SF01 - Advanced Programming Techniques for Safety Applications

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

PUBLIC INFORMATION

Advanced Programming Techniques for Machinery Safety Applications


Lets Define Safety for the Next Hour

Highest safety risk levels:

SIL 3

PLe (typically requires CAT4)


Learning about Safety

Can I wire an Emergency Stop into a Safety Input module ?

Does a monitoring circuit have to be wired to a safety input ?

Can I use wireless in a safety function ?

What is the correct answer to the following questions?


Learning about Safety

Can I wire an Emergency Stop into a Safety Input module ?



What is the correct answer to the following questions?

Answer: Well, that depends!


In My Opinion, Here are the Answers

Can I wire an Emergency Stop into a Safety Input module ? Yes




In My Opinion, Here are the Answers


Does a monitoring circuit have to be wired to a safety input ? No



In my opinion, here are the answers


Does a monitoring circuit have to be wired to a safety input ? No

Can I use wireless in a safety function ? Yes, with CIP safety


GuardLogix® Safety Controllers

Compact

GuardLogix®

1768-L4xS

GuardLogix®

1756-L6xS/LSP

GuardLogix®

1756-L7xS/L7SP

Logix Integrated Safety Controllers

Safety

Standard

Process

Motion

Integrated Architecture®


Agenda

Diagnostics

Safety Output Instructions

Safety Input Instructions

Safety I/O and supporting safety instructions

Safety Task

Protection from Unwanted Change


Agenda

Diagnostics




Safety Task



Safety and Standard task

Standard Code

Safety Code


Standard Task

Standard Task


Safety Task

Safety Task


Separation Between Safe and Standard Task/Tags

Mapping Tool – maps standard tag(s) to safety tag(s)

Allows standard tag(s) to be used within safety task


Most Standard Tags can be Mapped

Standard BOOL tags shown here


I/O Tags can be Mapped

Standard I/O Module defined tag(s) can be mapped


UDTs can be Mapped

UDT - User Defined Tag


UDT Member Used in Safety Task


Alias Tags cannot be Mapped

Alias tags cannot be used in mapping tool


Agenda

Diagnostics




Safety Task



Safety I/O (Ethernet)

Block

1791ES-IB16

24Vdc sinking inputs

1791ES-IB8xOBV4


24Vdc bipolar outputs (switch both 24V and COM)

1732ES-IB12XOBV2

12 single channel input (6 dual)+ 2 dual channel bipolar

output

1732ES-IB12XOB4

12 single channel input (6 dual)+ 2 dual channel

sourcing output

Point

1734-IB8S


1734-OB8S

24Vdc sourcing outputs

1734-IE4S

Current / voltage / tachometer analog inputs


Function Blocks

Taken from ISO-13849


Function Blocks

Rockwell Automation® provides a library of certified function blocks (instructions)


Function Blocks

Rockwell Automation® provides a library of certified function blocks (instructions)

Initial ReleaseUpdated


Agenda

Diagnostics




Safety Task



All Certified Safety Input Instructions are Dual Channel

Dual channel instructions help ensure both channels are within tolerance

If they remain out of tolerance for longer than the discrepancy time, a fault is declared


DCS Instruction

Dual Channel Input Stop - DCS is the base safety input instruction


DCS Instruction

Dual channel Input Stop

Input Type

Equivalent or Complementary

Discrepancy Time

How long can the inputs be diverse before a fault is declared

Restart Type

Is ‘Reset’ required to set O1 HI ?

AUTOMATIC – NO

MANUAL - YES

Cold Start Type

Is demand /cycle required on power-up ?

AUTOMATIC – NO

MANUAL – YES

Input Status

Is input channel data valid ?

If LO, output O1 is de-energized

Reset

Reset faults (FP)

Restarts O1 if configured for manual ‘Restart Type’


Differences Between Initial and Updated Input Instructions

RIN/DIN; replaced by ‘Input Type’ (Equivalent or Complementary)

Configurable Discrepancy Time

Restart and Cold Start separate

One Reset tag (Circuit and Fault Reset used to be separate)

Input Status added


DCST Instruction

Test Request Generates Test Command output (TC)

Test Command output Used to force functional test of device

Inputs cycled from active to safe to active state Wiring faults can be detected during test

Output (O1) de-energized during test

Dual channel input Stop with Test


DCSTL Instruction

Unlock Request & Hazard Stopped Generates unlock command (ULC) upon request if hazard stopped

Lock Feedback Monitors Lock contact(s)

Dual channel input Stop with Test and Lock


Mute Channels can go LO without affecting output (O1)

Muting Lamp (ML) HI when in muted mode

Muting Lamp Status Monitors lamp bulb (typically Test Outputs 03 / 07

have current monitoring)

Safe State (SS) shows state of input channels in muted mode

Test Type can be active for light curtains that test themselves

Manual for devices that must be tested manually

DCSTM Instruction

Dual channel input Stop with Test and Mute


DCA Instruction

Safety Analog Inputs (1734-IE4S)

Dual channel

Fault (FP) if channels out of tolerance for longer than discrepancy time

High and Low limit trip point alarms (HTP and LTP)

DCAF supports floating point (L7xS only)

Dual channel Analog


Simple Safety Interlock Code


Typically No Input Conditions on Rung

Instruction resets if scanned false; FP state lost


Agenda

Diagnostics




Safety Task



Output Function Blocks

The ROUT and CROUT are the only instructions for safety output devices



CROUT is the updated safety output instruction


CROUT Instruction

Configurable Redundant OUTput Feedback Type

Positive or Negative

Reaction Time

How long to wait for feedback to follow

outputs before a fault is declared

Actuate

No restart function

Outputs O1 and O2 simply follow actuate

if no faults

Input and Output Status (embedded interlocks)

Is feedback data valid ?

Are output channels being driven by

CROUT fault free ?

Reset

Reset feedback faults (FP)


ROUT versus CROUT Instruction

CROUT has Configurable Feedback Reaction Time

CROUT added Input and Output Status


What Instruction(s) Would be Used for Single Channel Safety Circuits/Loops ?


What Instructions Would be Used for Single Channel Safety Circuits/Loops ?

Digital / Boolean

XIC

OTE

Note even these instructions have been certified by the TUV

That is why they have the red triangle

That is why they are available in the safety task

Analog / Compare

LES

GRT


Agenda

Diagnostics




Safety Task



How to Configure Safety Input Channels

Channel Configuration / Single or Equivalent ?


Where to Detect Discrepancy Faults

chA

chB

LO

LO

HI

HI

Software Detection

Hardware

Detection

Ch B

Ch A

Discrepancy

Time

Tolerance

Discrepancy

Time


Safety Input Configuration

Safety Inputs can be configured for Single (Software discrepancy detection)

Dual (Hardware discrepancy detection)

Equivalent

Complementary


What Module Sends if Single

If channels 2 and 3 are diverse Actual data sent to controller

Diversity detected in controller software


What Module Sends if Dual/Equivalent

Even if channels 2 and 3 are

diverse

Equivalent data sent to controller

Diversity masked from controller


Most Customers do BOTH; DCS and Equivalent

If channels 0 and 1 are configured for equivalent

Actual channel data sent to controller / DCS

NO fault in module input tags

NO fault on DCS instruction

All channel status are HI (good)

No fault


When Discrepancy Fault Occurs (Equivalent)

If channels 0 and 1 are configured for equivalent 0/0 data sent to controller / DCS

Channel status are LO (faulted)

FP on DCS instruction

Fault Present

Discrepancy causesChannels to fault


When Discrepancy Fault Occurs (Single)

If channels 0 and 1 are configured for single 0/1 data sent to controller / DCS

Channel status are HI (no faults)

FP on DCS instruction

Fault Present

No channel faults


Software Based Discrepancy Detection


Hardware Based Discrepancy Detection

Code 02:Pulse Test Fault


Agenda

Diagnostics




Safety Task




Safety systems need to help protect against Offline edits to the safety program

Online changes to the safety program

Parameter changes from HMIs

Program downloads that overwrite the safety program

Malicious?

Inadvertent?



GuardLogix® uses signature and lock

Offline edits to the safety program

Safety Signature or Safety Lock

Online changes to the safety program

Safety Signature or Safety Lock

Parameter changes from HMIs

Safety Signature

Program downloads that overwrite the safety program

Safety Lock


Safety Signature With a signature in place

Offline edits cannot be made to the safety task

Online changes cannot be made to the safety task

Forcing of safety I/O is prohibited

External devices, such as HMIs or the standard portion of cGLX, are prohibited from writing into safety memory on the cGLX controller

Background memory check between the primary and partner is begun

SAFETY RUN status indicator on Partner goes solid green

Note the partner always runs the safety task, even without a signature


What Prevents Inadvertently Downloading a

Project with a Different Safety Task?

Safety Lock

www.rockwellautomationteched.com

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.

PUBLIC INFORMATION

Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Questions?

Technology

SF01 - Advanced Programming Techniques for Safety Applications