Table of Contents
Advertisement
Chapter 6
Safety Application Development
Table 1 - Effect of Controller Modes on Safety Execution
Controller Mode
Controller Behavior
Program
• Safety input and output connections are established and maintained:
– Safety input tags are updated to reflect safety input values.
• Safety Task logic is not being scanned.
Test
• Safety input and output connections are established and maintained:
– Safety input tags are updated to reflect safety input values.
• Safety Task logic is being scanned.
Run
• Safety input and output connections are established and maintained:
– Safety input tags are updated to reflect safety input values.
– The controller sends "run" safety output packets.
• Safety Task logic is being scanned.
• All safety task process logic, cross-compare logic outputs. Logic outputs are written to safety outputs.
Table 2 - Safety Application Status
(1)
Safety Task
Safety
Status
(up to and including)
Unlocked
Only for development
purposes
No signature
Locked
Only for development
purposes
No signature
Unlocked
SIL 3/PLe/Cat. 4
With signature
Control reliable
Locked
SIL 3/PLe/Cat. 4
With signature
Control reliable
(1) To achieve this level, you must adhere to the safety requirements defined in this safety reference manual.
Basics of Application
Development and Testing
48
Controller Behavior
• Safety I/O forces can be present.
• Safety I/O forces can be modified.
• Safety online editing is allowed.
• Safety memory is isolated, but is unprotected (read/write).
• Safety I/O forces are not allowed (forces of Safety I/O must be removed before locking is possible).
• Online editing of the safety task is not allowed.
• Safety memory is protected (read only).
• Safety I/O forces are not allowed. (Forces of Safety I/O must be removed before generating a signature is possible.)
• Online editing of the safety task is not allowed.
• Safety memory is protected (read only).
• Safety signature allows recovery from a Nonrecoverable Safety Fault without redownloading.
• Safety signature is unprotected and anyone who has access to the controller can delete it.
• Safety I/O forces are not allowed.
• Online editing of the safety task is not allowed.
• Safety memory is protected (read only).
• Safety signature allows recovery from a Nonrecoverable Safety Fault without redownloading.
• Safety signature is protected. You must enter the unlock password to unlock the controller before you can delete the
safety signature.
We recommend that a system integrator or a user who is trained and
experienced in safety applications develops the application program for the
intended SIL 2 or SIL 3 system. The developer must follow good design
practices:
• Use functional specifications, including flowcharts, timing diagrams,
and sequence charts.
• Perform a review of safety task logic.
• Perform application validation.
Rockwell Automation Publication 1756-RM012B-EN-P - April 2018
Hide quick links:
Advertisement
Table of Contents
