Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.Rockwell Automation TechED 2015 @ROKTechED #ROKTechED
PUBLIC INFORMATION
Advanced Programming Techniques for Machinery Safety Applications
Let's Define Safety for the Next Hour
Highest safety risk levels:
SIL 3
PLe (typically requires CAT4)
Learning about Safety
What is the correct answer to the following questions?
Can I wire an Emergency Stop into a Safety Input module?
Does a monitoring circuit have to be wired to a safety input?
Can I use wireless in a safety function?
Answer: Well, that depends!
In My Opinion, Here are the Answers
Can I wire an Emergency Stop into a Safety Input module? Yes
Does a monitoring circuit have to be wired to a safety input? No
Can I use wireless in a safety function? Yes, with CIP Safety
GuardLogix® Safety Controllers
Compact GuardLogix® 1768-L4xS
GuardLogix® 1756-L6xS/LSP
GuardLogix® 1756-L7xS/L7SP
Logix Integrated Safety Controllers: Safety, Standard, Process and Motion in one Integrated Architecture®
Agenda
Safety Task
Safety I/O and supporting safety instructions
Safety Input Instructions
Safety Output Instructions
Diagnostics
Protection from Unwanted Change
Safety and Standard Task
Standard code runs in the standard task and safety code runs in the safety task (screenshots of the two tasks in the controller organizer).
Separation Between Safe and Standard Task/Tags
Mapping Tool – maps standard tag(s) to safety tag(s)
Allows standard tag(s) to be used within safety task
Most Standard Tags can be Mapped
Standard BOOL tags shown here
I/O Tags can be Mapped
Standard I/O Module defined tag(s) can be mapped
UDTs can be Mapped
UDT - User-Defined Type (a user-defined data type)
UDT Member Used in Safety Task
Alias Tags cannot be Mapped
Alias tags cannot be used in mapping tool
Safety I/O (Ethernet)
Block
1791ES-IB16: 24Vdc sinking inputs
1791ES-IB8xOBV4: 24Vdc sinking inputs, 24Vdc bipolar outputs (switch both 24V and COM)
1732ES-IB12XOBV2: 12 single-channel inputs (6 dual) + 2 dual-channel bipolar outputs
1732ES-IB12XOB4: 12 single-channel inputs (6 dual) + 2 dual-channel sourcing outputs
Point
1734-IB8S: 24Vdc sinking inputs
1734-OB8S: 24Vdc sourcing outputs
1734-IE4S: current / voltage / tachometer analog inputs
Function Blocks
Taken from ISO 13849
Rockwell Automation® provides a library of certified function blocks (instructions), in two generations: the initial release and the updated instructions
Agenda
Diagnostics
Safety Output Instructions
Safety Input Instructions
Safety I/O and supporting safety instructions
Safety Task
Protection from Unwanted Change
All Certified Safety Input Instructions are Dual Channel
Dual channel instructions help ensure both channels are within tolerance
If they remain out of tolerance for longer than the discrepancy time, a fault is declared
DCS Instruction
Dual Channel Input Stop; DCS is the base safety input instruction
Input Type: Equivalent or Complementary
Discrepancy Time: how long the inputs can be diverse before a fault is declared
Restart Type: is 'Reset' required to set O1 HI? AUTOMATIC – NO; MANUAL – YES
Cold Start Type: is a demand/cycle required on power-up? AUTOMATIC – NO; MANUAL – YES
Input Status: is the input channel data valid? If LO, output O1 is de-energized
Reset: resets faults (FP); restarts O1 if configured for manual 'Restart Type'
Differences Between Initial and Updated Input Instructions
RIN/DIN replaced by 'Input Type' (Equivalent or Complementary)
Configurable Discrepancy Time
Restart and Cold Start separate
One Reset tag (Circuit and Fault Reset used to be separate)
Input Status added
DCST Instruction
Dual Channel Input Stop with Test
Test Request generates the Test Command output (TC)
The Test Command output is used to force a functional test of the device
Inputs are cycled from active to safe to active state; wiring faults can be detected during the test
Output (O1) is de-energized during the test
DCSTL Instruction
Dual Channel Input Stop with Test and Lock
Unlock Request & Hazard Stopped: generates the unlock command (ULC) upon request if the hazard is stopped
Lock Feedback: monitors the lock contact(s)
DCSTM Instruction
Dual Channel Input Stop with Test and Mute
Mute: channels can go LO without affecting output (O1)
Muting Lamp (ML): HI when in muted mode
Muting Lamp Status: monitors the lamp bulb (typically Test Outputs 03 / 07 have current monitoring)
Safe State (SS): shows the state of the input channels in muted mode
Test Type: Active for light curtains that test themselves; Manual for devices that must be tested manually
DCA Instruction
Dual Channel Analog
Safety analog inputs (1734-IE4S)
Dual channel
Fault (FP) if the channels are out of tolerance for longer than the discrepancy time
High and low limit trip point alarms (HTP and LTP)
DCAF supports floating point (L7xS only)
Simple Safety Interlock Code
Typically no input conditions on the rung: if the instruction is scanned false it resets and the FP state is lost
Output Function Blocks
The ROUT and CROUT are the only instructions for safety output devices
CROUT is the updated safety output instruction
CROUT Instruction
Configurable Redundant Output
Feedback Type: Positive or Negative
Reaction Time: how long to wait for feedback to follow the outputs before a fault is declared
Actuate: no restart function; outputs O1 and O2 simply follow Actuate if there are no faults
Input and Output Status (embedded interlocks): is the feedback data valid? Are the output channels being driven by CROUT fault free?
Reset: resets feedback faults (FP)
ROUT versus CROUT Instruction
CROUT has Configurable Feedback Reaction Time
CROUT added Input and Output Status
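The CROUT parameters above (Feedback Type, Reaction Time, Actuate with no restart function, the embedded status interlocks and Reset) can be exercised against a constructed contactor with an N.C. mirror contact. The code below is an added example written for this page, not Rockwell code and not the certified instruction: the meaning of Positive/Negative feedback, the rising-edge behaviour of Reset and the contactor timing are assumptions, marked in the comments. The welded-contact case shows why the reaction timer matters: the contactor never drops out, the feedback never follows the de-energized outputs, FP is set, and a later Actuate and Reset cannot re-energize the outputs while the feedback is still inconsistent.

```python
from dataclasses import dataclass


@dataclass
class CROUT:
    """Model of the Configurable Redundant Output instruction (added example, not the certified instruction)."""
    feedback_positive: bool = True   # assumed: Positive = feedback follows the outputs; Negative = opposite (N.C. mirror contacts)
    reaction_time_ms: int = 200      # how long feedback may lag the outputs before FP is declared
    o1: bool = False
    o2: bool = False
    fp: bool = False                 # fault present
    _mismatch_ms: int = 0
    _last_reset: bool = False

    def scan(self, actuate: bool, fb1: bool, fb2: bool, input_status: bool,
             output_status: bool, reset: bool, dt_ms: int) -> bool:
        rising_reset = reset and not self._last_reset   # assumed: Reset acts on its rising edge
        self._last_reset = reset
        healthy = input_status and output_status        # embedded interlocks: feedback valid, output channels fault free
        commanded = bool(actuate) and healthy and not self.fp   # no restart function: outputs just follow Actuate
        expected = commanded if self.feedback_positive else not commanded
        consistent = fb1 == expected and fb2 == expected
        if consistent:
            self._mismatch_ms = 0
        else:
            self._mismatch_ms += dt_ms
            if self._mismatch_ms > self.reaction_time_ms:
                self.fp = True                          # feedback did not follow within Reaction Time
        if not healthy:
            self.fp = True
        if rising_reset and consistent and healthy:
            self.fp, self._mismatch_ms = False, 0       # Reset clears the feedback fault once its cause is gone
        self.o1 = self.o2 = commanded and not self.fp
        return self.o1


@dataclass
class Contactor:
    """Constructed plant model: coil pulls in or drops out after delay_ms; an N.C. mirror contact gives negative feedback."""
    delay_ms: int = 100
    welded: bool = False      # welded main contacts cannot drop out
    engaged: bool = False
    _target: bool = False
    _pending_ms: int = 0

    def drive(self, coil: bool, dt_ms: int) -> bool:
        """Apply the coil for dt_ms; return the mirror contact, closed (True) only when not engaged."""
        if coil != self._target:
            self._target, self._pending_ms = coil, 0
        if self.engaged != self._target:
            self._pending_ms += dt_ms
            if self._pending_ms >= self.delay_ms and not (self.welded and not self._target):
                self.engaged = self._target
        return not self.engaged


def run_edm(welded: bool, dt_ms: int = 100, steps: int = 8):
    """Energize, de-energize, then demand again and pulse Reset; returns (crout, contactor, trace)."""
    crout, k1, trace = CROUT(feedback_positive=False), Contactor(welded=welded), []
    fb = k1.drive(False, dt_ms)            # mirror contact closed: contactor open at start

    def step(actuate, reset=False):
        nonlocal fb
        crout.scan(actuate, fb, fb, True, True, reset, dt_ms)   # both feedback channels read the same mirror contact
        fb = k1.drive(crout.o1, dt_ms)
        trace.append((crout.o1, fb, crout.fp))

    for _ in range(steps):
        step(True)                          # run: contactor pulls in, feedback follows within one scan
    for _ in range(steps):
        step(False)                         # stop: a welded contactor keeps feedback inconsistent
    step(True)                              # new demand: refused while FP is set
    step(True, reset=True)                  # Reset cannot clear FP while feedback is still wrong
    return crout, k1, trace
```

With the healthy contactor the trace shows one scan of mismatch at each transition (inside the 200 ms reaction time) and no fault; with the welded contactor FP is set on the third scan after de-energizing and stays set through the Reset pulse.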
What Instructions Would be Used for Single Channel Safety Circuits/Loops?
Digital / Boolean: XIC, OTE
Analog / Compare: LES, GRT
Note that even these instructions have been certified by TÜV; that is why they carry the red triangle and why they are available in the safety task
Diagnostics
How to Configure Safety Input Channels
Channel Configuration: Single or Equivalent?
Where to Detect Discrepancy Faults
Timing diagram: channel A and channel B each switch between LO and HI; the discrepancy time is the tolerance window within which the two channels may differ. Detection can be done in software (in the controller) or in hardware (in the input module).
Safety Input Configuration
Safety inputs can be configured for:
Single (software discrepancy detection)
Dual (hardware discrepancy detection), either Equivalent or Complementary
What the Module Sends if Single
If channels 2 and 3 are diverse, the actual data is sent to the controller
Diversity is detected in controller software
What the Module Sends if Dual/Equivalent
Even if channels 2 and 3 are diverse, equivalent data is sent to the controller
Diversity is masked from the controller
Most Customers do BOTH: DCS and Equivalent
If channels 0 and 1 are configured for Equivalent, the actual channel data is sent to the controller / DCS
No fault in the module input tags
No fault on the DCS instruction
All channel status bits are HI (good)
When a Discrepancy Fault Occurs (Equivalent)
If channels 0 and 1 are configured for Equivalent, 0/0 data is sent to the controller / DCS
Channel status bits are LO (faulted): the discrepancy causes the channels to fault
FP (Fault Present) on the DCS instruction
When a Discrepancy Fault Occurs (Single)
If channels 0 and 1 are configured for Single, 0/1 data is sent to the controller / DCS
Channel status bits are HI (no channel faults)
FP (Fault Present) on the DCS instruction
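The two detection paths described on this page, the DCS instruction parameters (Input Type, Discrepancy Time, Restart Type, Cold Start Type, Input Status, Reset) and the module-side Single versus Dual/Equivalent configuration, can be run together in a small simulation. The code below is an added example written for this page, not Rockwell code and not the certified instruction or module firmware; its scan timing, rising-edge Reset handling, the "run permitted" channel convention and the data a Dual module sends while still inside the discrepancy window are assumptions marked in the comments. The same scan sequence (run, channel B opens, channel B recovers, Reset pulse) is driven through both configurations so the difference in what the controller sees is visible in the trace.

```python
from dataclasses import dataclass
from enum import Enum


class InputType(Enum):
    EQUIVALENT = "equivalent"        # channels normally in the same state
    COMPLEMENTARY = "complementary"  # channels normally in opposite states


class ChannelMode(Enum):
    SINGLE = "single"  # module forwards actual data; discrepancy found in controller software
    DUAL = "dual"      # module pairs the points; discrepancy found in module hardware


def channels_agree(a: bool, b: bool, kind: InputType) -> bool:
    return (a == b) if kind is InputType.EQUIVALENT else (a != b)


def pair_active(a: bool, b: bool, kind: InputType) -> bool:
    """'Run permitted' state. Assumed convention: equivalent = both HI; complementary = A HI, B LO."""
    return a and (b if kind is InputType.EQUIVALENT else not b)


@dataclass
class SafetyInputPair:
    """Module-side model of two paired input points (hardware discrepancy detection)."""
    mode: ChannelMode
    kind: InputType = InputType.EQUIVALENT
    discrepancy_time_ms: int = 500
    faulted: bool = False
    _diverse_ms: int = 0

    def scan(self, a: bool, b: bool, dt_ms: int):
        """Return (data_a, data_b, status_a, status_b) as sent to the controller."""
        if self.mode is ChannelMode.SINGLE:
            return a, b, True, True               # actual data; channel status stays HI
        if self.faulted:
            return False, False, False, False     # 0/0 data, channel status LO (latched in this model)
        if channels_agree(a, b, self.kind):
            self._diverse_ms = 0
            return a, b, True, True
        self._diverse_ms += dt_ms
        if self._diverse_ms > self.discrepancy_time_ms:
            self.faulted = True                   # discrepancy fault declared by the module
            return False, False, False, False
        return False, False, True, True           # assumed: diversity masked by sending the safe state, no fault yet


@dataclass
class DCS:
    """Controller-side model of the Dual Channel Input Stop instruction (software discrepancy detection)."""
    kind: InputType = InputType.EQUIVALENT
    discrepancy_time_ms: int = 500
    manual_restart: bool = False     # Restart Type MANUAL: Reset needed to set O1 HI again after a stop
    manual_cold_start: bool = False  # Cold Start Type MANUAL: demand cycle needed after power-up
    o1: bool = False
    fp: bool = False                 # fault present
    _diverse_ms: int = 0
    _needs_reset: bool = False
    _needs_cycle: bool = False
    _last_reset: bool = False

    def __post_init__(self):
        self._needs_cycle = self.manual_cold_start

    def scan(self, a: bool, b: bool, input_status: bool, reset: bool, dt_ms: int, rung_in: bool = True) -> bool:
        if not rung_in:              # scanned false: the instruction resets and FP state is lost
            self.o1 = self.fp = self._needs_reset = self._last_reset = False
            self._diverse_ms, self._needs_cycle = 0, self.manual_cold_start
            return False
        rising_reset = reset and not self._last_reset   # assumed: Reset acts on its rising edge
        self._last_reset = reset
        agree, active = channels_agree(a, b, self.kind), pair_active(a, b, self.kind)
        if agree:
            self._diverse_ms = 0
        else:
            self._diverse_ms += dt_ms
            if self._diverse_ms > self.discrepancy_time_ms:
                self.fp = True       # channels diverse for longer than Discrepancy Time
        if not input_status:
            self.fp = True           # module reports the channel data as invalid
        if agree and not active:
            self._needs_cycle = False    # a demand cycle (safe state) has been seen
        if rising_reset and agree and input_status:
            self.fp, self._diverse_ms = False, 0
        if self.fp or not input_status or not active or self._needs_cycle:
            if self.o1:
                self._needs_reset = self.manual_restart   # O1 dropped: manual restart now needs Reset
            self.o1 = False
        elif not self._needs_reset or rising_reset:
            self._needs_reset, self.o1 = False, True
        return self.o1


def run_scenario(mode: ChannelMode, drop_ms: int, manual_restart: bool = False, dt_ms: int = 100):
    """Constructed sequence: run, channel B opens for drop_ms, recovers, then a Reset pulse."""
    module, dcs, trace = SafetyInputPair(mode), DCS(manual_restart=manual_restart), []

    def step(a, b, reset=False):
        da, db, sa, sb = module.scan(a, b, dt_ms)
        o1 = dcs.scan(da, db, sa and sb, reset, dt_ms)
        trace.append((da, db, sa and sb, o1, dcs.fp))   # (data A, data B, input status, O1, FP)

    step(True, True)
    for _ in range(drop_ms // dt_ms):
        step(True, False)
    step(True, True)
    step(True, True)
    step(True, True, reset=True)
    return module, dcs, trace
```

In Single mode the controller sees 1/0 with status HI and the DCS instruction itself declares FP after its own discrepancy time; a Reset then clears the fault and, with automatic restart, O1 comes straight back. In Dual/Equivalent mode the controller only ever sees 0/0: inside the window with status HI (no fault anywhere, just a stop), and after the module faults with status LO, which the DCS turns into FP through Input Status; a controller-side Reset does not clear it because the module is still reporting the fault.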
Software Based Discrepancy Detection
Hardware Based Discrepancy Detection (module status screenshot; fault shown: Code 02: Pulse Test Fault)
Protection from Unwanted Change
Safety systems need to help protect against the following, whether malicious or inadvertent:
Offline edits to the safety program
Online changes to the safety program
Parameter changes from HMIs
Program downloads that overwrite the safety program
Protection from Unwanted Change
GuardLogix® uses signature and lock:
Offline edits to the safety program: Safety Signature or Safety Lock
Online changes to the safety program: Safety Signature or Safety Lock
Parameter changes from HMIs: Safety Signature
Program downloads that overwrite the safety program: Safety Lock
Safety Signature
With a signature in place:
Offline edits cannot be made to the safety task
Online changes cannot be made to the safety task
Forcing of safety I/O is prohibited
External devices, such as HMIs or the standard portion of cGLX, are prohibited from writing into safety memory on the cGLX controller
Background memory check between the primary and partner is begun
SAFETY RUN status indicator on the partner goes solid green
Note the partner always runs the safety task, even without a signature
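The signature-and-lock rules listed above are easy to get wrong when reasoning about which change path is blocked by which mechanism, so here they are as an executable model. This is an added example written for this page, not GuardLogix firmware and not Rockwell's signature algorithm: the signature is modelled as a digest over the safety task content, the lock is modelled as refusing a download whose safety task differs from the locked one, and the ordering "unlock before deleting the signature" is an assumption, all marked in the comments. The `signature_valid` check stands in for the background memory check: any change to safety memory that bypassed the gated paths makes the stored signature no longer match the content.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class SafetyTask:
    """Constructed stand-in for the safety task content: routines and safety tags."""
    routines: dict = field(default_factory=dict)
    tags: dict = field(default_factory=dict)

    def digest(self) -> str:
        canon = json.dumps({"routines": self.routines, "tags": self.tags}, sort_keys=True)
        return hashlib.sha256(canon.encode()).hexdigest()[:16]


Result = Tuple[bool, str]


class GuardedController:
    """Model of the signature-and-lock rules (added example, not GuardLogix firmware)."""

    def __init__(self, task: SafetyTask):
        self.task = task
        self.signature: Optional[str] = None   # assumed: a digest of the safety task content
        self.locked = False

    def lock(self) -> None:
        self.locked = True

    def unlock(self) -> None:
        self.locked = False

    def generate_signature(self) -> str:
        self.signature = self.task.digest()
        return self.signature

    def delete_signature(self) -> Result:
        if self.locked:
            return False, "refused: unlock first"      # assumed ordering: the lock protects the signature
        self.signature = None
        return True, "signature deleted"

    def signature_valid(self) -> bool:
        """Background memory check: does the safety task still match what was signed?"""
        return self.signature is not None and self.signature == self.task.digest()

    def edit_safety_routine(self, name: str, rungs: list) -> Result:
        """Offline or online edit of the safety task: blocked by Safety Signature or Safety Lock."""
        if self.signature is not None:
            return False, "refused: safety signature present"
        if self.locked:
            return False, "refused: safety locked"
        self.task.routines[name] = rungs
        return True, "edited"

    def external_write(self, source: str, tag: str, value) -> Result:
        """HMI or standard-task write into safety memory: blocked by Safety Signature."""
        if self.signature is not None:
            return False, f"refused: {source} cannot write safety memory while signed"
        self.task.tags[tag] = value
        return True, "written"

    def force_safety_io(self, point: str, state: bool) -> Result:
        """Forcing safety I/O: prohibited while a signature exists."""
        if self.signature is not None:
            return False, "refused: forcing prohibited while signed"
        self.task.tags[point] = state      # model: a force simply overrides the point's value
        return True, "forced"

    def download(self, new_task: SafetyTask) -> Result:
        """Project download: Safety Lock refuses a project whose safety task differs from the locked one."""
        if self.locked and new_task.digest() != self.task.digest():
            return False, "refused: safety locked and the safety task differs"
        keep = self.signature is not None and new_task.digest() == self.signature
        self.task, self.signature = new_task, (self.signature if keep else None)   # signature survives only with the signed task
        return True, "downloaded"
```

Note what the model makes explicit: the signature gates writes and edits but not downloads, the lock gates downloads but not HMI writes, so both are needed to cover the four rows of the table; and the signature check only reports drift, it does not prevent it, which is why the write paths themselves must be gated.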
What Prevents Inadvertently Downloading a Project with a Different Safety Task?
Safety Lock
www.rockwellautomationteched.com
Questions?