Allen-Bradley 1756-L7 Series Reference guide

Using ControlLogix in SIL 2 Applications
Catalog Numbers 1756-L6x, 1756-L7x
Safety Reference Manual
Allen-Bradley Motors
Important User Information
Solid-state equipment has operational characteristics differing from those of electromechanical equipment. Safety
Guidelines for the Application, Installation and Maintenance of Solid State Controls (publication SGI-1.1, available from
your local Rockwell Automation® sales office or online at http://www.rockwellautomation.com/literature/) describes some
important differences between solid-state equipment and hard-wired electromechanical devices. Because of this difference,
and also because of the wide variety of uses for solid-state equipment, all persons responsible for applying this equipment
must satisfy themselves that each intended application of this equipment is acceptable.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the
use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or
liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or
software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation,
Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
Allen-Bradley, Rockwell Software, Rockwell Automation, TechConnect, ControlLogix, ControlLogix-XT, GuardLogix, FLEX, RSLogix, Logix5000, RSNetWorx, FactoryTalk, Data Highway Plus, and SynchLink are
trademarks of Rockwell Automation, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.
IMPORTANT
Identifies information that is critical for successful application and understanding of the product.
Rockwell Automation Publication 1756-RM001I-EN-P - May 2012 3
Summary of Changes
This manual has been extensively revised since the previous revision, including
updates to terminology and organization. Throughout this manual revision
change bars, as shown to the right of this paragraph, mark changes.
New and Updated Information
This table lists the major changes made with this revision.
Change | Page
All references to Probability of Failure per Hour (PFH) have been removed | —
Information from FLEX I/O System With ControlLogix for SIL 2 Reference Manual, publication 1794-RM001 has been added to this publication | —
Added to and updated the list of terms | 9
For EN 50156, added a reference to the GuardLogix™ Controller Systems Safety Reference Manual | 14
Updated Figure 2 - Typical ControlLogix SIL 2 Systems | 14
Added EtherNet/IP system configuration examples | 16
Added Figure 5 - Fail-safe ControlLogix Configuration with FLEX I/O Modules | 17
Moved self-test information from an appendix to Chapter 1 | 20
For a detailed listing of product certifications, go to our website at http://www.rockwellautomation.com/products/certification | —
Combined the controller chapter with the chassis and power supplies chapter | Chapter 3
Moved information on operating modes and keyswitch positions to the controller chapter | 31
Updated information on ControlLogix® power supplies | 33…34
Added more information on verifying the correct reception of data | 38
Combined the chapters on general requirements for software applications and requirements for application development into one chapter and placed it ahead of the chapter on faults | Chapter 7
Added a chapter on wiring FLEX™ I/O modules | Chapter 8
Structured text and sequential function chart are not recommended for safety-related functions | 78
Updated information on security, including information on read-only and constant value tags | 79
Updated and consolidated information on forcing | 82
Updated and consolidated information on validation | 83
Moved module fault reporting information to the chapter on faults | Chapter 8
Created a section on detecting and reacting to faults to consolidate information from other chapters | 87
Updated information on using the analog input module’s high alarm bit | 89
Updated information on reading parameters via an HMI | 91
Added information on the restrictions and requirements for changing parameters via an HMI | 92
Updated reaction time example calculations | Appendix A
Updated and moved the list of SIL 2 certified components. This list now includes FLEX I/O modules | Appendix B
Updated publication links in the components appendix | Appendix B
Updated Probability of Failure on Demand (PFD) calculations, including data for 1794 FLEX I/O modules, are now in the appendix. | Appendix C
All checklists are now in an appendix | Appendix D
Table of Contents
Preface
Terminology
Additional Resources
Chapter 1 - SIL Policy
Introduction to Safety Integrity Level (SIL)
Programming and Debugging Tool (PADT)
About the ControlLogix System
Gas and Fire Considerations
Boiler and Combustion Considerations
SIL Compliance Distribution and Weight
Typical SIL 2 Configurations
Simplex Configuration
Duplex Logic Solver Configurations
Duplex (fault-tolerant) System Configuration
Proof Tests
Proof Testing with Redundancy Systems
Reaction Times
Reaction Times in Redundancy Systems
Safety Watchdog
Safety Certifications and Compliances
Chapter 2 - Features of the ControlLogix SIL 2 System
Module Fault Reporting
Data Echo Communication Check
Pulse Test
Software
Communication
Communication Ports
ControlNet Network
EtherNet/IP Network
Electronic Keying of Modules in SIL 2 Applications
Chapter 3 - ControlLogix Controllers, Chassis, and Power Supplies
ControlLogix Controllers
Operating Modes
Requirements for Use
ControlLogix Chassis
ControlLogix Power Supplies
Redundant Power Supplies
Recommendations for Using Power Supplies
Chapter 4 - ControlLogix Communication Modules
Introduction to Communication Modules
ControlNet Modules and Components
ControlNet Cabling
ControlNet Repeater
ControlNet Module Diagnostic Coverage
EtherNet/IP Communication Modules
DeviceNet Scanner Module
Data Highway Plus - Remote I/O Module (1756-DHRIO)
SynchLink Module
General Requirements for Communication Networks
Peer-to-Peer Communication Requirements
Additional Resources
Chapter 5 - ControlLogix I/O Modules
Overview of ControlLogix I/O Modules
Using 1756 Digital Input Modules
Requirements When Using Any ControlLogix Digital Input Module
Wiring ControlLogix Digital Input Modules
Using 1756 Digital Output Modules
Requirements When Using ControlLogix Digital Output Modules
Wiring ControlLogix Digital Output Modules
Using Analog Input Modules
Conduct Proof Tests
Calibrate Inputs
Use the Floating Point Data Format
Program to Respond to Faults Appropriately
Program to Compare Analog Input Data
Configure Modules
Specify the Same Controller as the Owner
Wiring ControlLogix Analog Input Modules
Using HART Analog Input Modules
Wiring the HART Analog Input Modules
Using Analog Output Modules
Considerations for Using Analog Output Modules
Wiring ControlLogix Analog Output Modules
Using HART Analog Output Modules
Wiring the HART Analog Output Modules
Chapter 6 - FLEX I/O Modules
Overview of FLEX I/O Modules
Using 1794 Digital Input Modules
Requirements When Using FLEX I/O Digital Input Modules
Wiring FLEX I/O Digital Input Modules
Using FLEX I/O Digital Output Module
Requirements When Using FLEX I/O Digital Output Modules
Wiring FLEX I/O Digital Output Modules
Using Analog Input Modules
Requirements When Using FLEX I/O Analog Input Modules
Wiring FLEX I/O Analog Input Modules
Using Analog Output Modules
Requirements When Using FLEX I/O Analog Output Modules
Wiring FLEX I/O Analog Output Modules
Chapter 7 - Requirements for Application Development
Software for SIL 2-Related Systems
SIL 2 Programming
Programming Languages
Programming Options
Security
Basics of Application Program Development and Testing
Functional Specification Guidelines
Sensors (digital or analog)
Actuators
Creating the Application Program
Logic and Instructions
Program Language
Program Identification
SIL Task/Program Instructions
Forcing
Checking the Application Program
Verify Download and Operation
Commissioning Life Cycle
Changing Your Application Program
Chapter 8 - Faults in the ControlLogix System
Detecting and Reacting to Faults
Module Fault Reporting for Any ControlLogix or FLEX I/O Module
Checking Keyswitch Position with GSV Instruction
Examining an 1756 Analog Input Module’s High Alarm
Additional Resources
Chapter 9 - Use of Human-to-Machine Interfaces
Precautions
Accessing Safety-related Systems
Reading Parameters in Safety-related Systems
Changing Safety-related Parameters in SIL-rated Systems
Appendix A - Reaction Times of the ControlLogix System
Local Chassis Configuration
Remote Chassis Configuration
Calculating Worst-case Reaction Time
For Digital Modules
For Analog Modules
Appendix B - SIL 2-certified ControlLogix System Components
Appendix C - PFD Calculations for a SIL 2 System
About Probability of Failure on Demand (PFD) Calculations
About the Calculations in This Manual
Determine Which PFD Values To Use
1-Year PFD Calculations
2-Year PFD Calculations
5-year PFD Calculations
Using Component Values To Calculate System PFD
Example: 1-year PFD Calculation for a ControlLogix System
Appendix D - Checklists
Checklist for the ControlLogix System
Checklist for SIL Inputs
Checklist for SIL Outputs
Checklist for the Creation of an Application Program
Index
Preface
This safety reference manual is intended to do the following:
• Describe the ControlLogix Control System components available from
Rockwell Automation that are suitable for use in low-demand,
safety-related control, up to and including SIL 2 applications
• Provide safety-related information specific to the use of ControlLogix
modules in SIL 2 systems - including PFD calculations that need to be
considered for SIL 2-certified systems
• Explain some possible SIL 2-certified system configurations
• Describe basic programming techniques for the implementation of
ControlLogix SIL 2-certified systems with references and links to
more-detailed programming and implementation techniques
Terminology
This table defines abbreviations used in this manual.
IMPORTANT
This manual describes typical SIL 2 implementations using certified
ControlLogix equipment. Keep in mind that the descriptions presented in this
manual do not preclude other methods of implementing a SIL 2-compliant
system by using ControlLogix equipment.
Other methods should be reviewed and approved by a recognized certifying
body, such as TÜV Rheinland Group.
Table 1 - Abbreviations Used throughout This Reference Manual
Abbreviation | Full Term | Definition
CIP | Common Industrial Protocol | An industrial communication protocol used by Logix5000™-based automation systems on Ethernet, ControlNet, and DeviceNet communication networks.
CL | Claim Limit | The maximum level that can be achieved.
DC | Diagnostic Coverage | The ratio of the detected failure rate to the total failure rate.
EN | European Norm | The official European Standard.
GSV | Get System Value | A ladder logic instruction that retrieves specified controller information and places it in a destination tag.
MTBF | Mean Time Between Failures | Average time between failure occurrences.
MTTR | Mean Time to Restoration | Average time needed to restore normal operation after a failure has occurred.
PADT | Programming and Debugging Tool | RSLogix™ 5000 software is used to program and debug a SIL 2-certified ControlLogix application.
PC | Personal Computer | Computer used to interface with, and control, a ControlLogix system via RSLogix 5000 programming software.
PFD | Probability of Failure on Demand | The average probability of a system to fail to perform its design function on demand.
PFH | Probability of Failure per Hour | The probability of a system to have a dangerous failure occur per hour.
SIL | Safety Integrity Level | A discrete level for specifying the safety integrity requirements of the safety functions allocated to the electrical/electronic/programmable electronic (E/E/PE) part of the safety system.
Additional Resources
These resources contain more information related to the ControlLogix system.
In addition to the manuals listed, you may want to reference installation
instructions listed in Appendix B.
You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of
technical documentation, contact your local Allen-Bradley® distributor or
Rockwell Automation sales representative.
Resource | Description
ControlLogix SIL 2 System Configuration Using RSLogix 5000 Subroutines, publication 1756-AT010 | Explains how to configure a SIL 2-certified system by using subroutines provided by Rockwell Automation.
ControlLogix SIL 2 System Configuration Using RSLogix 5000 Subroutines, publication 1756-AT012 | Explains how to configure a SIL 2-certified system by using Add-On Instructions provided by Rockwell Automation.
Logix5000 Controllers General Instruction Set Reference Manual, publication 1756-RM003 | Contains descriptions and use considerations of general instructions available for Logix5000 controllers.
ControlLogix System User Manual, publication 1756-UM001 | Explains how to use the ControlLogix controllers.
ControlLogix Standard Redundancy System User Manual, publication 1756-UM523 | Explains how to install, configure, and use a standard redundancy system.
ControlLogix Enhanced Redundancy System User Manual, publication 1756-UM535 | Explains how to install, configure, and use an enhanced redundancy system.
ControlLogix Digital I/O User Manual, publication 1756-UM058 | Provides information about the use of ControlLogix digital I/O modules.
ControlLogix Analog I/O Modules User Manual, publication 1756-UM009 | Provides information about the use of ControlLogix analog I/O modules.
Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087 | Provides estimated execution times that can be used in worst-case scenario calculations.
Logix5000 Controllers Common Procedures Programming Manual, publication 1756-PM001 | Explains a variety of programming-related topics.
Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1 | Provides general guidelines for installing a Rockwell Automation industrial system.
Product Certifications website, http://www.ab.com | Provides declarations of conformity, certificates, and other certification details.
Chapter 1
SIL Policy
Introduction to Safety Integrity Level (SIL)
Certain catalog numbers of the ControlLogix system (listed in Appendix B) are
type-approved and certified for use in SIL 2 applications according to these
standards:
• IEC 61508
• IEC 61511
Approval requirements are based on the standards current at the time of
certification.
These requirements consist of mean time between failures (MTBF), probability
of failure, failure rates, diagnostic coverage and safe failure fractions that fulfill
SIL 2 criteria. The results make the ControlLogix system suitable up to and
including SIL 2.
The TÜV Rheinland Group has approved the ControlLogix system for use in up
to, and including, SIL 2 safety-related applications in which the de-energized
state is typically considered to be the safe state. All of the examples related to I/O
included in this manual are based on achieving de-energization as the safe state
for typical Emergency Shutdown (ESD) Systems.
Topic
• Introduction to Safety Integrity Level (SIL)
• SIL Compliance Distribution and Weight
• Typical SIL 2 Configurations
• Proof Tests
• Reaction Times
• Reaction Times in Redundancy Systems
• Safety Watchdog
• Safety Certifications and Compliances
Programming and Debugging Tool (PADT)
For support in creation of programs, the PADT (Programming and Debugging
Tool) is required. The PADT for ControlLogix is RSLogix 5000, per
IEC 61131-3, and this Safety Reference Manual.
For more information about programming a system by using pre-developed
subroutines or Add-On Instructions, see these publications:
• ControlLogix SIL 2 System Configuration Using RSLogix 5000
Subroutines, publication 1756-AT010
• ControlLogix SIL 2 System Configuration Using RSLogix 5000
Subroutines, publication 1756-AT012
About the ControlLogix System
The ControlLogix system is a modular programmable automation system with
the ability to pre-configure outputs and other responses to fault conditions. As
such, a system can be designed to meet requirements for ‘hold last state’ in the
event of a fault so that the system can be used in up to, and including, SIL 2-level
Gas and Fire and other applications that require that output signals to actuators
remain ON. By understanding the behavior of the ControlLogix system for an
emergency shutdown application, you can incorporate appropriate system design
measures to meet other application requirements. These measures relate to the
control of outputs and actuators which must remain ON to be in a safe state.
Other requirements for SIL 2 (inputs from sensors, software used, and so on)
must also be met.
Gas and Fire Considerations
Listed below are the measures and modifications related to the use of the
ControlLogix system in Gas and Fire applications.
• The use of a manual override is necessary to make sure the operator can
maintain the desired control in the event of a controller failure. This is
similar in concept to the function of the external relay or redundant
outputs required to make sure a de-energized state is achieved for an ESD
system should a failure occur (for example, a shorted output driver) that
would prevent this from normally occurring. The system knows it has a
failure, but the failure state requires an independent means to maintain
control and either remove power or provide an alternate path to maintain
power to the end actuator.
• If the application cannot tolerate an output that can fail shorted
(energized), then an external means such as a relay or other output must be
wired in series to remove power when the fail shorted condition occurs.
See Figure 1.
• If the application cannot tolerate an output that fails open (de-energized),
then an external means such as a manual override or output must be wired
in parallel. (Refer to Wiring ControlLogix Digital Output Modules on
page 44 for more information). The user must supply the alternative means
and develop the application program to initiate the alternate means of
removing or continuing to supply power in the event the main output fails.
• This manual override circuit is shown in Figure 1. It is composed of a
hard-wired set of contacts from a selector switch or push-button. One
normally-open contact provides for the bypass of power from the
controller output directly to the actuator. The other is a normally-closed
contact to remove or isolate the controller output.
• An application program needs to be generated to monitor the diagnostic
output modules for dangerous failures such as shorted or open-output
driver channels. Diagnostic output modules must be configured to hold
last state in the event of a fault.
• A diagnostic alarm must be generated to inform the operator that manual
control is required.
• The faulted module must be replaced within a reasonable time frame.
• Any time a fault is detected, the system must annunciate the fault to an
operator by some means (for example, an alarm light).
Figure 1 - Manual Override Circuit
(Diagram labels: L1, L2 or Ground, Actuator, Manual Override, Fault, Alarm to Operator)
Boiler and Combustion Considerations
If your SIL 2-certified ControlLogix system is used in combustion-related
applications, you are responsible for meeting National Fire Protection
Association (NFPA) standard NFPA 85 or NFPA 86. A few failures in
ControlLogix SIL2 may take up to eight hours to detect, therefore eight hours is
the worst case reaction time. You should also consider system reaction capability
as explained in Appendix A.
If your system must meet standard EN 50156, then you must also meet the
requirements identified in the current version of EN 50156. To use FLEX I/O or
1756-series I/O modules in SIL 2 EN50156 applications, you must use a
GuardLogix controller. Refer to the GuardLogix Safety Reference Manual,
publication 1756-RM093.
SIL Compliance Distribution and Weight
The programmable controller may conservatively be assumed to contribute 10%
of the reliability burden. A SIL 2 system may need to incorporate multiple inputs
for critical sensors and input devices, as well as dual outputs connected in series to
dual actuators dependent on SIL assessments for the safety-related system. See
Figure 2.
Figure 2 - Typical ControlLogix SIL 2 Systems
(Two diagrams. Labels: +V, Sensor, Input Module, Controller, Digital Output Module, Standard Output Module, Monitoring Input Module, Actuator. PFD allocation shown: sensors 40% of the PFD, controller 10% of the PFD, actuator 50% of the PFD.)
IMPORTANT
When using a GuardLogix controller with SIL 2-rated 1756 or 1794 I/O, you
must also follow the requirements defined in this manual.
Typical SIL 2 Configurations
SIL 2-certified ControlLogix systems can be used in standard (simplex) or
high-availability (duplex) configurations. For the purposes of documentation, the
various levels of availability that can be achieved by using various ControlLogix
system configurations are referred to as simplex or duplex.
This table lists each system configuration and the hardware that is part of the
system’s safety loop.
Follow these implementation guidelines:
• Communication modules are SIL 2-rated.
• CIP communication is SIL 2-rated.
• Two SIL 2 I/O modules are used.
• Application logic provides diagnostics.
• Two separate controller connections are used.
System Configuration: Safety Loop Includes
Simplex Configuration on page 16:
• Nonredundant controller
• Redundant communication modules
• Nonredundant remote I/O
Duplex Logic Solver Configurations on page 18:
• Redundant controllers
• Redundant communication modules
• Nonredundant remote I/O
Duplex (fault-tolerant) System Configuration on page 19:
• Redundant controllers
• Redundant communication modules
• Redundant remote I/O
• I/O termination boards
IMPORTANT
The system user is responsible for these tasks when any of the ControlLogix
SIL 2 system configurations are used:
• The set-up, SIL rating, and validation of any sensors or actuators
connected to the ControlLogix control system
• Project management and functional testing
• Programming the application software and the module configuration
according to the descriptions in this manual
The SIL 2 portion of the certified system excludes the development tools
and display/human machine interface (HMI) devices; these tools and
devices must not be part of the safety loop.
Simplex Configuration
In a simplex configuration, the hardware used in the safety loop is programmed to
fail to safe. The failure to safe is typically an emergency shutdown (ESD) where
outputs are de-energized.
Figure 3, Figure 4, and Figure 5 show a typical simplex SIL loop. The figures
show the following:
• Overall safety loop
• ControlLogix portion of the overall safety loop
Use two 1756-EN2TR EtherNet/IP modules for SIL 2 safety loops. Each
redundant input must be routed through separate EtherNet/IP communication
modules. The SIL 2 output and its secondary shutoff must be routed through the
separate 1756-EN2TR EtherNet/IP modules.
SIL 2 I/O modules in the safety loop must meet the requirements specified in
Chapter 5, ControlLogix I/O Modules.
Figure 3 - Fail-safe ControlLogix Ethernet/IP DLR Configuration
[Figure 3 diagram labels: Overall Safety Loop, SIL 2-certified ControlLogix Safety Loop, Sensor, Actuator, Controller Chassis, Remote I/O Chassis (two), I/O, EtherNet/IP, 1756-EN2TR, 1756-EN2T, Standard Communication.]
Figure 4 - Fail-safe ControlLogix ControlNet Configuration
[Figure 4 diagram labels: Overall Safety Loop, SIL 2-certified ControlLogix Safety Loop, SIL 2-certified ControlLogix components’ portion of the overall safety loop, Sensor, Actuator, Controller Chassis, Remote I/O Chassis (two), I/O, ControlNet, 1756-CNBR, Standard Communication, Plant-wide Ethernet/Serial.]
Figure 4 callouts:
• Programming Software: For SIL applications, a programming terminal is not normally connected.
• HMI: For Diagnostics and Visualization (read-only access to controllers in the safety loop).
• To other safety related ControlLogix or FLEX I/O remote I/O chassis.
Figure 5 - Fail-safe ControlLogix Configuration with FLEX I/O Modules
[Figure 5 diagram labels: Overall Safety Loop, Actuator (two), Input Device (two), 1794 FLEX I/O, DI1, DI2, DO1, DO2, I/O, +V, ControlNet, 1756-CNBR, 1756-ENBT. To other safety related ControlLogix or FLEX I/O remote I/O chassis.]
Note 1: Multiple 1756-CNB or -CNBR modules can be installed into the chassis as needed. Other configurations are possible as long as they are SIL 2 approved.
Note 2: Two adapters are required for meeting SIL 2 as shown in the figure. The adapters can be either ControlNet or Ethernet and must be from the list of approved products.
Duplex Logic Solver Configurations
In duplex configurations, redundant system components are used to increase the
availability of the control system. The modules in the redundant controller
chassis include redundancy modules and network communication modules for
redundant communication, as well as the ControlLogix controllers.
SIL 2 I/O modules in the safety loop must meet the requirements specified in
Chapter 5, ControlLogix I/O Modules.
Figure 6 - Typical SIL Loop with Controller Chassis Redundancy
[Figure 6 diagram labels: Overall Safety Loop, SIL 2-certified ControlLogix components’ portion of the overall safety loop, Sensor, Actuator, Primary Chassis, Secondary Chassis, Remote I/O Chassis, I/O, ControlNet, Plant-wide Ethernet/Serial, 1756-EN2T, 1756-CN2, 1756-RM.]
Figure 6 callouts:
• Programming Software: For SIL applications, a programming terminal is not normally connected.
• HMI: For Diagnostics and Visualization (read-only access to controllers in the safety loop).
• IMPORTANT: You can also access a remote I/O chassis via an EtherNet/IP network if you use ControlLogix Enhanced Redundancy System, Revision 19.52 or later.
• To nonsafety-related systems outside the ControlLogix portion of the SIL 2-certified loop.
• To other safety related ControlLogix and remote I/O chassis.
IMPORTANT
The redundant (duplex) ControlLogix system in Figure 6 is fault-tolerant for
the devices in the primary/secondary controller chassis.
Figure 6 shows a typical duplex SIL loop. The figure also shows the following:
• Overall safety loop
• ControlLogix portion of the overall safety loop
• How other devices (for example, HMI) connect to the loop, while
operating outside the loop
Duplex (fault-tolerant) System Configuration
This configuration of the ControlLogix system uses fully-redundant controllers,
communication modules, and remote I/O devices to achieve enhanced
availability.
Figure 7 - Duplex System EtherNet/IP Configuration
[Figure 7 diagram labels: SIL 2-certified ControlLogix Safety Loop, ControlLogix Chassis, Secondary Chassis, EtherNet/IP, I/O Chassis A, I/O Chassis B (each with DC input, analog input, and DC output modules), Analog Input Termination Board, Digital Input Termination Board, Digital Output Termination Board, Field Device (three).]
Figure 8 - Duplex System ControlNet Configuration
[Figure 8 diagram labels: SIL 2-certified ControlLogix Safety Loop, Primary Chassis, Secondary Chassis, ControlNet, I/O Chassis A, I/O Chassis B (each with DC input, analog input, and DC output modules), Analog Input Termination Board, Digital Input Termination Board, Digital Output Termination Board, Field Device (three).]
The duplex system configuration uses safety and programming principles
described in this manual, as well as programming and hardware described in the
application technique manuals.
For more information about the ControlLogix SIL 2-certified fault-tolerant
system, see the application technique manual that corresponds with your
application.
If using: SIL 2 Fault-tolerant I/O subroutines (available for use with RSLogix 5000 software, version 15 and later)
Then reference this manual: ControlLogix SIL 2 System Configuration Using RSLogix 5000 Subroutines, publication 1756-AT010
If using: SIL 2 Fault-tolerant I/O Add-On Instructions (available for use with RSLogix 5000 software, version 16 and later)
Then reference this manual: ControlLogix SIL 2 System Configuration Using RSLogix 5000 Subroutines, publication 1756-AT012
Proof Tests
IEC 61508 requires the user to perform various proof tests of the equipment used
in the system. Proof tests are performed at user-defined times (for example, proof
test intervals can be once a year, once every two years or whatever time frame is
appropriate based on the SIL verification calculation) and could include some of
the following tests:
• Test all safety application fault routines to verify that process parameters
are monitored properly and the system reacts properly when a fault
condition arises.