Using ControlLogix
in SIL2 Applications
1756 Series
Safety Reference Manual
Important User Information
Solid state equipment has operational characteristics differing from those of
electromechanical equipment. Safety Guidelines for the Application,
Installation and Maintenance of Solid State Controls (Publication SGI-1.1
available from your local Rockwell Automation sales office or online at
http://www.ab.com/manuals/gi) describes some important differences
between solid state equipment and hard-wired electromechanical devices.
Because of this difference, and also because of the wide variety of uses for
solid state equipment, all persons responsible for applying this equipment
must satisfy themselves that each intended application of this equipment is
acceptable.
In no event will Rockwell Automation, Inc. be responsible or liable for
indirect or consequential damages resulting from the use or application of
this equipment.
The examples and diagrams in this manual are included solely for illustrative
purposes. Because of the many variables and requirements associated with
any particular installation, Rockwell Automation, Inc. cannot assume
responsibility or liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to
use of information, circuits, equipment, or software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without
written permission of Rockwell Automation, Inc. is prohibited.
Throughout this manual, when necessary we use notes to make you aware of
safety considerations.
WARNING
Identifies information about practices or circumstances
that can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property
damage, or economic loss.
IMPORTANT
Identifies information that is critical for successful
application and understanding of the product.
ATTENTION
Identifies information about practices or circumstances
that can lead to personal injury or death, property
damage, or economic loss. Attentions help you:
• identify a hazard
• avoid a hazard
• recognize the consequence
SHOCK HAZARD
Labels may be located on or inside the equipment (e.g.,
drive or motor) to alert people that dangerous voltage may
be present.
BURN HAZARD
Labels may be located on or inside the equipment (e.g.,
drive or motor) to alert people that surfaces may be
dangerous temperatures.
Summary of Changes
New and Revised Information
Change bars located in margins indicate updates and new information
added to this revision. Table 1 lists the most significant new and
revised information included in this release of this manual.
Table 1 New and Revised Information
Topic: Location:
Components for Use in SIL2 Applications: Table 1.1 on page 1-8
Checklist for the ControlLogix System: page 2-8
Safety Certifications and Compliances: page 1-12
Probability of Failure on Demand (PFD) calculations: Table 1.2 on page 1-14
Example PFD calculations: Table 1.4 on page 1-19
Probability of Undetected Dangerous Failure per Hour (PFH) calculations: Table 1.3 on page 1-17
Use of ControlNet repeaters in SIL2 systems: page 5-2
ControlLogix Diagnostic Output Module Wiring: Figure 6.7 on page 6-10
ControlLogix Standard Output Wiring: Figure 6.8 on page 6-11
General considerations for the use of analog modules: page 6-20
ControlLogix Analog Module Wiring in Current Mode: Figure 6.18 on page 6-24
Security considerations for programming: page 8-4
Spurious Failure Estimates: page D-1
Sample Probability of Failure on Demand (PFD) Calculations: page E-1
Probability of Failure on Demand (PFD) Calculations in a SIL1 Application: page F-2
Probability of Undetected Dangerous Failure per Hour (PFH) Calculations in SIL1 Applications: page F-4
Publication 1756-RM001E-EN-P - November 2006
Preface
Introduction
This application manual is intended to describe the ControlLogix
Control System components available from Rockwell Automation that
are suitable for use in SIL2 applications.
IMPORTANT
This manual describes typical SIL2 implementations
using certified ControlLogix equipment. Keep in
mind that the descriptions presented in this manual
do not preclude other methods of implementing a
SIL2-compliant system using ControlLogix.
Other methods may include TUV-approved
application-certified architectures, or the use of the
FLEX I/O system as described in FLEX I/O System
with ControlLogix for SIL2 reference manual,
publication 1794-RM001.
Manual Set-Up
This manual is designed to make clear how the ControlLogix Control
System can be SIL2-certified. Table Preface.1 lists the information
available in each section.
Table Preface.1
If you need this information, see this section:

Chapter 1, SIL Policy
Introduction to the SIL policy and how that policy relates to the ControlLogix system, including:
• typical SIL2 configurations, both non-redundant and redundant
• proof test descriptions
• complete list of SIL2-certified ControlLogix components
• probability of failure on demand (PFD) and probability of dangerous failure occurring per
hour (PFH) calculations for SIL2-certified components with a 1 year proof test interval

Chapter 2, The ControlLogix System
Brief overview of all the components present in the SIL2-certified ControlLogix system, including:
• fault reporting
• fault handling
• module diagnostics
• checklist for a SIL2-certified ControlLogix system

Chapter 3, ControlLogix System Hardware
Description of the ControlLogix power supplies and chassis used in a SIL2-certified ControlLogix
system and recommendations on using these components.

Chapter 4, ControlLogix Controller
Description of the ControlLogix controllers used in the SIL2-certified ControlLogix system,
including the 1784-CG64 CompactFlash card and recommendations on using the controllers.

Chapter 5, ControlLogix Communications Modules
Description of the ControlLogix communications modules used in the SIL2-certified ControlLogix
system and recommendations on their use in a SIL2-certified system.

Chapter 6, ControlLogix I/O Modules
Description of the ControlLogix I/O modules used in the SIL2-certified ControlLogix system,
including:
• use of both digital and analog I/O modules
• I/O module fault reporting
• usage considerations
• wiring diagrams
• checklist for I/O modules in a SIL2-certified ControlLogix system

Chapter 7, Faults in the ControlLogix System
Description of how the ControlLogix detects, and reacts to, faults. Specifically, this section
describes the following two example conditions that generate a fault in a SIL2-certified system:
• keyswitch changing out of RUN mode
• high alarm condition on an analog input module

Chapter 8, General Requirements for Application Software
Guidelines for application development in RSLogix 5000 as they relate to SIL2-certified systems.
The guidelines include:
• suggestions of good design practices
• checking the application program
• identifying the program
• forcing
• security
• checklist for the creation of an application program

Chapter 9, Technical SIL2 Requirements for the Application Program
Description of technical safety requirements in SIL2-certified ControlLogix applications. The
following topics are described in this section:
• general programming procedures
• SIL task/program instructions
• available programming languages
• commissioning lifecycle
• method to change an application program
• forcing

Chapter 10, Use and Application of Human to Machine Interfaces
Description of the precautions and techniques that should be used with HMI devices as they are
used in SIL2-certified ControlLogix applications, including:
• information about changing parameters in a safety-related loop
• information about changing parameters in a non-safety-related loop

Appendix A, Response Times in ControlLogix
Calculation methods for worst case reaction time for a given change in input or a fault condition
and the corresponding output action.

Appendix B, System Self-Testing and User-Programmed Responses
Self-testing in a ControlLogix system and more information about user-programmed responses.

Appendix C, Additional Information on Handling Faults in the ControlLogix System
Additional information on handling faults.

Appendix D, Spurious Failure Estimates
Spurious failure rates based on field returns.

Appendix E, Sample Probability of Failure on Demand (PFD) Calculations
Additional PFD calculations based on proof test intervals of 2 years and 4 years.

Appendix F, Using ControlLogix in SIL1 Applications
Using ControlLogix in SIL1 applications.
Understanding Terminology
The following table defines acronyms used in this manual.
Table Preface.2 List of Acronyms Used Throughout the Safety Application Manual
CIP (Control and Information Protocol): A messaging protocol used by Logix5000™ systems. It is a native communications protocol used on ControlNet™ communications networks, among others.
DC (Diagnostic Coverage): The ratio of the detected failure rate to the total failure rate.
EN (European Norm): The official European Standard.
GSV (Get System Value): A ladder logic output instruction that retrieves specified controller status information and places it in a destination tag.
MTBF (Mean Time Between Failures): Average time between failure occurrences.
MTTR (Mean Time to Restoration): Average time needed to restore normal operation after a failure has occurred.
PADT (Programming and Debugging Tool): RSLogix 5000 software used to program and debug a SIL2-certified ControlLogix application.
PC (Personal Computer): Computer used to interface with, and control, a ControlLogix system via RSLogix 5000 programming software.
PFD (Probability of Failure on Demand): The average probability of a system to fail to perform its design function on demand.
PFH (Probability of Failure per Hour): The probability of a system to have a dangerous failure occur per hour.
Table of Contents

Chapter 1, SIL Policy
Introduction to SIL . . . . 1-1
Typical SIL2 Configurations . . . . 1-4
Proof Tests . . . . 1-6
Proof Testing with Redundancy Systems . . . . 1-7
SIL2-Certified ControlLogix System Components . . . . 1-8
Safety Certifications and Compliances . . . . 1-12
Hardware Designs and Firmware Functions . . . . 1-12
Difference Between PFD and PFH . . . . 1-12
SIL Compliance Distribution and Weight . . . . 1-20
Other Agency Certifications . . . . 1-21
Response Times . . . . 1-21
Response Times in Redundancy Systems . . . . 1-22
Program Watchdog Time in ControlLogix System . . . . 1-23
Contact Information When Device Failure Occurs . . . . 1-23

Chapter 2, The ControlLogix System
General Overview of ControlLogix Platform . . . . 2-1
Overview of the ControlLogix Architecture . . . . 2-2
Module Fault Reporting . . . . 2-3
Fault Handling . . . . 2-3
Data Echo Communication Check . . . . 2-4
Pulse Test . . . . 2-5
Software . . . . 2-6
Communications . . . . 2-6
Other Unique Features that Aid Diagnostics . . . . 2-7
Checklist for the ControlLogix System . . . . 2-8

Chapter 3, ControlLogix System Hardware
Introduction to the Hardware . . . . 3-1
ControlLogix Chassis . . . . 3-2
ControlLogix Power Supplies . . . . 3-2
Non-Redundant Power Supply . . . . 3-2
Redundant Power Supply . . . . 3-3
Recommendations for System Hardware Use . . . . 3-3
Chassis . . . . 3-3
Power Supplies . . . . 3-4
Related ControlLogix Hardware Documentation . . . . 3-4

Chapter 4, ControlLogix Controller
Introduction to the Controller . . . . 4-1
CompactFlash Card . . . . 4-1
Recommendations for Controller Use . . . . 4-2
Related Controller Documentation . . . . 4-2

Chapter 5, ControlLogix Communications Modules
Introduction to Communication Modules . . . . 5-1
ControlNet Bridge Module . . . . 5-2
ControlNet Cabling . . . . 5-2
ControlNet Repeater . . . . 5-2
ControlNet Module Diagnostic Coverage . . . . 5-2
Ethernet Module . . . . 5-3
Ethernet Versus ControlNet . . . . 5-3
Data Highway Plus - Remote I/O . . . . 5-4
SynchLink . . . . 5-4
Recommendations for Communications Modules Use . . . . 5-4
Related Communications Modules Documentation . . . . 5-5

Chapter 6, ControlLogix I/O Modules
Overview of ControlLogix I/O Modules . . . . 6-1
Module Fault Reporting for any ControlLogix I/O Module . . . . 6-4
Using Digital Input Modules . . . . 6-5
General Considerations when using Any ControlLogix Digital Input Module . . . . 6-5
Wiring ControlLogix Digital Input Modules . . . . 6-6
Using Digital Output Modules . . . . 6-7
General Considerations when using Any ControlLogix Digital Output Module . . . . 6-7
Wiring ControlLogix Digital Output Modules . . . . 6-10
Diagnostic Digital Output Modules . . . . 6-10
Standard Digital Output Modules . . . . 6-11
Using Analog Input Modules . . . . 6-13
General Considerations when using Any ControlLogix Analog Input Module . . . . 6-13
Wiring ControlLogix Analog Input Modules . . . . 6-16
Wiring the Single-Ended Input Module in Voltage Mode . . . . 6-16
Wiring the Single-Ended Input Module in Current Mode . . . . 6-17
Wiring the Thermocouple Input Module . . . . 6-18
Wiring the RTD Input Module . . . . 6-19
Using Analog Output Modules . . . . 6-20
General Considerations when using Any ControlLogix Analog Output Module . . . . 6-20
Wiring ControlLogix Analog Output Modules . . . . 6-23
Wiring the Analog Output Module in Voltage Mode . . . . 6-23
Wiring the Analog Output Module in Current Mode . . . . 6-24
Checklist for SIL Inputs . . . . 6-25
Checklist for SIL Outputs . . . . 6-26

Chapter 7, Faults in the ControlLogix System
Introduction . . . . 7-1
Checking Keyswitch Position with GSV Instruction . . . . 7-2
Examining an Analog Input Module's High Alarm . . . . 7-3

Chapter 8, General Requirements for Application Software
Software for SIL2-Related Systems . . . . 8-1
SIL2 Programming . . . . 8-2
Safety Concept of the ControlLogix system . . . . 8-2
General Guidelines for Application Software Development . . . . 8-2
Check the Created Application Program . . . . 8-3
Possibilities of Program Identification . . . . 8-3
Forcing . . . . 8-4
Security . . . . 8-4
ControlLogix System Operational Modes . . . . 8-5
Checklist for the Creation of an Application Program . . . . 8-6

Chapter 9, Technical SIL2 Requirements for the Application Program
General Procedure . . . . 9-1
Basics of Programming . . . . 9-2
Logic and Instructions . . . . 9-2
Program Logic . . . . 9-2
Specification . . . . 9-3
Sensors (Digital or Analog) . . . . 9-3
Actuators . . . . 9-4
SIL Task/Program Instructions . . . . 9-4
Programming Languages . . . . 9-4
Commissioning Life Cycle . . . . 9-5
Changing Your Application Program . . . . 9-6
Forcing . . . . 9-8

Chapter 10, Use and Application of Human to Machine Interfaces
Using Precautions and Techniques with HMI . . . . 10-1
Accessing Safety-Related Systems . . . . 10-1
Changing Parameters in Safety-Related Systems . . . . 10-2
Changing Parameters in Non-Safety-Related Systems . . . . 10-3

Appendix A, Response Times in ControlLogix
Digital Modules . . . . A-1
Local Chassis Configuration . . . . A-1
Remote Chassis Configuration . . . . A-2
Analog Modules . . . . A-3
Local Chassis Configuration . . . . A-3
Remote Chassis Configuration . . . . A-3
Redundancy Systems . . . . A-5

Appendix B, System Self-Testing and User-Programmed Responses
Validation Tests . . . . B-1
System Self Tests . . . . B-1
Reaction to Faults . . . . B-2

Appendix C, Additional Information on Handling Faults in the ControlLogix System
Introduction . . . . C-1

Appendix D, Spurious Failure Estimates
Introduction . . . . D-1

Appendix E, Sample Probability of Failure on Demand (PFD) Calculations
Proof Test Interval = 5 Years . . . . E-1

Appendix F, Using ControlLogix in SIL1 Applications
Additional Considerations . . . . F-1
Probability of Failure on Demand Calculations in a SIL1 Application . . . . F-2
Probability of Undetected Dangerous Failure Per Hour Calculations in a SIL1 Application . . . . F-4
Chapter 1
SIL Policy
This chapter introduces you to the SIL policy and how the
ControlLogix system meets the requirements for SIL2 certification.
For information about: See page:
Introduction to SIL: 1-1
Typical SIL2 Configurations: 1-4
Proof Tests: 1-6
SIL2-Certified ControlLogix System Components: 1-8
Safety Certifications and Compliances: 1-12
Hardware Designs and Firmware Functions: 1-12
Difference Between PFD and PFH: 1-12
ControlLogix Product Probability of Failure on Demand (PFD) Calculations: 1-14
ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations: 1-17
SIL Compliance Distribution and Weight: 1-20
Other Agency Certifications: 1-21
Response Times: 1-21
Program Watchdog Time in ControlLogix System: 1-23
Contact Information When Device Failure Occurs: 1-23
Certain catalog numbers (listed in Table 1.1 on page 1-8) of the
ControlLogix system are type-approved and certified for use in SIL2
applications according to IEC 61508, and in requirement class 4 (RC4,
also written AK4) applications according to DIN V 19250. Approval
requirements are based on the standards current at the time of certification.
These requirements consist of mean time between failures (MTBF),
probability of failure, failure rates, diagnostic coverage and safe failure
fractions that fulfill the SIL2 and AK4 criteria. The results make the
ControlLogix system suitable up to, and including, SIL2 and AK4.
When the ControlLogix system is in the maintenance or programming
mode, the user is responsible for maintaining a safe state.
For support in creation of programs, the PADT (Programming and
Debugging Tool) is required. The PADT for ControlLogix is
RSLogix 5000, per IEC 61131-3, and this Safety Reference Manual.
The TUV Rheinland Group has approved the ControlLogix system for
use in up to, and including, SIL 2 safety-related applications in which
the de-energized state is typically considered to be the safe state. All
of the examples related to I/O included in this manual are based on
achieving de-energization as the safe state for typical Emergency
Shutdown (ESD) Systems.
ControlLogix is a modular and configurable system with the ability to
pre-configure outputs and other responses to fault conditions. As
such, a system can be designed to meet requirements for "hold last
state" in the event of a fault, so that the system can be used in up to,
and including, SIL 2 Fire and Gas and other applications that
require output signals to actuators to remain on. By understanding
the behavior of the ControlLogix system for an emergency shutdown
application, the system design can incorporate appropriate measures
to meet other application requirements. These measures relate to the
control of outputs and actuators which must remain on to be in a safe
state. The other requirements for SIL2 regarding inputs from sensors,
software, etc. must also be met. The measures and modifications
which relate to Fire and Gas are listed below.
• The use of a manual override is necessary to ensure the
operator can maintain the desired control in the event of a
controller failure. This is similar in concept to the function of
the external relay or redundant outputs required to ensure a
de-energized state is achieved for an ESD system should a
failure occur (for example, a shorted output driver) that would
prevent this from normally occurring. The system knows it has a
failure, but the failure mode requires an independent means to
maintain control and either remove power or provide an
alternate path to maintain power to the end actuator.
• If the application cannot tolerate an output that can fail shorted
(energized), then an external means such as a relay or other
output must be wired in series to remove power when the
fail-shorted condition occurs. (Refer to Figure 6.8 on page 6-11.)
• If the application cannot tolerate an output that fails open
(de-energized), then an external means such as a manual override
or output must be wired in parallel. (Refer to the manual
override circuit in Figure 1.1 on page 1-3.) The user must supply the
alternative means and develop the application program to
initiate the alternate means of removing or continuing to supply
power in the event the main output fails.
• This manual override circuit is shown in Figure 1.1. It is
composed of a hardwired set of contacts from a selector switch
or push-button. One normally open contact provides for the
bypass of power from the controller output directly to the
actuator. The other is a normally closed contact to remove or
isolate the controller output.
• An application program needs to be generated to monitor the
diagnostic output modules for dangerous failures such as
shorted or open output driver channels. Diagnostic output
modules must be configured to hold last state in the event of a
fault.
• A diagnostic alarm must be generated to inform the operator
that manual control is required.
• The faulted module must be replaced within a reasonable time
frame.
• Any time a fault is detected the user must annunciate the fault to
an operator by some means (for example, an alarm light).
Figure 1.1 Manual Override Circuit
(Diagram: L1 supply, a hardwired manual override contact set between the controller output and the actuator, return to L2 or ground, and a fault alarm to the operator.)
Typical SIL2 Configurations
SIL2-certified ControlLogix systems can be used in a non-redundancy
or redundancy configuration. The most significant difference between
these configurations is that the redundancy configuration uses an
identical pair of ControlLogix chassis to keep your machine or process
running if a problem occurs with a controller.
Figure 1.2 shows a typical SIL loop that does not use
redundancy, including:
• the overall safety loop
• the ControlLogix portion of the overall safety loop
• how other devices (for example, HMI) connect to the loop,
while operating outside the loop
This loop is used for fail-safe applications.
Figure 1.2 Typical SIL Loop Without Controller Redundancy
(Diagram: the overall safety loop runs from the sensor, through the SIL2-certified ControlLogix components' portion of the loop, to the actuator. The ControlLogix portion is a controller chassis with ENBT and CNB modules, connected over ControlNet to a remote I/O chassis (CNB and I/O modules) and to other safety-related ControlLogix and remote I/O chassis. Callouts on the figure:)
Programming Software: for SIL applications, a programming terminal is not normally connected.
HMI: for diagnostics and visualization (read-only access to controllers in the safety loop). For more information, see Chapter 10.
Plant-wide Ethernet/Serial: to non-safety-related systems outside the ControlLogix portion of the SIL2-certified loop. For more information, see Chapter 5.
Figure 1.3 shows a typical SIL loop that uses redundancy, including:
• the overall safety loop
• the ControlLogix portion of the overall safety loop
• how other devices (for example, HMI) connect to the loop,
while operating outside the loop
This loop is used for high-availability applications.
IMPORTANT
With regard to IEC 61508, most SIL2-certified systems are
fault tolerant for the entire system. However, the
ControlLogix system is fault tolerant only for the devices in
the primary/secondary chassis and not the entire system.
Figure 1.3 Typical SIL Loop With Controller Redundancy
(Diagram: the overall safety loop runs from the sensor, through the SIL2-certified ControlLogix components' portion of the loop, to the actuator. The ControlLogix portion is a primary chassis and an identical secondary chassis, each with ENBT, CNB and SRM modules, connected over ControlNet to a remote I/O chassis (CNB and I/O modules) and to other safety-related ControlLogix and remote I/O chassis. Callouts on the figure:)
Programming Software: for SIL applications, a programming terminal is not normally connected.
HMI: for diagnostics and visualization (read-only access to controllers in the safety loop). For more information, see Chapter 10.
Plant-wide Ethernet/Serial: to non-safety-related systems outside the ControlLogix portion of the SIL2-certified loop. For more information, see Chapter 5.
IMPORTANT
The system user is responsible for:
• the set-up, SIL rating and validation of any
sensors or actuators connected to the
ControlLogix control system.
• project management and functional testing.
• programming the application software and the
module configuration according to the
description in the following chapters.
The SIL2 portion of the certified system excludes the
development tools and display/human machine
interface (HMI) devices; these tools and devices are
not part of the run time control loop.
It is also important to note that ControlLogix SIL2
certification is only available on ControlLogix
Redundancy systems that use 1756-L55M13 and
1756-L55M16 controllers.
While you can use the 1756-L6x controllers in a
redundant ControlLogix system, this set-up has not
yet been SIL2-certified.
Proof Tests
IEC 61508 requires the user to perform various proof tests of the
equipment used in the system. Proof tests are performed at
user-defined times (for example, proof test intervals can be once a
year, once every two years or whatever timeframe is appropriate) and
include some of the following tests:
• Testing of all fault routines to verify that process parameters are
monitored properly and the system reacts properly when a fault
condition arises.
• Testing of digital input or output channels to verify that they are
not stuck in the ON or OFF state.
• Calibration of analog input and output modules to verify that
accurate data is obtained from and used on the modules.
IMPORTANT
Users' specific applications will determine the
timeframe for the proof test interval.
However, keep in mind that the Probability of
Failure on Demand (PFD) calculations listed in
Table 1.2 on page 1-14 use a proof test interval of
once per year. If the proof test interval is not once
per year, the information must be recalculated.
For sample PFD calculations for proof test intervals
of 2 and 4 years, see Appendix E.
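The following is an added worked example, not part of the manual, showing why the PFD figures must be recalculated when the proof test interval changes. It applies the IEC 61508-6 simplified formula for a single (1oo1) channel, PFDavg = λDU·(TI/2 + MTTR) + λDD·MTTR, together with the diagnostic coverage definition from the preface and the IEC 61508 SIL target bands for PFDavg and PFH. The failure rates, MTTR and function names are constructed assumptions introduced here; they are not ControlLogix values (those are in Table 1.2 and Table 1.3 of the manual).

```python
"""1oo1 PFD/PFH versus proof test interval (IEC 61508 simplified formulas).

Added illustration; the failure rates below are CONSTRUCTED and are not
ControlLogix data.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61508-1 target bands: (SIL, lower bound inclusive, upper bound exclusive).
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def diagnostic_coverage(lambda_dd, lambda_du):
    """DC = detected dangerous failure rate / total dangerous failure rate."""
    total = lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("total dangerous failure rate must be positive")
    return lambda_dd / total


def pfd_avg_1oo1(lambda_du, lambda_dd, proof_test_hours, mttr_hours):
    """Average PFD of a 1oo1 channel (IEC 61508-6 simplified form).

    An undetected dangerous fault persists, on average, for half the proof
    test interval; a detected one persists only for the repair time (MTTR).
    """
    return lambda_du * (proof_test_hours / 2.0 + mttr_hours) + lambda_dd * mttr_hours


def pfh_1oo1(lambda_du):
    """High-demand metric: for a 1oo1 channel, PFH is the undetected dangerous failure rate."""
    return lambda_du


def sil_band(value, bands):
    """Return the SIL whose band contains value, or 0 if it is worse than SIL1."""
    for sil, lower, upper in bands:
        if lower <= value < upper:
            return sil
    return 0


def pfd_by_interval(lambda_du, lambda_dd, mttr_hours, years=(1, 2, 4, 5)):
    """Recompute PFDavg, and the SIL it supports, for several proof test intervals.

    This is the recalculation the manual requires when the interval is not one year.
    Returns {years: (pfd_avg, sil)}.
    """
    result = {}
    for y in years:
        pfd = pfd_avg_1oo1(lambda_du, lambda_dd, y * HOURS_PER_YEAR, mttr_hours)
        result[y] = (pfd, sil_band(pfd, PFD_BANDS))
    return result


# Constructed example channel: 5e-6 dangerous failures per hour, 90 % of them detected.
EXAMPLE_LAMBDA_DU = 5e-7   # undetected dangerous failures / hour (assumed)
EXAMPLE_LAMBDA_DD = 4.5e-6  # detected dangerous failures / hour (assumed)
EXAMPLE_MTTR = 8.0          # hours to restore after a detected fault (assumed)

if __name__ == "__main__":
    print("DC  =", diagnostic_coverage(EXAMPLE_LAMBDA_DD, EXAMPLE_LAMBDA_DU))
    pfh = pfh_1oo1(EXAMPLE_LAMBDA_DU)
    print("PFH =", pfh, "-> SIL", sil_band(pfh, PFH_BANDS))
    for yrs, (pfd, sil) in pfd_by_interval(EXAMPLE_LAMBDA_DU, EXAMPLE_LAMBDA_DD, EXAMPLE_MTTR).items():
        print(f"proof test interval {yrs} yr: PFDavg = {pfd:.3e} -> SIL {sil}")
```

With these assumed rates the channel sits inside the SIL2 PFD band at one, two and four year intervals, but at a five year interval PFDavg crosses 1e-2 and the channel only supports SIL1, while its PFH (which does not depend on the interval) stays in the SIL2 band. That is the point of the IMPORTANT note: the tabulated one-year figures cannot simply be reused with a longer interval.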
Proof Testing with Redundancy Systems
A ControlLogix redundancy system uses an identical pair of
ControlLogix chassis to keep your machine or process running if a
problem occurs with one of those chassis. When a failure occurs in any of
the components of the primary chassis, control switches to the
secondary controller.
The switchover can be monitored so that the system notifies the user
when it has occurred. In this case (that is, when a switchover takes
place), we recommend that you replace the failed controller within the
mean time to restoration (MTTR) for your application.
If you are using controller redundancy in a SIL2 application, you must
perform half the proof test on the primary controller and half the
proof test on the secondary controller.
TIP
If you are concerned about the availability of the
secondary controller if the primary controller fails, it
is good engineering practice to implement a
switchover periodically (e.g., once per proof test
interval).
For more information on switchovers in ControlLogix redundancy
systems and ControlLogix redundancy systems in general, see the
ControlLogix Redundancy System user manual, publication
1756-UM523.
For more information on system proof tests, see Chapter 2, The
ControlLogix System. For more information on the necessary I/O
module proof tests, see Chapter 6, ControlLogix I/O Modules.
SIL2-Certified ControlLogix System Components
Table 1.1 lists the components available for use in a SIL2-certified ControlLogix system.

Table 1.1 Components For Use in the SIL 2 System

Catalog Number | Description | Series | Firmware Revision(7),(8) | Installation Instructions(9) | User Manual(9)

Hardware:
1756-A4, A7, A10, A13 & A17 | ControlLogix Chassis | B | NA | 1756-IN080 | None available for these catalog numbers
1756-PA75 | AC Power Supply | A | NA | 1756-5.78 | None available for these catalog numbers
1756-PB75 | DC Power Supply | A | NA | 1756-5.78 | None available for these catalog numbers
1756-PA75 | AC Power Supply | B | NA | 1756-IN596 | None available for these catalog numbers
1756-PB75 | DC Power Supply | B | NA | 1756-IN596 | None available for these catalog numbers
1756-PA75R | AC Redundant Power Supply | A | NA | 1756-IN573 | None available for these catalog numbers
1756-PB75R | DC Redundant Power Supply | A | NA | 1756-IN573 | None available for these catalog numbers
1756-PC75 | DC Power Supply | B | NA | 1756-IN597 | None available for these catalog numbers
1756-PH75 | DC Power Supply | B | NA | 1756-IN589 | None available for these catalog numbers
1756-PSCA(1) | Redundant Power Supply Chassis Adapter Module | A | NA | 1756-IN574 | None available for these catalog numbers
1756-PSCA2 | Redundant Power Supply Chassis Adapter Module | A | NA | 1756-IN590 | None available for these catalog numbers

Controllers Used in Non-Redundant Applications:
1756-L55M13 | ControlLogix 1.5 Mb Controller | A | 15.5, 13.31, 11.32, 10.27 | 1756-IN101 | 1756-UM001
1756-L55M16 | ControlLogix 7.5 Mb Controller | A | 15.5, 13.31, 11.32, 10.27 | 1756-IN101 | 1756-UM001
1756-L61(2) | ControlLogix 2 Mb Controller | B | 15.4, 13.40 | 1756-IN101 | 1756-UM001
1756-L62(2) | ControlLogix 4 Mb Controller | B | 15.4, 13.40 | 1756-IN101 | 1756-UM001
1756-L63(2) | ControlLogix 8 Mb Controller | B | 15.4, 13.40 | 1756-IN101 | 1756-UM001

I/O Modules, Digital:
1756-IA16I | AC Isolated Input Module | A | 3.2, 2.2 | 1756-IN059 | 1756-UM058
1756-IA8D | AC Diagnostic Input Module | A | 3.2, 2.6 | 1756-IN055 | 1756-UM058
1756-IB16D | DC Diagnostic Input Module | A | 3.2, 2.6 | 1756-IN069 | 1756-UM058
1756-IB16I | DC Isolated Input Module | A | 3.2, 2.2 | 1756-IN010 | 1756-UM058
1756-IB16ISOE | Sequence of Events Module | A | 1.6, 1.5 | 1756-IN591 | 1756-UM528
1756-IB32 | DC Input Module | B | 3.5 | 1756-IN027 | 1756-UM058
1756-IH16ISOE | Sequence of Events Module | A | 1.6, 1.5 | 1756-IN592 | 1756-UM528
1756-OA16I | AC Isolated Output Module | A | 3.2, 2.1 | 1756-IN009 | 1756-UM058
1756-OA8D | AC Diagnostic Output Module | A | 3.3, 3.2, 2.5, 2.4 | 1756-IN057 | 1756-UM058
1756-OB16D | DC Diagnostic Output Module | A | 3.2, 2.3 | 1756-IN058 | 1756-UM058
1756-OB16I | DC Isolated Output Module | A | 3.2, 2.1 | 1756-IN512 | 1756-UM058
1756-OB32 | DC Output Module | A | 3.2, 2.4 | 1756-IN026 | 1756-UM058
1756-OB8EI | DC Isolated Output Module | A | 3.2, 2.3 | 1756-IN012 | 1756-UM058
1756-OW16I | Isolated Relay Output Module | A | 3.2, 2.1 | 1756-IN011 | 1756-UM058
1756-OX8I | Isolated Relay Output Module | A | 3.2, 2.1 | 1756-IN513 | 1756-UM058

I/O Modules, Analog:
1756-IF16 | Single-ended Analog Input Module | A | 1.5 | 1756-IN039 | 1756-UM009
1756-IF6CIS | Isolated Sourcing Analog Input Module | A | 1.12 | 1756-IN579 | 1756-UM009
1756-IF6I | Isolated Analog Input Module | A | 1.12, 1.9 | 1756-IN034 | 1756-UM009
1756-IF8 | Analog Input Module | A | 1.5 | 1756-IN040 | 1756-UM009
1756-IR6I | RTD Input Module | A | 1.12, 1.9 | 1756-IN014 | 1756-UM009
1756-IT6I | Thermocouple Input Module | A | 1.12, 1.9 | 1756-IN037 | 1756-UM009
1756-IT6I2 | Enhanced Thermocouple Input Module | A | 1.13, 1.12, 1.11 | 1756-IN586 | 1756-UM009
1756-OF6CI | Isolated Analog Output Module (Current) | A | 1.12, 1.9 | 1756-IN036 | 1756-UM009
1756-OF6VI | Isolated Analog Output Module (Voltage) | A | 1.12, 1.9 | 1756-IN035 | 1756-UM009
1756-OF8 | Analog Output Module | A | 1.5 | 1756-IN015 | 1756-UM009

Communication Modules:
1756-CNB(3) | ControlNet Communication Module | D | 7.12, 5.45, 5.38, 5.27 | 1756-IN571 | CNET-UM001
1756-CNBR | Redundant ControlNet Communication Module | D | 7.12, 5.45, 5.38, 5.27 | 1756-IN571 | CNET-UM001
1756-CNB(3) | ControlNet Communication Module | E | 11.2 | 1756-IN604 | CNET-UM001
1756-CNBR | Redundant ControlNet Communication Module | E | 11.2 | 1756-IN604 | CNET-UM001
1756-DHRIO(4) | Data Highway Plus - Remote I/O Communication Interface Module | C | 5.3 | 1756-IN003 | 1756-UM514
1756-ENBT(5) | EtherNet Communication Module | A | 4.3, 3.4, 1.33 | 1756-IN019 | 1756-UM050
1756-SYNCH(6) | SynchLink Module | A | 2.18 | 1756-IN575 | 1756-UM521

Redundancy Controllers and Modules:
1756-L55M13 | ControlLogix 1.5 Mb Controller | A | 15.57, 13.53 | 1756-IN101 | 1756-UM001
1756-L55M16 | ControlLogix 7.5 Mb Controller | A | 15.57, 13.53 | 1756-IN101 | 1756-UM001
1756-L61 | ControlLogix 2 Mb Controller | B | 15.56 | 1756-IN101 | 1756-UM001
1756-L62 | ControlLogix 4 Mb Controller | B | 15.56 | 1756-IN101 | 1756-UM001
1756-L63 | ControlLogix 8 Mb Controller | B | 15.56 | 1756-IN101 | 1756-UM001
1757-SRM | System Redundancy Module | B | 4.3, 3.37 | 1757-IN092 | 1756-UM523
1756-CNB(3) | ControlNet Communication Module | D | 7.12, 5.45 | 1756-IN571 | CNET-UM001
1756-CNBR | Redundant ControlNet Communication Module | D | 7.12, 5.45 | 1756-IN571 | CNET-UM001
1756-CNB(3) | ControlNet Communication Module | E | 11.2 | 1756-IN604 | CNET-UM001
1756-CNBR | Redundant ControlNet Communication Module | E | 11.2 | 1756-IN604 | CNET-UM001
1756-ENBT | EtherNet Communication Module | A | 4.3, 3.4 | 1756-IN019 | 1756-UM050

(1) Existing systems that use the 1756-PSCA are SIL2-certified. However, when implementing new SIL2-certified systems or upgrading existing systems, we recommend that you use the 1756-PSCA2 if possible.
(2) Use of any 1756-L6x/B controller requires the use of the Series B versions of the 1756-Px75 power supplies.
(3) Specified ControlNet repeaters may be used in SIL2 applications. See Chapter 5 for more information.
(4) The 1756-DHRIO module is included in this table because it can be used to connect the safety system to the Data Highway Plus network. However, the Data Highway Plus network is not SIL2-certified and cannot be used as part of the SIL2-certified system. It can only be used to connect non-safety devices to the safety system. Because the module is not part of the safety system, it is not listed in the PFD and PFH calculations in Table 1.2 and Table 1.3 later in this chapter.
(5) The 1756-ENBT module is included in this table because it can be used to connect the safety system to the EtherNet/IP network. However, the EtherNet/IP network is not SIL2-certified and cannot be used as part of the SIL2-certified system. It can only be used to connect non-safety devices to the safety system. Because the module is not part of the safety system, it is not listed in the PFD and PFH calculations in Table 1.2 and Table 1.3 later in this chapter.
(6) The 1756-SYNCH module is included in this table because it can be used to propagate time between chassis and to record events that occur in each chassis. Because this module is not used for any safety-related activities, it is not listed in the PFD and PFH calculations in Table 1.2 and Table 1.3 later in this chapter.
(7) Catalog numbers that list multiple firmware revisions have multiple revisions that are SIL2-certified. When implementing new SIL2-certified systems or upgrading existing SIL2-certified systems, we recommend that you use the latest certified firmware revision (that is, the higher number). However, systems that continue to use the older firmware revision remain SIL2-certified.
(8) Users must use these series and firmware revisions for their application to be SIL2-certified. Firmware revisions are available at http://support.rockwellautomation.com/ControlFlash/.
(9) These publications are available from Rockwell Automation at http://www.rockwellautomation.com/literature.
Safety Certifications and Compliances
ControlLogix products referenced in this manual may have safety certifications in addition to the TUV SIL certification. To view additional safety certifications for products, go to http://www.ab.com and select the Product Certifications link.
Hardware Designs and Firmware Functions
Diagnostic hardware designs and firmware functions designed into the ControlLogix platform allow it to achieve at least SIL2 certification in a single-controller configuration. These diagnostic features are incorporated into specific ControlLogix components, such as the:
• processor
• power supply
• I/O modules
• backplane
and are covered in subsequent sections. The ControlLogix platform’s designs, features and characteristics make it one of the most intelligent platforms.
Some of the ControlLogix features include:
• multiple microprocessors that check themselves and each other
• I/O modules with internal microprocessors
• an I/O architecture that includes modules with backplane connections to the main central processing unit (CPU).
The backplane connections, along with configuration identities, permit a new level of I/O module diagnostics unavailable in earlier platforms.
Difference Between PFD and PFH
Safety-related systems can be classified as operating in either a low demand mode or in a high demand/continuous mode. IEC 61508 quantifies this classification by stating that the frequency of demands for operation of the safety system is no greater than once per year in the low demand mode, and greater than once per year in the high demand/continuous mode. Generally speaking, however, the once-per-year boundary is extended to ten times per year.
• Probability of failure on demand (PFD) is the SIL value for a low demand safety-related system, related directly to order-of-magnitude ranges of its average probability of failure to satisfactorily perform its safety function on demand.
• The probability of a dangerous failure occurring per hour (PFH) is directly related to the SIL value for a high demand/continuous mode safety-related system.
Although PFD and PFH values are usually associated with each of the
three elements making up a safety-related system (the sensors, the
actuators, the logic element), they can be associated with each
component of the logic element, that is, each module of a
Programmable Controller.
Table 1.2 and Table 1.3 present values of the PFDs and PFHs for the
specific ControlLogix products evaluated by TUV.
The Mean Time Between Failure (MTBF) values listed in Table 1.2 and
Table 1.3 are calculated from field data for each product. A minimum
installed base must exist for at least one year before a value is
calculated. It is assumed that the products are in use 16 hours/day, 5
days/week, 52 weeks/year. The Failure Rate (λ) column of Table 1.2
and Table 1.3 is just the reciprocal of MTBF.
For the example PFD calculations, several assumptions were made:
• 50% of the failures of each product reported to Rockwell Automation are dangerous failures.
• The diagnostic coverage (DC) is 90% for modules used in a 1oo1 architecture.
• The diagnostic coverage is 60% for modules used in a 1oo2 architecture.
• The fraction of detected common cause failures (βD) is 1%.
• The fraction of undetected common cause failures (β) is 2%.
Because Rockwell Automation does not and cannot know every potential application for each product, these very conservative assumptions had to be made to do the calculations.
For the sample calculations presented in this manual, the following values were used as the two application-dependent variables:
• The Mean Time to Restoration (MTTR) is ten hours.
• The Proof Test Interval (T1) is one year (8760 hours). (For PFD calculations using proof test intervals of 2 and 4 years, see Appendix E.)
The equation for PFD, from IEC 61508, for a 1oo1 architecture is:
PFD = (λDU + λDD) tCE = λD tCE = λ/2 [T1/2 (1 − DC) + MTTR]
where:
λDU is the undetected dangerous failure rate (per hour)
λDD is the detected dangerous failure rate (per hour)
tCE is the "channel equivalent mean down time"
λD is the dangerous failure rate (per hour)
λ is the overall product failure rate (per hour)
For a 1oo2 architecture, the PFD equation is much more complex. See
IEC61508 Part 6 Annex B.
The PFD values in Table 1.2 are given for the architecture that must
be used for specific products to achieve SIL 2.
Table 1.3 includes the same MTBF and Failure Rate values as
Table 1.2 but adds calculated PFH values for high demand/continuous
mode operation.
The equation for PFH, from IEC61508, for a 1oo1 architecture is:
PFH = λDU = λ/2 (1 - DC)
For a 1oo2 architecture, see Part 6 of IEC61508. The values in
Table 1.2 are given for the architecture that must be used for specific
products to achieve SIL2.
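The 1oo1 equations above, the IEC 61508-6 Annex B 1oo2 expressions the text refers the reader to, and the loop sum used later in Table 1.4, carried through in code. This is an added example, not code from publication 1756-RM001E or from Rockwell Automation. It takes its assumptions from this chapter (50% of reported failures dangerous, DC of 90% for 1oo1 and 60% for 1oo2, βD of 1%, β of 2%, MTTR of 10 hours, T1 of 8760 hours) and its MTBF inputs from Table 1.2; the class, function and constant names are the example's own. The 1oo2 formulas are the standard Annex B expressions for tCE, tGE, PFD and PFH with the two common-cause terms, and they reproduce the 1oo2 columns of Table 1.2 and Table 1.3 to within the tables' rounding.

```python
"""IEC 61508-6 PFD and PFH calculator for the 1oo1 and 1oo2 architectures.

Added example; not code from publication 1756-RM001E or from Rockwell
Automation.  Assumptions and MTBF inputs are the ones stated in this chapter;
all names below are the example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assumptions:
    dangerous_fraction: float = 0.50  # share of reported failures that are dangerous
    dc: float = 0.90                  # diagnostic coverage: 90% for 1oo1, 60% for 1oo2
    beta_d: float = 0.01              # fraction of detected common cause failures (beta_D)
    beta: float = 0.02                # fraction of undetected common cause failures (beta)
    mttr_h: float = 10.0              # mean time to restoration, hours
    t1_h: float = 8760.0              # proof test interval, hours (one year)


ONE_OO_ONE = Assumptions(dc=0.90)
ONE_OO_TWO = Assumptions(dc=0.60)


def failure_rate(mtbf_h: float) -> float:
    """lambda = 1 / MTBF (Table 1.2, footnote 6), per hour."""
    return 1.0 / mtbf_h


def _dangerous_split(lam: float, a: Assumptions):
    """Detected (lambda_DD) and undetected (lambda_DU) dangerous failure rates."""
    lam_d = lam * a.dangerous_fraction
    return lam_d * a.dc, lam_d * (1.0 - a.dc)


def _down_times(lam_dd: float, lam_du: float, a: Assumptions):
    """Annex B: channel equivalent (tCE) and group equivalent (tGE) mean down times."""
    lam_d = lam_dd + lam_du
    t_ce = lam_du / lam_d * (a.t1_h / 2 + a.mttr_h) + lam_dd / lam_d * a.mttr_h
    t_ge = lam_du / lam_d * (a.t1_h / 3 + a.mttr_h) + lam_dd / lam_d * a.mttr_h
    return t_ce, t_ge


def pfd_1oo1(mtbf_h: float, a: Assumptions = ONE_OO_ONE) -> float:
    """PFD = (lambda_DU + lambda_DD) tCE, which equals lambda/2 [T1/2 (1 - DC) + MTTR]."""
    lam_dd, lam_du = _dangerous_split(failure_rate(mtbf_h), a)
    t_ce, _ = _down_times(lam_dd, lam_du, a)
    return (lam_dd + lam_du) * t_ce


def pfh_1oo1(mtbf_h: float, a: Assumptions = ONE_OO_ONE) -> float:
    """PFH = lambda_DU = lambda/2 (1 - DC)."""
    _, lam_du = _dangerous_split(failure_rate(mtbf_h), a)
    return lam_du


def pfd_1oo2(mtbf_h: float, a: Assumptions = ONE_OO_TWO) -> float:
    """Annex B 1oo2 PFD: independent-failure term plus detected and undetected
    common cause terms."""
    lam_dd, lam_du = _dangerous_split(failure_rate(mtbf_h), a)
    t_ce, t_ge = _down_times(lam_dd, lam_du, a)
    independent = (1 - a.beta_d) * lam_dd + (1 - a.beta) * lam_du
    return (2 * independent ** 2 * t_ce * t_ge
            + a.beta_d * lam_dd * a.mttr_h
            + a.beta * lam_du * (a.t1_h / 2 + a.mttr_h))


def pfh_1oo2(mtbf_h: float, a: Assumptions = ONE_OO_TWO) -> float:
    """Annex B 1oo2 PFH, same three terms without the down-time weighting on
    the common cause parts."""
    lam_dd, lam_du = _dangerous_split(failure_rate(mtbf_h), a)
    t_ce, _ = _down_times(lam_dd, lam_du, a)
    independent = (1 - a.beta_d) * lam_dd + (1 - a.beta) * lam_du
    return 2 * independent ** 2 * t_ce + a.beta_d * lam_dd + a.beta * lam_du


def loop_pfd(parts) -> float:
    """Loop PFD as the sum of its modules' PFDs (the Table 1.4 method).
    parts: iterable of (mtbf_h, architecture) with architecture '1oo1' or '1oo2'."""
    calc = {"1oo1": pfd_1oo1, "1oo2": pfd_1oo2}
    return sum(calc[arch](mtbf) for mtbf, arch in parts)


# MTBF values (hours) from Table 1.2 for the Table 1.4 loop: chassis, 1756-L55M16,
# one 1756-OB16D output, two 1756-IB16D inputs in a 1oo2 arrangement.
TABLE_1_4_LOOP = [
    (36_322_045, "1oo1"),  # 1756-Axx ControlLogix chassis
    (1_644_933, "1oo1"),   # 1756-L55M16 controller
    (14_321_691, "1oo1"),  # 1756-OB16D DC diagnostic output
    (41_300_480, "1oo2"),  # 1756-IB16D DC diagnostic inputs, 1oo2
]


def table_1_4_total() -> float:
    """Recomputes the 1.58E-04 loop total of Table 1.4 from the MTBF values."""
    return loop_pfd(TABLE_1_4_LOOP)


def within(value: float, expected: float, rel: float = 0.01) -> bool:
    """True when value matches expected to within rel (tables are rounded to 3 digits)."""
    return abs(value - expected) <= rel * abs(expected)


if __name__ == "__main__":
    for name, mtbf in (("1756-Axx", 36_322_045), ("1756-L55M16", 1_644_933)):
        print(f"{name}: lambda={failure_rate(mtbf):.2E} PFD 1oo1={pfd_1oo1(mtbf):.2E} "
              f"1oo2={pfd_1oo2(mtbf):.2E} PFH 1oo1={pfh_1oo1(mtbf):.2E} 1oo2={pfh_1oo2(mtbf):.2E}")
    print(f"Table 1.4 loop PFD: {table_1_4_total():.2E}")
```

Running the module prints the chassis and 1756-L55M16 rows next to the Table 1.4 loop total. Changing `t1_h` in `Assumptions` recomputes for a longer proof test interval, which is the recalculation the text calls for when the interval is not one year; the 1oo2 PFD is dominated by the β λDU (T1/2 + MTTR) term, so it scales almost linearly with T1.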
Table 1.2 ControlLogix Product Probability of Failure on Demand (PFD) Calculations

Catalog Number | Description | Mean Time Between Failure (MTBF)(1) | λ(6) | Calculated PFD, 1oo1 architecture | Calculated PFD, 1oo2 architecture
1756-Axx | ControlLogix Chassis | 36,322,045(2) | 2.75E-08 | 6.17E-06 | 4.85E-07
1756-CNB/D | ControlNet Bridge - Series D | 5,595,646 | 1.79E-07 | 4.00E-05 | 3.18E-06
1756-CNB/E | ControlNet Bridge - Series E | 2,944,988(3) | 3.40E-07 | 7.61E-05 | 6.09E-06
1756-CNBR/D | Redundant ControlNet Bridge Series D | 3,109,957 | 3.22E-07 | 7.20E-05 | 5.76E-06
1756-CNBR/E | Redundant ControlNet Bridge Series E | 2,864,755(4) | 3.49E-07 | 7.82E-05 | 6.26E-06
1756-IA16I | AC Isolated Input | 15,262,520 | 6.55E-08 | 1.47E-05 | 1.16E-06
1756-IA8D | AC Diagnostic Input | 10,383,360 | 9.63E-08 | 2.16E-05 | 1.70E-06
1756-IB16D | DC Diagnostic Input | 41,300,480 | 2.42E-08 | 5.42E-06 | 4.26E-07
1756-IB16I | DC Isolated Input | 19,862,336 | 5.03E-08 | 1.13E-05 | 8.88E-07
1756-IB16ISOE | Sequence of Events Module | 4,959,088(5) | 2.02E-07 | 4.52E-05 | 3.59E-06
1756-IB32 | DC Input Module | 2,468,448 | 4.05E-07 | 9.07E-05 | 7.29E-06
1756-IF8 | Single-ended Analog Input Module | 2,235,008 | 4.47E-07 | 1.00E-04 | 8.07E-06
1756-IF16 | Isolated Sourcing Analog Input Module | 2,094,159 | 4.78E-07 | 1.07E-04 | 8.63E-06
1756-IF6CIS | Isolated Analog Input Module | 3,065,920 | 3.26E-07 | 7.31E-05 | 5.84E-06
1756-IF6I | Analog Input | 2,838,451 | 3.52E-07 | 7.89E-05 | 6.32E-06
1756-IH16ISOE | Sequence of Events Module | 6,044,122(5) | 1.65E-07 | 3.71E-05 | 2.94E-06
1756-IR6I | RTD Input | 3,826,296 | 2.61E-07 | 5.85E-05 | 4.67E-06
1756-IT6I | Thermocouple Input | 3,002,035 | 3.33E-07 | 7.46E-05 | 5.97E-06
1756-IT6I2 | Enhanced Thermocouple Input Module | 991,929 | 1.01E-06 | 2.26E-04 | 1.88E-05
1756-L55M13 | ControlLogix 1.5Mb Controller | 2,228,750 | 4.49E-07 | 1.01E-04 | 8.09E-06
1756-L55M16 | ControlLogix 7.5Mb Controller | 1,644,933 | 6.08E-07 | 1.36E-04 | 1.11E-05
1756-L61 | ControlLogix 2 Mb Controller | 815,822 | 1.23E-06 | 2.75E-04 | 2.31E-05
1756-L62 | ControlLogix 4 Mb Controller | 576,992 | 1.73E-06 | 3.88E-04 | 3.35E-05
1756-L63 | ControlLogix 8 Mb Controller | 782,912 | 1.28E-06 | 2.86E-04 | 2.41E-05
1756-OA16I | AC Isolated Output | 10,911,086 | 9.16E-08 | 2.05E-05 | 1.62E-06
1756-OA8D | AC Diagnostic Output | 6,922,240 | 1.44E-07 | 3.24E-05 | 2.56E-06
1756-OB16D | DC Diagnostic Output | 14,321,691 | 6.98E-08 | 1.56E-05 | 1.23E-06
1756-OB16I | DC Isolated Output | 2,371,445 | 4.22E-07 | 9.45E-05 | 7.60E-06
1756-OB32 | DC Output Module | 1,278,125 | 7.82E-07 | 1.75E-04 | 1.44E-05
1756-OB8EI | DC Fused Output | 5,853,120 | 1.71E-07 | 3.83E-05 | 3.03E-06
1756-OF6CI | Isolated Analog Output Module (Current) | 9,296,907 | 1.08E-07 | 2.41E-05 | 1.90E-06
1756-OF6VI | Isolated Analog Output Module (Voltage) | 13,062,400 | 7.66E-08 | 1.71E-05 | 1.35E-06
1756-OF8 | Analog Output | 5,717,675 | 1.75E-07 | 3.92E-05 | 3.11E-06
1756-OW16I | Isolated Relay Output Module | 1,360,415(5) | 7.35E-07 | 1.65E-04 | 1.35E-05
1756-OX8I | Contact Output | 19,281,600 | 5.19E-08 | 1.16E-05 | 9.15E-07
1756-PA75/A | AC Power Supply | 14,538,606 | 6.88E-08 | 1.54E-05 | 1.21E-06
1756-PA75/B | AC Power Supply | 5,513,591(5) | 1.81E-07 | 4.06E-05 | 3.22E-06
1756-PA75R | AC Redundant Power Supply | 296,978(4) | 3.37E-06 | 7.54E-04 | 7.06E-05
1756-PB75/A | DC Power Supply | 10,157,334 | 9.85E-08 | 2.21E-05 | 1.74E-06
1756-PB75/B | DC Power Supply | 5,884,430(5) | 1.70E-07 | 3.81E-05 | 3.02E-06
1756-PB75R | DC Redundant Power Supply | 1,134,848(4) | 8.81E-07 | 1.97E-04 | 1.63E-05
1756-PC75 | DC Power Supply | 5,894,836(5) | 1.70E-07 | 3.80E-05 | 3.01E-06
1756-PH75 | DC Power Supply | 5,889,628(5) | 1.70E-07 | 3.80E-05 | 3.02E-06
1756-PSCA | Power Supply Chassis Adapter Module | 45,146,727(5) | 2.21E-08 | 4.96E-06 | 3.90E-07
1756-PSCA2 | Redundant Power Supply Chassis Adapter Module | 45,146,727(5) | 2.21E-08 | 4.96E-06 | 3.90E-07
1757-SRM | System Redundancy Module | 835,357 | 1.20E-06 | 2.68E-04 | 2.25E-05

(1) MTBF measured in hours. The values used here represent values available in September 2006.
(2) Aggregate based on total shipments and total returns of all five chassis (1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17) collectively.
(3) Calculated using field-based values for components.
(4) Calculated using field-based values for components.
(5) Calculated using field-based values for components.
(6) λ = Failure Rate = 1/MTBF.

For PFD calculations with a proof test interval of 5 years, see Appendix E.
Table 1.3 ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations

Catalog Number | Description | Mean Time Between Failure (MTBF)(1) | λ(5) | Calculated PFH, 1oo1 architecture | Calculated PFH, 1oo2 architecture
1756-Axx | ControlLogix Chassis | 36,322,045(2) | 2.75E-08 | 1.38E-09 | 1.93E-10
1756-CNB/D | ControlNet Bridge - Series D | 5,595,646 | 1.79E-07 | 8.94E-09 | 1.28E-09
1756-CNB/E | ControlNet Bridge - Series E | 2,944,988(3) | 3.40E-07 | 1.70E-08 | 2.48E-09
1756-CNBR/D | Redundant ControlNet Bridge Series D | 3,109,957 | 3.22E-07 | 1.61E-08 | 2.34E-09
1756-CNBR/E | Redundant ControlNet Bridge Series E | 2,864,755(5) | 3.49E-07 | 1.75E-08 | 2.55E-09
1756-IA16I | AC Isolated Input | 15,262,520 | 6.55E-08 | 3.28E-09 | 4.62E-10
1756-IA8D | AC Diagnostic Input | 10,383,360 | 9.63E-08 | 4.82E-09 | 6.82E-10
1756-IB16D | DC Diagnostic Input | 41,300,480 | 2.42E-08 | 1.21E-09 | 1.70E-10
1756-IB16I | DC Isolated Input | 19,862,336 | 5.03E-08 | 2.52E-09 | 3.55E-10
1756-IB16ISOE | Sequence of Events Module | 4,959,088(5) | 2.02E-07 | 1.01E-08 | 1.45E-09
1756-IB32 | DC Input Module | 2,468,448 | 4.05E-07 | 2.03E-08 | 2.98E-09
1756-IF8 | Single-ended Analog Input Module | 2,235,008 | 4.47E-07 | 2.24E-08 | 3.30E-09
1756-IF16 | Isolated Sourcing Analog Input Module | 2,094,159 | 4.78E-07 | 2.39E-08 | 3.54E-09
1756-IF6CIS | Isolated Analog Input Module | 3,065,920 | 3.26E-07 | 1.63E-08 | 2.37E-09
1756-IF6I | Analog Input | 2,838,451 | 3.52E-07 | 1.76E-08 | 2.57E-09
1756-IH16ISOE | Sequence of Events Module | 6,044,122(5) | 1.65E-07 | 8.27E-09 | 1.18E-09
1756-IR6I | RTD Input | 3,826,296 | 2.61E-07 | 1.31E-08 | 1.89E-09
1756-IT6I | Thermocouple Input | 3,002,035 | 3.33E-07 | 1.67E-08 | 2.43E-09
1756-IT6I2 | Enhanced Thermocouple Input Module | 991,929 | 1.01E-06 | 5.04E-08 | 7.93E-09
1756-L55M13 | ControlLogix 1.5Mb Controller | 2,228,750 | 4.49E-07 | 2.24E-08 | 3.31E-09
1756-L55M16 | ControlLogix 7.5Mb Controller | 1,644,933 | 6.08E-07 | 3.04E-08 | 4.57E-09
1756-L61 | ControlLogix 2 Mb Controller | 815,822 | 1.23E-06 | 6.13E-08 | 9.87E-09
1756-L62 | ControlLogix 4 Mb Controller | 576,992 | 1.73E-06 | 8.67E-08 | 1.47E-08
1756-L63 | ControlLogix 8 Mb Controller | 782,912 | 1.28E-06 | 6.39E-08 | 1.03E-08
1756-OA16I | AC Isolated Output | 10,911,086 | 9.16E-08 | 4.58E-09 | 6.49E-10
1756-OA8D | AC Diagnostic Output | 6,922,240 | 1.44E-07 | 7.22E-09 | 1.03E-09
1756-OB16D | DC Diagnostic Output | 14,321,691 | 6.98E-08 | 3.49E-09 | 4.93E-10
1756-OB16I | DC Isolated Output | 2,371,445 | 4.22E-07 | 2.11E-08 | 3.10E-09
1756-OB32 | DC Output Module | 1,278,125 | 7.82E-07 | 3.91E-08 | 6.00E-09
1756-OB8EI | DC Fused Output | 5,853,120 | 1.71E-07 | 8.54E-09 | 1.22E-09
1756-OF6CI | Isolated Analog Output Module (Current) | 9,296,907 | 1.08E-07 | 5.38E-09 | 7.63E-10
1756-OF6VI | Isolated Analog Output Module (Voltage) | 13,062,400 | 7.66E-08 | 3.83E-09 | 5.41E-10
1756-OF8 | Analog Output | 5,717,675 | 1.75E-07 | 8.74E-09 | 1.25E-09
1756-OW16I | Isolated Relay Output Module | 1,360,415 | 7.35E-07 | 3.68E-08 | 5.61E-09
1756-OX8I | Contact Output | 19,281,600 | 5.19E-08 | 2.59E-09 | 3.65E-10
1756-PA75/A | AC Power Supply | 14,538,606 | 6.88E-08 | 3.44E-09 | 4.86E-10
1756-PA75/B | AC Power Supply | 5,513,591(5) | 1.81E-07 | 9.07E-09 | 1.30E-09
1756-PA75R | AC Redundant Power Supply | 296,978(4) | 3.37E-06 | 1.68E-07 | 3.33E-08
1756-PB75/A | DC Power Supply | 10,157,334 | 9.85E-08 | 4.92E-09 | 6.97E-10
1756-PB75/B | DC Power Supply | 5,884,430(5) | 1.70E-07 | 8.50E-09 | 1.21E-09
1756-PB75R | DC Redundant Power Supply | 1,134,848(4) | 8.81E-07 | 4.41E-08 | 6.83E-09
1756-PC75 | DC Power Supply | 5,894,836(5) | 1.70E-07 | 8.48E-09 | 1.21E-09
1756-PH75 | DC Power Supply | 5,889,628(5) | 1.70E-07 | 8.49E-09 | 1.21E-09
1756-PSCA | Power Supply Chassis Adapter Module | 45,146,727(5) | 2.21E-08 | 1.11E-09 | 1.55E-10
1756-PSCA2 | Redundant Power Supply Chassis Adapter Module | 45,146,727(5) | 2.21E-08 | 1.11E-09 | 1.55E-10
1757-SRM | System Redundancy Module | 835,357 | 1.20E-06 | 5.99E-08 | 9.61E-09

(1) MTBF measured in hours. The values used here represent values available in September 2006.
(2) Aggregate based on total shipments and total returns of all five chassis (1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17) collectively.
(3) Calculated using field-based values for components.
(4) Assumes that both power supplies fail simultaneously.
(5) λ = Failure Rate = 1/MTBF.
Table 1.4 shows an example of a PFD calculation for a fail-safe configuration involving two DC input modules used in a 1oo2 configuration and a DC output module. The example calculation is depicted in the first loop shown in Figure 1.4 on page 1-20.

Table 1.4
Catalog Number | Description | MTBF | Calculated PFD
1756-Axx | ControlLogix Chassis | 36,322,045 | 6.17E-06
1756-L55M16 | ControlLogix 5555 Controller | 1,644,933 | 1.36E-04
1756-OB16D | DC Output | 14,321,691 | 1.56E-05
1756-IB16D | DC Diagnostic Input | 41,300,480 | 4.26E-07
Total PFD calculation for a safety loop consisting of these products: 1.58E-04
SIL Compliance Distribution and Weight
The programmable controller may conservatively be assumed to contribute 10% of the reliability burden (see Figure 1.4). Depending on the SIL assessment for the safety-related system, a SIL 2 system may need to incorporate multiple inputs for critical sensors and input devices, as well as dual outputs connected in series to dual actuators (see Figure 1.4).
Figure 1.4 ControlLogix Systems or Loop
[Figure: two example safety loops. The upper loop has sensors wired to input modules, a power supply and controller, and a diagnostic output module driving an actuator; the lower loop is the same but uses a standard output module with a monitoring input module. The power supply and controller are labeled 10% of the PFD; the remaining 40% and 50% of the PFD are allocated to the sensor/input-module side and the output-module/actuator side of the loop.]
Other Agency Certifications
User documentation shipped with ControlLogix products typically lists the agency certifications for which the products are approved. If a product has achieved agency certification, it is marked as such on the product labeling. Product certifications are listed in the product’s specifications table, as shown in the example below.

Certification | Description
UL | UL Listed Industrial Control Equipment
CSA | CSA Certified Process Control Equipment for Class I, Division 2 Group A,B,C,D Hazardous Locations
FM | FM Approved Equipment for use in Class I Division 2 Group A,B,C,D Hazardous Locations
CE | European Union 89/336/EEC EMC Directive, compliant with: EN 50081-2; Industrial Emissions
C-Tick | Australian Radio Communications Act, compliant with: AS/NZS 2064; Industrial Emissions
Response Times
The response time of the system is defined as the amount of time it
takes for a change in an input condition to be recognized and
processed by the controller’s ladder logic program, and then to initiate
the appropriate output signal to an actuator. The system response time
is the sum of the following:
• input hardware delays
• input filtering
• I/O and communication module RPI settings
• controller program scan times
• output module propagation delays
Each of the times listed above is variably dependent on factors such as
the type of I/O module and instructions used in the ladder program.
For examples of how to perform these calculations, see Appendix A,
Response Times in ControlLogix.
For more information on the available instructions and for a full
description of logic operation and execution, see the following
publications:
• Logix5000 Controllers General Instruction Set Reference Manual,
publication 1756-RM003.
• ControlLogix System User Manual, publication 1756-UM001.
Response Times in Redundancy Systems
The response time of a system that uses redundancy is different from
a system that does not use redundancy. The redundancy system has a
longer response time because:
• The primary controller must keep the secondary up-to-date and
ready to take over control in case of a switchover. This process
of cross-loading fresh data at the end of each program scan
increases scan time.
You can plan your project effectively (e.g., minimize the use of
SINT or INT tags, use arrays and user-defined data types) to
minimize the scan time in a redundancy system. Generally, the
primary controller in a redundancy system has a 20% slower
response time than the controller in a non-redundancy system.
• The switchover between controllers slows system response. The
switchover time of a redundancy system depends on the
network update time (NUT) of the ControlNet network. To
estimate the switchover time, use the following formulas:
For this type of failure: | If the NUT is: | The switchover time is: | Example:
loss of power | <6 ms | 60 ms | For a NUT of 4 ms, the switchover time is approximately 60 ms.
loss of power | >7 ms | 5 (NUT) + MAX (2[NUT], 30) | For a NUT of 10 ms, the switchover time is approximately 80 ms.
module failure, or 1756-CNB module cannot communicate with any other node | | 14 (NUT) + MAX (2[NUT], 30) + 50 | For a NUT of 10 ms, the switchover time is approximately 220 ms.
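The switchover formulas above, as an added example that is not code from publication 1756-RM001E or from Rockwell Automation. The function selects the formula by failure type and NUT band, refuses the 6 to 7 ms band for which the table gives no formula, and, as this example's own planning simplification, combines the 20% slower redundant scan quoted above with the worst-case switchover into one response-time budget. The constant and function names are assumptions of the example.

```python
"""Switchover-time estimate for a ControlLogix redundancy system.

Added example; not code from publication 1756-RM001E or from Rockwell
Automation.  Encodes the switchover table of this section; the budget
function is this example's own simplification.
"""

LOSS_OF_POWER = "loss_of_power"
# module failure, or a 1756-CNB module that cannot communicate with any other node
MODULE_FAILURE = "module_failure"


def switchover_time_ms(failure: str, nut_ms: float) -> float:
    """Switchover time in ms for a ControlNet network update time (NUT) in ms."""
    if nut_ms <= 0:
        raise ValueError("NUT must be positive")
    if failure == LOSS_OF_POWER:
        if nut_ms < 6:
            return 60.0                                   # table: NUT < 6 ms
        if nut_ms > 7:
            return 5 * nut_ms + max(2 * nut_ms, 30)       # table: NUT > 7 ms
        # The table defines no formula for a NUT of 6..7 ms; do not guess one.
        raise ValueError("no switchover formula is given for a NUT of 6..7 ms")
    if failure == MODULE_FAILURE:
        return 14 * nut_ms + max(2 * nut_ms, 30) + 50
    raise ValueError(f"unknown failure type {failure!r}")


def worst_case_switchover_ms(nut_ms: float) -> float:
    """Largest switchover time over the failure types the table lists."""
    return max(switchover_time_ms(f, nut_ms) for f in (LOSS_OF_POWER, MODULE_FAILURE))


def redundant_response_budget_ms(single_controller_response_ms: float, nut_ms: float) -> float:
    """Planning figure (this example's simplification): the non-redundant response
    time slowed by the 20% the text quotes, plus the worst-case switchover time."""
    return 1.2 * single_controller_response_ms + worst_case_switchover_ms(nut_ms)


if __name__ == "__main__":
    for nut in (4, 10, 20):
        print(f"NUT {nut} ms: loss of power -> "
              f"{switchover_time_ms(LOSS_OF_POWER, nut):.0f} ms, module failure -> "
              f"{switchover_time_ms(MODULE_FAILURE, nut):.0f} ms")
    print(f"budget for a 100 ms loop at NUT 10 ms: {redundant_response_budget_ms(100, 10):.0f} ms")
```

The budget function is the number to compare against the safety time of the loop when deciding whether a redundant pair can serve it; the three example rows of the table (60 ms, 80 ms, 220 ms) come out of `switchover_time_ms` unchanged.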
For more information on response times in redundancy systems, see
the ControlLogix Redundancy System User Manual, publication
1756-UM523.
Program Watchdog Time in ControlLogix System
The program watchdog (also known as the software watchdog) time
is a user-defined time that is set in the controller attributes menu of
the RSLogix 5000 software. See the ControlLogix System User Manual,
publication number 1756-UM001 for more information. The
publication is available from Rockwell Automation.
The program watchdog time is the maximum permissible time
allowed for a RUN cycle (cycle time). If the cycle time exceeds the
program watchdog time, a major fault occurs on the controller. Users
must monitor the watchdog and program the system outputs to
transition to the safe state (typically the OFF state) in the event of a
major fault occurring on the controller. For more information on
faults, see Chapter 7, Faults in the ControlLogix System.
The program watchdog time must be ≥ 10 ms and must be < 50% of
the safety time required for a ControlLogix system. The safety time is
the maximum amount of time in which the process tolerates a wrong
signal.
Contact Information When Device Failure Occurs
When users experience a failure with any SIL2-certified ControlLogix
device, they should contact their local Rockwell Automation sales
office. With this contact, the user can:
• return the device to Rockwell Automation so the failure is
appropriately logged for the catalog number affected and a
record made of the failure.
• request a failure analysis (if necessary) to determine the cause of
the failure, if possible.
Chapter 2
The ControlLogix System
This chapter offers an overview of some standard features in the
ControlLogix architecture that assist in its suitability for use in SIL2
applications.
For information about: | See page:
General Overview of ControlLogix Platform | 2-1
Overview of the ControlLogix Architecture | 2-2
Module Fault Reporting | 2-3
Fault Handling | 2-3
Data Echo Communication Check | 2-4
Pulse Test | 2-5
Software | 2-6
Communications | 2-6
Other Unique Features that Aid Diagnostics | 2-7

General Overview of ControlLogix Platform
Many of the diagnostic methods and techniques used in the
ControlLogix platform are improved versions of techniques and
designs previously incorporated into Allen-Bradley PLC platforms over
the last three decades.
These are designs that have evolved to maintain the robustness and
deterministic response that our customers have come to expect as
they migrated from electromechanical to solid state technology.
The self-checking routines and diagnostics performed by
microprocessor-based systems (for example, ControlLogix) have
greatly advanced over the years. Programmable controllers such as
ControlLogix can be programmed and configured to perform checks
on the total system, including its own configuration, wiring, and
performance, as well as monitor input sensors and output devices.
If an anomaly (other than automatic shutdown) is detected, the system
can be programmed to initiate user-defined fault handling routines.
Output modules can turn OFF selected outputs in the event of a
failure. New diagnostic I/O modules self-test to make sure that field
wiring is functioning. Output modules use pulse testing to make sure
output switching devices are not shorted. Using these internal
features, as well as application software when needed, today’s
ControlLogix customers are able to achieve highly reliable control
systems.
Overview of the ControlLogix Architecture
Rockwell Automation’s latest generation of programmable controllers
is the ControlLogix system. Inherent in its design and implementation
are several features that surpass anything offered in previous product
architectures. The inclusion of these features represent improvements
driven by customer demand for uptime and reliability as well as
Rockwell’s long-developed design experience in producing these
types of products.
One of the most significant changes in the architecture is the
implementation of the Producer/Consumer (P/C) communication
model between controller and I/O. The P/C communication model
replaces traditional ‘polling’ of I/O modules and, consequently, has
changed the overall behavior of these components vis-a-vis their
counterparts in previous architectures. Input modules “produce” data,
controller and output modules both “produce” and “consume” data.
These changes were embraced because of the enhanced data integrity
and fault reporting capabilities they provide. I/O modules now
exchange much more than simply the ON/OFF state of the devices
they are connected to. Module identification information,
communication status, fault codes and, through the use of
specially-designed modules, field-side diagnostics can now all be
retrieved from the I/O system as part of the standard feature set of the
Producer/Consumer communication model. (See Figure 2.1).
Figure 2.1 Producer/Consumer Communication Model
[Figure: a Logix controller, input modules, and output modules exchanging commonly shared data.]
Module Fault Reporting
One of the key concepts in this model is Ownership. Every module in
the control system is now “owned” by at least one controller in the
architecture. When a controller “owns” an I/O module, it means that
that controller stores the module’s configuration data, defined by the
user; this data dictates how the module behaves in the system.
Inherent in this configuration and ownership is the establishment of a
“heartbeat” between the controller and module; this heartbeat is also
known as the Requested Packet Interval (RPI).
The existence of the RPI forms the basis for Module Level Fault
reporting in the ControlLogix architecture, a capability which is
inherent to all ControlLogix I/O modules.
For more information on module fault reporting in the ControlLogix
controller, specifically the GSV instructions, see Chapter 7, Faults in
the ControlLogix System.
Fault Handling
The RPI defines a minimum time interval in which the controller and
I/O module must communicate with each other. If, for any reason,
communications cannot be established or maintained (that is, the I/O
module has failed), the system can be programmed to run a special
Fault Handling routine. This routine determines whether the system
must continue functioning or whether the fault condition warrants a
shutdown of the application.
For example, the system can be programmed to retrieve the fault code
of the failed module and make a determination, based on the type of
fault, as to whether to continue operating. In addition, standard
ControlLogix output modules are also capable of reporting blown-fuse
status and loss of field power back to the controller.
This ability of the controller to monitor the health of I/O modules in
the system and take appropriate action based on the severity of a fault
condition gives the user complete control of the application’s behavior
when trouble occurs. It is the user’s responsibility to establish the
course of action appropriate to their safety application.
For more information on Fault Handling, see Chapter 7, Faults in the
ControlLogix System.
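As an added illustration of the Fault Handling routine described above (this is not code from the manual or from Rockwell Automation; it models the behavior in Python rather than ladder logic): a connection is declared lost when no packet has arrived within a multiple of the RPI, and a user fault routine classifies the reported fault code to decide between continuing and shutting down. The timeout multiplier, the fault codes and the set of tolerable codes are constructed placeholders, not ControlLogix values.

```python
"""Added example (not from the manual): RPI-based heartbeat monitoring and a
user fault routine, simulated in Python instead of ladder logic.

Constructed assumptions: a connection is treated as lost when no packet has
arrived within TIMEOUT_MULTIPLIER x RPI; the fault codes and the set of
tolerable codes are placeholders, not real ControlLogix module fault codes."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    CONTINUE = "continue"   # keep running and log the fault
    SHUTDOWN = "shutdown"   # drive the application to its safe state


TIMEOUT_MULTIPLIER = 4                     # constructed: silent for > 4 x RPI = lost
CONNECTION_LOST = 0xFFFF                   # placeholder code for "no packet within timeout"
TOLERABLE_FAULT_CODES = {0x0001, 0x0002}   # placeholder codes the user decides to tolerate


@dataclass
class ModuleConnection:
    slot: int
    rpi_ms: int               # Requested Packet Interval for this module
    last_packet_ms: int = 0   # time the last packet from the module was seen
    fault_code: int = 0       # fault code carried in that packet (0 = none)

    def receive(self, now_ms: int, fault_code: int = 0) -> None:
        """Record a packet from the module (the heartbeat) and its fault code."""
        self.last_packet_ms = now_ms
        self.fault_code = fault_code

    def check(self, now_ms: int) -> int:
        """Return the module's current fault code, or CONNECTION_LOST when the
        heartbeat has been silent for longer than the timeout."""
        if now_ms - self.last_packet_ms > self.rpi_ms * TIMEOUT_MULTIPLIER:
            return CONNECTION_LOST
        return self.fault_code


def fault_routine(fault_code: int) -> Action:
    """User-defined fault handling: decide from the fault code whether the
    application may keep running. A lost connection is never tolerated."""
    if fault_code == 0 or fault_code in TOLERABLE_FAULT_CODES:
        return Action.CONTINUE
    return Action.SHUTDOWN


def scan(connections, now_ms: int):
    """One controller scan over all owned modules. Returns the overall action
    (a single SHUTDOWN wins) and the per-slot decisions."""
    decisions = {c.slot: fault_routine(c.check(now_ms)) for c in connections}
    overall = Action.SHUTDOWN if Action.SHUTDOWN in decisions.values() else Action.CONTINUE
    return overall, decisions


if __name__ == "__main__":
    # Constructed scenario: slot 3 at 20 ms RPI, slot 4 at 50 ms RPI.
    modules = [ModuleConnection(slot=3, rpi_ms=20), ModuleConnection(slot=4, rpi_ms=50)]
    modules[0].receive(now_ms=100)
    modules[1].receive(now_ms=100, fault_code=0x0001)   # tolerable placeholder fault
    print(scan(modules, now_ms=150))   # both CONTINUE
    print(scan(modules, now_ms=190))   # slot 3 silent for 90 ms > 80 ms -> SHUTDOWN
```

The decision table in fault_routine is the part the user owns: the manual leaves it to the user to decide which fault codes warrant a shutdown, and the example makes that decision explicit and testable rather than buried in a rung.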
Data Echo Communication Check
Another powerful by-product of the producer/consumer (P/C)
communication model and the implementation of the Control and
Information Protocol (CIP) is the Output Data Echo, a communication
method employed between owner-controllers and every output module in
the system. Output Data Echo allows the user to verify that an ON/OFF
output command from the controller was actually received by the
correct output module, and that the module will attempt to execute
the command to the field device connected to it.
During normal operation, when a controller sends an output
command, the output module that is targeted for that command will
“echo” that requested state back to the system upon its receipt. This
verifies that the module has received the command and will try to
execute it. By comparing the requested state from the controller to the
Data Echo received from the module, the user can validate that the
signal has reached the correct module and that the module will
attempt to activate the appropriate field-side device. Again, it is the
user’s responsibility to establish the course of action appropriate to
their safety application.
When used with standard ControlLogix output modules, the Data
Echo validates the command up to the system-side of the module, but
not to the field-side. However, when this feature is used in tandem
with diagnostic output modules, the user can virtually verify the
output command integrity from the controller to the actuator
connected to the module.
Diagnostic output modules contain special circuitry that performs
Field Side Output Verification. Field Side Output Verification
informs the user that system-side commands received by the module
are accurately represented on the power side of the switching device.
In other words, for each output point, this feature confirms that the
output is ON when it is commanded to be ON or OFF when
commanded to be OFF.
The capability of comparing the actual state of the field-side of the
diagnostic module’s output against what the controller commands
gives the user the ability to make sure that the module is performing
what the control system is requesting, once that output command has
been issued.
Figure 2.2 Output Module Behavior in the ControlLogix System
(figure: output commands from the controller pass through the standard ControlLogix I/O information, where the Data Echo validates the command from the system-side; diagnostic output modules add field-side information, namely Field-side Output Verification, Pulse Test status and No Load detection, on the way to the actuator)
Pulse Test
A diagnostic output module feature called a Pulse Test can verify
output circuit functionality without actually changing the state of the
actuator connected to the output. Under user program control, an
extremely short-duration pulse is directed to a particular output on the
module. The output circuitry will momentarily change its current state
long enough to verify that it CAN change state when requested, but
short enough in duration (the actual pulse is measured in
milliseconds) not to affect the actuator connected to the output. This
powerful feature allows a user to perform a preemptive diagnosis of
possible future module conditions before they occur.
Software
The location, ownership and configuration of I/O modules and
controllers are defined using RSLogix 5000 programming software.
The software is also used for creation, testing and debugging of
application logic.
When using RSLogix 5000, users must remember the following:
• During normal SIL2-certified operation:
– we recommend the programming terminal be disconnected.
– the keyswitch must be set to the RUN position.
– the controller key must be removed from the keyswitch.
• Authorized personnel may change an application program but
only by using one of the processes described in section
Changing Your Application Program on page 9-6.
Communications
ControlNet forms the basis for I/O communications on the
ControlLogix backplane and over the network. It is an
industry-proven network that incorporates 16-bit CRC and a standard
CIP network protocol. You must use RSNetWorx for ControlNet
software to schedule the network. The correct scheduling of the
network is independently verified by the controller after the program
is downloaded; the schedule must match the RSLogix 5000 program.
The software also provides user-defined fault handling (for example,
execute fault routine) in the case of errors.
A serial port is available on the controller for download or
visualization only. It uses an industry-proven DF-1 serial link protocol
that has a selection of either 8-bit BCC checksum or 16-bit CRC. The
serial port also uses an industry standard CIP network protocol
running on the DF-1 link.
EtherNet/IP connection is also available for download, monitoring and
visualization.
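The DF-1 choice between an 8-bit BCC and a 16-bit CRC matters because the two detect different classes of corruption. The following added example (not from the manual and not Rockwell Automation code) implements the BCC as the two's complement of the modulo-256 byte sum and the CRC as the reflected CRC-16 with polynomial 0xA001 (CRC-16/ARC, initial value 0), both in general form without the DF-1 DLE/STX/ETX framing, and shows that an adjacent-byte swap passes the BCC unnoticed but is always caught by the CRC. The sample frame is constructed.

```python
"""Added example (not from the manual): the two integrity checks selectable on
the DF-1 serial link, an 8-bit BCC and a 16-bit CRC, in general form so their
error-detection strength can be compared.

Assumptions: BCC = two's complement of the byte sum mod 256; CRC = reflected
CRC-16, polynomial 0xA001, initial value 0, no final XOR (CRC-16/ARC). The
DF-1 frame delimiters and the exact bytes the link covers are not modelled."""


def bcc(data: bytes) -> int:
    """8-bit block check character: two's complement of the byte sum modulo 256.
    The sum is order-independent, so re-ordered bytes give the same BCC."""
    return (-sum(data)) & 0xFF


def crc16(data: bytes) -> int:
    """Bitwise reflected CRC-16 (polynomial 0xA001, init 0, no final XOR).
    Detects every single-bit error and every error burst of 16 bits or fewer."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def swap_adjacent(data: bytes, i: int) -> bytes:
    """Corrupt a frame by swapping bytes i and i+1 (a re-ordering error)."""
    buf = bytearray(data)
    buf[i], buf[i + 1] = buf[i + 1], buf[i]
    return bytes(buf)


def flip_bit(data: bytes, i: int, bit: int) -> bytes:
    """Corrupt a frame by flipping one bit of byte i (a line-noise error)."""
    buf = bytearray(data)
    buf[i] ^= 1 << bit
    return bytes(buf)


def detection_report(frame: bytes, corrupted: bytes) -> dict:
    """Report whether each check, computed on the good frame, rejects the corrupted one."""
    return {
        "bcc_detects": bcc(corrupted) != bcc(frame),
        "crc16_detects": crc16(corrupted) != crc16(frame),
    }


if __name__ == "__main__":
    frame = bytes([0x01, 0x05, 0x0F, 0x00, 0x10])   # constructed sample payload
    print("BCC  = 0x%02X" % bcc(frame))
    print("CRC  = 0x%04X" % crc16(frame))
    print("swap :", detection_report(frame, swap_adjacent(frame, 1)))
    print("flip :", detection_report(frame, flip_bit(frame, 0, 7)))
```

The result is the practical reason to prefer the CRC setting on a link carrying program downloads: a checksum that is a plain sum cannot tell a re-ordered frame from a correct one, while the CRC rejects it.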
Other Unique Features that Aid Diagnostics
These are just a few examples of how the inherent characteristics of
the ControlLogix I/O system provide the user with an unprecedented
capability to diagnose and react to fault conditions in an application.
There are many other unique features that differentiate it from
previous iterations of programmable controllers, such as:
• Timestamping of I/O and diagnostic data
• Electronic keying based on module identification – During
module configuration, you must choose one of the following
keying options for your module:
– Exact Match
– Compatible Module
– Disable Keying
When the controller attempts to connect to and configure a
ControlLogix module (e.g., after program download), the
module compares the specific parameters, defined by the keying
option selected, before allowing the connection and
configuration to be accepted.
We recommend that you use Exact Match whenever possible.
With Exact Match, all module comparisons between the
configuration and the module physically located in the slot that
the controller is attempting to configure must be identical or the
connection is rejected.
IMPORTANT
Some I/O modules listed in Table 1.1 on page 1-8,
may not have configuration profiles for the version
of RSLogix 5000 being used. You may use Disable
Keying in these instances.
For example, the 1756-IB32/B module does not have
a profile in RSLogix 5000, version 11. In this case, the
1756-IB32/A profile can be used to configure the
series B module as long as the Disable Keying option
is selected.
However, if you use the Disable Keying option, you
must verify that the correct module is used with your
configuration in a SIL2-certified system.
For more information on these features, see the Digital I/O user
manual, publication number 1756-UM058.
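Electronic keying as described above, modelled in an added Python example (not the manual's or Rockwell Automation's code). The identity fields compared here (vendor, product type, a product code standing in for the catalog number, major and minor revision) are the usual CIP identity fields; this page does not list the exact set the controller compares, so that is an assumption, as is the Compatible Module rule used: same vendor, product type, product code and major revision, with an installed minor revision at least the configured one. The sample identities are constructed.

```python
"""Added example (not from the manual): the three electronic keying options
modelled as a comparison of the configured module identity with the identity
of the module physically in the slot.

Assumptions: the compared fields are the usual CIP identity fields; the page
does not list the exact set. Compatible Module is modelled as same
vendor/type/code and major revision with an installed minor revision at least
the configured one. Sample identities are constructed."""
from dataclasses import dataclass, fields
from enum import Enum


class Keying(Enum):
    EXACT_MATCH = "Exact Match"
    COMPATIBLE_MODULE = "Compatible Module"
    DISABLE_KEYING = "Disable Keying"


@dataclass(frozen=True)
class ModuleIdentity:
    vendor: int
    product_type: int
    product_code: int      # stands in for the catalog number
    major_rev: int
    minor_rev: int


def mismatched_fields(configured: ModuleIdentity, installed: ModuleIdentity) -> list:
    """List the identity fields that differ. With Disable Keying the controller
    does not check them, so the user has to; this is the check to run by hand."""
    return [f.name for f in fields(ModuleIdentity)
            if getattr(configured, f.name) != getattr(installed, f.name)]


def keying_accepts(keying: Keying, configured: ModuleIdentity,
                   installed: ModuleIdentity) -> bool:
    """Return True when the controller would accept the connection under the
    selected keying option."""
    if keying is Keying.DISABLE_KEYING:
        return True   # nothing is compared; any module in the slot is accepted
    same_product = ((configured.vendor, configured.product_type, configured.product_code)
                    == (installed.vendor, installed.product_type, installed.product_code))
    if not same_product:
        return False
    if keying is Keying.EXACT_MATCH:
        # every field, revisions included, must be identical
        return ((configured.major_rev, configured.minor_rev)
                == (installed.major_rev, installed.minor_rev))
    # COMPATIBLE_MODULE (assumed rule): same major revision, minor not older
    return (configured.major_rev == installed.major_rev
            and installed.minor_rev >= configured.minor_rev)


if __name__ == "__main__":
    configured = ModuleIdentity(vendor=1, product_type=7, product_code=100, major_rev=2, minor_rev=3)
    installed = ModuleIdentity(vendor=1, product_type=7, product_code=100, major_rev=2, minor_rev=5)
    for option in Keying:
        print(option.value, "->", keying_accepts(option, configured, installed))
    print("differs in:", mismatched_fields(configured, installed))
```

The point for a SIL2 system is visible in the last branch: Disable Keying returns True for every module, which is why the manual requires the user to verify the installed module by other means whenever that option is selected.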
Checklist for the ControlLogix System
The following checklist is required for planning, programming and
start up of a SIL2-certified ControlLogix system. It may be used as a
planning guide as well as during proof testing. If used as a planning
guide, the checklist can be saved as a record of the plan.
Check List for ControlLogix System(1)
Company:
Site:
Loop definition:
Each item is marked Fulfilled: Yes / No, with a Comment column.
1. Are you only using the SIL2-certified ControlLogix modules listed in Table 1.1 on page 1-8, with the corresponding firmware release listed in the table, for your safety application?
2. Have you calculated the system’s response time?
3. Does the system’s response time include both the user-defined, SIL-task program watchdog (software watchdog) time and the SIL-task duration time?
4. Is the system response time in proper relation to the process tolerance time?
5. Have PFD values been calculated according to the system’s configuration?
6. Have you performed all appropriate proof tests?
7. Have you defined your process parameters that are monitored by fault routines?
8. Have you determined how your system will handle faults?
9. Have you taken into consideration the checklists for using SIL inputs and outputs listed on pages 6-25 and 6-26?
(1) For more information on the specific tasks in this checklist, see the previous sections in the chapter or Chapter 1, SIL Policy.
Chapter 3
ControlLogix System Hardware
This chapter discusses the hardware required in SIL2-certified
ControlLogix systems.
For information about: See page:
Introduction to the Hardware - 3-1
ControlLogix Chassis - 3-2
ControlLogix Power Supplies - 3-2
Non-Redundant Power Supply - 3-2
Redundant Power Supply - 3-3
Recommendations for System Hardware Use - 3-3
Related ControlLogix Hardware Documentation - 3-4
Introduction to the Hardware
SIL2-certified ControlLogix systems can use the following chassis and
power supply hardware:
• ControlLogix Chassis - Including the following catalog numbers:
– 1756-A4
– 1756-A7
– 1756-A10
– 1756-A13
– 1756-A17
• ControlLogix Power Supplies - Including the following
catalog numbers:
– 1756-PA75
– 1756-PB75
– 1756-PA75R
– 1756-PB75R
– 1756-PC75
– 1756-PH75
– 1756-PSCA
– 1756-PSCA2
– 1756-CPR cables
ControlLogix Chassis
The ControlLogix 1756-Axx chassis provide the physical connections
between modules and the ControlLogix backplane. These connections
allow for P/C communications between controllers and I/O modules.
The chassis itself is passive and is not relevant to further discussion
since any physical failure would be unlikely under normal
environmental conditions and would be manifested and detected as a
failure within one or more of the active components.
ControlLogix Power Supplies
ControlLogix power supplies are designed with noise filtering and
isolation to reduce the opportunity for induced contamination of the
supplied voltages. The power supply monitors the backplane power
and generates control signals (for example, DC_FAIL_L) to indicate if
power failure is imminent. Anomalies in the supplied voltages
immediately shut down the power supply. The power supply
monitors all power supply voltages via sense lines.
IMPORTANT
No extra configuration or wiring is required for SIL2
operation of the ControlLogix power supplies.
All ControlLogix power supplies are designed to:
• detect anomalies
• communicate to the controllers with enough stored power to
allow for an orderly and deterministic shutdown of the system,
including the controller and I/O
Non-Redundant Power Supply
ControlLogix non-redundant power supplies (i.e., one power supply is
connected to a chassis) certified for use in SIL2 applications include
the following catalog numbers:
• 1756-PA75 - AC power supply
• 1756-PB75 - DC power supply
• 1756-PC75 - DC power supply
• 1756-PH75 - DC power supply
IMPORTANT
When non-redundant power supplies are used with
1756-L6x controllers, they must be Series B.
Redundant Power Supply
ControlLogix redundant power supplies (i.e., two power supplies are
connected to the same chassis) certified for use in SIL2 applications
include the following catalog numbers:
• 1756-PA75R - AC power supply
• 1756-PB75R - DC power supply
• 1756-PSCA - Redundant power supply chassis adapter module
required with the use of redundant power supplies
• 1756-PSCA2 - Redundant power supply chassis adapter module
required with the use of redundant power supplies
• 1756-CPR cables
The power supplies share the current load required by the chassis, and
each has an internal solid state relay that can annunciate a fault. Upon
detection of a failure in one supply, the other redundant power supply
automatically assumes the full current load required by the chassis
without disruption to the devices installed.
The 1756-PSCA and 1756-PSCA2 redundant power supply chassis
adapter modules connect the redundant power supply to the chassis.
For additional ControlLogix power supply information, see the
documentation referenced in the Related ControlLogix Hardware
Documentation section on page 3-4.
Recommendations for System Hardware Use
Users must consider the recommendations listed below when using
SIL2-certified ControlLogix hardware:
Chassis
When installing ControlLogix chassis, follow the information provided
in the product documentation listed in the Related ControlLogix
Hardware Documentation section on page 3-4.
Power Supplies
Users must consider these recommendations when using SIL2-certified
ControlLogix power supplies:
• When installing ControlLogix power supplies, follow the
information provided in the product documentation listed in the
Related ControlLogix Hardware Documentation section on
page 3-4.
• A non-redundant power supply can be used if it meets the
user-defined PFD criteria.
• For high availability SIL2 applications, the redundant power
supply is recommended.
• It is recommended that the solid state fault relay on each power
supply be wired from an appropriate voltage source to an input
point in ControlLogix so the user can detect and display a power
supply fault.
Related ControlLogix Hardware Documentation
For more information on ControlLogix hardware, see the Rockwell
Automation publications listed in Table 3.1:
Table 3.1
Catalog Number | Description | Installation Instructions
1756-A4, A7, A10, A13 & A17 | ControlLogix Chassis | 1756-IN080
1756-PA75 | AC Power supply | 1756-5.78
1756-PB75 | DC Power supply | 1756-5.78
1756-PA75/B | AC Power supply | 1756-IN596
1756-PB75/B | DC Power supply | 1756-IN596
1756-PA75R | AC Redundant power supply | 1756-IN573
1756-PB75R | DC Redundant power supply | 1756-IN573
1756-PC75 | DC Power supply | 1756-IN597
1756-PH75 | DC Power supply | 1756-IN589
1756-PSCA | Redundant Power Supply Chassis Adapter Module | 1756-IN574
1756-PSCA2 | Redundant Power Supply Chassis Adapter Module | 1756-IN590
These publications are available from Rockwell Automation at:
http://www.rockwellautomation.com/literature
Chapter 4
ControlLogix Controller
This chapter discusses the ControlLogix controller as used in a
SIL2-certified system.
Introduction to the Controller
The ControlLogix controller used in a SIL2-certified ControlLogix
system is a solid-state control system with a user-programmable
memory for storage of data to implement specific functions, such as:
• I/O control
• Logic
• Timing
• Counting
• Report generation
• Communications
• Arithmetic
• Data file manipulation
The controller consists of a central processor, I/O interface and
memory.
The controller performs power-up and run-time functional tests. The
tests are used with user-supplied application programs to verify
proper controller operation.
CompactFlash Card
A 1784-CF64 Industrial CompactFlash card provides nonvolatile
memory for the 1756-L61, 1756-L62 and 1756-L63 controllers.
However, the use of this card is NOT yet certified, and may NOT be
used in a SIL2-certified application.
Recommendations for Controller Use
Users must consider the recommendations listed below when using a
SIL2-certified ControlLogix controller:
• In non-redundant applications, use only one controller in the
SIL2-certified ControlLogix loop. The controller must own the
configuration information for all I/O modules associated with
the safety loop.
• When installing the ControlLogix controller, follow the information
provided in the documentation listed in the Related Controller
Documentation section below.
• There are currently separate firmware revisions for redundant
and non-redundant operation. For more information on the
revisions, see Table 1.1 on page 1-8.
Related Controller Documentation
For more information on the ControlLogix controller, see the
following Rockwell Automation publications listed in Table 4.1:
Table 4.1
Catalog Number | Description | Installation Instructions | User Manual
1756-L55M13 | ControlLogix 1.5Mb Controller | 1756-IN101 | 1756-UM001
1756-L55M16 | ControlLogix 7.5Mb Controller | 1756-IN101 | 1756-UM001
1756-L61 | ControlLogix 2 Mb Controller | 1756-IN101 | 1756-UM001
1756-L62 | ControlLogix 4 Mb Controller | 1756-IN101 | 1756-UM001
1756-L63 | ControlLogix 8 Mb Controller | 1756-IN101 | 1756-UM001
These publications are available from Rockwell Automation at:
http://www.rockwellautomation.com/literature
Chapter 5
ControlLogix Communications Modules
This chapter discusses the communication modules used in a
ControlLogix SIL2 system.
For information about: See page:
Introduction to Communication Modules - 5-1
ControlNet Bridge Module - 5-2
ControlNet Cabling - 5-2
ControlNet Module Diagnostic Coverage - 5-2
Ethernet Module - 5-3
Ethernet Versus ControlNet - 5-3
Related Communications Modules Documentation - 5-5
Introduction to Communication Modules
The communications modules in a SIL2-certified ControlLogix system
provide communication bridges from a ControlLogix chassis to other
chassis or devices via the ControlNet and Ethernet networks. The
following communications modules are available:
• ControlNet modules - Catalog numbers 1756-CNB & 1756-CNBR
• Ethernet modules - Catalog number 1756-ENBT
• Data Highway Plus – Remote I/O - Catalog number 1756-DHRIO
• SynchLink – Catalog number 1756-SYNCH
ControlLogix communications modules can be used in peer-to-peer
communications between ControlLogix devices. The communications
modules can also be used for expansion of I/O to additional
ControlLogix remote I/O chassis.
ControlNet Bridge Module
The ControlNet bridge module (1756-CNB & 1756-CNBR) provides for
the communications between ControlLogix chassis over the
ControlNet network.
ControlNet Cabling
For remote racks, a single RG6 coax cable is required for ControlNet.
Although it is not a requirement to use redundant media with the
1756-CNBR, it does provide higher system reliability. Redundant
media is not required for SIL2 operation.
ControlNet Repeater
The following ControlNet repeater modules are approved for use in
safety applications up to and including SIL2:
• 1786-RPFS, Short-distance Fiber Repeater Module
• 1786-RPFM, Medium-distance Fiber Repeater Module
• 1786-RPFRL, Long-distance Fiber Repeater Module
• 1786-RPFRXL, Extra-long-distance Fiber Repeater Module
Use of adapter 1756-RPA is required with all of the repeater modules
listed. For more information about the use of ControlNet Repeater
modules, see Table 5.1.
Table 5.1 For More Information About Repeater Modules
Topic | Publication Title | Publication Number
Planning for and installing ControlNet repeater modules | ControlNet Fiber Media Planning and Installation Guide | CNET-IN001
Use of repeaters in safety applications | TUV Report 986/EZ | 986/EZ 135.03.05
ControlNet Module Diagnostic Coverage
All communications over the passive ControlNet media occur via CIP,
which guarantees delivery of the data. All modules independently
verify proper transmission of the data.
Ethernet Module
The Ethernet bridge module (1756-ENBT) provides for the
communications from one ControlLogix chassis to other devices over
the Ethernet network.
The Ethernet link is based on the industry-standard CIP network
protocol running on top of TCP and UDP, with a 32-bit CRC. TCP and
UDP, each with a 16-bit checksum, run on top of Ethernet.
Ethernet Versus ControlNet
Although it may be acceptable to use Ethernet for specific
applications, such as program download, Ethernet requires a switch
for a “star” configuration. Rockwell Automation does not sell or
reference a SIL2/SIL3 Ethernet switch. Also, Ethernet is an “active”
medium whereas ControlNet uses a “passive” medium (that is, one with
a very low failure rate).
Data Highway Plus Remote I/O
The Data Highway Plus - Remote I/O Communication Interface
module (1756-DHRIO) supports multiple types of communication.
However, you can only use the DH+ portion of the module’s
functionality in SIL2 applications.
SynchLink
The SynchLink module (1756-SYNCH) is used for CST time
propagation between multiple chassis for event recording. The
module cannot be used for any safety-related activity in a
SIL2-certified ControlLogix system.
Recommendations for Communications Modules Use
Users must consider the recommendations listed below when using
SIL2-certified communications modules:
• When installing ControlLogix communications modules, follow
the information provided in the documentation listed in the
Related Communications Modules Documentation section on
page 5-5.
• Use Ethernet for communications to Human-to-Machine
Interfaces (HMI) and programming terminals only. For more
information on using HMI, see Figure 1.2 on page 1-4 and
Chapter 10, Use and Application of Human to
Machine Interfaces.
• Use DH+ for communications to Human-to-Machine Interfaces
(HMI) and for communicating with the non-safety portion of the
system. For more information on using HMI, see Figure 1.2 on
page 1-4 and Chapter 10, Use and Application of Human to
Machine Interfaces.
• Remote I/O chassis should be connected via ControlNet only.
• Peer-to-peer communications to controllers outside the safety
loop are restricted to ControlNet only and should occur only if
the controller in the safety loop is sharing its own information
(for example, via produced tags) with other controllers outside
the loop.
• For exchanging I/O data, use listen-only connections.
• For exchanging non-I/O data, use producer/consumer tags.
• Typically, no devices must be permitted to write data to the
controller in the safety loop. The only exception to this
recommendation is the use of HMI devices. For more
information on how to use HMI in the safety loop,
see Chapter 10.
For more information on connecting remote I/O chassis and
peer-to-peer communication, see Figure 1.2 on page 1-4.
Related Communications Modules Documentation
For more information on ControlLogix communications modules, see
the following Rockwell Automation publications listed in Table 5.2:
Table 5.2
Catalog Number | Description | Installation Instructions | User Manual
1756-CNB | ControlNet Communication Module | 1756-IN571 | CNET-UM001
1756-CNBR | Redundant ControlNet Communication Module | 1756-IN571 | CNET-UM001
1756-DHRIO | Data Highway Plus - Remote I/O Communication Interface Module | 1756-IN003 | 1756-UM514
1756-ENBT | EtherNet Communication Module | 1756-IN019 | ENT-UM001
1756-SYNCH | SynchLink Module | 1756-IN575 | 1756-UM521
These publications are available from Rockwell Automation at:
http://www.rockwellautomation.com/literature
Chapter 6
ControlLogix I/O Modules
This chapter discusses the ControlLogix I/O modules that are SIL2
certified.
For information about: See page:
Overview of ControlLogix I/O Modules - 6-1
Module Fault Reporting for any ControlLogix I/O Module - 6-4
Using Digital Input Modules - 6-5
Wiring ControlLogix Digital Input Modules - 6-6
Using Digital Output Modules - 6-7
Wiring ControlLogix Digital Output Modules - 6-10
Using Analog Input Modules - 6-13
Wiring ControlLogix Analog Input Modules - 6-16
Checklist for SIL Inputs - 6-25
Checklist for SIL Outputs - 6-26
Overview of ControlLogix I/O Modules
In the most basic description, there are two types of SIL2-certified
ControlLogix I/O modules:
• Digital I/O modules
• Analog I/O modules
With each type, however, there are differences between specific
modules. Because the differences propagate to varying levels in each
module type, a graphical representation can best provide an overview
of the many SIL2-certified ControlLogix I/O modules.
Figure 6.1 shows the SIL2-certified ControlLogix I/O modules. Each
type, digital or analog, is described in greater detail throughout the
rest of this chapter.
Figure 6.1 SIL2-Certified ControlLogix I/O Modules
Digital I/O Modules
– Diagnostic Digital Modules
– Diagnostic Digital Input Modules, including: 1756-IA8D, 1756-IB16D
– Diagnostic Digital Output Modules, including: 1756-OA8D, 1756-OB16D
– Standard Digital Modules
– Standard Digital Input Modules, including: 1756-IA16I, 1756-IB16I, 1756-IB16ISOE, 1756-IB32, 1756-IH16ISOE
– Standard Digital Output Modules, including: 1756-OA16I, 1756-OB16I, 1756-OB32, 1756-OB8EI, 1756-OW16I, 1756-OX8I
Analog I/O Modules
– Analog Input Modules, including: 1756-IF16, 1756-IF6CIS, 1756-IF6I, 1756-IF8, 1756-IR6I, 1756-IT6I, 1756-IT6I2
– Analog Output Modules, including: 1756-OF6CI, 1756-OF6VI, 1756-OF8
ControlLogix I/O modules are designed with inherent features that
assist them in complying with the requirements of the 61508 Standard.
For example, the modules all have a common backplane interface
ASIC, execute power-up and runtime diagnostics, offer electronic
keying and offer producer-consumer communication.
For SIL2 compliance when installing ControlLogix I/O modules,
follow the information provided in the documentation listed in
Table 6.1.
Table 6.1 lists the ControlLogix I/O modules initially submitted for
SIL2 certification and shown in Figure 6.1.
Table 6.1 Components For Use in the SIL 2 System
Module Type | Catalog Number | Description | Installation Instructions | User Manual
Digital | 1756-IA16I | AC Isolated Input Module | 1756-IN059 | 1756-UM058
Digital | 1756-IA8D | AC Diagnostic Input Module | 1756-IN055 | 1756-UM058
Digital | 1756-IB16D | DC Diagnostic Input Module | 1756-IN069 | 1756-UM058
Digital | 1756-IB16I | DC Isolated Input Module | 1756-IN010 | 1756-UM058
Digital | 1756-IB16ISOE | Sequence of Events Module | 1756-IN591 | 1756-UM528
Digital | 1756-IB32 | DC Input Module | 1756-IN027 | 1756-UM058
Digital | 1756-IH16ISOE | Sequence of Events Module | 1756-IN592 | 1756-UM528
Digital | 1756-OA16I | AC Isolated Output Module | 1756-IN009 | 1756-UM058
Digital | 1756-OA8D | AC Diagnostic Output Module | 1756-IN057 | 1756-UM058
Digital | 1756-OB16D | DC Diagnostic Output Module | 1756-IN058 | 1756-UM058
Digital | 1756-OB16I | DC Isolated Output Module | 1756-IN512 | 1756-UM058
Digital | 1756-OB32 | DC Output Module | 1756-IN026 | 1756-UM058
Digital | 1756-OB8EI | DC Isolated Output Module | 1756-IN012 | 1756-UM058
Digital | 1756-OX8I | Isolated Relay Output Module | 1756-IN513 | 1756-UM058
Digital | 1756-OW16I | Isolated Relay Output Module | 1756-IN011 | 1756-UM058
Analog | 1756-IF16 | Single-ended Analog Input Module | 1756-IN039 | 1756-UM009
Analog | 1756-IF6CIS | Isolated Sourcing Analog Input Module | 1756-IN579 | 1756-UM009
Analog | 1756-IF6I | Isolated Analog Input Module | 1756-IN034 | 1756-UM009
Analog | 1756-IF8 | Analog Input Module | 1756-IN040 | 1756-UM009
Analog | 1756-IR6I | RTD Input Module | 1756-IN014 | 1756-UM009
Analog | 1756-IT6I | Thermocouple Input Module | 1756-IN037 | 1756-UM009
Analog | 1756-IT6I2 | Enhanced Thermocouple Input Module | 1756-IN586 | 1756-UM009
Analog | 1756-OF6CI | Isolated Analog Output Module (Current) | 1756-IN036 | 1756-UM009
Analog | 1756-OF6VI | Isolated Analog Output Module (Voltage) | 1756-IN035 | 1756-UM009
Analog | 1756-OF8 | Analog Output Module | 1756-IN015 | 1756-UM009
Module Fault Reporting for any ControlLogix I/O Module
Users must make sure that all ControlLogix I/O modules are operating
properly in the system. If the modules are not operating properly, the
user must initiate a fault routine when a fault occurs. This can be
accomplished in ladder logic through the use of the Get System Value
instruction (GSV) and an examination of the MODULE Object’s ’Entry
Status’ attribute for a running condition.
An example of how this might be done is shown in Figure 6.2. This
method, or something similar, must be used to interrogate the health
of each I/O module in the system.
Figure 6.2 Example of Checking a Module’s Health in Ladder Logic
(figure: a rung of GSV "Obtain MODULE Object’s Entry Status", AND "Mask Off Lower 12 Bits of Value" and NEQ "Check Entry Status to make sure module is running", driving a Fault output)
For more information on the GSV instruction and MODULE Objects,
see Chapter 7, Faults in the ControlLogix System. For more
information on creating Fault Routines, see Appendix B, System
Self-Testing and User-Programmed Responses.
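The Entry Status check of Figure 6.2, carried out in an added Python example rather than in ladder logic (this is not code from the manual or from Rockwell Automation): mask off the lower 12 bits of the MODULE object’s Entry Status value and compare the remaining upper 4 bits with the Running code. The Running code (16#4 in the upper nibble, 16#4000 after masking) and the other state names in the table are taken from the Logix MODULE object definition, not from this page; the sample status values and module names are constructed.

```python
"""Added example (not from the manual): decoding the MODULE object's
EntryStatus attribute the way the GSV/AND/NEQ rung of Figure 6.2 does.

Assumption: the upper-nibble state codes below (4 = Running) are the ones
documented for the Logix MODULE object; the sample values are constructed."""

ENTRY_STATUS_MASK = 0xF000   # keep the upper 4 bits, mask off the lower 12 (the AND rung)
RUNNING = 0x4000             # value the NEQ rung compares against

# Upper-nibble codes of EntryStatus as documented for the Logix MODULE object.
ENTRY_STATUS_NAMES = {
    0x0000: "Standby",
    0x1000: "Faulted",
    0x2000: "Validating",
    0x3000: "Connecting",
    0x4000: "Running",
    0x5000: "Shutting down",
    0x6000: "Inhibited",
    0x7000: "Waiting",
}


def module_running(entry_status: int) -> bool:
    """True when the masked Entry Status equals the Running code
    (the NEQ rung is false, so no Fault is set)."""
    return (entry_status & ENTRY_STATUS_MASK) == RUNNING


def entry_status_name(entry_status: int) -> str:
    """Human-readable state for an Entry Status value, for the fault record."""
    return ENTRY_STATUS_NAMES.get(entry_status & ENTRY_STATUS_MASK, "Unknown")


def check_modules(entry_statuses: dict) -> list:
    """Interrogate every I/O module. Returns [(module, state), ...] for each
    module that is not Running; an empty list means all modules are healthy,
    a non-empty list must drive the user's fault routine."""
    return [(name, entry_status_name(status))
            for name, status in entry_statuses.items()
            if not module_running(status)]


if __name__ == "__main__":
    # Constructed Entry Status values as a GSV of each MODULE object might return them.
    sample = {
        "Local:3:I": 0x4001,    # Running; lower 12 bits carry other data and are ignored
        "Remote:2:I": 0x1000,   # Faulted
        "Local:4:O": 0x6000,    # Inhibited
    }
    for module, state in check_modules(sample):
        print("FAULT:", module, "is", state)
```

Every module in the loop must be covered by such a check, which is why check_modules takes the whole set rather than a single value; a module the logic never interrogates can fail silently.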
Using Digital Input Modules
ControlLogix digital input modules are divided into two categories:
• Diagnostic input modules
• Standard input modules
These modules share many of the same inherent architectural
characteristics. However, the diagnostic input modules incorporate
features that allow diagnosing of field-side failures. These features
include broken wire (that is, wire-off) detection and, in the case of AC
Diagnostic modules, loss of line power.
General Considerations when using Any ControlLogix Digital
Input Module
Regardless of the type of ControlLogix input module used, there are a
number of general application considerations that users must follow
when applying these modules in a SIL2 application:
• Proof Tests - Periodically (for example, once every several
years) a System Validation test must be performed. Manually, or
automatically, test inputs to make sure that all inputs are
operational and not stuck in the ON or OFF state. Inputs must
be cycled from ON to OFF or OFF to ON. For additional
information on Proof Tests, see page 1-6 and Figure 9.1 on
page 9-5.
• Always use a direct connection with diagnostic input modules
located in remote chassis.
• Wire sensors to separate input points on two separate modules.
• Configuration parameters (for example, RPI, filter values) must
be identical between the two modules.
• The same controller must own both modules.
For operational state information, see Chapter 1, SIL Policy.
Wiring ControlLogix Digital Input Modules
The wiring diagrams in Figure 6.3 show two methods of wiring the
digital input module. In either case, users must determine whether
the use of 1 or 2 sensors is appropriate to fulfill SIL2 requirements.
Figure 6.3 ControlLogix Digital Input Module Wiring
(figure: One-Sensor Wiring Example, with a single sensor from the + Line feeding Input A1 and Input B1 and an optional relay contact to switch line voltage for periodic automated testing; Two-Sensor Wiring Example, with one sensor feeding Input A2 and a second sensor feeding Input B2)
Application logic can compare input values or states for concurrence.
Figure 6.4
(figure: a rung in which Input A and Input B together drive the Actuator)
The user program must also contain rungs to annunciate a fault in the
event of a sustained miscompare between two points.
Figure 6.5
(figure: rungs in which a miscompare between Input A and Input B starts a Timer whose preset, in milliseconds, compensates for filter time and hardware delay differences; Timer Done sets Fault, and Fault drives Alarm to Operator)
The control, diagnostics and alarming functions must be performed in
sequence. For more information on faults, see Chapter 7, Faults in the
ControlLogix System.
Using Digital Output Modules
ControlLogix digital output modules are divided into two categories:
• Diagnostic output modules
• Standard output modules
These modules share many of the same inherent architectural
characteristics. However, the diagnostic output modules incorporate
features that allow diagnosing of field-side failures. These features
include reporting No-Load conditions and point-level fuse-blown. In
addition, the diagnostic modules can validate the state of the output
with the Output Verify feature and the Output Pulse test.
General Considerations when using Any ControlLogix Digital Output Module
Wiring the two types of digital output modules differs, depending on
your application requirements (these wiring methods are explained in
detail in later sections). However, regardless of the type of
ControlLogix output module used, there are a number of general
application considerations that you must follow when applying these
modules in a SIL2 application:
• Proof Tests - Periodically (for example, once every several
years) a System Validation test must be performed. Manually, or
automatically, test outputs to make sure that all outputs are
operational and not stuck in the ON or OFF state. Outputs must
be cycled from ON to OFF or OFF to ON. For additional
information on Proof Tests, see page 1-6 and Figure 9.1 on
page 9-5.
• Examination of Output Data Echo signal in Application
logic: The application logic must examine the Data Echo value
associated with each output point to make sure that the
requested On/Off command from the controller was received by
the module.
In the rungs below, a timer begins to increment for any
miscompare between the actual output bit and its associated
Data Echo bit. The timer must be preset to accommodate the
delay between setting the output bit in controller memory and
receipt of the Data Echo from the module. If a miscompare
exists for longer than that time, a fault is reported.
Figure 6.6
[Ladder rungs: Application Logic sets the Output Bit that drives the Actuator; a miscompare between the Output Bit and its Data Echo runs a Timer; Timer done latches Fault; Fault drives Alarm to Operator.]
The control, diagnostics and alarming functions must be
performed in sequence. For more information on faults, see
Chapter 7, Faults in the ControlLogix System.
• Use of external Relays to disconnect Module Power if
Output De-energization is Critical: To make sure outputs will
de-energize, users must wire an external relay that can remove
power from the output module if a short or other fault is
detected. See Figure 6.7 on page 6-10 for an example method of
wiring an external relay.
• Test outputs at specific times to make sure they are
operating properly. The method and frequency of testing is
determined by the type of module (diagnostic or standard). For
more information on testing diagnostic module outputs, see
page 6-10. For more information on testing standard module
outputs, see page 6-11.
• For typical emergency shutdown (ESD) applications
outputs must be configured to De-energize: When
configuring any ControlLogix output module, each output must
be configured to de-energize in the event of a fault and in the
event of the controller going into program mode. For exceptions
to the typical ESD applications, see Chapter 1, SIL Policy.
• When wiring two digital output modules in series so that one
may break source voltage (as shown in Figure 6.10 on
page 6-12), make sure:
– Both modules use identical configuration.
– The same controller owns both modules.
Wiring ControlLogix Digital Output Modules
Diagnostic Digital Output Modules
Diagnostic output modules have advanced circuitry that is not
included in standard output modules. Because of the advanced
design, users are not required to use an input module to monitor
output status, as is required with standard output modules.
Diagnostic Output modules can be used as-is in a SIL2 application (in
other words, no special wiring considerations need be employed
other than the wiring of the external relay to remove line power from
the module in the event of a fault to make sure outputs will
de-energize if shorted).
In addition to following the General Considerations when using Any
ControlLogix Digital Output Module on page 6-7, the user must
perform a Pulse Test on each output periodically to make sure that the
output is capable of changing state. Automatic diagnostic testing of
output modules should be made at intervals that are an order of
magnitude less than the demand rate. For example, pulse testing
should be scheduled at least once a month for a low demand
system and at least once an hour for a high demand system.
For more information on performing the pulse test, see the
ControlLogix Digital I/O Modules User Manual, publication
1756-UM058.
Users should also make sure they always use a direct connection with
diagnostic output modules located in remote chassis.
Figure 6.7 ControlLogix Diagnostic Output Module Wiring
[Wiring diagram: line power (V+/L1, V-/L2) is supplied to the module through a normally-open relay; the module Output drives the Actuator. Callouts:]
This normally-open relay is controlled by the status of the rest of the ControlLogix system. If a short circuit or fault occurs on the module, the relay can disconnect power to the module. Also, this relay can be wired to disconnect power to multiple modules.
Relays may also be included as shown in position A to interrupt power on a per point basis.
Standard Digital Output Modules
When using standard (also known as non-diagnostic) output modules,
users must wire an output to an actuator and then back to an input to
monitor the output’s performance. The user can write the appropriate
logic to test the output’s ability to turn ON and OFF at power-up, or,
at the proof test interval (see page 1-6), the user can force the output
ON and OFF and use a voltmeter to verify output performance.
Automatic testing of output modules (i.e. the user turns the outputs
ON and OFF to verify proper operation) should be made at intervals
that are an order of magnitude less than the demand rate. For
example, output testing should be scheduled at least once a month
for a low demand system and at least once an hour for a high
demand system.
In addition to following the General Considerations when using Any
ControlLogix Digital Output Module on page 6-7, the user must wire
each standard output to a corresponding input to validate that the
output is following its commanded state.
Figure 6.8 ControlLogix Standard Output Module Wiring
[Wiring diagram: a Standard Isolated Output Module point is wired through the Actuator and back to a Standard Isolated Input Module point (V+/L1, V-/L2 supply), with a normally-open relay in the module power. Callouts:]
Wire output point to input point to verify the correct state of the output.
This normally-open relay is controlled by another output in the ControlLogix system. If a short circuit or fault occurs on output modules, the relay can disconnect power to the modules. Also, this relay can be wired to disconnect power to multiple modules.
Application logic must be written to generate a fault in the event of a
miscompare between the requested state of an output (echo) and the
actual output state monitored by an input channel.
Figure 6.9
[Ladder rungs: Application Logic, conditioned on the Output Fault status, drives the Actuator; a miscompare between the Data Echo and the Monitoring Input runs a Timer; Timer done latches Fault; Fault drives Alarm to Operator. Callout: Timer must be preset in milliseconds to accommodate communication times of the echo signal and the filter time of the input.]
The control, diagnostics and alarming functions must be performed in
sequence. For more information on faults, see Chapter 7, Faults in the
ControlLogix System.
Users can also wire two isolated standard outputs in series to critical
actuators. In the event that a failure is detected, the output from both
output modules must be set to OFF to guarantee the Output Loads
de-energize. Figure 6.10 shows how to wire two isolated standard
outputs in series to critical actuators.
Figure 6.10 ControlLogix Standard Output Module Wiring With Two Modules
[Wiring diagram: points on Standard Isolated Output Module #1 and Standard Isolated Output Module #2 are wired in series through the Actuator and back to a Standard Isolated Input Module point (V+/L1, V-/L2 supply). Callout: wire output point to input point to verify the correct state of the output.]
Using Analog Input Modules
General Considerations when using Any ControlLogix Analog Input Module
There are a number of general application considerations that you
must follow when applying these modules in a SIL2 application:
• Proof Tests - Periodically (for example, once every several
years) a System Validation test must be performed. Manually, or
automatically, test inputs to make sure that all inputs are
operational. Field signal levels should be varied over the full
operating range to make sure that the corresponding channel
data varies accordingly. For additional information on Proof
Tests, see page 1-6 and Figure 9.1 on page 9-5.
• Calibrate Inputs Periodically, As Necessary: ControlLogix
I/O modules ship from the factory with a highly accurate level
of calibration. However, because each application is different,
users are responsible for making sure their ControlLogix I/O
modules are properly calibrated for their specific application.
Users can employ tests in application program logic to
determine when a module requires recalibration. For example,
to determine whether an input module needs to be recalibrated,
a user can determine a tolerance band of accuracy for a specific
application. The user can then measure input values on multiple
channels and compare those values to acceptable values within
the tolerance band. Based on the differences in the comparison,
the user could then determine whether recalibration is
necessary.
Calibration (and subsequent recalibration) is not a safety issue.
However, we recommend that each analog input be calibrated at
least every 3 years to verify the accuracy of the input signal and
avoid nuisance application shutdowns.
• Choose Floating Point Data Format During Module
Configuration: ControlLogix analog input modules perform a
host of on-board alarm processing to validate that the input
signal is within the proper range for the application. However,
these features are only available in Floating Point mode.
• Examine the Appropriate Module Fault, Channel Fault and
Channel Status Bits to Initiate Fault Routines: Each module
will communicate the operating status of each channel to the
controller during normal operation. Application logic must
examine the appropriate bits to initiate a fault routine for a given
application. For more information on faults, see Chapter 7,
Faults in the ControlLogix System.
• Compare Analog Input Data and Annunciate Miscompares:
When wiring sensors to two input channels, the values from
those channels must be compared to each other for concurrence
within an acceptable range for the application before actuating
an output. Any miscompare between the two inputs outside the
programmed acceptable range must be annunciated as a fault.
In Figure 6.11, a user-defined percentage of acceptable
deviation (that is, tolerance) is applied to the configured input
range of the analog inputs (that is, range) and the result is stored
(that is, delta). This delta value is then added to and subtracted
from one of the input channels; the results define an acceptable
High and Low limit of deviation. The second input channel is
then compared to these limits to determine if the inputs are
working properly.
The input’s OK bit preconditions a Timer run that is preset to
accommodate an acceptable fault response time and any
communication filtering lags in the system. If the inputs
miscompare for longer than the preset value, a fault is registered
with a corresponding alarm.
Figure 6.11
[Ladder rungs: MULT multiplies Range by Tolerance % to give Delta; ADD adds Delta to Input 1 to give High Limit; SUB subtracts Delta from Input 1 to give Low Limit; LIM tests Input 2 against Low Limit and High Limit to set Inputs OK; the Inputs OK bit preconditions the Timer; Timer done latches Inputs Faulted; Inputs Faulted drives Alarm to Operator.]
The control, diagnostics and alarming functions must be
performed in sequence. For more information on faults, see
Chapter 7, Faults in the ControlLogix System.
• Configuration parameters (for example, RPI, filter values) must
be identical between the two modules.
• The same controller must own both modules.
Wiring ControlLogix Analog Input Modules
In general, good design practice dictates that each of the two transmitters
must be wired to input terminals on separate modules such that the
channel values may be validated by comparing the two within an
acceptable range. Special consideration must be given in applying this
technique, depending on the type of module being used. Those
details are shown in the following wiring diagrams.
Wiring the Single-Ended Input Module in Voltage Mode
In addition to following the General Considerations when using Any
ControlLogix Analog Input Module on page 6-13, make sure you use
the correct documentation (listed in Table 6.1 on page 6-3) to wire the
module.
When operating in Single-ended voltage mode, all (-) leads of the
transmitters must be tied together. Figure 6.12 shows how to wire the
1756-IF8 module for use in voltage mode.
Figure 6.12 ControlLogix Analog Input Module Wiring in Voltage Mode
[Wiring diagram: Voltage Transmitter A (+) and (–) to Ch0 + and Ch0 – of the first module; Voltage Transmitter B (+) and (–) to Ch0 + and Ch0 – of the second module; the (–) leads are tied together.]
Wiring the Single-Ended Input Module in Current Mode
In addition to following the General Considerations when using Any
ControlLogix Analog Input Module on page 6-13, before wiring the
module, consider the following application guideline:
• Placement of Other Devices in Current Loop: you can locate
other devices in an input channel’s current loop anywhere as
long as the current source can provide sufficient voltage to
accommodate all of the voltage drops (each module input is 250
ohms).
Figure 6.13 shows how to wire the 1756-IF8 module for use in current
mode.
Figure 6.13 ControlLogix Analog Input Module Wiring in Current Mode
[Wiring diagram: Current Source A to Ch0 + and Ch0 – of the first module; Current Source B to Ch0 + and Ch0 – of the second module.]
Wiring the Thermocouple Input Module
In addition to following the General Considerations when using Any
ControlLogix Analog Input Module on page 6-13, before wiring the
module, consider the following application guideline:
• Wire to Same Input Channel on Both Modules: When wiring
thermocouples, wire two in parallel to two modules. Use the
same channel on each module to make sure of consistent
temperature readings.
Figure 6.14 shows how to wire the 1756-IT6I module.
Figure 6.14 ControlLogix Analog Thermocouple Module Wiring
[Wiring diagram: Thermocouple A to Ch0 + and RTN of the first module; Thermocouple B to Ch0 + and RTN of the second module.]
Wiring the RTD Input Module
In addition to following the General Considerations when using Any
ControlLogix Analog Input Module on page 6-13, before wiring the
module, consider the following application guideline:
• RTDs cannot be wired in parallel without severely affecting their
accuracy. Two sensors must be used.
Figure 6.15 shows how to wire the 1756-IR6I module.
Figure 6.15 ControlLogix Analog RTD Module Wiring
[Wiring diagram: RTD A to Ch0 A, Ch0 B and RTN of the first module; RTD B to Ch0 A, Ch0 B and RTN of the second module.]
Using Analog Output Modules
The 1756-OF8 ControlLogix analog output module is certified for use
in SIL2 applications.
General Considerations when using Any ControlLogix Analog Output Module
There are a number of general application considerations that you
must follow when applying the analog output modules in a SIL2
application:
IMPORTANT: It is strongly recommended that you do not use
analog outputs to execute the safety function that
results in a safe state. Analog output modules are
slow to respond to an ESD command and are
therefore not recommended for use as ESD output
modules.
The use of digital output modules and actuators to
achieve the ESD de-energized state is recommended.
• Proof Tests - Periodically (for example, once every several
years) a System Validation test must be performed. Manually, or
automatically, test outputs to make sure that all outputs are
operational. Channel data should be varied over the full
operating range to make sure that the corresponding field signal
levels vary accordingly. For additional information on Proof
Tests, see page 1-6 and Figure 9.1 on page 9-5.
• Calibrate Outputs Periodically, As Necessary: ControlLogix
I/O modules ship from the factory with a highly accurate level
of calibration. However, because each application is different,
users are responsible for making sure their ControlLogix I/O
modules are properly calibrated for their specific application.
Users can employ tests in application program logic to
determine when a module requires recalibration. For example,
to determine whether an output module needs to be
recalibrated, a user can determine a tolerance band of accuracy
for a specific application. The user can then measure output
values on multiple channels and compare those values to
acceptable values within the tolerance band. Based on the
differences in the comparison, the user could then determine
whether recalibration is necessary.
Calibration (and subsequent recalibration) is not a safety issue.
However, we recommend that each analog output be calibrated
at least every 3 years to verify the accuracy of the output signal
and avoid nuisance application shutdowns.
• Choose Floating Point Data Format During Module
Configuration: ControlLogix analog output modules perform a
host of on-board alarm processing to validate that the output
signal is within the proper range for the application. However,
these features are only available in Floating Point mode.
• Examine the Appropriate Module Fault, Channel Fault and
Channel Status Bits to Initiate Fault Routines: Each module
will communicate the operating status of each channel to the
controller during normal operation. Application logic must
examine the appropriate bits to initiate a fault routine for a given
application. For more information on faults, see Chapter 7,
Faults in the ControlLogix System.
• For typical emergency shutdown (ESD) applications
outputs must be configured to De-energize: When
configuring any ControlLogix output module, each output must
be configured to de-energize in the event of a fault and in the
event of the controller going into program mode. For exceptions
to the typical ESD applications, see Chapter 1, SIL Policy.
• Wire Output Back to Input and Examination of Output
Data Echo signal: Users must wire an analog output to an
actuator and then back to an analog input to monitor the
output’s performance, as shown in Figure 6.17. The application
logic must examine the Data Echo value associated with each
output point to make sure that the requested output command
from the controller was received by the module. The value must
be compared to the analog input that is monitoring the output to
make sure the value is in an acceptable range for the
application.
In the ladder diagram in Figure 6.16, a user-defined percentage
of acceptable deviation (that is, tolerance) is applied to the
configured range of the analog input and output (that is, range)
and the result is stored (that is, delta). This delta value is then
added to and subtracted from the monitoring analog input
channel; the results define an acceptable High and Low limit of
deviation. The analog Output Echo is then compared to these
limits to determine if the output is working properly.
The output’s OK bit preconditions a Timer run that is preset to
accommodate an acceptable fault response time and any
communication filtering, or output, lags in the system. If the
monitoring input value and the Output Echo miscompare for
longer than the preset value, a fault is registered with a
corresponding alarm.
Figure 6.16 Monitoring an Analog Output with an Analog Input
[Ladder rungs: MULT multiplies Range by Tolerance % to give Delta; ADD adds Delta to the Monitoring input to give High Limit; SUB subtracts Delta from the Monitoring input to give Low Limit; LIM tests the Output Echo against Low Limit and High Limit to set Outputs OK; the Outputs OK bit preconditions the Timer; Timer done latches Outputs Faulted; Outputs Faulted drives Alarm to Operator.]
The control, diagnostics and alarming functions must be
performed in sequence.
• When wiring two analog output modules in the same
application, make sure:
– Both modules use identical configuration.
– The same controller owns both modules.
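The miscompare-timer rungs of Figures 6.5, 6.6 and 6.9 and the tolerance-band rungs of Figures 6.11 and 6.16, modelled as an added scan-by-scan simulation in Python. This is illustration written for this edition, not ladder logic from the manual or Rockwell code; the scan period, timer presets, channel range, tolerance and the sample scan logs are constructed.

```python
"""Added illustration (not Rockwell code or ladder from this manual): a
scan-by-scan model of the miscompare rungs in Figures 6.5, 6.6 and 6.9
(two digital points that must agree) and the tolerance-band rungs in
Figures 6.11 and 6.16 (analog concurrence). Scan period, timer presets,
ranges and the sample scan logs are constructed for the demonstration."""
from typing import List, Optional, Tuple


class TON:
    """On-delay timer modelled on the TON instruction: ACC accumulates only
    while the rung is true, resets to zero when it goes false, DN once
    ACC reaches PRE."""

    def __init__(self, preset_ms: int) -> None:
        self.preset_ms = preset_ms
        self.acc_ms = 0
        self.done = False

    def update(self, enable: bool, scan_ms: int) -> bool:
        if enable:
            self.acc_ms = min(self.preset_ms, self.acc_ms + scan_ms)
            self.done = self.acc_ms >= self.preset_ms
        else:
            self.acc_ms, self.done = 0, False
        return self.done


class SustainedMiscompare:
    """The 'miscompare -> Timer -> Timer done -> Fault -> Alarm' rungs.
    A disagreement shorter than the preset (input filter time, RPI, Data
    Echo delay) never reaches DN; a sustained one latches Fault, which
    seals itself in until an explicit reset, as the rungs show."""

    def __init__(self, preset_ms: int) -> None:
        self.timer = TON(preset_ms)
        self.fault = False

    def scan(self, miscompare: bool, scan_ms: int) -> bool:
        if self.timer.update(miscompare, scan_ms):
            self.fault = True
        return self.fault


def analog_limits(range_eu: float, tolerance_pct: float,
                  reference: float) -> Tuple[float, float]:
    """MULT, SUB and ADD rungs of Figure 6.11: Delta is a percentage of the
    configured channel RANGE, not of the reading, so the band width is
    constant across the whole range; the limits are centred on the
    reference channel (Input 1 in Fig. 6.11, Monitoring input in Fig. 6.16)."""
    delta = range_eu * tolerance_pct / 100.0
    return reference - delta, reference + delta


def analog_in_band(range_eu: float, tolerance_pct: float,
                   reference: float, value: float) -> bool:
    """LIM rung: true when value lies within [Low Limit, High Limit].
    LIM is inclusive, so a value exactly on a limit still counts as OK."""
    low, high = analog_limits(range_eu, tolerance_pct, reference)
    return low <= value <= high


def first_fault_scan(monitor: SustainedMiscompare, miscompares: List[bool],
                     scan_ms: int) -> Optional[int]:
    """Feed one miscompare flag per scan; return the 0-based index of the
    scan in which Fault first latched, or None if it never did."""
    for index, flag in enumerate(miscompares):
        if monitor.scan(flag, scan_ms):
            return index
    return None


# Constructed scan log for Figure 6.6: (Output Bit, Data Echo) per 10 ms scan.
DIGITAL_LOG = ([(True, False)] * 2     # echo lags the command by 2 scans: normal
               + [(True, True)] * 8    # output and echo agree
               + [(True, False)] * 8)  # echo stuck OFF: sustained miscompare

# Constructed log for Figure 6.11: (Input 1, Input 2) in engineering units on
# channels with a configured range of 100.0 EU and 2 % tolerance (Delta 2.0).
ANALOG_LOG = [(50.0, 51.5)] * 5 + [(50.0, 53.0)] * 12


def digital_fault_scan(scan_ms: int = 10, preset_ms: int = 50) -> Optional[int]:
    """Figure 6.6 logic over DIGITAL_LOG: the 2-scan echo lag (20 ms) is
    absorbed by the 50 ms preset; the stuck echo latches Fault at scan 14."""
    flags = [out != echo for out, echo in DIGITAL_LOG]
    return first_fault_scan(SustainedMiscompare(preset_ms), flags, scan_ms)


def analog_fault_scan(scan_ms: int = 10, preset_ms: int = 80,
                      range_eu: float = 100.0, tol_pct: float = 2.0) -> Optional[int]:
    """Figure 6.11 logic over ANALOG_LOG: 51.5 sits inside [48.0, 52.0], 53.0
    does not, and after 80 ms of disagreement Inputs Faulted latches at scan 12."""
    flags = [not analog_in_band(range_eu, tol_pct, in1, in2)
             for in1, in2 in ANALOG_LOG]
    return first_fault_scan(SustainedMiscompare(preset_ms), flags, scan_ms)


if __name__ == "__main__":
    print("digital Fault latched at scan:", digital_fault_scan())  # 14
    print("analog Inputs Faulted at scan:", analog_fault_scan())   # 12
```

Choosing the preset is the whole design question: too short and the normal echo or filter lag in the first two scans of DIGITAL_LOG would raise a nuisance fault, too long and the fault response time of the loop is exceeded.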
Wiring ControlLogix Analog Output Modules
In general, good design practice dictates that each analog output must
be wired to a separate input terminal to make sure that the output is
functioning properly.
Wiring the Analog Output Module in Voltage Mode
Figure 6.17 shows how to wire the 1756-OF8 module for use in
voltage mode.
Figure 6.17 ControlLogix Analog Output Module Wiring in Voltage Mode
[Wiring diagram: the Analog Output Module (+) and (–) terminals are wired through the Actuator to the Analog Input Module (+) and (–) terminals, with a normally-open relay in the output module power. Callouts:]
This normally-open relay is controlled by the status of the rest of the ControlLogix system. If a short circuit or fault occurs on the module, the relay can disconnect power to the module. Also, this relay can be wired to disconnect power to multiple modules.
Wiring the Analog Output Module in Current Mode
In addition to following the General Considerations when using Any
ControlLogix Analog Output Module on page 6-20, consider the
following application guideline before wiring the 1756-OF8 module in
current mode:
• Placement of Other Devices in Current Loop: you can locate
other devices in an output channel’s current loop anywhere as
long as the current source can provide sufficient voltage to
accommodate all of the voltage drops (each module output is
250 ohms).
Figure 6.18 shows how to wire the 1756-OF8 module for use in
current mode.
Figure 6.18 ControlLogix Analog Output Module Wiring in Current Mode
[Wiring diagram: the Analog Output Module (+) and (–) terminals are wired through the Actuator to the Analog Input Module (+) and (–) terminals, with a normally-open relay in the output module power. Callouts:]
This normally-open relay is controlled by the status of the rest of the ControlLogix system. If a short circuit or fault occurs on the module, the relay can disconnect power to the module. Also, this relay can be wired to disconnect power to multiple modules.
Checklist for SIL Inputs
The following checklist is required for planning, programming and
start up of SIL inputs. It may be used as a planning guide as well as
during proof testing. If used as a planning guide, the checklist can be
saved as a record of the plan.
For programming or start-up, an individual checklist can be filled in
for every single SIL input channel in a system. This is the only way to
make sure that the requirements were fully and clearly implemented.
This checklist can also be used as documentation on the connection
of external wiring to the application program.
Input Check List for ControlLogix System
Company:
Site:
Loop definition:
SIL input channels in the:
Each item below is answered Yes or No, with a Comment column for notes.

All Input Module Requirements (apply to both digital and analog input modules)
1. Is Exact Match selected as the electronic keying option whenever possible?
2. Is the RPI value set to an appropriate value for your application?
3. Are all modules owned by the same controller?
4. Have you performed proof tests on the system and modules?
5. Have you set up the fault routines?
6. Are control, diagnostics and alarming functions performed in sequence in application logic?

Additional Digital Input Module-Only Requirements
1. When two digital input modules are wired in the same application, do the following conditions exist:
   • Both modules are owned by the same controller.
   • Sensors are wired to separate input points.
   • The operational state is ON.
   • The non-operational state is OFF.
   • Configuration parameters (for example, RPI, filter values) are identical.
2. For the standard input modules, is the Communication Format set to one of the Input Data choices?
3. For the diagnostic input modules, is the Communication Format set to Full Diagnostics-Input Data?
4. For the diagnostic input modules, are all diagnostics enabled on the module?
5. For the diagnostic input modules, are enabled diagnostic bits monitored by fault routines?
6. For the diagnostic input modules, is the connection to remote modules a direct connection?

Additional Analog Input Module-Only Requirements
1. Is the Communication Format set to Float Data?
2. Have you calibrated the modules as often as required by your application?
3. Are you using ladder logic to compare the analog input data on two channels to make sure there is concurrence within an acceptable range and that redundant data is used properly?
4. Have you written application logic to examine bits for any condition that may cause a fault and appropriate fault routines to handle the fault condition?
5. When wiring the 1756-IF8 in voltage mode, are transmitter grounds tied together?
6. When wiring the 1756-IF8 in current mode, are loop devices placed properly?
7. When wiring 1756-IT6I modules in parallel, have you wired to the same channel on each module as shown in Figure 6.14 on page 6-18?
8. When wiring two 1756-IR6I modules, are two sensors used, as shown in Figure 6.15 on page 6-19?
Checklist for SIL Outputs
The following checklist is required for planning, programming and
start up of SIL outputs. It may be used as a planning guide as well as
during proof testing. If used as a planning guide, the checklist can be
saved as a record of the plan.
For programming or start-up, an individual requirement checklist must
be filled in for every single SIL output channel in a system. This is the
only way to make sure that the requirements are fully and clearly
implemented. This checklist can also be used as documentation on
the connection of external wiring to the application program.
Output Check List for ControlLogix System
Company:
Site:
Loop definition:
SIL output channels in the:
Each item below is answered Yes or No, with a Comment column for notes.

All Output Module Requirements (apply to both digital and analog output modules)
1. Have you performed proof tests on the modules?
2. Is Exact Match selected as the electronic keying option whenever possible?
3. Is the RPI value set to an appropriate value for your application?
4. Have you set up fault routines, including comparing output data with a corresponding input point?
5. If required, have you used external relays in your application to disconnect module power if a short or other fault is detected on the module or isolated output in series?
6. Is the control of the external relay implemented in ladder logic?
7. Have you examined the Output Data Echo signal in application logic?
8. Are all outputs configured to de-energize in the event of a fault or the controller entering program mode?
9. Do two modules of the same type, used in the same application, use identical configurations?
10. Does one controller own both modules if two of the same type are used in an application?
11. Are control, diagnostics and alarming functions performed in sequence in application logic?

Digital Output Module-Only Requirements
1. For the standard output modules, is the Communication Format set to Output Data?
2. For standard output modules, have you wired the outputs to a corresponding input to validate that the output is following its commanded state?
3. For the diagnostic output modules, are all diagnostics enabled on the module?
4. For the diagnostic output modules, are enabled diagnostic bits monitored by fault routines?
5. For the diagnostic output modules, is the Communication Format set to Full Diagnostics-Output Data?
6. For diagnostic output modules, have you periodically performed a Pulse Test to make sure that the output is capable of changing state?
7. For diagnostic output modules, is the connection to remote modules a direct connection?

Analog Output Module-Only Requirements
1. Is the Communication Format set to Float Data?
2. Have you calibrated the modules as often as required by your application?
3. When wiring the 1756-OF8 in current mode, are loop devices placed properly?
4. Have you written application logic to examine bits for any condition that may cause a fault and appropriate fault routines to handle the fault condition?
Chapter 7
Faults in the ControlLogix System
Introduction
The ControlLogix architecture provides the user many ways of
detecting and reacting to faults in the system. The first way that users
can handle faults is to make sure they have completed the input and
output checklists listed on pages 6-25 and 6-26 for their application.
In addition to the checklists mentioned above, various device objects
can be interrogated to determine the current operating status.
Additionally, modules provide run-time status of their operation and
of the process. It is up to users to determine what data is most
appropriate for their application to initiate a shutdown sequence.
This chapter explains two example conditions that will generate a
fault in a SIL2-certified ControlLogix system:
• Keyswitch changing out of RUN mode
• High alarm condition on an analog input module
For more information on the analog status bits available for
examination, see the ControlLogix Analog I/O Modules User Manual,
publication 1756-UM009.
For information on System Self-Testing and
User-Programmed Responses, see Appendix B.
For more information on faults, see Appendix C, Additional
Information on Handling Faults in the ControlLogix System.
Checking Keyswitch Position with GSV Instruction
The following rungs generate a fault if the keyswitch on the front of
the controller is switched from the Run mode:
Figure 7.1
[Ladder rungs: a GSV instruction with Class CONTROLLERDEVICE, Attribute STATUS and Destination KEYSTATE; the KEYSTATE.13 bit latches Fault; Fault drives Alarm to Operator.]
In this example, the Get System Value (GSV) instruction interrogates
the STATUS attribute of the CONTROLLERDEVICE object and stores
the result in a word called KEYSTATE, where bits 12 and 13 define the
state of the keyswitch as shown in Table 7.1.
Table 7.1
Bit 13   Bit 12   Description
0        1        Keyswitch in Run position
1        0        Keyswitch in Program position
1        1        Keyswitch in Remote position
If bit 13 is ever ON, then the keyswitch is not in the RUN position.
Examining bit 13 of KEYSTATE for an ON state will generate a fault.
For more information on accessing the CONTROLLERDEVICE
object, see the Logix5000 Controllers General Instructions Reference
Manual, publication 1756-RM003.
Examining an Analog Input Module’s High Alarm
ControlLogix analog modules perform processing and comparison of
field data values right on the module, allowing for easy examination
of status bits to initiate a fault.
For example, the 1756-IF8 module can be configured with
user-defined alarm values that, when exceeded, will set a status bit on
the module which is then sent back to the controller. The user may
then examine the state of these bits to initiate a fault as shown in
Figure 7.2:
Figure 7.2
[Ladder rungs: the Ch1HAlarm bit latches Fault; Fault drives Alarm to Operator.]
In the example above, the High Alarm bit for channel 1 (CH1HAlarm)
is being examined for an On condition to initiate a fault. During
operation, as the analog input module processes analog signals from
the field sensors, if the value for channel 1 exceeds the user-defined
value configured for Channel 1’s High Alarm, the (CH1HAlarm) bit is
set and sent to the controller and a fault is declared.
Chapter 8 General Requirements for Application Software
This chapter discusses the details of the application program.
For information about: | See page:
Software for SIL2-Related Systems | 8-1
SIL2 Programming | 8-2
General Guidelines for Application Software Development | 8-2
Forcing | 8-4
Security | 8-4
ControlLogix System Operational Modes | 8-5
Checklist for the Creation of an Application Program | 8-6
Software for SIL2-Related Systems
The application software for the SIL2-related automation systems is
generated using the programming tool (RSLogix 5000) according to
IEC 61131-3.
The application program has to be created by the programming tool
RSLogix 5000 and contains the specific equipment functions that are
to be carried out by the ControlLogix system. Parameters for the
operating function are also entered into the system using
RSLogix 5000.
SIL2 Programming
Safety Concept of the ControlLogix system
The safety concept of SIL2 assumes that:
• the programming system (PS) hardware and firmware works
correctly (that is, programming system errors can be detected).
• the user applies the logic correctly, that is, user programming
errors can be detected.
For the initial start-up of a safety-related ControlLogix system, the
entire system must be checked by a complete functional test. After a
modification of the application program, the modified program or
logic must be checked.
For more information on how users should handle changes to their
application program, see the Changing Your Application Program
section on page 9-6.
General Guidelines for Application Software Development
The application software for the intended SIL2 systems is intended to
be developed by the system integrator and/or user. The developer
must follow good design practices including the use of:
• Functional specifications
• Flow charts
• Timing diagrams
• Sequence charts
• Program review
• Program validation
All logic should be reviewed and tested. To facilitate reviews and
reduce unintended responses, developers should limit the set of
instructions to basic Boolean/ladder logic (such as examine On/Off,
Timers, Counters, etc.) whenever possible. This set should include
instructions that can be used to accommodate analog variables, such
as:
• Limit tests
• Comparisons
• Math instructions
See Appendix B, System Self-Testing and
User-Programmed Responses, for details.
Users must verify the downloading of the application program and its
proper operation. A typical validation technique is to upload the
downloaded program file and perform a compare of that file against
what is stored in the programming terminal. The upload compare can
be accomplished after an interval by saving the first one and
comparing it to the second or subsequent uploads. This approach
could also be performed through different paths (that is, over
ControlNet and via the serial port).
Safety logic and non safety-related logic should be separate.
Check the Created Application Program
To check the created application program for adherence to the
specific function, you must generate a suitable set of test cases
covering the specification. The set of test cases is filed as the test
specification.
A suitable test set must also be generated for the numeric evaluation
of formulas. Equivalent range tests are acceptable. These are tests
within the defined value ranges, at the limits, or in impermissible
value ranges. The test cases must be selected to prove the correctness
of the calculation. The necessary number of test cases depends on the
formula used and must comprise critical value pairs.
However, active simulation with sources cannot be omitted as this is
the only means of detecting correct wiring of the sensors and
actuators to the system. Furthermore, this is the only means of testing
the system configuration. Users should verify the correct programmed
functions by forcing I/O or by manual manipulation of sensors and
actuators.
Possibilities of Program Identification
The application program is clearly identified by one of the following:
• Name
• Date
• Revision
• Any other user identification information
Forcing
Forcing must be disabled after system test and validation.
Security
The user must define what measures are to be applied for the
protection against manipulation.
In the ControlLogix system and in RSLogix 5000, protection
mechanisms are available that prevent unintentional or unauthorized
modifications to the safety system:
• The following tools may be employed for security reasons in a
SIL2-certified ControlLogix application:
– Logix CPU Security Tool
– Source Protection Tool
– RSI Security Server
Each of these tools offers different security features, including
password protection, at varying levels of granularity throughout
the application. The description of these tools is too large in
scope to list here. Users can contact their local Rockwell
Automation representative for more information.
• The controller keyswitch should be in the RUN position and the
key removed during normal operating conditions.
• Operator options are set up per user login in the ControlLogix
system.
• The online connection between RSLogix 5000 and the
ControlLogix system is not permitted during normal SIL2 RUN
operation except as described in Chapter 9.
The requirements of the safety and application standards regarding
the protection against manipulations must be observed. The
authorization of employees and the necessary protection measures are
the responsibility of the individuals starting the system.
ControlLogix System Operational Modes
A three-position keyswitch on the front of the controller governs
ControlLogix system operational modes. The following modes are
available:
• Run
• Program
• Remote - This software-enabled mode can be program or run.
Figure 8.1 shows a controller with the keyswitch in the Run mode.
Figure 8.1 (photograph: controller with the keyswitch in the Run position; image not reproduced)
When a SIL2-certified ControlLogix application is operating in the Run
mode, the controller keyswitch must be in the RUN position and the
key removed. Outputs are only enabled in this mode.
Checklist for the Creation of an Application Program
The following checklist is recommended to maintain safety technical
aspects when programming, before and after loading the new or
modified program.
Checklist for Creation of an Application Program (Safety Manual ControlLogix System)
Company:
Site:
Project definition:
File definition / Archive number:
Notes / Checks (each item is answered Yes or No, with a Comment column)
Before a Modification
• Are the configuration of the ControlLogix system and the
application program created on the basis of safety aspects?
• Are programming guidelines used for the creation of the
application program?
After a Modification - Before Loading
• Has a review of the application program with regard to the
binding system specification been carried out by a person not
involved in the program creation?
• Has the result of the review been documented and released
(date/signature)?
• Was a backup of the complete program created before loading a
program in the ControlLogix system?
After a Modification - After Loading
• Was a sufficient number of tests carried out for the safety
relevant logical linking (including I/O) and for all mathematical
calculations?
• Was all force information reset before safety operation?
• Has it been verified that the system is operating properly?
• Have the appropriate security routines and functions been
installed?
• Is the controller keyswitch in Run mode and the key removed?
Chapter 9 Technical SIL2 Requirements for the Application Program
This chapter discusses technical safety for the application program.
For information about: | See page:
General Procedure | 9-1
SIL Task/Program Instructions | 9-4
Programming Languages | 9-4
Commissioning Life Cycle | 9-5
Changing Your Application Program | 9-6
Forcing | 9-8
General Procedure
The general procedure for programming the ControlLogix system SIL2
applications is listed below.
• Specification of the control function, including:
– specification
– flow and timing charts
– diagrams
– sequence charts
– program description
– program review process
• Writing the application program
• Checking by independent reviewer
• Verification and validation
Once the program is tested, the ControlLogix system can be put into
operation.
Basics of Programming
The control program must be available as a specification or a
performance specification. This documentation forms the basis for the
check of correct transformation into the program. The type of
presentation of the specification depends on the task to be carried
out. This can be:
Logic and Instructions
The logic and instructions used in programming the application must
be:
• easy to understand
• easy to trace
• easy to change
• easy to test
Program Logic
Users must implement simple, easy-to-understand:
• ladder
• other IEC 1131-compliant language
or
• function blocks with specified characteristics.
We use ladder, for example, because it is easier to visualize and make
partial program changes with this format.
Specification
The specification must include a detailed description that includes (if
applicable):
• Sequence of operations
• Flow and timing diagrams
• Sequence charts
• Program description
• Program print out
• Verbal descriptions of the steps with step conditions and
actuators to be controlled, including:
– input definitions
– output definitions
– I/O wiring diagrams and references
– theory of operation
• Matrix- or table form of stepped conditions and the actuators to
be controlled, including the sequence and timing diagrams
• Definition of marginal conditions, for example, operating
modes, EMERGENCY STOP etc.
The I/O-portion of the specification must contain the analysis of field
circuits, that is, the type of sensors and actuators:
Sensors (Digital or Analog)
• Signal in standard operation (dormant current principle for
digital sensors, sensors OFF means no signal)
• Determination of redundancies required for SIL levels
• Discrepancy monitoring and visualization, including the user’s
diagnostic logic
Actuators
• Position and activation in standard operation (normally OFF)
• Safe reaction/positioning when switching OFF or on power
failure.
• Discrepancy monitoring and visualization, including the user’s
diagnostic logic
SIL Task/Program Instructions
The user program may contain a single SIL task composed of multiple
programs and routines. This is a timed task with a user-selectable task
priority and watchdog. The SIL2 task must be the controller’s top
priority and the user-defined program watchdog (software watchdog)
must be set to accommodate the SIL2 task and any other tasks. For
more information, see Chapter 1, SIL Policy.
Safety logic and non safety-related programs must be separate.
Programming Languages
All programming languages (for example, ladder logic, function
block) available in the ControlLogix system will also be available for
programming the ControlLogix controller for SIL2 applications.
Commissioning Life Cycle
Figure 9.1 shows the steps required during application program
development, debugging and commissioning.
Figure 9.1 (flow chart; its boxes are listed below in the order they appear on the page, connecting arrows not reproduced):
• Generate Functional Specification
• Create Flow Diagram
• Create Timing Diagrams
• Establish Sequence of Operations
• Develop Project Online
• Develop Project Offline
• Review Program with Independent Party
• Download to Controller
• Develop Test Plan
• Perform Validation Testing on all Logic
• Verification okay? (Yes / No)
• Make more online edits & accept edits or make more offline edits and download to CTR
• Begin Normal Project Operation
• Download to Controller
• Tests Pass? (No)
• Make project changes
• Determine what logic has been Changed or Affected
• Perform Validation Testing on all Changed or Affected Logic
• Finish the Validation Test(1)
• Secure PADT
(1) You must periodically repeat the validation test (also known as proof tests) to make sure module inputs and outputs are functioning properly and
as commanded by the application programming. For more information on proof tests for I/O modules, see Chapter 9, ControlLogix I/O Modules.
Changing Your Application Program
The following rules apply to changing your application program in
RSLogix 5000:
• Program edits are not recommended. However, they are
possible if necessary and should be limited. For example, minor
changes such as changing a timer preset or analog setpoint
are possible.
• Only authorized, specially-trained personnel can make program
edits. These personnel should use all supervisory methods
available, for example, using the controller keyswitch and
software password protections.
• When authorized, specially-trained personnel make program
edits, they assume the central safety responsibility while the
changes are in progress. These personnel must also maintain
safe application operation.
• Prior to making any program edits, an impact analysis must be
performed by following the specification and other lifecycle
steps described in Figure 9.1 as if the edits were an entirely
new program.
• Users must sufficiently document all program edits, including:
– authorization
– impact analysis
– execution
– test information
– revision information
• Users cannot make program edits while the program is online if
the changes prevent the system from executing the safety
function or if alternative protection methods are not in place.
• Users cannot edit their program from multiple programming
terminals simultaneously.
• Changes to the SIS application software (in this case,
RSLogix 5000) must comply with the IEC 61511 standard on
process safety, section 11.7.1, Operator Interface requirements.
• Users cannot edit their program when a project is operating in
the RUN state. In other words, if an application is running and
the ControlLogix controller keyswitch is in the RUN position,
users cannot make online edits.
• Users can edit the relay ladder logic portion of their program
using one of the following methods described in Table 9.1:
Table 9.1 Methods of Changing Your Application Program in RSLogix 5000
Method: Offline
Controller Keyswitch Position: PROG
Required Steps: The user performs the tasks described in the flow chart in Figure 9.1 on
page 9-5.
Key Points to this Method: Users must revalidate the entire
application before returning to
normal operation.
Method: Online
Controller Keyswitch Position: REM
Required Steps:
1. Turn the controller key to the REM position.
2. Use the Online Edit Toolbar to start, accept, test and assemble your
edits. The toolbar (not reproduced here) carries the buttons start
pending rung edit, accept pending rung edits, assemble program edits,
test program edits and untest program edits.
a. Click the start pending rung edits button. A copy is made
of the rung you want to edit.
b. Change your application program as needed. At this point, the
original program is still active in the controller. Your program
changes are made in the copied rungs. Changes do not affect the
outputs until you test program edits in step d.
c. Click the accept pending rung edits button. Your
program changes are verified and downloaded to the controller.
The controller now has the changed program and the original
program. However, the controller continues to execute the
original program. You can see the state of the inputs, and
changes do not affect the outputs.
d. Click the test program edits button.
e. Click Yes to test the edits. Changes are now executed and affect
the outputs; the original program is no longer executed. However,
if you are not satisfied with the result of testing the edits, you
can discard the new program by clicking on the untest program
edits button if necessary. If you untest the edits, the
controller returns to the original program.
f. Click the assemble program edits button.
g. Click Yes to assemble the edits. The changes are the only
program in the controller, and the original program is discarded.
3. Perform a partial proof test of the portion of the application affected
by the program edits.
4. Turn the controller key back to the RUN position to return the project
to Run mode. We recommend you upload the new program to your
programming terminal to ensure consistency between the
application in the controller and on the programming terminal.
5. Remove the key.
Key Points to this Method: The project remains online but
operates in the remote run mode.
When edits are completed, users
are only required to validate the
changed portion of the application
program.
We recommend that online edits be
limited to minor program
modifications such as setpoint
changes or ladder logic rung
additions, deletions and
modifications.
IMPORTANT: This option to change the application program is available for
changes to relay ladder logic only. Users cannot use this method to change
function block programming. For more detailed information on how to edit
ladder logic while online, see the Logix5000 Controllers Quick Start,
publication 1756-QS001.
• If online edits exist in the standard routines only, those edits are
not required to be validated before returning to normal
operation. Users must verify that changes in the standard routine
do not affect SIL routines.
IMPORTANT
If any changes are needed to the program in the
safety loop, they must be made in accordance
with IEC 61511-1, paragraph 11.7.1.5, which states:
"The Safety Instrumentation System (SIS) operator
interface design shall be such as to prevent changes
to SIS application software. Where safety information
needs to be transmitted from the basic process
control system (BPCS) to the SIS then systems should
be used which can selectively allow writing from the
BPCS to specific SIS variables. Equipment or
procedures should be applied to confirm the proper
selection has been transmitted and received by the
SIS and does not compromise the safety function of
the SIS."
Also, for more information on changing the SIL2
application program, see Chapter 10.
Forcing
The following rules apply to forcing in an RSLogix 5000 project:
• Users must remove forces on all SIL2 tags before beginning
normal operation for the project.
• Users cannot force SIL2 tags while a project is in the Run mode.
Chapter 10 Use and Application of Human to Machine Interfaces
No specific device is part of the certification because the variety of
devices is so large, ranging from simple thumb-wheel and LED
readouts to PC/CRT-based human to machine interface (HMI) devices
on a variety of networks. The range and breadth of these devices is
similar to that of sensors and actuators; it would be impractical to
impose device restrictions.
Using Precautions and Techniques with HMI
However, users must exercise the same precautions and techniques
on HMI devices as on simple devices such as sensor and switch
inputs. The precautions include, but are not restricted to:
• Limited access and security
• Specifications, testing and validation
• Restrictions on data and access
• Limits on data and parameters
For more information on how HMI devices fit into a typical SIL loop,
see Figure 1.2 on page 1-4.
Sound techniques should be used in either the application software
within the HMI or PLC in safety-related systems and non-safety-related
systems.
Accessing Safety-Related Systems
Normally, when accessing the safety-related system, the HMI should
be restricted to read data and information such as diagnostics. The
user should use techniques to limit access to only those sections of
memory that are appropriate. For more information, see Figure 1.2 on
page 1-4.
If parameters in safety-related system require a change from an HMI,
users should follow the guidelines indicated in the next section.
Changing Parameters in Safety-Related Systems
A parameter change in a safety-related loop via an external (that is,
outside the safety loop) device (for example, an HMI) is only allowed
with the following restrictions:
• Only authorized, specially-trained personnel can change the
parameters in safety-related systems via HMIs.
• The user who makes changes in a safety-related system via an
HMI is responsible for the effect of those changes on the
safety loop.
• Users must clearly identify the variables that are to be changed as
under the control of the ControlLogix controller inside the
safety loop.
• Users must use a clear, comprehensive and explicit operator
procedure to make safety-related changes via an HMI.
• Changes can only be accepted in a safety-related system if the
following sequence of events occurs:
a. Changes are sent from the HMI to the ControlLogix controller
in the safety loop.
b. The ControlLogix controller in the safety loop sends the
changes back to the HMI before accepting the changes or
acting on them.
c. The user verifies that the changes are correct.
In every case, the operator must confirm the validity of the
change before they are accepted and applied in the safety loop.
• The software used in the HMI and the ControlLogix controller
(in this case, RSLogix 5000) should be designed to verify that
changes to the safety system are within acceptable limits and do
not otherwise compromise the safety system.
• The user should test all changes as part of the safety validation
procedure.
• Users must sufficiently document all safety-related changes
made via HMI, including:
– authorization
– impact analysis
– execution
– test information
– revision information
• Changes to the safety-related system must comply with the IEC
61511 standard on process safety, section 11.7.1, Operator
Interface requirements.
Changing Parameters in Non-Safety-Related Systems
When the HMI device is used to change parameters in a
non-safety-related system, remember the following techniques:
• When the HMI is used to input parameters such as setpoints for
a PID loop or drive speeds, the application program should
include sound techniques used for other types of change
validation, including:
– Display the data to be changed
– Acceptable ranges and limits used in the program for data
checks (in other words, checks to make sure entered data is
within an acceptable range)
– Display the new value along with the existing value
– Prompt the operator to acknowledge and accept the changed
value before allowing the change to take effect
• The developer must follow the same sound development
techniques and procedures used for other application software
development, including the verification and testing of the
operator interface and its access to other parts of the program.
The PLC application software should set up a table that is
accessible by the HMI and limits access to required data points
only.
• Similar to the PLC program, the HMI software needs to be
secured and maintained for SIL2 compliance after the system has
been validated and tested.
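The send, read-back, verify, then apply sequence required for safety-related parameter changes (page 10-2), together with the range check and the limited-access data table recommended for non-safety-related changes (page 10-3), combined in one added Python model; this is example code, not part of the manual or of any Rockwell product, and the tag names, limits, user names and the token scheme are constructed for illustration:

```python
# Added example, not part of the manual or of any Rockwell product: a model
# of the HMI -> controller -> HMI read-back sequence for parameter changes,
# with the range checks and the limited-access table of the non-safety
# section. Tag names, limits, user names and the token scheme are
# constructed; a real implementation lives in the controller and HMI
# application software.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Parameter:
    value: float
    low: float     # acceptable range used for the data check
    high: float


@dataclass
class ChangeRecord:
    """Record kept for every attempted change (authorization, execution)."""
    parameter: str
    old: float
    new: float
    user: str
    outcome: str


class SafetyLoopController:
    """Controller side of the HMI handshake.

    Only tags in `exposed` can be reached from the HMI (the access table of
    page 10-3); everything else is refused without revealing its value.
    """

    def __init__(self, exposed: Dict[str, Parameter], authorized_users):
        self._params = exposed
        self._authorized = frozenset(authorized_users)
        # token -> (tag, proposed value, requesting user); constructed scheme
        self._pending: Dict[int, Tuple[str, float, str]] = {}
        self._next_token = 1
        self.log: List[ChangeRecord] = []

    def read(self, tag: str) -> Optional[float]:
        """Normal HMI access is read-only and limited to exposed tags."""
        p = self._params.get(tag)
        return None if p is None else p.value

    def request_change(self, user: str, tag: str, proposed: float) -> dict:
        """Step a: the HMI sends a change. Nothing is applied here; the
        controller validates it and echoes current and proposed values
        back to the HMI (step b) for display to the operator."""
        p = self._params.get(tag)
        if p is None:
            return {"accepted": False, "reason": "tag not accessible from HMI"}
        if user not in self._authorized:
            self._record(tag, p.value, proposed, user, "rejected: not authorized")
            return {"accepted": False, "reason": "user not authorized"}
        if not (p.low <= proposed <= p.high):
            self._record(tag, p.value, proposed, user, "rejected: out of range")
            return {"accepted": False,
                    "reason": f"value outside [{p.low}, {p.high}]"}
        token = self._next_token
        self._next_token += 1
        self._pending[token] = (tag, proposed, user)
        # Echo: the HMI must show both values so the operator can verify.
        return {"accepted": True, "token": token, "tag": tag,
                "current": p.value, "proposed": proposed}

    def confirm(self, user: str, token: int, verified_value: float) -> bool:
        """Step c: the operator confirms the echoed value. The change is
        applied only if the same user confirms exactly the echoed value;
        a token is single-use, so a stale confirmation cannot re-apply."""
        pending = self._pending.pop(token, None)
        if pending is None:
            return False
        tag, proposed, requester = pending
        p = self._params[tag]
        if user != requester or verified_value != proposed:
            self._record(tag, p.value, proposed, user,
                         "rejected: verification mismatch")
            return False
        old = p.value
        p.value = proposed
        self._record(tag, old, proposed, user, "applied")
        return True

    def _record(self, tag, old, new, user, outcome):
        self.log.append(ChangeRecord(tag, old, new, user, outcome))
```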
Appendix A Response Times in ControlLogix
The following calculation methods provide the user with the
worst-case reaction times for a given change in input or fault
condition and the corresponding output action.
Digital Modules
Local Chassis Configuration
Figure A.1 shows an example system where the following occurs:
• input data changes on the digital input module
• the data is transmitted to the controller
• the controller runs its program scan and reacts to the data
change, including sending new data to the output module
• the output module behavior changes based on the new data
received from the controller
Figure A.1 (diagram: Digital Input Module → Controller → Digital Output Module)
Use the following formula to determine worst-case reaction time:
Worst-Case Reaction Time = Input Module Filter Setting(1) + Input Module Hardware Delay(2)
    + Input Module RPI(1) + Controller Program Scan(3)
    + Output Module Hardware Delay(2)
(1) This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.
(2) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For a complete list of installation instructions, see Table 1.1 on page 1-8.
(3) This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see the Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.
EXAMPLE: a system may reflect the set-up used in
Figure A.1 with a 1756-IB16D and 1756-OB16D and the
following settings:
• Input Module Filter Setting = 1ms
• Input Module Hardware Delay = 1ms
• Input RPI = 2ms
• Program Scan = 20ms
• Output Module Hardware Delay = 1ms
In this example, the worst-case reaction time = 25ms
Remote Chassis Configuration
Figure A.2 shows an example system where the following occurs:
• input data changes on the digital input module
• the data is transmitted to the controller via the 1756-CNB
modules
• the controller runs its program scan and reacts to the data
change, including sending new data to the output module via
the 1756-CNB modules
• the output module behavior changes based on the new data
received from the controller
Figure A.2 (diagram: Digital Input Module → ControlNet Bridge Module → Controller → ControlNet Bridge Module → Digital Output Module)
Use the following formula to determine worst-case reaction time:
Worst-Case Reaction Time = Input Module Filter Setting(1) + Input Module Hardware Delay(2)
    + Input Module RPI(1) + Remote 1756-CNB RPI + Controller Program Scan(3)
    + Remote 1756-CNB RPI + Output Module Hardware Delay(2)
(1) This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.
(2) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For a complete list of installation instructions, see Table 1.1 on page 1-8.
(3) This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see the Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.
Analog Modules
Local Chassis Configuration
Figure A.3 shows an example system where the following occurs:
• input data changes on the analog input module
• the data is transmitted to the controller
• the controller runs its program scan and reacts to the data
change, including sending new data to the output module
• the output module behavior changes based on the new data
received from the controller
Figure A.3 (diagram: Analog Input Module → Controller → Analog Output Module)
Use the following formula to determine worst-case reaction time:
Worst-Case Reaction Time = Input Module Filter Setting(1) + Input Module Real Time Sample (RTS) rate(1)
    + Controller Program Scan(2) + Output Module RPI(1)
    + Output Module Hardware Delay(3)
(1) This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.
(2) This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see the Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.
(3) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For a complete list of installation instructions, see Table 1.1 on page 1-8.
Remote Chassis Configuration
Figure A.2 shows an example system where the following occurs:
• input data changes on the analog input module
• the data is transmitted to the controller via the 1756-CNB
modules
• the controller runs its program scan and reacts to the data
change, including sending new data to the output module via
the 1756-CNB modules
• the output module behavior changes based on the new data
received from the controller
Figure A.4 (diagram: Analog Input Module → ControlNet Bridge Module → Controller → ControlNet Bridge Module → Analog Output Module)
Use the following formula to determine worst-case reaction time:
Worst-Case Reaction Time = Input Module Filter Setting(1) + Input Module Real Time Sample (RTS) rate(1)
    + Remote 1756-CNB RPI(1) + Controller Program Scan(2) + Output Module RPI(1)
    + Remote 1756-CNB RPI(1) + Output Module Hardware Delay(3)
(1) This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.
(2) This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see the Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.
(3) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For a complete list of installation instructions, see Table 1.1 on page 1-8.
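The four worst-case reaction time formulas of this appendix (digital and analog, local and remote chassis) as one added calculator; this is example code, not from the manual, it reproduces the manual's 25 ms local digital example, and it takes from the remote formulas the fact that the 1756-CNB RPI is counted once on the input path and once on the output path:

```python
# Added example, not from the manual: the four worst-case reaction time
# formulas of Appendix A (digital/analog, local/remote chassis) as one
# calculator. All values are in milliseconds and must be taken from the
# module documentation and the RSLogix 5000 project; the numbers used in
# the demonstration are the manual's own 1756-IB16D/1756-OB16D example.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ChainTimings:
    input_filter: float               # Input Module Filter Setting (user-defined)
    program_scan: float               # Controller Program Scan (sum of instruction times)
    output_hw_delay: float            # Output Module Hardware Delay (module-dependent)
    input_hw_delay: float = 0.0       # Input Module Hardware Delay (digital only)
    input_rpi: float = 0.0            # Input Module RPI (digital only)
    input_rts: float = 0.0            # Input Module Real Time Sample rate (analog only)
    output_rpi: float = 0.0           # Output Module RPI (analog only)
    cnb_rpi: Optional[float] = None   # Remote 1756-CNB RPI; None for a local chassis


def reaction_time_terms(t: ChainTimings, analog: bool) -> Dict[str, float]:
    """Return each term of the applicable formula, keyed by its name and in
    formula order.

    Keeping the terms separate lets the figure be documented in the
    safety file together with the source of every value.
    """
    terms: Dict[str, float] = {"Input Module Filter Setting": t.input_filter}
    if analog:
        if t.input_rts <= 0 or t.output_rpi <= 0:
            raise ValueError("analog chain needs input RTS rate and output RPI")
        terms["Input Module RTS rate"] = t.input_rts
    else:
        if t.input_rpi <= 0:
            raise ValueError("digital chain needs the input module RPI")
        terms["Input Module Hardware Delay"] = t.input_hw_delay
        terms["Input Module RPI"] = t.input_rpi
    if t.cnb_rpi is not None:
        # The ControlNet bridge RPI appears twice in the remote formulas:
        # input chassis -> controller and controller -> output chassis.
        terms["Remote 1756-CNB RPI (inbound)"] = t.cnb_rpi
    terms["Controller Program Scan"] = t.program_scan
    if analog:
        terms["Output Module RPI"] = t.output_rpi
    if t.cnb_rpi is not None:
        terms["Remote 1756-CNB RPI (outbound)"] = t.cnb_rpi
    terms["Output Module Hardware Delay"] = t.output_hw_delay
    return terms


def worst_case_reaction_time(t: ChainTimings, analog: bool) -> float:
    """Sum of the terms: the worst-case input-to-output reaction time."""
    return sum(reaction_time_terms(t, analog).values())


if __name__ == "__main__":
    # The manual's local digital example: 1 + 1 + 2 + 20 + 1 = 25 ms.
    local_digital = ChainTimings(input_filter=1, input_hw_delay=1, input_rpi=2,
                                 program_scan=20, output_hw_delay=1)
    for name, value in reaction_time_terms(local_digital, analog=False).items():
        print(f"{name:35s} {value:6.1f} ms")
    print("worst case:", worst_case_reaction_time(local_digital, analog=False), "ms")
```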
Redundancy Systems
The response time of a system that uses redundancy is different from
a system that does not use redundancy. The redundancy system has a
longer response time because:
• The primary controller must keep the secondary up-to-date and
ready to take over control in case of a switchover. This process
of cross-loading fresh data at the end of each program scan
increases scan time.
You can plan your project effectively (e.g., minimize the use of
SINT or INT tags, use arrays and user-defined data types) to
minimize the scan time in a redundancy system. Generally, the
primary controller in a redundancy system has a 20% slower
response time than the controller in a non-redundancy system.
• The switchover between controllers slows system response. The
switchover time of a redundancy system depends on the
network update time (NUT) of the ControlNet network. To
estimate the switchover time, use the following formulas:
For this type of failure: | If the NUT is: | The switchover time is: | Example:
loss of power | <6 | 60 ms | For a NUT of 4 ms, the switchover time is approximately 60 ms.
loss of power | >7 | 5 (NUT) + MAX (2[NUT], 30) | For a NUT of 10 ms, the switchover time is approximately 80 ms.
module failure –or– 1756-CNB module cannot communicate with any other node | | 14 (NUT) + MAX (2[NUT], 30) + 50 | For a NUT of 10 ms, the switchover time is approximately 220 ms.
For more information on response times in ControlLogix redundancy
systems and ControlLogix redundancy systems in general, see the
ControlLogix Redundancy System user manual, publication
1756-UM523.
Appendix B
System Self-Testing and User-Programmed Responses
This chapter explains self-testing in a ControlLogix system and points
to more information about user-programmed responses.
Validation Tests
Validation tests are performed at every proof test interval.
• Manually Cycle Inputs to ensure that all inputs are operational
and not stuck in the ON state
• Manually Pulse Test outputs which do not support runtime Pulse
Testing. The relays in the Redundant Power Supplies must
be tested to ensure they are not stuck in the Closed state.
Users can automatically perform proof tests by switching ground open on input modules and checking to make sure all input points go to zero (turn OFF).
All system components which do not have runtime diagnostics must
be tested as part of the System Initialization Tests.
System Self Tests
The SIL2-certified ControlLogix system is designed to automatically
shut down in the event of a failure or fault. The following information
provides details on how to program and configure routines to monitor
diagnostic and system status.
Reaction to Faults
For more information on how to configure a ControlLogix system to identify and handle faults, including such tasks as:
• Developing a Fault Routine
• Creating a User-Defined Major Fault
• Monitoring Minor Faults
• Developing a Power-Up Routine
see the Logix5000 Controllers Common Procedures Programming Manual, publication 1756-PM001.
Appendix C
Additional Information on Handling Faults in the ControlLogix System
This appendix describes the ways that faults are reported to the
controller.
Introduction
The ControlLogix architecture provides the user many ways of
detecting and reacting to faults in the system. Various device objects
can be interrogated to determine the current operating status.
Additionally, modules provide run-time status of their operation and
of the process.
• For information on how to use specific instructions to get and
set controller system data stored in device objects, see the
Logix5000 Controllers General Instructions Reference Manual,
publication 1756-RM003.
• For information on controller fault codes, including major and
minor codes, see the Logix5000 Controllers Common Procedures
Programming Manual, publication 1756-PM001.
• For information on accessing modules’ run-time operational and
process status, see the ControlLogix Analog I/O Modules User
Manual, publication 1756-UM009, and the ControlLogix Digital
I/O Modules User Manual, publication 1756-UM058.
Appendix D
Spurious Failure Estimates
Introduction
Table D.1 lists the spurious failure estimates for the ControlLogix
products included in this manual. These rates are based on field
return data. Therefore, new products are not included.
Table D.1 Spurious Failure Estimates for ControlLogix Products

| Catalog Number | Description | MTBF (Spurious)(1) | λ (Spurious)(2) |
|---|---|---|---|
| 1756-Axx | ControlLogix Chassis | 3,606,181 (Average) | 2.77E-07 |
| 1756-CNB/D | ControlNet Bridge | 1,237,510 | 8.08E-07 |
| 1756-CNB/E | ControlNet Bridge | NA | NA |
| 1756-CNBR/D | Redundant ControlNet Bridge | 518,555 | 1.93E-06 |
| 1756-CNBR/E | Redundant ControlNet Bridge | NA | NA |
| 1756-DHRIO | Data Highway Plus - Remote I/O Communication Interface Module | 2,217,577 | 4.51E-07 |
| 1756-ENBT | EtherNet Bridge | 595,693 | 1.68E-06 |
| 1756-IA16I | Isolated AC Input | 5,327,736 | 1.88E-07 |
| 1756-IA8D | AC Diagnostic Input | 8,008,000 | 1.25E-07 |
| 1756-IB16D | DC Diagnostic Input | 7,666,418 | 1.30E-07 |
| 1756-IB16I | DC Isolated Input | 5,988,800 | 1.67E-07 |
| 1756-IB16ISOE | Sequence of Events Module | NA | NA |
| 1756-IB32 | DC Input Module | 655,718 | 1.53E-06 |
| 1756-IF16 | Single-ended Analog Input Module | 817,519 | 1.22E-06 |
| 1756-IF6CIS | Isolated Sourcing Analog Input Module | NA | NA |
| 1756-IF6I | Isolated Analog Input Module | 1,196,579 | 8.36E-07 |
| 1756-IF8 | Analog Input | 799,305 | 1.25E-06 |
| 1756-IH16ISOE | Sequence of Events Module | NA | NA |
| 1756-IR6I | RTD Input | 929,356 | 1.08E-06 |
| 1756-IT6I | Thermocouple Input | 447,577 | 2.23E-06 |
| 1756-IT6I2 | Enhanced Thermocouple Input Module | 133,328 | 7.50E-06 |
| 1756-L55M13 | ControlLogix 1.5Mb Controller | 747,397 | 1.34E-06 |
| 1756-L55M16 | L55 Controller w 7.5Mb Memory | 717,600 | 1.39E-06 |
| 1756-L61 | ControlLogix 2 Mb Controller | NA | NA |
| 1756-L62 | ControlLogix 4 Mb Controller | NA | NA |
| 1756-L63 | ControlLogix 8 Mb Controller | NA | NA |
| 1756-OA16I | AC Isolated Input | 2,985,566 | 3.35E-07 |
| 1756-OA8D | AC Diagnostic Input | 6,269,120 | 1.60E-07 |
| 1756-OB16D | DC Diagnostic Output | 3,910,004 | 2.56E-07 |
| 1756-OB16I | DC Isolated Output | 1,283,270 | 7.79E-07 |
| 1756-OB32 | DC Output Module | 653,788 | 1.53E-06 |
| 1756-OB8EI | DC Fused Output | 4,804,800 | 2.08E-07 |
| 1756-OF6CI | Isolated Analog Output Module (Current) | 2,593,882 | 3.86E-07 |
| 1756-OF6VI | Isolated Analog Output Module (Voltage) | 4,461,184 | 2.24E-07 |
| 1756-OF8 | Analog Output | 2,600,446 | 3.85E-07 |
| 1756-OW16I | Isolated Relay Output Module | 1,728,990 | 5.78E-07 |
| 1756-OX8I | Contact Output | 3,672,760 | 2.72E-07 |
| 1756-PA75/A | AC Power Supply | 3,061,337 | 3.27E-07 |
| 1756-PA75/B | AC Power Supply | NA | NA |
| 1756-PA75R | AC Redundant PS | 180,528 | 5.54E-06 |
| 1756-PB75/A | DC Power Supply | 1,984,000 | 5.04E-07 |
| 1756-PB75/B | DC Power Supply | NA | NA |
| 1756-PB75R | DC Redundant PS | 818,688 | 1.22E-06 |
| 1756-PC75 | DC Power supply | NA | NA |
| 1756-PH75 | DC Power supply | NA | NA |
| 1756-PSCA | Power Sup Chassis Adapter | 7,425,600 | 1.35E-07 |
| 1756-PSCA2 | Redundant Power Supply Chassis Adapter Module | 4,534,400 | 2.21E-07 |
| 1756-SYNCH | SynchLink Module | 2,816,320 | 3.55E-07 |
| 1757-SRM | System Redundancy Module | 315,817 | 3.17E-06 |

(1) MTBF (Spurious) = (Installed base one year ago X 4160) / Number of "No Problem Found" failures in the past 12 months (in hours). NOTE: If no "No Problem Found" failures are recorded, one (1) is assumed.
(2) λ (Spurious) = 1 / MTBF (Spurious)
NA - Sufficient field data is not available
Appendix E
Sample Probability of Failure on Demand (PFD) Calculations
Proof Test Interval = 5 Years
Table E.1 shows PFD calculations for a proof test interval of 5 years.
Table E.1 ControlLogix Product Probability of Failure on Demand Calculations – Proof Test Interval of 5 Years

| Catalog Number | Description | Mean Time Between Failure (MTBF)(1) | λ(5) | Calculated PFD: 1oo1 architecture | Calculated PFD: 1oo2 architecture |
|---|---|---|---|---|---|
| 1756-Axx | ControlLogix Chassis | 36,322,045(2) (aggregate) | 2.75E-08 | 3.03E-05 | 2.43E-06 |
| 1756-CNB/D | ControlNet Bridge - Series D | 5,595,646 | 1.79E-07 | 1.97E-04 | 1.65E-05 |
| 1756-CNB/E | ControlNet Bridge - Series E | 2,944,988(3) | 3.40E-07 | 3.74E-04 | 3.26E-05 |
| 1756-CNBR/D | Redundant ControlNet Bridge Series D | 3,109,957 | 3.22E-07 | 3.54E-04 | 3.08E-05 |
| 1756-CNBR/E | Redundant ControlNet Bridge Series E | 2,864,755(3) | 3.49E-07 | 3.84E-04 | 3.36E-05 |
| 1756-IA16I | Isolated AC Input | 15,262,520 | 6.55E-08 | 7.21E-05 | 5.85E-06 |
| 1756-IA8D | AC Diagnostic Input | 10,383,360 | 9.63E-08 | 1.06E-04 | 8.67E-06 |
| 1756-IB16D | DC Diagnostic Input | 41,300,480 | 2.42E-08 | 2.66E-05 | 2.14E-06 |
| 1756-IB16I | DC Isolated Input | 19,862,336 | 5.03E-08 | 5.54E-05 | 4.48E-06 |
| 1756-IB16ISOE | Sequence of Events | 4,959,088(3) | 2.02E-07 | 2.22E-04 | 1.87E-05 |
| 1756-IB32 | DC Input Module | 2,468,448 | 4.05E-07 | 4.46E-04 | 3.96E-05 |
| 1756-IF8 | Analog Input | 2,235,008 | 4.47E-07 | 4.92E-04 | 4.42E-05 |
| 1756-IF16 | Isolated Analog Input | 2,094,159 | 4.78E-07 | 5.25E-04 | 4.75E-05 |
| 1756-IF6CIS | Isolated Sourcing Analog Input | 3,065,920 | 3.26E-07 | 3.59E-04 | 3.12E-05 |
| 1756-IF6I | Isolated Analog Input | 2,838,451 | 3.52E-07 | 3.88E-04 | 3.40E-05 |
| 1756-IH16ISOE | Sequence of Events | 6,044,122 | 1.65E-07 | 1.82E-04 | 1.52E-05 |
| 1756-IR6I | RTD Input | 3,826,296 | 2.61E-07 | 2.87E-04 | 2.46E-05 |
| 1756-IT6I | Thermocouple Input | 3,002,035 | 3.33E-07 | 3.66E-04 | 3.20E-05 |
| 1756-IT6I2 | Enhanced thermocouple Input | 991,929 | 1.01E-06 | 1.11E-03 | 1.14E-04 |
| 1756-L55M13 | L55 Controller w 1.5Mb Mem | 2,228,750 | 4.49E-07 | 4.94E-04 | 4.43E-05 |
| 1756-L55M16 | L55 Controller w 7.5Mb Mem | 1,644,933 | 6.08E-07 | 6.69E-04 | 6.25E-05 |
| 1756-L61 | ControlLogix 2 Mb Controller | 815,822 | 1.23E-06 | 1.35E-03 | 1.45E-04 |
| 1756-L62 | ControlLogix 4 Mb Controller | 576,992 | 1.73E-06 | 1.91E-03 | 2.27E-04 |
| 1756-L63 | ControlLogix 8 Mb Controller | 782,912 | 1.28E-06 | 1.41E-03 | 1.53E-04 |
| 1756-OA16I | AC Isolated Input | 10,911,086 | 9.16E-08 | 1.01E-04 | 8.24E-06 |
| 1756-OA8D | AC Diagnostic Input | 6,922,240 | 1.44E-07 | 1.59E-04 | 1.32E-05 |
| 1756-OB16D | DC Diagnostic Output | 14,321,691 | 6.98E-08 | 7.68E-05 | 6.24E-06 |
| 1756-OB16I | DC Isolated Output | 2,371,445 | 4.22E-07 | 4.64E-04 | 4.14E-05 |
| 1756-OB32 | DC Output Module | 1,278,125 | 7.82E-07 | 8.61E-04 | 8.38E-05 |
| 1756-OB8EI | DC Fused Output | 5,853,120 | 1.71E-07 | 1.88E-04 | 1.57E-05 |
| 1756-OF6CI | Isolated analog input | 9,296,907 | 1.08E-07 | 1.18E-04 | 9.72E-06 |
| 1756-OF6VI | Isolated Analog Output | 13,062,400 | 7.66E-08 | 8.42E-05 | 6.86E-06 |
| 1756-OF8 | Analog Output | 5,717,675 | 1.75E-07 | 1.92E-04 | 1.61E-05 |
| 1756-OW16I | Isolated Relay Output Module | 1,360,415(3) | 7.35E-07 | 8.09E-04 | 7.79E-05 |
| 1756-OX8I | Contact Output | 19,281,600 | 5.19E-08 | 5.70E-05 | 4.61E-06 |
| 1756-PA75/A | AC Power Supply | 14,538,606 | 6.88E-08 | 7.57E-05 | 6.15E-06 |
| 1756-PA75/B | AC Power Supply | 5,513,591(3) | 1.81E-07 | 2.00E-04 | 1.67E-05 |
| 1756-PA75R | AC Redundant Power Supply | 296,978(4) | 3.37E-06 | 3.70E-03 | 5.77E-04 |
| 1756-PB75/A | DC Power Supply | 10,157,334 | 9.85E-08 | 1.08E-04 | 8.87E-06 |
| 1756-PB75/B | DC Power Supply | 5,884,430(3) | 1.70E-07 | 1.87E-04 | 1.56E-05 |
| 1756-PB75R | DC Redundant Power Supply | 1,134,848(4) | 8.81E-07 | 9.69E-04 | 9.66E-05 |
| 1756-PC75 | DC Power Supply | 5,894,836 | 1.70E-07 | 1.87E-04 | 1.56E-05 |
| 1756-PH75 | DC Power Supply | 5,889,628(3) | 1.70E-07 | 1.87E-04 | 1.56E-05 |
| 1756-PSCA | Power Supply Chassis Adapter | 45,146,727(3) | 2.21E-08 | 2.44E-05 | 1.95E-06 |
| 1756-PSCA2 | Redundant Power supply adapter | 45,146,727(3) | 2.21E-08 | 2.44E-05 | 1.95E-06 |
| 1757-SRM | System Redundancy Module | 835,357 | 1.20E-06 | 1.32E-03 | 1.41E-04 |

(1) MTBF measured in hours. The values used here represent values available in September 2006.
(2) Aggregate based on total shipments and total returns of all five chassis (1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17) collectively.
(3) Calculated using field-based values for components.
(4) Assumes that both power supplies fail simultaneously.
(5) λ = Failure Rate = 1/MTBF
Table E.2 shows an example of a PFD calculation for a safety loop
involving two DC input modules used in a 1oo2 configuration and a
DC output module using a proof test interval of 5 years.
Table E.2

| Catalog Number: | Description: | MTBF: | Calculated PFD: |
|---|---|---|---|
| 1756-Axx | ControlLogix Chassis | 36,322,045 (aggregate) | 3.03E-05 |
| 1756-L55M16 | ControlLogix 5555 Controller | 1,644,933 | 6.69E-04 |
| 1756-OB16D | DC Output | 14,321,691 | 7.68E-05 |
| 1756-IB16D | DC Diagnostic Input | 41,300,480 | 2.14E-07 |

Total PFD calculation for a safety loop consisting of these products: 7.78E-04
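The footnote formulas of Tables D.1 and E.1 and the loop sum of Table E.2, as an added Python example that is not Rockwell's code; the function names, the LoopComponent type and the sample installed-base figures are this example's own. It reproduces the printed loop total of 7.78E-04 when the 1oo2 input pair carries the 1oo2 PFD that Table E.1 lists for the 1756-IB16D, 2.14E-06.

```python
"""Failure-rate and loop-PFD arithmetic from Appendices D and E.

Added example, not Rockwell's code. The formulas are exactly the printed
footnotes: MTBF (Spurious) = (installed base one year ago x 4160) / number
of "No Problem Found" failures in the past 12 months, with one failure
assumed when none were recorded; lambda = 1/MTBF; and the loop PFD of
Table E.2, the sum of the per-product PFD values. The per-product PFD
figures are read from Tables E.1/E.2; no formula deriving them from lambda
is given in these appendices, so none is claimed here.
"""
from __future__ import annotations

from dataclasses import dataclass

HOURS_PER_INSTALLED_UNIT_YEAR = 4160  # constant of Table D.1, footnote (1)


def spurious_mtbf_hours(installed_base_one_year_ago: int, npf_failures_12mo: int) -> float:
    """MTBF (Spurious) per Table D.1 footnote (1).

    A zero count of "No Problem Found" returns would make the MTBF
    infinite, so the footnote's rule applies: one failure is assumed.
    """
    if installed_base_one_year_ago <= 0:
        raise ValueError("installed base must be positive")
    if npf_failures_12mo < 0:
        raise ValueError("failure count cannot be negative")
    failures = max(npf_failures_12mo, 1)
    return installed_base_one_year_ago * HOURS_PER_INSTALLED_UNIT_YEAR / failures


def failure_rate(mtbf_hours: float) -> float:
    """lambda = 1 / MTBF, per footnote (5) of Tables E.1, F.2 and F.3."""
    if mtbf_hours <= 0:
        raise ValueError("MTBF must be positive")
    return 1.0 / mtbf_hours


def fmt(x: float) -> str:
    """Format as the tables do: three significant digits in E notation."""
    return f"{x:.2E}"


@dataclass(frozen=True)
class LoopComponent:
    catalog: str
    architecture: str  # "1oo1" or "1oo2", the two PFD columns of Table E.1
    pfd: float         # PFD read from Table E.1 for that architecture


def loop_pfd(components: list[LoopComponent]) -> float:
    """Total PFD of a safety loop: the sum of its products' PFD, as in Table E.2."""
    for c in components:
        if c.architecture not in ("1oo1", "1oo2"):
            raise ValueError(f"{c.catalog}: unknown architecture {c.architecture}")
        if not 0.0 <= c.pfd <= 1.0:
            raise ValueError(f"{c.catalog}: PFD {c.pfd} is not a probability")
    return sum(c.pfd for c in components)


# The Table E.2 loop: chassis, L55M16 controller, OB16D output and a 1oo2
# pair of IB16D inputs, all at a 5-year proof test interval. The first three
# values are the 1oo1 column of Table E.1; the input pair uses the 1oo2
# column of Table E.1 (2.14E-06), the value that reproduces the printed
# total of 7.78E-04.
TABLE_E2_LOOP = [
    LoopComponent("1756-Axx", "1oo1", 3.03e-05),
    LoopComponent("1756-L55M16", "1oo1", 6.69e-04),
    LoopComponent("1756-OB16D", "1oo1", 7.68e-05),
    LoopComponent("1756-IB16D", "1oo2", 2.14e-06),
]


def table_e2_total() -> str:
    """Reproduce the Table E.2 total PFD; returns the formatted value."""
    return fmt(loop_pfd(TABLE_E2_LOOP))


if __name__ == "__main__":
    # Table D.1 check: 1/1,237,510 h gives the printed 8.08E-07 for 1756-CNB/D.
    print("1756-CNB/D lambda:", fmt(failure_rate(1_237_510)))
    # Constructed sample: 1,000 units installed a year ago, no NPF returns.
    print("sample spurious MTBF (h):", spurious_mtbf_hours(1_000, 0))
    print("Table E.2 loop PFD:", table_e2_total())
```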
Appendix F
Using ControlLogix in SIL1 Applications
When using ControlLogix products in a SIL1 application, you must use
the products as described in this manual, including following all test
guidelines listed. For example, perform pulse testing on diagnostic
output modules as described in Chapter 6.
This appendix describes changes in the system hardware
requirements for SIL1 certification.
It is assumed that the following conditions exist in SIL1 applications:
• Modules operate in low demand applications
• Hardware Fault Tolerance (HFT) = 0
• Safe Failure Fraction (SFF) is > 60% and < 90%
• Probability of Failure on Demand (PFD) must be > 10^-2 and < 10^-1
Additional Considerations
Table F.1 lists additional considerations that must be made with
various ControlLogix modules in a SIL1 application.
Table F.1

| Module type: | Additional considerations: |
|---|---|
| Controllers | None. Use the controller exactly as described previously in this manual. |
| ControlNet modules | None. Use the modules exactly as described previously in this manual. |
| Data Highway Plus and Ethernet modules | None. Use the modules exactly as described previously in this manual. |
| Digital output modules(1) | Diagnostic output modules are recommended in a SIL1 application. Implement a secondary shutdown path if the SIL1 application requires a fail-safe OFF in the event of a shorted output. |
| Digital input modules(2) | Only 1 module is required in a SIL1 application. Periodic tests of the inputs should be performed as described previously in this manual. |
| Analog output modules(1) | Analog output modules should be wired as described previously in this manual. |
| Analog input modules(2) | Only 1 module is required in a SIL1 application. Periodic tests of the inputs should be performed as described previously in this manual. |

(1) The user should be alerted to any detected output failures.
(2) The test interval of module inputs must be specified according to application-dependent standards. For example, according to EN50156, the time for fault detection and tripping must be less than or equal to the fault tolerance time.
Probability of Failure on Demand Calculations in a SIL1 Application
Table F.2 lists the PFD calculations for ControlLogix products in a
SIL1-certified system. These calculations use a Proof Test Interval =
1 year.
Table F.2 ControlLogix Product Probability of Failure on Demand (PFD) Calculations

| Catalog Number | Description | Mean Time Between Failure (MTBF)(1) | λ(5) | Calculated PFD in a 1oo1 architecture: |
|---|---|---|---|---|
| 1756-Axx | ControlLogix Chassis | 36,322,045(2) (aggregate) | 2.75E-08 | 6.17E-06 |
| 1756-CNB/D | ControlNet Bridge - Series D | 5,595,646 | 1.79E-07 | 4.00E-05 |
| 1756-CNB/E | ControlNet Bridge Series E | 2,944,988(3) | 3.40E-07 | 7.61E-05 |
| 1756-CNBR/D | Redundant ControlNet Bridge - Series D | 3,109,957 | 3.22E-07 | 7.20E-05 |
| 1756-CNBR/E | Redundant ControlNet Bridge - Series E | 2,864,755(3) | 3.49E-07 | 7.82E-05 |
| 1756-IA16I | AC Isolated Input | 15,262,520 | 6.55E-08 | 1.47E-05 |
| 1756-IA8D | AC Diagnostic Input | 10,383,360 | 9.63E-08 | 2.16E-05 |
| 1756-IB16D | DC Diagnostic Input | 41,300,480 | 2.42E-08 | 5.42E-06 |
| 1756-IB16I | DC Isolated Input | 19,862,336 | 5.03E-08 | 1.13E-05 |
| 1756-IB16ISOE | Sequence of Events Module | 4,959,088(3) | 2.02E-07 | 4.52E-05 |
| 1756-IB32 | DC Input Module | 2,468,448 | 4.05E-07 | 9.07E-05 |
| 1756-IF16 | Single-ended Analog Input Module | 2,094,159 | 4.78E-07 | 1.07E-04 |
| 1756-IF6CIS | Isolated Sourcing Analog Input Module | 3,065,920 | 3.26E-07 | 7.31E-05 |
| 1756-IF6I | Isolated Analog Input Module | 2,838,451 | 3.52E-07 | 7.89E-05 |
| 1756-IF8 | Analog Input | 2,235,008 | 4.47E-07 | 1.00E-04 |
| 1756-IH16ISOE | Sequence of Events Module | 6,044,122 | 1.65E-07 | 3.71E-05 |
| 1756-IR6I | RTD Input | 3,826,296 | 2.61E-07 | 5.85E-05 |
| 1756-IT6I | Thermocouple Input | 3,002,035 | 3.33E-07 | 7.46E-05 |
| 1756-IT6I2 | Enhanced Thermocouple Input Module | 991,929 | 1.01E-06 | 2.26E-04 |
| 1756-L55M13 | ControlLogix 1.5Mb Controller | 2,228,750 | 4.49E-07 | 1.01E-04 |
| 1756-L55M16 | ControlLogix 7.5Mb Controller | 1,644,933 | 6.08E-07 | 1.36E-04 |
| 1756-L61 | ControlLogix 2 Mb Controller | 815,822 | 1.23E-06 | 2.75E-04 |
| 1756-L62 | ControlLogix 4 Mb Controller | 576,992 | 1.73E-06 | 3.88E-04 |
| 1756-L63 | ControlLogix 8 Mb Controller | 782,912 | 1.28E-06 | 2.86E-04 |
| 1756-OA16I | AC Isolated Output | 10,911,086 | 9.16E-08 | 2.05E-05 |
| 1756-OA8D | AC Diagnostic Output | 6,922,240 | 1.44E-07 | 3.24E-05 |
| 1756-OB16D | DC Diagnostic Output | 14,321,691 | 6.98E-08 | 1.56E-05 |
| 1756-OB16I | DC Isolated Output | 2,371,445 | 4.22E-07 | 9.45E-05 |
| 1756-OB32 | DC Output Module | 1,278,125 | 7.82E-07 | 1.75E-04 |
| 1756-OB8EI | DC Fused Output | 5,853,120 | 1.71E-07 | 3.83E-05 |
| 1756-OF6CI | Isolated Analog Output Module (Current) | 9,296,907 | 1.08E-07 | 2.41E-05 |
| 1756-OF6VI | Isolated Analog Output Module (Voltage) | 13,062,400 | 7.66E-08 | 1.71E-05 |
| 1756-OF8 | Analog Output | 5,717,675 | 1.75E-07 | 3.92E-05 |
| 1756-OW16I | Isolated Relay Output Module | 1,360,415 | 7.35E-07 | 1.65E-04 |
| 1756-OX8I | Contact Output | 19,281,600 | 5.19E-08 | 1.16E-05 |
| 1756-PA75/A | AC Power Supply | 14,538,606 | 6.88E-08 | 1.54E-05 |
| 1756-PA75/B | AC Power Supply | 5,513,591(3) | 1.81E-07 | 4.06E-05 |
| 1756-PA75R | AC Redundant Power Supply | 296,978(4) | 3.37E-06 | 7.54E-04 |
| 1756-PB75/A | DC Power Supply | 10,157,334 | 9.85E-08 | 7.30E-05 |
| 1756-PB75/B | DC Power Supply | 5,884,430(3) | 1.70E-07 | 3.81E-05 |
| 1756-PB75R | DC Redundant Power Supply | 1,134,848(4) | 8.81E-07 | 1.97E-04 |
| 1756-PC75 | DC Power supply | 5,894,836(3) | 1.70E-07 | 3.80E-05 |
| 1756-PH75 | DC Power supply | 5,889,628(3) | 1.70E-07 | 3.80E-05 |
| 1756-PSCA | Power Sup Chassis Adapter Module | 45,146,727(3) | 2.21E-08 | 4.96E-06 |
| 1756-PSCA2 | Redundant Power Supply Chassis Adapter Module | 45,146,727(3) | 2.21E-08 | 4.96E-06 |
| 1757-SRM | System Redundancy Module | 835,357 | 1.20E-06 | 2.68E-04 |

(1) MTBF measured in hours. The values used here represent values available in September 2006.
(2) Aggregate based on total shipments and total returns of all five chassis (1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17) collectively.
(3) Calculated using field-based values for components.
(4) Assumes that both power supplies fail simultaneously.
(5) λ = Failure Rate = 1/MTBF
Probability of Undetected Dangerous Failure Per Hour Calculations in a SIL1 Application
Table F.3 lists the PFH calculations for ControlLogix products in a
SIL1-certified system. These calculations use a Proof Test Interval =
1 year.
Table F.3 ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations

| Catalog Number | Description | Mean Time Between Failure (MTBF)(1) | λ(5) | Calculated PFH: 1oo1 architecture |
|---|---|---|---|---|
| 1756-Axx | ControlLogix Chassis | 36,322,045(2) (aggregate) | 2.75E-08 | 1.38E-09 |
| 1756-CNB/D | ControlNet Bridge - Series D | 5,595,646 | 1.79E-07 | 8.94E-09 |
| 1756-CNB/E | ControlNet Bridge - Series E | 2,944,988(3) | 3.40E-07 | 1.70E-08 |
| 1756-CNBR/D | Redundant ControlNet Bridge - Series D | 3,109,957 | 3.22E-07 | 1.61E-08 |
| 1756-CNBR/E | Redundant ControlNet Bridge - Series E | 2,864,755(3) | 3.49E-07 | 1.75E-08 |
| 1756-IA16I | AC Isolated Input | 15,262,520 | 6.55E-08 | 3.28E-09 |
| 1756-IA8D | AC Diagnostic Input | 10,383,360 | 9.63E-08 | 4.82E-09 |
| 1756-IB16D | DC Diagnostic Input | 41,300,480 | 2.42E-08 | 1.21E-09 |
| 1756-IB16I | DC Isolated Input | 19,862,336 | 5.03E-08 | 2.52E-09 |
| 1756-IB16ISOE | Sequence of Events Module | 4,959,088(3) | 2.02E-07 | 1.01E-08 |
| 1756-IB32 | DC Input Module | 2,468,448 | 4.05E-07 | 2.03E-08 |
| 1756-IF16 | Single-ended Analog Input Module | 2,235,008 | 4.47E-07 | 2.24E-08 |
| 1756-IF6CIS | Isolated Sourcing Analog Input Module | 2,094,159 | 4.78E-07 | 2.39E-08 |
| 1756-IF6I | Isolated Analog Input Module | 3,065,920 | 3.26E-07 | 1.63E-08 |
| 1756-IF8 | Analog Input | 2,838,451 | 3.52E-07 | 1.76E-08 |
| 1756-IH16ISOE | Sequence of Events Module | 6,044,122(3) | 1.65E-07 | 8.27E-09 |
| 1756-IR6I | RTD Input | 3,826,296 | 2.61E-07 | 1.31E-08 |
| 1756-IT6I | Thermocouple Input | 3,002,035 | 3.33E-07 | 1.67E-08 |
| 1756-IT6I2 | Enhanced Thermocouple Input Module | 991,929 | 1.01E-06 | 5.04E-08 |
| 1756-L55M13 | ControlLogix 1.5Mb Controller | 2,228,750 | 4.49E-07 | 2.24E-08 |
| 1756-L55M16 | ControlLogix 5555 Processor | 1,644,933 | 6.08E-07 | 3.04E-08 |
| 1756-L61 | ControlLogix 2 Mb Controller | 815,822 | 1.23E-06 | 6.13E-08 |
| 1756-L62 | ControlLogix 4 Mb Controller | 576,992 | 1.73E-06 | 8.67E-08 |
| 1756-L63 | ControlLogix 8 Mb Controller | 782,912 | 1.28E-06 | 6.39E-08 |
| 1756-OA16I | AC Isolated Output | 10,911,086 | 9.16E-08 | 4.58E-09 |
| 1756-OA8D | AC Diagnostic Output | 6,922,240 | 1.44E-07 | 7.22E-09 |
| 1756-OB16D | DC Diagnostic Output | 14,321,691 | 6.98E-08 | 3.49E-09 |
| 1756-OB16I | DC Isolated Output | 2,371,445 | 4.22E-07 | 2.11E-08 |
| 1756-OB32 | DC Output Module | 1,278,125 | 7.82E-07 | 3.91E-08 |
| 1756-OB8EI | DC Fused Output | 5,853,120 | 1.71E-07 | 8.54E-09 |
| 1756-OF6CI | Isolated Analog Output Module (Current) | 9,296,907 | 1.08E-07 | 5.38E-09 |
| 1756-OF6VI | Isolated Analog Output Module (Voltage) | 13,062,400 | 7.66E-08 | 3.83E-09 |
| 1756-OF8 | Analog Output | 5,717,675 | 1.75E-07 | 8.74E-09 |
| 1756-OW16I | Isolated Relay Output Module | 1,360,415(3) | 7.35E-07 | 3.68E-08 |
| 1756-OX8I | Contact Output | 19,281,600 | 5.19E-08 | 2.59E-09 |
| 1756-PA75/A | AC Power Supply | 14,538,606 | 6.88E-08 | 3.44E-09 |
| 1756-PA75/B | AC Power Supply | 5,513,591(3) | 1.81E-07 | 9.07E-09 |
| 1756-PA75R | AC Redundant Power Supply | 296,978(4) | 3.37E-06 | 1.68E-07 |
| 1756-PB75/A | DC Power Supply | 10,157,334 | 9.85E-08 | 4.92E-09 |
| 1756-PB75/B | DC Power Supply | 5,884,430(3) | 1.70E-07 | 8.50E-09 |
| 1756-PB75R | DC Redundant Power Supply | 1,134,848(4) | 8.81E-07 | 4.41E-08 |
| 1756-PC75 | DC Power supply | 5,894,836(3) | 1.70E-07 | 8.48E-09 |
| 1756-PH75 | DC Power supply | 5,889,628(3) | 1.70E-07 | 8.49E-09 |
| 1756-PSCA | Power Supply Chassis Adapter | 45,146,727(3) | 2.21E-08 | 1.11E-09 |
| 1756-PSCA2 | Redundant Power Supply Chassis Adapter Module | 45,146,727(3) | 2.21E-08 | 1.11E-09 |
| 1757-SRM | System Redundancy Module | 835,357 | 1.20E-06 | 5.99E-08 |

(1) MTBF measured in hours. The values used here represent those values available in September 2006.
(2) Aggregate based on total shipments and total returns of all five chassis (1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17) collectively.
(3) Calculated using field-based values for components.
(4) Assumes that both power supplies fail simultaneously.
(5) λ = Failure Rate = 1/MTBF
Index
A
Agency certifications 1-21
Analog input modules 6-13–6-19
Analog output modules 6-20–6-24
Application program
Programming languages 9-4
SIL task/program instructions 9-4
Technical SIL2 requirements 9-1–9-8
Architecture
Overview of ControlLogix architecture
2-2
C
Calibration 6-13, 6-20
Chassis 3-2
Commissioning life cycle 9-5
Communication
ControlNet 2-6, 5-2
Ethernet 5-3
Field side output verification 2-4
Output data echo 2-4, 6-8
Producer/consumer model 2-2
Communications modules 5-1–5-5
ControlNet module 5-2
Documentation 5-5
Ethernet module 5-3
Usage recommendations 5-4
Control and information protocol
Definition Preface-vii
Controller 4-1–4-2
Documentation 4-2
Usage recommendations 4-2
ControlLogix architecture 2-2
ControlNet module 5-2
D
Diagnostic coverage
Definition Preface-vii
Documentation
Communications modules 5-5
Controller 4-2
Hardware 3-4
E
Ethernet module 5-3
European norm
Definition Preface-vii
F
Fault handling 2-3, 7-1–7-3, B-1, C-1
Fault reporting 2-3, 6-4, 7-1–7-3, B-1,
C-1
Analog input modules 6-14
Analog output modules 6-21
Digital input modules 6-6
Digital output modules 6-8, 6-12
Field side output verification 2-4
Forcing via software 8-4
G
Get system value (GSV)
Definition Preface-vii
H
Hardware 3-1–3-4
Chassis 3-2
Documentation 3-4
Power supplies 3-2–3-3
Usage recommendations 3-3
Human to machine interfaces
Use and application 10-1–10-3
I
I/O modules 6-1–6-26
Analog input modules 6-13–6-19
Analog output modules 6-20–6-24
Calibration 6-13, 6-20
Digital input modules 6-5–6-6
Digital output modules 6-7–6-12
Fault reporting 6-4, 6-6, 6-8, 6-12,
6-14, 6-21
Proof tests 6-5, 6-7, 6-13, 6-20
Response times A-1–A-4
Wiring analog input modules 6-16–
6-19
Wiring analog output modules 6-23–
6-24
Wiring digital input modules 6-6
Wiring digital output modules 6-10–
6-12
Interface
HMI use and application 10-1–10-3
M
Mean time between failures (MTBF)
Definition Preface-vii
Mean time to restoration
Definition Preface-vii
O
Operational modes 8-5
Output data echo 2-4, 6-8
P
Power supplies 3-2–3-3
Non-redundant 3-2
Redundant 3-3
Probability of failure on demand (PFD)
1-12–1-19
Calculation equation 1-13
Calculations for each catalog number
1-14, E-1, F-2
Definition Preface-vii
Probability of failure per hour (PFH)
1-12–1-19
Calculation equation 1-14
Calculations for each catalog number
1-17, F-4
Definition Preface-vii
Producer/consumer communication
model 2-2
Programming languages 9-4
Proof tests 1-6, 6-5, 6-7, 6-13, 6-20
Pulse test 2-5
R
Response times A-1–A-4
RSLogix 5000 Preface-vii, 2-6
Changing your application program 9-6
Commissioning life cycle 9-5
Forcing 8-4
General requirements 8-1–8-6
Programming languages 9-4
Security 8-4
SIL task/program instructions 9-4
SIL2 programming 8-2
S
Safety certifications and compliances
For ControlLogix catalog numbers 1-12
Security via software 8-4
SIL compliance
Distribution and weight 1-20
SIL loop example 1-4, 1-5
SIL policy 1-1–1-23
SIL2 requirements
For the application program 9-1–9-8
SIL2-certified components
Complete list of ControlLogix catalog
numbers 1-8
Software
Changing your application program 9-6
Commissioning life cycle 9-5
Forcing 8-4
General requirements 8-1–8-6
Programming languages 9-4
RSLogix 5000 Preface-vii, 2-6
Security 8-4
SIL task/program instructions 9-4
SIL2 programming 8-2
Software watchdog 1-23
Spurious failure estimates D-1
System hardware 3-1–3-4
Chassis 3-2
Documentation 3-4
Power supplies 3-2–3-3
Usage recommendations 3-3
T
Terminology
Used throughout manual Preface-vii
W
Watchdog 1-23
Wiring I/O modules
Analog input modules 6-16–6-19
Analog output modules 6-23–6-24
Digital input modules 6-6
Digital output modules 6-10–6-12
Rockwell Automation Support
Rockwell Automation provides technical information on the Web to assist
you in using its products. At http://support.rockwellautomation.com, you can
find technical manuals, a knowledge base of FAQs, technical and application
notes, sample code and links to software service packs, and a MySupport
feature that you can customize to make the best use of these tools.
For an additional level of technical phone support for installation,
configuration, and troubleshooting, we offer TechConnect Support programs.
For more information, contact your local distributor or Rockwell Automation
representative, or visit http://support.rockwellautomation.com.
Installation Assistance
If you experience a problem with a hardware module within the first 24
hours of installation, please review the information that's contained in this
manual. You can also contact a special Customer Support number for initial
help in getting your module up and running.
United States: 1.440.646.3223, Monday – Friday, 8am – 5pm EST
Outside United States: Please contact your local Rockwell Automation representative for any technical support issues.
New Product Satisfaction Return
Rockwell tests all of its products to ensure that they are fully operational
when shipped from the manufacturing facility. However, if your product is
not functioning, it may need to be returned.
Supersedes Publication 1756-RM001D-EN-P - January 2005
United States: Contact your distributor. You must provide a Customer Support case number (see phone number above to obtain one) to your distributor in order to complete the return process.
Outside United States: Please contact your local Rockwell Automation representative for return procedure.
PN 953014-96
Copyright © 2006 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.