Page 1
Safety Reference Manual Original Instructions GuardLogix Controller Systems Catalog Numbers 1756-L61S, 1756-L62S, 1756-L63S, 1768-L43S,1768-L45S, RSLogix 5000 Version 20 and earlier...
Page 2
Important User Information Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
Preface Topic Page Summary of Changes Understanding Terminology Additional Resources Summary of Changes This publication contains new and updated information as indicated in the following table. Topic Page Updated the definition of Safety Partner. Removed 5570 controllers, which are covered by the GuardLogix 5570 and Compact Throughout GuardLogix 5370 Controller Systems Safety Reference Manual, publication 1756-RM099.
Preface Table 1 - Terms and Definitions (continued) Abbreviation Full Term Definition Get System Value A ladder logic instruction that retrieves specified controller status information and places it in a destination tag. Personal Computer Computer used to interface with, and control, a Logix-based system via RSLogix 5000® programming software.
Page 9
Provides declarations of conformity, certificates, and other certification details global/certification/overview.page You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative. Rockwell Automation Publication 1756-RM093J-EN-P - April 2018...
Chapter Safety Integrity Level (SIL) Concept Topic Page SIL 3 Certification Functional Verification Tests GuardLogix Architecture for SIL 3 Applications GuardLogix System Components GuardLogix Certifications GuardLogix PFD and PFH Specifications Safety Integrity Level (SIL) Compliance Distribution and Weight System Reaction Time Safety Task Period and Safety Task Watchdog Contact Information if Device Failure Occurs SIL 3 Certification...
Chapter 1 Safety Integrity Level (SIL) Concept The TÜV Rheinland has approved GuardLogix controller systems for use in safety-related applications up to SIL CL 3, in which the de-energized state is considered to be the safe state. All of the examples related to I/O included in this manual are based on achieving de-energization as the safe state for typical Machine Safety and Emergency Shutdown (ESD) Systems.
Safety Integrity Level (SIL) Concept Chapter 1 GuardLogix Architecture for The following illustration shows a typical SIL function, including: • the overall safety function. SIL 3 Applications • the GuardLogix portion of the overall safety function. • how other devices (for example, HMI) are connected, while operating outside the function.
Chapter 1 Safety Integrity Level (SIL) Concept Table 4 - Components Suitable for Use With 1768 Compact GuardLogix Controller Safety Systems Related Documentation Installation User Manual Device Type Cat. No. Description Series Revision Instructions 1768-PA3 Power supply, AC Power supply 1768-IN001 1768-PB3 Power supply, DC...
Safety Integrity Level (SIL) Concept Chapter 1 PFD and PFH values are associated with each of the three primary elements making up a safety-related system (the sensors, the logic element, and the actuators). Within the logic element you also have input, processor, and output elements.
Chapter 1 Safety Integrity Level (SIL) Concept Figure 3 - Reliability Burden 10% of the PFD Sensor 40% of the Actuator Controller Output Input Module Module Sensor Actuator 50% of the PFD The system reaction time is the amount of time from a safety-related event as an System Reaction Time input to the system until the system sets corresponding outputs to their safe state.
Safety Integrity Level (SIL) Concept Chapter 1 Safety Task Period and Safety Task Watchdog The safety task period is the interval at which the safety task executes. The safety task watchdog time is the maximum permissible time for safety task processing.
Chapter GuardLogix Controller System Topic Page 1756 GuardLogix Controller Hardware 1768 Compact GuardLogix Controller Hardware CIP Safety Protocol Safety I/O Communication Bridges Programming Overview For a brief listing of components suitable for use in Safety Integrity Level (SIL) 3 applications, see the table on page 14. For more detailed and up-to-date information see http://www.rockwellautomation.com/products/certification/ safety/.
Chapter 2 GuardLogix Controller System Primary Controller The primary controller is the processor that performs standard and safety control functions and communicates with the safety partner for safety-related functions in the GuardLogix control system. The primary controller consists of a central processor, I/O interface, and memory.
GuardLogix Controller System Chapter 2 1768 Compact GuardLogix The 1768 Compact GuardLogix controllers combine the primary and safety partner controllers in a single controller hardware package to form a SIL 3 Controller Hardware capable controller. Compact GuardLogix controllers feature a 1768 backplane and a 1769 backplane to support standard 1769 I/O modules.
Chapter 2 GuardLogix Controller System Communication Bridges Table 7 lists the communication interface modules available to facilitate communication over EtherNet/IP™, DeviceNet, and ControlNet networks via the CIP Safety protocol. Table 7 - Communication Interface Modules by System GuardLogix System Communication Modules 1756 •...
Page 25
GuardLogix Controller System Chapter 2 DeviceNet Safety Network DeviceNet bridge modules let the 1756 GuardLogix controller control and exchange safety data with CIP Safety I/O modules on a DeviceNet network. Figure 5 - Communication via a DeviceNet Bridge Module CIP Safety I/O Module DeviceNet Network CIP Safety I/O Module...
Chapter 2 GuardLogix Controller System Programming Overview The programming software for the GuardLogix controller is RSLogix 5000® software. RSLogix 5000 software is used to define the location, ownership, and configuration of I/O modules and controllers. The software is also used to create, test, and debug application logic.
Chapter CIP Safety I/O for the GuardLogix Control System Topic Page Overview Typical Safety Functions of CIP Safety I/O Modules Reaction Time Safety Considerations for CIP Safety I/O Modules Overview Before operating a GuardLogix® safety system containing CIP Safety I/O modules, you must read, understand, and follow the installation, operation, and safety information provided in the publications listed in the SIL 3-certified...
Chapter 3 CIP Safety I/O for the GuardLogix Control System Diagnostics CIP Safety I/O modules perform self-diagnostics when the power is turned ON and periodically during operation. If a diagnostic failure is detected, safety input data (to the controller) and local safety outputs are set to their safe state (OFF). Status Data In addition to safety input and output data, CIP Safety I/O modules support status data to monitor module and I/O circuit health.
CIP Safety I/O for the GuardLogix Control System Chapter 3 Safety Considerations for CIP You must commission all devices with a node or IP address and communication rate, if necessary, before their installation on a safety network. Safety I/O Modules Ownership Each CIP Safety I/O module in a GuardLogix system is owned by one GuardLogix controller.
Page 30
Chapter 3 CIP Safety I/O for the GuardLogix Control System Two options for I/O module replacement are available on the Safety tab of the Controller Properties dialog box in RSLogix 5000 software: • Configure Only When No Safety Signature Exists •...
Page 31
CIP Safety I/O for the GuardLogix Control System Chapter 3 To set the proper SNN when a safety signature exists, a manual action (typically SET), is required to download the proper SNN, after which the remainder of the configuration is automatically downloaded. Configure Always The GuardLogix controller will always attempt to automatically configure a replacement CIP Safety I/O module if the module is in an out-of-box condition,...
Page 32
Chapter 3 CIP Safety I/O for the GuardLogix Control System Notes: Rockwell Automation Publication 1756-RM093J-EN-P - April 2018...
Chapter CIP Safety and the Safety Network Number Topic Page Routable CIP Safety Control System Considerations for Assigning the Safety Network Number (SNN) Routable CIP Safety Control To understand the safety requirements of a CIP Safety control system, including the safety network number (SNN), you must first understand how System communication is routable in CIP control systems.
Chapter 4 CIP Safety and the Safety Network Number Unique Node Reference The CIP Safety protocol is an end-node to end-node safety protocol. The CIP Safety protocol allows the routing of CIP Safety messages to and from CIP Safety devices through non-certified bridges, switches, and routers. To prevent errors in non-certified bridges, switches, or routers from becoming dangerous, each end node within a routable CIP Safety control system must have a unique node reference.
CIP Safety and the Safety Network Number Chapter 4 based format is selected, the SNN represents a localized date and time. When the manual format is selected, the SNN represents a network type and a decimal value from 1…9999. Figure 10 - SNN Formats The assignment of a time-based SNN is automatic when creating a new GuardLogix safety controller project and adding new Safety I/O modules.
Chapter 4 CIP Safety and the Safety Network Number Safety Network Number (SNN) for Out-of-box Modules Out-of-box CIP Safety I/O modules do not have an SNN. The SNN is set when a configuration is sent to the module by the GuardLogix® controller that owns the module.
Chapter Characteristics of Safety Tags, the Safety Task, and Safety Programs Topic Page Differentiate Between Standard and Safety SIL 2 Safety Applications SIL 3 Safety–the Safety Task Use of Human-to-machine Interfaces Safety Programs Safety Routines Safety Tags Additional Resources Because it is a Logix-series controller, both standard (non-safety-related) and Differentiate Between safety-related components can be used in the GuardLogix®...
Chapter 5 Characteristics of Safety Tags, the Safety Task, and Safety Programs SIL 2 Safety Applications You can perform SIL 2 safety control by using the 1756 or 1768 GuardLogix controller’s safety task. Because 1756 GuardLogix controllers are part of the ControlLogix series of processors, you can perform SIL 2 safety control with a 1756 GuardLogix controller by using standard tasks or the safety task.
Page 39
Characteristics of Safety Tags, the Safety Task, and Safety Programs Chapter 5 For SIL 2-only safety, a safety task signature is not required. However, if any SIL 3 safety functions are used within the safety task, a safety task signature is required.
Page 40
Chapter 5 Characteristics of Safety Tags, the Safety Task, and Safety Programs For Cat 1, Cat 2, and SIL 2 safety functions, the Guard I/O safety modules need specific configurations within the GuardLogix project. In this example, inputs 0, 1, 6, 7, 8, 9, 10, and 11 are part of a CAT 1, 2 or SIL 2 safety function, because they are configured as Single.
Characteristics of Safety Tags, the Safety Task, and Safety Programs Chapter 5 SIL 2 Safety Control in Standard Tasks (1756 GuardLogix controllers only) Because of the quality and amount of diagnostics built into the 1756 ControlLogix series of controllers, you can perform SIL 2 safety functions from within standard tasks.
Page 42
Chapter 5 Characteristics of Safety Tags, the Safety Task, and Safety Programs The safety task period is limited to a maximum of 500 ms and cannot be modified online. Make sure that the safety task has enough time to finish before it is triggered again.
Characteristics of Safety Tags, the Safety Task, and Safety Programs Chapter 5 Safety Task Execution Details The safety task executes in the same manner as standard periodic tasks, with the following exceptions: • The safety task does not begin executing until the primary controller and safety partner have established their control partnership and the coordinated system time (CST) is synchronized.
Chapter 5 Characteristics of Safety Tags, the Safety Task, and Safety Programs • The safety task responds to mode changes (for example, Run to Program or Program to Run) at timed intervals. As a result, the safety task may take more than one task period, but always less than two, to make a mode transition.
Characteristics of Safety Tags, the Safety Task, and Safety Programs Chapter 5 Accessing Safety-related Systems HMI- related functions consist of two primary activities: reading and writing data. Reading Parameters in Safety-related Systems Reading data is unrestricted because reading doesn’t affect the behavior of the safety system.
Chapter 5 Characteristics of Safety Tags, the Safety Task, and Safety Programs • Sufficiently document all safety-related changes made via the HMI, including the following: – Authorization – Impact analysis – Execution – Test information – Revision information • Changes to the safety-related system must comply with IEC 61511 standard on process safety, section 11.7.1 Operator Interface requirements.
Characteristics of Safety Tags, the Safety Task, and Safety Programs Chapter 5 Safety Tags The GuardLogix control system supports the use of both standard and safety tags in the same project. However, the programming software operationally differentiates standard tags from safety tags. Safety tags have all the attributes of standard tags with the addition of mechanisms to provide SIL 3 data integrity.
Chapter 5 Characteristics of Safety Tags, the Safety Task, and Safety Programs Tags classified as safety tags are either controller-scoped or program-scoped. Controller-scoped safety tags can be read by either standard or safety logic or other communication devices, but can only be written to by safety logic or another GuardLogix safety controller.
Characteristics of Safety Tags, the Safety Task, and Safety Programs Chapter 5 Additional Resources These documents contain addition information about GuardLogix controllers. Resource Description Logix5000 Controllers Design Considerations Reference Provides information on managing tasks and the effects Manual, publication 1756-RM094 of task execution and timing on user data GuardLogix Controllers User Manual, publication 1756-...
Page 50
Chapter 5 Characteristics of Safety Tags, the Safety Task, and Safety Programs Notes: Rockwell Automation Publication 1756-RM093J-EN-P - April 2018...
Chapter Safety Application Development Topic Page Safety Concept Assumptions Basics of Application Development and Testing Commissioning Life Cycle Downloading the Safety Application Program Uploading the Safety Application Program Online Editing Storing and Loading a Project from Nonvolatile Memory Force Data Inhibit a Module Editing Your Safety Application Safety Concept Assumptions...
Chapter 6 Safety Application Development Table 9 - Controller Modes Controller Safety Task Status Safety Comments Mode (up to and including) (A valid program has been downloaded to the controller.) Program Unlocked • I/O connections established No signature • Safety Task logic is not being scanned. Unlocked (Development purposes •...
Safety Application Development Chapter 6 The flowchart below shows the steps required for commissioning a GuardLogix® Commissioning Life Cycle system. The items in bold text are explained in the following sections. Figure 15 - Commission the System Specify the Control Function Create Project Create Project Online...
Chapter 6 Safety Application Development Specification of the Control Function You must create a specification for your control function. Use this specification to verify that program logic correctly and fully addresses your application’s functional and safety control requirements. The specification may be presented in a variety of formats, depending on your application.
Safety Application Development Chapter 6 Create the Project The logic and instructions used in programming the application must be the following: • Easy to understand • Easy to trace • Easy to change • Easy to test All logic should be reviewed and tested. Keep safety-related logic and standard logic separate.
Chapter 6 Safety Application Development Once application program testing is complete, you must generate the safety task signature. The programming software automatically uploads the safety task signature after it is generated. To verify the integrity of every download, you must manually record the IMPORTANT safety task signature after initial creation and check the safety task signature after every download to make sure that it matches the original.
Safety Application Development Chapter 6 moved to another application, you must also perform start-up and functional verification testing on the controller in the context of its new application. Functional Verification Tests on page for more information. Confirm the Project You must print or view the project, and compare the uploaded safety I/O and controller configurations, safety data, and safety task program logic to make sure that the correct safety components were downloaded, tested, and retained in the safety application program.
Chapter 6 Safety Application Development 9. Use the RSLogix 5000 Program Compare utility to perform these comparisons: • Compare all of the properties of the GuardLogix controller and CIP Safety I/O modules. • Compare all of the properties of the safety task, safety programs and safety routines.
Safety Application Development Chapter 6 For information on using the safety-lock feature, refer to the GuardLogix Controllers User Manual, publication 1756-UM020, or the 1768 Compact GuardLogix Controllers User Manual, publication 1768-UM002. Downloading the Safety Upon download, application testing is required unless a safety task signature exists.
Chapter 6 Safety Application Development Storing and Loading a In revision 18 or later, GuardLogix controllers support firmware upgrades and user program storage and retrieval by using a memory card. In a 1756 Project from Nonvolatile GuardLogix system, only the primary controller uses a memory card for Memory nonvolatile memory.
Safety Application Development Chapter 6 3. Check Inhibit Connection and click Apply. The module is inhibited whenever the checkbox is checked. If a communication module is inhibited, all downstream modules are also inhibited. Editing Your Safety The following rules apply to changing your safety application in RSLogix 5000 software: Application •...
Chapter 6 Safety Application Development Performing Offline Edits When offline edits are made to only standard program elements, and the safety task signature matches following a download, you can resume operation. When offline edits affect the safety program, you must revalidate all affected elements of the application, as determined by the impact analysis, before resuming operation.
Page 63
Safety Application Development Chapter 6 Figure 16 - Online and Offline Edit Process Online Edit Offline Edit Open Project Attach to Controller Make Desired Any Safety Any Safety Modifications to Standard Changes? Changes? Logic Unlock the Controller Unlock the Controller Make Desired Delete Safety Modifications to Standard...
Page 64
Chapter 6 Safety Application Development Notes: Rockwell Automation Publication 1756-RM093J-EN-P - April 2018...
Chapter Monitor Status and Handle Faults Topic Page Monitoring System Status GuardLogix System Faults The GuardLogix® architecture provides you with many ways of detecting and reacting to faults in the system. The first way that you can handle faults is to make sure you have completed the checklists for your application (see Appendix Monitoring System Status...
Chapter 7 Monitor Status and Handle Faults The first two bits of the CONNECTION_STATUS data type contain a device’s RunMode and ConnectionFaulted status bits. The following table describes the combinations of the RunMode and ConnectionFaulted states. Table 10 - Safety Connection Status RunMode ConnectionFaulted Safety Connection Operation...
Monitor Status and Handle Faults Chapter 7 De-energize to Trip System GuardLogix controllers are part of a de-energize to trip system, which means that zero is the safe state. Some, but not all, safety module faults cause all module inputs or outputs to be set to zero (safe state). Faults associated to a specific input channel result in that specific channel being set to zero;...
Chapter 7 Monitor Status and Handle Faults GuardLogix System Faults Faults in the GuardLogix system fall into these three categories: • Nonrecoverable controller faults • Nonrecoverable safety faults • Recoverable faults For information on handling faults, refer to the GuardLogix Controllers User Manual, publication 1756-UM020, or the 1768 Compact GuardLogix Controllers User Manual, publication 1768-UM002.
Monitor Status and Handle Faults Chapter 7 Recoverable Faults Controller faults caused by user programming errors in a safety program trigger the controller to process the logic contained in the project’s safety program fault handler. The safety program fault handler provides the application with the opportunity to resolve the fault condition and then recover.
Page 70
Chapter 7 Monitor Status and Handle Faults Notes: Rockwell Automation Publication 1756-RM093J-EN-P - April 2018...
Appendix A Safety Instructions Table 12 - RSLogix 5000 Software, Version 17 and Later, Safety Application Instructions Mnemonic Name Purpose SMAT Safety Mat Indicates whether or not the safety mat is occupied. THRSe Two-Hand Run Station – Enhanced Monitors two diverse safety inputs, one from a right-hand push button and one from a left-hand push button, to control a single output.
Safety Instructions Appendix A Safety Instructions Routines in the safety task may use these ladder logic safety instructions. Table 13 - Ladder Logic Safety Instructions Type Mnemonic Name Purpose RSLogix 5000 Version Examine If Closed Enable outputs when a bit is set Examine If Open Enable outputs when a bit is cleared Output Energize...
Appendix A Safety Instructions Table 13 - Ladder Logic Safety Instructions Type Mnemonic Name Purpose RSLogix 5000 Version Add two values Subtract Subtract two values Multiply Multiply two values Divide Divide two values Math/ Compute Modulo Determine the remainder after one value is divided by a second value Square Root Calculate the square root of a value Negate...
Appendix Safety Add-On Instructions Topic Page Creating and Using a Safety Add-On Instruction Additional Resources With RSLogix 5000® software, version 18 and later, you can create safety Add- On Instructions. Safety Add-On Instructions let you encapsulate commonly- used safety logic into a single instruction, making it modular and easier to reuse. Safety Add-On Instructions use the instruction signature of high-integrity Add- On Instructions and also a SIL 3 safety instruction signature for use in safety- related functions up to and including SIL 3.
Page 76
Appendix B Safety Add-On Instructions Figure 18 - Flowchart for Creating and Using Safety Add-On Instructions To Use a Safety Add-On Instruction To Create a Safety Add-On Instruction To Modify a Safety Add- Create or Open a Project On Instruction Create Add-On Instruction Test Project (off-line) Import Safety Add-On Instruction...
Safety Add-On Instructions Appendix B Create Add-On Instruction Test Project You need to create a unique test project, specifically for creating and testing the safety Add-On Instruction. This must be a separate and dedicated project to minimize any unexpected influences. Follow the guidelines for projects described in Create the Project on page Create a Safety Add-On Instruction...
Appendix B Safety Add-On Instructions Download and Generate Safety Instruction Signature When a sealed safety Add-On Instruction is downloaded for the first time, a SIL 3 safety instruction signature is automatically generated. The safety instruction signature is an ID number that identifies the execution characteristics of the safety Add-On Instruction.
Safety Add-On Instructions Appendix B Create Signature History Entry The signature history provides a record for future reference. A signature history entry consists of the instruction signature, the name of the user, the timestamp value, and a user-defined description. Up to six history entries may be stored. You must be offline to create a signature history entry.
Appendix B Safety Add-On Instructions Project Verification Test Perform an engineering test of the application, including the safety system. Functional Verification Tests on page 12 Project Verification Test on page 56 for more information on requirements. Safety Validate Project An independent, third-party review of the safety system may be required before the system is approved for operation.
Appendix Reaction Times Topic Page System Reaction Time Logix System Reaction Time System Reaction Time To determine the system reaction time of any control chain, you must add up the reaction times of all of components of the safety chain. System Reaction Time = Sensor Reaction Time + Logix System Reaction Time + Actuator Reaction Time Figure 19 - System Reaction Time...
Reaction Times Appendix C Logic Chain Using Produced/Consumed Safety Tags Figure 21 - Logix System Reaction Time for Input to Controller A Logic to Controller B Logic to Output Chain 4. P/C Safety Connection Reaction Time Limit Ethernet Ethernet Ethernet Switch Network Network...
Appendix C Reaction Times Factors Affecting Logix The Logix Reaction Time components described in the previous sections can be influenced by a number of factors. Reaction-time Components Table 14 - Factors Affecting Logix System Reaction-time These reaction time components Are influenced by the following factors Input module delay Input module reaction time Each input channels On-Off and Off-On delay settings...
Reaction Times Appendix C 3. Adjust the input delay time as required for your application. Accessing Input and Output Safety Connection Reaction Time Limit The Connection Reaction Time Limit is defined by these three values: Value Description Requested Packet Interval (RPI) This is how often the input and output packets are placed on the wire (network).
Appendix C Reaction Times 3. Click Advanced to open the Advanced Connection Reaction Time Limit dialog box. Configuring the Safety Task Period and Watchdog The safety task is a periodic timed task. You select the task priority and watchdog time via the Task Properties - Safety Task dialog box in your RSLogix 5000® project.
Reaction Times Appendix C Accessing Produced/Consumed Tag Data To view or configure safety tag connection data, follow these steps. 1. In the configuration tree, right-click Controller Tags and choose Edit tags. 2. In the Tag Editor, right-click the name of the tag and choose Edit Properties.
Appendix C Reaction Times 5. Click Advanced to view or edit the current settings. Additional Resources Refer to these publications for more information. Also, consult the product documentation for your specific module for reaction times associated with CIP Safety I/O modules. Resource Description GuardLogix Controllers User Manual, publication...
Appendix Checklists for GuardLogix Safety Applications Topic Page Checklist for GuardLogix Controller System Checklist for Safety Inputs Checklist for Safety Outputs Checklist for Developing a Safety Application Program The checklists in this appendix are required for planning, programming, and startup of a SIL 3-certified GuardLogix® application. They may be used as planning guides as well as during functional verification testing.
Page 90
Appendix D Checklists for GuardLogix Safety Applications Checklist for GuardLogix Controller System Checklist for GuardLogix System Company Site Safety Function Definition Fulfilled Comment Number System Requirements Are you using only the components listed in SIL 3-certified GuardLogix Components on page and on the http://www.rockwellautomation.com/ products/certification/safety/...
Checklists for GuardLogix Safety Applications Appendix D Checklist for Safety Inputs For programming or startup, an individual checklist can be filled in for every single SIL input channel in a system. This is the only way to make sure that the requirements are fully and clearly implemented.
Appendix D Checklists for GuardLogix Safety Applications Checklist for Safety Outputs For programming or startup, an individual requirement checklist must be filled in for every single SIL output channel in a system. This is the only way to make sure that the requirements are fully and clearly implemented.
Checklists for GuardLogix Safety Applications Appendix D Checklist for Developing a Use the following checklist to help maintain safety when creating or modifying a safety application program. Safety Application Program Checklist for GuardLogix Application Program Development Company Site Project Definition Fulfilled Number Application Program Requirements...
Page 94
Appendix D Checklists for GuardLogix Safety Applications Notes: Rockwell Automation Publication 1756-RM093J-EN-P - April 2018...
Appendix GuardLogix Systems Safety Data Topic Page PFD Values PFH Values The following examples show probability of failure on demand (PFD) and probability of failure per hour (PFH) values for GuardLogix® 1oo2 SIL 3 systems. Mission time for GuardLogix controllers is 20 years. For safety data, including PFD and PFH values for Guard I/O™...
Appendix E GuardLogix Systems Safety Data PFH Values The data in Table 16 applies to proof test intervals up to and including 20 years. Table 16 - PFH Calculations Cat. No. Description PFH (1/Hour) 1756-L6xS and 1756-LSP GuardLogix controller 2.0E-10 1768-L43S and 1768-L45S Compact GuardLogix controller 2.0E-10...
Appendix RSLogix 5000 Software, Version 14 and Later, Safety Application Instructions Topic Page De-energize to Trip System Use Connection Status Data to Initiate a Fault Programmatically When using RSLogix 5000™ software, version 14 safety application instructions, De-energize to Trip System all inputs and outputs are set to zero when a fault is detected.
Appendix F RSLogix 5000 Software, Version 14 and Later, Safety Application Instructions Figure 22 - Input Fault Latch and Reset Flow Chart Start Does this safety function require operator intervention after a safety input failure? Are the inputs used to drive safety application instructions? Make sure you select Manual Reset for the safety...
RSLogix 5000 Software, Version 14 and Later, Safety Application Instructions Appendix F Figure 23 - Ladder Logic Example 1 Node 30 is an 8-point input/8-point output combination module. Node 31 is a 12-point input module. If the input status is not OK, then latch the inputs faulted indication. Node30:I.InputStatus Node30InputsFaulted Node31:I.CombinedStatus...
Appendix F RSLogix 5000 Software, Version 14 and Later, Safety Application Instructions Figure 24 - Ladder Logic Example 2 Node 30 is an 8-point input/8-point output combination module. Node 31 is a 12-point input module. If the input status is not OK, then latch the inputs faulted indication. Node30:I.InputStatus Node30InputsFaulted Node31:I.CombinedStatus...
RSLogix 5000 Software, Version 14 and Later, Safety Application Instructions Appendix F Figure 25 - Output Fault Latch and Reset Flowchart Start Does this safety function require operator intervention after a safety output failure? Write logic to latch output failure. Is output fault information required for (Example Rung 0) diagnostic purposes?
Appendix F RSLogix 5000 Software, Version 14 and Later, Safety Application Instructions Notes: Rockwell Automation Publication 1756-RM093J-EN-P - April 2018...
Appendix Using 1794 FLEX™ I/O Modules and 1756 SIL 2 Inputs and Outputs with 1756 GuardLogix Controllers to Comply with EN 50156 Topic Page SIL 2 Dual-channel Inputs (standard side of 1756 GuardLogix controllers) SIL 2 Outputs Using SIL 3 Guard I/O Output Modules SIL 2 Outputs Using 1756 or 1794 SIL 2 Output Modules Safety Functions within the 1756 GuardLogix Safety Task Dual-channel configuration is required for compliance in certain safety-related...
Page 104
Appendix G Using 1794 FLEX™ I/O Modules and 1756 SIL 2 Inputs and Outputs with 1756 GuardLogix Controllers to Comply with EN 50156 SIL 2 Input Data Keep channel A and channel B input data separate at all times. This example illustrates one method for separating channel A and channel B...
Using 1794 FLEX™ I/O Modules and 1756 SIL 2 Inputs and Outputs with 1756 GuardLogix Controllers to Comply with EN 50156 Appendix G SIL 2 Outputs Using SIL 3 Follow these guidelines for SIL 2 outputs: Guard I/O Output Modules •...
Appendix G Using 1794 FLEX™ I/O Modules and 1756 SIL 2 Inputs and Outputs with 1756 GuardLogix Controllers to Comply with EN 50156 Safety Functions within the Follow these guidelines for using SIL 2 and SIL 3 safety functions within the safety task: 1756 GuardLogix Safety Task •...
Glossary The following terms and abbreviations are used throughout this manual. For definitions of terms not listed here, refer to the Allen-Bradley Industrial Automation Glossary, publication AG-7.1. Add-On Instruction An instruction that you create as an add-on to the Logix instruction set. Once defined, an Add-On Instruction can be used like any other Logix instruction and can be used across various projects.
Page 108
Glossary Periodic Task A task that is triggered by the operating system at a repetitive period of time. Whenever the time expires, the task is triggered and its programs are executed. Data and outputs established by the programs in the task retain their values until the next execution of the task or until they are manipulated by another task.
Page 109
Glossary Safety Program A safety program has all the attributes of a standard program, except that it can be scheduled only in a safety task. The safety program consists of zero or more safety routines. It cannot contain standard routines or standard tags. Safety Routine A safety routine has all the attributes of a standard routine except that it is valid only in a safety program and that it consists of one or more instructions suitable for safety applications.
Page 110
Glossary Task A scheduling mechanism for executing a program. A task provides scheduling and priority information for a set of one or more programs that execute based on a certain criteria. Once a task is triggered (activated), all of the programs assigned (scheduled) to the task execute in the order in which they are displayed in the controller organizer.
Page 111
Index Numerics checklist GuardLogix controller system 26 1734-AENT 15 program development 91 1734-AENTR 16 SIL 3 inputs 89 1756-A10 15 SIL 3 outputs 90 CIP Safety protocol 1756-A13 15 definition 105 1756-A17 15 overview 23 1756-A4 15 routable system 33 1756-A5XT 15 commissioning life cycle 51 1756-A7 15...
Page 112
Index output delay time 28 overlap get system value (GSV) definition 105 defintion 9 ownership 29 GSV instructions 65 Guard I/O modules SIL 2 applications 103 partnership definition 105 peer-to-peer communication 24 hard faults pending edits 57 recovery 66 Performance Level human-to-machine interfaces definition 9 use and application 43...
Page 113
Index safety-locking 56 default 56 safety application instructions 69 passwords 56 definition 106 restricted operations 56 safety certifications and compliances 16 Secure Digital (SD) card 15 safety concept set system variable (SSV) instruction 65 assumptions 49 signature history 77 safety consumed tags SIL 2 safety network number 35 EN50156 101...
Page 114
Index Notes: Rockwell Automation Publication 1756-RM093J-EN-P - April 2018...
Page 116
Rockwell Automation maintains current product environmental information on its website at http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page. Allen-Bradley, ArmorBlock, CompactBlock Guard I/O, CompactLogix, ControlBus, ControlFLASH, ControlLogix, ControlLogix-XT, DCM, FactoryTalk Security, FLEX I/O, Guard I/O, GuardLogix, GuardLogix-XT, Logix5000, POINT Guard I/O, POINT I/O, RSLogix 5000, Rockwell Automation, Rockwell Software, SLC, and SmartGuard are trademarks of Rockwell Automation, Inc.