Rockwell Automation 1756 GuardLogix Safety, 1769 GuardLogix Safety, 5069 Compact GuardLogix Safety Application Instruction Set
Reference Manual
Original Instructions
GuardLogix Safety Application Instruction Set
1756 GuardLogix Safety, 1769 GuardLogix Safety, 5069
Compact GuardLogix Safety
Publication 1756-RM095K-EN-P
GuardLogix Safety Application Instruction Set
personal injury or death, property damage, or economic loss.
IMPORTANT
for Personal Protective Equipment (PPE).
Important User Information
Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize
themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to
be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use
or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for
actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software
described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is
prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss.
Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
Identifies information that is critical for successful application and understanding of the product.
Labels may also be on or inside the equipment to provide specific precautions.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous
temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash
will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and
2 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
Topic Name
Reason
updated Diagnostic Code numbers 16#4000 16384.
Test Request input, changing it from (0->1) to (1->0).
Summary of changes
This manual includes new and updated information. Use these reference
tables to locate changed information.
Global changes
The Legal noticeshave been updated.
New or enhanced features
This table contains a list of topics changed in this version, the reason for the
change, and a link to the topic that contains the changed information.
Dual Channel Input Stop with Test (DCST) In the Fault Codes and Corrective Actions table, updated
Fault Code numbers 16#4001 16385, 16#4002 16386, and
16#4003 16387.
In the Diagnostic Code and Corrective Actions table,
updated Diagnostic Code numbers 16#4000 16384 and
16#4001 16385.
Dual-channel Input Start (DCSRT) In the Fault Codes and Corrective Actions table, updated
Fault Code numbers 16#4000 16384, 16#4001 16385,
16#4002 16386, and 16#4003 16387.
In the Diagnostic Code and Corrective Actions table
Dual Channel Input Stop with Test and Lock
(DCSTL) wiring and programming example
In the programming diagram, updated Note 1 to correct
the parenthetical reference to the falling edge of the
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 3
Summary of changes
Preface
Safety Instructions
Table of Contents
GuardLogix Controller Operation ............................................................. 9
Certified Instructions ................................................................................. 9
Terminology ............................................................................................... 11
Additional resources .................................................................................. 11
Legal Notices ............................................................................................... 12
Chapter 1
Safety Instructions .................................................................................... 15
Status and Safety input and output for dual channel safety
instructions .......................................................................................... 21
Dual-channel Input Start (DCSRT) ....................................................23
Dual-channel Input Start (DCSRT) wiring and programming
example ................................................................................................ 30
Dual Channel Input Monitor (DCM) .................................................. 34
Dual Channel Input Monitor (DCM) wiring and programming
example ................................................................................................. 41
Dual Channel Input Stop (DCS) .......................................................... 45
Dual Channel Input Stop (DCS) wiring and programming example
............................................................................................................... 57
Dual Channel Input Stop with Test (DCST) ...................................... 60
Dual Channel Input Stop with Test (DCST) wiring and
programming example ........................................................................ 67
Dual Channel Input Stop with Test and Lock (DCSTL) ................... 72
Dual Channel Input Stop with Test and Lock (DCSTL) wiring and
programming example ....................................................................... 84
Dual-Channel Input Stop with Test and Mute (DCSTM) ................ 89
Dual-channel Input Stop with Test and Mute (DCSTM) wiring and
programming example ..................................................................... 100
Dual Channel Analog Input (DCA - integer version) and (DCAF -
floating point version) ....................................................................... 106
Dual Channel Analog Input (DCA - integer version) and (DCAF -
floating point version) wiring and programming example ............ 118
Safety Mat (SMAT) ............................................................................. 123
Safety Mat (SMAT) wiring and programming example ................. 132
Two Hand Run Station Enhanced (THRSe) ..................................... 136
Two Hand Run Station Enhanced (THRSe) wiring and
programming example ...................................................................... 148
Configurable Redundant Output (CROUT) ..................................... 153
Configurable Redundant Output (CROUT) wiring and
programming example ...................................................................... 160
Two Sensor Asymmetrical Muting (TSAM) ..................................... 165
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 5
Table of Contents
Metal Form Instructions
Drive Safety
Two Sensor Asymmetrical Muting (TSAM) wiring and
programming example ......................................................................180
Two-sensor Symmetrical Muting (TSSM) ........................................ 186
Two Sensor Symmetrical Muting (TSSM) wiring and programming
example ............................................................................................... 201
Four Sensor Bi-Directional Muting (FSBM) ................................... 206
Four Sensor Bi-Directional Muting (FSBM) wiring and
programming example ...................................................................... 233
Chapter 2
Metal Form Instructions ......................................................................... 239
Clutch Brake Inch Mode (CBIM) ..................................................... 240
Clutch Brake Single Stroke Mode (CBSSM) .................................... 249
Clutch Brake Continuous Mode (CBCM) ........................................ 260
Crankshaft Position Monitor (CPM) ............................................... 278
CamShaft Monitor (CSM) ................................................................ 288
Eight Position Mode Selector (EPMS) ............................................. 302
Eight Position Mode Selector (EPMS) wiring and programming
example .............................................................................................. 308
Clutch Brake Wiring and Programming Example .......................... 313
Auxiliary Valve Control (AVC) ........................................................... 321
Auxiliary Valve Control (AVC) wiring and programming example
............................................................................................................. 330
Main Valve Control (MVC) ................................................................ 335
Maintenance Valve Control (MVC) wiring and programming
example ............................................................................................... 342
Maintenance Manual Valve Control (MMVC) ................................. 346
Maintenance Manual Valve Control (MMVC) wiring and
programming example ...................................................................... 355
6 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
Chapter 3
Drive Safety Instructions ........................................................................ 361
Safe Brake Control (SBC) .................................................................. 361
Safe Direction (SDI) ........................................................................... 376
Safe Operating Stop (SOS) ................................................................ 384
Safe Stop 1 (SS1) .................................................................................. 395
Safe Stop 2 (SS2) ................................................................................ 407
Safely-Limited Position (SLP) .......................................................... 422
Safely-Limited Speed (SLS) ............................................................... 432
Safety Feedback Interface (SFX) ....................................................... 441
RSLogix 5000 Software, Version
14 and Later, Safety Application
Common Attributes for Safety
Index
Instructions
Instructions
Table of Contents
Chapter 4
Diverse Input (DIN) ................................................................................. 453
Redundant Input (RIN) ........................................................................... 461
Emergency Stop (ESTOP) ...................................................................... 470
Enable Pendant (ENPEN) ....................................................................... 478
Light Curtain (LC) ................................................................................... 486
Five Position Mode Selector (FPMS) ...................................................... 500
Redundant Output (ROUT) .................................................................... 506
Two Hand Run Station (THRS) ............................................................... 515
Execution Times for Safety Application Instructions ........................... 526
Chapter 5
Common Attributes ................................................................................. 529
Math Status Flags ..................................................................................... 529
Data Conversions ..................................................................................... 531
Elementary data types .............................................................................. 534
Floating Point Values ............................................................................... 537
Immediate values ..................................................................................... 539
Index Through Arrays ............................................................................. 540
Bit Addressing .......................................................................................... 541
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 7
Instruction
Abbreviation
Instruction Name
Certification
SBC
Safe Brake Control
TÜV
SDI
Safe Direction
TÜV
SFX
Safely Feedback Interface
TÜV
SLP
Safely-Limited Position
TÜV
SLS
Safely-Limited Speed
TÜV
SS2
Safe Stop 2
TÜV
Instruction
Instruction Name
Certification
GuardLogix Controller
Certified Instructions
Preface
This reference manual is intended to describe the Rockwell Automation
GuardLogix Safety Application Instruction Set, which is type-approved and
certified for safety-related function in applications up to and including Safety
Integrity Level (SIL) 3 according to IEC61508, and Performance Level, PLe
(Cat.4), according to ISO13849-1.
The timing diagrams that are presented in the manual are for illustrative
purposes only. The actual response times are determined by the performance
characteristics of your application.
Use this manual if you are responsible for designing, programming, or
troubleshooting safety applications that use GuardLogix controllers.
You must have a basic understanding of electrical circuitry and familiarity
with relay ladder logic. You must also be trained and experienced in the
creation, operation, programming and maintenance of safety systems.
The term Logix5000 controller refers to any controller that is based on the
Logix5000 operating system.
Operation
The GuardLogix safety controllers are part of a de-energize to trip system,
which means that all of its outputs are set to zero when a fault is detected.
The table below lists the instructions that are certified for use in GuardLogix
systems. For the latest information, see our safety certificates and revision
release lists at
http://www.rockwellautomation.com/global/certification/safety.page?
Studio 5000 Logix Designer®Software Version 31 and Later Drive
Safety Instructions
SOS Safe Operating Stop TÜV
SS1 Safe Stop 1 TÜV
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 9
RSLogix 5000 Software Version 17 and Later Metal Form and Safety
Instructions.
Abbreviation
AVC Auxiliary Valve Control TÜV
Preface
Instruction
Instruction Name
Certification
TÜV
TÜV
TÜV
TÜV
TÜV
TÜV
DCSTM
Dual Channel Input Stop with Test
TÜV
floating point version
TÜV
FSBM
Four Sensor Bidirectional Muting
TÜV
TÜV
TÜV
SMAT
Four Sensor Bidirectional Muting
TÜV
TÜV
TSSM
Four Sensor Bidirectional Muting
TÜV
Abbreviation
CBCM Clutch Brake Continuous Mode DGÜV1
TÜV
CBIM Clutch Brake Inch Mode DGÜV1
TÜV
CBSSM Clutch Brake Inch Mode DGÜV1
TÜV
CPM Crankshaft Position Monitor DGÜV1
TÜV
CROUT Configurable Redundant Output DGÜV1
TÜV
CSM Configurable Redundant Output DGÜV1
DCM Dual Channel Input Monitor DGÜV1
DCS Dual Channel Input Stop DGÜV1
DCSRT Dual Channel Input Start DGÜV1
DCST Dual Channel Input Stop with Test DGÜV1
DCSTL Dual Channel Input Stop with Test DGÜV1
DCA Dual Channel Input Stop with Test TÜV
DCAF Dual Channel Analog Input -
TÜV
EPMS Eight Position Mode Selector DGÜV1
MMVC Four Sensor Bidirectional Muting DGÜV1
MVC Four Sensor Bidirectional Muting DGÜV1
THRSe Four Sensor Bidirectional Muting DGÜV1
TSAM Four Sensor Bidirectional Muting TÜV
10 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
1
At the time of publication, these instructions are not DGUV-certified for use
with Compact GuardLogix 5370 controllers, and are certified only for
firmware versions 17...21 for GuardLogix and 1768 Compact GuardLogix
controllers.
Instruction
Abbreviation
Instruction Name
Certification
ESTOP
Emergency Stop
TÜV
ROUT
Redundant Output
TÜV
THRS
Two-hand Run Station
TÜV
Abbreviation
Description
CVT
Circuit Verification Test
Resource
Description
Logix Designer application.
controller system in a Logix Designer application.
RSLogix 5000 software.
publication 1768-IN004.
GuardLogix controllers.
publication 1768-UM002.
program the 1768 Compact GuardLogix controller.
Terminology
Additional resources
Preface
RSLogix 5000 Software Version 14 and Later Metal Form and General
Instructions.
DIN Diverse Input TÜV
ENPEN Enable Pendant TÜV
FPMS Five-position Mode Selector TÜV
LC Light Curtain TÜV
RIN Redundant Input TÜV
In this manual, ‘programming software’ refers to both the Studio 5000 Logix
Designer application and RSLogix 5000 software. The following table defines
abbreviations that are used in this manual .
AOPD Active Opto-electronic Protective Device
BCAM Brake Cam
BDDC Bottom Dead Center
DCAM Dynamic Cam
ESPE Electro-sensitive Protective Equipment
TCAM Takeover Cam
These documents contain additional information concerning related
Rockwell Automation products.
GuardLogix® 5570 Controllers User Manual,
publication 1756-UM022.
GuardLogix 5570 Controllers Reference Manual,
publication 1756-RM099.
GuardLogix 5570 Controllers User Manual,
publication 1756-UM020.
Provides information on how to install, configure,
and program the GuardLogix 5570 controllers in the
Contains detailed requirements for how to achieve
and maintain SIL 3 with the GuardLogix 5570
Provides information on how to install, configure,
and program the GuardLogix 5560 controllers in
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 11
GuardLogix Controller Systems Safety Reference
Manual, publication 1756-RM093.
CompactLogix™ Controllers Installation Instructions,
1768 Compact GuardLogix Controllers User Manual,
Contains detailed requirements for how to achieve
and maintain SIL 3 with the GuardLogix 5560
controller and the 1768 Compact GuardLogix®
system in RSLogix 5000 software.
Provides information on how to install 1768 Compact
Provides information on how to configure and
Preface
Resource
Description
1791ES-IN001.
publication 1734-UM013.
Safety modules
1756-RM001.
instructions.
UM001.
nonsafety applications.
DNET-UM004.
Legal Notices
CompactBlock, Guard I/O, DeviceNet Safety Module
Installation Instructions, publication 1791DS-IN002.
Guard I/O DeviceNet Safety Modules User Manual,
publication 1791DS-UM001.
Guard I/O EtherNet/IP Safety Modules Installation
Instructions, publication
Guard I/O EtherNet/IP Safety Modules User Manual,
publication 1791ES-UM001.
POINT Guard I/O Safety Modules User Manual,
Using ControlLogix® in SIL2 Applications Safety
Reference Manual, publication
Logix Controllers Instructions Reference Manual,
publication 1756-RM009.
Logix Common Procedures Programming Manual,
publication 1756-PM001.
ControlLogix System User Manual, publication 1756-
Provides information on how to install
CompactBlock Guard I/O™ DeviceNet Safety
modules.
Provides information on using Guard I/O DeviceNet
Safety Modules.
Provides information on how to install
CompactBlock Guard I/O EtherNet/IP Safety
modules.
Provides information on using Guard I/O Safety
modules.
Provides information on using POINT Guard I/O
Describes requirements for using ControlLogix
controllers, and GuardLogix standard tasks, in SIL2
safety control applications.
Provides information on the Logix5000™ instruction
set that includes general, motion, and process
Provides information on programming Logix5000
controllers, including how to manage project files,
organize tags, program and test routines, and
handle faults.
Provides information on using ControlLogix in
DeviceNet™ Modules in Logix5000 Control Systems
User Manual, publication
EtherNet/IP™ Modules in Logix5000 Control Systems
User Manual, publication
ENET-UM001.
ControlNet™ Modules in Logix5000 Control Systems
User Manual, publication
CNET-UM001.
Logix5000 Controllers Execution Time and Memory
Use Reference Manual, publication 1756-RM087.
Logix Import Export Reference Manual, publication
1756-RM084.
Product Certifications website,
http://ab.rockwellautomation.com.
Provides information on using the 1756-DNB module
in a Logix5000 control system
Provides information on using the 1756-ENBT
module in a Logix5000 control system.
Provides information on using the 1756-CNB module
in Logix5000 control systems.
Provides information on how to estimate the
execution time and memory use for instructions.
Provides information on using RSLogix 5000
Import/Export utility
Provides declarations of conformity, certificates,
and other certification details.
You can view or download publications at
http://www.rockwellautomation.com/literature
. To order paper copies of
technical documentation, contact your local Rockwell Automation distributor
or sales representative.
12 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
Rockwell Automation publishes legal notices, such as privacy policies, license
agreements, trademark disclosures, and other terms and conditions on the
Legal Notices
page of the Rockwell Automation website.
Preface
End User License Agreement (EULA)
You can view the Rockwell Automation End-User License Agreement ("EULA")
by opening the License.rtf file located in your product's install folder on your
hard drive.
Open Source Licenses
The software included in this product contains copyrighted software that is
licensed under one or more open source licenses. Copies of those licenses are
included with the software. Corresponding Source code for open source
packages included in this product are located at their respective web site(s).
Alternately, obtain complete Corresponding Source code by contacting
Rockwell Automation via the Contact form on the Rockwell Automation
website:
us/contact/contact.page
Please include "Open Source" as part of the request text.
http://www.rockwellautomation.com/global/about-
A full list of all open source software used in this product and their
corresponding licenses can be found in the OPENSOURCE folder. The default
installed location of these licenses is
Files\Rockwell\Help\FactoryTalk Services Platform\Release
Notes\OPENSOURCE\index.htm
C:\Program Files (x86)\Common
.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 13
FSBM
TSAM
TSSM
FPMS
ESTOP
ROUT
RIN
ENPEN DIN
LC
THRS
DCS
DCST
DCSTL
DCSTM
DCSRT DCM
SMAT
THRSe
CROUT
DCA
If you want to
Use this instruction
five position selector switch used in SIL3/CAT4 safety applications.
safety applications.
Safety Instructions
Chapter 1
Safety Instructions
In the controller organizer, you can recognize safety programs by the red bar
that is incorporated into the icons. The red bar indicates the program will
execute in safety memory.
The buttons for instructions that function as part of a safety program, or are
supported by a safety program, have a red triangle in the right corner of
each button.
Available Instructions
Ladder Diagram
Function Block
Not available
Structured Text
Not available
Safety application instructions are intended for use within a safety system
that has a controller and I/O modules. These instructions are intended for
Safety Integrity Level (SIL) 3, PLe/Category (CAT) 4 applications.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 15
Provide an interface from a programmable controller to a three-to-
Emulate the input functionality of a safety relay in a software
programmable environment which is intended for use in SIL3/CAT4
Emulate the output functionality of a safety relay in a software
programmable environment which is intended for use in SIL3/CAT4
safety applications.
FPMS
ESTOP
ROUT
Chapter 1 Safety Instructions
If you want to
Use this instruction
safety applications.
safety applications.
safety applications.
test of the stop device.
test of the stop device and the ability to mute the safety device.
a machine safely, for example an enable pendant.
symmetrically.
and after the light curtain’s sensing field.
output.
Control and monitor redundant outputs.
CROUT
module. (Integer version)
module. (Floating Point version)
Emulate the input functionality of a safety relay in a software
programmable environment that is intended for use in SIL3/CAT4
safety applications.
Emulate the input functionality of a safety relay in a software
programmable environment that is intended for use in SIL3/CAT4
Emulate the input functionality of a safety relay in a software
programmable environment that is intended for use in SIL3/CAT4
Provide a manual and an automatic circuit reset interface from a
programmable controller to a light curtain used in SIL3/CAT4
Provide a method to incorporate two diverse input buttons used as
a single operation start button into a software programmable
environment that is intended for use in SIL3/CAT4 safety
applications.
Monitor dual-input safety devices whose main purpose is to
provide a stop function, such as an E-stop, light curtain, or gate
switch.
Monitor dual-input safety devices whose main purpose is to
provide a stop function, such as an E-stop, light curtain, or gate
switch. It includes the added capability of initiating a functional
RIN
ENPEN
DIN
LC
THRS
DCS
DCST
Monitors dual-input safety devices whose main purpose is to stop
DCSTL
a function, such as an E-stop, light curtain, or gate switch. It
includes the added capability of initiating a functional test of the
stop device and can monitor a feedback signal from a safety
device and issue a lock request to a safety device.
Monitor dual-input safety devices whose main purpose is to
DCSTM
provide a stop function, such as an E-stop, light curtain, or gate
switch. It includes the added capability of initiating a functional
Energize dual-input safety devices whose main function is to start
DCSRT
Monitor dual-input safety devices. DCM
Indicate whether or not the safety mat is occupied. SMAT
Provide temporary, automatic disabling of the protective function
TSAM
of a light curtain, using two muting sensors arranged
asymmetrically.
Provide temporary, automatic disabling of the protective function
TSSM
of a light curtain, using two muting sensors arranged
Provide temporary, automatic disabling of the protective function
FSBM
of a light curtain, using four sensors arranged sequentially before
Monitor two diverse safety inputs, one from a right-hand push
THRSe
button and one from a left-hand push button, to control a single
16 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
Monitor two analog input channels originating from an analog input
Monitor two analog input channels originating from an analog input
DCA
DCAF
IMPORTANT
Chapter 1 Safety Instructions
The Safety controller is part of a De-Energize to Trip system. This means that
all of its outputs are set to zero when a fault is detected.
The following sections are only applicable to these instructions:
• ESTOP
• RIN
• DIN
• ENPEN
• THRS
• LC
• ROUT
•
FPMS
De-energize to Trip System
In addition, the Safety controller automatically sets any input values
associated with faulty input modules to zero. As a result, any inputs being
monitored by one of the diverse input instructions (DIN or THRS) should
have the normally closed input conditioned by logic as shown here:
The exact ladder logic depends on your specific system requirements, and the
functionality of the Safety input module. The result, however, should be the
same: to create a Safe state of one for the normally closed input of the diverse
input instructions. This example logic actually overrides the input value in the
input tag.
The normally closed input of the diverse input instruction should be placed in
a Safe state whenever the connection to the input module is lost, or the
normally closed input point is faulted.
The input value should remain intact to represent the actual state of the field
device when there is a connection and the normally closed input point is not
faulted.
Failure to implement this type of logic does not create an unsafe condition,
but it does result in the instruction latching an Inputs Inconsistent fault,
requiring a clear fault operation to be performed.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 17
Chapter 1 Safety Instructions
IMPORTANT
IMPORTANT
IMPORTANT
System Dependencies
The safety application instructions depend on the safety I/O modules,
controller operating system, and the ladder logic to perform portions of the
safety functions.
Input and Output Line Conditioning
Safety I/O modules provide pulse test and monitoring capabilities. If the
module detects a failure, it sets the offending input or output to the Safe state
and reports the failure to the controller.
The failure indication is made via the input or output point status, and is
maintained for a configurable amount of time, or until the failure is repaired,
which ever comes last.
Ladder logic must be included in the application program to latch these I/O point
failures and ensure proper restart behavior.
For more information on Safety I/O modules, refer to the following:
• DeviceNet Safety I/O User Manual, publication 1791DS-UM001
• Guard I/O EtherNet/IP Safety modules User Manual, publication
1791ES-UM001
• POINT Guard I/O Safety Modules User Manual, publication 1734-
UM013.
I/O Module Connection Status
A CIP SafetyTM system provides connection status for each I/O device in the
safety system. If an input connection failure is detected, the operating system
sets all associated inputs to the de-energized (Safe) state, and reports the
failure to the ladder logic. If an output connection failure is detected, the
operating system can only report the failure to the ladder logic.
Ladder logic must be included in the application program to latch these I/O point
failures and ensure proper restart behavior.
How to Latch and Reset Faulted I/O
The following diagrams provide examples of the ladder logic required to latch
and reset an I/O module connection or point failure. The first image shows
the ladder logic for an input point, and the second shows the ladder logic for
an output point.
Both of these diagrams are examples, and are for illustrative purposes only. The
suitability of this logic depends upon your specific system requirements.
18 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
Chapter 1 Safety Instructions
The first rung latches an internal indication that either the module
connection or the specific input point has failed.
The second rung resets the internal indication, but only if the fault has been
repaired, and only on the rising edge of the Fault Reset signal. This prevents
the safety function from automatically restarting if the Fault Reset signal gets
stuck on.
The third rung shows the input point data used in combination with the
internal fault indication to control an output.
The output is internal data that may be used in combinational logic later to
drive an actual output. If an actual output is used directly, it may or may not
require logic similar to that shown in Figure 1.3 for latching and resetting
output connection failures.
The Fault Reset contact shown in these examples is typically activated as a
result of operator action. The Fault Reset could be derived as a result of
combinational logic or directly from an input point (in which case it may or
may not require conditioning of its own).
The ladder logic in the output example has the same latch and reset concept as
that shown in the input example.
The first rung latches an internal indication that either the module
connection or the specific output point has failed.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 19
Chapter 1 Safety Instructions
I/O Module Point
Data
Point Status
Combined Status
… … …
IN n
moduleName:I.PtnData
moduleName:I.PtnInputStatus
The second rung resets the internal indication, but only if the fault has been
repaired, and only on the rising edge of the Fault Reset signal. This prevents
the safety function from automatically restarting if the Fault Reset signal gets
stuck on.
The third rung includes application-specific logic to drive the state of an
output point. This logic is conditioned by the output faulted internal
indicator.
False Rung State Behavior
The information provided in this manual regarding the GuardLogix Safety
application instructions depicts the "True Rung State" (Ladder Diagram Logic)
behavior of the instructions.
The "False Rung State" behavior is exactly the same (internal state machines
continue to run and change states based on the inputs) except that all outputs,
including prompts and fault indicators, are set to zero when the instructions
are disabled or on a false rung.
I/O Point Mapping
Input
The following table identifies the mapping between the Safety I/O module’s
Input points and the controller tags when the Safety I/O module’s Input
Status module definition is configured for Point Status or Combined Status.
Note that moduleName is the name you assign to the I/O module.
Controller Tag Reference
IN 0 moduleName:I.Pt00Data moduleName:I.Pt00InputStatus moduleName:I.InputStatus
IN 1 moduleName:I.Pt01Data moduleName:I.Pt01InputStatus
IN 2 moduleName:I.Pt02Data moduleName:I.Pt02InputStatus
Output
20 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
The following table identifies the mapping between the Safety I/O module’s
Output points and the controller tags when the Safety I/O module’s Input
Status module definition is configured for Point Status or Combined Status.
Note that moduleName is the name you assign to the I/O module.
I/O Module Point
OUT 0
moduleName:O.Pt00Data
moduleName:I.Pt00OutputStatus
OUT 1
moduleName:O.Pt01Data
moduleName:I.Pt01OutputStatus
OUT 2
moduleName:O.Pt02Data
moduleName:I.Pt02OutputStatus
… … …
OUT n
:O.PtnData
:I.PtnOutputStatus
Status and Safety input and
Data Point Status Combined Status
moduleName
output for dual channel
Controller Tag Reference
moduleName
Chapter 1 Safety Instructions
moduleName:I.OutputStatus
See also
Execution Times for Safety Application Instructions on page 526
The following I/O status information is relevant for all safety instructions.
safety instructions
Connection Status
Connection status (.ConnectionFaulted) is the status of the safety connection
between the safety controller and safety I/O module. When the connection is
operating properly, the bit is LO (0). When the connection is not operating
properly, the bit is HI (1). When the connection status is not operating
properly, all module defined tags are LO, and have invalid data.
Point Status
Point Status is available for safety inputs (.PtxxInputStatus) and safety
outputs (.PtxxOutputStatus). When a point status tag is HI (1), it indicates
that the individual channel is functioning and wired correctly. It also
indicates the safety connection between the safety controller and the safety
I/O module on which this channel resides is operating properly.
Combined Status
Combined Status is available for safety inputs (.CombinedInputStatus) and
safety outputs (.CombinedOutputStatus). When the combined status tag is HI
(1), it indicates that all input or output channels on the module are
functioning and wired correctly. It also indicates that the safety connection
between the safety controller and the safety I/O module on which these
channels reside is operating properly.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 21
Whether combined status or point status is used depends on the application.
Point status provides more granular status.
The dual channel safety instructions have built-in safety I/O status
monitoring. Input and Output statuses are parameters for the safety input
and output instructions. All dual channel safety instructions have input status
Chapter 1 Safety Instructions
IMPORTANT
output channel.
for input channels A and B. The CROUT instruction has input status for
Feedbacks 1 and 2, and output status for the output channels driven by the
CROUT outputs O1 and O2. The status tags used in these instructions must be
HI (1) for the safety instruction output tag(s) with O1 for input instructions
and O1/O2 to energize the CROUT instruction.
Interrogate Safety I/O status when using instructions such as XIC and OTE. Verify
safety input channel status is HI (1) before using a safety input channel as an
interlock. Verify safety output channel status is HI (1) before energizing a safety
22 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
IMPORTANT
• Structure operands are shared by multiple instructions.
Dual-channel Input Start
(DCSRT)
Chapter 1 Safety Instructions
See also
Safety Instructions on page 15
This instruction applies to the Compact GuardLogix 5370, GuardLogix 5570,
Compact GuardLogix 5380, and GuardLogix 5580 controllers.
The Dual-channel Input Start instruction is for safety devices whose main
function is to start a machine safely, for example, an enable pendant. This
instruction energizes its output (O1) only if the Enable input is ON (1), and
both safety inputs, Channel A and Channel B, transition to the active state
within the Discrepancy Time.
Available Languages
Ladder Diagram
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 23
Function Block
This instruction is not available in function block.
Structured Text
This instruction is not available in structured text.
Operands
Unexpected operation may occur if:
• Output tag operands are overwritten.
• Members of a structure operand are overwritten.
Chapter 1 Safety Instructions
IMPORTANT
for PLd (Cat. 3) or Ple (Cat. 4) safety functions.
IMPORTANT
changes to take effect.
Operand
Data Type
Format
Description
DCSRT
DCI_START
Tag
DCSRT structure
when Channel A is 1 and Channel B is 0.
The valid range is 5...3000 ms.
Make sure safety input points are configured as single, not Equivalent or
Complementary. These instructions provide all dual channel functionality necessary
If changing instruction operands while in Run mode, accept the pending edits and
cycle the controller mode from Program to Run for the changes to take effect.
ATTENTION: If changing instruction operands while in Run mode, accept the
pending edits and cycle the controller mode from Program to Run for the
The following table provides the operand used to configure the instruction.
This operand cannot be changed at runtime.
Safety Function DINT list item This operand provides a text name for how this
instruction is being used. Choices include enable
pendant (20), start button (21), and user-defined
(100).
This operand does not affect instruction behavior.
It is for information/documentation purposes only.
Input Type DINT list item This operand selects input channel behavior.
Equivalent - Active High (0): Inputs are in the
active state when Channel A and Channel B inputs
are 1.
Complementary (2): Inputs are in the active state
Discrepancy Time (ms) DINT immediate The amount of time that the inputs can be in an
inconsistent state before an instruction fault is
generated. The inconsistent state depends on the
Input Type.
Equivalent: Inconsistent state is when either is
true:
Channel A = 0 and Channel B =1
Channel A =1 and Channel B =0
Complementary: Inconsistent state is when either
is true:
Channel A = 0 and Channel B =0r
Channel A =1 and Channel B =1
The following table explains instruction inputs. The inputs may be field device
signals from input devices or derived from user logic.
24 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
Operand
Data Type
Format
Description
OFF (0): The instruction is disabled. Output 1 is not energized.
Channel A1
BOOL
tag
This input is one of the two safety inputs to the instruction.
are reset.
Operand
Data Type
Description
OFF (0): This instruction is operating normally.
not safety-related.
codes. This operand is not safety-related.
Enable BOOL tag This input enables or disables the instruction.
ON (1): The instruction is enabled. Output 1 is energized when
Channel A and Channel B transition to the active state within
the Discrepancy Time.
Channel B1 BOOL tag This input is one of the two safety inputs to the instruction.
Input Status BOOL immediate
tag
Reset2 BOOL tag This input clears the instruction faults provided the fault
1
If the input is from a Guard I/O input module, make sure that the input is
If instruction inputs are from a safety I/O module, this is the
status from the I/O module (Connection Status or Combined
Status). If instruction inputs are derived from internal logic, it
is the application programmer’s responsibility to determine
the conditions.
ON (1): The inputs to this instruction are valid.
OFF (0): The inputs to this instruction are invalid.
condition is not present.
OFF (0) -> ON (1): The FP (Fault Present) and Fault Code outputs
Chapter 1 Safety Instructions
configured as single, not Equivalent or Complementary.
2
ISO 13849-1 stipulates instruction reset functions must occur on falling edge
signals. To comply with ISO 13849-1 requirements, add this logic immediately
before this instruction. Rename the Reset_Signal tag in this example to the
reset signal tag name. Then use the OSF instruction Output Bit tag as the
reset source of the instruction.
The following table explains instruction outputs. The outputs can be used to
drive external tags (safety output modules) or internal tags for use in other
logic routines.
Output 1 (01) BOOL This output is energized when the input conditions have been
satisfied.
The output becomes de-energized when:
• Either Channel A or Channel B transitions to the safe state.
• The Input Status input is OFF(0).
• The Enable input turns OFF(0)
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 25
Fault Present (FP) BOOL ON (1): A fault is present in the instruction.
Fault Code DINT This output indicates the type of fault that occurred. See the
Fault Codes section for a list of fault codes. This operand is
Diagnostic Code DINT This output indicates the diagnostic status of the instruction.
See the Diagnostic Codes section below for a list of diagnostic
Chapter 1 Safety Instructions
IMPORTANT
Condition/State
Action Taken
Prescan
Same as Rung-condition-in is false.
Rung-condition-in is false
The .O1 and .FP are cleared to false.
Rung-condition-in is true
The instruction executes as described in the Normal operation section.
Postscan
Same as Rung-condition-in is false.
Do not write to any instruction output tag under any circumstances.
Affects Math Status Flags
No
Major/Minor Faults
None specific to this instruction. See Index Through Arrays for arrayindexing faults.
Execution
Operation
Normal
The timing diagram illustrates the normal operation for a start device, for
example, an enable pendant. At (A), Output 1 is not energized because the
Enable input is OFF (0). At (B), Output 1 is not energized because the
transition of the Enable signal ON (1) can never enable Output 1. At (C),
Output 1 is energized 50 ms after the safety inputs transition through the safe
state and to the active state with the Enable input ON (1). At (D), Output 1 is
de-energized when either one of the safety inputs transition to the safe state.
At (E), Output 1 is energized 50 ms after the safety inputs return to the active
state. At (F), Output 1 is de-energized because the Enable input has
transitioned to OFF (0).
26 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
Chapter 1 Safety Instructions
Normal (Equivalent Inputs)
This diagram demonstrates the same behavior as in the previous timing
diagram except that the Input Type is Complementary.
Normal (Complementary Inputs)
Input Status Fault Operation
The timing diagram illustrates fault behavior when the Input Status becomes
invalid. At (A), Output 1 is not energized because the Input Status has not
become active for the first time. At (B), with the Input Status active, and after
a 50 ms delay, Output 1 is energized because the safety inputs have
transitioned through the safe state to the active state. At (C), the Input Status
becomes invalid, which immediately de-energizes Output 1 and generates a
fault. At (D), the fault cannot be reset because the Input Status is still inactive.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 27
Chapter 1 Safety Instructions
At (E), the fault is reset because the Input Status is now active and a reset is
triggered. At (F), Output 1 is active.
Discrepancy Fault Operation
The timing diagram illustrates a discrepancy fault occurring when Channel A
and Channel B are in an inconsistent state for longer than the Discrepancy
Time configuration operand. At (A), a fault is generated when the safety
inputs are in an inconsistent state for longer than the Discrepancy Time, for
example, 250 ms. At (B), the fault is cleared because both safety inputs are
inactive and the reset went active. At (C), Output 1 is energized 50 ms after
both safety inputs transition to the active state together within the
Discrepancy Time. At (D), Output 1 is de-energized when Channel B
transitions to the safe state. At (E), a fault is generated because the safety
inputs are again in an inconsistent state for longer than the Discrepancy
28 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
Fault Code
Description
Corrective Action
• Reset the fault.
was in the active state.
Chapter 1 Safety Instructions
Time. At (F), the fault is cleared, but Output 1 is not energized until both safety
inputs transition to the active state together.
False Rung State Behavior
When the instruction is executed on a false rung, all instruction outputs are
de-energized.
Fault Codes and Corrective Alarms
The fault codes are listed in hexadecimal format followed by decimal format.
0 No fault. None.
16#20
32
16#4000
16384
16#4001
16385
The Input Status input
transitioned from ON (1) to OFF
(0) while the instruction was
executing.
Channel A and Channel B were in
an inconsistent state for longer
than the Discrepancy Time. At
the time of the fault, Channel A
was in the active state. Channel
B was in the safe state.
Channel A and Channel B were in
an inconsistent state for longer
than the Discrepancy Time. At
the time of the fault, Channel A
was in the safe state. Channel B
• Check the I/O module connection or
the internal logic used to source
input status.
• Check the wiring.
• Perform a functional test of the
device (put Channel A and Channel B
in a safe state).
• Reset the fault.
Rockwell Automation Publication 1756-RM095K-EN-P - September 2020 29
Chapter 1 Safety Instructions
Fault Code
Description
Corrective Action
while Channel A remained active.
0
No fault.
None.
Dual-channel Input Start
16#4002
16386
16#4003
16387
Channel A went to the safe state
and back to the active state
while Channel B remained active.
Channel B went to the safe state
and back to the active state
Diagnostic Codes and Corrective Actions
The fault codes are listed in hexadecimal format followed by decimal format.
Diagnostic Code Description Corrective Action
16#20
32
16#4000
16384
16#4060
16480
The Input Status was OFF(0)
when the instruction started.
The device is not in a safe state
at start-up.
The device is not enabled. Enable the device (set Enable to 1).
Check the I/O module connection or the
internal logic used to source input
status.
Release the start device (put Channel A
and Channel B in a safe state).
(DCSRT) wiring and
programming example
See also
Dual-channel Input Start (DCSRT) wiring and programming example
on page 30
Index Through Arrays on page 540
Status and Safety input and output for dual channel safety
instructions on page 21
This topic demonstrates how to wire the Guard I/O module and program the
instruction in the safety control portion of an application
This application example complies with ISO 13849-1, Category 4 operation.
Tip: The standard control portion of the application is not shown in the following diagram.
30 Rockwell Automation Publication 1756-RM095K-EN-P - September 2020
Loading...