Table of Contents
Advertisement
Chapter 5
Characteristics of Safety Tags, the Safety Task, and Safety Programs
SIL 2 and SIL 3 Safety
Application Differences
40
IMPORTANT
A risk assessment determines whether a safety function requires SIL 2 or SIL 3.
For example, one machine has multiple safety functions, with the maximum
risk requiring only SIL 2. In that case, a SIL 2 capable controller is acceptable.
While another machine has multiple safety functions, with at least one risk
requiring SIL 3. In that case, a SIL 3 capable controller is required.
As discussed in this publication, a SIL 2 GuardLogix 5580 controller requires
only the primary controller, and a SIL 3 GuardLogix 5580 controller requires
both the primary controller and the safety partner.
IMPORTANT If operating above 55 °C (131 °F) in a SIL 2 application, modules greater than
6.2 W must not be installed in slots that are next to the controller.
Regardless of whether you are using the SIL 2 or SIL 3 solution, a safety
signature is required for either safety integrity level. See
Signature on page 52
for additional information.
IMPORTANT The safety task can contain a number of safety functions. For a particular
function to be SIL 3, the entire chain of devices and programming from the
sensor to the actuator must be SIL 3. Be careful that you do not use a SIL 2
input signal for a safety function that requires SIL 3.
Safety I/O Modules
A difference between the safety integrity levels is that single-channel I/O
devices are possible for SIL 2, and dual-channel I/O devices are typically
required for SIL 3.
Rockwell Automation Publication 1756-RM012B-EN-P - April 2018
While safety-unlocked and without a safety signature, the
controller helps prevent simultaneous write access to safety
memory from the safety task and communication commands. As a
result, the safety task can be held off until a communication update
completes. The time that is required for the update varies by tag
size. Therefore, safety connection and safety watchdog timeouts
could occur. (For example, if you make online edits when the safety
task rate is set to 1 ms, a safety watchdog timeout could occur.)
To compensate for the hold-off time due to a communication
update, the safety watchdog time must be lengthened.
Depending on the edit, the safety task may not have enough time to
complete the operation and a watchdog timeout occurs.
When the controller is safety-locked or a safety signature exists, the
situation that is described in this note cannot occur.
Generate the Safety
Hide quick links:
Advertisement
Table of Contents
