Rockwell Automation 1756 GuardLogix Safety, 1769 GuardLogix Safety, 5069 Compact GuardLogix Safety Application Instruction Set
GuardLogix Safety
Application Instruction Set
1756 GuardLogix Safety, 1769 GuardLogix Safety, 5069
Compact GuardLogix Safety
Publication 1756-RM095K-EN-P
Reference Manual |
Original Instructions |
GuardLogix Safety Application Instruction Set
Important User Information
Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT Identifies information that is critical for successful application and understanding of the product.
Labels may also be on or inside the equipment to provide specific precautions.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).
2 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
Summary of changes
This manual includes new and updated information. Use these reference tables to locate changed information.
Global changes
The Legal noticeshave been updated.
New or enhanced features
This table contains a list of topics changed in this version, the reason for the change, and a link to the topic that contains the changed information.
Topic Name |
Reason |
|
|
Dual Channel Input Stop with Test (DCST) |
In the Fault Codes and Corrective Actions table, updated |
|
Fault Code numbers 16#4001 16385, 16#4002 16386, and |
|
16#4003 16387. |
|
In the Diagnostic Code and Corrective Actions table, |
|
updated Diagnostic Code numbers 16#4000 16384 and |
|
16#4001 16385. |
|
|
Dual-channel Input Start (DCSRT) |
In the Fault Codes and Corrective Actions table, updated |
|
Fault Code numbers 16#4000 16384, 16#4001 16385, |
|
16#4002 16386, and 16#4003 16387. |
|
In the Diagnostic Code and Corrective Actions table |
|
updated Diagnostic Code numbers 16#4000 16384. |
Dual Channel Input Stop with Test and Lock |
In the programming diagram, updated Note 1 to correct |
(DCSTL) wiring and programming example |
the parenthetical reference to the falling edge of the |
|
Test Request input, changing it from (0->1) to (1->0). |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
3 |
Table of Contents
Summary of changes Preface
Safety Instructions
GuardLogix Controller Operation ............................................................. |
9 |
Certified Instructions................................................................................. |
9 |
Terminology ............................................................................................... |
11 |
Additional resources .................................................................................. |
11 |
Legal Notices............................................................................................... |
12 |
Chapter 1 |
|
Safety Instructions .................................................................................... |
15 |
Status and Safety input and output for dual channel safety |
|
instructions .......................................................................................... |
21 |
Dual-channel Input Start (DCSRT) .................................................... |
23 |
Dual-channel Input Start (DCSRT) wiring and programming |
|
example................................................................................................ |
30 |
Dual Channel Input Monitor (DCM).................................................. |
34 |
Dual Channel Input Monitor (DCM) wiring and programming |
|
example................................................................................................. |
41 |
Dual Channel Input Stop (DCS).......................................................... |
45 |
Dual Channel Input Stop (DCS) wiring and programming example |
|
............................................................................................................... |
57 |
Dual Channel Input Stop with Test (DCST)...................................... |
60 |
Dual Channel Input Stop with Test (DCST) wiring and |
|
programming example ........................................................................ |
67 |
Dual Channel Input Stop with Test and Lock (DCSTL) ................... |
72 |
Dual Channel Input Stop with Test and Lock (DCSTL) wiring and |
|
programming example ....................................................................... |
84 |
Dual-Channel Input Stop with Test and Mute (DCSTM) ................ |
89 |
Dual-channel Input Stop with Test and Mute (DCSTM) wiring and |
|
programming example ..................................................................... |
100 |
Dual Channel Analog Input (DCA - integer version) and (DCAF - |
|
floating point version) ....................................................................... |
106 |
Dual Channel Analog Input (DCA - integer version) and (DCAF - |
|
floating point version) wiring and programming example............ |
118 |
Safety Mat (SMAT) ............................................................................. |
123 |
Safety Mat (SMAT) wiring and programming example ................. |
132 |
Two Hand Run Station Enhanced (THRSe)..................................... |
136 |
Two Hand Run Station Enhanced (THRSe) wiring and |
|
programming example ...................................................................... |
148 |
Configurable Redundant Output (CROUT) ..................................... |
153 |
Configurable Redundant Output (CROUT) wiring and |
|
programming example ...................................................................... |
160 |
Two Sensor Asymmetrical Muting (TSAM) ..................................... |
165 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
5 |
Table of Contents
Metal Form Instructions
Drive Safety
Two Sensor Asymmetrical Muting (TSAM) wiring and |
|
programming example ...................................................................... |
180 |
Two-sensor Symmetrical Muting (TSSM)........................................ |
186 |
Two Sensor Symmetrical Muting (TSSM) wiring and programming |
|
example............................................................................................... |
201 |
Four Sensor Bi-Directional Muting (FSBM) ................................... |
206 |
Four Sensor Bi-Directional Muting (FSBM) wiring and |
|
programming example ...................................................................... |
233 |
Chapter 2 |
|
Metal Form Instructions ......................................................................... |
239 |
Clutch Brake Inch Mode (CBIM) ..................................................... |
240 |
Clutch Brake Single Stroke Mode (CBSSM).................................... |
249 |
Clutch Brake Continuous Mode (CBCM) ........................................ |
260 |
Crankshaft Position Monitor (CPM) ............................................... |
278 |
CamShaft Monitor (CSM) ................................................................ |
288 |
Eight Position Mode Selector (EPMS)............................................. |
302 |
Eight Position Mode Selector (EPMS) wiring and programming |
|
example.............................................................................................. |
308 |
Clutch Brake Wiring and Programming Example .......................... |
313 |
Auxiliary Valve Control (AVC)........................................................... |
321 |
Auxiliary Valve Control (AVC) wiring and programming example |
|
............................................................................................................. |
330 |
Main Valve Control (MVC) ................................................................ |
335 |
Maintenance Valve Control (MVC) wiring and programming |
|
example............................................................................................... |
342 |
Maintenance Manual Valve Control (MMVC) ................................. |
346 |
Maintenance Manual Valve Control (MMVC) wiring and |
|
programming example ...................................................................... |
355 |
Chapter 3 |
|
Drive Safety Instructions ........................................................................ |
361 |
Safe Brake Control (SBC) .................................................................. |
361 |
Safe Direction (SDI)........................................................................... |
376 |
Safe Operating Stop (SOS) ................................................................ |
384 |
Safe Stop 1 (SS1).................................................................................. |
395 |
Safe Stop 2 (SS2)................................................................................ |
407 |
Safely-Limited Position (SLP) .......................................................... |
422 |
Safely-Limited Speed (SLS) ............................................................... |
432 |
Safety Feedback Interface (SFX)....................................................... |
441 |
6 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
Table of Contents
RSLogix 5000 Software, Version
14 and Later, Safety Application
Instructions
Chapter 4 |
|
Diverse Input (DIN)................................................................................. |
453 |
Redundant Input (RIN)........................................................................... |
461 |
Emergency Stop (ESTOP) ...................................................................... |
470 |
Enable Pendant (ENPEN) ....................................................................... |
478 |
Light Curtain (LC) ................................................................................... |
486 |
Five Position Mode Selector (FPMS)...................................................... |
500 |
Redundant Output (ROUT) .................................................................... |
506 |
Two Hand Run Station (THRS)............................................................... |
515 |
Execution Times for Safety Application Instructions ........................... |
526 |
Common Attributes for Safety Instructions
Chapter 5 |
|
Common Attributes................................................................................. |
529 |
Math Status Flags..................................................................................... |
529 |
Data Conversions..................................................................................... |
531 |
Elementary data types.............................................................................. |
534 |
Floating Point Values ............................................................................... |
537 |
Immediate values ..................................................................................... |
539 |
Index Through Arrays ............................................................................. |
540 |
Bit Addressing .......................................................................................... |
541 |
Index
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
7 |
Preface
GuardLogix Controller
Operation
Certified Instructions
This reference manual is intended to describe the Rockwell Automation GuardLogix Safety Application Instruction Set, which is type-approved and certified for safety-related function in applications up to and including Safety Integrity Level (SIL) 3 according to IEC61508, and Performance Level, PLe (Cat.4), according to ISO13849-1.
The timing diagrams that are presented in the manual are for illustrative purposes only. The actual response times are determined by the performance characteristics of your application.
Use this manual if you are responsible for designing, programming, or troubleshooting safety applications that use GuardLogix controllers.
You must have a basic understanding of electrical circuitry and familiarity with relay ladder logic. You must also be trained and experienced in the creation, operation, programming and maintenance of safety systems.
The term Logix5000 controller refers to any controller that is based on the Logix5000 operating system.
The GuardLogix safety controllers are part of a de-energize to trip system, which means that all of its outputs are set to zero when a fault is detected.
The table below lists the instructions that are certified for use in GuardLogix systems. For the latest information, see our safety certificates and revision release lists at http://www.rockwellautomation.com/global/certification/safety.page?
Studio 5000 Logix Designer®Software Version 31 and Later Drive Safety Instructions
Instruction |
Instruction Name |
Certification |
Abbreviation |
|
|
SBC |
Safe Brake Control |
TÜV |
SDI |
Safe Direction |
TÜV |
SFX |
Safely Feedback Interface |
TÜV |
SLP |
Safely-Limited Position |
TÜV |
SLS |
Safely-Limited Speed |
TÜV |
SOS |
Safe Operating Stop |
TÜV |
SS1 |
Safe Stop 1 |
TÜV |
SS2 |
Safe Stop 2 |
TÜV |
RSLogix 5000 Software Version 17 and Later Metal Form and Safety Instructions.
|
Instruction |
Instruction Name |
Certification |
|
|
Abbreviation |
|
|
|
|
AVC |
Auxiliary Valve Control |
TÜV |
|
|
|
|
|
|
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
9 |
|||
Preface
Instruction |
Instruction Name |
Certification |
Abbreviation |
|
|
CBCM |
Clutch Brake Continuous Mode |
DGÜV1 |
|
|
TÜV |
CBIM |
Clutch Brake Inch Mode |
DGÜV1 |
|
|
TÜV |
|
|
|
CBSSM |
Clutch Brake Inch Mode |
DGÜV1 |
|
|
TÜV |
CPM |
Crankshaft Position Monitor |
DGÜV1 |
|
|
TÜV |
CROUT |
Configurable Redundant Output |
DGÜV1 |
|
|
TÜV |
CSM |
Configurable Redundant Output |
DGÜV1 |
|
|
TÜV |
DCM |
Dual Channel Input Monitor |
DGÜV1 |
|
|
TÜV |
DCS |
Dual Channel Input Stop |
DGÜV1 |
|
|
TÜV |
DCSRT |
Dual Channel Input Start |
DGÜV1 |
|
|
TÜV |
DCST |
Dual Channel Input Stop with Test |
DGÜV1 |
|
|
TÜV |
DCSTL |
Dual Channel Input Stop with Test |
DGÜV1 |
|
|
TÜV |
DCSTM |
Dual Channel Input Stop with Test |
TÜV |
DCA |
Dual Channel Input Stop with Test |
TÜV |
|
|
|
DCAF |
Dual Channel Analog Input - |
TÜV |
|
floating point version |
|
EPMS |
Eight Position Mode Selector |
DGÜV1 |
|
|
TÜV |
FSBM |
Four Sensor Bidirectional Muting |
TÜV |
MMVC |
Four Sensor Bidirectional Muting |
DGÜV1 |
|
|
TÜV |
MVC |
Four Sensor Bidirectional Muting |
DGÜV1 |
|
|
TÜV |
SMAT |
Four Sensor Bidirectional Muting |
TÜV |
THRSe |
Four Sensor Bidirectional Muting |
DGÜV1 |
|
|
TÜV |
TSAM |
Four Sensor Bidirectional Muting |
TÜV |
|
|
|
TSSM |
Four Sensor Bidirectional Muting |
TÜV |
1 At the time of publication, these instructions are not DGUV-certified for use with Compact GuardLogix 5370 controllers, and are certified only for firmware versions 17...21 for GuardLogix and 1768 Compact GuardLogix controllers.
10 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
Preface
Terminology
Additional resources
RSLogix 5000 Software Version 14 and Later Metal Form and General Instructions.
Instruction |
Instruction Name |
Certification |
Abbreviation |
|
|
DIN |
Diverse Input |
TÜV |
|
|
|
ENPEN |
Enable Pendant |
TÜV |
|
|
|
ESTOP |
Emergency Stop |
TÜV |
FPMS |
Five-position Mode Selector |
TÜV |
LC |
Light Curtain |
TÜV |
RIN |
Redundant Input |
TÜV |
ROUT |
Redundant Output |
TÜV |
THRS |
Two-hand Run Station |
TÜV |
In this manual, ‘programming software’ refers to both the Studio 5000 Logix Designer application and RSLogix 5000 software. The following table defines abbreviations that are used in this manual .
Abbreviation |
Description |
|
|
AOPD |
Active Opto-electronic Protective Device |
BCAM |
Brake Cam |
BDDC |
Bottom Dead Center |
|
|
CVT |
Circuit Verification Test |
DCAM |
Dynamic Cam |
ESPE |
Electro-sensitive Protective Equipment |
TCAM |
Takeover Cam |
These documents contain additional information concerning related Rockwell Automation products.
Resource |
Description |
|
|
GuardLogix® 5570 Controllers User Manual, |
Provides information on how to install, configure, |
publication 1756-UM022. |
and program the GuardLogix 5570 controllers in the |
|
Logix Designer application. |
GuardLogix 5570 Controllers Reference Manual, |
Contains detailed requirements for how to achieve |
publication 1756-RM099. |
and maintain SIL 3 with the GuardLogix 5570 |
|
controller system in a Logix Designer application. |
GuardLogix 5570 Controllers User Manual, |
Provides information on how to install, configure, |
publication 1756-UM020. |
and program the GuardLogix 5560 controllers in |
|
RSLogix 5000 software. |
GuardLogix Controller Systems Safety Reference |
Contains detailed requirements for how to achieve |
Manual, publication 1756-RM093. |
and maintain SIL 3 with the GuardLogix 5560 |
|
controller and the 1768 Compact GuardLogix® |
|
system in RSLogix 5000 software. |
CompactLogix™ Controllers Installation Instructions, |
Provides information on how to install 1768 Compact |
publication 1768-IN004. |
GuardLogix controllers. |
1768 Compact GuardLogix Controllers User Manual, |
Provides information on how to configure and |
publication 1768-UM002. |
program the 1768 Compact GuardLogix controller. |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
11 |
Preface
Legal Notices
Resource |
Description |
|
|
CompactBlock, Guard I/O, DeviceNet Safety Module |
Provides information on how to install |
Installation Instructions, publication 1791DS-IN002. |
CompactBlock Guard I/O™ DeviceNet Safety |
|
modules. |
Guard I/O DeviceNet Safety Modules User Manual, |
Provides information on using Guard I/O DeviceNet |
publication 1791DS-UM001. |
Safety Modules. |
Guard I/O EtherNet/IP Safety Modules Installation |
Provides information on how to install |
Instructions, publication |
CompactBlock Guard I/O EtherNet/IP Safety |
1791ES-IN001. |
modules. |
Guard I/O EtherNet/IP Safety Modules User Manual, |
Provides information on using Guard I/O Safety |
publication 1791ES-UM001. |
modules. |
POINT Guard I/O Safety Modules User Manual, |
Provides information on using POINT Guard I/O |
publication 1734-UM013. |
Safety modules |
Using ControlLogix® in SIL2 Applications Safety |
Describes requirements for using ControlLogix |
Reference Manual, publication |
controllers, and GuardLogix standard tasks, in SIL2 |
1756-RM001. |
safety control applications. |
Logix Controllers Instructions Reference Manual, |
Provides information on the Logix5000™ instruction |
publication 1756-RM009. |
set that includes general, motion, and process |
|
instructions. |
Logix Common Procedures Programming Manual, |
Provides information on programming Logix5000 |
publication 1756-PM001. |
controllers, including how to manage project files, |
|
organize tags, program and test routines, and |
|
handle faults. |
|
|
ControlLogix System User Manual, publication 1756- |
Provides information on using ControlLogix in |
UM001. |
nonsafety applications. |
DeviceNet™ Modules in Logix5000 Control Systems |
Provides information on using the 1756-DNB module |
User Manual, publication |
in a Logix5000 control system |
DNET-UM004. |
|
EtherNet/IP™ Modules in Logix5000 Control Systems |
Provides information on using the 1756-ENBT |
User Manual, publication |
module in a Logix5000 control system. |
ENET-UM001. |
|
ControlNet™ Modules in Logix5000 Control Systems |
Provides information on using the 1756-CNB module |
User Manual, publication |
in Logix5000 control systems. |
CNET-UM001. |
|
Logix5000 Controllers Execution Time and Memory |
Provides information on how to estimate the |
Use Reference Manual, publication 1756-RM087. |
execution time and memory use for instructions. |
Logix Import Export Reference Manual, publication |
Provides information on using RSLogix 5000 |
1756-RM084. |
Import/Export utility |
Product Certifications website, |
Provides declarations of conformity, certificates, |
http://ab.rockwellautomation.com. |
and other certification details. |
You can view or download publications at http://www.rockwellautomation.com/literature. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.
Rockwell Automation publishes legal notices, such as privacy policies, license agreements, trademark disclosures, and other terms and conditions on the Legal Notices page of the Rockwell Automation website.
12 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
Preface
End User License Agreement (EULA)
You can view the Rockwell Automation End-User License Agreement ("EULA") by opening the License.rtf file located in your product's install folder on your hard drive.
Open Source Licenses
The software included in this product contains copyrighted software that is licensed under one or more open source licenses. Copies of those licenses are included with the software. Corresponding Source code for open source packages included in this product are located at their respective web site(s).
Alternately, obtain complete Corresponding Source code by contacting Rockwell Automation via the Contact form on the Rockwell Automation website: http://www.rockwellautomation.com/global/aboutus/contact/contact.page
Please include "Open Source" as part of the request text.
A full list of all open source software used in this product and their corresponding licenses can be found in the OPENSOURCE folder. The default
installed location of these licenses is C:\Program Files (x86)\Common Files\Rockwell\Help\FactoryTalk Services Platform\Release
Notes\OPENSOURCE\index.htm.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
13 |
Chapter 1
Safety Instructions
Safety Instructions
In the controller organizer, you can recognize safety programs by the red bar 
that is incorporated into the icons. The red bar indicates the program will
execute in safety memory.
The buttons for instructions that function as part of a safety program, or are
supported by a safety program, have a red triangle 
in the right corner of each button.
Available Instructions
Ladder Diagram
FSBM |
TSAM |
TSSM |
FPMS |
ESTOP |
ROUT |
RIN |
ENPEN |
|
|
|
|
|
|
|
|
DIN |
LC |
THRS |
DCS |
DCST |
DCSTL |
DCSTM |
DCSRT |
|
|
|
|
|
|
|
|
DCM |
SMAT |
THRSe |
CROUT |
DCA |
|
|
|
Function Block
Not available
Structured Text
Not available
Safety application instructions are intended for use within a safety system that has a controller and I/O modules. These instructions are intended for Safety Integrity Level (SIL) 3, PLe/Category (CAT) 4 applications.
|
If you want to |
Use this instruction |
|
|
Provide an interface from a programmable controller to a three-to- |
FPMS |
|
|
five position selector switch used in SIL3/CAT4 safety applications. |
|
|
|
Emulate the input functionality of a safety relay in a software |
ESTOP |
|
|
programmable environment which is intended for use in SIL3/CAT4 |
|
|
|
safety applications. |
|
|
|
Emulate the output functionality of a safety relay in a software |
ROUT |
|
|
programmable environment which is intended for use in SIL3/CAT4 |
|
|
|
safety applications. |
|
|
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
15 |
||
Chapter 1 |
Safety Instructions |
|
|
|
|
|
|
|
|
|
|
If you want to |
Use this instruction |
|
|
|
Emulate the input functionality of a safety relay in a software |
RIN |
|
|
|
programmable environment that is intended for use in SIL3/CAT4 |
|
|
|
|
safety applications. |
|
|
|
|
Emulate the input functionality of a safety relay in a software |
ENPEN |
|
|
|
programmable environment that is intended for use in SIL3/CAT4 |
|
|
|
|
safety applications. |
|
|
|
|
Emulate the input functionality of a safety relay in a software |
DIN |
|
|
|
programmable environment that is intended for use in SIL3/CAT4 |
|
|
|
|
safety applications. |
|
|
|
|
Provide a manual and an automatic circuit reset interface from a |
LC |
|
|
|
programmable controller to a light curtain used in SIL3/CAT4 |
|
|
|
|
safety applications. |
|
|
|
|
Provide a method to incorporate two diverse input buttons used as |
THRS |
|
|
|
a single operation start button into a software programmable |
|
|
|
|
environment that is intended for use in SIL3/CAT4 safety |
|
|
|
|
applications. |
|
|
|
|
Monitor dual-input safety devices whose main purpose is to |
DCS |
|
|
|
provide a stop function, such as an E-stop, light curtain, or gate |
|
|
|
|
switch. |
|
|
|
|
Monitor dual-input safety devices whose main purpose is to |
DCST |
|
|
|
provide a stop function, such as an E-stop, light curtain, or gate |
|
|
|
|
switch. It includes the added capability of initiating a functional |
|
|
|
|
test of the stop device. |
|
|
|
|
Monitors dual-input safety devices whose main purpose is to stop |
DCSTL |
|
|
|
a function, such as an E-stop, light curtain, or gate switch. It |
|
|
|
|
includes the added capability of initiating a functional test of the |
|
|
|
|
stop device and can monitor a feedback signal from a safety |
|
|
|
|
device and issue a lock request to a safety device. |
|
|
|
|
Monitor dual-input safety devices whose main purpose is to |
DCSTM |
|
|
|
provide a stop function, such as an E-stop, light curtain, or gate |
|
|
|
|
switch. It includes the added capability of initiating a functional |
|
|
|
|
test of the stop device and the ability to mute the safety device. |
|
|
|
|
Energize dual-input safety devices whose main function is to start |
DCSRT |
|
|
|
a machine safely, for example an enable pendant. |
|
|
|
|
Monitor dual-input safety devices. |
DCM |
|
|
|
Indicate whether or not the safety mat is occupied. |
SMAT |
|
|
|
Provide temporary, automatic disabling of the protective function |
TSAM |
|
|
|
of a light curtain, using two muting sensors arranged |
|
|
|
|
asymmetrically. |
|
|
|
|
Provide temporary, automatic disabling of the protective function |
TSSM |
|
|
|
of a light curtain, using two muting sensors arranged |
|
|
|
|
symmetrically. |
|
|
|
|
Provide temporary, automatic disabling of the protective function |
FSBM |
|
|
|
of a light curtain, using four sensors arranged sequentially before |
|
|
|
|
and after the light curtain’s sensing field. |
|
|
|
|
Monitor two diverse safety inputs, one from a right-hand push |
THRSe |
|
|
|
button and one from a left-hand push button, to control a single |
|
|
|
|
output. |
|
|
|
|
Control and monitor redundant outputs. |
CROUT |
|
|
|
Monitor two analog input channels originating from an analog input |
DCA |
|
|
|
module. (Integer version) |
|
|
|
|
Monitor two analog input channels originating from an analog input |
DCAF |
|
|
|
module. (Floating Point version) |
|
|
16 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
|
|
|
Chapter 1 |
Safety Instructions |
The Safety controller is part of a De-Energize to Trip system. This means that all of its outputs are set to zero when a fault is detected.
IMPORTANT The following sections are only applicable to these instructions:
•ESTOP
•RIN
•DIN
•ENPEN
•THRS
•LC
•ROUT
•FPMS
De-energize to Trip System
In addition, the Safety controller automatically sets any input values associated with faulty input modules to zero. As a result, any inputs being monitored by one of the diverse input instructions (DIN or THRS) should have the normally closed input conditioned by logic as shown here:
The exact ladder logic depends on your specific system requirements, and the functionality of the Safety input module. The result, however, should be the same: to create a Safe state of one for the normally closed input of the diverse input instructions. This example logic actually overrides the input value in the input tag.
The normally closed input of the diverse input instruction should be placed in a Safe state whenever the connection to the input module is lost, or the normally closed input point is faulted.
The input value should remain intact to represent the actual state of the field device when there is a connection and the normally closed input point is not faulted.
Failure to implement this type of logic does not create an unsafe condition, but it does result in the instruction latching an Inputs Inconsistent fault, requiring a clear fault operation to be performed.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
17 |
Chapter 1 |
Safety Instructions |
||
|
|
System Dependencies |
|
|
|
The safety application instructions depend on the safety I/O modules, |
|
|
|
controller operating system, and the ladder logic to perform portions of the |
|
|
|
safety functions. |
|
|
|
Input and Output Line Conditioning |
|
|
|
Safety I/O modules provide pulse test and monitoring capabilities. If the |
|
|
|
module detects a failure, it sets the offending input or output to the Safe state |
|
|
|
and reports the failure to the controller. |
|
|
|
The failure indication is made via the input or output point status, and is |
|
|
|
maintained for a configurable amount of time, or until the failure is repaired, |
|
|
|
which ever comes last. |
|
|
|
|
|
|
|
IMPORTANT Ladder logic must be included in the application program to latch these I/O point |
|
|
|
failures and ensure proper restart behavior. |
|
|
|
|
|
|
|
For more information on Safety I/O modules, refer to the following: |
|
|
|
• DeviceNet Safety I/O User Manual, publication 1791DS-UM001 |
|
|
|
• Guard I/O EtherNet/IP Safety modules User Manual, publication |
|
|
|
1791ES-UM001 |
|
|
|
• POINT Guard I/O Safety Modules User Manual, publication 1734- |
|
|
|
UM013. |
|
|
|
I/O Module Connection Status |
|
|
|
A CIP SafetyTM system provides connection status for each I/O device in the |
|
|
|
safety system. If an input connection failure is detected, the operating system |
|
|
|
sets all associated inputs to the de-energized (Safe) state, and reports the |
|
|
|
failure to the ladder logic. If an output connection failure is detected, the |
|
|
|
operating system can only report the failure to the ladder logic. |
|
|
|
|
|
|
|
IMPORTANT Ladder logic must be included in the application program to latch these I/O point |
|
|
|
failures and ensure proper restart behavior. |
|
|
|
|
|
|
|
How to Latch and Reset Faulted I/O |
|
|
|
The following diagrams provide examples of the ladder logic required to latch |
|
|
|
and reset an I/O module connection or point failure. The first image shows |
|
|
|
the ladder logic for an input point, and the second shows the ladder logic for |
|
|
|
an output point. |
|
|
|
|
|
|
|
IMPORTANT Both of these diagrams are examples, and are for illustrative purposes only. The |
|
|
|
suitability of this logic depends upon your specific system requirements. |
|
|
|
|
|
18 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
||
Chapter 1 |
Safety Instructions |
The first rung latches an internal indication that either the module connection or the specific input point has failed.
The second rung resets the internal indication, but only if the fault has been repaired, and only on the rising edge of the Fault Reset signal. This prevents the safety function from automatically restarting if the Fault Reset signal gets stuck on.
The third rung shows the input point data used in combination with the internal fault indication to control an output.
The output is internal data that may be used in combinational logic later to drive an actual output. If an actual output is used directly, it may or may not require logic similar to that shown in Figure 1.3 for latching and resetting output connection failures.
The Fault Reset contact shown in these examples is typically activated as a result of operator action. The Fault Reset could be derived as a result of combinational logic or directly from an input point (in which case it may or may not require conditioning of its own).
The ladder logic in the output example has the same latch and reset concept as that shown in the input example.
The first rung latches an internal indication that either the module connection or the specific output point has failed.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
19 |
Chapter 1 |
Safety Instructions |
The second rung resets the internal indication, but only if the fault has been repaired, and only on the rising edge of the Fault Reset signal. This prevents the safety function from automatically restarting if the Fault Reset signal gets stuck on.
The third rung includes application-specific logic to drive the state of an output point. This logic is conditioned by the output faulted internal indicator.
False Rung State Behavior
The information provided in this manual regarding the GuardLogix Safety application instructions depicts the "True Rung State" (Ladder Diagram Logic) behavior of the instructions.
The "False Rung State" behavior is exactly the same (internal state machines continue to run and change states based on the inputs) except that all outputs, including prompts and fault indicators, are set to zero when the instructions are disabled or on a false rung.
I/O Point Mapping
Input
The following table identifies the mapping between the Safety I/O module’s
Input points and the controller tags when the Safety I/O module’s Input
Status module definition is configured for Point Status or Combined Status.
Note that moduleName is the name you assign to the I/O module.
|
|
Controller Tag Reference |
|
|
|
|
|
I/O Module Point |
Data |
Point Status |
Combined Status |
IN 0 |
moduleName:I.Pt00Data |
moduleName:I.Pt00InputStatus |
moduleName:I.InputStatus |
IN 1 |
moduleName:I.Pt01Data |
moduleName:I.Pt01InputStatus |
|
IN 2 |
moduleName:I.Pt02Data |
moduleName:I.Pt02InputStatus |
|
… |
… |
… |
|
IN n |
moduleName:I.PtnData |
moduleName:I.PtnInputStatus |
|
Output
The following table identifies the mapping between the Safety I/O module’s
Output points and the controller tags when the Safety I/O module’s Input
Status module definition is configured for Point Status or Combined Status.
Note that moduleName is the name you assign to the I/O module.
20 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
|
|
|
|
Chapter 1 |
Safety Instructions |
||
|
|
|
|
|
|
|
|
|
|
|
Controller Tag Reference |
|
|
|
|
|
|
|
|
|
|
|
|
|
I/O Module Point |
Data |
Point Status |
|
Combined Status |
|
|
|
OUT 0 |
moduleName:O.Pt00Data |
moduleName:I.Pt00OutputStatus |
|
moduleName:I.OutputStatus |
||
|
OUT 1 |
moduleName:O.Pt01Data |
moduleName:I.Pt01OutputStatus |
|
|
|
|
|
OUT 2 |
moduleName:O.Pt02Data |
moduleName:I.Pt02OutputStatus |
|
|
|
|
|
… |
… |
… |
|
|
|
|
|
OUT n |
moduleName:O.PtnData |
moduleName:I.PtnOutputStatus |
|
|
|
|
Status and Safety input and output for dual channel safety instructions
See also
Execution Times for Safety Application Instructions on page 526
The following I/O status information is relevant for all safety instructions.
Connection Status
Connection status (.ConnectionFaulted) is the status of the safety connection between the safety controller and safety I/O module. When the connection is operating properly, the bit is LO (0). When the connection is not operating properly, the bit is HI (1). When the connection status is not operating properly, all module defined tags are LO, and have invalid data.
Point Status
Point Status is available for safety inputs (.PtxxInputStatus) and safety outputs (.PtxxOutputStatus). When a point status tag is HI (1), it indicates that the individual channel is functioning and wired correctly. It also indicates the safety connection between the safety controller and the safety I/O module on which this channel resides is operating properly.
Combined Status
Combined Status is available for safety inputs (.CombinedInputStatus) and safety outputs (.CombinedOutputStatus). When the combined status tag is HI (1), it indicates that all input or output channels on the module are functioning and wired correctly. It also indicates that the safety connection between the safety controller and the safety I/O module on which these channels reside is operating properly.
Whether combined status or point status is used depends on the application. Point status provides more granular status.
The dual channel safety instructions have built-in safety I/O status monitoring. Input and Output statuses are parameters for the safety input and output instructions. All dual channel safety instructions have input status
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
21 |
Chapter 1 |
Safety Instructions |
for input channels A and B. The CROUT instruction has input status for Feedbacks 1 and 2, and output status for the output channels driven by the CROUT outputs O1 and O2. The status tags used in these instructions must be HI (1) for the safety instruction output tag(s) with O1 for input instructions and O1/O2 to energize the CROUT instruction.
IMPORTANT Interrogate Safety I/O status when using instructions such as XIC and OTE. Verify safety input channel status is HI (1) before using a safety input channel as an interlock. Verify safety output channel status is HI (1) before energizing a safety output channel.
22 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
Chapter 1 |
Safety Instructions |
Dual-channel Input Start (DCSRT)
See also
Safety Instructions on page 15
This instruction applies to the Compact GuardLogix 5370, GuardLogix 5570, Compact GuardLogix 5380, and GuardLogix 5580 controllers.
The Dual-channel Input Start instruction is for safety devices whose main function is to start a machine safely, for example, an enable pendant. This instruction energizes its output (O1) only if the Enable input is ON (1), and both safety inputs, Channel A and Channel B, transition to the active state within the Discrepancy Time.
Available Languages
Ladder Diagram
Function Block
This instruction is not available in function block.
Structured Text
This instruction is not available in structured text.
Operands
IMPORTANT Unexpected operation may occur if:
•Output tag operands are overwritten.
•Members of a structure operand are overwritten.
•Structure operands are shared by multiple instructions.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
23 |
Chapter 1 |
Safety Instructions |
IMPORTANT |
Make sure safety input points are configured as single, not Equivalent or |
|
Complementary. These instructions provide all dual channel functionality necessary |
|
for PLd (Cat. 3) or Ple (Cat. 4) safety functions. |
|
|
IMPORTANT |
If changing instruction operands while in Run mode, accept the pending edits and |
|
cycle the controller mode from Program to Run for the changes to take effect. |
|
|
ATTENTION: If changing instruction operands while in Run mode, accept the pending edits and cycle the controller mode from Program to Run for the changes to take effect.
The following table provides the operand used to configure the instruction.
This operand cannot be changed at runtime.
Operand |
Data Type |
Format |
Description |
DCSRT |
DCI_START |
Tag |
DCSRT structure |
Safety Function |
DINT |
list item |
This operand provides a text name for how this |
|
|
|
instruction is being used. Choices include enable |
|
|
|
pendant (20), start button (21), and user-defined |
|
|
|
(100). |
|
|
|
This operand does not affect instruction behavior. |
|
|
|
It is for information/documentation purposes only. |
|
|
|
|
Input Type |
DINT |
list item |
This operand selects input channel behavior. |
|
|
|
Equivalent - Active High (0): Inputs are in the |
|
|
|
active state when Channel A and Channel B inputs |
|
|
|
are 1. |
|
|
|
Complementary (2): Inputs are in the active state |
|
|
|
when Channel A is 1 and Channel B is 0. |
Discrepancy Time (ms) |
DINT |
immediate |
The amount of time that the inputs can be in an |
|
|
|
inconsistent state before an instruction fault is |
|
|
|
generated. The inconsistent state depends on the |
|
|
|
Input Type. |
|
|
|
Equivalent: Inconsistent state is when either is |
|
|
|
true: |
|
|
|
Channel A = 0 and Channel B =1 |
|
|
|
Channel A =1 and Channel B =0 |
|
|
|
Complementary: Inconsistent state is when either |
|
|
|
is true: |
|
|
|
Channel A = 0 and Channel B =0r |
|
|
|
Channel A =1 and Channel B =1 |
|
|
|
The valid range is 5...3000 ms. |
The following table explains instruction inputs. The inputs may be field device signals from input devices or derived from user logic.
24 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
|
|
|
|
Chapter 1 |
Safety Instructions |
|
|
|
|
|
|
|
|
|
Operand |
Data Type |
Format |
Description |
|
|
|
Enable |
BOOL |
tag |
This input enables or disables the instruction. |
|
|
|
|
|
|
ON (1): The instruction is enabled. Output 1 is energized when |
|
|
|
|
|
|
Channel A and Channel B transition to the active state within |
|
|
|
|
|
|
the Discrepancy Time. |
|
|
|
|
|
|
OFF (0): The instruction is disabled. Output 1 is not energized. |
|
|
|
Channel A1 |
BOOL |
tag |
This input is one of the two safety inputs to the instruction. |
|
|
|
Channel B1 |
BOOL |
tag |
This input is one of the two safety inputs to the instruction. |
|
|
|
Input Status |
BOOL |
immediate |
If instruction inputs are from a safety I/O module, this is the |
|
|
|
|
|
tag |
status from the I/O module (Connection Status or Combined |
|
|
|
|
|
|
Status). If instruction inputs are derived from internal logic, it |
|
|
|
|
|
|
is the application programmer’s responsibility to determine |
|
|
|
|
|
|
the conditions. |
|
|
|
|
|
|
ON (1): The inputs to this instruction are valid. |
|
|
|
|
|
|
OFF (0): The inputs to this instruction are invalid. |
|
|
|
Reset2 |
BOOL |
tag |
This input clears the instruction faults provided the fault |
|
|
|
|
|
|
condition is not present. |
|
|
|
|
|
|
OFF (0) -> ON (1): The FP (Fault Present) and Fault Code outputs |
|
|
|
|
|
|
are reset. |
|
|
1If the input is from a Guard I/O input module, make sure that the input is configured as single, not Equivalent or Complementary.
2ISO 13849-1 stipulates instruction reset functions must occur on falling edge signals. To comply with ISO 13849-1 requirements, add this logic immediately before this instruction. Rename the Reset_Signal tag in this example to the reset signal tag name. Then use the OSF instruction Output Bit tag as the reset source of the instruction.
The following table explains instruction outputs. The outputs can be used to drive external tags (safety output modules) or internal tags for use in other logic routines.
Operand |
Data Type |
Description |
Output 1 (01) |
BOOL |
This output is energized when the input conditions have been |
|
|
satisfied. |
|
|
The output becomes de-energized when: |
|
|
• Either Channel A or Channel B transitions to the safe state. |
|
|
• The Input Status input is OFF(0). |
|
|
• The Enable input turns OFF(0) |
|
|
|
Fault Present (FP) |
BOOL |
ON (1): A fault is present in the instruction. |
|
|
OFF (0): This instruction is operating normally. |
Fault Code |
DINT |
This output indicates the type of fault that occurred. See the |
|
|
Fault Codes section for a list of fault codes. This operand is |
|
|
not safety-related. |
Diagnostic Code |
DINT |
This output indicates the diagnostic status of the instruction. |
|
|
See the Diagnostic Codes section below for a list of diagnostic |
|
|
codes. This operand is not safety-related. |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
25 |
Chapter 1 |
Safety Instructions |
IMPORTANT Do not write to any instruction output tag under any circumstances.
Affects Math Status Flags
No
Major/Minor Faults
None specific to this instruction. See Index Through Arrays for arrayindexing faults.
Execution
Condition/State |
Action Taken |
|
|
Prescan |
Same as Rung-condition-in is false. |
Rung-condition-in is false |
The .O1 and .FP are cleared to false. |
Rung-condition-in is true |
The instruction executes as described in the Normal operation section. |
Postscan |
Same as Rung-condition-in is false. |
Operation
Normal
The timing diagram illustrates the normal operation for a start device, for example, an enable pendant. At (A), Output 1 is not energized because the Enable input is OFF (0). At (B), Output 1 is not energized because the transition of the Enable signal ON (1) can never enable Output 1. At (C), Output 1 is energized 50 ms after the safety inputs transition through the safe state and to the active state with the Enable input ON (1). At (D), Output 1 is de-energized when either one of the safety inputs transition to the safe state. At (E), Output 1 is energized 50 ms after the safety inputs return to the active state. At (F), Output 1 is de-energized because the Enable input has transitioned to OFF (0).
26 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
Chapter 1 |
Safety Instructions |
Normal (Equivalent Inputs)
This diagram demonstrates the same behavior as in the previous timing diagram except that the Input Type is Complementary.
Normal (Complementary Inputs)
Input Status Fault Operation
The timing diagram illustrates fault behavior when the Input Status becomes invalid. At (A), Output 1 is not energized because the Input Status has not become active for the first time. At (B), with the Input Status active, and after a 50 ms delay, Output 1 is energized because the safety inputs have transitioned through the safe state to the active state. At (C), the Input Status becomes invalid, which immediately de-energizes Output 1 and generates a fault. At (D), the fault cannot be reset because the Input Status is still inactive.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
27 |
Chapter 1 |
Safety Instructions |
At (E), the fault is reset because the Input Status is now active and a reset is triggered. At (F), Output 1 is active.
Discrepancy Fault Operation
The timing diagram illustrates a discrepancy fault occurring when Channel A and Channel B are in an inconsistent state for longer than the Discrepancy Time configuration operand. At (A), a fault is generated when the safety inputs are in an inconsistent state for longer than the Discrepancy Time, for example, 250 ms. At (B), the fault is cleared because both safety inputs are inactive and the reset went active. At (C), Output 1 is energized 50 ms after both safety inputs transition to the active state together within the Discrepancy Time. At (D), Output 1 is de-energized when Channel B transitions to the safe state. At (E), a fault is generated because the safety inputs are again in an inconsistent state for longer than the Discrepancy
28 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
Chapter 1 |
Safety Instructions |
Time. At (F), the fault is cleared, but Output 1 is not energized until both safety inputs transition to the active state together.
False Rung State Behavior
When the instruction is executed on a false rung, all instruction outputs are de-energized.
Fault Codes and Corrective Alarms
The fault codes are listed in hexadecimal format followed by decimal format.
Fault Code |
Description |
Corrective Action |
0 |
No fault. |
None. |
16#20 |
The Input Status input |
• Check the I/O module connection or |
32 |
transitioned from ON (1) to OFF |
the internal logic used to source |
|
(0) while the instruction was |
input status. |
|
executing. |
• Reset the fault. |
16#4000 |
Channel A and Channel B were in |
• Check the wiring. |
16384 |
an inconsistent state for longer |
• Perform a functional test of the |
|
than the Discrepancy Time. At |
device (put Channel A and Channel B |
|
the time of the fault, Channel A |
in a safe state). |
|
was in the active state. Channel |
• Reset the fault. |
|
B was in the safe state. |
|
16#4001 |
Channel A and Channel B were in |
|
16385 |
an inconsistent state for longer |
|
|
than the Discrepancy Time. At |
|
|
the time of the fault, Channel A |
|
|
was in the safe state. Channel B |
|
|
was in the active state. |
|
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
29 |
Chapter 1 |
Safety Instructions |
Dual-channel Input Start (DCSRT) wiring and programming example
Fault Code |
Description |
Corrective Action |
16#4002 |
Channel A went to the safe state |
|
16386 |
and back to the active state |
|
|
while Channel B remained active. |
|
16#4003 |
Channel B went to the safe state |
|
16387 |
and back to the active state |
|
|
while Channel A remained active. |
|
Diagnostic Codes and Corrective Actions
The fault codes are listed in hexadecimal format followed by decimal format.
Diagnostic Code |
Description |
Corrective Action |
0 |
No fault. |
None. |
16#20 |
The Input Status was OFF(0) |
Check the I/O module connection or the |
32 |
when the instruction started. |
internal logic used to source input |
|
|
status. |
16#4000 |
The device is not in a safe state |
Release the start device (put Channel A |
16384 |
at start-up. |
and Channel B in a safe state). |
16#4060 |
The device is not enabled. |
Enable the device (set Enable to 1). |
16480 |
|
|
See also
Dual-channel Input Start (DCSRT) wiring and programming example on page 30
Index Through Arrays on page 540
Status and Safety input and output for dual channel safety instructions on page 21
This topic demonstrates how to wire the Guard I/O module and program the instruction in the safety control portion of an application
This application example complies with ISO 13849-1, Category 4 operation.
Tip: The standard control portion of the application is not shown in the following diagram.
30 |
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 |
Loading...