Rockwell Automation ControlLogix SIL2 Application Technique
  1. Manuals
  2. Brands
  3. Rockwell Automation Manuals
  4. Industrial Equipment
  5. Allen-Bradley ControlLogix SIL 2
  6. Application technique
Rockwell Automation ControlLogix SIL2 Application Technique

Rockwell Automation ControlLogix SIL2 Application Technique

System configuration. using rslogix 5000 subroutines
Hide thumbs Also See for ControlLogix SIL2:
Table of Contents

Advertisement

Quick Links

Download this manual
ControlLogix SIL2 System
Configuration
Using RSLogix 5000 Subroutines
Application Technique
(Catalog Numbers 1756 and 1492)

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the ControlLogix SIL2 and is the answer not in the manual?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for Rockwell Automation ControlLogix SIL2

Summary of Contents for Rockwell Automation ControlLogix SIL2

  • Page 1 ControlLogix SIL2 System Configuration Using RSLogix 5000 Subroutines Application Technique (Catalog Numbers 1756 and 1492)

  • Page 2: Important User Information

    No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual. Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

  • Page 3: Updated Information

    Summary of Changes Updated Information Revision B of this publication contains the new or updated information listed in this table. New or Updated Information in This Publication Description Chapter Pages Software and program requirements for the fault-tolerant Chapter 1 system. Enhanced descriptions of system states and added Chapter 3 52…55...
  • Page 4 Summary of Changes Publication 1756-AT010B-EN-P - October 2008...

  • Page 5: Table Of Contents

    Table of Contents Preface About This Publication ......11 Who Should Use This Publication ....11 Conventions .
  • Page 6 Table of Contents Chapter 3 Fault-tolerant Program Elements About This Chapter ....... 47 Overview of the Program Elements .
  • Page 7 Table of Contents Chapter 4 Configuring the Fault-tolerant About This Chapter ....... 65 Before You Begin .
  • Page 8 Table of Contents Chapter 5 Programming the Fault-tolerant About This Chapter ......105 Programming the Main Routine .
  • Page 9 Table of Contents Appendix A SIL2 Remote I/O Fault-tolerance About This Appendix ......131 1756-IB32 ModulePair Tags .
  • Page 10 Table of Contents Publication 1756-AT010B-EN-P - October 2008...

  • Page 11: Preface

    12 should also be consulted and used as references when configuring a ControlLogix SIL2 safety application. Who Should Use This This publication is intended for use only by individuals who have extensive knowledge of safety applications, SIL policies, Publication programmable control systems, and ControlLogix products.

  • Page 12: Additional Resources

    Preface Additional Resources The following resources should also be consulted when configuring a ControlLogix system for SIL2 certification. Resource Description Using ControlLogix in SIL2 Applications Safety This safety reference manual provides information regarding ControlLogix components Reference Manual, publication 1756-RM001 for use in SIL2 applications. Topics include hardware, software, and programming components.

  • Page 13: The Fault-Tolerant System Configuration

    Chapter The Fault-tolerant System Configuration About This Chapter This chapter explains how the fault-tolerant configuration differs from the fail-safe and high-availability configurations and provides a brief overview of the fault-tolerant configuration and application. Topic Page Fault Tolerance and ControlLogix ControlLogix System SIL2 Configurations About Fault-tolerant Systems Fault-tolerant Compared to Other SIL2 Configurations Fault-tolerant System Configuration...

  • Page 14: About Fault-Tolerant Systems

    While not completely fault tolerant, the ControlLogix SIL2 system is described as fault tolerant because it is able to tolerate a majority of faults that may occur in the system. In the unlikely event of a fault where the safety system cannot carry-out the safety application, the system fails-to-safe.
  • Page 15 The Fault-tolerant System Configuration Chapter 1 For example, if a fault occurs in the controller of the primary chassis, the safety system can continue to operate despite the fault. However, if a fault occurs in the remote I/O chassis (on the right side of the diagram), the system fails-to-safe.

  • Page 16: Fault-Tolerant System Configuration

    Chapter 1 The Fault-tolerant System Configuration Fault-tolerant System The ControlLogix fault-tolerant system configuration uses some elements from the high-availability configuration and other elements Configuration that are specific only to the fault-tolerant configuration. In a fault-tolerant configuration, the controller and communication chassis are configured as specified for the high-availability configuration (see the left side of High-availability Configuration...
  • Page 17 The Fault-tolerant System Configuration Chapter 1 The concept of identical, duplicate remote I/O chassis is depicted in the graphic below. In this publication, the duplicate remote I/O chassis are identified by an uppercase letter. For example, Chassis A and Chassis B would indicate a duplicate remote I/O chassis pair. Identical, Duplicate Remote I/O Chassis Identical Duplicate Chassis Chassis B...
  • Page 18 Chapter 1 The Fault-tolerant System Configuration How Remote I/O Interacts with Termination Boards The specialized termination boards have several functions related to remote I/O. The following are functions that all three types of termination boards provide. • Simplified connections from field devices to like modules in both chassis of the duplicate remote I/O chassis.
  • Page 19 The Fault-tolerant System Configuration Chapter 1 Remote I/O Fault Handling In the event of a fault in a module or device in one chassis, for example, chassis A, the fault-tolerant system will continue to operate using only the module or device in the other duplicate chassis (chassis B) and the unfaulted modules in chassis A.

  • Page 20: The Complete Controllogix Fault-Tolerant System

    Chapter 1 The Fault-tolerant System Configuration The Complete ControlLogix The complete ControlLogix system is comprised of several components that help establish fault tolerance. These components are Fault-tolerant System briefly described here and further described in later chapters. Hardware A complete ControlLogix fault-tolerant system, including the redundant controller chassis, duplicate remote I/O chassis, and the specialized termination boards should be configured similar to that shown below.

  • Page 21: Software And Programming

    ControlLogix fault-tolerant system is RSLogix 5000 software, version 15 or later. Also required are specialized routines developed by Rockwell Automation. The use of these specialized routines are specific only to the fault-tolerant SIL2 configuration. A fault-tolerant system configured as described in this manual is SIL2 IMPORTANT compliant only when these components are used.

  • Page 22: Additional Resources

    This programming manual describes Add-On Instructions and their use in RSLogix 5000 publication 1756-PM010 software. You can view or download Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.
  • Page 23 The Fault-tolerant System Configuration Chapter 1 Notes: Publication 1756-AT010B-EN-P - October 2008...
  • Page 24 Chapter 1 The Fault-tolerant System Configuration Publication 1756-AT010B-EN-P - October 2008...

  • Page 25: Fault-Tolerant System Hardware

    Chapter Fault-tolerant System Hardware About This Chapter This chapter describes the use of the remote I/O and termination boards, including their features and functions, in a ControlLogix fault-tolerant system. Topic Page Approved I/O Modules and Termination Boards About the Specialized Termination Boards 1756-IB32 DC Input Termination Board Features Normal Operation of 1756-IB32, DC Input Termination Board 1756-IB32 DC Input Termination Board and Transition Tests...

  • Page 26: About The Specialized Termination Boards

    1492-TAIFM16-F-3, and 1492-TIFM40F-24-2) are crucial to the implementation of a ControlLogix fault-tolerant system. The functionality of these boards, coupled with the application program developed by Rockwell Automation, make fault-tolerant I/O configurations possible. 1756-IB32 DC Input The specialized digital input termination boards, catalog number...

  • Page 27: Normal Operation Of 1756-Ib32, Dc Input Termination Board

    Fault-tolerant System Hardware Chapter 2 Normal Operation of 1756-IB32, DC Input Termination Board During normal operation, the digital input termination board functions as shown in the diagram below. 1492-TIFM40F-F24A-2, Digital Input Termination Board - Normal Operation Input Module A Input Module B Input X Point Value = 1 (On) Input X Point Value = 1 (On) 1492 Cable to 1756-IB32, Module A...

  • Page 28: 1756-Ib32 Dc Input Termination Board And Transition Tests

    Transition Test Intervals Transition tests are programmed in the specialized program supplied by Rockwell Automation. They occur at a user-specified intervals based upon the requirements of the SIL2 application. If there are no faults present on the 1756-IB32 module pair, the system...
  • Page 29 Fault-tolerant System Hardware Chapter 2 While this transition occurs, the specialized program continues to control the system based upon the last-known and verified data from the modules. The transition test detects only stuck-at-one conditions. IMPORTANT Any zero (or low) condition on any point of the module pair is recognized by the controller as a demand on the safety system.

  • Page 30: 1756-If16 Analog Input Termination Board

    Chapter 2 Fault-tolerant System Hardware 1756-IF16 Analog Input The specialized analog input termination boards have these hardware Termination Board features: • On-board fusing with status indicators • Easy-to-use wiring terminals • On-board reference voltages and solid-state switches for diagnostic tests •...

  • Page 31: Normal Operation Of The 1756-If16, Analog Input Termination Board

    1756-IF16 pair. Each 1756-IF16 module is configured for 0…5V operation. The application program supplied by Rockwell Automation then compares the two channel values to each other and verifies that the values are within the user-defined deadband value. The two channels’...
  • Page 32 Chapter 2 Fault-tolerant System Hardware During normal operation, the analog input termination board functions as depicted in this diagram. 1492-TAIFM16-F-3, Analog Input Termination Board - Normal Operation Analog Input Module A Analog Input Module B Input Values from Field Devices Input Values from Field Devices All configured for 0...5V operation.

  • Page 33: One-Sensor Or Two-Sensor Wiring Option

    Fault-tolerant System Hardware Chapter 2 One-sensor or Two-sensor Wiring Option The DIP switches located at the top of the analog input termination board are used to specify one- or two-sensor wiring. One-sensor wiring should be used when one field-sensor signal is being routed to the same channel on to two separate input modules of the pair.

  • Page 34: 1756-If16 Module Pair Reference Tests

    Reference Test Intervals Reference tests are programmed in the specialized program supplied by Rockwell Automation. They occur at a user-specified intervals based upon the requirements of the SIL2 application. If there are no faults present on the 1756-IF16 module pair, the system...
  • Page 35 Fault-tolerant System Hardware Chapter 2 Termination Board During Reference Tests When a reference test is initiated, the analog termination board functions as depicted below. 1492-TAIFM16-F-3, Analog Input Termination Board During Reference Test Analog Input Module B Analog Input Module A Input Values from Input Values from Termination-board Induced...
  • Page 36 Chapter 2 Fault-tolerant System Hardware As depicted, the output from the 1756-OB16D module pair triggers the analog input termination board to switch from the field device voltages to the reference voltages. Each channel has a specific reference voltage applied. This table shows each channel and corresponding reference voltage.

  • Page 37: 1756-Ob16D Diagnostic Output Termination Board Features

    Fault-tolerant System Hardware Chapter 2 1756-OB16D Diagnostic The specialized output termination boards have these hardware features: Output Termination Board Features • Easy-to-use wiring terminals • Relays to provide secondary method of power disconnect for each output module connected • Pre-wired cables for use from termination board to I/O module •...

  • Page 38: Normal Operation Of The 1756-Ob16D Diagnostic Output Termination Board

    Chapter 2 Fault-tolerant System Hardware Normal Operation of the 1756-OB16D Diagnostic Output Termination Board During normal operation, the primary function of the 1756-OB16D, output termination board is to connect the same two output points, each from one module of the pair, to a single load. The output termination board also provides isolation for each channel through the use of diodes.

  • Page 39: Diagnostic Tests And The 1756-Ob16D Output Termination Board

    Fault-tolerant System Hardware Chapter 2 Diagnostic Tests and the 1756-OB16D Output Termination Board Because the 1756-OB16D modules have on-board diagnostic features, the only interaction between the output termination board and diagnostic tests occurs if a module fails a diagnostic test. If the diagnostic tests find a module fault, power is disconnected from the faulted module by opening the normally-open relay on the output termination board.

  • Page 40: Termination Board Relay Control

    Chapter 2 Fault-tolerant System Hardware Termination Board Relay Both the input module pairs and the output module pairs require the use of output points to control some actions of the termination Control boards. Each type of module pair (input and output) has different requirements for termination board relay control.

  • Page 41: 1756-If16 Analog Input Termination Board Switch Control

    Fault-tolerant System Hardware Chapter 2 1756-IF16 Analog Input Termination Board Switch Control In order to establish high availability for the execution of reference tests, the switch on the analog input termination boards is controlled by an output from the 1756-OB16D module pair. The signal from this output is used to initiate reference tests.

  • Page 42: 1756-Ob16D Output Termination Board Relay Control

    Chapter 2 Fault-tolerant System Hardware 1756-OB16D Output Termination Board Relay Control To control relays on the 1756-OB16D termination board, use at least two SIL2-certified output modules. The SIL2-certified modules available for use are listed here. • 1756-OB16I • 1756-OB8EI • 1756-OB32 •...
  • Page 43 Fault-tolerant System Hardware Chapter 2 1756-OBxx Modules to Control 1756-OB16D Termination Board Relays Chassis A Chassis B 1756-OBxx to Control 1756-OB16D 1756-OBxx to Control 1756-OB16D Relay for Module B Module B Relay for Module A Module A Output connection from 1756-OBxx Output connection from 1756-OBxx modules to control relay.

  • Page 44: Input Module Diagnostic Test Control

    Chapter 2 Fault-tolerant System Hardware Input Module Diagnostic Control of the input diagnostic tests (that is, the transition and reference tests) is achieved through the use of 1756-OB16D outputs Test Control routed through the 1756-OB16D termination board. Because the 1756-OB16D outputs are used to control the diagnostic tests, any fault that results in the shutdown of the 1756-OB16D module pair will result in the failure of the next transition or reference tests for the input modules.

  • Page 45: Additional Resources

    1756-RM001 components for use in SIL2 applications. Topics include hardware, software, and programming components. You can view or download Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.
  • Page 46 Chapter 2 Fault-tolerant System Hardware Publication 1756-AT010B-EN-P - October 2008...

  • Page 47: Fault-Tolerant Program Elements

    Chapter Fault-tolerant Program Elements About This Chapter This chapter describes some of the elements of the fault-tolerant program provided by Rockwell Automation. The concepts of this chapter should be understood before you configure your system. Topic Page Overview of the Program Elements...

  • Page 48: Diagnostic Subroutines

    Chapter 3 Fault-tolerant Program Elements Diagnostic Subroutines The program supplied by Rockwell Automation contains diagnostic subroutines that must be used to monitor, process, and reconcile data from the input and output module pairs. The data that the subroutines produce is used in the main routine.

  • Page 49: Call_Code Subroutines

    Fault-tolerant Program Elements Chapter 3 Diagnostic Features of Diagnostic Subroutines For the feature or test See the description at Input comparison IB32_Diagnostics Subroutine on page 55 IF16_Diagnostics Subroutine on page 57 Connection verification Tag descriptions at Appendix A on page 131 Transition tests 1756-IB32 DC Input Termination Board and Transition Tests on...

  • Page 50: Function Of The Program Elements

    Chapter 3 Fault-tolerant Program Elements Function of the Program Elements When configured and programmed properly, the program elements function as depicted here. Overview of Fault-Tolerant Program Main Routine Module Status Data IB32 Subroutine_Call_Code IB32_Diagnostics Input JSR for 1756-IB32 Subroutine Module Parameters Module Pair 1 Processes Data...

  • Page 51: Program Elements Provided

    Fault-tolerant Program Elements Chapter 3 Program Elements Provided The fault-tolerant program you receive from Rockwell Automation provides all of the elements described above. The following graphic shows how these elements will appear in the RSLogix 5000 configuration tree. Program Elements in RSLogix 5000 Configuration Tree Program the main routine according to your application.

  • Page 52: States Of The System

    Chapter 3 Fault-tolerant Program Elements States of the System To understand how the system diagnostics function, you should understand various states of the system as described in these sections: • Normal State see page 52 • Test State see page 52 •...

  • Page 53: 1Oo1 State

    Fault-tolerant Program Elements Chapter 3 1oo1 State The state when either: • A point-level or channel-level fault is present on one module of the pair. During this state, one or more points of one module of the pair are faulted. The system operates by using data from the unfaulted module and all of the unfaulted points of the module with a fault.

  • Page 54: Faulted State

    Chapter 3 Fault-tolerant Program Elements Faulted State If one or more point or channel-level faults is present on both modules of a pair, a faulted state occurs and the system shutsdown. The faulted state occurs even if the faulted points or channels between module pair are different.

  • Page 55: Ib32_Diagnostics Subroutine

    Fault-tolerant Program Elements Chapter 3 IB32_Diagnostics The 1756-IB32 diagnostic subroutine completes the following tasks when in the states identified. Subroutine Normal Operation - 1756-IB32 Module Pair When in normal operation, the IB32_Diagnostics subroutine carries-out the tasks listed in this table. System Tasks for 1756-IB32 Normal State Task Description...

  • Page 56: Test - 1756-Ib32 Module Pair

    Chapter 3 Fault-tolerant Program Elements Test - 1756-IB32 Module Pair Transition tests occur at intervals specified by the user or according to the default settings. This table identifies the transition test tags and their default values. Transition Test Interval Tags Tag Name Default Value 86400000 (24 hours)

  • Page 57: If16_Diagnostics Subroutine

    Fault-tolerant Program Elements Chapter 3 IF16_Diagnostics The 1756-IF16 diagnostic subroutines carry-out these tasks when in the states identified. Subroutine Normal Operation - 1756-IF16 Module Pair When in normal operation, the IF16_Diagnostic subroutine carries-out the tasks listed in this table. System Tasks for 1756-IF16 Normal State Task Description Connection verification...

  • Page 58: Test - 1756-If16 Module Pair

    Chapter 3 Fault-tolerant Program Elements Test - 1756-IF16 Module Pair Reference tests occur at intervals specified by the user or according to the default settings. Reference tests are also described in Chapter 2, in the section titled 1756-IF16 Module Pair Reference Tests, on page 1oo1 - 1756-IF16 Module Pair When the module pair is running in a 1oo1 configuration, at least one...

  • Page 59: If16_Refcal Subroutine

    Fault-tolerant Program Elements Chapter 3 IF16_RefCal Subroutine In addition to the diagnostic subroutine provided for the 1756-IF16 module pair, another subroutine called IF16_RefCal is also provided. The IF16_RefCal subroutine carries-out logic that completes these tasks: • Verifies that all input channels of the 1756-IF16 module pair are reading reference values properly.

  • Page 60: Ob16D_Diagnostics Subroutine

    Chapter 3 Fault-tolerant Program Elements OB16D_Diagnostics The 1756-OB16D diagnostic subroutines carry-out the following tasks when in the states identified. Subroutine Normal Operation - 1756-OB16D When in normal operation, the OB16D_Diagnostics subroutine carries-out the tasks listed in this table. System Tasks for 1756-OB16D Normal State Task Description Connection verification...

  • Page 61: 1Oo1 - 1756-Ob16D

    Fault-tolerant Program Elements Chapter 3 1oo1 - 1756-OB16D When the module pair is running in a 1oo1 configuration, one of the modules in the pair has been shut-down and the system is running on information from only the remaining (unfaulted) module. When the 1756-OB16D module pair is running in a 1oo1 configuration, the tasks listed in this table are carried-out.

  • Page 62: Data Flow Between Program Elements

    Chapter 3 Fault-tolerant Program Elements Data Flow Between It is important for you to understand how data flows in the fault-tolerant program, especially as you complete your system Program Elements configuration and programming. This graphic below provides a view of how data flows and is processed by the fault-tolerant program elements.

  • Page 63: The Fault-Tolerant Program

    Reference Manual, publication 1756-RM001 for use in SIL2 applications. Topics include hardware, software, and programming components. You can view or download Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.
  • Page 64 Chapter 3 Fault-tolerant Program Elements Publication 1756-AT010B-EN-P - October 2008...

  • Page 65: System

    Additional Resources Before You Begin Before you begin configuring your system using the program supplied by Rockwell Automation, you should prepare your redundant controller chassis and network. For more information about how to prepare you redundant controller chassis, see the ControlLogix Redundancy System User Manual, publication 1756-UM523.

  • Page 66: Begin With The Fault-Tolerant I/O Program

    Controller Configuration in Program Supplied by Rockwell Automation Adding a CNB or CNBR to the Controller Chassis In order to configure your remote I/O chassis, you must first add a CNB or CNBR module to the chassis configuration provided.

  • Page 67: Configuring Remote I/O Chassis

    Configuring the Fault-tolerant System Chapter 4 Configuring Remote I/O To configure the remote I/O chassis, you must add the remote I/O chassis and their modules to the I/O configuration tree. Chassis Add the Remote I/O Chassis to the I/O Configuration Tree To add your chassis and remote I/O to the configuration tree, complete these steps.
  • Page 68 Chapter 4 Configuring the Fault-tolerant System When configuring your I/O modules, use naming conventions that will allow you to easily identify the chassis pair, individual chassis, and module location. For example, the I/O configuration examples in this manual use the following naming convention. Pr1_ChA_Slot1 Chassis Pair Module Location...
  • Page 69 Configuring the Fault-tolerant System Chapter 4 1756-IF16 Module Properties Property Value Comm Format Float Data -Single-Ended Mode -No Alarm Input Range 0 V...5 V for each channel (scaling is permitted) If you edit the 1756-IF16 module configuration any time after IMPORTANT your initial start up, you must press fault reset in order to implement the new configuration parameters.
  • Page 70 Chapter 4 Configuring the Fault-tolerant System 1756-OB16D Module Properties Property Value Comm Format Full Diagnostics - Output Data Enable Diag. Latching Do not enable (uncheck boxes) Once your chassis have been configured, your I/O configuration tree should be similar to the one below. Publication 1756-AT010B-EN-P - October 2008...

  • Page 71: About System-Generated Tags

    Configuring the Fault-tolerant System Chapter 4 About System-generated Tags For each module you configure, the system generates tags for the module are created. These tags are also referred to as module-defined tags. To view these tags, open the Controller Tags folder. System-generated Tags Resulting From I/O Configuration The data in these tags is sensor data from the I/O modules and is used by the diagnostic subroutines (as specified in the JSR instructions of...

  • Page 72: Specifying Diagnostic Subroutine Behavior

    Edit ModulePair Tags About ModulePair Tags Tags of type ModulePair are user-defined data types created by Rockwell Automation specifically for fault-tolerant SIL2 applications. For each module type (that is 1756-IB32, 1756-IF16, and 1756-OB16D), a ModulePair data type is available. Once each ModulePair tag is created, a group of tags that are used to specify the behavior in the module pair’s diagnostic subroutine are...

  • Page 73: Create Modulepair Tags

    Configuring the Fault-tolerant System Chapter 4 Create ModulePair Tags 1. In the Edit tab of the Controller Tags folder, add a tag for each module pair in the system. When creating your module pair tags, use naming conventions that will allow you to easily identify the chassis pair, module pair, and module type.
  • Page 74 Chapter 4 Configuring the Fault-tolerant System 2. In the Data Type column of each tag, specify the module-specific, ModulePair data type. Publication 1756-AT010B-EN-P - October 2008...
  • Page 75 Configuring the Fault-tolerant System Chapter 4 After you have created the tags using the ModulePair data type, these tags and structures result. Each ModulePair tag should correspond to one module pair in your system. O Configuration Tree Module Pair Tags Some of these tags are used when constructing the main routine, while others are used to specify diagnostic behavior within the subroutines.

  • Page 76: Edit Modulepair Tags

    Required 1756-XXXX ModulePair Tag Values. For other module pair tag values, Rockwell Automation recommends values. However, depending on your application, you may choose to use values other than those provided in this manual. These tag values are described in the Recommended 1756-XXXX Tag Values sections.

  • Page 77: Editing 1756-Ib32 Modulepair Tags

    Configuring the Fault-tolerant System Chapter 4 Editing 1756-IB32 ModulePair Tags Once the 1756-IB32_ModulePair tags have been generated, these tags specific to the 1756-IB32 module pair result. Located within this group of tags are those you must edit in order to specify system behavior for the 1756-IB32 module pair.
  • Page 78 Chapter 4 Configuring the Fault-tolerant System Required 1756-IB32 ModulePair Tag Values In this tag for the 1756-IB32 module pair, the value listed must be specified for each point. Tag Name Description Value I.Safety_Inputs_Select Any 1756-IB32 module pair inputs used in the fault-tolerant system are 1 at each point used designated as safety inputs.

  • Page 79: Editing 1756-If16 Modulepair Tags

    Configuring the Fault-tolerant System Chapter 4 Editing 1756-IF16 ModulePair Tags Once the 1756-IF16_ModulePair tags have been generated, these tags specific to the 1756-IF16 module pair result. Located within this group of tags are those you must edit in order to specify system behavior for the 1756-IF16 module pair.
  • Page 80 Chapter 4 Configuring the Fault-tolerant System Required 1756-IF16 ModulePair Tag Values In this tag for the 1756-IF16 module pair, values must be specified for each channel based upon whether the channel is used or unused. Tag Name Description Value I.Safety_Inputs_Select 1 in each channel used Enter 1 for any analog input channel being used.
  • Page 81 Configuring the Fault-tolerant System Chapter 4 Tag Name Description Value I.Miscompare_Test_Limit The number of subsequent program scans where a miscompare between points may occur before a fault is registered. The value of four is strongly recommended in order to avoid nuisance trips as well as provide a timely safety response.

  • Page 82: Editing 1756-Ob16D Modulepair Tags

    Chapter 4 Configuring the Fault-tolerant System Editing 1756-OB16D ModulePair Tags Once the 1756-OB16D_ModulePair tags have been generated, these tags specific to the 1756-OB16D module pair result. Located within this group of tags are those you must edit in order to specify system behavior for the 1756-OB16D module pair.
  • Page 83 Configuring the Fault-tolerant System Chapter 4 Required 1756-OB16D ModulePair Tag Values These values are required for 1756-OB16D module pair tags. Tag Name Description Value I.Safety_Outputs_Select For fault-tolerant I/O, all 1756-OB16D module pair outputs are designated as 1 for all points, used or safety outputs.

  • Page 84: Adding Message Tags

    Chapter 4 Configuring the Fault-tolerant System Adding MESSAGE Tags The OB16D_Call_Code subroutine uses MSG instructions to initiate the pulse tests for the module pair. The MSG instructions require the use of MESSAGE tags. Later in the configuration, you will edit the MSG instructions to use the tags you create here.

  • Page 85: Editing The 1756-Ib32 Call_Code Subroutine

    Configuring the Fault-tolerant System Chapter 4 Editing the 1756-IB32 Call_Code Subroutine This section describes how to edit the 1756-IB32 Call_Code subroutine for fault-tolerant applications To edit the 1756-IB32 Call_Code subroutine, complete these tasks. Task Page Copy and Paste a JSR Rung for Each 1756-IB32 Module Pair Edit JSR Parameters for the 1756-IB32 Module Pair Edit Other Rung Elements for the 1756-IB32 Module Pair Copy and Paste a JSR Rung for Each 1756-IB32 Module Pair...
  • Page 86 Chapter 4 Configuring the Fault-tolerant System 2. Copy the rung provided and paste it. Copied Rung Pasted Rung 3. Repeat steps 1…2 until there is a JSR instruction rung for every 1756-IB32 input module pair in the system. After you have created a JSR instruction rung for each input module pair, you must edit the JSR parameters and other elements of the rungs.

  • Page 87: Edit Jsr Parameters For The 1756-Ib32 Module Pair

    Configuring the Fault-tolerant System Chapter 4 Edit JSR Parameters for the 1756-IB32 Module Pair The JSR instruction for the 1756-IB32 diagnostic routine uses four input parameters and two return parameters. You must edit these parameters so that the tags specific to your 1756-IB32 module pair are used.

  • Page 88: Edit Other Rung Elements For The 1756-Ib32 Module Pair

    Chapter 4 Configuring the Fault-tolerant System 1756-IB32 Module Pair Tags for Use as JSR Parameters Parameter Use Tag Description Return Par ModulePairName.IO Tags that contain module pair diagnostic status data for the module pair. Return Par ModulePairName.O Tags containing the reconciled data (that is, resulting data that has been processed by the diagnostic subroutine) for the module pair.
  • Page 89 Configuring the Fault-tolerant System Chapter 4 Example of IB32_Call_Code with Completed Edits This example depicts how the completed IB32_Call_Code subroutine would appear if four 1756-IB32 module pairs were used in the fault-tolerant system. Example IB32_Call_Code Subroutine with Four Module Pairs Publication 1756-AT010B-EN-P - October 2008...

  • Page 90: Editing The 1756-If16 Call_Code Subroutine

    Chapter 4 Configuring the Fault-tolerant System Editing the 1756-IF16 Call_Code Subroutine This section describes how to edit the 1756-IF16 Call_Code subroutine for fault-tolerant applications. To edit the 1756-IF16 Call_Code subroutine, complete these tasks: Task Page Copy and Paste a JSR Rung for Each 1756-IF16 Module Pair Edit JSR Parameters for the 1756-IF16 Module Pair Edit Other Rung Elements for the 1756-IF16 Module Pair Copy and Paste a JSR Rung for Each 1756-IF16 Module Pair...
  • Page 91 Configuring the Fault-tolerant System Chapter 4 2. Copy the rung provided and paste it. Copied Rung Pasted Rung 3. Repeat steps 1…2 until there is a JSR instruction rung for every 1756-IF16 input module pair in the system. After you have created a JSR instruction rung for each input module pair, you must edit the JSR parameters and other elements of the rungs.

  • Page 92: Edit Jsr Parameters For The 1756-If16 Module Pair

    Chapter 4 Configuring the Fault-tolerant System Edit JSR Parameters for the 1756-IF16 Module Pair The JSR instruction for the 1756-IF16 diagnostic routine uses six input parameters and two return parameters. You must edit these parameters so that the tags specific to your 1756-IF16 module pairs are used.

  • Page 93: Edit Other Rung Elements For The 1756-If16 Module Pair

    Configuring the Fault-tolerant System Chapter 4 Tags for Use as 1756-IF16 JSR Parameters Parameter Use Tag Description Return Par ModulePairName.IO Tags that contain module pair diagnostic status data for the module pair. Return Par ModulePairName.O Tags containing the averaged input data (that is, resulting data that has been processed by the diagnostic subroutine) for the module pair.
  • Page 94 Chapter 4 Configuring the Fault-tolerant System Example of IF16_Call_Code with Completed Edits This example depicts how the completed IF16_Call_Code subroutine would appear if two 1756-IF16 module pairs were used in the fault-tolerant system. Example IF16_Call_Code Subroutine with Two Module Pairs Publication 1756-AT010B-EN-P - October 2008...

  • Page 95: Editing The 1756-Ob16D Call_Code Subroutine

    Configuring the Fault-tolerant System Chapter 4 Editing the 1756-OB16D Call_Code Subroutine This section describes how to edit the 1756-OB16D Call_Code subroutine for fault-tolerant applications. To edit the 1756-OB16D Call_Code subroutine, complete these tasks: Task Page Copy and Paste Rungs for Each 1756-OB16D Module Pair Edit JSR Parameters for the 1756-OB16D Module Pair Edit Elements of the 1756-OB16D Call_Code Routine Copy and Paste Rungs for Each 1756-OB16D Module Pair...
  • Page 96 Chapter 4 Configuring the Fault-tolerant System 2. Copy rungs 0…2 and paste them below rung 2. 3. Repeat step 2 until each 1756-OB16D module pair has a set of the three rungs in the Call_Code subroutine. After you have completed creating a set of rungs for each 1756-OB16D module pair, you must then edit each module pairs’...

  • Page 97: Edit Elements Of The 1756-Ob16D Call_Code Routine

    Configuring the Fault-tolerant System Chapter 4 Edit Elements of the 1756-OB16D Call_Code Routine After you have added rung sets for each module pair and entered parameters in each module pair’s JSR instruction, you must edit other elements of call_code subroutine program. Complete these steps to edit the other elements of the call_code subroutine for each 1756-OB16D output module pair.
  • Page 98 Chapter 4 Configuring the Fault-tolerant System Specify the MSG tags .DN and .ER for the Specify the MSG tags .DN and .ER for the 1756-OB16D module in chassis A. 1756-OB16D module in chassis B. Specify the ConnectionFault_Module_A tag for Specify the ConnectionFault_Module_B tag for your your 1756-OB16D module pair.
  • Page 99 Configuring the Fault-tolerant System Chapter 4 2. In the second and third rungs for the module pair, edit the instruction tags as described in this graphic. These rungs contain programming that initiates the power disconnect of a faulted 1756-OB16D module. Specify the output point that controls the termination Specify the Relay_Module_A tag for board relay for module A of your module pair.
  • Page 100 Chapter 4 Configuring the Fault-tolerant System b. Click the View Tag Configuration button located to the right of the Message Control tag. c. In the Configuration tab, specify these properties. Property Value Message Type CIP Generic Service Type Pulse Test Source Element PulseTest_Settings (a ModulePair tag) Publication 1756-AT010B-EN-P - October 2008...
  • Page 101 Configuring the Fault-tolerant System Chapter 4 d. In the Communication tab, browse to the 1756-OB16D module. e. Click Apply to accept the changes. f. Click OK to close the dialog box. You have completed edits to your MSG instruction. After you have edited the MSG instructions, they should appear as shown here.

  • Page 102: Edit Jsr Parameters For The 1756-Ob16D Module Pair

    Chapter 4 Configuring the Fault-tolerant System Edit JSR Parameters for the 1756-OB16D Module Pair The JSR instruction for the 1756-OB16D diagnostic subroutine uses six input parameters and four return parameters. You must edit these parameters so that the tags specific to your system are used. 1756-OB16D Module Pair JSR Parameters About the Data Used About the Tags Used...

  • Page 103: Next Steps

    Provides information about digital I/O modules including: features, configuration, and publication 1756-UM058 troubleshooting. You can view or download Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative. Publication 1756-AT010B-EN-P - October 2008...
  • Page 104 Chapter 4 Configuring the Fault-tolerant System Publication 1756-AT010B-EN-P - October 2008...

  • Page 105: About This Chapter

    Chapter Programming the Fault-tolerant System About This Chapter This chapter describes suggested methods for programming the fault-tolerant system. Topic Page Programming the Main Routine Basic Input/Output Programming .I and .O Data in Fault-tolerant Programming Example Input/Output Rung Module Pair Fault to Result in System Shutdown Fault Reset Programming Circuit Reset Programming Demand Made Through a 1756-IB32 Module Pair...

  • Page 106: Relationship Between Main Routine And Diagnostic Subroutines

    Chapter 5 Programming the Fault-tolerant System Relationship Between Main Routine and Diagnostic Subroutines The Main Routine is where you program the system to use data processed and provided by the diagnostic subroutines. While the diagnostic subroutines provide module pair and individual module status data, the program in the Main Routine is what assesses and causes the system response to that data.

  • Page 107: Example Input/Output Rung

    Programming the Fault-tolerant System Chapter 5 Typical Fault-tolerant Analog Input/Output Rung ModulePairName.I Data (to output module pair diagnostic subroutine) Source A ModulePairName.O Data Source B For more information about how data is processed and used in the fault-tolerant program, see Chapter 3, Fault-tolerant Program Elements.

  • Page 108: Module Pair Fault To Result In System Shutdown

    Chapter 5 Programming the Fault-tolerant System Module Pair Fault to Result Some fault-tolerant applications may require that the system shutdown in the event of a fault at any module pair. in System Shutdown For example, in your application, if both modules of 1756-IB32 module pair is faulted, the resulting safe state for the system may be a total system shutdown.

  • Page 109: Fault Reset Programming

    Programming the Fault-tolerant System Chapter 5 Fault Reset Programming In order to reset ModulePair fault bits in the program after a fault has been corrected, you must use programming to toggle the fault bit (that is, the tag) for the module pair affected. In many IO.FaultReset applications, this programming uses an input connected to a pushbutton.
  • Page 110 Chapter 5 Programming the Fault-tolerant System When the fault reset bit is toggled, these tag values are reset. 1756-IB32 ModulePair Tags Reset by the IO.FaultReset Bit • ConnectionFault_Module_A • ConnectionFault_Module_B • Chnl_OK_Module_A • Chnl_OK_Module_B • ChnlFlt_StuckAtOne_Module_A • ChnlFlt_StuckAtOne_Module_B • Module_Pair_Good •...

  • Page 111: Circuit Reset Programming

    Programming the Fault-tolerant System Chapter 5 Circuit Reset Programming In the fault-tolerant system, a circuit reset is a manual control used to restart inputs and outputs after a system shutdown has occurred. When a circuit reset occurs, the data tags for the module pair (that is, tags for each module pair) are cleared of the faulted state .I.Data data and reset to use the sensor data of the modules.
  • Page 112 Chapter 5 Programming the Fault-tolerant System Circuit Reset Programming Specify the point of a standard input module Use an OTE instruction for each module pair in your system. In each OTE, specify connected to the circuit reset button. the ModulePair tag.

  • Page 113: Programming For A Demand On The System

    Programming the Fault-tolerant System Chapter 5 Programming for a Demand You must also include programming to respond to a demand on the system. These sections provide examples and explanations of on the System programming for a demand on the system. Demand Made Through a 1756-IB32 Module Pair This example shows a method of programming for a shutdown when a demand is placed on the system through the 1756-IB32 module pair.

  • Page 114: Demand Made Through A 1756-If16 Module Pair

    Chapter 5 Programming the Fault-tolerant System Demand Made Through a 1756-IF16 Module Pair These examples show methods of programming for a shutdown when a demand is placed on the system through one channel of the 1756-IF16 module pair. Depending on your application, your programming may use different, but similar, programming than that shown here.

  • Page 115: Power-Up Sequence

    Programming the Fault-tolerant System Chapter 5 Power-up Sequence Once you have completed your system programming, you should configure your ControlNet network and download the project to the controller. After you put the controller into Run mode or you turn on a controller with a fault-tolerant program loaded, there is a sequence of power up steps that you must carry-out.

  • Page 116: Additional Resources

    Reference Manual, publication 1756-RM001 for use in SIL2 applications. Topics include hardware, software, and programming components. You can view or download Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.

  • Page 117: About This Chapter

    Chapter Troubleshooting a Fault-tolerant System About This Chapter This chapter explains recommended procedures for troubleshooting a fault-tolerant system. It also contains examples of status information that may result when faults are present in the system. Topic Page Identifying a Faulted Module Pair Identifying a Faulted Module Example of Programming to Identify a Faulted Module Pair Identifying a Faulted Module...

  • Page 118: Identifying A Faulted Module Pair

    Chapter 6 Troubleshooting a Fault-tolerant System Identifying a Faulted In order to identify a faulted module pair, you should examine these tags. Each of these tags is created when you create the ModulePair Module Pair data type tags for any of the three module types. ModulePair Tags Used to Identify a Fault on the Module Pair Indicates O.ModulePair_Good...
  • Page 119 Troubleshooting a Fault-tolerant System Chapter 6 These are the module pair status tags as they appear in the Controller Tags list. ModulePair Status Tags for Each Module Type 1756-IB32 Module Pair Status Tags 1756-IF16 Module Pair Status Tags 1756-OB16 Module Pair Status Tags Publication 1756-AT010B-EN-P - October 2008...

  • Page 120: Example Of Programming To Identify A Faulted Module Pair

    Chapter 6 Troubleshooting a Fault-tolerant System Example of Programming to Identify a Faulted Module Pair When troubleshooting your fault-tolerant system after a fault on a module pair has occurred, you may choose to examine module status tags by going online with the controller or by programming an HMI or similar notification system to annunciate and identify the faulted module pair.

  • Page 121: Identifying A Faulted Module

    Troubleshooting a Fault-tolerant System Chapter 6 Identifying a Faulted In order to identify a faulted module, you should examine these tags. Each of these tags is created when you create the ModulePair data Module type tags for any of the three module types. ModulePair Tags Used to Identify a Faulted Module Indicates O.Module_A_Faulted...

  • Page 122: 1756-Ib32 Modulepair Tags To Identify The Type Of Module Fault

    Chapter 6 Troubleshooting a Fault-tolerant System 1756-IB32 ModulePair Tags to Identify the Type of Module Fault The ModulePair data type for the 1756-IB32 module provides tags that can help identify these types of faults: • Connection and communication faults. • Points on the module faulted (for example, a miscompare or stuck-at-one condition).

  • Page 123: 1756-If16 Modulepair Tags To Identify The Type Of Module Fault

    Troubleshooting a Fault-tolerant System Chapter 6 1756-IF16 ModulePair Tags to Identify the Type of Module Fault The ModulePair data type for the 1756-IF16 module provides tags that can help identify these types of faults: • Connection and communication faults. • Channels on the module faulted (for example, due to a miscompare or over/under range).

  • Page 124: 1756-Ob16D Modulepair Tags To Identify The Type Of Module Fault

    Chapter 6 Troubleshooting a Fault-tolerant System 1756-OB16D ModulePair Tags to Identify the Type of Module Fault The ModulePair data type for the 1756-OB16D module provides tags that can help identify these types of faults: • Connection and communication faults. • No load conditions (detects no load conditions only between the output module and termination board).

  • Page 125: Using Resets

    Troubleshooting a Fault-tolerant System Chapter 6 Using Resets After you have finished troubleshooting and repairing a faulted module condition, you must reset the system so that the faults are cleared and the system operates using the data from the repaired module.

  • Page 126: Examples Of Faults And Resulting Tag Values

    Chapter 6 Troubleshooting a Fault-tolerant System Examples of Faults and These examples show how the ModulePair tags appear before and after a certain module fault occurs. Each column of the tables Resulting Tag Values indicates what action has taken place. The tags listed in the rows of the columns indicate the tag values after the action has occurred.

  • Page 127: 1756-If16 Module Pair - One Module Faulted And Removed

    Troubleshooting a Fault-tolerant System Chapter 6 1756-IF16 Module Pair - One Module Faulted and Removed In this example, module B of the 1756-IF16 module pair has a fault caused by an internal short. The tag value changes are shown after the fault is identified by the reference test, when the module is removed for repair, and after the module has been replaced and the faults reset.

  • Page 128: 1756-If16 Module Pair - Two Modules Faulted

    Chapter 6 Troubleshooting a Fault-tolerant System 1756-IF16 Module Pair - Two Modules Faulted In this example, a fault occurs on module B of the module pair. Then, while operating 1oo1, module A faults as well. The table shows the progression of tag values through the initial fault on module B through the circuit reset.

  • Page 129: Additional Resources

    Provides information regarding ControlLogix components for use in SIL2 applications. Reference Manual, publication 1756-RM001 Topics include hardware, software, and programming components. You can view or download Rockwell Automation publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.
  • Page 130 Chapter 6 Troubleshooting a Fault-tolerant System Notes: Publication 1756-AT010B-EN-P - October 2008...

  • Page 131: About This Appendix

    SIL2 Remote I/O Fault-tolerance Tags About This Appendix This appendix provides tag names, purposes, and values for each type of I/O module available for use in the ControlLogix SIL2 fault-tolerant system. Use this appendix as a reference when programming your SIL2 fault-tolerant system.
  • Page 132 Appendix A SIL2 Remote I/O Fault-tolerance Tags 1756-IB32 ModulePair Tags Used to Specify System Behavior Tag Name Description Value Required or Recommended I.Safety_Input_Select Use to select or deselect the inputs that are used for 1 (at each point) Required safety functions. I.Miscompare_Test_Limit Defines the number of times a miscompare between Recommended...

  • Page 133: 1756-Ib32 Module Status Tags

    SIL2 Remote I/O Fault-tolerance Tags Appendix A 1756-IB32 Module Status Tags The module status tags provide diagnostic information for the module pair. These tags are used in several ways in the fault-tolerant system. Uses include: • in the main routine to determine system behavior. •...
  • Page 134 Appendix A SIL2 Remote I/O Fault-tolerance Tags 1756-IB32 Module Status Tags Tag Name Description O.ModulePair_1oo1 Status bit that indicates the module pair is operating 1oo1. 1 = Operating 1oo1 0 = Either both modules of pair are OK or are faulted (that is, not in 1oo1 operation) O.ModulePair_Faulted Status bit indicates that both modules of the...

  • Page 135: 1756-Ib32 Modulepair Tags For Use In Programming

    SIL2 Remote I/O Fault-tolerance Tags Appendix A 1756-IB32 ModulePair Tags for Use in Programming These tags are to be used in either the main routine or in call code programs. Your program uses the data in these tags to determine system behavior.

  • Page 136: 1756-Ib32 Hidden Tags, Not For Use

    1756-IB32 Hidden Tags, Not for Use Similar to the inability to access the diagnostic subroutines, there are tags within the program provided by Rockwell Automation that cannot be accessed or altered. You cannot see these tags, however, in order to avoid potential conflicts within the program, you should not create tags with the same names.

  • Page 137: 1756-If16 Modulepair Tags

    SIL2 Remote I/O Fault-tolerance Tags Appendix A 1756-IF16 ModulePair Tags The tags provided in the following tables are used to configure, spec- ify, and monitor 1756-IF16 analog input module behavior in a Control- Logix fault-tolerant system. 1756-IF16 ModulePair Tags for System Behavior You must enter values for each these 1756-IF16 ModulePair tags.

  • Page 138: 1756-If16 Module Status Tags

    Appendix A SIL2 Remote I/O Fault-tolerance Tags 1756-IF16 ModulePair Tags Used to Specify System Behavior Tag Name Description Value Required or Recommended IO.SwitchToRefValue_Delay.PRE Amount of time, in ms, delayed to allow the Recommended inputs to transition to the reference values before checking the results of the reference test.
  • Page 139 SIL2 Remote I/O Fault-tolerance Tags Appendix A 1756-IF16 Module Status Tags Tag Name Description ConnectionFault_Module_A Indicates the status of the connection to module A. 1 = Connection lost 0 = Connection good ConnectionFault_Module_B Indicates the status of the connection to module B. 1 = Connection lost 0 = Connection good Chnl_OK_Module_A...
  • Page 140 Appendix A SIL2 Remote I/O Fault-tolerance Tags 1756-IF16 Module Status Tags Tag Name Description ModulePair_Faulted Status bit indicates that both modules of the module pair have at least one fault. The system has failed to safe. 1 = Both modules of pair faulted 0 = Both modules of pair OK Module_A_Faulted Status bit indicates that module A of the pair has at...

  • Page 141: 1756-If16 Modulepair Tags For Use In Programming

    SIL2 Remote I/O Fault-tolerance Tags Appendix A 1756-IF16 ModulePair Tags for Use in Programming These tags are to be used in either the main routine or in call code programs. Your program uses the data in these tags to determine system behavior.

  • Page 142: 1756-If16 Hidden Tags, Not For Use

    1756-IF16 Hidden Tags, Not for Use Similar to the inability to access the diagnostic subroutines, there are tags within the program provided by Rockwell Automation that cannot be accessed or altered. You cannot see these tags, however, in order to avoid potential conflicts within the program, you should not create tags with the same names.

  • Page 143: 1756-Ob16D Module Pair Tags

    SIL2 Remote I/O Fault-tolerance Tags Appendix A 1756-OB16D Module Pair The tags provided in the following tables are used to configure, spec- ify, and monitor 1756-OB16D output module behavior in a Control- Tags Logix fault-tolerant system. 1756-OB16D ModulePair Tags for System Behavior You must enter values for each these 1756-OB16D ModulePair tags.

  • Page 144: 1756-Ob16D Module Status Tags

    Appendix A SIL2 Remote I/O Fault-tolerance Tags 1756-OB16D Module Status Tags The module status tags are used in several ways. Uses include: • in the main routine to determine system behavior. • in the subroutine to detemine and report module pair status. •...
  • Page 145 SIL2 Remote I/O Fault-tolerance Tags Appendix A 1756-OB16D Module Status Tags Tag Name Description Chnl_HWFail_Module_A Status bit that indicates a hardware failure on the point of the module. 1 = Point faulted 0 = Point is not faulted Chnl_HWFail_Module_B Status bit that indicates a hardware failure on the point of the module.

  • Page 146: 1756-Ob16D Modulepair Tags For Use In Programming

    Appendix A SIL2 Remote I/O Fault-tolerance Tags 1756-OB16D ModulePair Tags for Use in Programming These tags are to be used in either the main routine or in call code programs. Your program uses the data in these tags to determine system behavior.

  • Page 147: 1756-Ob16D Hidden Tags, Not For Use

    1756-OB16D Hidden Tags, Not for Use Similar to the inability to access the diagnostic subroutines, there are tags within the program provided by Rockwell Automation that cannot be accessed or altered. You cannot see these tags, however, in order to avoid potential conflicts within the program, you should not create tags with the same names.
  • Page 148 Appendix A SIL2 Remote I/O Fault-tolerance Tags Publication 1756-AT010B-EN-P - October 2008...

  • Page 149: Appendix B About This Appendix

    Appendix SIL2 Fault-tolerant Topology About This Appendix This appendix provides considerations for use when planning your fault-tolerant I/O system. It also includes an example layout of fault-tolerant system. Topic Page Planning Considerations 1756-OB16D Module Pair Arrangement Planning Considerations Remember these considerations when planning and laying-out your fault-tolerant system.
  • Page 150 Chapter B SIL2 Fault-tolerant Topology Fault-tolerant System Planning Considerations For module type Make these considerations • 1756-OB16D module pair Use 1492-CABLEXXXZ cables connect the 1756-OB16D module pair to an output termination board. • Use two 1756-OBXX modules to control relays on the output termination board. Connect an output from a 1756-OBXX module to the termination board.
  • Page 151 SIL2 Fault-tolerant Topology Chapter B 1756-OB16D Module Pair Arrangement 1492 Cable 1492 Cable 1492 Cable 1492 Cable 1492 Cable 1492 Cable 1756-OB16D Output Termination Board Module Pair 1 1756-OB16D Output Module A Relay Module B Relay Termination Board Module Pair 2 1756-OB16D Output Module A Relay Module B Relay...
  • Page 152 Chapter B SIL2 Fault-tolerant Topology Publication 1756-AT010B-EN-P - October 2008...

  • Page 153: Appendix C About This Appendix

    Detecting System-side Versus Field-side Faults The ControlLogix fault-tolerant system can detect only system-side faults. System-side faults are those that occur within the hardware of the ControlLogix SIL2-certified fault-tolerant system. This means that any fault that occurs beyond the fault-tolerant system hardware cannot be detected.

  • Page 154: Module Pair Faults

    Appendix C Fault-tolerant System Limitations Module Pair Faults When certain faults occur on the fault-tolerant system, the system programming recognizes those faults as a faulted module pair - even if the fault is present only on one module of the pair. Depending on your application and main routine programming, these module pair faults may result in a system shutdown.

  • Page 155: Frequently Asked Questions

    Am I required to use redundant (duplicate) I/O chassis? SIL2 General Requirements No. If you are configuring any ControlLogix SIL2-compliant system, you do not have to configure your remote I/O into redundant (duplicate) chassis. To achieve SIL2-compliance, you may choose to...
  • Page 156 Appendix D Frequently Asked Questions SIL2 Diagnostic Subroutine Requirements No. You may use several different SIL2-certified configurations of your remote I/O with the diagnostic subroutines. However, the use of redundant remote-I/O chassis provides the highest level of availability compared to other SIL2 hardware configurations. You may also choose to place I/O in non-redundant chassis remote from the controller or in the same chassis as the controller.

  • Page 157: About I/O

    Frequently Asked Questions Appendix D More About SIL2 Hardware Configurations and Fault-tolerance This illustration can be used as a reference when determining how to configure your SIL2 hardware to meet the requirements for your SIL2 system’s fault-tolerance and availability. Hardware Configurations and Fault-tolerance Single chassis: Chassis 1: Chassis 1 (redundant):...
  • Page 158 Am I required to use input module pairs? SIL2 General Requirements Yes. If you are configuring a ControlLogix SIL2-compliant system without the diagnostic subroutines, you still have to use input module pairs. See the Using ControlLogix in SIL2 Applications Safety...
  • Page 159 Frequently Asked Questions Appendix D Am I required to use a standard output module to control the output relays of the 1756-OB16D termination board? SIL2 General Requirements Yes. If you are using the 1756-OB16D output termination boards, you must use a standard output module to control the relays of that board as described in Chapter 2 on page 38.

  • Page 160: About Fail-Safe And Fault-Tolerant Programs

    Appendix D Frequently Asked Questions Can I use I/O modules other than the 1756-IB32, 1756-IF16, and 1756-OB16D modules? SIL2 General Requirements Yes. If you are implementing a SIL2 system without using the diagnostic subroutines, you may use any of the I/O modules listed in the Using ControlLogix in SIL2 Applications Safety Reference Manual, publication 1756-RM001.
  • Page 161 Frequently Asked Questions Appendix D How is programming for a fail-safe system different than programming for a fault-tolerant system? The difference between fail-safe and fault-tolerant programming is in the programmed response to a fault in the system. There are multiple possibilities for system-responses to faults that may occur.
  • Page 162 Appendix D Frequently Asked Questions If I am configuring a fail-safe system, what parameters should I specify in the SIL2 Add-On Instructions for the input module pairs? Specify the same input parameters for the input module pairs as those shown in Chapter 4 (page 57) for the fault-tolerant system.

  • Page 163: Glossary

    Glossary These terms are used throughout this manual. 1oo1 state Describes the state of the system when a channel, module, or chassis of a pair within the SIL2 system is faulted and the system is operating using only data from the unfaulted channels, module of the pair, or chassis of the pair.
  • Page 164 Glossary fault tolerance The ability of a functional unit to continue to perform a required function in the presence of faults or errors. For more information, see IEC publication 61508-4. fault-tolerant configuration A ControlLogix system that is configured so that the system can continue to carry-out the safety function, even when certain faults occur.
  • Page 165 (within the deadband). required tag values ModulePair tag values provided Rockwell Automation that must be used and are not application-dependant. Where required tag values are specified, no other values may be used.
  • Page 166 Glossary stuck-at-one condition Also called stuck-at-high, this is a condition where a digital input point cannot change from the value of 1 (or high) to 0 (low). system-generated tags Tags that are created by RSLogix 5000 software when you configure your I/O configuration tree.
  • Page 167 Index Numerics 1756-IF16 modules properties 69 1756-IB32 Call_Code subroutines 1756-OB16D Call_Code subroutine edit 85–89 edit MSG instructions 99 add JSR rung 85 1756-OB16D Call_Code subroutines edit rung elements 88 edit 95–103 JSR parameters 87 add JSR rung 95 1756-IB32 DC input termination board rung elements 97 features 26 1756-OB16D diagnostic output...
  • Page 168 Index chassis pairs IF16_Diagnostics subroutine 57 1oo1 58 identical duplicates 17 normal operation 57 in fault-tolerant configurations 16 test 58 limits 16 main routine and 106 naming conventions 68 OB16D_Diagnostics subroutine 60 termination board use with 17 1oo1 61 circuit reset 111 normal operation 60 when to use 125 diagnostic tests...
  • Page 169 Index fault-tolerant IB32_Diagnostics subroutine about 14 1oo1 56 configuration 15 about 55 configuration compared to others 15 normal operation 55 configuration description 16 test 56 program identical, duplicate remote I/O chassis elements 47–51 about 17 fault-tolerant program figure of 17 start configuration 66 required 155 fault-tolerant system...
  • Page 170 Index module tags 71 about 60 normal operation 38, 60 ModulePair tags one-sensor wiring 33 1756-IF16 output module pair module status 123 1756-OB16D module status 124 chassis configuration 151 about 72 outputs and diagnostic tests 44 edit 76–83 editing 1756-IB32 tags 77 planning considerations 149 1756-IF16 tags 79 1756-OB16D tags 82...
  • Page 171 Index remote I/O modules ModulePair 72 edit for 1756-IB32 77 add to the program 67 edit for 1756-IF16 79 approved modules 25 edit for 1756-OB16D 82 chassis configuration 16 used to identify faulted modules 121 configure in program 67 ModulePair, create 73 termination boards and 18 system-generated 71 remote I/O modules, configure in the...
  • Page 172 Index Publication 1756-AT010B-EN-P - October 2008...
  • Page 173 ___No, there is no need to contact me ___Yes, please call me ___Yes, please email me at _______________________ ___Yes, please contact me via _____________________ Return this form to: Rockwell Automation Technical Communications, 1 Allen-Bradley Dr., Mayfield Hts., OH 44124-9705 Fax: 440-646-3525 Email: RADocumentComments@ra.rockwell.com Publication CIG-CO521D-EN-P- July 2007...
  • Page 174 PLEASE FASTEN HERE (DO NOT STAPLE) Other Comments PLEASE FOLD HERE NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO. 18235 CLEVELAND OH POSTAGE WILL BE PAID BY THE ADDRESSEE 1 ALLEN-BRADLEY DR MAYFIELD HEIGHTS OH 44124-9705...

  • Page 176: Rockwell Automation Support

    New Product Satisfaction Return Rockwell Automation tests all of its products to ensure that they are fully operational when shipped from the manufacturing facility. However, if your product is not functioning and needs to be returned, follow these procedures.

Table of Contents