Using ControlLogix in SIL2 Applications - e-applied.com.t ControlL… · Using ControlLogix in SIL2 Applications ... Sample Probability of ... ControlLogix system via RSLogix 5000

Using ControlLogix in SIL2 Applications1756 Series

Safety Reference Manual

Important User Information Solid state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelines for the Application, Installation and Maintenance of Solid State Controls (Publication SGI-1.1 available from your local Rockwell Automation sales office or online at http://www.ab.com/manuals/gi) describes some important differences between solid state equipment and hard-wired electromechanical devices. Because of this difference, and also because of the wide variety of uses for solid state equipment, all persons responsible for applying this equipment must satisfy themselves that each intended application of this equipment is acceptable.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc. is prohibited.

Throughout this manual, when necessary we use notes to make you aware of safety considerations.

WARNINGIdentifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

ATTENTION Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you:

• identify a hazard

• avoid a hazard

• recognize the consequence

SHOCK HAZARD Labels may be located on or inside the equipment (e.g., drive or motor) to alert people that dangerous voltage may be present.

BURN HAZARD Labels may be located on or inside the equipment (e.g., drive or motor) to alert people that surfaces may be dangerous temperatures.

Summary of Changes

New and Revised Information

Change bars located in margins indicate updates and new information added to this revision. Table 1 lists the most significant new and revised information included in this release of this manual.

Table.1 New and Revised Information

Topic Location

Components for Use in SIL2 Applications. Table 1.1 on Page 1-8

Checklist for the ControlLogix System. Page 2-8

Safety Certifications and Compliances Page 1-12

Probability of Failure on Demand (PFD) calculations.

Table 1.2 on Page 1-14

Example PFD calculations. Table 1.4 on Page 1-19

Probability of Undetected Dangerous Failure per Hour (PFH) calculations.

Table 1.3 on Page 1-17

Use of ControlNet repeaters in SIL2 systems.

Page 5-2

ControlLogix Diagnostic Output Module Wiring.

Figure 6.7 on Page 6-10

ControlLogix Standard Output Wiring Figure 6.8on Page 6-11

General Considerations for the use of analog modules.

Page 6-20

ControlLogix Analog Module Wiring in Current Mode.

Figure 6.18 on Page 6-24

Security considerations for programming. Page 8-4

Spurious Failure Estimates Page D-1

Sample Probablity of Failure on Demand (PFD) Calculations

Page E-1

Probablity of Failure on Demand (PFD) Calculations in a SIL1 Application

Page F-2

Probability of Undetected Dangerous Failure Per Hour (PFH) Calculations in SIL1 Applications

Page F-4

iii Publication 1756-RM001E-EN-P - November 2006

Summary of Changes iv

Notes:

Publication 1756-RM001E-EN-P - November 2006

Preface

Introduction This application manual is intended to describe the ControlLogix Control System components available from Rockwell Automation that are suitable for use in SIL2 applications.

Manual Set-Up2006 This manual is designed to make clear how the ControlLogix Control System can be SIL2-certified. Table Preface.1 lists the information available in each section.

IMPORTANT This manual describes typical SIL2 implementations using certified ControlLogix equipment. Keep in mind that the descriptions presented in this manual do not preclude other methods of implementing a SIL2-compliant system using ControlLogix.

Other methods may include TUV-approved application-certified architectures, or the use of the FLEX I/O system as described in FLEX I/O System with ControlLogix for SIL2 reference manual, publication 1794-RM001.

Table Preface.1

If you need this information: See this section:

Introduction to the SIL policy and how that policy relates to the ControlLogix system, including:

• typical SIL2 configurations–both non-redundant and redundant

• proof test descriptions

• complete list of SIL2-certified ControlLogix components

• probability of failure on demand (PFD) and probability of dangerous failure occurring per hour (PFH) calculations for SIL2-certified components with a 1 year proof test interval

Chapter 1, SIL Policy

Brief overview of all the components present in the SIL2-certified ControlLogix system, including:

• fault reporting

• fault handling

• module diagnostics

• checklist for a SIL2-certified ControlLogix system

Chapter 2, The ControlLogix System

Description of the ControlLogix power supplies and chassis used in a SIL2-certified ControlLogix system and recommendations on using these components.

Chapter 3, ControlLogix System Hardware

Description of the ControlLogix controllers used in the SIL2-certified ControlLogix system, including the 1784-CG64 CompactFlash card and recommendations on using the controllers.

Chapter 4, ControlLogix Controller

Description of the ControlLogix communications modules used in the SIL2-certified ControlLogix system and recommendations on their use in SIL2-certified system.

Chapter 5, ControlLogix Communications Modules

v Publication 1756-RM001E-EN-P - November 2006

Preface vi

Description of the ControlLogix I/O modules used in the SIL2-certified ControlLogix system, including:

• use of both digital and analog I/O modules

• I/O module fault reporting

• usage considerations

• wiring diagrams

• checklist for I/O modules in a SIL2-certified ControlLogix system

Chapter 6, ControlLogix I/O Modules

Description of how the ControlLogix detects, and reacts to, faults. Specifically, this section describes the following two example conditions that generate a fault in a SIL2-certified system:

• keyswitch changing out of RUN mode

• high alarm condition on an analog input module

Chapter 7, Faults in the ControlLogix System

Guidelines for application development in RSLogix 5000 as they relate to SIL2-certified systems. The guidelines include:

• suggestions of good design practices

• checking the application program

• identifying the program

• forcing

• security

• checklist for the creation of an application program

Chapter 8, General Requirements for Application Software

Description of technical safety requirement in SIL2-certified ControlLogix applications. The following topics are described in this section:

• general programming procedures

• SIL task/program instructions

• available programming languages

• commissioning lifecycle

• method to change an application program

• forcing

Chapter 9, Technical SIL2 Requirements for the Application Program

Description of the precautions and techniques that should be used with HMI devices as they are used in SIL2-certified ControlLogix applications, including:

• information about changing parameters in a safety-related loop

• information about changing parameters in a non-safety-related loop

Chapter 10, Use and Application of Human to Machine Interfaces

Calculation methods for worst case reaction time for a given change in input or a fault condition and the corresponding output action.

Appendix A, Response Times in ControlLogix

Self-testing in a ControlLogix system and more information about user-programmed responses. Appendix B, System Self-Testing and User-Programmed Responses

Additional information on handling faults. Appendix C, Additional Information on Handling Faults in the ControlLogix System

Table Preface.1



Preface vii

Understanding Terminology The following table defines acronyms used in this manual.

Spurious failure rates based on field returns. Appendix D, Spurious Failure Estimates

Additional PFD calculations based on proof test intervals of 2 years and 4 years. Appendix E, Sample Probability of Failure on Demand (PFD) Calculations

Using ControlLogix in SIL1 applications Appendix F, Using ControlLogix in SIL1 Applications

Table Preface.1


Table Preface.2 List of Acronyms Used Throughout the Safety Application Manual

Acronym: Full Term: Definition:

CIP Control and Information Protocol

A messaging protocol used by Logix5000™ systems. It is a native communications protocol used on ControlNet™ communications networks, among others.

DC Diagnostic Coverage

The ratio of the detected failure rate to the total failure rate.

EN European Norm. The official European Standard

GSV Get System Value A ladder logic output instruction that retrieves specified controller status information and places it in a destination tag.

MTBF Mean Time Between Failures

Average time between failure occurrences.

MTTR Mean Time to Restoration

Average time needed to restore normal operation after a failure has occurred.

PADT Programming and Debugging Tool

RSLogix 5000 software used to program and debug a SIL2-certified ControlLogix application.

PC Personal Computer

Computer used to interface with, and control, a ControlLogix system via RSLogix 5000 programming software.

PFD Probability of Failure on Demand

The average probability of a system to fail to perform its design function on demand.

PFH Probability of Failure per Hour

The probability of a system to have a dangerous failure occur per hour.


Preface viii

Notes:


Table of ContentsChapter 1

SIL Policy Introduction to SIL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1Typical SIL2 Configurations . . . . . . . . . . . . . . . . . . . . . . . . 1-4Proof Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Prooftesting with Redundancy Systems . . . . . . . . . . . . . 1-7SIL2-Certified ControlLogix System Components . . . . . . . . . 1-8Safety Certifications and Compliances . . . . . . . . . . . . . . . . 1-12Hardware Designs and Firmware Functions . . . . . . . . . . . . 1-12Difference Between PFD and PFH . . . . . . . . . . . . . . . . . . . 1-12SIL Compliance Distribution and Weight . . . . . . . . . . . . . . 1-20Other Agency Certifications . . . . . . . . . . . . . . . . . . . . . . . . 1-21Response Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21

Response Times in Redundancy Systems. . . . . . . . . . . . 1-22Program Watchdog Time in ControlLogix System . . . . . . . . 1-23Contact Information When Device Failure Occurs. . . . . . . . 1-23

Chapter 2The ControlLogix System General Overview of ControlLogix Platform . . . . . . . . . . . . 2-1

Overview of the ControlLogix Architecture. . . . . . . . . . . . . 2-2Module Fault Reporting . . . . . . . . . . . . . . . . . . . . . . . . 2-3Fault Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3Data Echo Communication Check. . . . . . . . . . . . . . . . . 2-4Pulse Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6Other Unique Features that Aid Diagnostics . . . . . . . . . 2-7

Checklist for the ControlLogix System . . . . . . . . . . . . . . . . 2-8

Chapter 3ControlLogix System Hardware Introduction to the Hardware . . . . . . . . . . . . . . . . . . . . . . 3-1

ControlLogix Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2ControlLogix Power Supplies. . . . . . . . . . . . . . . . . . . . . . . 3-2

Non-Redundant Power Supply . . . . . . . . . . . . . . . . . . . 3-2Redundant Power Supply . . . . . . . . . . . . . . . . . . . . . . . 3-3

Recommendations for System Hardware Use . . . . . . . . . . . 3-3Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3Power Supplies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

Related ControlLogix Hardware Documentation . . . . . . . . . 3-4

Chapter 4ControlLogix Controller Introduction to the Controller . . . . . . . . . . . . . . . . . . . . . . 4-1

CompactFlash Card . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1Recommendations for Controller Use . . . . . . . . . . . . . . . . . 4-2Related Controller Documentation . . . . . . . . . . . . . . . . . . . 4-2

ix Publication 1756-RM001E-EN-P - November 2006

Table of Contents x

Chapter 5ControlLogix Communications Modules

Introduction to Communication Modules . . . . . . . . . . . . . . 5-1ControlNet Bridge Module. . . . . . . . . . . . . . . . . . . . . . . . . 5-2

ControlNet Cabling . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2ControlNet Repeater. . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2ControlNet Module Diagnostic Coverage. . . . . . . . . . . . 5-2

Ethernet Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3Ethernet Versus ControlNet . . . . . . . . . . . . . . . . . . . . . . . . 5-3Data Highway Plus - Remote I/O. . . . . . . . . . . . . . . . . . . . 5-4SynchLink. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4Recommendations for Communications Modules Use . . . . . 5-4Related Communications Modules Documentation . . . . . . . 5-5

Chapter 6ControlLogix I/O Modules Overview of ControlLogix I/O Modules . . . . . . . . . . . . . . . 6-1

Module Fault Reporting for any ControlLogix I/O Module. . 6-4Using Digital Input Modules . . . . . . . . . . . . . . . . . . . . . . . 6-5

General Considerations when using Any ControlLogix Digital Input Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Wiring ControlLogix Digital Input Modules. . . . . . . . . . . . . 6-6Using Digital Output Modules . . . . . . . . . . . . . . . . . . . . . . 6-7

General Considerations when using Any ControlLogix Digital Output Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

Wiring ControlLogix Digital Output Modules . . . . . . . . . . . 6-10Diagnostic Digital Output Modules . . . . . . . . . . . . . . . . 6-10Standard Digital Output Modules . . . . . . . . . . . . . . . . . 6-11

Using Analog Input Modules . . . . . . . . . . . . . . . . . . . . . . . 6-13General Considerations when using Any ControlLogix Analog Input Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13

Wiring ControlLogix Analog Input Modules . . . . . . . . . . . . 6-16Wiring the Single-Ended Input Module in Voltage Mode 6-16Wiring the Single-Ended Input Module in Current Mode 6-17Wiring the Thermocouple Input Module . . . . . . . . . . . . 6-18Wiring the RTD Input Module . . . . . . . . . . . . . . . . . . . 6-19

Using Analog Output Modules. . . . . . . . . . . . . . . . . . . . . . 6-20General Considerations when using Any ControlLogix Analog Output Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20

Wiring ControlLogix Analog Output Modules . . . . . . . . . . . 6-23Wiring the Analog Output Module in Voltage Mode . . . 6-23Wiring the Analog Output Module in Current Mode . . . 6-24

Checklist for SIL Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25Checklist for SIL Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26


Table of Contents xi

Chapter 7Faults in the ControlLogix System Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1

Checking Keyswitch Position with GSV Instruction. . . . . . . 7-2Examining an Analog Input Module’s High Alarm. . . . . . . . 7-3

Chapter 8General Requirements forApplication Software

Software for SIL2-Related Systems . . . . . . . . . . . . . . . . . . . 8-1SIL2 Programming. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2

Safety Concept of the ControlLogix system . . . . . . . . . . 8-2General Guidelines for Application Software Development . 8-2

Check the Created Application Program . . . . . . . . . . . . 8-3Possibilities of Program Identification . . . . . . . . . . . . . . 8-3

Forcing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4ControlLogix System Operational Modes . . . . . . . . . . . . . . 8-5Checklist for the Creation of an Application Program . . . . . 8-6

Chapter 9Technical SIL2 Requirements for the Application Program

General Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1Basics of Programming. . . . . . . . . . . . . . . . . . . . . . . . . 9-2

Logic and Instructions 2Program Logic 2Specification 3Sensors (Digital or Analog) 3Actuators 4SIL Task/Program Instructions . . . . . . . . . . . . . . . . . . . . . . 9-4Programming Languages . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4Commissioning Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . 9-5Changing Your Application Program . . . . . . . . . . . . . . . . . 9-6Forcing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8

Chapter 10Use and Application of Human to Machine Interfaces

Using Precautions and Techniques with HMI . . . . . . . . . . . 10-1Accessing Safety-Related Systems . . . . . . . . . . . . . . . . . 10-1Changing Parameters in Safety-Related Systems. . . . . . . 10-2Changing Parameters in Non-Safety-Related Systems . . . 10-3


Table of Contents xii

Appendix AResponse Times in ControlLogix Digital Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1

Local Chassis Configuration . . . . . . . . . . . . . . . . . . . . . A-1Remote Chassis Configuration . . . . . . . . . . . . . . . . . . . A-2

Analog Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3Local Chassis Configuration . . . . . . . . . . . . . . . . . . . . . A-3Remote Chassis Configuration . . . . . . . . . . . . . . . . . . . A-3

Redundancy Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5

Appendix BSystem Self-Testing and User-Programmed Responses

Validation Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1System Self Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1

Reaction to Faults 2

Appendix CAdditional Information on Handling Faults in the ControlLogix System

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-1

Appendix DSpurious Failure Estimates Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-1

Appendix ESample Probability of Failure on Demand (PFD) Calculations

Proof Test Interval = 5 Years . . . . . . . . . . . . . . . . . . . . . . . E-1

Appendix FUsing ControlLogix in SIL1 Applications

Additional Considerations . . . . . . . . . . . . . . . . . . . . . . . . . F-1Probability of Failure on Demand Calculations in a SIL1 Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-2Probability of Undetected Dangerous Failure Per Hour Calculations in a SIL1 Application . . . . . . . . . . . . . . . . . . . F-4


Chapter 1

SIL Policy

This chapter introduces you to the SIL policy and how the ControlLogix system meets the requirements for SIL2 certification.

Introduction to SIL Certain catalog numbers (listed in Table 1.1 on page 1-8) of the ControlLogix system are type-approved and certified for use in SIL2 applications according to IEC 61508, and RC4 applications are certified according to DIN V19250. Approval requirements are based on the standards current at the time of certification.

These requirements consist of mean time between failures (MTBF), probability of failure, failure rates, diagnostic coverage and safe failure fractions that fulfill SIL2 and AK4 criteria. The results make the ControlLogix system suitable up to, and including, SIL2 and AK4. When the ControlLogix system is in the maintenance or programming mode, the user is responsible for maintaining a safe state.

For support in creation of programs, the PADT (Programming and Debugging Tool) is required. The PADT for ControlLogix is RSLogix 5000, per IEC 61131-3, and this Safety Reference Manual.

For information about: See page:

Introduction to SIL 1-1

Typical SIL2 Configurations 1-4

Proof Tests 1-6

SIL2-Certified ControlLogix System Components 1-8

Safety Certifications and Compliances 1-12

Hardware Designs and Firmware Functions 1-12

Difference Between PFD and PFH 1-12

ControlLogix Product Probability of Failure on Demand (PFD) Calculations

1-14

ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations

1-17

SIL Compliance Distribution and Weight 1-20

Other Agency Certifications 1-21

Response Times 1-21

Program Watchdog Time in ControlLogix System 1-23

Contact Information When Device Failure Occurs 1-23

1 Publication 1756-RM001E-EN-P - November 2006

1-2 SIL Policy

The TUV Rheinland Group has approved the ControlLogix system for use in up to, and including, SIL 2 safety related applications in which the de-energized state is typically considered to be the safe state. All of the examples related to I/O included in this manual are based on achieving de-energization as the safe state for typical Emergency Shutdown (ESD) Systems.

ControlLogix is a modular and configurable system with the ability to pre-configure outputs and other responses to fault conditions. As such, a system can be designed to meet requirements for “hold last state" in the event of a fault so that the system can be used in up to, and including, SIL 2 level Fire and Gas and other Applications that require that output signals to actuators remain on. By understanding the behavior of the ControlLogix system for an emergency shutdown application, the system design can incorporate appropriate measures to meet other application requirements. These measures relate to the control of outputs and actuators which must remain on to be in a safe state. The other requirements for SIL2 regarding inputs from sensors, software etc. must also be met. The measures and modifications which relate to Gas and Fire are listed below.

• The use of a manual over-ride is necessary to ensure the operator can maintain the desired control in the event of a Controller Failure. This is similar in concept to the function of the external relay or redundant outputs required to ensure a de-energized state is achieved for an ESD system should a failure occur (e.g., such as a shorted output driver) that would prevent this from normally occurring. The system knows it has a failure but the failure mode requires an independent means to maintain control and either remove power or provide an alternate path to maintain power to the end actuator.

• If the application cannot tolerate an output that can fail shorted (energized) then an external means such as a relay or other output must be wired in series to remove power when the fail shorted condition occurs. (Refer to Figure 6.8 on page 6-11)

If the application cannot tolerate an output that fails open (deenergized) then an external means such as a manual override or output must be wired in parallel. (Refer to the manual override Figure 1.1 on page 1-3). The user must supply the alternative means and develop the application program to initiate the alternate means of removing or continuing to supply power in the event the main output fails.


SIL Policy 1-3

• This manual over-ride circuit is shown in Figure 1.1. It is composed of a hardwired set of contacts from a selector switch or push-button. One Normally Open contact provides for the bypass of power from the Controller output directly to the actuator. The other is a Normally closed contact to remove or isolate the controller output

• An application program needs to be generated to monitor the diagnostic output modules for dangerous failures such as shorted or open output driver channels. Diagnostic output modules must be configured to hold last state in the event of a fault.

• A diagnostic alarm must be generated to inform the operator that manual control is required.

• The faulted module must be replaced within a reasonable time frame.

• Any time a fault is detected the user must annunciate the fault to an operator by some means (for example, an alarm light).

Figure 1.1

L1

L2 or Ground

Actuator

Manual Override

43379

Alarm to Operator

Fault


1-4 SIL Policy

Typical SIL2 Configurations SIL2-certified ControlLogix systems can be used in a non-redundancy or redundancy configuration. The most significant difference between these configurations is that the redundancy configuration uses an identical pair of ControlLogix chassis to keep your machine or process running if a problem occurs with a controller.

Figure 1.2 shows a typical SIL loop that does not use redundancy, including:

• the overall safety loop

• the ControlLogix portion of the overall safety loop

• how other devices (for example, HMI) connect to the loop, while operating outside the loop

This loop is used for fail safe applications.

Figure 1.2 Typical SIL Loop Without Controller Redundancy

Plant-wide Ethernet/Serial

ControlNet

SIL2-certified ControlLogix components’ portion of the overall safety loop

Programming SoftwareFor SIL applications, a programming terminal is not normally connected.

HMIFor Diagnostics and Visualization (read-only access to controllers in

the safety loop). For more information, see Chapter 10.

Sensor ActuatorENBT

CNB

CNB

CNB

ControlNet To non-safety related systems outside the ControlLogix portion of the SIL2-certified loop. For more information, see Chapter 5.

To other safety related ControlLogix and remote I/O chassis

Overall Safety Loop

I/O


SIL Policy 1-5

Figure 1.3 shows a typical SIL loop that uses redundancy, including:

• the overall safety loop

• the ControlLogix portion of the overall safety loop

• how other devices (for example, HMI) connect to the loop, while operating outside the loop

Figure 1.3 Typical SIL Loop With Controller Redundancy

IMPORTANT With regard to IEC 61508, most SIL2-certified systems are fault tolerant for the entire system. However, the ControlLogix system is fault tolerant only for the devices in the primary/secondary chassis and not the entire system. This loop is used for high availability applications.

Plant-wide Ethernet/Serial

ControlNet

SIL2-certified ControlLogix components’ portion of the overall safety loop

Programming SoftwareFor SIL applications, a programming terminal is not normally connected.

HMIFor Diagnostics and Visualization (read-only access to controllers in

the safety loop). For more information, see Chapter 10.

Sensor ActuatorENBT

CNB

ControlNet

To non-safety related systems outside the ControlLogix portion of the SIL2-certified loop. For more information, see Chapter 5.

To other safety related ControlLogix and remote I/O chassis

Overall Safety Loop

CNB

CNB

ENBT

CNB

CNB

I/O

Primary chassis

Secondary chassis

SRM

SRM

Remote I/O chassis


1-6 SIL Policy

Proof Tests IEC 61508 requires the user to perform various proof tests of the equipment used in the system. Proof tests are performed at user-defined times (for example, proof test intervals can be once a year, once every two years or whatever timeframe is appropriate) and include some of the following tests:

• Testing of all fault routines to verify that process parameters are monitored properly and the system reacts properly when a fault condition arises.

• Testing of digital input or output channels to verify that they are not stuck in the ON or OFF state.

• Calibration of analog input and output modules to verify that accurate data is obtained from and used on the modules.

IMPORTANT The system user is responsible for:

• the set-up, SIL rating and validation of any sensors or actuators connected to the ControlLogix control system.

• project management and functional testing.

• programming the application software and the module configuration according to the description in the following chapters.

The SIL2 portion of the certified system excludes the development tools and display/human machine interface (HMI) devices; these tools and devices are not part of the run time control loop.

It is also important to note that ControlLogix SIL2 certification is only available on ControlLogix Redundancy systems that use 1756-L55M13 and 1756-L55M16 controllers.

While you can use the 1756-L6x controllers in a redundant ControlLogix system, this set-up has not yet been SIL2-certified.


SIL Policy 1-7

Prooftesting with Redundancy Systems

A ControlLogix redundancy system uses an identical pair of ControlLogix chassis to keep your machine or process running if a problem occurs with those chassis. When a failure occurs in any of the components of the primary chassis, control switches to the secondary controller.

The switchover can be monitored so that the system notifies the user when it has occurred. In this case (i.e., when a switchover takes place), we recommend that you replace the failed controller with the mean time to restoration (MTTR) for your application.

If you are using controller redundancy in a SIL2 application, you must perform half the proof test on the primary controller and half the proof test on the secondary controller.

For more information on switchovers in ControlLogix redundancy systems and ControlLogix redundancy systems in general, see the ControlLogix Redundancy System user manual, publication 1756-UM523.

For more information on system proof tests, see Chapter 2, The ControlLogix System. For more information on the necessary I/O module proof tests, see Chapter 6, ControlLogix I/O Modules.

IMPORTANT Users’ specific applications will determine the timeframe for the proof test interval.

However, keep in mind that the Probability of Failure on Demand (PFD) calculations listed in Table 1.2 on page 1-14 use a proof test interval of once per year. If the proof test interval is not once per year, the information must be recalculated.

For sample PFD calculations for proof test intervals of 2 and 4 years, see Appendix E

TIP If you are concerned about the availability of the secondary controller if the primary controller fails, it is good engineering practice to implement a switchover periodically (e.g., once per proof test interval).


1-8 SIL Policy

SIL2-Certified ControlLogix System Components

Table 1.1 lists the components available for use in a SIL2-certified ControlLogix system.

Table 1.1 Components For Use in the SIL 2 System

Device Type:Catalog Number: Description:

Related Documentation(9):

Series:Firmware

Revision(7),(8):Installation

Instructions:User Manual:

Hardware 1756-A4, A7, A10, A13 & A17

ControlLogix Chassis B NA 1756-IN080 None available for these catalog numbers1756-PA75 AC Power supply A NA 1756-5.78

1756-PB75 DC Power supply A NA

1756-PA75 AC Power supply B NA 1756-IN596

1756-PB75 DC Power supply B NA

1756-PA75R AC Redundant power supply A NA 1756-IN573

1756-PB75R DC Redundant power supply A NA

1756-PC75 DC Power supply B NA 1756-IN597

1756-PH75 DC Power supply B NA 1756-IN589

1756-PSCA(1) Redundant Power Supply Chassis Adapter Module

A NA 1756-IN574

1756-PSCA2 Redundant Power Supply Chassis Adapter Module

A NA 1756-IN590

Controllers Used in Non- Redundant Applications

1756-L55M13 ControlLogix 1.5 Mb Controller A 15.513.3111.3210.27

1756-IN101 1756-UM001

1756-L55M16 ControlLogix 7.5 Mb Controller A 15.513.3111.3210.27

1756-L61(2) ControlLogix 2 Mb Controller B 15.413.40




SIL Policy 1-9

I/O Modules - Digital

1756-IA16I AC Isolated Input Module A 3.22.2

1756-IN059 1756-UM058

1756-IA8D AC Diagnostic Input Module A 3.22.6

1756-IN055

1756-IB16D DC Diagnostic Input Module A 3.22.6

1756-IN069

1756-IB16I DC Isolated Input Module A 3.22.2

1756-IN010

1756-IB16ISOE Sequence of Events Module A 1.61.5

1756-IN591 1756-UM528

1756-IB32 DC Input Module B 3.5 1756-IN027 1756-UM058

1756-IH16ISOE Sequence of Events Module A 1.61.5

1756-IN592 1756-UM528

1756-OA16I AC Isolated Output Module A 3.22.1

1756-IN009 1756-UM058

1756-OA8D AC Diagnostic Input Module A 3.33.22.52.4

1756-IN057

1756-OB16D DC Diagnostic Output Module A 3.22.3

1756-IN058

1756-OB16I DC Isolated Output Module A 3.22.1

1756-IN512

1756-OB32 DC Output Module A 3.22.4

1756-IN026

1756-OB8EI DC Isolated Output Module A 3.22.3

1756-IN012

1756-OW16I Isolated Relay Output Module A 3.22.1

1756-IN011

1756-OX8I Isolated Relay Output Module A 3.22.1

1756-IN513




Series:Firmware




1-10 SIL Policy

I/O Modules - Analog

1756-IF16 Single-ended Analog Input Module

A 1.5 1756-IN039 1756-UM009

1756-IF6CIS Isolated Sourcing Analog Input Module

A 1.12 1756-IN579

1756-IF6I Isolated Analog Input Module A 1.121.9

1756-IN034

1756-IF8 Analog Input Module A 1.5 1756-IN040

1756-IR6I RTD Input Module A 1.121.9

1756-IN014

1756-IT6I Thermocouple Input Module A 1.121.9

1756-IN037

1756-IT6I2 Enhanced Thermocouple Input Module

A 1.131.121.11

1756-IN586

1756-OF6CI Isolated Analog Output Module (Current)

A 1.121.9

1756-IN036

1756-OF6VI Isolated Analog Output Module (Voltage)

A 1.121.9

1756-IN035

1756-OF8 Analog Output Module A 1.5 1756-IN015

Communication Modules

1756-CNB(3) ControlNet Communication Module

D 7.125.455.385.27

1756-IN571 CNET-UM001

1756-CNBR Redundant ControlNet Communication Module

D 7.125.455.385.27

1756-CNB ControlNet Communication Communication Module

E 11.2 1756-IN604


E 11.2

1756-DHRIO(4) Data Highway Plus - Remote I/O Communication Interface Module

C 5.3 1756-IN003 1756-UM514

1756-ENBT(5) EtherNet Communication Module

A 4.33.41.33

1756-IN019 1756-UM050

1756-SYNCH(6) SynchLink Module A 2.18 1756-IN575 1756-UM521




Series:Firmware




SIL Policy 1-11

Redundancy Controllers and Modules

1756-L55M13 ControlLogix 1.5 Mb Controller A 15.5713.53

1756-IN101 1756-UM001

1756-L55M16 ControlLogix 7.5 Mb Controller A 15.5713.53

1756-L61 ControlLogix 2 Mb Controller B 15.56



1757-SRM System Redundancy Module B 4.33.37

1757-IN092 1756-UM523


D 7.125.45

1756-IN571 CNET-UM001


D 7.125.45


E 11.2 1756-IN604


E 11.2

1756-ENBT EtherNet Communication Module

A 4.33.4

1756-IN019 1756-UM050

(1) Existing systems that use the 1756-PSCA are SIL2-certified. However, when implementing new SIL2-certified systems or upgrading existing systems, we recommend that you use the 1756-PSCA2 if possible.

(2) Use of any 1756-L6x/B controller requires the use of the Series B versions of the 1756-Px75 power supplies.

(3) Specified ControlNet repeaters may be used in SIL2 applications. See Chapter 5 for more information.

(4) The 1756-DHRIO module is included in this table because this module can be used to connect the safety system to the Data Highway Plus network. However, the Data Highway Plus network is not SIL2-certified and cannot be used as part of the SIL2-certified system. It can only be used to connect non-safety devices to the safety system. Because the module is not part of the safety system, it is not listed in PFD and PFH calculations in Table 1.2 and Table 1.3 later in this chapter.

(5) The 1756-ENBT module is included in this table because this module can be used to connect the safety system to the EtherNet/IP network However, the EtherNet/IP network is not SIL2-certified and cannot be used as part of the SIL2-certified system. It can only be used to connect non-safety devices to the safety system. Because the module is not part of the safety system, it is not listed in PFD and PFH calculations in Table 1.2 and Table 1.3 later in this chapter.

(6) The 1756-SYNCH module is included in this table because this module can be used to propagate time between chassis and to record events that occur in each chassis. Because this module is not used for any safety-related activities, it is not listed in PFD and PFH calculations in Table 1.2 and Table 1.3 later in this chapter.

(7) Catalog numbers that list multiple firmware revisions have multiple revisions that are SIL2-certified. When implementing new SIL2-certified systems or upgrading existing SIL2-certified systems, we recommend that you use the latest certified firmware revision (that is, the higher number). However, systems that continue to use the older firmware revision remain SIL2-certified.

(8) Users must use these series and firmware revisions for their application to be SIL2 certified. Firmware revisions are available by visiting http://support.rockwellautomation.com/ControlFlash/

(9) These publications are available from Rockwell Automation by visiting http://www.rockwellautomation.com/literature.




Series:Firmware




1-12 SIL Policy

Safety Certifications and Compliances

ControlLogix products referenced in this manual may have safety certifications in addition to the TUV SIL. To view addtional safety certifications for products, go to http://www.ab.com and select the Product Certifications link.

Hardware Designs and Firmware Functions

Diagnostic hardware designs and firmware functions designed into the ControlLogix platform allow it to achieve at least SIL2 certification in a single-controller configuration. These diagnostic features are incorporated into specific ControlLogix components, such as the:

• processor

• power supply

• I/O modules

• backplane

and are covered in subsequent sections. The ControlLogix platform’s designs, features and characteristics make it one of the most intelligent platforms.

Some of the ControlLogix features include:

• multiple microprocessors that check themselves and each other

• I/O modules with internal microprocessors

• an I/O architecture that includes modules with backplane connections to the main central processing unit (CPU).

The backplane connections, along with configuration identities, permit a new level of I/O module diagnostics unavailable in earlier platforms.

Difference Between PFD and PFH

Safety-related systems can be classified as operating in either a low demand mode, or in a high demand/continuous mode. IEC 61508 quantifies this classification by stating that the frequency of demands for operation of the safety system is no greater than once per year in the low demand mode, or greater than once per year in high demand/continuous mode. Generally speaking however, the once per year is expanded to ten times per year.

• Probability of failure on demand (PFD) is the SIL value for a low demand safety-related system as related directly to order-of-magnitude ranges of its average probability of failure to satisfactorily perform its safety function on demand.

• The probability of dangerous failure occurring per hour (PFH) is directly related to the SIL value for a high demand/continuous mode safety-related system.


http://www.ab.com

http://www.ab.com

SIL Policy 1-13

Although PFD and PFH values are usually associated with each of the three elements making up a safety-related system (the sensors, the actuators, the logic element), they can be associated with each component of the logic element, that is, each module of a Programmable Controller.

Table 1.2 and Table 1.3 present values of the PFDs and PFHs for the specific ControlLogix products evaluated by TUV.

The Mean Time Between Failure (MTBF) values listed in Table 1.2 and Table 1.3 are calculated from field data for each product. A minimum installed base must exist for at least one year before a value is calculated. It is assumed that the products are in use 16 hours/day, 5 days/week, 52 weeks/year. The Failure Rate (λ) column of Table 1.2 and Table 1.3 is just the reciprocal of MTBF.

For the example PFD calculations, several assumptions were made:

• 50% of the failures of each product reported to Rockwell Automation are dangerous failures.

• The diagnostic coverage (DC) is 90% for modules used in a 1oo1 architecture.

• The diagnostic coverage is 60% for modules used in a 1oo2 architecture.

• The fraction of detected common cause failures (βD) is 1%.

• The fraction of undetected common cause failures (β) is 2%

Because Rockwell Automation does not and can not know every potential application for each product, these very conservative assumptions had to be made to do the calculations.

For the sample calculations presented in this manual, the following values were used as the two application-dependent variables:

• The Mean Time to Restoration (MTTR) is ten hours.

• The Proof Test Interval (T1) is one year (8760 hours).(1)

The equation for PFD, from IEC61508, for a 1oo1 architecture is:

PFD = (λDU + λDD)tCE = λDtCE = λ/2 [T1/2 (1 - DC) + MTTR]

(1) For PFD calculations using proof test intervals of 2 and 4 years, see Appendix E.


1-14 SIL Policy

– where: λDU is the undetected dangerous failure rate (per

hour)λDD is the detected dangerous failure rate (per hour)

tCE is the "channel equivalent mean down time"

λD is the dangerous failure rate (per hour)

λ is the overall product failure rate (per hour)

For a 1oo2 architecture, the PFD equation is much more complex. See IEC61508 Part 6 Annex B.

The PFD values in Table 1.2 are given for the architecture that must be used for specific products to achieve SIL 2.

Table 1.3 includes the same MTBF and Failure Rate values as Table 1.2 but adds calculated PFH values for high demand/continuous mode operation.

The equation for PFH, from IEC61508, for a 1oo1 architecture is:

PFH = λDU = λ/2 (1 - DC)

For a 1oo2 architecture, see Part 6 of IEC61508. The values in Table 1.2 are given for the architecture that must be used for specific products to achieve SIL2.

Table 1.2 ControlLogix Product Probability of Failure on Demand (PFD) Calculations

Catalog Number

Description Mean Time Between Failure (MTBF)(1)

λ(6) Calculated PFD:

1oo1 architecture 1oo2 architecture

1756-Axx ControlLogix Chassis 36,322,045(2) 2.75E-08 6.17E-06 4.85E-07

1756-CNB/D ControlNet Bridge - Series D 5,595,646 1.79E-07 4.00E-05 3.18E-06

1756-CNB/E ControlNet Bridge - Series E 2,944,988(3) 3.40E-07 7.61E-05 6.09E-06

1756-CNBR/D Redundant ControlNet Bridge - Series D

3,109,957 3.22E-07 7.20E-05 5.76E-06

1756-CNBR/E Redundant ControlNet Bridge - Series E

2,864,755(4) 3.49E-07 7.82E-05 6.26E-06

1756-IA16I AC Isolated Input 15,262,520 6.55E-08 1.47E-05 1.16E-06

1756-IA8D AC Diagnostic Input 10,383,360 9.63E-08 2.16E-05 1.70E-06

1756-IB16D DC Diagnostic Input 41,300,480 2.42E-08 5.42E-06 4.26E-07

1756-IB16I DC Isolated Input 19,862,336 5.03E-08 1.13E-05 8.88E-07

1756-IB16ISOE Sequence of Events Module 4,959,088(5) 2.02E-07 4.52E-05 3.59E-06

1756-IB32 DC Input Module 2,468,448 4.05E-07 9.07E-05 7.29E-06

1756-IF8 Single-ended Analog Input Module 2,235,008 4.47E-07 1.00E-04 8.07E-06

1756-IF16 Isolated Sourcing Analog Input Module

2,094,159 4.78E-07 1.07E-04 8.63E-06


SIL Policy 1-15

1756-IF6CIS Isolated Analog Input Module 3,065,920 3.26E-07 7.31E-05 5.84E-06

1756-IF6I Analog Input 2,838,451 3.52E-07 7.89E-05 6.32E-06

1756-IH16ISOE Sequence of Events Module 6,044,122(5) 1.65E-07 3.71E-05 2.94E-06

1756-IR6I RTD Input 3,826,296 2.61E-07 5.85E-05 4.67E-06

1756-IT6I Thermocouple Input 3,002,035 3.33E-07 7.46E-05 5.97E-06


991,929 1.01E-06 2.26E-04 1.88E-05

1756-L55M13 ControlLogix 1.5Mb Controller 2,228,750 4.49E-07 1.01E-04 8.09E-06


1756-L61 ControlLogix 2 Mb Controller 815,822 1.23E-06 2.75E-04 2.31E-05



1756-OA16I AC Isolated Output 10,911,086 9.16E-08 2.05E-05 1.62E-06

1756-OA8D AC Diagnostic Output 6,922,240 1.44E-07 3.24E-05 2.56E-06

1756-OB16D DC Diagnostic Output 14,321,691 6.98E-08 1.56E-05 1.23E-06

1756-OB16I DC Isolated Output 2,371,445 4.22E-07 9.45E-05 7.60E-06

1756-OB32 DC Output Module 1,278,125 7.82E-07 1.75E-04 1.44E-05

1756-OB8EI DC Fused Output 5,853,120 1.71E-07 3.83E-05 3.03E-06


9,296,907 1.08E-07 2.41E-05 1.90E-06


13,062,400 7.66E-08 1.71E-05 1.35E-06

1756-OF8 Analog Output 5,717,675 1.75E-07 3.92E-05 3.11E-06

1756-OW16I Isolated Relay Output Module 1,360,415(5) 7.35E-07 1.65E-04 1.35E-05

1756-OX8I Contact Output 19,281,600 5.19E-08 1.16E-05 9.15E-07

1756-PA75/A AC Power Supply 14,538,606 6.88E-08 1.54E-05 1.21E-06

1756-PA75/B AC Power Supply 5,513,591(5) 1.81E-07 4.06E-05 3.22E-06

1756-PA75R AC Redundant Power Supply 296,978(4) 3.37E-06 7.54E-04 7.06E-05

1756-PB75/A DC Power Supply 10,157,334 9.85E-08 2.21E-05 1.74E-06

1756-PB75/B DC Power Supply 5,884,430(5) 1.70E-07 3.81E-05 3.02E-06

1756-PB75R DC Redundant Power Supply 1,134,848(4) 8.81E-07 1.97E-04 1.63E-05

1756-PC75 DC Power supply 5,894,836(5) 1.70E-07 3.80E-05 3.01E-06

1756-PH75 DC Power supply 5,889,628(5) 1.70E-07 3.80E-05 3.02E-06


Catalog Number





1-16 SIL Policy

For PFD calculations with proof test interval of 5 years, see Appendix E.

1756-PSCA Power Supply Chassis Adapter Module

45,146,727(5) 2.21E-08 4.96E-06 3.90E-07


45,146,727(5) 2.21E-08 4.96E-06 3.90E-07

1757-SRM System Redundancy Module 835,357 1.20E-06 2.68E-04 2.25E-05

(1) MTBF measured in hours. The values used here represent values available in September 2006.

(2) Aggregate based on total shipments and total returns of all five chassis (1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17) collectively.

(3) Calculated using field-based values for components.



(6) λ = Failure Rate = 1/MTBF.


Catalog Number





SIL Policy 1-17

Table 1.3 ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations

Catalog Number Description Mean Time Between Failure (MTBF)(1)

λ(5) Calculated PFH:


1756-Axx ControlLogix Chassis 36,322,045(2) 2.75E-08 1.38E-09 1.93E-10



1756-CNBR/D Redundant ControlNet Bridge - Series D

3,109,957 3.22E-07 1.61E-08 2.34E-09

1756-CNBR/E Redundant ControlNet Bridge - Series E

2,864,755(5) 3.49E-07 1.75E-08 2.55E-09

1756-IA16I AC Isolated Input 15,262,520 6.55E-08 3.28E-09 4.62E-10




1756-IB16ISOE Sequence of Events Module 4,959,088(5) 2.02E-07 1.01E-08 1.45E-09


1756-IF8 Single-ended Analog Input Module 2,235,008 4.47E-07 2.24E-08 3.30E-09

1756-IF16 Isolated Sourcing Analog Input Module

2,094,159 4.78E-07 2.39E-08 3.54E-09

1756-IF6CIS Isolated Analog Input Module 3,065,920 3.26E-07 1.63E-08 2.37E-09

1756-IF6I Analog Input 2,838,451 3.52E-07 1.76E-08 2.57E-09

1756-IH16ISOE Sequence of Events Module 6,044,122(5) 1.65E-07 8.27E-09 1.18E-09

1756-IR6I RTD Input 3,826,296 2.61E-07 1.31E-08 1.89E-09



991,929 1.01E-06 5.04E-08 7.93E-09






1756-OA16I AC Isolated Output 10,911,086 9.16E-08 4.58E-09 6.49E-10

1756-OA8D AC Diagnostic Output 6,922,240 1.44E-07 7.22E-09 1.03E-09






1-18 SIL Policy


9,296,907 1.08E-07 5.38E-09 7.63E-10


13,062,400 7.66E-08 3.83E-09 5.41E-10










1756-PC75 DC Power supply 5,894,836(5) 1.70E-07 8.48E-09 1.21E-09

1756-PH75 DC Power supply 5,889,628(5) 1.70E-07 8.49E-09 1.21E-09

1756-PSCA Power Supply Chassis Adapter Module

45,146,727(5) 2.21E-08 1.11E-09 1.55E-10


45,146,727(5) 2.21E-08 1.11E-09 1.55E-10





(4) Assumes that both power supplies fail simultaneously.

(5) λ = Failure Rate = 1/MTBF

Table 1.3 ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations





SIL Policy 1-19

Table 1.4 shows an example of a PFD calculation for a fail-safe configuration involving two DC input modules used in a 1oo2 configuration and a DC output module.The exaple calculation is depicted in the first loop shown in Figure 1.4 on page 1-20 .

Table 1.4

Catalog Number: Description: MTBF: Calculated PFD:

1756-Axx ControlLogix Chassis

36,322,045 6.17E-06

1756-L55M16 ControlLogix 5555 Controller

1,644,933 1.36E-04

1756-OB16D DC Output 14,321,691 1.56E-05

1756-IB16D DC Diagnostic Input

41,300,480 4.26E-07

Total PFD calculation for a safety loop consisting of these products: 1.58E-04


1-20 SIL Policy

SIL Compliance Distribution and Weight

The programmable controller may conservatively be assumed to contribute 10% of the reliability burden. (See Figure 1.4.) A SIL 2 system may need to incorporate multiple inputs for critical sensors and input devices, as well as dual outputs connected in series to dual actuators dependent on SIL assessments for the safety related system. (See Figure 1.4)

Figure 1.4 ControlLogix Systems or Loop

ActuatorControllerDiag.

Output Module

+V

43383

43384

Power Supply

Input Module

Sensor

Sensor

40% of the PFD

10% of the PFD

50% of the PFD

Actuator

+V

10% of the PFD

50% of the PFD

Input Module

ControllerStandard Output Module

Power Supply

Input Module

Input Module

Monitoring Input

Module

Sensor

Sensor

40% of the PFD


SIL Policy 1-21

Other Agency Certifications User documentation shipped with ControlLogix products typically list the agency certifications for which the products are approved. If a product has achieved agency certification, it is marked as such on the product labeling. Product certifications are listed in the product’s specifications table, as shown in the example below.

Response Times The response time of the system is defined as the amount of time it takes for a change in an input condition to be recognized and processed by the controller’s ladder logic program, and then to initiate the appropriate output signal to an actuator. The system response time is the sum of the following:

• input hardware delays

• input filtering

• I/O and communication module RPI settings

• controller program scan times

• output module propagation delays

Each of the times listed above is variably dependent on factors such as the type of I/O module and instructions used in the ladder program. For examples of how to perform these calculations, see Appendix A, Response Times in ControlLogix.

For more information on the available instructions and for a full description of logic operation and execution, see the following publications:

• Logix5000 Controllers General Instruction Set Reference Manual, publication 1756-RM003.

• ControlLogix System User Manual, publication 1756-UM001.

Certification UL UL Listed Industrial Control Equipment

CSA CSA Certified Process Control Equipment for Class I, Division 2 Group A,B,C,D Hazardous Locations

FM FM Approved Equipment for use in Class I Division 2 Group A,B,C,D Hazardous Locations

CE European Union 89/336/EEC EMC Directive, compliant with:

EN 50081-2; Industrial Emissions

C-Tick Australian Radio Communications Act, compliant with:

AS/NZS 2064; Industrial Emissions


1-22 SIL Policy

Response Times in Redundancy Systems

The response time of a system that uses redundancy is different from a system that does not use redundancy. The redundancy system has a longer response time because:

• The primary controller must keep the secondary up-to-date and ready to take over control in case of a switchover. This process of cross-loading fresh data at the end of each program scan increases scan time.

You can plan your project effectively (e.g., minimize the use of SINT or INT tags, use arrays and user-defined data types) to minimize the scan time in a redundancy system. Generally, the primary controller in a redundancy system has a 20% slower response time than the controller in a non-redundancy system.

• The switchover between controllers slows system response. The switchover time of a redundancy system depends on the network update time (NUT) of the ControlNet network. To estimate the switchover time, use the following formulas:

For more information on response times in redundancy systems, see the ControlLogix Redundancy System User Manual, publication 1756-UM523.

For this type of failure: If the NUT is: The switchover time is: Example:

loss of power

–or–

module failure

< 6 60 ms For a NUT of 4 ms, the switchover time is approximately 60 ms.

> 7 5 (NUT) + MAX (2[NUT], 30) For a NUT of 10 ms, the switchover time is approximately 80 ms.

1756-CNB module cannot communicate with any other node

14 (NUT) + MAX (2[NUT], 30) + 50 For a NUT of 10 ms, the switchover time is approximately 220 ms.


SIL Policy 1-23

Program Watchdog Time in ControlLogix System

The program watchdog (also known as the software watchdog) time is a user-defined time that is set in the controller attributes menu of the RSLogix 5000 software. See the ControlLogix System User Manual, publication number 1756-UM001 for more information. The publication is available from Rockwell Automation.

The program watchdog time is the maximum permissible time allowed for a RUN cycle (cycle time). If the cycle time exceeds the program watchdog time, a major fault occurs on the controller. Users must monitor the watchdog and program the system outputs to transition to the safe state (typically the OFF state) in the event of a major fault occurring on the controller. For more information on faults, see Chapter 7, Faults in the ControlLogix System.

The program watchdog time must be ≥ 10 ms and must be < 50% of the safety time required for a ControlLogix system. The safety time is the maximum amount of time in which the process tolerates a wrong signal.

Contact Information When Device Failure Occurs

When users experience a failure with any SIL2-certified ControlLogix device, they should contact their local Rockwell Automation sales office. With this contact, the user can:

• return the device to Rockwell Automation so the failure is appropriately logged for the catalog number affected and a record made of the failure.

• request a failure analysis (if necessary) to determine the cause of the failure, if possible.


1-24 SIL Policy


Chapter 2

The ControlLogix System

This chapter offers an overview of some standard features in the ControlLogix architecture that assist in its suitability for use in SIL2 applications.

General Overview of ControlLogix Platform

Many of the diagnostic methods and techniques used in the ControlLogix platform are improved versions of techniques and designs previously incorporated into Allen-Bradley PLC platforms over the last three decades.

These are designs that have evolved to maintain the robustness and deterministic response that our customers have come to expect as they migrated from electromechanical to solid state technology.

The self-checking routines and diagnostics performed by microprocessor-based systems (for example, ControlLogix) have greatly advanced over the years. Programmable controllers such as ControlLogix can be programmed and configured to perform checks on the total system, including its own configuration, wiring, and performance, as well as monitor input sensors and output devices.


General Overview of ControlLogix Platform 2-1

Overview of the ControlLogix Architecture 2-2

Module Fault Reporting 2-3

Fault Handling 2-3

Data Echo Communication Check 2-4

Pulse Test 2-5

Software 2-6

Communications 2-6

Other Unique Features that Aid Diagnostics 2-7


2-2 The ControlLogix System

If an anomaly (other than automatic shutdown) is detected, the system can be programmed to initiate user-defined fault handling routines. Output modules can turn OFF selected outputs in the event of a failure. New diagnostic I/O modules self-test to make sure that field wiring is functioning. Output modules use pulse testing to make sure output switching devices are not shorted. Using these internal features, as well as application software when needed, today’s ControlLogix customers are able to achieve highly reliable control systems.

Overview of the ControlLogix Architecture

Rockwell Automation’s latest generation of programmable controllers is the ControlLogix system. Inherent in its design and implementation are several features that surpass anything offered in previous product architectures. The inclusion of these features represent improvements driven by customer demand for uptime and reliability as well as Rockwell’s long-developed design experience in producing these types of products.

One of the most significant changes in the architecture is the implementation of the Producer/Consumer (P/C) communication model between controller and I/O. The P/C communication model replaces traditional ‘polling’ of I/O modules and, consequently, has changed the overall behavior of these components vis-a-vis their counterparts in previous architectures. Input modules “produce” data, controller and output modules both “produce” and “consume” data.

These changes were embraced because of the enhanced data integrity and fault reporting capabilities they provide. I/O modules now exchange much more than simply the ON/OFF state of the devices they are connected to. Module identification information, communication status, fault codes and, through the use of specially-designed modules, field-side diagnostics can now all be retrieved from the I/O system as part of the standard feature set of the Producer/Consumer communication model. (See Figure 2.1).

Figure 2.1

43374

Producer/Consumer Communication Model

Logix Controller

Input Modules Output Modules

Commonly Shared Data


The ControlLogix System 2-3

Module Fault Reporting

One of the key concepts in this model is Ownership. Every module in the control system is now “owned” by at least one controller in the architecture. When a controller “owns” an I/O module, it means that that controller stores the module’s configuration data, defined by the user; this data dictates how the module behaves in the system. Inherent in this configuration and ownership is the establishment of a “heartbeat” between the controller and module; this heartbeat is also known as the Requested Packet Interval (RPI).

The existence of the RPI forms the basis for Module Level Fault reporting in the ControlLogix architecture, a capability which is inherent to all ControlLogix I/O modules.

For more information on module fault reporting in the ControlLogix controller, specifically the GSV instructions, see Chapter 7, Faults in the ControlLogix System.

Fault Handling

The RPI defines a minimum time interval in which the controller and I/O module must communicate with each other. If, for any reason, communications cannot be established or maintained (that is, the I/O module has failed), the system can be programmed to run a special Fault Handling routine. This routine determines whether the system must continue functioning or whether the fault condition warrants a shutdown of the application.

For example, the system can be programmed to retrieve the fault code of the failed module and make a determination, based on the type of fault, as to whether to continue operating. In addition, standard ControlLogix output modules are also capable of reporting blown-fuse status and loss of field power back to the controller.

This ability of the controller to monitor the health of I/O modules in the system and take appropriate action based on the severity of a fault condition gives the user complete control of the application’s behavior when trouble occurs. It is the user’s responsibility to establish the course of action appropriate to their safety application.

For more information on Fault Handling, see Chapter 7, Faults in the ControlLogix System.



Data Echo Communication Check

Another powerful by-product of the p/c communication model and the implementation of the Control and Information Protocol (CIP) protocol is the Output Data Echo, a communication method employed between owner-controllers and every output module in the system. Output Data Echo allows the user to verify that an ON/OFF output command from the controller was actually received by the correct output module, and that the module will attempt to execute the command to the field device connected to it.

During normal operation, when a controller sends an output command, the output module that is targeted for that command will “echo” that requested state back to the system upon its receipt. This verifies that the module has received the command and will try to execute it. By comparing the requested state from the controller to the Data Echo received from the module, the user can validate that the signal has reached the correct module and that the module will attempt to activate the appropriate field-side device. Again, it is the user’s responsibility to establish the course of action appropriate to their safety application.

When used with standard ControlLogix output modules, the Data Echo validates the command up to the system-side of the module, but not to the field-side. However, when this feature is used in tandem with diagnostic output modules, the user can virtually verify the output command integrity from the controller to the actuator connected to the module.

Diagnostic output modules contain special circuitry that performs Field Side Output Verification. Field Side Output Verification informs the user that system-side commands received by the module are accurately represented on the power side of the switching device. In other words, for each output point, this feature confirms that the output is ON when it is commanded to be ON or OFF when commanded to be OFF.

The capability of comparing the actual state of the field-side of the diagnostic module’s output against what the controller commands gives the user the ability to make sure that the module is performing what the control system is requesting, once that output command has been issued.



Figure 2.2 Output Module Behavior in the ControlLogix System

Pulse Test

A diagnostic output module feature called a Pulse Test can verify output circuit functionality without actually changing the state of the actuator connected to the output. Under user program control, an extremely short-duration pulse is directed to a particular output on the module. The output circuitry will momentarily change its current state long enough to verify that it CAN change state when requested, but short enough in duration (the actual pulse is measured in milliseconds) not to effect the actuator connected to the output. This powerful feature allows a user to perform a preemptive diagnosis of possible future module conditions before they occur.

Standard ControlLogix I/O

Information

Additional Field-Side Information provided by

Diagnostic Output modules

Output Commands from Controller

Data Echo validation from system-side

Field-side Output Verification, Pulse Test status plus No Load detection

Actuator



Software

The location, ownership and configuration of I/O modules and controllers is performed using RSLogix 5000 programming software. The software is used for creation, testing and debugging of application logic.

When using RSLogix 5000, users must remember the following:

• During normal SIL2-certified operation:

– we recommend the programming terminal be disconnected.

– the keyswitch must be set to the RUN position.

– the controller key must be removed from the keyswitch.

• Authorized personnel may change an application program but only by using one of the processes described in section Changing Your Application Program on page 9-6.

Communications

ControlNet forms the basis for I/O communications on the ControlLogix backplane and over the network. It is an industry-proven network that incorporates 16-bit CRC and a standard CIP network protocol. You must use RSNetWorx for ControlNet software to schedule the network. The correct scheduling of the network is independently verified by the controller after the program is downloaded; the schedule must match the RSLogix 5000 program. The software also provides user-defined fault handing (for example, execute fault routine) in the case of errors.

A serial port is available on the controller for download or visualization only. It uses an industry-proven DF-1 serial link protocol that has a selection of either 8-bit BCC checksum or 16-bit CRC. The serial port also uses an industry standard CIP network protocol running on the DF-1 link.

EtherNet/IP connection is also available for download, monitoring and visualization.



Other Unique Features that Aid Diagnostics

These are just a few examples of how the inherent characteristics of the ControlLogix I/O system provides the user with an unprecedented capability to diagnose and react to fault conditions in an application. There are many other unique features that differentiate it from previous iterations of programmable controllers, such as:

• Timestamping of I/O and diagnostic data

• Electronic keying based on module identification – During module configuration, you must choose one of the following keying options for your module:

– Exact Match

– Compatible Module

– Disable Keying

When the controller attempts to connect to and configure a ControlLogix module (e.g., after program download), the module compares the specific parameters, defined by the keying option selected, before allowing the connection and configuration to be accepted.

We recommend that you use Exact Match whenever possible. With Exact Match, all module comparisons between the configuration and the module physically located in the slot that the controller is attempting to configure must be identical or the connection is rejected.

For more information on these features, see the Digital I/O user manual, publication number 1756-UM058.

IMPORTANT Some I/O modules listed in Table 1.1 on page 1-8, may not have configuration profiles for the version of RSLogix 5000 being used. You may use Disable Keying in these instances.

For example, the 1756-IB32/B module does not have a profile in RSLogix 5000, version 11. In this case, the 1756-IB32/A profile can be used to configure the series B module as long as the Disable Keying option is selected.

However, if you use the Disable Keying option, you must verify that the correct module is used with your configuration in a SIL2-certified system.



Checklist for the ControlLogix System

The following checklist is required for planning, programming and start up of a SIL2-certified ControlLogix system. It may be used as a planning guide as well as during proof testing. If used as a planning guide, the checklist can be saved as a record of the plan.

Check List for ControlLogix System(1)

Company:

Site:

Loop definition:

No. Fulfilled Comment

Yes No

1 Are you only using the SIL2-certified ControlLogix modules listed in Table 1.1 on page 1-8, with the corresponding firmware release listed in the table, for your safety application?

2 Have you calculated the system’s response time?

3 Does the system’s response time include both the user-defined, SIL-task program watchdog (software watchdog) time and the SIL-task duration time?

4 Is the system response time in proper relation to the process tolerance time?

5 Have PFD values been calculated according to the system’s configuration?

6 Have you performed all appropriate proof tests?

7 Have you defined your process parameters that are monitored by fault routines?

8 Have you determined how your system will handle faults?

9 Have you taken into consideration the checklists for using SIL inputs and outputs listed on pages 6-25 and 6-26.

(1) For more information on the specific tasks in this checklist, see the previous sections in the chapter or Chapter 1, SIL Policy.


Chapter 3

ControlLogix System Hardware

This chapter discusses the hardware required in SIL2-certified ControlLogix systems.

Introduction to the Hardware

SIL2-certified ControlLogix systems can use the following chassis and power supply hardware:

• ControlLogix Chassis - Including the following catalog numbers:

– 1756-A4

– 1756-A7

– 1756-A10

– 1756-A13

– 1756-A17

• ControlLogix Power Supplies - Including the following catalog numbers:

– 1756-PA75

– 1756-PB75

– 1756-PA75R

– 1756-PB75R

– 1756-PC75

– 1756-PH75

– 1756-PSCA

– 1756-PSCA2

– 1756-CPR cables


Introduction to the Hardware 3-1

ControlLogix Chassis 3-2

ControlLogix Power Supplies 3-2

Non-Redundant Power Supply 3-2

Redundant Power Supply 3-3

Recommendations for System Hardware Use 3-3

Related ControlLogix Hardware Documentation 3-4


3-2 ControlLogix System Hardware

ControlLogix Chassis The ControlLogix 1756-Axx chassis provide the physical connections between modules and the ControlLogix backplane. These connections allow for P/C communications between controllers and I/O modules. The chassis itself is passive and is not relevant to further discussion since any physical failure would be unlikely under normal environmental conditions and would be manifested and detected as a failure within one or more of the active components.

ControlLogix Power Supplies

ControlLogix power supplies are designed with noise filtering and isolation to reduce the opportunity for induced contamination of the supplied voltages. The power supply monitors the backplane power and generates control signals (for example, DC_FAIL_L) to indicate if power failure is imminent. Anomalies in the supplied voltages immediately shut down the power supply. The power supply monitors all power supply voltages via sense lines.

All ControlLogix power supplies are designed to:

• detect anomalies

• communicate to the controllers with enough stored power to allow for an orderly and deterministic shutdown of the system, including the controller and I/O

Non-Redundant Power Supply

ControlLogix non-redundant power supplies (i.e one power supply is connected to a chassis) certified for use in SIL2 applications include the following catalog numbers:

• 1756-PA75 - AC power supply

• 1756-PB75 - DC power supply

• 1756-PC75 - DC power supply

• 1756-PH75 - DC power supply

IMPORTANT No extra configuration or wiring is required for SIL2 operation of the ControlLogix power supplies.

IMPORTANT When non-redundant power supplies are used with 1756-L6x controllers, they must be Series B.


ControlLogix System Hardware 3-3

Redundant Power Supply

ControlLogix redundant power supplies (i.e two power supplies are connected to the same chassis) certified for use in SIL2 applications include the following catalog numbers:

• 1756-PA75R - AC power supply

• 1756-PB75R - DC power supply

• 1756-PSCA - Redundant power supply chassis adapter module required with the use of redundant power supplies

• 1756-PSCA2 - Redundant power supply chassis adapter module required with the use of redundant power supplies

• 1756-CPR cables

The power supplies share the current load required by the chassis and an internal solid state relay that can annunciate a fault. Upon detection of a failure in one supply, the other redundant power supply automatically assumes the full current load required by the chassis without disruption to devices installed.

The 1756-PSCA and 1756-PSCA2 redundant power supply chassis adapter modules connect the redundant power supply to the chassis.

For additional ControlLogix power supply information, see the documentation referenced in the Related ControlLogix Hardware Documentation section on page 3-4.

Recommendations for System Hardware Use

Users must consider the recommendations listed below when using SIL2-certified ControlLogix hardware:

Chassis

When installing ControlLogix chassis, follow the information provided in the product documentation listed in the Related ControlLogix Hardware Documentation section on page 3-4.


3-4 ControlLogix System Hardware

Power Supplies

Users must consider these recommendations when using SIL2-certified ControlLogix power supplies:

• When installing ControlLogix power supplies, follow the information provided in the product documentation listed in the Related ControlLogix Hardware Documentation section on page 3-4.

• A non-redundant power supply can be used if it meets the user-defined PFD criteria.

• For high availability SIL2 applications, the redundant power supply is recommended.

• It is recommended that the solid state fault relay on each power supply be wired from an appropriate voltage source to an input point in ControlLogix so the user can detect and display a power supply fault.

Related ControlLogix Hardware Documentation

For more information on ControlLogix hardware, see the Rockwell Automation publications listed in Table 3.1:

These publications are available from Rockwell Automation at:

http://www.rockwellautomation.com/literature

Table 3.1

Catalog Number: Description: Installation Instructions:

1756-A4, A7, A10, A13 & A17 ControlLogix Chassis 1756-IN080

1756-PA75 AC Power supply 1756-5.78

1756-PB75 DC Power supply

1756-PA75/B AC Power supply 1756-IN596

1756-PB75/B DC Power supply

1756-PA75R AC Redundant power supply

1756-IN573

1756-PB75R DC Redundant power supply

1756-PC75 DC Power supply 1756-IN597

1756-PH75 DC Power supply 1756-IN589

1756-PSCA Redundant Power Supply Chassis Adapter Module

1756-IN574


1756-IN590


Chapter 4

ControlLogix Controller

This chapter discusses the ControlLogix controller as used in a SIL2-certified system.

Introduction to the Controller

The ControlLogix controllers used in a SIL2-certified ControlLogix system is a solid-state control system with a user-programmable memory for storage of data to implement specific functions, such as:

• I/O control

• Logic

• Timing

• Counting

• Report generation

• Communications

• Arithmetic

• Data file manipulation

The controller consists of a central processor, I/O interface and memory.

The controller performs power-up and run-time functional tests. The tests are used with user-supplied application programs to verify proper controller operation.

CompactFlash Card

A 1784-CF64 Industrial CompactFlash card provides nonvolatile memory for the 1756-L61, 1756-L62 and 1756-L63 controllers. However, the use of this card is NOT yet certified, and may NOT be used in a SIL2-certified application.


4-2 ControlLogix Controller

Recommendations for Controller Use

Users must consider the recommendations listed below when using a SIL2-certified ControlLogix controller:

• In non-redundant applications, use only one controller in SIL2-certified ControlLogix loop. The controller must own the configuration information for all I/O modules associated with the safety loop.

• When installing ControlLogix controller, follow the information provided in the documentation listed in the Related Controller Documentation section below.

• There are currently separate firmware revisions for redundant and non-redundant operation. For more information on the revisions, see Table 1.1 on page 1-8.

Related Controller Documentation

For more information on the ControlLogix controller, see the following Rockwell Automation publications listed in Table 4.1:



Table 4.1

Catalog Number: Description:

Installation Instructions:

User Manual:

1756-L55M13 ControlLogix 1.5Mb Controller 1756-IN101 1756-UM001

1756-L55M16 ControlLogix 7.5Mb Controller

1756-L61 ControlLogix 2 Mb Controller




Chapter 5

ControlLogix Communications Modules

This chapter discusses the communication modules used in a ControlLogix SIL2 system.

Introduction to Communication Modules

The communications modules in a SIL2-certified ControlLogix system provide communication bridges from a ControlLogix chassis to other chassis or devices via the ControlNet and Ethernet networks. The following communications modules are available:

• ControlNet modules - Catalog numbers 1756-CNB & 1756-CNBR

• Ethernet modules - Catalog number 1756-ENBT

• Data Highway Plus – Remote I/O - Catalog number 1756-DHRIO

• SynchLink – Catalog number 1756-SYNCH

ControlLogix communications modules can be used in peer-to-peer communications between ControlLogix devices. The communications modules can also be used for expansion of I/O to additional ControlLogix remote I/O chassis.


Introduction to Communication Modules 5-1

ControlNet Bridge Module 5-2

ControlNet Cabling 5-2

ControlNet Module Diagnostic Coverage 5-2

Ethernet Module 5-3

Ethernet Versus ControlNet 5-3

Related Communications Modules Documentation

5-5


5-2 ControlLogix Communications Modules

ControlNet Bridge Module The ControlNet bridge module (1756-CNB & 1756-CNBR) provides for the communications between ControlLogix chassis over the ControlNet network.

ControlNet Cabling

For remote racks, a single RG6 coax cable is required for ControlNet. Although it is not a requirement to use redundant media with the 1756-CNBR, it does provide higher system reliability. Redundant media is not required for SIL2 operation.

ControlNet Repeater

The following ControlNet repeater modules are approved for use in safety applications up to and including SIL2:

• 1786-RPFS, Short-distance Fiber Repeater Module

• 1786-RPFM, Medium-distance Fiber Repeater Module

• 1786-RPFRL, Long-distance Fiber Repeater Module

• 1786-RPFRXL, Extra-long-distance Fiber Repeater Module

Use of adapter 1756-RPA is required with all of the repeater modules listed. For more information about the use of ControlNet Repeater modules, see Table 5.1.

ControlNet Module Diagnostic Coverage

All communications over the passive ControlNet media occur via CIP, which guarantees delivery of the data. All modules independently verify proper transmission of the data.

Table 5.1 For More Information About Repeater Modules

Topic Publication Title Publication Number

Planning for and installing ControlNet repeater modules.

ControlNet Fiber Media Planning and Installation Guide

CNET-IN001

Use of repeaters in safety applications.

TUV Report 986/EZ 986/EZ 135.03.05


ControlLogix Communications Modules 5-3

Ethernet Module The Ethernet bridge module (1756-ENBT) provides for the communications from one ControlLogix chassis to other devices over the Ethernet network.

The Ethernet link is based on industry-standard CIP network protocol running on top of TCP and UDP using 32-bit CRC. Also, TCP and UDP with 16-bit Checksums are running on top of Ethernet.

Ethernet Versus ControlNet Although it may be acceptable to use Ethernet for specific applications, such as program download, Ethernet requires a switch for a “star” configuration. Rockwell Automation does not sell or reference a SIL2/SIL3 Ethernet switch. Also Ethernet is an “active” media whereas ControlNet uses a “passive” media (that is, very low failure rate).



Data Highway Plus - Remote I/O

The Data Highway Plus - Remote I/O Communication Interface module (1756-DHRIO) supports multiple types of communication. However, you can only use the DH+ portion of the module’s functionality in SIL2 applications.

SynchLink The SynchLink module (1756-SYNCH) is used for CST time propagation between multiple chassis for event recording. The module cannot be used for any safety-related activity in a SIL2-certified ControlLogix system.

Recommendations for Communications Modules Use

Users must consider the recommendations listed below when using SIL2-certified communications modules:

• When installing ControlLogix communications modules, follow the information provided in the documentation listed in the Related Communications Modules Documentation section on page 5-5.

• Use Ethernet for communications to Human-to-Machine Interfaces (HMI) and programming terminals only. For more information on using HMI, see Figure 1.2 on page 1-4 and Chapter 10, Use and Application of Human to Machine Interfaces.

• Use DH+ for communications to Human-to-Machine Interfaces (HMI) and for communicating with the non-safety portion of the system. For more information on using HMI, see Figure 1.2 on page 1-4 and Chapter 10, Use and Application of Human to Machine Interfaces.

• Remote I/O chassis should be connected via ControlNet only.

• Peer-to-peer communications to controllers outside the safety loop are restricted to ControlNet only and should occur only if the controller in the safety loop is sharing its own information (for example, via produced tags) with other controllers outside the loop.

• For exchanging I/O data, use listen-only connections.

• For exchanging non-I/O data, use producer/consumer tags.


ControlLogix Communications Modules 5-5

• Typically, no devices must be permitted to write data to the controller in the safety loop. The only exception to this recommendation is the use of HMI devices. For more information on how to use HMI in the safety loop,see Chapter 10.

For more information on connecting remote I/O chassis and peer-to-peer communication, see Figure 1.2 on page 1-4.

Related Communications Modules Documentation

For more information on ControlLogix communications modules, see the following Rockwell Automation publications listed in Table 5.2:



Table 5.2

Catalog Number: Description:


User Manual:

1756-CNB ControlNet Communication Module

1756-IN571 CNET-UM001


1756-DHRIO Data Highway Plus - Remote I/O Communication Interface Module

1756-IN003 1756-UM514

1756-ENBT EtherNet Communication Module

1756-IN019 ENT-UM001

1756-SYNCH SynchLink Module 1756-IN575 1756-UM521




Chapter 6

ControlLogix I/O Modules

This chapter discusses the ControlLogix I/O modules that are SIL2 certified.

Overview of ControlLogix I/O Modules

In the most basic description, there are two types of SIL2-certified ControlLogix I/O modules:

• Digital I/O modules

• Analog I/O modules

With each type, however, there are differences between specific modules. Because the differences propagate to varying levels in each module type, a graphical representation can best provide an overview of the many SIL2-certified ControlLogix I/O modules.


Overview of ControlLogix I/O Modules 6-1

Module Fault Reporting for any ControlLogix I/O Module

6-4

Using Digital Input Modules 6-5

Wiring ControlLogix Digital Input Modules 6-6

Using Digital Output Modules 6-7

Wiring ControlLogix Digital Output Modules 6-10

Using Analog Input Modules 6-13

Wiring ControlLogix Analog Input Modules 6-16

Checklist for SIL Inputs 6-25

Checklist for SIL Outputs 6-26


6-2 ControlLogix I/O Modules

Figure 6.1 shows the SIL2-certified ControlLogix I/O modules. Each type, digital or analog, is described in greater detail throughout the rest of this chapter.

Figure 6.1

ControlLogix I/O modules are designed with inherent features that assist them in complying with the requirements of the 61508 Standard. For example, the modules all have a common backplane interface ASIC, execute power-up and runtime diagnostics, offer electronic keying and offer producer-consumer communication.

43372

SIL2-Certified ControlLogix I/O Modules

Digital I/O Modules Analog I/O Modules

Diagnostic Digital Modules

Standard Digital Modules

Diagnostic Digital Input Modules,

including:

1756-IA8D1756-IB16D

Diagnostic Digital Output Modules,

including:

1756-OA8D1756-OB16D

Standard Digital Input Modules,

including:

1756-IA16I1756-IB16I

1756-IB16ISOE1756-IB32

1756-IH16ISOE

Standard Digital Output Modules,

including:

1756-OA16I1756-OB16I1756-OB321756-OB8EI1756-OW16I1756-OX8I

Analog Input Modules, including:

1756-IF161756-IF6CIS

1756-IF6I1756-IF81756-IR6I1756-IT6I1756-IT6I2

Analog Output Modules, including:

1756-OF6CI1756-OF6VI1756-OF8


ControlLogix I/O Modules 6-3

For SIL2 compliance when installing ControlLogix I/O modules, follow the information provided in the documentation listed in Table 6.1.

Table 6.1 lists the ControlLogix I/O modules initially submitted for SIL2 certification and shown in Figure 6.1.


Module Type: Catalog Number: Description:

Related Documentation:


User Manual:

Digital 1756-IA16I AC Isolated Input Module 1756-IN059 1756-UM058

1756-IA8D AC Diagnostic Input Module 1756-IN055

1756-IB16D DC Diagnostic Input Module 1756-IN069

1756-IB16I DC Isolated Input Module 1756-IN010

1756-IB16ISOE Sequence of Events Module 1756-IN591 1756-UM528

1756-IB32 DC Input Module 1756-IN027 1756-UM058

1756-IH16ISOE Sequence of Events Module 1756-IN592 1756-UM528

1756-OA16I AC Isolated Output Module 1756-IN009 1756-UM058

1756-OA8D AC Diagnostic Input Module 1756-IN057

1756-OB16D DC Diagnostic Output Module 1756-IN058

1756-OB16I DC Isolated Output Module 1756-IN512

1756-OB32 DC Output Module 1756-IN026

1756-OB8EI DC Isolated Output Module 1756-IN012

1756-OX8I Isolated Relay Output Module 1756-IN513

1756-OW16I Isolated Relay Output Module 1756-IN011

Analog 1756-IF16 Single-ended Analog Input Module 1756-IN039 1756-UM009


1756-IN579

1756-IF6I Isolated Analog Input Module 1756-IN034

1756-IF8 Analog Input Module 1756-IN040

1756-IR6I RTD Input module 1756-IN014

1756-IT6I Thermocouple Input module 1756-IN037


1756-IN586


1756-IN036


1756-IN035

1756-OF8 Analog Output Module 1756-IN015



Module Fault Reporting for any ControlLogix I/O Module

Users must make sure that all ControlLogix I/O modules are operating properly in the system. If the modules are not operating properly, the user must initiate a fault routine when a fault occurs. This can be accomplished in ladder logic through the use of the Get System Value instruction (GSV) and an examination of the MODULE Object’s ’Entry Status’ attribute for a running condition.

An example of how this might be done is shown in Figure 6.2. This method, or something similar, must be used to interrogate the health of each I/O module in the system.

Figure 6.2 Example of Checking a Module’s Health in Ladder Logic

For more information on the GSV instruction and MODULE Objects, see Chapter 7, Faults in the ControlLogix System. For more information on creating Fault Routines, see Appendix B, System Self-Testing and User-Programmed Responses.

GSV

Obtain MODULE Object’s Entry Status

AND

Mask Off Lower 12 Bits of Value

NEQ

Check Entry Status to make sure module is running

Fault



Using Digital Input Modules

ControlLogix digital input modules are divided into two categories:

• Diagnostic input modules

• Standard input modules

These modules share many of the same inherent architectural characteristics. However, the diagnostic input modules incorporate features that allow diagnosing of field-side failures. These features include broken wire (that is, wire-off) detection and, in the case of AC Diagnostic modules, loss of line power.

General Considerations when using Any ControlLogix Digital Input Module

Regardless of the type of ControlLogix input module used, there are a number of general application considerations that users must follow when applying these modules in a SIL2 application:

• Proof Tests - Periodically (for example, once every several years) a System Validation test must be performed. Manually, or automatically, test inputs to make sure that all inputs are operational and not stuck in the ON or OFF state. Inputs must be cycled from ON to OFF or OFF to ON. For additional information on Proof Tests, see page 1-6 and Figure 9.1 on page 9-5.

• Always use a direct connection with diagnostic input modules located in remote chassis.

• Wire sensors to separate input points on two separate modules.

• Configuration parameters (for example, RPI, filter values) must be identical between the two modules.

• The same controller must own both modules.

For operational state information, see Chapter 1, SIL Policy.



Wiring ControlLogix Digital Input Modules

The wiring diagrams in Figure 6.3 show two methods of wiring the digital input Module. In either case, users must determine whether the use of 1 or 2 sensors is appropriate to fulfill SIL2 requirements.

Figure 6.3 ControlLogix Digital Input Module Wiring

Application logic can compare input values or states for concurrence.

Figure 6.4

The user program must also contain rungs to annunciate a fault in the event of a sustained miscompare between two points.

Figure 6.5

The control, diagnostics and alarming functions must be performed in sequence. For more information on faults, see Chapter 7, Faults in the ControlLogix System.

Optional Relay contact to switch line voltage for periodic automated testing

+ Line

Input B1Input A1

43366

Input B2Input A2

Sensor

Sensor

One-Sensor Wiring Example Sensor

Two-Sensor Wiring Example

Input BInput A

Actuator

Input BInput A

Input BInput A

Timer

Timer preset in milliseconds to compensate for filter time and hardware delay differences.

Fault

Timer Done

Alarm to Operator

Fault



Using Digital Output Modules

ControlLogix digital output modules are divided into two categories:

• Diagnostic output modules

• Standard output modules

These modules share many of the same inherent architectural characteristics. However, the diagnostic output modules incorporate features that allow diagnosing of field-side failures. These features include reporting No-Load conditions and point-level fuse-blown. In addition, the diagnostic modules can validate the state of the output with the Output Verify feature and the Output Pulse test.

General Considerations when using Any ControlLogix Digital Output Module

Wiring the two types of digital output modules differs, depending on your application requirements (these wiring methods are explained in detail in later sections). However, regardless of the type of ControlLogix output module used, there are a number of general application considerations that you must follow when applying these modules in a SIL2 application:

• Proof Tests - Periodically (for example, once every several years) a System Validation test must be performed. Manually, or automatically, test outputs to make sure that all outputs are operational and not stuck in the ON or OFF state. Outputs must be cycled from ON to OFF or OFF to ON. For additional information on Proof Tests, see page 1-6 and Figure 9.1 on page 9-5.



• Examination of Output Data Echo signal in Application logic: The application logic must examine the Data Echo value associated with each output point to make sure that the requested On/Off command from the controller was received by the module.

In the rungs below, a timer begins to increment for any miscompare between the actual output bit and its associated Data Echo bit. The timer must be preset to accommodate the delay between setting the output bit in controller memory and receipt of the Data Echo from the module. If a miscompare exists for longer than that time, a fault is reported.

Figure 6.6


Timer done

Data EchoOutput Bit

Data EchoOutput Bit

Timer

Fault

Application Logic

Actuator

Alarm to Operator

Fault



• Use of external Relays to disconnect Module Power if Output De-energization is Critical: To make sure outputs will de-energize, users must wire an external relay that can remove power from the output module if a short or other fault is detected. See Figure 6.7 on page 6-10 for an example method of wiring an external relay.

• Test outputs at specific times to make sure they are operating properly. The method and frequency of testing is determined by the type of module–diagnostic or standard. For more information on testing diagnostic module outputs, see page 6-10. For more information on testing standard module outputs, see page 6-11.

• For typical emergency shutdown (ESD) applications outputs must be configured to De-energize: When configuring any ControlLogix output module, each output must be configured to de-energize in the event of a fault and in the event of the controller going into program mode. For exceptions to the typical ESD applications, see Chapter 1, SIL Policy.

• When wiring two digital output modules in series so that one may break source voltage (as shown in Figure 6.10 on page 6-12), make sure:

– Both modules use identical configuration.

– The same controller owns both modules.



Wiring ControlLogix Digital Output Modules

Diagnostic Digital Output Modules

Diagnostic output modules have advanced circuitry that is not included in standard output modules. Because of the advanced design, users are not required to use an input module to monitor output status, as is required with standard output modules.

Diagnostic Output modules can be used as-is in a SIL2 application (in other words, no special wiring considerations need be employed other than the wiring of the external relay to remove line power from the module in the event of a fault to make sure outputs will de-energize if shorted).

In addition to following the General Considerations when using Any ControlLogix Digital Output Module on page 6-7, the user must perform a Pulse Test on each output periodically to make sure that the output is capable of changing state. Automatic diagnostic testing of output modules should be made at intervals that are an order of magnitude less than the demand rate. For example, pulse testing should be scheduled at least once a month for a low demand system and at least once hour for a high demand system.

For more information on performing the pulse test, see the ControlLogix Digital I/O Modules User Manual, publication 1756-UM058.

Users should also make sure they always use a direct connection with diagnostic output modules located in remote chassis.

Figure 6.7 ControlLogix Diagnostic Output Module Wiring

43365

V-/L2

V+/L1

Output

V+/L2

This normally-open relay is controlled by the status of the rest of the ControlLogix system. If a short circuit or fault occurs on the module, the relay can disconnect power to the module.

Also, this relay can be wired to disconnect power to multiple modules.

Actuator

Relays may also be included as shown in position A to interrupt power on a per point basis.



Standard Digital Output Modules

When using standard (also known as non-diagnostic) output modules, users must wire an output to an actuator and then back to an input to monitor the output’s performance. The user can write the appropriate logic to test the output’s ability to turn ON and OFF at power-up, or, at the proof test interval (see page 1-6), the user can force the output ON and OFF and use a voltmeter to verify output performance.

Automatic testing of output modules (i.e. the user turns the outputs ON and OFF to verify proper operation) should be made at intervals that are an order of magnitude less than the demand rate. For example, output testing should be scheduled at least once a month for a low demand system and at least once an hour for a high demand system.

In addition to following the General Considerations when using Any ControlLogix Digital Output Module on page 6-7, the user must wire each standard output to a corresponding input to validate that the output is following its commanded state.

Figure 6.8 ControlLogix Standard Output Module Wiring

Wire output point to input point to verify the correct state of the output

Input

Standard Isolated Output Module

43363

V-/L2

Standard Isolated Input Module

V-/L2

V+/L1

Output

V+/L1

Actuator

This normally-open relay is controlled by another output in the ControlLogix system. If a short circuit or fault occurs on output modules, the relay can disconnect power to the modules.




Application logic must be written to generate a fault in the event of a miscompare between the requested state of an output (echo) and the actual output state monitored by an input channel.

Figure 6.9


Users can also wire two isolated standard outputs in series to critical actuators. In the event that a failure is detected, the output from both output modules must be set to OFF to guarantee the Output Loads de-energize. Figure 6.10 shows how to wire two isolated standard outputs in series to critical actuators.

Figure 6.10 ControlLogix Standard Output Module Wiring With Two Modules

Timer done

Data Echo

Data Echo

Timer

Fault

Alarm to Operator

Fault

Monitoring Input

Monitoring Input

Timer must be preset in milliseconds to accommodate communication times of echo signal and filter time of input.

Application Logic

Actuator

Output Fault

Wire output point to input point to verify the correct state of the output

Input

Standard Isolated Output Module #2

43364

Standard Isolated Input Module

V-/L2

V+/L1

Output

Standard Isolated Output Module #1

V+/L1

Output Actuator

V-/L2 V+/L1



Using Analog Input Modules

General Considerations when using Any ControlLogix Analog Input Module

There are a number of general application considerations that you must follow when applying these modules in a SIL2 application:

• Proof Tests - Periodically (for example, once every several years) a System Validation test must be performed. Manually, or automatically, test inputs to make sure that all inputs are operational. Field signal levels should be varied over the full operating range to make sure that the corresponding channel data varies accordingly. For additional information on Proof Tests, see page 1-6 and Figure 9.1 on page 9-5.

• Calibrate Inputs Periodically, As Necessary: ControlLogix I/O modules ship from the factory with a highly accurate level of calibration. However, because each application is different, users are responsible for making sure their ControlLogix I/O modules are properly calibrated for their specific application.

Users can employ tests in application program logic to determine when a module requires recalibration. For example, to determine whether an input module needs to be recalibrated, a user can determine a tolerance band of accuracy for a specific application. The user can then measure input values on multiple channels and compare those values to acceptable values within the tolerance band. Based on the differences in the comparison, the user could then determine whether recalibration is necessary.

Calibration (and subsequent recalibration) is not a safety issue. However, we recommend that each analog input be calibrated at least every 3 years to verify the accuracy of the input signal and avoid nuisance application shutdowns.



• Choose Floating Point Data Format During Module Configuration: ControlLogix analog input modules perform a host of on-board alarm processing to validate that the input signal is within the proper range for the application. However, these features are only available in Floating Point mode.

• Examine the Appropriate Module Fault, Channel Fault and Channel Status Bits to Initiate Fault Routines: Each module will communicate the operating status of each channel to the controller during normal operation. Application logic must examine the appropriate bits to initiate a fault routine for a given application. For more information on faults, see Chapter 7, Faults in the ControlLogix System.

• Compare Analog Input Data and Annunciate Miscompares: When wiring sensors to two inputs channels, the values from those channels must be compared to each other for concurrence within an acceptable range for the application before actuating an output. Any miscompare between the two inputs outside the programmed acceptable range must be annunciated as a fault.

In Figure 6.11, a user-defined percentage of acceptable deviation (that is, tolerance) is applied to the configured input range of the analog inputs (that is, range) and the result is stored (that is, delta). This delta value is then added to and subtracted from one of the input channels; the results define an acceptable High and Low limit of deviation. The second input channel is then compared to these limits to determine if the input are working properly.

The input’s OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering lags in the system. If the inputs miscompare for longer than the preset value, a fault is registered with a corresponding alarm.



Figure 6.11


• Configuration parameters (for example, RPI, filter values) must be identical between the two modules.

• The same controller must own both modules.

Timer done

Timer

Inputs Faulted

Alarm to Operator

Inputs OK

SUBDeltaInput 1Low Limit

ADDDeltaInput 1High Limit

MULTRangeTolerance %Delta

Inputs Faulted

LIMLow LimitInput 2High Limit

Inputs OK



Wiring ControlLogix Analog Input Modules

In general, good design practice dictates that each of the 2 transmitters must be wired to input terminals on separate modules such that the channel values may be validated by comparing the two within an acceptable range. Special consideration must be given in applying this technique, depending on the type of module being used. Those details are shown in the following wiring diagrams.

Wiring the Single-Ended Input Module in Voltage Mode

In addition to following the General Considerations when using Any ControlLogix Analog Input Module on page 6-13, make sure you use the correct documentation (listed in Table 6.1 on page 6-3) to wire the module.

When operating in Single-ended voltage mode, all (-) leads of the transmitters must be tied together. Figure 6.12 shows how to wire the 1756-IF8 module for use in voltage mode.

Figure 6.12 ControlLogix Analog Input Module Wiring in Voltage Mode

Voltage Transmitter A

Ch0 +

43368

Ch0 +

Ch0 – Ch0 –

(+)

(–)

Voltage Transmitter B

(+)

(–)



Wiring the Single-Ended Input Module in Current Mode

In addition to following the General Considerations when using Any ControlLogix Analog Input Module on page 6-13, before wiring the module, consider the following application guideline:

• Placement of Other Devices in Current Loop: you can locate other devices in an input channel’s current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops (each module input is 250 ohms)

Figure 6.13 shows how to wire the 1756-IF8 module for use in current mode.

Figure 6.13 ControlLogix Analog Input Module Wiring in Current Mode

Current Source A

Ch0 +

43369

Ch0 +

Ch0 – Ch0 –

Current Source B



Wiring the Thermocouple Input Module


• Wire to Same Input Channel on Both Modules: When wiring thermocouples, wire two in parallel to two modules. Use the same channel on each module to make sure of consistent temperature readings.

Figure 6.14 shows how to wire the 1756-IT6I module.

Figure 6.14 ControlLogix Analog Thermocouple Module Wiring

Thermocouple A

Ch0 +

43370

Ch0 +

RTN RTN

Thermocouple B



Wiring the RTD Input Module


• RTDs cannot be wired in parallel without severely affecting their accuracy. Two sensors must be used.

Figure 6.15 shows how to wire the 1756-IR6I module.

Figure 6.15 ControlLogix Analog RTD Module Wiring

RTD A

Ch0 A

43371

Ch0 A

RTN RTN

Ch0 B Ch0 B

RTD B



Using Analog Output Modules

The 1756-OF8 ControlLogix analog output module is certified for use SIL2 applications.

General Considerations when using Any ControlLogix Analog Output Module

There are a number of general application considerations that you must follow when applying the analog output modules in a SIL2 application:

• Proof Tests - Periodically (for example, once every several years) a System Validation test must be performed. Manually, or automatically, test outputs to make sure that all outputs are operational. Channel data should be varied over the full operating range to make sure that the corresponding field signal levels vary accordingly. For additional information on Proof Tests, see page 1-6 and Figure 9.1 on page 9-5.

• Calibrate Outputs Periodically, As Necessary: ControlLogix I/O modules ship from the factory with a highly accurate level of calibration. However, because each application is different, users are responsible for making sure their ControlLogix I/O modules are properly calibrated for their specific application.

Users can employ tests in application program logic to determine when a module requires recalibration. For example, to determine whether an output module needs to be recalibrated, a user can determine a tolerance band of accuracy for a specific application. The user can then measure output values on multiple channels and compare those values to acceptable values within the tolerance band. Based on the differences in the comparison, the user could then determine whether recalibration is necessary.

IMPORTANT It is strongly recommended that you do not use analog outputs to execute the safety function that results in a safe state. Analog output modules are slow to respond to an ESD command and are therefore not recommended for use ESD output modules.

The use of digital output modules and actuators to achieve the ESD de-energized state is recommended.



Calibration (and subsequent recalibration) is not a safety issue. However, we recommend that each analog output be calibrated at least every 3 years to verify the accuracy of the input signal and avoid nuisance application shutdowns.

• Choose Floating Point Data Format During Module Configuration: ControlLogix analog output modules perform a host of on-board alarm processing to validate that the output signal is within the proper range for the application. However, these features are only available in Floating Point mode.

• Examine the Appropriate Module Fault, Channel Fault and Channel Status Bits to Initiate Fault Routines: Each module will communicate the operating status of each channel to the controller during normal operation. Application logic must examine the appropriate bits to initiate a fault routine for a given application. For more information on faults, see Chapter 7, Faults in the ControlLogix System.

• For typical emergency shutdown (ESD) applications outputs must be configured to De-energize: When configuring any ControlLogix output module, each output must be configured to de-energize in the event of a fault and in the event of the controller going into program mode. For exceptions to the typical ESD applications, see Chapter 1, SIL Policy.

• Wire Output Back to Input and Examination of Output Data Echo signal: Users must wire an analog output to an actuator and then back to an analog input to monitor the output’s performance, as shown in Figure 6.17. The application logic must examine the Data Echo value associated with each output point to make sure that the requested output command from the controller was received by the module. The value must be compared to the analog input that is monitoring the output to make sure the value is in an acceptable range for the application.

In the ladder diagram in Figure 6.16, a user-defined percentage of acceptable deviation (that is, tolerance) is applied to the configured range of the analog input and output (that is, range) and the result is stored (that is, delta). This delta value is then added to and subtracted from the monitoring analog input channel; the results define an acceptable High and Low limit of deviation. The analog Output Echo is then compared to these limits to determine if the output are working properly.



The output’s OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering, or output, lags in the system. If the monitoring input value and the Output Echo miscompare for longer than the preset value, a fault is registered with a corresponding alarm.

Figure 6.16 Monitoring an Analog Output with an Analog Input

The control, diagnostics and alarming functions must be performed in sequence.

• When wiring two analog output modules in the same application, make sure:

– Both modules use identical configuration.

– The same controller owns both modules.

Timer done

Timer

Outputs Faulted

Alarm to Operator

Outputs OK

ADDDeltaMonitoring inputHigh Limit

MULTRangeTolerance %Delta

Outputs Faulted

LIMLow LimitOutput EchoHigh Limit

Outputs OK

SUBDeltaMonitoring inputLow Limit



Wiring ControlLogix Analog Output Modules

In general, good design practice dictates that each analog output must be wired to a separate input terminal to make sure that the output is functioning properly.

Wiring the Analog Output Module in Voltage Mode

Figure 6.17 shows how to wire the 1756-OF8 module for use in voltage mode.

Figure 6.17 ControlLogix Analog Output Module Wiring in Voltage Mode

Actuator

43377

(+)

(–)

(+)

(–)

Analog Output Module Analog Input Module

This normally-open relay is controlled by the status of the rest of the ControlLogix system. If a short circuit or fault occurs on the module, the relay can disconnect power to the module.




Wiring the Analog Output Module in Current Mode

In addition to following the General Considerations when using Any ControlLogix Analog Output Module on page 6-20, consider the following application guideline before wiring the 1756-OF8 module in current mode:

• Placement of Other Devices in Current Loop: you can locate other devices in an output channel’s current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops (each module output is 250 ohms)

Figure 6.18 shows how to wire the 1756-OF8 module for use in current mode.

Figure 6.18 ControlLogix Analog Output Module Wiring in Current Mode

Actuator

43376

(+)

(–)

(+)

(–)

Analog Output Module Analog Input ModuleThis normally-open relay is controlled by the status of the rest of the ControlLogix system. If a short circuit or fault occurs on the module, the relay can disconnect power to the module.




Checklist for SIL Inputs The following checklist is required for planning, programming and start up of SIL inputs. It may be used as a planning guide as well as during proof testing. If used as a planning guide, the checklist can be saved as a record of the plan.

For programming or start-up, an individual checklist can be filled in for every single SIL input channel in a system. This is the only way to make sure that the requirements were fully and clearly implemented. This checklist can also be used as documentation on the connection of external wiring to the application program.

Input Check List for ControlLogix System

Company:

Site:

Loop definition:

SIL input channels in the:

No. All Input Module Requirements (apply to both digital and analog input modules) Yes No Comment

1 Is Exact Match selected as the electronic keying option whenever possible?

2 Is the RPI value set to an appropriate value for your application?

3 Are all modules owned by the same controller?

4 Have you performed proof tests on the system and modules?

5 Have you set up the fault routines?

6 Are control, diagnostics and alarming functions performed in sequence in application logic?

No. Additional Digital Input Module-Only Requirements Yes No Comment

1 When two digital input modules are wired in the same application, do the following conditions exist:• Both modules are owned by the same controller.• Sensors are wired to separate input points.• The operational state is ON.• The non-operational state is. OFF.• Configuration parameters (for example, RPI, filter values) are identical.

2 For the standard input modules, is the Communication Format set to one of the Input Data choices?

3 For the diagnostic input modules, is the Communication Format set to Full Diagnostics-Input Data?

4 For the diagnostic input modules, are all diagnostics enabled on the module?

5 For the diagnostic input modules, are enabled diagnostic bits monitored by fault routines?

6 For the diagnostic input modules, is the connection to remote modules a direct connection?

No. Additional Analog Input Module-Only Requirements Yes No Comment

1 Is the Communication Format set to Float Data?

2 Have you calibrated the modules as often as required by your application?

3 Are you using ladder logic to compare the analog input data on two channels to make sure there is concurrence within an acceptable range and that redundant data is used properly?

4 Have you written application logic to examine bits for any condition that may cause a fault and appropriate fault routines to handle the fault condition?

5 When wiring the 1756-IF8 in voltage mode, are transmitter grounds tied together?

6 When wiring the 1756-IF8 in current mode, are loop devices placed properly?

7 When wiring 1756-IT6I modules in parallel, have you wired to the same channel on each module as shown in Figure 6.14 on page 6-18?

8 When wiring two 1756-IR6I modules, are two sensors used, as shown in Figure 6.15 on page 6-19?



Checklist for SIL Outputs The following checklist is required for planning, programming and start up of SIL outputs. It may be used as a planning guide as well as during proof testing. If used as a planning guide, the checklist can be saved as a record of the plan.

For programming or start-up, an individual requirement checklist must be filled in for every single SIL output channel in a system. This is the only way to make sure that the requirements are fully and clearly implemented. This checklist can also be used as documentation on the connection of external wiring to the application program.

Output Check List for ControlLogix System

Company:

Site:

Loop definition:

SIL output channels in the:

No. All Output Module Requirements (apply to both digital and analog output modules) Yes No Comment:

1 Have you performed proof tests on the modules?

2 Is Exact Match selected as the electronic keying option whenever possible?

3 Is the RPI value set to an appropriate value for your application?

4 Have you set up fault routines, including comparing output data with a corresponding input point?

5 If required, have you used external relays in your application to disconnect module power if a short or other fault is detected on the module or isolated output in series?

6 Is the control of the external relay implemented in ladder logic?

7 Have you examined the Output Data Echo signal in application logic?

8 Are all outputs configured to deenergize in the event of a fault or the controller entering program mode?

9 Do two modules of the same type, used in the same application, use identical configurations?

10 Does one controller own both modules if two of the same type are used in an application?

11 Are control, diagnostics and alarming functions performed in sequence in application logic?

No. Digital Output Module-Only Requirements Yes No Comment

1 For the standard output modules, is the Communication Format set to Output Data?

2 For standard output modules, have you wired the outputs to a corresponding input to validate that the output is following its commanded state?

3 For the diagnostic output modules, are all diagnostics enabled on the module?

4 For the diagnostic output modules, are enabled diagnostic bits monitored by fault routines?

5 For the diagnostic output modules, is the Communication Format set to Full Diagnostics-Output Data?

6 For diagnostic output modules, have you periodically performed a Pulse Test to make sure that the output is capable of change state?

7 For diagnostic output modules, is the connection to remote modules a direct connection?

No. Analog Output Module-Only Requirements Yes No Comment

1 Is the Communication Format set to Float Data?

2 Have you calibrated the modules as often as required by your application?

3 When wiring the 1756-OF8 in current mode, are loop devices placed properly?

4 Have you written application logic to examine bits for any condition that may cause a fault and appropriate fault routines to handle the fault condition?


Chapter 7

Faults in the ControlLogix System

Introduction The ControlLogix architecture provides the user many ways of detecting and reacting to faults in the system. The first way that users can handle faults is to make sure they have completed the input and output checklists listed on pages 6-25 and 6-26 for their application.

In addition to the checklists mentioned above, various device objects can be interrogated to determine the current operating status. Additionally, modules provide run-time status of their operation and of the process. It is up to users to determine what data is most appropriate for their application to initiate a shutdown sequence.

This chapter explains two example conditions that will generate a fault in a SIL2-certified ControlLogix system:

• Keyswitch changing out of RUN mode

• High alarm condition on an analog input module

For more information on the analog status bits available for examination, see the ControlLogix Analog I/O Modules User Manual, publication 1756-UM009.

For information on System Self-Testing and User-Programmed Responses, see Appendix B.

For more information on faults, see Appendix C, Additional Information on Handling Faults in the ControlLogix System.


7-2 Faults in the ControlLogix System

Checking Keyswitch Position with GSV Instruction

The following rungs generate a fault if the keyswitch on the front of the controller is switched from the Run mode:

Figure 7.1

In this example, the Get System Value (GSV) instruction interrogates the STATUS attribute of the CONTROLLERDEVICE object and stores the result in a word called KEYSTATE, where bits 12 and 13 define the state of the keyswitch as shown in Table 7.1.

If bit 13 is ever ON, then the keyswitch is not in the RUN position. Examining bit 13 of KEYSTATE for an ON state will generate a fault.

For more information on the accessing the CONTROLLERDEVICE object, see the Logix5000 Controllers General Instructions Reference Manual, publication 1756-RM003.

Table 7.1

Bit 13: Bit 12: Description:

0 1 Keyswitch in Run position

1 0 Keyswitch in Program position

1 1 Keyswitch in Remote position

Alarm to Operator

KEYSTATE.13

GSV

Class: CONTROLLERDEVICE

Attribute: STATUS

Destination: KEYSTATE

Fault

Fault


Faults in the ControlLogix System 7-3

Examining an Analog Input Module’s High Alarm

ControlLogix analog modules perform processing and comparison of field data values right on the module, allowing for easy examination of status bits to initiate a fault.

For example, the 1756-IF8 module can be configured with user-defined alarm values that, when exceeded, will set a status bit on the module which is then sent back to the controller. The user may then examine the state of these bits to initiate a fault as shown in Figure 7.2:

Figure 7.2

In the example above, the High Alarm bit for channel 1 (CH1HAlarm) is being examined for an On condition to initiate a fault. During operation, as the analog input module processes analog signals from the field sensors, if the value for channel 1 exceeds the user-defined value configured for Channel 1’s High Alarm, the (CH1HAlarm) bit is set and sent to the controller and a fault is declared.

Alarm to Operator

Ch1HAlarm

Fault

Fault


7-4 Faults in the ControlLogix System

Notes:


Chapter 8

General Requirements forApplication Software

This chapter discusses the details of the application program.

Software for SIL2-Related Systems

The application software for the SIL2-related automation systems is generated using the programming tool (RSLogix 5000) according to IEC 61131-3.

The application program has to be created by the programming tool RSLogix 5000 and contains the specific equipment functions that are to be carried out by the ControlLogix system. Parameters for the operating function are also entered into the system using RSLogix 5000.


Software for SIL2-Related Systems 8-1

ControlLogix System Operational Modes 8-5

SIL2 Programming 8-2

General Guidelines for Application Software Development

8-2

Forcing 8-4

Security 8-4

Checklist for the Creation of an Application Program

8-6


8-2 General Requirements for Application Software

SIL2 Programming Safety Concept of the ControlLogix system

The safety concept of SIL2 assumes, that:

• the programming system (PS) hardware and firmware works correctly (that is, programming system errors can be detected).

• the user applies the logic correctly, that is, user programming errors can be detected.

For the initial start-up of a safety-related ControlLogix system, the entire system must be checked by a complete functional test. After a modification of the application program, the modified program or logic must be checked.

For more information on how users should handle changes to their application program, see the Changing Your Application Program section on page 9-6.

General Guidelines for Application Software Development

The application software for the intended SIL2 systems is intended to be developed by the system integrator and/or user. The developer must follow good design practices including the use of:

• Functional specifications

• Flow charts

• Timing diagrams

• Sequence charts

• Program review

• Program validation

All logic should be reviewed and tested. To facilitate reviews and reduce unintended responses, developers should limit the set of instructions to basic Boolean/ladder logic (such as examine On/Off, Timers, Counters, etc.) whenever possible. This set should include instructions that can be used to accommodate analog variables, such as:

• Limit tests

• Comparisons

• Math instructions

See Appendix B, System Self-Testing and User-Programmed Responses, for details.


General Requirements for Application Software 8-3

Users must verify the downloading of the application program and its proper operation. A typical validation technique is to upload the downloaded program file and perform a compare of that file against what is stored in the programming terminal. The upload compare can be accomplished after an interval by saving the first one and comparing it to the second or subsequent uploads. This approach could also be performed through different paths (that is, over ControlNet and via the serial port).

Safety logic and non safety-related logic should be separate.

Check the Created Application Program

To check the created application program for adherence to the specific function, you must generate a suitable set of test cases covering the specification. The set of test cases is filed as the test specification.

A suitable test set must also be generated for the numeric evaluation of formulas. Equivalent range tests are acceptable. These are tests within the defined value ranges, at the limits, or in impermissible value ranges. The test cases must be selected to prove the correctness of the calculation. The necessary number of test cases depends on the formula used and must comprise critical value pairs.

However, active simulation with sources cannot be omitted as this is the only means of detecting correct wiring of the sensors and actuators to the system. Furthermore, this is the only means of testing the system configuration. Users should verify the correct programmed functions by forcing I/O or by manual manipulation of sensors and actuators.

Possibilities of Program Identification

The application program is clearly identified by one of the following:

• Name

• Date

• Revision

• Any other user identification information



Forcing Forcing must be disabled after system test and validation.

Security The user must define what measures are to be applied for the protection against manipulation.

In the ControlLogix system and in RSLogix 5000, protection mechanisms are available that prevent unintentional or unauthorized modifications to the safety system:

• The following tools may be employed for security reasons in a SIL2-certified ControlLogix application:

– Logix CPU Security Tool

– Source Protection Tool

– RSI Security Server

Each of these tools offers different security features, including password protection, at varying levels of granularity throughout the application. The description of these tools is too large in scope to list here. Users can contact their local Rockwell Automation representative for more information.

• The controller keyswitch should be in the RUN position and the key removed during normal operating conditions.

• Operator options are set up per user login in the ControlLogix system.

• The online connection between RSLogix5000 and the ControlLogix system is not permitted during normal SIL2 RUN operation except as described in Chapter 9.

The requirements of the safety and application standards regarding the protection against manipulations must be observed. The authorization of employees and the necessary protection measures are the responsibility of the individuals starting the system.


General Requirements for Application Software 8-5

ControlLogix System Operational Modes

A three-position keyswitch on the front of the controller governs ControlLogix system operational modes. The following modes are available:

• Run

• Program

• Remote - This software-enabled mode can be program or run.

Figure 8.1 shows a controller with the keyswitch in the Run mode.

Figure 8.1

When a SIL2-certified ControlLogix application is operating in the Run mode, the controller keyswitch must be in the RUN position and the key removed. Outputs are only enabled in this mode.

42525



Checklist for the Creation of an Application Program

The following checklist is recommended to maintain safety technical aspects when programming, before and after loading the new or modified program.

Checklist for Creation of an Application Program Safety Manual ControlLogix System

Company:

Site:

Project definition:

File definition / Archive number:

Notes / Checks Yes No Comment

Before a Modification

Are the configuration of the ControlLogix system and the application program created on the basis of safety aspects?

Are programming guidelines used for the creation of the application program?

After a Modification - Before Loading

Has a review of the application program with regard to the binding system specification been carried out by a person not involved in the program creation?

Has the result of the review been documented and released (date/signature)?

Was a backup of the complete program created before loading a program in the ControlLogix system?

After a Modification - After Loading

Was a sufficient number of tests carried out for the safety relevant logical linking (including I/O) and for all mathematical calculations?

Was all force information reset before safety operation?

Has it been verified that the system is operating properly?

Have the appropriate security routines and functions been installed?

Is the controller keyswitch in Run mode and the key removed?


Chapter 9

Technical SIL2 Requirements for the Application Program

This chapter discusses technical safety for the application program.

General Procedure The general procedure for programming the ControlLogix system SIL2 applications is listed below.

• Specification of the control function, including:

– specification

– flow and timing charts

– diagrams

– sequence charts

– program description

– program review process

• Writing the application program

• Checking by independent reviewer

• Verification and validation

Once the program is tested, the ControlLogix system can be put into operation.


General Procedure 9-1

SIL Task/Program Instructions 9-4

Programming Languages 9-4

Commissioning Life Cycle 9-5

Changing Your Application Program 9-6

Forcing 9-8


9-2 Technical SIL2 Requirements for the Application Program

Basics of Programming

The control program must be available as a specification or a performance specification. This documentation forms the basis for the check of correct transformation into the program. The type of presentation of the specification depends on the task to be carried out. This can be:

Logic and Instructions

The logic and instructions used in programming the application must be:

• easy to understand

• easy to trace

• easy to change

• easy to test

Program Logic

User must implement simple, easy to understand:

• ladder

• other IEC 1131-compliant language

or

• function blocks with specified characteristics.

We use ladder, for example, because, it is easier to visualize and make partial program changes with this format.


Technical SIL2 Requirements for the Application Program 9-3

Specification

The specification must include a detailed description that includes (if applicable):

• Sequence of operations

• Flow and timing diagrams

• Sequence charts

• Program description

• Program print out

• Verbal descriptions of the steps with step conditions and actuators to be controlled, including:

– input definitions

– output definitions

– I/O wiring diagrams and references

– theory of operation

• Matrix- or table form of stepped conditions and the actuators to be controlled, including the sequence and timing diagrams

• Definition of marginal conditions, for example, operating modes, EMERGENCY STOP etc.

The I/O-portion of the specification must contain the analysis of field circuits, that is, the type of sensors and actuators:

Sensors (Digital or Analog)

• Signal in standard operation (dormant current principle for digital sensors, sensors OFF means no signal)

• Determination of redundancies required for SIL levels

• Discrepancy monitoring and visualization, including the user’s diagnostic logic



Actuators

• Position and activation in standard operation (normally OFF)

• Safe reaction/positioning when switching OFF, power failure respectively.

• Discrepancy monitoring and visualization, including the user’s diagnostic logic

SIL Task/Program Instructions

The user program may contain a single SIL task composed of multiple programs and routines. This is a timed task with a user-selectable task priority and watchdog. The SIL2 task must be the controller’s top priority and the user-defined program watchdog (software watchdog) must be set to accommodate the SIL2 task and any other tasks. For more information, see Chapter 1, SIL Policy.

Safety logic and non safety-related programs must be separate.

Programming Languages All programming languages (for example, ladder logic, function block) available in the ControlLogix system will also be available for programming the ControlLogix controller for SIL2 applications.



Commissioning Life Cycle Figure 9.1 shows the steps required during application program development, debugging and commissioning.

Figure 9.1

Generate Functional Specification

Create Flow Diagram

Create Timing Diagrams

Establish Sequence of Operations

Develop Project Online

Develop Project Offline

Download to Controller

Perform Validation Testing

on all Logic

Tests Pass?

Begin Normal Project Operation

Make project changes

Download to Controller

Determine what logic has been Changed or

Affected

Perform Validation Testing on all Changed

or Affected Logic

Yes

No

NoVerification okay? Make more online edits

& accept edits or make more offline edits and

download to CTR

Develop Test Plan

Review Program with Independent

Party

Finish the Validation Test1

Secure PADT1 You must periodically repeat the validation test (also known as proof tests) to make sure module inputs and outputs are functioning properly and

as commanded by the application programming. For more information on proof tests for I/O modules, see Chapter 9, ControlLogix I/O Modules.



Changing Your Application Program

The following rules apply to changing your application program in RSLogix 5000:

• Program edits are not recommended. However, they are possible if necessary and should be limited. For example, minor changes such as changing a timer preset or analog setpoint are possible.

• Only authorized, specially-trained personnel can make program edits. These personnel should use all supervisory methods available, for example, using the controller keyswitch and software password protections.

• When authorized, specially-trained personnel make program edits, they assume the central safety responsibility while the changes are in progress. These personnel must also maintain safe application operation.

• Prior to making any program edits, an impact analysis must be performed by following the specification and other lifecycle steps described in Figure 9.1 as if the edits were an entirely new program.

• Users must sufficiently document all program edits, including:

– authorization

– impact analysis

– execution

– test information

– revision information

• Users cannot make program edits while the program is online if the changes prevent the system from executing the safety function or if alternative protection methods are not in place.

• Users cannot edit their program from multiple programming terminals simultaneously.

• Changes to the SIS application software, in this case--RSLogix 5000, must comply with IEC 61511 standard on process safety section 11.7.1 Operator Interface requirements.

• Users cannot edit their program when a project is operating in the RUN state. In other words, if an application is running and the ControlLogix controller keyswitch is in the RUN position, users cannot make online edits.



• Users can edit the relay ladder logic portion of their program using one of the following methods described in Table 9.1:

Table 9.1 Methods of Changing Your Application Program in RSLogix 5000

Method: Required Steps: Controller Keyswitch Position:

Key Points to this Method:

Offline The user performs the tasks described in the flow chart in Figure 9.1 on page 9-5.

PROG Users must revalidate the entire application before returning to normal operation.

Online 1. Turn the controller key to the REM position.2. Use the Online Edit Toolbar to start, accept, test and assemble your

edits. The toolbar is shown below.

a. Click the start pending rung edits button . A copy is made of the rung you want to edit.

b. Change your application program as needed. At this point, the original program is still active in the controller. Your program changes are made in the copied rungs. Changes do not affect the outputs until you test program edits in step d.

c. Click the accept pending rung edits button . Your program changes are verified and downloaded to the controller. The controller now has the changed program and the original program. However, the controller continues to execute the original program. You can see the state of the inputs, and changes do not affect the outputs.

d. Click the test program edits button .e. Click Yes to test the edits. Changes are now executed and affect

the outputs; the original program is no longer executed. However, if you are not satisfied with the result of testing the edits, you can discard the new program by clicking on the untest program

edits button if necessary. If you untest the edits, the controller returns to the original program.

f. Click the assemble program edits button .g. Click Yes to assemble the edits. The changes are the only

program in the controller, and the original program is discarded.3. Perform a partial proof test of the portion of the application affected

by the program edits.4. Turn the controller key back to the RUN position to return the project

to Run mode. We recommend you upload the new program to your programming terminal to ensure consistency between the application in the controller and on the programming terminal.

5. Remove the key.

REM The project remains online but operates in the remote run mode. When edits are completed, users are only required to validate the changed portion of the application program.

We recommend that online edits be limited to minor program modifications such as setpoint changes or ladder logic rung additions, deletions and modifications.

IMPORTANT: This option to change the application program is available for changes to relay ladder logic only. Users cannot use this method to change function block programming.

For more detailed information on how to edit ladder logic while online, see the Logix5000 Controllers Quick Start, publication 1756-QS001.

start pending rung edit

accept pending rung edits

test program edits

assemble program edits

untest program edits



• If online edits exist in the standard routines only, those edits are not required to be validated before returning to normal operation. Users must verify that changes in the standard routine do not affect SIL routines.

Forcing The following rules apply to forcing in an RSLogix 5000 project:

• Users must remove forces on all SIL2 tags before beginning normal operation for the project.

• Users cannot force SIL2 tags while a project is in the Run mode.

IMPORTANT If any changes are needed to the program in the safety loop, they must be done so in accordance with IEC 61511-1, paragraph 11.7.1.5 which states:

"The Safety Instrumentation System (SIS) operator interface design shall be such as to prevent changes to SIS application software. Where safety information needs to be transmitted from the basic process control system (BPCS) to the SIS then systems should be used which can selectively allow writing from the BPCS to specific SIS variables. Equipment or procedures should be applied to confirm the proper selection has been transmitted and received by the SIS and does not compromise the safety function of the SIS."

Also, for more information on changing the SIL2 application program, see Chapter 10.


Chapter 10

Use and Application of Human to Machine Interfaces

No specific device is part of the certification because the variety of devices is so large, ranging from simple thumb-wheel and LED readouts to PC/CRT-based human to machine interface (HMI) devices on a variety of networks. The range and breadth of these devices is similar to that of sensors and actuators; it would be impractical to impose device restrictions.

Using Precautions and Techniques with HMI

However, users must exercise the same precautions and techniques on HMI devices as on simple devices such as sensor and switch inputs. The precautions include, but are not restricted to:

• Limited access and security

• Specifications, testing and validation

• Restrictions on data and access

• Limits on data and parameters

For more information on how HMI devices fits into a typical SIL loop, see Figure 1.2 on page 1-4.

Sound techniques should be used in either the application software within the HMI or PLC in safety-related systems and non-safety-related systems.

Accessing Safety-Related Systems

Normally, when accessing the safety-related system, the HMI should be restricted to read data and information such as diagnostics. The user should use techniques to limit access to only those sections of memory that are appropriate. For more information, see Figure 1.2 on page 1-4.

If parameters in safety-related system require a change from an HMI, users should follow the guidelines indicated in the next section.


10-2 Use and Application of Human to Machine Interfaces

Changing Parameters in Safety-Related Systems

A parameter change in a safety-related loop via an external (that is, outside the safety loop) device (for example, an HMI) is only allowed with the following restrictions:

• Only authorized, specially-trained personnel can change the parameters in safety-related systems via HMIs.

• The user who makes changes in a safety-related system via an HMI is responsible for the effect of those changes on the safety loop.

• Users must clearly identify the variable that are to be changed as under the control of the ControlLogix controller inside the safety loop.

• Users must use a clear, comprehensive and explicit operator procedure to make safety-related changes via an HMI.

• Changes can only be accepted in a safety-related system if the following sequence of events occurs:

a. Changes are sent from the HMI to the ControlLogix controller in the safety loop.

b. The ControlLogix controller in the safety loop sends the changes back to the HMI–before accepting the changes or acting on them.

c. The user verifies that the changes are correct.

In every case, the operator must confirm the validity of the change before they are accepted and applied in the safety loop.

• The software used in the HMI and the ControlLogix controller (in this case, RSLogix 5000) should be designed to verify that changes to the safety system are within acceptable limits and do not otherwise compromise the safety system.

• The user should test all changes as part of the safety validation procedure.


Use and Application of Human to Machine Interfaces 10-3

• Users must sufficiently document all safety-related changes made via HMI, including:

– authorization

– impact analysis

– execution

– test information

– revision information

• Changes to the safety-related system, must comply with IEC 61511 standard on process safety section 11.7.1 Operator Interface requirements.

Changing Parameters in Non-Safety-Related Systems

When the HMI device is used to change parameters in a non-safety-related system, remember the following techniques:

• When the HMI is used to input parameters such as setpoints for a PID loop or drive speeds, the application program should include sound techniques used for other types of change validation, including:

– Display the data to be changed

– Acceptable ranges and limits used in the program for data checks (in other words, checks to make sure entered data is within an acceptable range)

– Display the new value along with the existing value

– Prompt the operator to acknowledge and accept the changed value before allowing the change to take effect

• The developer must follow the same sound development techniques and procedures used for other application software development, including the verification and testing of the operator interface and its access to other parts of the program. The PLC application software should set up a table that is accessible by the HMI and limits access to required data points only.

• Similar to the PLC program, the HMI software needs to be secured and maintained for SIL2 compliance after the system has been validated and tested.


10-4 Use and Application of Human to Machine Interfaces

Notes:


Appendix A

Response Times in ControlLogix

The following calculation methods provide the user with the worst-case reaction times for a given change in input or fault condition and the corresponding output action.

Digital Modules Local Chassis Configuration

Figure A.1 shows an example system where the following occurs:

• input data changes on the digital input module

• the data is transmitted to the controller

• the controller runs its program scan and reacts to the data change, including sending new data to the output module

• the output module behavior changes based on the new data received from the controller

Figure A.1

Use the following formula to determine worst-case reaction time:

ControllerDigital Input Module

Digital Output Module

Worst-Case Reaction Time = Input Module Filter Setting(1) + Input Module Hardware Delay(2) + Input Module RPI(1) + Controller Program Scan(3)

+ Output Module Hardware Delay(2)

(1) This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.

(2) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For a complete list of installation instructions, see Table 1.1 on page 1-8.

(3) This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see the Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.


A-2 Response Times in ControlLogix

Remote Chassis Configuration


• input data changes on the digital input module

• the data is transmitted to the controller via the 1756-CNB modules

• the controller runs its program scan and reacts to the data change, including sending new data to the output module via the 1756-CNB modules


Figure A.2


EXAMPLE For example, a system may reflect the set-up used in Figure A.1 with an 1756-IB16D and 1756-OB16D and following settings:

• Input Module Filter Setting = 1ms

• Input Module Hardware Delay = 1ms

• Input RPI = 2ms

• Program Scan = 20ms

• Output Module Hardware Delay = 1ms

In this example, the worst-case reaction time = 25ms

ControlNet Bridge Module

Digital Input Module

Digital Output Module

Controller ControlNet Bridge Module

Worst-Case Reaction Time =Input Module Filter Setting(1) + Input Module Hardware Delay(2)

+ Input Module RPI(1) + Remote 1756-CNB RPI + Controller Program Scan(3) + Remote 1756-CNB RPI + Output Module Hardware Delay(2)

(1) This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.(2) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number.

For a complete list of installation instructions, see Table 1.1 on page 1-8.(3) This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see

the Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.


Response Times in ControlLogix A-3

Analog Modules Local Chassis Configuration


• input data changes on the analog input module

• the data is transmitted to the controller

• the controller runs its program scan and reacts to the data change, including sending new data to the output module


Figure A.3


Remote Chassis Configuration


• input data changes on the analog input module

• the data is transmitted to the controller via the 1756-CNB modules

• the controller runs its program scan and reacts to the data change, including sending new data to the output module via the 1756-CNB modules

ControllerAnalog Input Module

Analog Output Module

Worst-Case Reaction Time =Input Module Filter Setting(1) + Input Module Real Time Sample (RTS) rate(1)

+ Controller Program Scan(2) +Output Module RPI(1)

+ Output Module Hardware Delay(3)

(1) This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.(2) This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see the

Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.(3) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For

a complete list of installation instructions, see Table 1.1 on page 1-8.




Figure A.4


ControlNet Bridge Module

Analog Input Module

Analog Output Module

Controller ControlNet Bridge Module

Worst-Case Reaction Time =Input Module Filter Setting(1) + Input Module Real Time Sample (RTS) rate(1)

+ Remote 1756-CNB RPI(1) + Controller Program Scan(2) + Output Module RPI(1)

+ Remote 1756-CNB RPI(1) + Output Module Hardware Delay(3)

(1) This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.(2) This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see the

Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.(3) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For a

complete list of installation instructions, see Table 1.1 on page 1-8.


Response Times in ControlLogix A-5

Redundancy Systems The response time of a system that uses redundancy is different from a system that does not use redundancy. The redundancy system has a longer response time because:

• The primary controller must keep the secondary up-to-date and ready to take over control in case of a switchover. This process of cross-loading fresh data at the end of each program scan increases scan time.

You can plan your project effectively (e.g., minimize the use of SINT or INT tags, use arrays and user-defined data types) to minimize the scan time in a redundancy system. Generally, the primary controller in a redundancy system has a 20% slower response time than the controller in a non-redundancy system.

• The switchover between controllers slows system response. The switchover time of a redundancy system depends on the network update time (NUT) of the ControlNet network. To estimate the switchover time, use the following formulas:

For more information on response times in ControlLogix redundancy systems and ControlLogix redundancy systems in general, see the ControlLogix Redundancy System user manual, publication 1756-UM523.

For this type of failure: If the NUT is: The switchover time is: Example:

loss of power

–or–

module failure

< 6 60 ms For a NUT of 4 ms, the switchover time is approximately 60 ms.

> 7 5 (NUT) + MAX (2[NUT], 30) For a NUT of 10 ms, the switchover time is approximately 80 ms.

1756-CNB module cannot communicate with any other node

14 (NUT) + MAX (2[NUT], 30) + 50 For a NUT of 10 ms, the switchover time is approximately 220 ms.



Notes:


Appendix B

System Self-Testing and User-Programmed Responses

This chapter explains self-testing in a ControlLogix system and points to more information about user-programmed responses.

Validation Tests Validation tests are performed at every proof test interval.

• Manually Cycle Inputs to ensure that all inputs are operational and not stuck in the ON state

• Manually Pulse Test outputs which do not support runtime Pulse Testing. The relays in the Redundant Power Supplies must be tested to ensure they are not stuck in the Closed state.

Users can automatically perform proof tests by switching ground open on input modules and checking to make sure all input points go to zero (turn OFF.).

All system components which do not have runtime diagnostics must be tested as part of the System Initialization Tests.

System Self Tests

The SIL2-certified ControlLogix system is designed to automatically shut down in the event of a failure or fault. The following information provides details on how to program and configure routines to monitor diagnostic and system status.


B-2 System Self-Testing and User-Programmed Responses

Reaction to Faults

For more information on how to configure a ControlLogix system to identify and handle faults, including such tasks as:

• Developing a Fault Routine

• Creating a User-Defined Major Fault

• Monitoring Minor Faults

• Developing a Power-Up Routine

see the Logix5000 Controllers Common Procedures Programming Manual, publication 1756-PM001.


Appendix C

Additional Information on Handling Faults in the ControlLogix System

This appendix describes the ways that faults are reported to the controller.

Introduction The ControlLogix architecture provides the user many ways of detecting and reacting to faults in the system. Various device objects can be interrogated to determine the current operating status. Additionally, modules provide run-time status of their operation and of the process.

• For information on how to use specific instructions to get and set controller system data stored in device objects, see the Logix5000 Controllers General Instructions Reference Manual, publication 1756-RM003.

• For information on controller fault codes, including major and minor codes, see the Logix5000 Controllers Common Procedures Programming Manual, publication 1756-PM001.

• For information on accessing modules’ run-time operational and process status, see the ControlLogix Analog I/O Modules User Manual, publication 1756-UM009, and the ControlLogix Digital I/O Modules User Manual, publication 1756-UM058.


C-2 Additional Information on Handling Faults in the ControlLogix System

Notes:


Appendix D

Spurious Failure Estimates

Introduction Table D.1 lists the spurious failure estimates for the ControlLogix products included in this manual. These rates are based on field return data. Therefore, new products are not included.

Table D.1 Spurious Failure Estimates for ControlLogix Products

Catalog Number: Description: MTBF (Spurious):(1) λ (Spurious):(2)

1756-Axx ControlLogix Chassis 3,606,181 (Average) 2.77E-07

1756-CNB/D ControlNet Bridge 1,237,510 8.08E-07

1756-CNB/E ControlNet Bridge NA NA

1756-CNBR/D Redundant ControlNet Bridge 518,555 1.93E-06

1756-CNBR/E Redundant ControlNet Bridge NA NA

1756-DHRIO Data Highway Plus - Remote I/O Communication Interface Module

2,217,577 4.51E-07

1756-ENBT EtherNet Bridge 595,693 1.68E-06

1756-IA16I Isolated AC Input 5,327,736 1.88E-07

1756-IA8D AC Diagnostic Input 8,008,000 1.25E-07

1756-IB16D DC Diagnostic Input 7,666,418 1.30E-07

1756-IB16I DC Isolated Input 5,988,800 1.67E-07

1756-IB16ISOE Sequence of Events Module NA NA

1756-IB32 DC Input Module 655,718 1.53E-06

1756-IF16 Single-ended Analog Input Module 817,519 1.22E-06


NA NA

1756-IF6I Isolated Analog Input Module 1,196,579 8.36E-07

1756-IF8 Analog Input 799,305 1.25E-06

1756-IH16ISOE Sequence of Events Module NA NA

1756-IR6I RTD Input 929,356 1.08E-06

1756-IT6I Thermocouple Input 447,577 2.23E-06


133,328 7.50E-06

1756-L55M13 ControlLogix 1.5Mb Controller 747,397 1.34E-06

1756-L55M16 L55 Controller w 7.5Mb Memory 717,600 1.39E-06

1756-L61 ControlLogix 2 Mb Controller NA NA



D-2 Spurious Failure Estimates


1756-OA16I AC Isolated Input 2,985,566 3.35E-07

1756-OA8D AC Diagnostic Input 6,269,120 1.60E-07

1756-OB16D DC Diagnostic Output 3,910,004 2.56E-07

1756-OB16I DC Isolated Output 1,283,270 7.79E-07

1756-OB32 DC Output Module 653,788 1.53E-06

1756-OB8EI DC Fused Output 4,804,800 2.08E-07


2,593,882 3.86E-07


4,461,184 2.24E-07

1756-OF8 Analog Output 2,600,446 3.85E-07

1756-OW16I Isolated Relay Output Module 1,728,990 5.78E-07

1756-OX8I Contact Output 3,672,760 2.72E-07

1756-PA75/A AC Power Supply 3,061,337 3.27E-07

1756-PA75/B AC Power Supply NA NA

1756-PA75R AC Redundant PS 180,528 5.54E-06

1756-PB75/A DC Power Supply 1,984,000 5.04E-07

1756-PB75/B DC Power Supply NA NA

1756-PB75R DC Redundant PS 818,688 1.22E-06

1756-PC75 DC Power supply NA NA

1756-PH75 DC Power supply NA NA

1756-PSCA Power Sup Chassis Adapter 7,425,600 1.35E-07


4,534,400 2.21E-07

1756-SYNCH SynchLink Module 2,816,320 3.55E-07

1757-SRM System Redundancy Module 315,817 3.17E-06

(1) MTBF (Spurious) = (Installed base one year ago X 4160) / Number of "No Problem Found" failures in the past 12 months (in hours)NOTE: If no "No Problem Found" failures are recorded, one (1) is assumed.

(2) λ (Spurious) = 1 / MTBF (Spurious)NA - Sufficient field data is not available

Table D.1 Spurious Failure Estimates for ControlLogix Products

Catalog Number: Description: MTBF (Spurious):(1) λ (Spurious):(2)


Appendix E

Sample Probability of Failure on Demand (PFD) Calculations

Proof Test Interval = 5 Years Table E.1 shows PFD calculations for a proof test interval of 5 years.

Table E.1 ControlLogix Product Probability of Failure on Demand Calculations – Proof Test Interval of 5 Years

Catalog Number




1756-Axx ControlLogix Chassis 36,322,045(2)

(aggregate) 2.75E-08 3.03E-05 2.43E-06



1756-CNBR/D Redundant ControlNet Br idge - Series D

3,109,957 3.22E-07 3.54E-04 3.08E-05

1756-CNBR/E Redundant ControlNet Br idge - Series E

2,864,755(3) 3.49E-07 3.84E-04 3.36E-05

1756-IA16I Isolated AC Input 15,262,520 6.55E-08 7.21E-05 5.85E-06




1756-IB16ISOE Sequence of Events 4,959,088(3) 2.02E-07 2.22E-04 1.87E-05


1756-IF8 Analog Input 2,235,008 4.47E-07 4.92E-04 4.42E-05

1756-IF16 Isolated Analog Input 2,094,159 4.78E-07 5.25E-04 4.75E-05

1756-IF6CIS Isolated Sourcing Analog Input 3,065,920 3.26E-07 3.59E-04 3.12E-05

1756-IF6I Isolated Analog Input 2,838,451 3.52E-07 3.88E-04 3.40E-05

1756-IH16ISOE Sequence of Events 6,044,122 1.65E-07 1.82E-04 1.52E-05

1756-IR6I RTD Input 3,826,296 2.61E-07 2.87E-04 2.46E-05


1756-IT6I2 Enhanced thermocouple Input 991,929 1.01E-06 1.11E-03 1.14E-04

1756-L55M13 L55 Controller w 1.5Mb Mem 2,228,750 4.49E-07 4.94E-04 4.43E-05

1756-L55M16 L55 Controller w 7.5Mb Mem 1,644,933 6.08E-07 6.69E-04 6.25E-05





E-2 Sample Probability of Failure on Demand (PFD) Calculations

1756-OA16I AC Isolated Input 10,911,086 9.16E-08 1.01E-04 8.24E-06

1756-OA8D AC Diagnostic Input 6,922,240 1.44E-07 1.59E-04 1.32E-05





1756-OF6CI Isolated analog input 9,296,907 1.08E-07 1.18E-04 9.72E-06

1756-OF6VI Isolated Analog Output 13,062,400 7.66E-08 8.42E-05 6.86E-06










1756-PC75 DC Power Supply 5,894,836 1.70E-07 1.87E-04 1.56E-05

1756-PH75 DC Power Supply 5,889,628(3) 1.70E-07 1.87E-04 1.56E-05

1756-PSCA Power Supply Chassis Adapter 45,146,727(3) 2.21E-08 2.44E-05 1.95E-06

1756-PSCA2 Redundant Power supply adapter 45,146,727(3) 2.21E-08 2.44E-05 1.95E-06







Table E.1 ControlLogix Product Probability of Failure on Demand Calculations – Proof Test Interval of 5 Years

Catalog Number





Sample Probability of Failure on Demand (PFD) Calculations E-3

Table E.2 shows an example of a PFD calculation for a safety loop involving two DC input modules used in a 1oo2 configuration and a DC output module using a proof test interval of 5 years.

Table E.2

Catalog Number: Description: MTBF: Calculated PFD:

1756-Axx ControlLogix Chassis 36,322,045 (aggregate)

3.03E-05

1756-L55M16 ControlLogix 5555 Controller

1,644,933 6.69E-04

1756-OB16D DC Output 14,321,691 7.68E-05

1756-IB16D DC Diagnostic Input 41,300,480 2.14E-07

Total PFD calculation for a safety loop consisting of these products: 7.78E-04


E-4 Sample Probability of Failure on Demand (PFD) Calculations

Notes:


Appendix F

Using ControlLogix in SIL1 Applications

When using ControlLogix products in a SIL1 application, you must use the products as described in this manual, including following all test guidelines listed. For example, perform pulse testing on diagnostic output modules as described in Chapter 6.

This appendix describes changes in the system hardware requirements for SIL1 certification.

It is assumed that the following conditions exist in SIL1 applications:

• Modules operate in a low demand applications

• Hardware Fault Tolerance (HFT) = 0

• Safe Failure Fraction (SFF) is > 60% and < 90%

• Probability of Failure on Demand (PFD) must be > 10-2 and

< 10-1

Additional Considerations Table F.1 lists additional considerations that must be made with various ControlLogix modules in a SIL1 application.

Table F.1

Module type: Additional considerations:

Controllers None. Use the controller exactly as described previously in this manual.

ControlNet modules None. Use the modules exactly as described previously in this manual.

Data Highway Plus and Ethernet modules

None. Use the modules exactly as described previously in this manual.

Digital output modules(1) Diagnostic output modules are recommended in a SIL1 application. Implement a secondary shutdown path if the SIL1 application requires a fail-safe OFF in the event of a shorted output.

Digital input modules(2) Only 1 module is required in a SIL1 application. Periodic tests of the inputs should be performed as described previously in this manual.

Analog output modules(1) Analog output modules should be wired as described previously in this manual.

Analog input modules(2) Only 1 module is required in a SIL1 application. Periodic tests of the inputs should be performed as described previously in this manual.

(1) The user should be alerted to any detected output failures.

(2) The test interval of module inputs must be specified according to application-dependent standards. For example, according to EN50156, the time for fault detection and tripping must be less than or equal to the fault tolerance time.


F-2 Using ControlLogix in SIL1 Applications

Probability of Failure on Demand Calculations in a SIL1 Application

Table F.2 lists the PFD calculations for ControlLogix products in a SIL1-certified system. These calculations use a Proof Test Interval = 1 year.

Table F.2 ControlLogix Product Probability of Failure on Demand (PFD) Calculations


λ(5) Calculated PFD in a 1oo1 architecture:

1756-Axx ControlLogix Chassis 36,322,045(2) (aggregate)

2.75E-08 6.17E-06

1756-CNB/D ControlNet Bridge - Series D 5,595,646 1.79E-07 4.00E-05

1756-CNB/E ControlNet Bridge Series E 2,944,988(3) 3.40E-07 7.61E-05

1756-CNBR/D Redundant ControlNet Bridge - Series D 3,109,957 3.22E-07 7.20E-05

756-CNBR/E Redundant ControlNet Bridge - Series E 2,864,755(3) 3.49E-07 7.82E-05

1756-IA16I AC Isolated Input 15,262,520 6.55E-08 1.47E-05

1756-IA8D AC Diagnostic Input 10,383,360 9.63E-08 2.16E-05

1756-IB16D DC Diagnostic Input 41,300,480 2.42E-08 5.42E-06

1756-IB16I DC Isolated Input 19,862,336 5.03E-08 1.13E-05

1756-IB16ISOE Sequence of Events Module 4,959,088(3) 2.02E-07 4.52E-05

1756-IB32 DC Input Module 2,468,448 4.05E-07 9.07E-05

1756-IF16 Single-ended Analog Input Module 2,094,159 4.78E-07 1.07E-04

1756-IF6CIS Isolated Sourcing Analog Input Module 3,065,920 3.26E-07 7.31E-05

1756-IF6I Isolated Analog Input Module 2,838,451 3.52E-07 7.89E-05

1756-IF8 Analog Input 2,235,008 4.47E-07 1.00E-04

1756-IH16ISOE Sequence of Events Module 6,044,122(3) 1.65E-07 3.71E-05

1756-IR6I RTD Input 3,826,296 2.61E-07 5.85E-05

1756-IT6I Thermocouple Input 3,002,035 3.33E-07 7.46E-05

1756-IT6I2 Enhanced Thermocouple Input Module 991,929 1.01E-06 2.26E-04

1756-L55M13 ControlLogix 1.5Mb Controller 2,228,750 4.49E-07 1.01E-04


1756-L61 ControlLogix 2 Mb Controller 815,822 1.23E-06 2.75E-04



1756-OA16I AC Isolated Output 10,911,086 9.16E-08 2.05E-05

1756-OA8D AC Diagnostic Output 6,922,240 1.44E-07 3.24E-05

1756-OB16D DC Diagnostic Output 14,321,691 6.98E-08 1.56E-05

1756-OB16I DC Isolated Output 2,371,445 4.22E-07 9.45E-05

1756-OB32 DC Output Module 1,278,125 7.82E-07 1.75E-04

1756-OB8EI DC Fused Output 5,853,120 1.71E-07 3.83E-05


Using ControlLogix in SIL1 Applications F-3

1756-OF6CI Isolated Analog Output Module (Current) 9,296,907 1.08E-07 2.41E-05

1756-OF6VI Isolated Analog Output Module (Voltage) 13,062,400 7.66E-08 1.71E-05

1756-OF8 Analog Output 5,717,675 1.75E-07 3.92E-05

1756-OW16I Isolated Relay Output Module 1,360,415 7.35E-07 1.65E-04

1756-OX8I Contact Output 19,281,600 5.19E-08 1.16E-05

1756-PA75/A AC Power Supply 14,538,606 6.88E-08 1.54E-05

1756-PA75/B AC Power Supply 5,513,591(3) 1.81E-07 4.06E-05

1756-PA75R AC Redundant Power Supply 296,978(4) 3.37E-06 7.54E-04

1756-PB75/A DC Power Supply 10,157,334 9.85E-08 7.30E-05

1756-PB75/B DC Power Supply 5,884,430(3) 1.70E-07 3.81E-05

1756-PB75R DC Redundant Power Supply 1,134,848(4) 8.81E-07 1.97E-04

1756-PC75 DC Power supply 5,894,836(3) 1.70E-07 3.80E-05

1756-PH75 DC Power supply 5,889,628(3) 1.70E-07 3.80E-05

1756-PSCA Power Sup Chassis Adapter Module 45,146,727(3) 2.21E-08 4.96E-06


45,146,727(3) 2.21E-08 4.96E-06

1757-SRM System Redundancy Module 835,357 1.20E-06 2.68E-04






Table F.2 ControlLogix Product Probability of Failure on Demand (PFD) Calculations


λ(5) Calculated PFD in a 1oo1 architecture:



Probability of Undetected Dangerous Failure Per Hour Calculations in a SIL1 Application

Table F.3 lists the PFH calculations for ControlLogix products in a SIL1-certified system. These calculations use a Proof Test Interval = 1 year.

Table F.3 ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations



1oo1 architecture

1756-Axx ControlLogix Chassis 36,322,045(2)

(aggregate)2.75E-08 1.38E-09

1756-CNB/D ControlNet Bridge - Series D 5,595,646 1.79E-07 8.94E-09

1756-CNB/E ControlNet Bridge - Series E 2,944,988(3) 3.40E-07 1.70E-08

1756-CNBR /D Redundant ControlNet Bridge - Series D 3,109,957 3.22E-07 1.61E-08

1756-CBNBR/E Redundant ControlNet Bridge - Series E 2,864,755(3) 3.49E-07 1.75E-08

1756-IA16I AC Isolated Input 15,262,520 6.55E-08 3.28E-09

1756-IA8D AC Diagnostic Input 10,383,360 9.63E-08 4.82E-09

1756-IB16D DC Diagnostic Input 41,300,480 2.42E-08 1.21E-09

1756-IB16I DC Isolated Input 19,862,336 5.03E-08 2.52E-09

1756-IB16ISOE Sequence of Events Module 4,959,088(3) 2.02E-07 1.01E-08

1756-IB32 DC Input Module 2,468,448 4.05E-07 2.03E-08

1756-IF16 Single-ended Analog Input Module 2,235,008 4.47E-07 2.24E-08

1756-IF6CIS Isolated Sourcing Analog Input Module 2,094,159 4.78E-07 2.39E-08

1756-IF6I Isolated Analog Input Module 3,065,920 3.26E-07 1.63E-08

1756-IF8 Analog Input 2,838,451 3.52E-07 1.76E-08

1756-IH16ISOE Sequence of Events Module 6,044,122(3) 1.65E-07 8.27E-09

1756-IR6I RTD Input 3,826,296 2.61E-07 1.31E-08

1756-IT6I Thermocouple Input 3,002,035 3.33E-07 1.67E-08

1756-IT6I2 Enhanced Thermocouple Input Module 991,929 1.01E-06 5.04E-08


1756-L55M16 ControlLogix 5555 Processor 1,644,933 6.08E-07 3.04E-08




1756-OA16I AC Isolated Output 10,911,086 9.16E-08 4.58E-09

1756-OA8D AC Diagnostic Output 6,922,240 1.44E-07 7.22E-09

1756-OB16D DC Diagnostic Output 14,321,691 6.98E-08 3.49E-09

1756-OB16I DC Isolated Output 2,371,445 4.22E-07 2.11E-08

1756-OB32 DC Output Module 1,278,125 7.82E-07 3.91E-08


Using ControlLogix in SIL1 Applications F-5

1756-OB8EI DC Fused Output 5,853,120 1.71E-07 8.54E-09

1756-OF6CI Isolated Analog Output Module (Current) 9,296,907 1.08E-07 5.38E-09

1756-OF6VI Isolated Analog Output Module (Voltage) 13,062,400 7.66E-08 3.83E-09

1756-OF8 Analog Output 5,717,675 1.75E-07 8.74E-09

1756-OW16I Isolated Relay Output Module 1,360,415(3) 7.35E-07 3.68E-08

1756-OX8I Contact Output 19,281,600 5.19E-08 2.59E-09

1756-PA75/A AC Power Supply 14,538,606 6.88E-08 3.44E-09

1756-PA75/B AC Power Supply 5,513,591(3) 1.81E-07 9.07E-09

1756-PA75R AC Redundant Power Supply 296,978(4) 3.37E-06 1.68E-07

1756-PB75/A DC Power Supply 10,157,334 9.85E-08 4.92E-09

1756-PB75/B DC Power Supply 5,884,430(3) 1.70E-07 8.50E-09

1756-PB75R DC Redundant Power Supply 1,134,848(4) 8.81E-07 4.41E-08

1756-PC75 DC Power supply 5,894,836(3) 1.70E-07 8.48E-09

1756-PH75 DC Power supply 5,889,628(3) 1.70E-07 8.49E-09

1756-PSCA Power Supply Chassis Adapter 45,146,727(3) 2.21E-08 1.11E-09


45,146,727(3) 2.21E-08 1.11E-09

1757-SRM System Redundancy Module 835,357 1.20E-06 5.99E-08

(1) MTBF measured in hours. The values used here represent those values available in September 2006.





Table F.3 ControlLogix Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations



1oo1 architecture



Notes:


Index

AAgency certifications 1-21Analog input modules 6-13–6-19Analog output modules 6-20–6-24Application program

Programming languages 9-4SIL task/program instructions 9-4Technical SIL2 requirements 9-1–9-8

ArchitectureOverview of ControlLogix architecture

2-2

CCalibration 6-13, 6-20Chassis 3-2Commissioning life cycle 9-5Communication

ControlNet 2-6, 5-2Ethernet 5-3Field side output verification 2-4Output data echo 2-4, 6-8Producer/consumer model 2-2

Communications modules 5-1–5-5ControlNet module 5-2Documentation 5-5Ethernet module 5-3Usage recommendations 5-4

Control and information protocolDefinition Preface-vii

Controller 4-1–4-2Documentation 4-2Usage recommendations 4-2

ControlLogix architecture 2-2ControlNet module 5-2

DDiagnostic coverage

Definition Preface-viiDocumenation

Controller 4-2Documentation

Communications modules 5-5Hardware 3-4

EEthernet module 5-3

European norm.Definition Preface-vii

FFault handling 2-3, 7-1–7-3, B-1, C-1Fault reporting 2-3, 6-4, 7-1–7-3, B-1,

C-1Analog input modules 6-14Analog output modules 6-21Digital input modules 6-6Digital output modules 6-8, 6-12

Field side output verification 2-4Forcing via software 8-4

GGet system value (GSV)

Defintion Preface-vii

HHardware 3-1–3-4

Chassis 3-2Documentation 3-4Power supplies 3-2–3-3Usage recommendations 3-3

Human to machine interfacesUse and application 10-1–10-3

II/O modules 6-1–6-26

Analog input modules 6-13–6-19Analog output modules 6-20–6-24Calibration 6-13, 6-20Digital input modules 6-5–6-6Digital output modules 6-7–6-12Fault reporting 6-4, 6-6, 6-8, 6-12,

6-14, 6-21Proof tests 6-5, 6-7, 6-13, 6-20Response times A-1–A-4Wiring analog input modules 6-16–

6-19Wiring analog output modules 6-23–

6-24Wiring digital input modules 6-6Wiring digital output modules 6-10–

6-12Interface

HMI use and application 10-1–10-3


2 Index

MMean time between failures (MTBF)

Definition Preface-viiMean time to restoration

Definition Preface-vii

OOperational modes 8-5Output data echo 2-4, 6-8

PPower supplies 3-2–3-3

Non-redundant 3-2Redundant 3-3

Probability of failure on demand (PFD) 1-12–1-19

Calculation equation 1-13Calculations for each catalog number

1-14, E-1, F-2Definition Preface-vii

Probability of failure per hour (PFH) 1-12–1-19

Calculation equation 1-14Calculations for each catalog number

1-17, F-4Definition Preface-vii

Producer/consumer communication model 2-2

Programming languages 9-4Proof tests 1-6, 6-5, 6-7, 6-13, 6-20Pulse test 2-5

RResponse times A-1–A-4RSLogix 5000 Preface-vii, 2-6

Changing your application program 9-6Commissioning life cycle 9-5Forcing 8-4General requirements 8-1–8-6Programming languages 9-4Security 8-4SIL task/program instructions 9-4SIL2 programming 8-2

SSafety certifications and compliances

For ControlLogix catalog numbers 1-12Security via software 8-4SIL compliance

Distribution and weight 1-20SIL loop example 1-4, 1-5SIL policy 1-1–1-23SIL2 requirements

For the application program 9-1–9-8SIL2-certified components

Complete list of ControlLogix catalog numbers 1-8

SoftwareChanging your application program 9-6Commissioning life cycle 9-5Forcing 8-4General requirements 8-1–8-6Programming languages 9-4RSLogix 5000 Preface-vii, 2-6Security 8-4SIL task/program instructions 9-4SIL2 programming 8-2

Software watchdog 1-23Spurious failure estimates D-1System hardware 3-1–3-4

Chassis 3-2Documentation 3-4Power supplies 3-2–3-3Usage recommendations 3-3

TTerminology

Used throughout manual Preface-vii

WWatchdog 1-23Wiring I/O modules

Analog input modules 6-16–6-19Analog output modules 6-23–6-24Digital input modules 6-6Digital output modules 6-10–6-12


How Are We Doing?Your comments on our technical publications will help us serve you better in the future.Thank you for taking the time to provide us feedback.

You can complete this form and mail (or fax) it back to us or email us at
[email protected]
Please complete the sections below. Where applicable, rank the feature (1=needs improvement, 2=satisfactory, and 3=outstanding).

Pub. Title/Type Using ControlLogix in SIL2 Applications

Cat. No. 1756 Series Pub. No. 1756-RM001E-EN-P Pub. Date November 2006 Part No. 953014-96

Overall Usefulness 1 2 3 How can we make this publication more useful for you?

Completeness(all necessary information

is provided)

1 2 3 Can we add more information to help you?

procedure/step illustration feature

example guideline other

explanation definition

Technical Accuracy(all provided information

is correct)

1 2 3 Can we be more accurate?

text illustration

Clarity(all provided information is

easy to understand)

1 2 3 How can we make things clearer?

Other Comments You can add additional comments on the back of this form.

Your Name

Your Title/Function Would you like us to contact you regarding your comments?

Location/Phone ___No, there is no need to contact me

___Yes, please call me

___Yes, please email me at _______________________

___Yes, please contact me via _____________________

Return this form to: Rockwell Automation Technical Communications, 1 Allen-Bradley Dr., Mayfield Hts., OH 44124-9705

Fax: 440-646-3525 Email: [email protected]

Publication CIG-CO521C-EN-P- May 2003 PN953014-96957782-91

Other Comments

PLEASE FOLD HERE

NO POSTAGE NECESSARY IF MAILED

IN THE UNITED STATES

BUSINESS REPLY MAILFIRST-CLASS MAIL PERMIT NO. 18235 CLEVELAND OH

POSTAGE WILL BE PAID BY THE ADDRESSEE

1 ALLEN-BRADLEY DRMAYFIELD HEIGHTS OH 44124-9705

PLEASE FASTEN HERE (DO NOT STAPLE)

PLEA

SE R

EMOV

E

Publication 1756-RM001E-EN-P - November 2006 2 PN 953014-96Supersedes Publication 1756-RM001D-EN-P - January 2005 Copyright © 2006 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.

Rockwell Automation Support

Rockwell Automation provides technical information on the Web to assist you in using its products. At http://support.rockwellautomation.com, you can find technical manuals, a knowledge base of FAQs, technical and application notes, sample code and links to software service packs, and a MySupport feature that you can customize to make the best use of these tools.

For an additional level of technical phone support for installation, configuration, and troubleshooting, we offer TechConnect Support programs. For more information, contact your local distributor or Rockwell Automation representative, or visit http://support.rockwellautomation.com.

Installation Assistance

If you experience a problem with a hardware module within the first 24 hours of installation, please review the information that's contained in this manual. You can also contact a special Customer Support number for initial help in getting your module up and running.

New Product Satisfaction Return

Rockwell tests all of its products to ensure that they are fully operational when shipped from the manufacturing facility. However, if your product is not functioning, it may need to be returned.

United States 1.440.646.3223Monday – Friday, 8am – 5pm EST

Outside United States

Please contact your local Rockwell Automation representative for any technical support issues.

United States Contact your distributor. You must provide a Customer Support case number (see phone number above to obtain one) to your distributor in order to complete the return process.

Outside United States

Please contact your local Rockwell Automation representative for return procedure.

http://support.rockwellautomation.com

http://support.rockwellautomation.com

Documents

Using ControlLogix in SIL2 Applications - e-applied.com.t ControlL… · Using ControlLogix in SIL2 Applications ... Sample Probability of ... ControlLogix system via RSLogix 5000