Allen-Bradley 1756-L7 Series Reference Manual

Safety Reference Manual
Using ControlLogix in SIL 2 Applications
Catalog Numbers 1756-L6x, 1756-L7x

Summary of Contents for Allen-Bradley 1756-L7 Series

  • Page 1 Safety Reference Manual Using ControlLogix in SIL 2 Applications Catalog Numbers 1756-L6x, 1756-L7x
  • Page 2 IMPORTANT Identifies information that is critical for successful application and understanding of the product. Allen-Bradley, Rockwell Software, Rockwell Automation, TechConnect, ControlLogix, ControlLogix-XT, GuardLogix, FLEX, RSLogix, Logix5000, RSNetWorx, FactoryTalk, Data Highway Plus, and SynchLink are trademarks of Rockwell Automation, Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies.
  • Page 3 Added information on the restrictions and requirements for changing parameters via an HMI Updated reaction time example calculations Appendix A Updated and moved the list of SIL 2 certified components Appendix B This list now includes FLEX I/O modules Rockwell Automation Publication 1756-RM001I-EN-P - May 2012...
  • Page 4 Summary of Changes: Updated publication links in the components appendix (Appendix B). Updated Probability of Failure on Demand (PFD) calculations, including data for 1794 FLEX I/O modules, are now in the appendix (Appendix C). All checklists are now in an appendix (Appendix D).
  • Page 5: Table Of Contents

    Redundant Power Supplies (page 33); Recommendations for Using Power Supplies (page 34)
  • Page 6 Table of Contents Chapter 4 ControlLogix Communication Modules: Introduction to Communication Modules (page 35); ControlNet Modules and Components (page 36); ControlNet Cabling .
  • Page 7 Reading Parameters in Safety-related Systems (page 91); Changing Safety-related Parameters in SIL-rated Systems (page 92)
  • Page 8 Table of Contents Appendix A Reaction Times of the ControlLogix Local Chassis Configuration (page 95); Remote Chassis Configuration .
  • Page 9: Preface

    The probability of a system to have a dangerous failure occur per hour. Hour Safety Integrity Level A discrete level for specifying the safety integrity requirements of the safety functions allocated to the electrical/electronic/ programmable electronic (E/E/PE) part of the safety system.
  • Page 10: Additional Resources

    In addition to the manuals listed, you may want to reference installation instructions listed in Appendix You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of technical documentation, contact your local Allen-Bradley® distributor or Rockwell Automation sales representative.
  • Page 11: Introduction To Safety Integrity Level (Sil)

    All of the examples related to I/O included in this manual are based on achieving de-energization as the safe state for typical Emergency Shutdown (ESD) Systems.
  • Page 12: Programming And Debugging Tool (Padt)

    Chapter 1 SIL Policy Programming and Debugging Tool (PADT) For support in creation of programs, the PADT (Programming and Debugging Tool) is required. The PADT for ControlLogix is RSLogix 5000, per IEC 61131-3, and this Safety Reference Manual. For more information about programming a system by using pre-developed subroutines or Add-On Instructions, see these publications: •...
  • Page 13 • Any time a fault is detected, the system must annunciate the fault to an operator by some means (for example, an alarm light). Figure 1 - Manual Override Circuit (labels: Manual Override, Actuator, L2 or Ground, Fault, Alarm to Operator)
  • Page 14: Boiler And Combustion Considerations

    Chapter 1 SIL Policy Boiler and Combustion Considerations If your SIL 2-certified ControlLogix system is used in combustion-related applications, you are responsible for meeting National Fire Protection Association (NFPA) standard NFPA 85 or NFPA 86. A few failures in ControlLogix SIL2 may take up to eight hours to detect, therefore eight hours is the worst case reaction time.
  • Page 15: Typical Sil 2 Configurations

    The SIL 2 portion of the certified system excludes the development tools and display/human machine interface (HMI) devices; these tools and devices must not be part of the safety loop.
  • Page 16: Simplex Configuration

    Chapter 1 SIL Policy Simplex Configuration In a simplex configuration, the hardware used in the safety loop is programmed to fail to safe. The failure to safe is typically an emergency shutdown (ESD) where outputs are de-energized. Figure Figure 4, and Figure 5 show a typical simplex SIL loop.
  • Page 17 ControlNet To other safety related ControlLogix or FLEX I/O remote I/O chassis. Note 1: Multiple 1756-CNB or -CNBR modules can be installed into the chassis as needed. Other configurations are possible as long as they are SIL2 approved.
  • Page 18: Duplex Logic Solver Configurations

    Chapter 1 SIL Policy Duplex Logic Solver Configurations In duplex configurations, redundant system components are used to increase the availability of the control system. The modules in the redundant controller chassis include redundancy modules and network communication modules for redundant communication, as well as the ControlLogix controllers. SIL 2 I/O modules in the safety loop must meet the requirements specified in Chapter ControlLogix I/O...
  • Page 19: Duplex (Fault-Tolerant) System Configuration

    [Figure: Analog Input, Digital Input, and Digital Output modules, each with a Termination Board and a Field Device]
  • Page 20: Proof Tests

    Chapter 1 SIL Policy Figure 8 - Duplex System ControlNet Configuration (labels: SIL 2-certified ControlLogix Safety Loop, Primary Chassis, Secondary Chassis, ControlNet, I/O Chassis A, I/O Chassis B)...
  • Page 21: Proof Testing With Redundancy Systems

    For more information on switchovers in ControlLogix redundancy systems and ControlLogix redundancy systems in general, see these redundancy system manuals: • ControlLogix Standard Redundancy System User Manual, publication 1756-UM523 • ControlLogix Enhanced Redundancy System User Manual, publication 1756-UM535
  • Page 22: Reaction Times

    Chapter 1 SIL Policy Reaction Times The response time of the system is defined as the amount of time it takes for a change in an input condition to be recognized and processed by the controller’s logic program, and then to initiate the appropriate output signal to an actuator. The system response time is the sum of the following: •...
  • Page 23: Safety Watchdog

    SIL certification. If a product has achieved agency certification, it is marked on the product label. To view additional safety certifications for products, go to http://www.ab.com and click the Product Certifications link.
  • Page 25: Module Fault Reporting

    For example, the system can be programmed to retrieve the fault code of the failed module and make a determination, based on the type of fault, as to whether to continue operating.
  • Page 26: Data Echo Communication Check

    Chapter 2 Features of the ControlLogix SIL 2 System This ability of the controller to monitor the health of I/O modules in the system and take appropriate action based on the severity of a fault condition gives the user complete control of the application’s behavior. It is your responsibility to establish the course of action appropriate to your safety application.
  • Page 27: Pulse Test

    – remove the controller key from the keyswitch. • Authorized personnel may change an application program, but only by using one of the processes described in Changing Your Application Program on page
  • Page 28: Communication

    Chapter 2 Features of the ControlLogix SIL 2 System Communication Several communication options are available for connecting with the ControlLogix SIL 2 system and for the exchange of data within the SIL 2 system. Communication Ports A built-in serial port is available on 1756-L6x controllers for download or visualization purposes only.
  • Page 29: Ethernet/Ip Network

    For more information about electronic keying, see the ControlLogix Digital I/O Modules User Manual, publication 1756-UM058.
  • Page 31: Controllogix Controllers

    The ControlLogix controller consists of a central processor, I/O interface, and memory. Operating Modes The controller performs power-up and run-time functional tests. The tests are used with user-supplied application programs to verify proper controller operation.
  • Page 32: Requirements For Use

    Chapter 3 ControlLogix Controllers, Chassis, and Power Supplies A three-position keyswitch on the front of the controller governs ControlLogix system operational modes. The following modes are available: • Run • Program • Remote - This software-enabled mode can be Program or Run. Figure 10 - Keyswitch in Run Mode Logix557x FORCE SD...
  • Page 33: Controllogix Chassis

    1756-Px75R power supplies, in that chassis. In this case, we recommend that you use the Series B version of the nonredundant power supplies, that is, the 1756-Px75/B power supplies.
  • Page 34: Recommendations For Using Power Supplies

    Chapter 3 ControlLogix Controllers, Chassis, and Power Supplies Recommendations for Using Power Supplies When using SIL 2-certified ControlLogix power supplies: • follow the information provided in the product’s installation instructions. • a power supply can be used if it meets the user-defined PFD criteria. •...
  • Page 35: Introduction To Communication Modules

    (1) Not for use in safety functions. ControlLogix communication modules can be used in peer-to-peer communication between ControlLogix devices. The communication modules can also be used for expansion of I/O to additional ControlLogix remote I/O chassis.
  • Page 36: Controlnet Modules And Components

    Chapter 4 ControlLogix Communication Modules ControlNet Modules and Components The ControlNet bridge modules (catalog numbers 1756-CNB, 1756-CNBR, 1756-CN2, 1756-CN2R, and 1756-CN2RXT) provide communication between any nodes properly scheduled on the ControlNet network. ControlNet Cabling For remote racks, a single RG6 coax cable is required for ControlNet communication.
  • Page 37: Devicenet Scanner Module

    • Non-SIL 2 devices should not write data to SIL 2 controllers. The only exception to this is the use of HMI devices. For more information on how to use HMI in the safety loop, see Chapter Use of Human-to-Machine Interfaces on page
  • Page 38: Peer-To-Peer Communication Requirements

    Chapter 4 ControlLogix Communication Modules Peer-to-Peer Communication Requirements Peer-to-peer communication via a ControlNet or EtherNet/IP network is permitted when these requirements are met: • Non-SIL 2 controllers can read data from SIL 2 controllers by directly reading the data or by consuming data from a SIL 2 controller that is configured to produce data.
  • Page 39: Overview Of Controllogix I/O Modules

    SIL 2-certified ControlLogix I/O modules. This figure shows the SIL 2-certified ControlLogix I/O modules. Each type, digital or analog, is described in greater detail throughout the rest of this chapter.
  • Page 40: Using 1756 Digital Input Modules

    Chapter 5 ControlLogix I/O Modules Figure 11 - Types of SIL 2-certified I/O Modules (1756 Digital I/O Modules: Diagnostic Digital Modules and Standard Digital Modules; 1756 Analog I/O Modules)...
  • Page 41: Module

    [Wiring figure: One-sensor Wiring Example and Two-sensor Wiring Example (labels: + Power, Input A1, Input B1, Input A2, Input B2, Sensor). Optional relay contact to switch supply voltage for periodic automated testing.]
  • Page 42: Using 1756 Digital Output Modules

    Chapter 5 ControlLogix I/O Modules Application logic is used to compare input values for concurrence. Figure 13 - Logic Comparing Input Values or States (labels: Input A, Input B, No Faults, Actuator). The user program must also contain rungs to annunciate a fault in the event of a sustained miscompare between two points.
  • Page 43: Modules

    [Ladder figure labels: Output, Timer Done, Fault, Alarm to Operator] The control, diagnostics and alarming functions must be performed in sequence. For more information on faults, see Chapter Faults in the ControlLogix System.
  • Page 44: Wiring Controllogix Digital Output Modules

    Chapter 5 ControlLogix I/O Modules • Use of external relays to disconnect module power if output de-energized state is critical. To verify that outputs will de-energize, users must wire an external relay or other measure, that can remove power from the output module if a short or other fault is detected.
  • Page 45 • Write logic to test the output’s ability to turn ON and OFF at powerup. • At the proof test interval, force the output ON and OFF and use a voltmeter to verify output performance.
  • Page 46 Chapter 5 ControlLogix I/O Modules Automatic testing of output modules (that is, the user turns the outputs ON and OFF to verify proper operation) should be made at intervals that are an order of magnitude less than the safety demand rate. For example, output testing should be scheduled at least twice a year for a low demand system.
  • Page 47: Using Analog Input Modules

    Field signal levels should be varied over the full operating range to make sure that the corresponding channel data varies accordingly. For more information, see Proof Tests on page
  • Page 48: Calibrate Inputs

    Chapter 5 ControlLogix I/O Modules Calibrate Inputs Analog input modules should be calibrated periodically, as their use and application requires. ControlLogix I/O modules ship from the factory with a highly accurate level of calibration. However, because each application is different, you are responsible for making sure your ControlLogix I/O modules are properly calibrated for your specific application.
  • Page 49: Configure Modules

    When using identical modules, configure the modules identically, that is, by using the same RPI, filter values, and so on. When using different modules for improved diversity, make sure the module’s scaling of data does not introduce error or fault conditions.
  • Page 50: Specify The Same Controller As The Owner

    Chapter 5 ControlLogix I/O Modules Specify the Same Controller as the Owner The same controller must own both analog input modules. You must use Analog Inputs Faulted as a safety status/permissive in respective safety-related outputs. Wiring ControlLogix Analog Input Modules In general, good design practice dictates that each of the two transmitters must be wired to input terminals on separate modules such that the channel values may be validated by comparing the two within an acceptable range.
  • Page 51 Use the same channel on each module to make sure of consistent temperature readings. Figure 24 on page 52 shows how to wire the 1756-IT6I module.
  • Page 52 Chapter 5 ControlLogix I/O Modules Figure 24 - ControlLogix Analog Thermocouple Module Wiring (labels: Ch0 +, Thermocouple A, Thermocouple B). Wiring the RTD Input Module Make sure you: • review the considerations in Using Analog Input Modules on page •...
  • Page 53: Using Hart Analog Input Modules

    • use the correct documentation (listed in Additional Resources on page to wire the module. Figure 26 - HART Input Analog Module Wiring (labels: Ch0 +, Ch0 -, Sensor)
  • Page 54: Using Analog Output Modules

    Chapter 5 ControlLogix I/O Modules Using Analog Output Modules There are a number of general application considerations that you must make when using analog output modules in a SIL 2 application. A single analog output module, along with an analog input module for monitoring is required to achieve SIL 2.
  • Page 55 If the monitoring input value and the Output Echo miscompare for longer than the preset value, a fault is registered with a corresponding alarm.
  • Page 56 Chapter 5 ControlLogix I/O Modules Figure 27 - Monitoring an Analog Output with an Analog Input...
  • Page 57: Wiring Controllogix Analog Output Modules

    (each module output is 250 Ω). Figure 29 on page 58 shows how to wire the 1756-OF8 module for use in Current mode.
  • Page 58: Using Hart Analog Output Modules

    Chapter 5 ControlLogix I/O Modules Figure 29 - ControlLogix Analog Output Module Wiring in Current Mode (labels: Analog Output Module, Analog Input Module). This normally-open relay is controlled by the status of the rest of the ControlLogix system. If a short-circuit or fault occurs on the module, the relay can disconnect power to the module.
  • Page 59: Wiring The Hart Analog Output Modules

    • use the correct documentation (listed in Appendix B) as a reference when wiring the module. Figure 30 - HART Output Analog Module Wiring (labels: Actuator, Ch0 +, Ch0 -)
  • Page 61: Overview Of Flex I/O Modules

    • Wire sensors to separate input points on two separate modules that are on different network nodes. • Configuration parameters (for example, RPI, filter values) must be identical between the two modules.
  • Page 62: Wiring Flex I/O Digital Input Modules

    Chapter 6 FLEX I/O Modules • The same controller must own both modules. • Monitor the network status bits for the associated module and ensure that appropriate action is invoked via the application logic by these status bits. Wiring FLEX I/O Digital Input Modules The wiring diagrams in Figure 31 show two methods of wiring the digital input...
  • Page 63: Using Flex I/O Digital Output Module

    • Wire sensors to separate input points on two separate modules that are on different network nodes. • Monitor the network status bits for the associated module and make sure that appropriate action is invoked via the application logic by these status bits.
  • Page 64: Wiring Flex I/O Digital Output Modules

    Chapter 6 FLEX I/O Modules Wiring FLEX I/O Digital Output Modules When using standard output modules, you must wire an output to an actuator and then back to an input to monitor the output’s performance. Figure 35 - FLEX I/O Standard Output Module Wiring Standard Digital Output Module Wire output point to input Standard Digital Input Module...
  • Page 65: Using Analog Input Modules

    Validation test must be performed. Manually, or automatically, test inputs to make sure that all inputs are operational. Field signal levels should be varied over the full operating range to make sure that the corresponding channel data varies accordingly.
  • Page 66 Chapter 6 FLEX I/O Modules • Calibrate inputs periodically, as necessary. FLEX I/O modules ship from the factory with a highly accurate level of calibration. However, because each application is different, you are responsible for making sure your FLEX I/O modules are properly calibrated for your specific application.
  • Page 67 • Monitor the network status bits for the associated module and make sure that appropriate action is invoked via the application logic by these status bits. • Wire sensors to separate input channels on two separate modules that are on different network nodes.
  • Page 68: Wiring Flex I/O Analog Input Modules

    Chapter 6 FLEX I/O Modules Wiring FLEX I/O Analog Input Modules The wiring diagrams in this section show two methods of wiring the analog input module. In either case, you must determine whether the use of 1 or 2 sensors is appropriate to fulfill SIL2 requirements.
  • Page 69 Figure 40 - FLEX I/O Analog Input Wiring in Current Mode (labels: 1794-IE8 Analog Input, 1794-IF4I Analog Input, 1794-TB3, Current Source A, Current Source B)
  • Page 70 Chapter 6 FLEX I/O Modules Wiring the Thermocouple Input Module In addition to following the Requirements When Using FLEX I/O Analog Input Modules on page 65 and before wiring the module, consider the following application guideline: • Wire to the same input channel on both modules. When wiring thermocouples, wire two in parallel to two modules.
  • Page 71: Using Analog Output Modules

    ESD command and are therefore not recommended for use as ESD output modules. The use of digital output modules and actuators to achieve the ESD de-energized state is recommended.
  • Page 72: Requirements When Using Flex I/O Analog Output Modules

    Chapter 6 FLEX I/O Modules Requirements When Using FLEX I/O Analog Output Modules Follow these general application considerations when applying the analog output modules in a SIL2 application: • Proof tests - Periodically (for example, once every several years) a System Validation test must be performed.
  • Page 73 They must not share the same FLEX adapter. • Monitor the network status bits for the associated module and make sure that appropriate action is invoked via the application logic by these status bits.
  • Page 74: Wiring Flex I/O Analog Output Modules

    Chapter 6 FLEX I/O Modules Wiring FLEX I/O Analog Output Modules In general, good design practice dictates that each analog output must be wired to a separate input terminal to make sure that the output is functioning properly. Wiring the Analog Output Module in Voltage Mode You must wire analog outputs to an actuator and then back to an analog input to monitor the output performance.
  • Page 75 Figure 45 - Analog Output Wiring Example (labels: 1794-OE4 Analog Output Module, 1794-IE8 Analog Input Module, 1794-OF4I Isolated Analog Output Module, 1794-IF4I Isolated Analog Input Module, 1794-TB3, Actuator)
  • Page 77: Software For Sil 2-Related Systems

    • user application code (user program) uses common and good design practices. • a test plan is documented and adhered to, including well-understood proof test requirements and procedures. • a well-designed validation process is defined and implemented.
  • Page 78: Programming Languages

    Chapter 7 Requirements for Application Development For the initial start-up of a safety-related ControlLogix system, the entire system must be checked by a complete functional test. After a modification of the application program, the modified program or logic must be checked. For more information on how users should handle changes to their application program, see Changing Your Application Program on page...
  • Page 79: Security

    The requirements of the safety and application standards regarding the protection against manipulations must be observed. The authorization of employees and the necessary protection measures are the responsibility of the individuals starting and maintaining the SIL 2 safety system.
  • Page 80: Basics Of Application Program Development And Testing

    Chapter 7 Requirements for Application Development Basics of Application Program Development and Testing The application program is intended to be developed by the system integrator and/or user. The developer must consider general procedures for programming ControlLogix SIL 2 applications listed below (this does not require independent third party review).
  • Page 81: Sensors (Digital Or Analog)

    Logic and Instructions The logic and instructions used in programming the application must be: • easy to understand. • easy to trace. • easy to change. • easy to test. • well-documented.
  • Page 82: Program Language

    Chapter 7 Requirements for Application Development Program Language You must implement simple, easy to understand: • ladder. • other IEC 61131-3-compliant language. • function blocks with specified characteristics. We use ladder, for example, because it is easier to visualize and make partial program changes with this format.
  • Page 83: Checking The Application Program

    6. Save the compare results as part of the verification process. 7. Delete the upload file. 8. Rename the original project file (change back) to the original project name to maintain project documentation.
  • Page 84: Commissioning Life Cycle

    Chapter 7 Requirements for Application Development Commissioning Life Cycle Figure 47 shows the steps required during application program development, debugging and commissioning. Figure 47 - Application Development Life Cycle: Generate Functional Specification, Create Flow Diagram, Create Timing Diagrams, Establish Sequence of Operations, Develop Project, Develop Project...
  • Page 85: Changing Your Application Program

    (controller is in Run mode), you cannot make online edits. • You can edit the relay ladder logic portion of the safety program using one of the following methods described in Table
  • Page 86 Chapter 7 Requirements for Application Development Table 3 - Methods of Changing Your Application Program in RSLogix 5000 Software Method Required Steps Controller Key Points to this Method Keyswitch Position Offline Perform the tasks described in the flow chart in Figure 47 on page PROG You must re-validate the entire application...
  • Page 87: Faults In The Controllogix System

    To help handle faults, make sure you have completed the input (see Checklist for SIL Inputs on page 122) and output (see Checklist for SIL Outputs on page 124) checklists for your application.
  • Page 88: Module

    Chapter 8 Faults in the ControlLogix System Module Fault Reporting for Any ControlLogix or FLEX I/O You must verify that all components in the system are operating properly. This can be accomplished in ladder logic through the use of the Get System Value instruction (GSV) and an examination of the MODULE Object’s Entry Status’...
  • Page 89: Examining An 1756 Analog Input Module's High Alarm

    High Alarm, the alarm bit is set and a fault is declared. It is your responsibility to determine appropriate behavior when a fault is present.
  • Page 90: Additional Resources

    Chapter 8 Faults in the ControlLogix System Additional Resources The ControlLogix architecture provides the user many ways of detecting and reacting to faults in the system. Various device objects can be interrogated to determine the current operating status. Additionally, modules provide run-time status of their operation and of the process.
  • Page 91: Use Of Human-To-Machine Interfaces

    To avoid safety-related nuisance trips, use good communication practices to limit the impact of communication processing on the controller. Do not set read rates to the fastest rate possible.
  • Page 92: Changing Safety-Related Parameters In Sil-Rated Systems

    Chapter 9 Use of Human-to-Machine Interfaces Changing Safety-related Parameters in SIL-rated Systems A parameter change in a safety-related loop via an external (that is, outside the safety loop) device (for example, an HMI) is allowed only with the following restrictions: •...
  • Page 93 HMI and limits access to required data points only. • Similar to the controller program, the HMI software needs to be secured and maintained for SIL-level compliance after the system has been validated and tested.
  • Page 95: Local Chassis Configuration

    • The output module processes data from the controller and turns the output device on or off. Figure 51 - Local Chassis Configuration of Digital or Analog Modules (Input Module, Controller, Output Module)
  • Page 96: Remote Chassis Configuration

    Appendix A Reaction Times of the ControlLogix System Remote Chassis Configuration Figure 52 shows an example system where the following occurs: • Input data changes on the input module. • The data is transmitted to the controller via the network communication modules.
  • Page 97 • If the safe state in your application is high, use the Off -> On Input Filter Time. Figure 53 - Digital Module Configuration Module RPI is configurable via the Connection tab.
  • Page 98: For Analog Modules

    Appendix A Reaction Times of the ControlLogix System For Analog Modules Use this formula to determine worst-case reaction time for analog modules in local or remote configurations: Worst-Case Reaction Time with no faults or errors = (Real Time Sample (RTS) Rate) + (Input Module RPI x 4/8/16…...
  • Page 99 (2) Existing systems that use the 1756-PSCA and 1756-PSCA2 are SIL 2-certified. However, when implementing new SIL 2-certified systems or upgrading existing systems, we recommend that you use the 1756-PSCA2 module if possible.
  • Page 100 Appendix B SIL 2-certified ControlLogix System Components Table 6 - SIL 2-certified ControlLogix Components - 1756 Nonredundant Controllers, I/O, and Communication Modules Related Cat. No. Description Documentation 1756-L61 ControlLogix 2 MB controller 1756-L62 ControlLogix 4 MB controller 1756-L63 ControlLogix 8 MB controller 1756-L71 ControlLogix 2 MB controller 1756-UM001...
  • Page 101 (6) The 1756-SYNCH module is included in this table because this module can be used to propagate time between chassis and to record events that occur in each chassis.
  • Page 102 Appendix B SIL 2-certified ControlLogix System Components Table 7 - SIL 2-certified ControlLogix Components - 1756 Redundancy System Components Related Cat. No. Description Documentation 1756-L61 ControlLogix 2 Mb Controller 1756-L62 ControlLogix 4 Mb Controller 1756-L63 ControlLogix 8 Mb Controller 1756-L71 ControlLogix 2 MB Controller 1756-UM001 1756-L72...
  • Page 103 FLEX I/O 10 Input/6 Output Module 1794-IN083; 1794-IB10XOB6XT FLEX I/O-XT 10 Input/6 Output Combo Module 1794-IN124; 1794-OB16 FLEX I/O 16 Source Output Module 1794-IN094; 1794-OB16P FLEX I/O 16 Protected Output Module 1794-IN094
  • Page 104 Appendix B SIL 2-certified ControlLogix System Components Table 9 - FLEX I/O Components For Use in the SIL 2 System Cat. No. Description Related Documentation 1794-OB16PXT FLEX I/O-XT 16 Protected Output Module 1794-IN124 1794-OB8EP FLEX I/O 8 Protected Output Module 1794-IN094 1794-OB8EPXT FLEX I/O-XT 8 Protected Output Module...
  • Page 105 (1) Certain catalog numbers have a K suffix. This indicates a conformally coated version of the product. These K versions have the same SIL2 certification as the non-K versions. (2) These publications are available from Rockwell Automation by visiting http://literature.rockwellautomation.com.
  • Page 107: About Probability Of Failure On Demand (Pfd) Calculations

    The PFD values in this manual are calculated with formulas explained in IEC 61508, Part 6, Annex B. Refer to IEC 61508, Part 6, for more information about calculating PFD values for your system.
  • Page 108: Determine Which Pfd Values To Use

    Appendix C PFD Calculations for a SIL 2 System Determine Which PFD Values To Use IMPORTANT: You are responsible for determining which PFD values provided are appropriate for your SIL 2-certified system. Determine which values to use based on the modules used in your system and the system configuration. Each of the PFD calculated values provided in this manual is based on the configuration that the module can be used in, that is 1oo1 or 1oo2.
  • Page 109 1756-IF16H ControlLogix HART analog input module 442,914 2.258E-06 — 1.44312E-07; 1756-IF6CIS ControlLogix isolated sourcing analog input module 2,654,080 3.768E-07 — 1.39912E-07; 1756-IF6I ControlLogix isolated analog input module 4,176,185 2.395E-07 — 1.39626E-07
  • Page 110 Appendix C PFD Calculations for a SIL 2 System Table 10 - PFD Calculations - 1-year for ControlLogix Component Calculated PFD 61508 Mean Time Between (10) λ (1) (2) Cat. No. Description 1oo1 1oo2 (2010) Failure (MTBF) Architecture Architecture 1756-IH16ISOE ControlLogix sequence of events module 2,150,720 4.650E-07...
  • Page 111 (8) Calculations for the redundant power supply are completed with the presumption that both power supplies fail simultaneously. (9) MTBF measured in hours. The values used here represent values available in January 2012. (10) λ = Failure Rate = 1/MTBF.
  • Page 112: 2-Year Pfd Calculations

    Appendix C PFD Calculations for a SIL 2 System 2-Year PFD Calculations The PFD calculations in Table 11 are calculated for a 2-year proof test interval and are specific to ControlLogix system components. Table 11 - PFD Calculations - 2-year for ControlLogix Component Calculated PFD 61508 Mean Time Between...
  • Page 113 7.133E-08 — 1.4727E-07; 1756-OX8I ControlLogix contact output module 60,59,635 1.650E-07 — 1.4765E-07; 1756-OW16I ControlLogix isolated relay output module 13,695,899 7.301E-08 — 1.47277E-07; 1756-OF8 ControlLogix analog output module 10,629,795 9.408E-08 — 1.47362E-07
  • Page 114 Appendix C PFD Calculations for a SIL 2 System Table 11 - PFD Calculations - 2-year for ControlLogix Component Calculated PFD 61508 Mean Time Between (10) λ (1) (2) Cat. No. Description 1oo1 1oo2 (2010) Failure (MTBF) Architecture Architecture 1756-OF6CI ControlLogix isolated analog output module 8,354,667 1.197E-07...
  • Page 115: 5-Year Pfd Calculations

    6.379E-08 6.9886E-05 —; 1756-PB75R ControlLogix DC redundant power supply 1,736,020 5.760E-07 6.3104E-04 —; 1756-PAXT ControlLogix-XT AC power supply 18,693,044 5.350E-08 4.0122E-08 —; 1756-PBXT/B ControlLogix-XT DC power supply 1,855,360 5.390E-07 5.9045E-04 —
  • Page 116 Appendix C PFD Calculations for a SIL 2 System Table 12 - PFD Calculations - 5-year for ControlLogix Component Calculated PFD: 61508 Mean Time Between (10) λ (1) (2) Cat. No. Description 1oo1 1oo2 (2010) Failure (MTBF) Architecture Architecture 1756-PC75/B ControlLogix DC power supply 5,894,836 1.696E-07...
  • Page 117 — 1.71740E-07; 1794-AENT/B FLEX I/O EtherNet/IP adapter 1,779,827 5.6185E-07 — 1.76321E-07; 1794-AENTR FLEX I/O EtherNet/IP redundant adapter 1,268,070 7.886E-07 — 1.78776E-07; 1794-AENTRXT FLEX I/O-XT EtherNet/IP redundant adapter 1,268,070 7.886E-07 — 1.78776E-07
  • Page 118 Appendix C PFD Calculations for a SIL 2 System Table 12 - PFD Calculations - 5-year for ControlLogix Component Calculated PFD: 61508 Mean Time Between (10) λ (1) (2) Cat. No. Description 1oo1 1oo2 (2010) Failure (MTBF) Architecture Architecture 1794-IB16 FLEX I/O 16 sink input module 179,506,158 5.57084E-09...
  • Page 119: Using Component Values To Calculate System Pfd

    ControlLogix 2 MB controller 1,000,053 2.1949E-04; 1756-OB16D DC output module 8,884,374 1.39367E-07; 1756-IB16D DC diagnostic input module 30,228,640 1.39206E-07. Total PFD calculation for a safety loop consisting of these products: 2.2946E-04
  • Page 121: Checklist For The Controllogix System

    Have you taken into consideration the checklists for using SIL inputs and outputs listed on pages and 124. (1) For more information on the specific tasks in this checklist, see the previous sections in the chapter or Chapter SIL Policy on page
  • Page 122: Checklist For Sil Inputs

    Appendix D Checklists Checklist for SIL Inputs The following checklist is required for planning, programming and start up of SIL inputs. It may be used as a planning guide as well as during proof testing. If used as a planning guide, the checklist can be saved as a record of the plan. For programming or start-up, an individual checklist can be filled in for every single SIL input channel in a system.
  • Page 123 When wiring thermocouple modules in parallel, have you wired to the same channel on each module as shown in Figure 24 on page When wiring two RTD modules, are two sensors used, as shown in Figure 25 on page
  • Page 124: Checklist For Sil Outputs

    Appendix D Checklists Checklist for SIL Outputs The following checklist is required for planning, programming and start up of SIL outputs. It may be used as a planning guide as well as during proof testing. If used as a planning guide, the checklist can be saved as a record of the plan. For programming or start-up, an individual requirement checklist must be filled in for every single SIL output channel in a system.
  • Page 125: Checklist For The Creation Of An Application Program

    Was all force information reset before safety operation? Has it been verified that the system is operating properly? Have the appropriate security routines and functions been installed? Is the controller keyswitch in Run mode and the key removed?
  • Page 134 Rockwell Automation Support Rockwell Automation provides technical information on the Web to assist you in using its products. At http://www.rockwellautomation.com/support/, you can find technical manuals, a knowledge base of FAQs, technical and application notes, sample code and links to software service packs, and a MySupport feature that you can customize to make the best use of these tools.

This manual is also suitable for:

1756-l6 series
