULE Object’s ’Entry Status’ attribute for a running condition. An example of how this might be done is shown in Figure 6.2. This method, or something similar, must be used to interrogate the health of each I/O module in the system. Figure 6.2 Example of Checking a Module’s Health in Ladder Logic GSV
AND
Obtain MODULE Object’s Entry Status
Mask Off Lower 12 Bits of Value
NEQ Check Entry Status to make sure module is running
Fault
For more information on the GSV instruction and MODULE Objects, see Chapter 7, Faults in the ControlLogix System. For more information on creating Fault Routines, see Appendix B, System Self-Testing and User-Programmed Responses.
Publication 1756-RM001E-EN-P - November 2006
ControlLogix I/O Modules
Using Digital Input Modules
6-5
ControlLogix digital input modules are divided into two categories: • Diagnostic input modules • Standard input modules These modules share many of the same inherent architectural characteristics. However, the diagnostic input modules incorporate features that allow diagnosing of field-side failures. These features include broken wire (that is, wire-off) detection and, in the case of AC Diagnostic modules, loss of line power.
General Considerations when using Any ControlLogix Digital Input Module Regardless of the type of ControlLogix input module used, there are a number of general application considerations that users must follow when applying these modules in a SIL2 application: • Proof Tests - Periodically (for example, once every several years) a System Validation test must be performed. Manually, or automatically, test inputs to make sure that all inputs are operational and not stuck in the ON or OFF state. Inputs must be cycled from ON to OFF or OFF to ON. For additional information on Proof Tests, see page 1-6 and Figure 9.1 on page 9-5. • Always use a direct connection with diagnostic input modules located in remote chassis. • Wire sensors to separate input points on two separate modules. • Configuration parameters (for example, RPI, filter values) must be identical between the two modules. • The same controller must own both modules. For operational state information, see Chapter 1, SIL Policy.
Publication 1756-RM001E-EN-P - November 2006
6-6
ControlLogix I/O Modules
Wiring ControlLogix Digital Input Modules
The wiring diagrams in Figure 6.3 show two methods of wiring the digital input Module. In either case, users must determine whether the use of 1 or 2 sensors is appropriate to fulfill SIL2 requirements. Figure 6.3 ControlLogix Digital Input Module Wiring + Line
Input A1
Optional Relay contact to switch line voltage for periodic automated testing
Input B1
One-Sensor Wiring Example
Sensor
Input A2
Input B2 Sensor
Two-Sensor Wiring Example
Sensor 43366
Application logic can compare input values or states for concurrence. Figure 6.4 Input A
Input B Actuator
The user program must also contain rungs to annunciate a fault in the event of a sustained miscompare between two points. Figure 6.5 Input A
Input B Timer
Input A
Input B
Timer preset in milliseconds to compensate for filter time and hardware delay differences.
Timer Done Fault Fault Alarm to Operator
The control, diagnostics and alarming functions must be performed in sequence. For more information on faults, see Chapter 7, Faults in the ControlLogix System.
Publication 1756-RM001E-EN-P - November 2006
ControlLogix I/O Modules
Using Digital Output Modules
6-7
ControlLogix digital output modules are divided into two categories: • Diagnostic output modules • Standard output modules These modules share many of the same inherent architectural characteristics. However, the diagnostic output modules incorporate features that allow diagnosing of field-side failures. These features include reporting No-Load conditions and point-level fuse-blown. In addition, the diagnostic modules can validate the state of the output with the Output Verify feature and the Output Pulse test.
General Considerations when using Any ControlLogix Digital Output Module Wiring the two types of digital output modules differs, depending on your application requirements (these wiring methods are explained in detail in later sections). However, regardless of the type of ControlLogix output module used, there are a number of general application considerations that you must follow when applying these modules in a SIL2 application: • Proof Tests - Periodically (for example, once every several years) a System Validation test must be performed. Manually, or automatically, test outputs to make sure that all outputs are operational and not stuck in the ON or OFF state. Outputs must be cycled from ON to OFF or OFF to ON. For additional information on Proof Tests, see page 1-6 and Figure 9.1 on page 9-5.
Publication 1756-RM001E-EN-P - November 2006
6-8
ControlLogix I/O Modules
• Examination of Output Data Echo signal in Application logic: The application logic must examine the Data Echo value associated with each output point to make sure that the requested On/Off command from the controller was received by the module. In the rungs below, a timer begins to increment for any miscompare between the actual output bit and its associated Data Echo bit. The timer must be preset to accommodate the delay between setting the output bit in controller memory and receipt of the Data Echo from the module. If a miscompare exists for longer than that time, a fault is reported. Figure 6.6 Application Logic Actuator
Output Bit
Data Echo Timer
Output Bit
Data Echo
Timer done Fault Fault Alarm to Operator
The control, diagnostics and alarming functions must be performed in sequence. For more information on faults, see Chapter 7, Faults in the ControlLogix System.
Publication 1756-RM001E-EN-P - November 2006
ControlLogix I/O Modules
6-9
• Use of external Relays to disconnect Module Power if Output De-energization is Critical: To make sure outputs will de-energize, users must wire an external relay that can remove power from the output module if a short or other fault is detected. See Figure 6.7 on page 6-10 for an example method of wiring an external relay. • Test outputs at specific times to make sure they are operating properly. The method and frequency of testing is determined by the type of module–diagnostic or standard. For more information on testing diagnostic module outputs, see page 6-10. For more information on testing standard module outputs, see page 6-11. • For typical emergency shutdown (ESD) applications outputs must be configured to De-energize: When configuring any ControlLogix output module, each output must be configured to de-energize in the event of a fault and in the event of the controller going into program mode. For exceptions to the typical ESD applications, see Chapter 1, SIL Policy. • When wiring two digital output modules in series so that one may break source voltage (as shown in Figure 6.10 on page 6-12), make sure: – Both modules use identical configuration. – The same controller owns both modules.
Publication 1756-RM001E-EN-P - November 2006
6-10
ControlLogix I/O Modules
Wiring ControlLogix Digital Diagnostic Digital Output Modules Output Modules Diagnostic output modules have advanced circuitry that is not included in standard output modules. Because of the advanced design, users are not required to use an input module to monitor output status, as is required with standard output modules. Diagnostic Output modules can be used as-is in a SIL2 application (in other words, no special wiring considerations need be employed other than the wiring of the external relay to remove line power from the module in the event of a fault to make sure outputs will de-energize if shorted). In addition to following the General Considerations when using Any ControlLogix Digital Output Module on page 6-7, the user must perform a Pulse Test on each output periodically to make sure that the output is capable of changing state. Automatic diagnostic testing of output modules should be made at intervals that are an order of magnitude less than the demand rate. For example, pulse testing should be scheduled at least once a month for a low demand system and at least once hour for a high demand system. For more information on performing the pulse test, see the ControlLogix Digital I/O Modules User Manual, publication 1756-UM058. Users should also make sure they always use a direct connection with diagnostic output modules located in remote chassis. Figure 6.7 ControlLogix Diagnostic Output Module Wiring
V-/L2
V+/L2
V+/L1 This normally-open relay is controlled by the status of the rest of the ControlLogix system. If a short circuit or fault occurs on the module, the relay can disconnect power to the module.
Output
Also, this relay can be wired to disconnect power to multiple modules.
43365
Relays may also be included as shown in position A to interrupt power on a per point basis. Publication 1756-RM001E-EN-P - November 2006
Actuator
ControlLogix I/O Modules
6-11
Standard Digital Output Modules When using standard (also known as non-diagnostic) output modules, users must wire an output to an actuator and then back to an input to monitor the output’s performance. The user can write the appropriate logic to test the output’s ability to turn ON and OFF at power-up, or, at the proof test interval (see page 1-6), the user can force the output ON and OFF and use a voltmeter to verify output performance. Automatic testing of output modules (i.e. the user turns the outputs ON and OFF to verify proper operation) should be made at intervals that are an order of magnitude less than the demand rate. For example, output testing should be scheduled at least once a month for a low demand system and at least once an hour for a high demand system. In addition to following the General Considerations when using Any ControlLogix Digital Output Module on page 6-7, the user must wire each standard output to a corresponding input to validate that the output is following its commanded state. Figure 6.8 ControlLogix Standard Output Module Wiring Standard Isolated Output Module
V-/L2
Standard Isolated Input Module
Wire output point to input point to verify the correct state of the output
V+/L1 V+/L1
Output
Input
Actuator
V-/L2
This normally-open relay is controlled by another output in the ControlLogix system. If a short circuit or fault occurs on output modules, the relay can disconnect power to the modules. Also, this relay can be wired to disconnect power to multiple modules. 43363
Publication 1756-RM001E-EN-P - November 2006
6-12
ControlLogix I/O Modules
Application logic must be written to generate a fault in the event of a miscompare between the requested state of an output (echo) and the actual output state monitored by an input channel. Figure 6.9 Application Logic
Output Fault Actuator
Data Echo
Monitoring Input
Timer must be preset in milliseconds to accommodate communication times of echo signal and filter time of input.
Timer Data Echo
Monitoring Input
Timer done Fault Fault Alarm to Operator
The control, diagnostics and alarming functions must be performed in sequence. For more information on faults, see Chapter 7, Faults in the ControlLogix System. Users can also wire two isolated standard outputs in series to critical actuators. In the event that a failure is detected, the output from both output modules must be set to OFF to guarantee the Output Loads de-energize. Figure 6.10 shows how to wire two isolated standard outputs in series to critical actuators. Figure 6.10 ControlLogix Standard Output Module Wiring With Two Modules Standard Isolated Output Module #1
V-/L2
Standard Isolated Input Module
Standard Isolated Output Module #2 Wire output point to input point to verify the correct state of the output
V+/L1 V+/L1
V+/L1
Output
Output
Input
Actuator
V-/L2
43364
Publication 1756-RM001E-EN-P - November 2006
ControlLogix I/O Modules
Using Analog Input Modules
6-13
General Considerations when using Any ControlLogix Analog Input Module There are a number of general application considerations that you must follow when applying these modules in a SIL2 application: • Proof Tests - Periodically (for example, once every several years) a System Validation test must be performed. Manually, or automatically, test inputs to make sure that all inputs are operational. Field signal levels should be varied over the full operating range to make sure that the corresponding channel data varies accordingly. For additional information on Proof Tests, see page 1-6 and Figure 9.1 on page 9-5. • Calibrate Inputs Periodically, As Necessary: ControlLogix I/O modules ship from the factory with a highly accurate level of calibration. However, because each application is different, users are responsible for making sure their ControlLogix I/O modules are properly calibrated for their specific application. Users can employ tests in application program logic to determine when a module requires recalibration. For example, to determine whether an input module needs to be recalibrated, a user can determine a tolerance band of accuracy for a specific application. The user can then measure input values on multiple channels and compare those values to acceptable values within the tolerance band. Based on the differences in the comparison, the user could then determine whether recalibration is necessary. Calibration (and subsequent recalibration) is not a safety issue. However, we recommend that each analog input be calibrated at least every 3 years to verify the accuracy of the input signal and avoid nuisance application shutdowns.
Publication 1756-RM001E-EN-P - November 2006
6-14
ControlLogix I/O Modules
• Choose Floating Point Data Format During Module Configuration: ControlLogix analog input modules perform a host of on-board alarm processing to validate that the input signal is within the proper range for the application. However, these features are only available in Floating Point mode. • Examine the Appropriate Module Fault, Channel Fault and Channel Status Bits to Initiate Fault Routines: Each module will communicate the operating status of each channel to the controller during normal operation. Application logic must examine the appropriate bits to initiate a fault routine for a given application. For more information on faults, see Chapter 7, Faults in the ControlLogix System. • Compare Analog Input Data and Annunciate Miscompares: When wiring sensors to two inputs channels, the values from those channels must be compared to each other for concurrence within an acceptable range for the application before actuating an output. Any miscompare between the two inputs outside the programmed acceptable range must be annunciated as a fault. In Figure 6.11, a user-defined percentage of acceptable deviation (that is, tolerance) is applied to the configured input range of the analog inputs (that is, range) and the result is stored (that is, delta). This delta value is then added to and subtracted from one of the input channels; the results define an acceptable High and Low limit of deviation. The second input channel is then compared to these limits to determine if the input are working properly. The input’s OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering lags in the system. If the inputs miscompare for longer than the preset value, a fault is registered with a corresponding alarm.
Publication 1756-RM001E-EN-P - November 2006
ControlLogix I/O Modules
6-15
Figure 6.11 Inputs OK Timer
MULT Range Tolerance % Delta
ADD Delta Input 1 High Limit
SUB Delta Input 1 Low Limit
LIM Low Limit Input 2 High Limit
Inputs OK
Timer done Inputs Faulted Inputs Faulted Alarm to Operator
The control, diagnostics and alarming functions must be performed in sequence. For more information on faults, see Chapter 7, Faults in the ControlLogix System. • Configuration parameters (for example, RPI, filter values) must be identical between the two modules. • The same controller must own both modules.
Publication 1756-RM001E-EN-P - November 2006
6-16
ControlLogix I/O Modules
Wiring ControlLogix Analog Input Modules
In general, good design practice dictates that each of the 2 transmitters must be wired to input terminals on separate modules such that the channel values may be validated by comparing the two within an acceptable range. Special consideration must be given in applying this technique, depending on the type of module being used. Those details are shown in the following wiring diagrams.
Wiring the Single-Ended Input Module in Voltage Mode In addition to following the General Considerations when using Any ControlLogix Analog Input Module on page 6-13, make sure you use the correct documentation (listed in Table 6.1 on page 6-3) to wire the module. When operating in Single-ended voltage mode, all (-) leads of the transmitters must be tied together. Figure 6.12 shows how to wire the 1756-IF8 module for use in voltage mode. Figure 6.12 ControlLogix Analog Input Module Wiring in Voltage Mode
Ch0 +
Ch0 +
(+) (–)
Ch0 –
Voltage Transmitter A
Ch0 – (+) Voltage (–) Transmitter B 43368
Publication 1756-RM001E-EN-P - November 2006
ControlLogix I/O Modules
6-17
Wiring the Single-Ended Input Module in Current Mode In addition to following the General Considerations when using Any ControlLogix Analog Input Module on page 6-13, before wiring the module, consider the following application guideline: • Placement of Other Devices in Current Loop: you can locate other devices in an input channel’s current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops (each module input is 250 ohms) Figure 6.13 shows how to wire the 1756-IF8 module for use in current mode. Figure 6.13 ControlLogix Analog Input Module Wiring in Current Mode
Ch0 +
Ch0 –
Ch0 +
Ch0 –
Current Source A
Current Source B
43369
Publication 1756-RM001E-EN-P - November 2006
6-18
ControlLogix I/O Modules
Wiring the Thermocouple Input Module In addition to following the General Considerations when using Any ControlLogix Analog Input Module on page 6-13, before wiring the module, consider the following application guideline: • Wire to Same Input Channel on Both Modules: When wiring thermocouples, wire two in parallel to two modules. Use the same channel on each module to make sure of consistent temperature readings. Figure 6.14 shows how to wire the 1756-IT6I module. Figure 6.14 ControlLogix Analog Thermocouple Module Wiring
Ch0 +
Ch0 + Thermocouple A
RTN
RTN
Thermocouple B
43370
Publication 1756-RM001E-EN-P - November 2006
ControlLogix I/O Modules
6-19
Wiring the RTD Input Module In addition to following the General Considerations when using Any ControlLogix Analog Input Module on page 6-13, before wiring the module, consider the following application guideline: • RTDs cannot be wired in parallel without severely affecting their accuracy. Two sensors must be used. Figure 6.15 shows how to wire the 1756-IR6I module. Figure 6.15 ControlLogix Analog RTD Module Wiring
Ch0 A
Ch0 A RTD A
Ch0 B
Ch0 B
RTN
RTN
RTD B
43371
Publication 1756-RM001E-EN-P - November 2006
6-20
ControlLogix I/O Modules
Using Analog Output Modules
The 1756-OF8 ControlLogix analog output module is certified for use SIL2 applications.
General Considerations when using Any ControlLogix Analog Output Module There are a number of general application considerations that you must follow when applying the analog output modules in a SIL2 application: IMPORTANT
It is strongly recommended that you do not use analog outputs to execute the safety function that results in a safe state. Analog output modules are slow to respond to an ESD command and are therefore not recommended for use ESD output modules. The use of digital output modules and actuators to achieve the ESD de-energized state is recommended.
• Proof Tests - Periodically (for example, once every several years) a System Validation test must be performed. Manually, or automatically, test outputs to make sure that all outputs are operational. Channel data should be varied over the full operating range to make sure that the corresponding field signal levels vary accordingly. For additional information on Proof Tests, see page 1-6 and Figure 9.1 on page 9-5. • Calibrate Outputs Periodically, As Necessary: ControlLogix I/O modules ship from the factory with a highly accurate level of calibration. However, because each application is different, users are responsible for making sure their ControlLogix I/O modules are properly calibrated for their specific application. Users can employ tests in application program logic to determine when a module requires recalibration. For example, to determine whether an output module needs to be recalibrated, a user can determine a tolerance band of accuracy for a specific application. The user can then measure output values on multiple channels and compare those values to acceptable values within the tolerance band. Based on the differences in the comparison, the user could then determine whether recalibration is necessary.
Publication 1756-RM001E-EN-P - November 2006
ControlLogix I/O Modules
6-21
Calibration (and subsequent recalibration) is not a safety issue. However, we recommend that each analog output be calibrated at least every 3 years to verify the accuracy of the input signal and avoid nuisance application shutdowns. • Choose Floating Point Data Format During Module Configuration: ControlLogix analog output modules perform a host of on-board alarm processing to validate that the output signal is within the proper range for the application. However, these features are only available in Floating Point mode. • Examine the Appropriate Module Fault, Channel Fault and Channel Status Bits to Initiate Fault Routines: Each module will communicate the operating status of each channel to the controller during normal operation. Application logic must examine the appropriate bits to initiate a fault routine for a given application. For more information on faults, see Chapter 7, Faults in the ControlLogix System. • For typical emergency shutdown (ESD) applications outputs must be configured to De-energize: When configuring any ControlLogix output module, each output must be configured to de-energize in the event of a fault and in the event of the controller going into program mode. For exceptions to the typical ESD applications, see Chapter 1, SIL Policy. • Wire Output Back to Input and Examination of Output Data Echo signal: Users must wire an analog output to an actuator and then back to an analog input to monitor the output’s performance, as shown in Figure 6.17. The application logic must examine the Data Echo value associated with each output point to make sure that the requested output command from the controller was received by the module. The value must be compared to the analog input that is monitoring the output to make sure the value is in an acceptable range for the application. In the ladder diagram in Figure 6.16, a user-defined percentage of acceptable deviation (that is, tolerance) is applied to the configured range of the analog input and output (that is, range) and the result is stored (that is, delta). This delta value is then added to and subtracted from the monitoring analog input channel; the results define an acceptable High and Low limit of deviation. The analog Output Echo is then compared to these limits to determine if the output are working properly.
Publication 1756-RM001E-EN-P - November 2006
6-22
ControlLogix I/O Modules
The output’s OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering, or output, lags in the system. If the monitoring input value and the Output Echo miscompare for longer than the preset value, a fault is registered with a corresponding alarm. Figure 6.16 Monitoring an Analog Output with an Analog Input Outputs OK Timer
MULT Range Tolerance % Delta
ADD Delta
SUB Delta
Monitoring input
Monitoring input
High Limit
Low Limit
LIM Low Limit Output Echo High Limit
Outputs OK
Timer done Outputs Faulted Outputs Faulted Alarm to Operator
The control, diagnostics and alarming functions must be performed in sequence. • When wiring two analog output modules in the same application, make sure: – Both modules use identical configuration. – The same controller owns both modules.
Publication 1756-RM001E-EN-P - November 2006
ControlLogix I/O Modules
Wiring ControlLogix Analog Output Modules
6-23
In general, good design practice dictates that each analog output must be wired to a separate input terminal to make sure that the output is functioning properly.
Wiring the Analog Output Module in Voltage Mode Figure 6.17 shows how to wire the 1756-OF8 module for use in voltage mode. Figure 6.17 ControlLogix Analog Output Module Wiring in Voltage Mode
Analog Output Module
This normally-open relay is controlled by the status of the rest of the ControlLogix system. If a short circuit or fault occurs on the module, the relay can disconnect power to the module.
Analog Input Module
(+)
(+)
(–)
(–)
Actuator
Also, this relay can be wired to disconnect power to multiple modules.
43377
Publication 1756-RM001E-EN-P - November 2006
6-24
ControlLogix I/O Modules
Wiring the Analog Output Module in Current Mode In addition to following the General Considerations when using Any ControlLogix Analog Output Module on page 6-20, consider the following application guideline before wiring the 1756-OF8 module in current mode: • Placement of Other Devices in Current Loop: you can locate other devices in an output channel’s current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops (each module output is 250 ohms) Figure 6.18 shows how to wire the 1756-OF8 module for use in current mode. Figure 6.18 ControlLogix Analog Output Module Wiring in Current Mode Analog Output Module
This normally-open relay is controlled by the status of the rest of the ControlLogix system. If a short circuit or fault occurs on the module, the relay can disconnect power to the module.
Analog Input Module
(+)
(+)
(–)
(–)
Actuator
Also, this relay can be wired to disconnect power to multiple modules.
43376
Publication 1756-RM001E-EN-P - November 2006
ControlLogix I/O Modules
Checklist for SIL Inputs
6-25
The following checklist is required for planning, programming and start up of SIL inputs. It may be used as a planning guide as well as during proof testing. If used as a planning guide, the checklist can be saved as a record of the plan. For programming or start-up, an individual checklist can be filled in for every single SIL input channel in a system. This is the only way to make sure that the requirements were fully and clearly implemented. This checklist can also be used as documentation on the connection of external wiring to the application program. Input Check List for ControlLogix System
Company: Site: Loop definition: SIL input channels in the: No.
All Input Module Requirements (apply to both digital and analog input modules)
1
Is Exact Match selected as the electronic keying option whenever possible?
2
Is the RPI value set to an appropriate value for your application?
3
Are all modules owned by the same controller?
4
Have you performed proof tests on the system and modules?
5
Have you set up the fault routines?
6
Are control, diagnostics and alarming functions performed in sequence in application logic?
No.
Additional Digital Input Module-Only Requirements
1
When two digital input modules are wired in the same application, do the following conditions exist: • Both modules are owned by the same controller. • Sensors are wired to separate input points. • The operational state is ON. • The non-operational state is. OFF. • Configuration parameters (for example, RPI, filter values) are identical.
2
For the standard input modules, is the Communication Format set to one of the Input Data choices?
3
For the diagnostic input modules, is the Communication Format set to Full Diagnostics-Input Data?
4
For the diagnostic input modules, are all diagnostics enabled on the module?
5
For the diagnostic input modules, are enabled diagnostic bits monitored by fault routines?
6
For the diagnostic input modules, is the connection to remote modules a direct connection?
No.
Additional Analog Input Module-Only Requirements
1
Is the Communication Format set to Float Data?
2
Have you calibrated the modules as often as required by your application?
3
Are you using ladder logic to compare the analog input data on two channels to make sure there is concurrence within an acceptable range and that redundant data is used properly?
4
Have you written application logic to examine bits for any condition that may cause a fault and appropriate fault routines to handle the fault condition?
5
When wiring the 1756-IF8 in voltage mode, are transmitter grounds tied together?
6
When wiring the 1756-IF8 in current mode, are loop devices placed properly?
7
When wiring 1756-IT6I modules in parallel, have you wired to the same channel on each module as shown in Figure 6.14 on page 6-18?
8
When wiring two 1756-IR6I modules, are two sensors used, as shown in Figure 6.15 on page 6-19?
Yes
No
Comment
Yes
No
Comment
Yes
No
Comment
Publication 1756-RM001E-EN-P - November 2006
6-26
ControlLogix I/O Modules
Checklist for SIL Outputs
The following checklist is required for planning, programming and start up of SIL outputs. It may be used as a planning guide as well as during proof testing. If used as a planning guide, the checklist can be saved as a record of the plan. For programming or start-up, an individual requirement checklist must be filled in for every single SIL output channel in a system. This is the only way to make sure that the requirements are fully and clearly implemented. This checklist can also be used as documentation on the connection of external wiring to the application program. Output Check List for ControlLogix System
Company: Site: Loop definition: SIL output channels in the: No.
All Output Module Requirements (apply to both digital and analog output modules)
1
Have you performed proof tests on the modules?
2
Is Exact Match selected as the electronic keying option whenever possible?
3
Is the RPI value set to an appropriate value for your application?
4
Have you set up fault routines, including comparing output data with a corresponding input point?
5
If required, have you used external relays in your application to disconnect module power if a short or other fault is detected on the module or isolated output in series?
6
Is the control of the external relay implemented in ladder logic?
7
Have you examined the Output Data Echo signal in application logic?
8
Are all outputs configured to deenergize in the event of a fault or the controller entering program mode?
9
Do two modules of the same type, used in the same application, use identical configurations?
10
Does one controller own both modules if two of the same type are used in an application?
11
Are control, diagnostics and alarming functions performed in sequence in application logic?
No.
Digital Output Module-Only Requirements
1
For the standard output modules, is the Communication Format set to Output Data?
2
For standard output modules, have you wired the outputs to a corresponding input to validate that the output is following its commanded state?
3
For the diagnostic output modules, are all diagnostics enabled on the module?
4
For the diagnostic output modules, are enabled diagnostic bits monitored by fault routines?
5
For the diagnostic output modules, is the Communication Format set to Full Diagnostics-Output Data?
6
For diagnostic output modules, have you periodically performed a Pulse Test to make sure that the output is capable of change state?
7
For diagnostic output modules, is the connection to remote modules a direct connection?
No.
Analog Output Module-Only Requirements
1
Is the Communication Format set to Float Data?
2
Have you calibrated the modules as often as required by your application?
3
When wiring the 1756-OF8 in current mode, are loop devices placed properly?
4
Have you written application logic to examine bits for any condition that may cause a fault and appropriate fault routines to handle the fault condition?
Publication 1756-RM001E-EN-P - November 2006
Yes
No
Comment:
Yes
No
Comment
Yes
No
Comment
Chapter
7
Faults in the ControlLogix System
Introduction
The ControlLogix architecture provides the user many ways of detecting and reacting to faults in the system. The first way that users can handle faults is to make sure they have completed the input and output checklists listed on pages 6-25 and 6-26 for their application. In addition to the checklists mentioned above, various device objects can be interrogated to determine the current operating status. Additionally, modules provide run-time status of their operation and of the process. It is up to users to determine what data is most appropriate for their application to initiate a shutdown sequence. This chapter explains two example conditions that will generate a fault in a SIL2-certified ControlLogix system: • Keyswitch changing out of RUN mode • High alarm condition on an analog input module For more information on the analog status bits available for examination, see the ControlLogix Analog I/O Modules User Manual, publication 1756-UM009. For information on System Self-Testing and User-Programmed Responses, see Appendix B. For more information on faults, see Appendix C, Additional Information on Handling Faults in the ControlLogix System.
1
Publication 1756-RM001E-EN-P - November 2006
7-2
Faults in the ControlLogix System
Checking Keyswitch Position with GSV Instruction
The following rungs generate a fault if the keyswitch on the front of the controller is switched from the Run mode: Figure 7.1 GSV Class: CONTROLLERDEVICE Attribute: STATUS Destination: KEYSTATE
KEYSTATE.13
Fault
Fault Alarm to Operator
In this example, the Get System Value (GSV) instruction interrogates the STATUS attribute of the CONTROLLERDEVICE object and stores the result in a word called KEYSTATE, where bits 12 and 13 define the state of the keyswitch as shown in Table 7.1. Table 7.1 Bit 13:
Bit 12:
Description:
0
1
Keyswitch in Run position
1
0
Keyswitch in Program position
1
1
Keyswitch in Remote position
If bit 13 is ever ON, then the keyswitch is not in the RUN position. Examining bit 13 of KEYSTATE for an ON state will generate a fault. For more information on the accessing the CONTROLLERDEVICE object, see the Logix5000 Controllers General Instructions Reference Manual, publication 1756-RM003.
Publication 1756-RM001E-EN-P - November 2006
Faults in the ControlLogix System
Examining an Analog Input Module’s High Alarm
7-3
ControlLogix analog modules perform processing and comparison of field data values right on the module, allowing for easy examination of status bits to initiate a fault. For example, the 1756-IF8 module can be configured with user-defined alarm values that, when exceeded, will set a status bit on the module which is then sent back to the controller. The user may then examine the state of these bits to initiate a fault as shown in Figure 7.2: Figure 7.2 Ch1HAlarm
Fault
Fault Alarm to Operator
In the example above, the High Alarm bit for channel 1 (CH1HAlarm) is being examined for an On condition to initiate a fault. During operation, as the analog input module processes analog signals from the field sensors, if the value for channel 1 exceeds the user-defined value configured for Channel 1’s High Alarm, the (CH1HAlarm) bit is set and sent to the controller and a fault is declared.
Publication 1756-RM001E-EN-P - November 2006
7-4
Faults in the ControlLogix System
Notes:
Publication 1756-RM001E-EN-P - November 2006
Chapter
8
General Requirements for Application Software
This chapter discusses the details of the application program. For information about:
Software for SIL2-Related Systems
See page:
Software for SIL2-Related Systems
8-1
ControlLogix System Operational Modes
8-5
SIL2 Programming
8-2
General Guidelines for Application Software Development
8-2
Forcing
8-4
Security
8-4
Checklist for the Creation of an Application Program
8-6
The application software for the SIL2-related automation systems is generated using the programming tool (RSLogix 5000) according to IEC 61131-3. The application program has to be created by the programming tool RSLogix 5000 and contains the specific equipment functions that are to be carried out by the ControlLogix system. Parameters for the operating function are also entered into the system using RSLogix 5000.
1
Publication 1756-RM001E-EN-P - November 2006
8-2
General Requirements for Application Software
SIL2 Programming
Safety Concept of the ControlLogix system The safety concept of SIL2 assumes, that: • the programming system (PS) hardware and firmware works correctly (that is, programming system errors can be detected). • the user applies the logic correctly, that is, user programming errors can be detected. For the initial start-up of a safety-related ControlLogix system, the entire system must be checked by a complete functional test. After a modification of the application program, the modified program or logic must be checked. For more information on how users should handle changes to their application program, see the Changing Your Application Program section on page 9-6.
General Guidelines for Application Software Development
The application software for the intended SIL2 systems is intended to be developed by the system integrator and/or user. The developer must follow good design practices including the use of: • • • • • •
Functional specifications Flow charts Timing diagrams Sequence charts Program review Program validation
All logic should be reviewed and tested. To facilitate reviews and reduce unintended responses, developers should limit the set of instructions to basic Boolean/ladder logic (such as examine On/Off, Timers, Counters, etc.) whenever possible. This set should include instructions that can be used to accommodate analog variables, such as: • Limit tests • Comparisons • Math instructions See Appendix B, System Self-Testing and User-Programmed Responses, for details.
Publication 1756-RM001E-EN-P - November 2006
General Requirements for Application Software
8-3
Users must verify the downloading of the application program and its proper operation. A typical validation technique is to upload the downloaded program file and perform a compare of that file against what is stored in the programming terminal. The upload compare can be accomplished after an interval by saving the first one and comparing it to the second or subsequent uploads. This approach could also be performed through different paths (that is, over ControlNet and via the serial port). Safety logic and non safety-related logic should be separate.
Check the Created Application Program To check the created application program for adherence to the specific function, you must generate a suitable set of test cases covering the specification. The set of test cases is filed as the test specification. A suitable test set must also be generated for the numeric evaluation of formulas. Equivalent range tests are acceptable. These are tests within the defined value ranges, at the limits, or in impermissible value ranges. The test cases must be selected to prove the correctness of the calculation. The necessary number of test cases depends on the formula used and must comprise critical value pairs. However, active simulation with sources cannot be omitted as this is the only means of detecting correct wiring of the sensors and actuators to the system. Furthermore, this is the only means of testing the system configuration. Users should verify the correct programmed functions by forcing I/O or by manual manipulation of sensors and actuators.
Possibilities of Program Identification The application program is clearly identified by one of the following: • • • •
Name Date Revision Any other user identification information
Publication 1756-RM001E-EN-P - November 2006
8-4
General Requirements for Application Software
Forcing
Forcing must be disabled after system test and validation.
Security
The user must define what measures are to be applied for the protection against manipulation. In the ControlLogix system and in RSLogix 5000, protection mechanisms are available that prevent unintentional or unauthorized modifications to the safety system: • The following tools may be employed for security reasons in a SIL2-certified ControlLogix application: – Logix CPU Security Tool – Source Protection Tool – RSI Security Server Each of these tools offers different security features, including password protection, at varying levels of granularity throughout the application. The description of these tools is too large in scope to list here. Users can contact their local Rockwell Automation representative for more information. • The controller keyswitch should be in the RUN position and the key removed during normal operating conditions. • Operator options are set up per user login in the ControlLogix system. • The online connection between RSLogix5000 and the ControlLogix system is not permitted during normal SIL2 RUN operation except as described in Chapter 9. The requirements of the safety and application standards regarding the protection against manipulations must be observed. The authorization of employees and the necessary protection measures are the responsibility of the individuals starting the system.
Publication 1756-RM001E-EN-P - November 2006
General Requirements for Application Software
ControlLogix System Operational Modes
8-5
A three-position keyswitch on the front of the controller governs ControlLogix system operational modes. The following modes are available: • Run • Program • Remote - This software-enabled mode can be program or run. Figure 8.1 shows a controller with the keyswitch in the Run mode. Figure 8.1
42525
When a SIL2-certified ControlLogix application is operating in the Run mode, the controller keyswitch must be in the RUN position and the key removed. Outputs are only enabled in this mode.
Publication 1756-RM001E-EN-P - November 2006
8-6
General Requirements for Application Software
Checklist for the Creation of an Application Program
The following checklist is recommended to maintain safety technical aspects when programming, before and after loading the new or modified program. Checklist for Creation of an Application Program Safety Manual ControlLogix System
Company:
Site:
Project definition:
File definition / Archive number: Notes / Checks
Yes
No
Before a Modification Are the configuration of the ControlLogix system and the application program created on the basis of safety aspects? Are programming guidelines used for the creation of the application program? After a Modification - Before Loading Has a review of the application program with regard to the binding system specification been carried out by a person not involved in the program creation? Has the result of the review been documented and released (date/signature)? Was a backup of the complete program created before loading a program in the ControlLogix system? After a Modification - After Loading Was a sufficient number of tests carried out for the safety relevant logical linking (including I/O) and for all mathematical calculations? Was all force information reset before safety operation? Has it been verified that the system is operating properly? Have the appropriate security routines and functions been installed? Is the controller keyswitch in Run mode and the key removed?
Publication 1756-RM001E-EN-P - November 2006
Comment
Chapter
9
Technical SIL2 Requirements for the Application Program
This chapter discusses technical safety for the application program. For information about:
General Procedure
See page:
General Procedure
9-1
SIL Task/Program Instructions
9-4
Programming Languages
9-4
Commissioning Life Cycle
9-5
Changing Your Application Program
9-6
Forcing
9-8
The general procedure for programming the ControlLogix system SIL2 applications is listed below. • Specification of the control function, including: – specification – flow and timing charts – diagrams – sequence charts – program description – program review process • Writing the application program • Checking by independent reviewer • Verification and validation Once the program is tested, the ControlLogix system can be put into operation.
1
Publication 1756-RM001E-EN-P - November 2006
9-2
Technical SIL2 Requirements for the Application Program
Basics of Programming The control program must be available as a specification or a performance specification. This documentation forms the basis for the check of correct transformation into the program. The type of presentation of the specification depends on the task to be carried out. This can be:
Logic and Instructions The logic and instructions used in programming the application must be: • • • •
easy easy easy easy
to to to to
understand trace change test
Program Logic User must implement simple, easy to understand: • ladder • other IEC 1131-compliant language or • function blocks with specified characteristics. We use ladder, for example, because, it is easier to visualize and make partial program changes with this format.
Publication 1756-RM001E-EN-P - November 2006
Technical SIL2 Requirements for the Application Program
9-3
Specification The specification must include a detailed description that includes (if applicable): • • • • • •
Sequence of operations Flow and timing diagrams Sequence charts Program description Program print out Verbal descriptions of the steps with step conditions and actuators to be controlled, including: – input definitions – output definitions – I/O wiring diagrams and references – theory of operation
• Matrix- or table form of stepped conditions and the actuators to be controlled, including the sequence and timing diagrams • Definition of marginal conditions, for example, operating modes, EMERGENCY STOP etc. The I/O-portion of the specification must contain the analysis of field circuits, that is, the type of sensors and actuators:
Sensors (Digital or Analog) • Signal in standard operation (dormant current principle for digital sensors, sensors OFF means no signal) • Determination of redundancies required for SIL levels • Discrepancy monitoring and visualization, including the user’s diagnostic logic
Publication 1756-RM001E-EN-P - November 2006
9-4
Technical SIL2 Requirements for the Application Program
Actuators • Position and activation in standard operation (normally OFF) • Safe reaction/positioning when switching OFF, power failure respectively. • Discrepancy monitoring and visualization, including the user’s diagnostic logic
SIL Task/Program Instructions
The user program may contain a single SIL task composed of multiple programs and routines. This is a timed task with a user-selectable task priority and watchdog. The SIL2 task must be the controller’s top priority and the user-defined program watchdog (software watchdog) must be set to accommodate the SIL2 task and any other tasks. For more information, see Chapter 1, SIL Policy. Safety logic and non safety-related programs must be separate.
Programming Languages
Publication 1756-RM001E-EN-P - November 2006
All programming languages (for example, ladder logic, function block) available in the ControlLogix system will also be available for programming the ControlLogix controller for SIL2 applications.
Technical SIL2 Requirements for the Application Program
9-5
Figure 9.1 shows the steps required during application program development, debugging and commissioning.
Commissioning Life Cycle
Figure 9.1 Generate Functional Specification
Create Flow Diagram Create Timing Diagrams
Establish Sequence of Operations
Develop Project Online
Develop Project Offline Review Program with Independent Party
Download to Controller
Develop Test Plan Perform Validation Testing on all Logic
Yes
No
Verification okay?
Make more online edits & accept edits or make more offline edits and download to CTR
Begin Normal Project Operation
Download to Controller
Tests Pass?
No
Make project changes
Determine what logic has been Changed or Affected Perform Validation Testing on all Changed or Affected Logic
Finish the Validation Test1
Secure PADT 1
You must periodically repeat the validation test (also known as proof tests) to make sure module inputs and outputs are functioning properly and as commanded by the application programming. For more information on proof tests for I/O modules, see Chapter 9, ControlLogix I/O Modules.
Publication 1756-RM001E-EN-P - November 2006
9-6
Technical SIL2 Requirements for the Application Program
Changing Your Application Program
The following rules apply to changing your application program in RSLogix 5000: • Program edits are not recommended. However, they are possible if necessary and should be limited. For example, minor changes such as changing a timer preset or analog setpoint are possible. • Only authorized, specially-trained personnel can make program edits. These personnel should use all supervisory methods available, for example, using the controller keyswitch and software password protections. • When authorized, specially-trained personnel make program edits, they assume the central safety responsibility while the changes are in progress. These personnel must also maintain safe application operation. • Prior to making any program edits, an impact analysis must be performed by following the specification and other lifecycle steps described in Figure 9.1 as if the edits were an entirely new program. • Users must sufficiently document all program edits, including: – – – – –
authorization impact analysis execution test information revision information
• Users cannot make program edits while the program is online if the changes prevent the system from executing the safety function or if alternative protection methods are not in place. • Users cannot edit their program from multiple programming terminals simultaneously. • Changes to the SIS application software, in this case--RSLogix 5000, must comply with IEC 61511 standard on process safety section 11.7.1 Operator Interface requirements. • Users cannot edit their program when a project is operating in the RUN state. In other words, if an application is running and the ControlLogix controller keyswitch is in the RUN position, users cannot make online edits.
Publication 1756-RM001E-EN-P - November 2006
Technical SIL2 Requirements for the Application Program
9-7
• Users can edit the relay ladder logic portion of their program using one of the following methods described in Table 9.1: Table 9.1 Methods of Changing Your Application Program in RSLogix 5000 Method:
Required Steps:
Offline
The user performs the tasks described in the flow chart in Figure 9.1 on PROG page 9-5.
Users must revalidate the entire application before returning to normal operation.
Online
REM 1. Turn the controller key to the REM position. 2. Use the Online Edit Toolbar to start, accept, test and assemble your edits. The toolbar is shown below.
The project remains online but operates in the remote run mode. When edits are completed, users are only required to validate the changed portion of the application program.
start pending rung edit
accept pending rung edits
Controller Keyswitch Position:
assemble program edits
test program edits
untest program edits
Key Points to this Method:
We recommend that online edits be limited to minor program modifications such as setpoint changes or ladder logic rung additions, deletions and modifications. a. Click the start pending rung edits button . A copy is made of the rung you want to edit. b. Change your application program as needed. At this point, the original program is still active in the controller. Your program changes are made in the copied rungs. Changes do not affect the outputs until you test program edits in step d. c. Click the accept pending rung edits button . Your program changes are verified and downloaded to the controller. The controller now has the changed program and the original program. However, the controller continues to execute the original program. You can see the state of the inputs, and changes do not affect the outputs. d. Click the test program edits button . e. Click Yes to test the edits. Changes are now executed and affect the outputs; the original program is no longer executed. However, if you are not satisfied with the result of testing the edits, you can discard the new program by clicking on the untest program
IMPORTANT: This option to change the application program is available for changes to relay ladder logic only. Users cannot use this method to change function block programming. For more detailed information on how to edit ladder logic while online, see the Logix5000 Controllers Quick Start, publication 1756-QS001.
edits button if necessary. If you untest the edits, the controller returns to the original program. f. Click the assemble program edits button . g. Click Yes to assemble the edits. The changes are the only program in the controller, and the original program is discarded. 3. Perform a partial proof test of the portion of the application affected by the program edits. 4. Turn the controller key back to the RUN position to return the project to Run mode. We recommend you upload the new program to your programming terminal to ensure consistency between the application in the controller and on the programming terminal. 5. Remove the key.
Publication 1756-RM001E-EN-P - November 2006
9-8
Technical SIL2 Requirements for the Application Program
• If online edits exist in the standard routines only, those edits are not required to be validated before returning to normal operation. Users must verify that changes in the standard routine do not affect SIL routines. IMPORTANT
If any changes are needed to the program in the safety loop, they must be done so in accordance with IEC 61511-1, paragraph 11.7.1.5 which states: "The Safety Instrumentation System (SIS) operator interface design shall be such as to prevent changes to SIS application software. Where safety information needs to be transmitted from the basic process control system (BPCS) to the SIS then systems should be used which can selectively allow writing from the BPCS to specific SIS variables. Equipment or procedures should be applied to confirm the proper selection has been transmitted and received by the SIS and does not compromise the safety function of the SIS." Also, for more information on changing the SIL2 application program, see Chapter 10.
Forcing
The following rules apply to forcing in an RSLogix 5000 project: • Users must remove forces on all SIL2 tags before beginning normal operation for the project. • Users cannot force SIL2 tags while a project is in the Run mode.
Publication 1756-RM001E-EN-P - November 2006
Chapter
10
Use and Application of Human to Machine Interfaces
No specific device is part of the certification because the variety of devices is so large, ranging from simple thumb-wheel and LED readouts to PC/CRT-based human to machine interface (HMI) devices on a variety of networks. The range and breadth of these devices is similar to that of sensors and actuators; it would be impractical to impose device restrictions.
Using Precautions and Techniques with HMI
However, users must exercise the same precautions and techniques on HMI devices as on simple devices such as sensor and switch inputs. The precautions include, but are not restricted to: • • • •
Limited access and security Specifications, testing and validation Restrictions on data and access Limits on data and parameters
For more information on how HMI devices fits into a typical SIL loop, see Figure 1.2 on page 1-4. Sound techniques should be used in either the application software within the HMI or PLC in safety-related systems and non-safety-related systems.
Accessing Safety-Related Systems Normally, when accessing the safety-related system, the HMI should be restricted to read data and information such as diagnostics. The user should use techniques to limit access to only those sections of memory that are appropriate. For more information, see Figure 1.2 on page 1-4. If parameters in safety-related system require a change from an HMI, users should follow the guidelines indicated in the next section.
1
Publication 1756-RM001E-EN-P - November 2006
10-2
Use and Application of Human to Machine Interfaces
Changing Parameters in Safety-Related Systems A parameter change in a safety-related loop via an external (that is, outside the safety loop) device (for example, an HMI) is only allowed with the following restrictions: • Only authorized, specially-trained personnel can change the parameters in safety-related systems via HMIs. • The user who makes changes in a safety-related system via an HMI is responsible for the effect of those changes on the safety loop. • Users must clearly identify the variable that are to be changed as under the control of the ControlLogix controller inside the safety loop. • Users must use a clear, comprehensive and explicit operator procedure to make safety-related changes via an HMI. • Changes can only be accepted in a safety-related system if the following sequence of events occurs: a. Changes are sent from the HMI to the ControlLogix controller in the safety loop. b. The ControlLogix controller in the safety loop sends the changes back to the HMI–before accepting the changes or acting on them. c. The user verifies that the changes are correct. In every case, the operator must confirm the validity of the change before they are accepted and applied in the safety loop. • The software used in the HMI and the ControlLogix controller (in this case, RSLogix 5000) should be designed to verify that changes to the safety system are within acceptable limits and do not otherwise compromise the safety system. • The user should test all changes as part of the safety validation procedure.
Publication 1756-RM001E-EN-P - November 2006
Use and Application of Human to Machine Interfaces
10-3
• Users must sufficiently document all safety-related changes made via HMI, including: – – – – –
authorization impact analysis execution test information revision information
• Changes to the safety-related system, must comply with IEC 61511 standard on process safety section 11.7.1 Operator Interface requirements.
Changing Parameters in Non-Safety-Related Systems When the HMI device is used to change parameters in a non-safety-related system, remember the following techniques: • When the HMI is used to input parameters such as setpoints for a PID loop or drive speeds, the application program should include sound techniques used for other types of change validation, including: – Display the data to be changed – Acceptable ranges and limits used in the program for data checks (in other words, checks to make sure entered data is within an acceptable range) – Display the new value along with the existing value – Prompt the operator to acknowledge and accept the changed value before allowing the change to take effect • The developer must follow the same sound development techniques and procedures used for other application software development, including the verification and testing of the operator interface and its access to other parts of the program. The PLC application software should set up a table that is accessible by the HMI and limits access to required data points only. • Similar to the PLC program, the HMI software needs to be secured and maintained for SIL2 compliance after the system has been validated and tested.
Publication 1756-RM001E-EN-P - November 2006
10-4
Use and Application of Human to Machine Interfaces
Notes:
Publication 1756-RM001E-EN-P - November 2006
Appendix
A
Response Times in ControlLogix
The following calculation methods provide the user with the worst-case reaction times for a given change in input or fault condition and the corresponding output action.
Digital Modules
Local Chassis Configuration Figure A.1 shows an example system where the following occurs: • input data changes on the digital input module • the data is transmitted to the controller • the controller runs its program scan and reacts to the data change, including sending new data to the output module • the output module behavior changes based on the new data received from the controller Figure A.1 Digital Input Module
Controller
Digital Output Module
Use the following formula to determine worst-case reaction time: Worst-Case Reaction Time = Input Module Filter Setting(1) + Input Module Hardware Delay(2) + Input Module RPI(1) + Controller Program Scan(3) + Output Module Hardware Delay(2)
1
(1)
This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.
(2)
Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For a complete list of installation instructions, see Table 1.1 on page 1-8.
(3)
This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see the Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.
Publication 1756-RM001E-EN-P - November 2006
A-2
Response Times in ControlLogix
EXAMPLE
For example, a system may reflect the set-up used in Figure A.1 with an 1756-IB16D and 1756-OB16D and following settings: • Input Module Filter Setting = 1ms • Input Module Hardware Delay = 1ms • Input RPI = 2ms • Program Scan = 20ms • Output Module Hardware Delay = 1ms In this example, the worst-case reaction time = 25ms
Remote Chassis Configuration Figure A.2 shows an example system where the following occurs: • input data changes on the digital input module • the data is transmitted to the controller via the 1756-CNB modules • the controller runs its program scan and reacts to the data change, including sending new data to the output module via the 1756-CNB modules • the output module behavior changes based on the new data received from the controller Figure A.2 Controller
ControlNet Bridge Module
ControlNet Bridge Module
Digital Input Module
Digital Output Module
Use the following formula to determine worst-case reaction time: Worst-Case Reaction Time =Input Module Filter Setting(1) + Input Module Hardware Delay(2) + Input Module RPI(1) + Remote 1756-CNB RPI + Controller Program Scan(3) + Remote 1756-CNB RPI + Output Module Hardware Delay(2) (1)
This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.
(2)
Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For a complete list of installation instructions, see Table 1.1 on page 1-8.
(3)
This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see the Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.
Publication 1756-RM001E-EN-P - November 2006
Response Times in ControlLogix
Analog Modules
A-3
Local Chassis Configuration Figure A.3 shows an example system where the following occurs: • input data changes on the analog input module • the data is transmitted to the controller • the controller runs its program scan and reacts to the data change, including sending new data to the output module • the output module behavior changes based on the new data received from the controller Figure A.3 Analog Input Module
Controller
Analog Output Module
Use the following formula to determine worst-case reaction time: Worst-Case Reaction Time =Input Module Filter Setting(1) + Input Module Real Time Sample (RTS) rate(1) + Controller Program Scan(2) +Output Module RPI(1) + Output Module Hardware Delay(3)
(1)
This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.
(2)
This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see the Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.
(3)
Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For a complete list of installation instructions, see Table 1.1 on page 1-8.
Remote Chassis Configuration Figure A.2 shows an example system where the following occurs: • input data changes on the analog input module • the data is transmitted to the controller via the 1756-CNB modules • the controller runs its program scan and reacts to the data change, including sending new data to the output module via the 1756-CNB modules
Publication 1756-RM001E-EN-P - November 2006
A-4
Response Times in ControlLogix
• the output module behavior changes based on the new data received from the controller Figure A.4 Controller
ControlNet Bridge Module
ControlNet Bridge Module
Analog Input Module
Analog Output Module
Use the following formula to determine worst-case reaction time: Worst-Case Reaction Time =Input Module Filter Setting(1) + Input Module Real Time Sample (RTS) rate(1) + Remote 1756-CNB RPI(1) + Controller Program Scan(2) + Output Module RPI(1) + Remote 1756-CNB RPI(1) + Output Module Hardware Delay(3)
(1)
This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.
(2)
This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see the Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.
(3)
Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For a complete list of installation instructions, see Table 1.1 on page 1-8.
Publication 1756-RM001E-EN-P - November 2006
Response Times in ControlLogix
Redundancy Systems
A-5
The response time of a system that uses redundancy is different from a system that does not use redundancy. The redundancy system has a longer response time because: • The primary controller must keep the secondary up-to-date and ready to take over control in case of a switchover. This process of cross-loading fresh data at the end of each program scan increases scan time. You can plan your project effectively (e.g., minimize the use of SINT or INT tags, use arrays and user-defined data types) to minimize the scan time in a redundancy system. Generally, the primary controller in a redundancy system has a 20% slower response time than the controller in a non-redundancy system. • The switchover between controllers slows system response. The switchover time of a redundancy system depends on the network update time (NUT) of the ControlNet network. To estimate the switchover time, use the following formulas:
For this type of failure:
If the NUT is:
The switchover time is:
Example:
loss of power
<6
60 ms
For a NUT of 4 ms, the switchover time is approximately 60 ms.
>7
5 (NUT) + MAX (2[NUT], 30)
For a NUT of 10 ms, the switchover time is approximately 80 ms.
14 (NUT) + MAX (2[NUT], 30) + 50
For a NUT of 10 ms, the switchover time is approximately 220 ms.
–or– module failure 1756-CNB module cannot communicate with any other node
For more information on response times in ControlLogix redundancy systems and ControlLogix redundancy systems in general, see the ControlLogix Redundancy System user manual, publication 1756-UM523.
Publication 1756-RM001E-EN-P - November 2006
A-6
Response Times in ControlLogix
Notes:
Publication 1756-RM001E-EN-P - November 2006
Appendix
B
System Self-Testing and User-Programmed Responses
This chapter explains self-testing in a ControlLogix system and points to more information about user-programmed responses.
Validation Tests
Validation tests are performed at every proof test interval. • Manually Cycle Inputs to ensure that all inputs are operational and not stuck in the ON state • Manually Pulse Test outputs which do not support runtime Pulse Testing. The relays in the Redundant Power Supplies must be tested to ensure they are not stuck in the Closed state. Users can automatically perform proof tests by switching ground open on input modules and checking to make sure all input points go to zero (turn OFF.). All system components which do not have runtime diagnostics must be tested as part of the System Initialization Tests.
System Self Tests The SIL2-certified ControlLogix system is designed to automatically shut down in the event of a failure or fault. The following information provides details on how to program and configure routines to monitor diagnostic and system status.
1
Publication 1756-RM001E-EN-P - November 2006
B-2
System Self-Testing and User-Programmed Responses
Reaction to Faults For more information on how to configure a ControlLogix system to identify and handle faults, including such tasks as: • • • •
Developing a Fault Routine Creating a User-Defined Major Fault Monitoring Minor Faults Developing a Power-Up Routine
see the Logix5000 Controllers Common Procedures Programming Manual, publication 1756-PM001.
Publication 1756-RM001E-EN-P - November 2006
Appendix
C
Additional Information on Handling Faults in the ControlLogix System
This appendix describes the ways that faults are reported to the controller.
Introduction
The ControlLogix architecture provides the user many ways of detecting and reacting to faults in the system. Various device objects can be interrogated to determine the current operating status. Additionally, modules provide run-time status of their operation and of the process. • For information on how to use specific instructions to get and set controller system data stored in device objects, see the Logix5000 Controllers General Instructions Reference Manual, publication 1756-RM003. • For information on controller fault codes, including major and minor codes, see the Logix5000 Controllers Common Procedures Programming Manual, publication 1756-PM001. • For information on accessing modules’ run-time operational and process status, see the ControlLogix Analog I/O Modules User Manual, publication 1756-UM009, and the ControlLogix Digital I/O Modules User Manual, publication 1756-UM058.
1
Publication 1756-RM001E-EN-P - November 2006
C-2
Additional Information on Handling Faults in the ControlLogix System
Notes:
Publication 1756-RM001E-EN-P - November 2006
Appendix
D
Spurious Failure Estimates
Introduction
Table D.1 lists the spurious failure estimates for the ControlLogix products included in this manual. These rates are based on field return data. Therefore, new products are not included. Table D.1 Spurious Failure Estimates for ControlLogix Products
1
Catalog Number:
Description:
MTBF (Spurious):(1) λ (Spurious):(2)
1756-Axx
ControlLogix Chassis
3,606,181 (Average)
2.77E-07
1756-CNB/D
ControlNet Bridge
1,237,510
8.08E-07
1756-CNB/E
ControlNet Bridge
NA
NA
1756-CNBR/D
Redundant ControlNet Bridge
518,555
1.93E-06
1756-CNBR/E
Redundant ControlNet Bridge
NA
NA
1756-DHRIO
Data Highway Plus - Remote I/O Communication Interface Module
2,217,577
4.51E-07
1756-ENBT
EtherNet Bridge
595,693
1.68E-06
1756-IA16I
Isolated AC Input
5,327,736
1.88E-07
1756-IA8D
AC Diagnostic Input
8,008,000
1.25E-07
1756-IB16D
DC Diagnostic Input
7,666,418
1.30E-07
1756-IB16I
DC Isolated Input
5,988,800
1.67E-07
1756-IB16ISOE
Sequence of Events Module
NA
NA
1756-IB32
DC Input Module
655,718
1.53E-06
1756-IF16
Single-ended Analog Input Module
817,519
1.22E-06
1756-IF6CIS
Isolated Sourcing Analog Input Module
NA
NA
1756-IF6I
Isolated Analog Input Module
1,196,579
8.36E-07
1756-IF8
Analog Input
799,305
1.25E-06
1756-IH16ISOE
Sequence of Events Module
NA
NA
1756-IR6I
RTD Input
929,356
1.08E-06
1756-IT6I
Thermocouple Input
447,577
2.23E-06
1756-IT6I2
Enhanced Thermocouple Input Module
133,328
7.50E-06
1756-L55M13
ControlLogix 1.5Mb Controller
747,397
1.34E-06
1756-L55M16
L55 Controller w 7.5Mb Memory
717,600
1.39E-06
1756-L61
ControlLogix 2 Mb Controller
NA
NA
1756-L62
ControlLogix 4 Mb Controller
NA
NA
Publication 1756-RM001E-EN-P - November 2006
D-2
Spurious Failure Estimates
Table D.1 Spurious Failure Estimates for ControlLogix Products Catalog Number:
Description:
MTBF (Spurious):(1) λ (Spurious):(2)
1756-L63
ControlLogix 8 Mb Controller
NA
NA
1756-OA16I
AC Isolated Input
2,985,566
3.35E-07
1756-OA8D
AC Diagnostic Input
6,269,120
1.60E-07
1756-OB16D
DC Diagnostic Output
3,910,004
2.56E-07
1756-OB16I
DC Isolated Output
1,283,270
7.79E-07
1756-OB32
DC Output Module
653,788
1.53E-06
1756-OB8EI
DC Fused Output
4,804,800
2.08E-07
1756-OF6CI
Isolated Analog Output Module (Current)
2,593,882
3.86E-07
1756-OF6VI
Isolated Analog Output Module (Voltage)
4,461,184
2.24E-07
1756-OF8
Analog Output
2,600,446
3.85E-07
1756-OW16I
Isolated Relay Output Module
1,728,990
5.78E-07
1756-OX8I
Contact Output
3,672,760
2.72E-07
1756-PA75/A
AC Power Supply
3,061,337
3.27E-07
1756-PA75/B
AC Power Supply
NA
NA
1756-PA75R
AC Redundant PS
180,528
5.54E-06
1756-PB75/A
DC Power Supply
1,984,000
5.04E-07
1756-PB75/B
DC Power Supply
NA
NA
1756-PB75R
DC Redundant PS
818,688
1.22E-06
1756-PC75
DC Power supply
NA
NA
1756-PH75
DC Power supply
NA
NA
1756-PSCA
Power Sup Chassis Adapter
7,425,600
1.35E-07
1756-PSCA2
Redundant Power Supply Chassis Adapter Module
4,534,400
2.21E-07
1756-SYNCH
SynchLink Module
2,816,320
3.55E-07
1757-SRM
System Redundancy Module
315,817
3.17E-06
(1)
MTBF (Spurious) = (Installed base one year ago X 4160) / Number of "No Problem Found" failures in the past 12 months (in hours) NOTE: If no "No Problem Found" failures are recorded, one (1) is assumed.
(2)
λ (Spurious) = 1 / MTBF (Spurious) NA - Sufficient field data is not available
Publication 1756-RM001E-EN-P - November 2006
Appendix
E
Sample Probability of Failure on Demand (PFD) Calculations
Proof Test Interval = 5 Years
Table E.1 shows PFD calculations for a proof test interval of 5 years.
Table E.1 ControlLogix Product Probability of Failure on Demand Calculations – Proof Test Interval of 5 Years
1
Mean Time Between Failure (MTBF)(1)
λ(5)
ControlLogix Chassis
36,322,045(2) (aggregate)
2.75E-08
3.03E-05
2.43E-06
1756-CNB/D
ControlNet Bridge - Series D
5,595,646
1.79E-07
1.97E-04
1.65E-05
1756-CNB/E
ControlNet Bridge - Series E
2,944,988(3)
3.40E-07
3.74E-04
3.26E-05
1756-CNBR/D
Redundant ControlNet Br idge Series D
3,109,957
3.22E-07
3.54E-04
3.08E-05
1756-CNBR/E
Redundant ControlNet Br idge Series E
2,864,755(3)
3.49E-07
3.84E-04
3.36E-05
1756-IA16I
Isolated AC Input
15,262,520
6.55E-08
7.21E-05
5.85E-06
1756-IA8D
AC Diagnostic Input
10,383,360
9.63E-08
1.06E-04
8.67E-06
1756-IB16D
DC Diagnostic Input
41,300,480
2.42E-08
2.66E-05
2.14E-06
1756-IB16I
DC Isolated Input
19,862,336
5.03E-08
5.54E-05
4.48E-06
1756-IB16ISOE
Sequence of Events
4,959,088(3)
2.02E-07
2.22E-04
1.87E-05
1756-IB32
DC Input Module
2,468,448
4.05E-07
4.46E-04
3.96E-05
1756-IF8
Analog Input
2,235,008
4.47E-07
4.92E-04
4.42E-05
1756-IF16
Isolated Analog Input
2,094,159
4.78E-07
5.25E-04
4.75E-05
1756-IF6CIS
Isolated Sourcing Analog Input
3,065,920
3.26E-07
3.59E-04
3.12E-05
1756-IF6I
Isolated Analog Input
2,838,451
3.52E-07
3.88E-04
3.40E-05
1756-IH16ISOE Sequence of Events
6,044,122
1.65E-07
1.82E-04
1.52E-05
1756-IR6I
RTD Input
3,826,296
2.61E-07
2.87E-04
2.46E-05
1756-IT6I
Thermocouple Input
3,002,035
3.33E-07
3.66E-04
3.20E-05
1756-IT6I2
Enhanced thermocouple Input
991,929
1.01E-06
1.11E-03
1.14E-04
1756-L55M13
L55 Controller w 1.5Mb Mem
2,228,750
4.49E-07
4.94E-04
4.43E-05
1756-L55M16
L55 Controller w 7.5Mb Mem
1,644,933
6.08E-07
6.69E-04
6.25E-05
1756-L61
ControlLogix 2 Mb Controller
815,822
1.23E-06
1.35E-03
1.45E-04
1756-L62
ControlLogix 4 Mb Controller
576,992
1.73E-06
1.91E-03
2.27E-04
1756-L63
ControlLogix 8 Mb Controller
782,912
1.28E-06
1.41E-03
1.53E-04
Catalog Number
Description
1756-Axx
Calculated PFD: 1oo1 architecture 1oo2 architecture
Publication 1756-RM001E-EN-P - November 2006
E-2
Sample Probability of Failure on Demand (PFD) Calculations
Table E.1 ControlLogix Product Probability of Failure on Demand Calculations – Proof Test Interval of 5 Years Mean Time Between Failure (MTBF)(1)
λ(5)
AC Isolated Input
10,911,086
9.16E-08
1.01E-04
8.24E-06
1756-OA8D
AC Diagnostic Input
6,922,240
1.44E-07
1.59E-04
1.32E-05
1756-OB16D
DC Diagnostic Output
14,321,691
6.98E-08
7.68E-05
6.24E-06
1756-OB16I
DC Isolated Output
2,371,445
4.22E-07
4.64E-04
4.14E-05
1756-OB32
DC Output Module
1,278,125
7.82E-07
8.61E-04
8.38E-05
1756-OB8EI
DC Fused Output
5,853,120
1.71E-07
1.88E-04
1.57E-05
1756-OF6CI
Isolated analog input
9,296,907
1.08E-07
1.18E-04
9.72E-06
1756-OF6VI
Isolated Analog Output
13,062,400
7.66E-08
8.42E-05
6.86E-06
1756-OF8
Analog Output
5,717,675
1.75E-07
1.92E-04
1.61E-05
1756-OW16I
Isolated Relay Output Module
1,360,415(3)
7.35E-07
8.09E-04
7.79E-05
1756-OX8I
Contact Output
19,281,600
5.19E-08
5.70E-05
4.61E-06
1756-PA75/A
AC Power Supply
14,538,606
6.88E-08
7.57E-05
6.15E-06
1756-PA75/B
AC Power Supply
5,513,591(3)
1.81E-07
2.00E-04
1.67E-05
1756-PA75R
AC Redundant Power Supply
296,978(4)
3.37E-06
3.70E-03
5.77E-04
1756-PB75/A
DC Power Supply
10,157,334
9.85E-08
1.08E-04
8.87E-06
1756-PB75/B
DC Power Supply
5,884,430(3)
1.70E-07
1.87E-04
1.56E-05
1756-PB75R
DC Redundant Power Supply
1,134,848(4)
8.81E-07
9.69E-04
9.66E-05
1756-PC75
DC Power Supply
5,894,836
1.70E-07
1.87E-04
1.56E-05
1756-PH75
DC Power Supply
5,889,628(3)
1.70E-07
1.87E-04
1.56E-05
1756-PSCA
Power Supply Chassis Adapter
45,146,727(3)
2.21E-08
2.44E-05
1.95E-06
1756-PSCA2
Redundant Power supply adapter
45,146,727(3)
2.21E-08
2.44E-05
1.95E-06
1757-SRM
System Redundancy Module
835,357
1.20E-06
1.32E-03
1.41E-04
Catalog Number
Description
1756-OA16I
Calculated PFD: 1oo1 architecture 1oo2 architecture
(1)
MTBF measured in hours. The values used here represent values available in September 2006.
(2)
Aggregate based on total shipments and total returns of all five chassis (1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17) collectively.
(3)
Calculated using field-based values for components.
(4)
Assumes that both power supplies fail simultaneously.
(5)
λ = Failure Rate = 1/MTBF
Publication 1756-RM001E-EN-P - November 2006
Sample Probability of Failure on Demand (PFD) Calculations
E-3
Table E.2 shows an example of a PFD calculation for a safety loop involving two DC input modules used in a 1oo2 configuration and a DC output module using a proof test interval of 5 years. Table E.2 Catalog Number:
Description:
MTBF:
1756-Axx
ControlLogix Chassis 36,322,045 (aggregate)
3.03E-05
1756-L55M16
ControlLogix 5555 Controller
1,644,933
6.69E-04
1756-OB16D
DC Output
14,321,691
7.68E-05
1756-IB16D
DC Diagnostic Input
41,300,480
2.14E-07
Total PFD calculation for a safety loop consisting of these products:
Calculated PFD:
7.78E-04
Publication 1756-RM001E-EN-P - November 2006
E-4
Sample Probability of Failure on Demand (PFD) Calculations
Notes:
Publication 1756-RM001E-EN-P - November 2006
Appendix
F
Using ControlLogix in SIL1 Applications
When using ControlLogix products in a SIL1 application, you must use the products as described in this manual, including following all test guidelines listed. For example, perform pulse testing on diagnostic output modules as described in Chapter 6. This appendix describes changes in the system hardware requirements for SIL1 certification. It is assumed that the following conditions exist in SIL1 applications: • Modules operate in a low demand applications • Hardware Fault Tolerance (HFT) = 0 • Safe Failure Fraction (SFF) is > 60% and < 90% • Probability of Failure on Demand (PFD) must be > 10-2 and < 10-1
Additional Considerations
Table F.1 lists additional considerations that must be made with various ControlLogix modules in a SIL1 application.
Table F.1 Module type:
Additional considerations:
Controllers
None. Use the controller exactly as described previously in this manual.
ControlNet modules
None. Use the modules exactly as described previously in this manual.
Data Highway Plus and Ethernet modules
None. Use the modules exactly as described previously in this manual.
Digital output modules(1)
Diagnostic output modules are recommended in a SIL1 application. Implement a secondary shutdown path if the SIL1 application requires a fail-safe OFF in the event of a shorted output.
Digital input modules(2)
Only 1 module is required in a SIL1 application. Periodic tests of the inputs should be performed as described previously in this manual.
Analog output modules(1)
Analog output modules should be wired as described previously in this manual.
Analog input modules(2)
Only 1 module is required in a SIL1 application. Periodic tests of the inputs should be performed as described previously in this manual.
(1)
The user should be alerted to any detected output failures.
(2)
The test interval of module inputs must be specified according to application-dependent standards. For example, according to EN50156, the time for fault detection and tripping must be less than or equal to the fault tolerance time.
1
Publication 1756-RM001E-EN-P - November 2006
F-2
Using ControlLogix in SIL1 Applications
Probability of Failure on Demand Calculations in a SIL1 Application
Table F.2 lists the PFD calculations for ControlLogix products in a SIL1-certified system. These calculations use a Proof Test Interval = 1 year.
Table F.2 ControlLogix Product Probability of Failure on Demand (PFD) Calculations Catalog Number Description
Mean Time Between λ(5) Failure (MTBF)(1)
1756-Axx
ControlLogix Chassis
36,322,045(2) (aggregate)
2.75E-08
6.17E-06
1756-CNB/D
ControlNet Bridge - Series D
5,595,646
1.79E-07
4.00E-05
1756-CNB/E
ControlNet Bridge Series E
2,944,988(3)
3.40E-07
7.61E-05
1756-CNBR/D
Redundant ControlNet Bridge - Series D
3,109,957
3.22E-07
7.20E-05
756-CNBR/E
Redundant ControlNet Bridge - Series E
2,864,755(3)
3.49E-07
7.82E-05
1756-IA16I
AC Isolated Input
15,262,520
6.55E-08
1.47E-05
1756-IA8D
AC Diagnostic Input
10,383,360
9.63E-08
2.16E-05
1756-IB16D
DC Diagnostic Input
41,300,480
2.42E-08
5.42E-06
1756-IB16I
DC Isolated Input
19,862,336
5.03E-08
1.13E-05
1756-IB16ISOE
Sequence of Events Module
4,959,088(3)
2.02E-07
4.52E-05
1756-IB32
DC Input Module
2,468,448
4.05E-07
9.07E-05
1756-IF16
Single-ended Analog Input Module
2,094,159
4.78E-07
1.07E-04
1756-IF6CIS
Isolated Sourcing Analog Input Module
3,065,920
3.26E-07
7.31E-05
1756-IF6I
Isolated Analog Input Module
2,838,451
3.52E-07
7.89E-05
1756-IF8
Analog Input
2,235,008
4.47E-07
1.00E-04
1756-IH16ISOE
Sequence of Events Module
6,044,122
1.65E-07
3.71E-05
1756-IR6I
RTD Input
3,826,296
2.61E-07
5.85E-05
1756-IT6I
Thermocouple Input
3,002,035
3.33E-07
7.46E-05
1756-IT6I2
Enhanced Thermocouple Input Module
991,929
1.01E-06
2.26E-04
1756-L55M13
ControlLogix 1.5Mb Controller
2,228,750
4.49E-07
1.01E-04
1756-L55M16
ControlLogix 7.5Mb Controller
1,644,933
6.08E-07
1.36E-04
1756-L61
ControlLogix 2 Mb Controller
815,822
1.23E-06
2.75E-04
1756-L62
ControlLogix 4 Mb Controller
576,992
1.73E-06
3.88E-04
1756-L63
ControlLogix 8 Mb Controller
782,912
1.28E-06
2.86E-04
1756-OA16I
AC Isolated Output
10,911,086
9.16E-08
2.05E-05
1756-OA8D
AC Diagnostic Output
6,922,240
1.44E-07
3.24E-05
1756-OB16D
DC Diagnostic Output
14,321,691
6.98E-08
1.56E-05
1756-OB16I
DC Isolated Output
2,371,445
4.22E-07
9.45E-05
1756-OB32
DC Output Module
1,278,125
7.82E-07
1.75E-04
1756-OB8EI
DC Fused Output
5,853,120
1.71E-07
3.83E-05
Publication 1756-RM001E-EN-P - November 2006
(3)
Calculated PFD in a 1oo1 architecture:
Using ControlLogix in SIL1 Applications
F-3
Table F.2 ControlLogix Product Probability of Failure on Demand (PFD) Calculations Catalog Number Description
Mean Time Between λ(5) Failure (MTBF)(1)
Calculated PFD in a 1oo1 architecture:
1756-OF6CI
Isolated Analog Output Module (Current)
9,296,907
1.08E-07
2.41E-05
1756-OF6VI
Isolated Analog Output Module (Voltage)
13,062,400
7.66E-08
1.71E-05
1756-OF8
Analog Output
5,717,675
1.75E-07
3.92E-05
1756-OW16I
Isolated Relay Output Module
1,360,415
7.35E-07
1.65E-04
1756-OX8I
Contact Output
19,281,600
5.19E-08
1.16E-05
1756-PA75/A
AC Power Supply
14,538,606
6.88E-08
1.54E-05
1756-PA75/B
AC Power Supply
5,513,591(3)
1.81E-07
4.06E-05
1756-PA75R
AC Redundant Power Supply
296,978(4)
3.37E-06
7.54E-04
1756-PB75/A
DC Power Supply
10,157,334
9.85E-08
7.30E-05
1756-PB75/B
DC Power Supply
5,884,430(3)
1.70E-07
3.81E-05
1756-PB75R
DC Redundant Power Supply
1,134,848(4)
8.81E-07
1.97E-04
1756-PC75
DC Power supply
5,894,836(3)
1.70E-07
3.80E-05
1756-PH75
DC Power supply
5,889,628(3)
1.70E-07
3.80E-05
1756-PSCA
Power Sup Chassis Adapter Module
45,146,727(3)
2.21E-08
4.96E-06
1756-PSCA2
Redundant Power Supply Chassis Adapter Module
45,146,727(3)
2.21E-08
4.96E-06
1757-SRM
System Redundancy Module
835,357
1.20E-06
2.68E-04
(1)
MTBF measured in hours. The values used here represent values available in September 2006.
(2)
Aggregate based on total shipments and total returns of all five chassis (1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17) collectively.
(3)
Calculated using field-based values for components.
(4)
Assumes that both power supplies fail simultaneously.
(5)
λ = Failure Rate = 1/MTBF
Publication 1756-RM001E-EN-P - November 2006
F-4
Using ControlLogix in SIL1 Applications
Probability of Undetected Dangerous Failure Per Hour Calculations in a SIL1 Application
Table F.3 lists the PFH calculations for ControlLogix products in a SIL1-certified system. These calculations use a Proof Test Interval = 1 year.
Table F.3 ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations Catalog Number Description
Mean Time Between λ(5) Failure (MTBF)(1)
Calculated PFH: 1oo1 architecture
1756-Axx
ControlLogix Chassis
36,322,045 (aggregate)
2.75E-08
1.38E-09
1756-CNB/D
ControlNet Bridge - Series D
5,595,646
1.79E-07
8.94E-09
1756-CNB/E
ControlNet Bridge - Series E
2,944,988(3)
3.40E-07
1.70E-08
1756-CNBR /D
Redundant ControlNet Bridge - Series D
3,109,957
3.22E-07
1.61E-08
1756-CBNBR/E
Redundant ControlNet Bridge - Series E
2,864,755(3)
3.49E-07
1.75E-08
1756-IA16I
AC Isolated Input
15,262,520
6.55E-08
3.28E-09
1756-IA8D
AC Diagnostic Input
10,383,360
9.63E-08
4.82E-09
1756-IB16D
DC Diagnostic Input
41,300,480
2.42E-08
1.21E-09
1756-IB16I
DC Isolated Input
19,862,336
5.03E-08
2.52E-09
1756-IB16ISOE
Sequence of Events Module
4,959,088(3)
2.02E-07
1.01E-08
1756-IB32
DC Input Module
2,468,448
4.05E-07
2.03E-08
1756-IF16
Single-ended Analog Input Module
2,235,008
4.47E-07
2.24E-08
1756-IF6CIS
Isolated Sourcing Analog Input Module
2,094,159
4.78E-07
2.39E-08
1756-IF6I
Isolated Analog Input Module
3,065,920
3.26E-07
1.63E-08
1756-IF8
Analog Input
2,838,451
3.52E-07
1.76E-08
1756-IH16ISOE
Sequence of Events Module
6,044,122(3)
1.65E-07
8.27E-09
1756-IR6I
RTD Input
3,826,296
2.61E-07
1.31E-08
1756-IT6I
Thermocouple Input
3,002,035
3.33E-07
1.67E-08
1756-IT6I2
Enhanced Thermocouple Input Module
991,929
1.01E-06
5.04E-08
1756-L55M13
ControlLogix 1.5Mb Controller
2,228,750
4.49E-07
2.24E-08
1756-L55M16
ControlLogix 5555 Processor
1,644,933
6.08E-07
3.04E-08
1756-L61
ControlLogix 2 Mb Controller
815,822
1.23E-06
6.13E-08
1756-L62
ControlLogix 4 Mb Controller
576,992
1.73E-06
8.67E-08
1756-L63
ControlLogix 8 Mb Controller
782,912
1.28E-06
6.39E-08
1756-OA16I
AC Isolated Output
10,911,086
9.16E-08
4.58E-09
1756-OA8D
AC Diagnostic Output
6,922,240
1.44E-07
7.22E-09
1756-OB16D
DC Diagnostic Output
14,321,691
6.98E-08
3.49E-09
1756-OB16I
DC Isolated Output
2,371,445
4.22E-07
2.11E-08
1756-OB32
DC Output Module
1,278,125
7.82E-07
3.91E-08
Publication 1756-RM001E-EN-P - November 2006
(2)
Using ControlLogix in SIL1 Applications
F-5
Table F.3 ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations Catalog Number Description
Mean Time Between λ(5) Failure (MTBF)(1)
1oo1 architecture
Calculated PFH:
1756-OB8EI
DC Fused Output
5,853,120
1.71E-07
8.54E-09
1756-OF6CI
Isolated Analog Output Module (Current)
9,296,907
1.08E-07
5.38E-09
1756-OF6VI
Isolated Analog Output Module (Voltage)
13,062,400
7.66E-08
3.83E-09
1756-OF8
Analog Output
5,717,675
1.75E-07
8.74E-09
1756-OW16I
Isolated Relay Output Module
1,360,415(3)
7.35E-07
3.68E-08
1756-OX8I
Contact Output
19,281,600
5.19E-08
2.59E-09
1756-PA75/A
AC Power Supply
14,538,606
6.88E-08
3.44E-09
1756-PA75/B
AC Power Supply
5,513,591(3)
1.81E-07
9.07E-09
1756-PA75R
AC Redundant Power Supply
296,978(4)
3.37E-06
1.68E-07
1756-PB75/A
DC Power Supply
10,157,334
9.85E-08
4.92E-09
1756-PB75/B
DC Power Supply
5,884,430(3)
1.70E-07
8.50E-09
1756-PB75R
DC Redundant Power Supply
1,134,848(4)
8.81E-07
4.41E-08
1756-PC75
DC Power supply
5,894,836(3)
1.70E-07
8.48E-09
1756-PH75
DC Power supply
5,889,628(3)
1.70E-07
8.49E-09
1756-PSCA
Power Supply Chassis Adapter
45,146,727(3)
2.21E-08
1.11E-09
1756-PSCA2
Redundant Power Supply Chassis Adapter Module
45,146,727(3)
2.21E-08
1.11E-09
1757-SRM
System Redundancy Module
835,357
1.20E-06
5.99E-08
(1)
MTBF measured in hours. The values used here represent those values available in September 2006.
(2)
Aggregate based on total shipments and total returns of all five chassis (1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17) collectively.
(3)
Calculated using field-based values for components.
(4)
Assumes that both power supplies fail simultaneously.
(5)
λ = Failure Rate = 1/MTBF
Publication 1756-RM001E-EN-P - November 2006
F-6
Using ControlLogix in SIL1 Applications
Notes:
Publication 1756-RM001E-EN-P - November 2006
Index A Agency certifications 1-21 Analog input modules 6-13–6-19 Analog output modules 6-20–6-24 Application program Programming languages 9-4 SIL task/program instructions 9-4 Technical SIL2 requirements 9-1–9-8 Architecture Overview of ControlLogix architecture
2-2
C Calibration 6-13, 6-20 Chassis 3-2 Commissioning life cycle 9-5 Communication ControlNet 2-6, 5-2 Ethernet 5-3 Field side output verification 2-4 Output data echo 2-4, 6-8 Producer/consumer model 2-2 Communications modules 5-1–5-5 ControlNet module 5-2 Documentation 5-5 Ethernet module 5-3 Usage recommendations 5-4 Control and information protocol Definition Preface-vii Controller 4-1–4-2 Documentation 4-2 Usage recommendations 4-2 ControlLogix architecture 2-2 ControlNet module 5-2
D Diagnostic coverage Definition Preface-vii Documenation Controller 4-2 Documentation Communications modules 5-5 Hardware 3-4
E Ethernet module 5-3
European norm. Definition Preface-vii
F Fault handling 2-3, 7-1–7-3, B-1, C-1 Fault reporting 2-3, 6-4, 7-1–7-3, B-1,
C-1 Analog input modules 6-14 Analog output modules 6-21 Digital input modules 6-6 Digital output modules 6-8, 6-12 Field side output verification 2-4 Forcing via software 8-4
G Get system value (GSV) Defintion Preface-vii
H Hardware 3-1–3-4 Chassis 3-2 Documentation 3-4 Power supplies 3-2–3-3 Usage recommendations 3-3 Human to machine interfaces Use and application 10-1–10-3
I I/O modules 6-1–6-26 Analog input modules 6-13–6-19 Analog output modules 6-20–6-24 Calibration 6-13, 6-20 Digital input modules 6-5–6-6 Digital output modules 6-7–6-12 Fault reporting 6-4, 6-6, 6-8, 6-12,
6-14, 6-21 Proof tests 6-5, 6-7, 6-13, 6-20 Response times A-1–A-4 Wiring analog input modules 6-16–
6-19 Wiring analog output modules 6-23–
6-24 Wiring digital input modules 6-6 Wiring digital output modules 6-10–
6-12 Interface HMI use and application 10-1–10-3
Publication 1756-RM001E-EN-P - November 2006
2
Index
M
S
Mean time between failures (MTBF) Definition Preface-vii Mean time to restoration Definition Preface-vii
O Operational modes 8-5 Output data echo 2-4, 6-8
P Power supplies 3-2–3-3 Non-redundant 3-2 Redundant 3-3 Probability of failure on demand (PFD)
1-12–1-19 Calculation equation 1-13 Calculations for each catalog number
1-14, E-1, F-2 Definition Preface-vii Probability of failure per hour (PFH)
1-12–1-19 Calculation equation 1-14 Calculations for each catalog number
1-17, F-4 Definition Preface-vii Producer/consumer communication model 2-2 Programming languages 9-4 Proof tests 1-6, 6-5, 6-7, 6-13, 6-20 Pulse test 2-5
R Response times A-1–A-4 RSLogix 5000 Preface-vii, 2-6 Changing your application program 9-6 Commissioning life cycle 9-5 Forcing 8-4 General requirements 8-1–8-6 Programming languages 9-4 Security 8-4 SIL task/program instructions 9-4 SIL2 programming 8-2
Publication 1756-RM001E-EN-P - November 2006
Safety certifications and compliances For ControlLogix catalog numbers 1-12 Security via software 8-4 SIL compliance Distribution and weight 1-20 SIL loop example 1-4, 1-5 SIL policy 1-1–1-23 SIL2 requirements For the application program 9-1–9-8 SIL2-certified components Complete list of ControlLogix catalog numbers 1-8 Software Changing your application program 9-6 Commissioning life cycle 9-5 Forcing 8-4 General requirements 8-1–8-6 Programming languages 9-4 RSLogix 5000 Preface-vii, 2-6 Security 8-4 SIL task/program instructions 9-4 SIL2 programming 8-2 Software watchdog 1-23 Spurious failure estimates D-1 System hardware 3-1–3-4 Chassis 3-2 Documentation 3-4 Power supplies 3-2–3-3 Usage recommendations 3-3
T Terminology Used throughout manual Preface-vii
W Watchdog 1-23 Wiring I/O modules Analog input modules 6-16–6-19 Analog output modules 6-23–6-24 Digital input modules 6-6 Digital output modules 6-10–6-12
How Are We Doing? Your comments on our technical publications will help us serve you better in the future. Thank you for taking the time to provide us feedback. You can complete this form and mail (or fax) it back to us or email us at
[email protected] Pub. Title/Type Using ControlLogix in SIL2 Applications Cat. No.
1756 Series
Pub. No.
1756-RM001E-EN-P
Pub. Date November 2006
Part No.
953014-96
Please complete the sections below. Where applicable, rank the feature (1=needs improvement, 2=satisfactory, and 3=outstanding). Overall Usefulness
Completeness (all necessary information is provided)
Technical Accuracy (all provided information is correct)
1
2
3
How can we make this publication more useful for you?
1
2
3
Can we add more information to help you?
1
Clarity 1 (all provided information is easy to understand)
2
3
procedure/step
illustration
feature
example
guideline
other
explanation
definition
Can we be more accurate? text
2
Other Comments
3
illustration
How can we make things clearer?
You can add additional comments on the back of this form.
Your Name Your Title/Function Location/Phone
Would you like us to contact you regarding your comments? ___No, there is no need to contact me ___Yes, please call me ___Yes, please email me at _______________________ ___Yes, please contact me via _____________________
Return this form to:
Rockwell Automation Technical Communications, 1 Allen-Bradley Dr., Mayfield Hts., OH 44124-9705 Fax: 440-646-3525
Publication CIG-CO521C-EN-P- May 2003
Email:
[email protected]
PN953014-96957782-91
PLEASE FASTEN HERE (DO NOT STAPLE)
PLEASE FOLD HERE
NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES
BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO. 18235 CLEVELAND OH POSTAGE WILL BE PAID BY THE ADDRESSEE
1 ALLEN-BRADLEY DR MAYFIELD HEIGHTS OH 44124-9705
PLEASE REMOVE
Other Comments
Rockwell Automation Support
Rockwell Automation provides technical information on the Web to assist you in using its products. At http://support.rockwellautomation.com, you can find technical manuals, a knowledge base of FAQs, technical and application notes, sample code and links to software service packs, and a MySupport feature that you can customize to make the best use of these tools. For an additional level of technical phone support for installation, configuration, and troubleshooting, we offer TechConnect Support programs. For more information, contact your local distributor or Rockwell Automation representative, or visit http://support.rockwellautomation.com.
Installation Assistance If you experience a problem with a hardware module within the first 24 hours of installation, please review the information that's contained in this manual. You can also contact a special Customer Support number for initial help in getting your module up and running. United States
1.440.646.3223 Monday – Friday, 8am – 5pm EST
Outside United States
Please contact your local Rockwell Automation representative for any technical support issues.
New Product Satisfaction Return Rockwell tests all of its products to ensure that they are fully operational when shipped from the manufacturing facility. However, if your product is not functioning, it may need to be returned.
Publication 1756-RM001E-EN-P - November 2006 2 Supersedes Publication 1756-RM001D-EN-P - January 2005
United States
Contact your distributor. You must provide a Customer Support case number (see phone number above to obtain one) to your distributor in order to complete the return process.
Outside United States
Please contact your local Rockwell Automation representative for return procedure.
PN 953014-96 Copyright © 2006 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.