Rockwell Automation GuardLogix 5580, GuardLogix 5380 Reference Manual

GuardLogix 5580 and Compact GuardLogix 5380 Controller Systems

Bulletin 1756 and 5069

Safety Reference Manual

Original Instructions

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).


Rockwell Automation Publication 1756-RM012D-EN-P - August 2020

 

 

Table of Contents

Preface
  Summary of Changes
  Catalog Numbers
  Terminology

Chapter 1 - Safety Integrity Level (SIL) Concept
  SIL Certification
  Proof Tests
  GuardLogix Architecture
  Controller Specifications
  System Reaction Time
  Safety Task Reaction Time
  Safety Task Period and Safety Task Watchdog
  Contact Information If Device Failure Occurs

Chapter 2 - GuardLogix Controller System
  GuardLogix 5580 Controller Hardware
  Primary Controller
  Safety Partner
  Chassis
  Power Supply
  Compact GuardLogix 5380 Controller Hardware
  Compact GuardLogix 5380 SIL3 Controllers
  Power Supply
  Network Communication
  EtherNet/IP Network
  DeviceNet Safety Network
  Programming Overview

Chapter 3 - Safety I/O for the GuardLogix Control System
  Typical Safety Functions of Safety I/O Devices
  Diagnostics
  Status Data
  Status Indicators
  On-delay or Off-delay Function
  Reaction Time
  Safety Considerations for Safety I/O Devices
  Ownership
  Safety I/O Configuration Signature
  Safety I/O Device Replacement

Chapter 4 - CIP Safety Systems and Safety Network Numbers
  Unique Node Reference
  Safety Network Numbers (SNN)
  Routable CIP Safety System
  Considerations for Assigning SNNs
  How SNNs Get to Safety Devices
  SNN Formats
  Time-based SNN Format and Assignment
  Manual SNN Format and Assignment
  SNNs for Out-of-box Devices

Chapter 5 - Characteristics of Safety Tags, the Safety Task, and Safety Programs
  Differentiate Between Standard and Safety
  The Safety Task
  Safety Task Limitations
  Safety Task Execution Details
  SIL 2 and SIL 3 Safety Application Differences
  Safety I/O Modules
  Use of Human Machine Interfaces
  Precautions
  Access to Safety-related Systems
  Safety Programs
  Safety Routines
  Safety Tags
  Standard Tags in Safety Routines (Tag Mapping)

Chapter 6 - Safety Application Development
  Safety Concept Assumptions
  Basics of Application Development and Testing
  Commissioning Lifecycle
  Specification of the Safety Function
  Create the Project
  Test the Application Program
  Generate the Safety Signature
  Validate the Project
  Confirm the Project
  Safety Assessment
  Lock the Controller
  Download the Safety Application Program
  Upload the Safety Application Program
  Store and Load a Project from a Memory Card
  Force Data
  Inhibit a Device
  Online Editing
  Editing Your Safety Application
  Performing Offline Edits
  Performing Online Edits
  Modification Impact Test

Chapter 7 - Monitor Status and Handle Faults
  Status Indicators
  Monitoring System Status
  CONNECTION_STATUS Data
  Input and Output Diagnostics
  I/O Device Connection Status
  De-energize to Trip System
  Get System Value (GSV) and Set System Value (SSV) Instructions
  Safety Faults
  Nonrecoverable Controller Faults
  Nonrecoverable Safety Faults in the Safety Application
  Recoverable Safety Faults in the Safety Application
  View Faults
  Fault Codes
  1756-L8SP Safety Partner Fault

Appendix A - Safety Instructions
  Safety Instructions

Appendix B - Create and Use a Safety Add-On Instruction
  Create an Add-On Instruction Test Project
  Create a Safety Add-On Instruction
  Generate the Instruction Signature
  The Safety Instruction Signature
  SIL 2 or SIL 3 Add-On Instruction Qualification Test
  Safety Validate Add-On Instructions
  Create Signature History Entry
  Export and Import the Safety Add-On Instruction
  Verify Safety Add-On Instruction Signatures
  Test the Application Program
  Project Validation
  Safety Assessment

Appendix C - Reaction Times
  Connection Reaction Time Limit
  Specify the Requested Packet Interval (RPI)
  View the Maximum Observed Network Delay
  System Reaction Time
  Logix System Reaction Time
  Simple Input-logic-output Chain
  Logic Chain Using Produced/Consumed Safety Tags
  Factors That Affect Logix Reaction-time Components
  Configure Guard I/O Input Module Delay Time Settings
  Configure or View the Input and Output Safety Connection Reaction Time Limits
  Configure the Safety Task Period and Watchdog
  Access Produced/Consumed Tag Data

Appendix D - Checklists for GuardLogix Safety Applications
  Checklist for GuardLogix Controller System
  Checklist for Safety Inputs
  Checklist for Safety Outputs
  Checklist to Develop a Safety Application Program

Appendix E - GuardLogix Systems Safety Data
  Useful Life
  Safety Data
  Product Failure Rates

Appendix F - Studio 5000 Logix Designer Application, Version 31 or Later, Safety-application Instructions
  De-energize to Trip System
  Use Connection Status Data to Initiate a Fault Programmatically

Glossary

Index

Preface

This manual describes the GuardLogix® 5580 and Compact GuardLogix 5380 controller systems, which are type-approved and certified for use in safety applications as detailed in SIL Certification on page 9.

Use this manual for the development, operation, and maintenance of a GuardLogix 5580 or Compact GuardLogix 5380 controller-based safety system that uses the Studio 5000 Logix Designer® application. Read and understand the safety concepts and the requirements that are presented in this manual and familiarize yourself with applicable standards (for example IEC 61508, IEC 62061, IEC 61511, and ISO 13849-1) before operating a GuardLogix 5580 or Compact GuardLogix 5380 controller-based safety system.

Summary of Changes

This manual contains new and updated information as indicated in the following table.

Topic | Page
Clarified safety signature information | 56, 65
Added safety signature ID definition | 110

Catalog Numbers

This publication is applicable to these controllers:

GuardLogix 5580: 1756-L81ES, 1756-L81ESK, 1756-L82ES, 1756-L82ESK, 1756-L83ES, 1756-L83ESK, 1756-L84ES, 1756-L84ESK, 1756-L8SP, 1756-L8SPK

Compact GuardLogix 5380 SIL 2: 5069-L306ERS2, 5069-L306ERMS2, 5069-L310ERS2, 5069-L310ERMS2, 5069-L320ERS2, 5069-L320ERS2K, 5069-L320ERMS2, 5069-L320ERMS2K, 5069-L330ERS2, 5069-L330ERS2K, 5069-L330ERMS2, 5069-L330ERMS2K, 5069-L340ERS2, 5069-L340ERMS2, 5069-L350ERS2, 5069-L350ERS2K, 5069-L350ERMS2, 5069-L350ERMS2K, 5069-L380ERS2, 5069-L380ERMS2, 5069-L3100ERS2, 5069-L3100ERMS2

Compact GuardLogix 5380 SIL 3: 5069-L306ERMS3, 5069-L310ERMS3, 5069-L320ERMS3, 5069-L320ERMS3K, 5069-L330ERMS3, 5069-L330ERMS3K, 5069-L340ERMS3, 5069-L350ERMS3, 5069-L350ERMS3K, 5069-L380ERMS3, 5069-L3100ERMS3

Terminology

In this publication, the terms ‘GuardLogix controller’ or ‘GuardLogix system’ apply to both GuardLogix 5580 and Compact GuardLogix 5380 controllers unless otherwise noted.

Also, the term ‘SIL 2’ represents SIL 2, SIL CL2, and PLd, and ‘SIL 3’ represents SIL 3, SIL CL3, and PLe.

For common abbreviations and other definitions, see the Glossary on page 107.


Chapter 1

Safety Integrity Level (SIL) Concept

SIL Certification


This section provides the SIL certifications and Performance Level for the controllers.

Table 1 - Safety Ratings for Safety Controllers

Controller System | IEC 61508: Type-approved and certified for use in safety applications up to and including: | IEC 62061: Suitable for use in safety applications up to and including: | ISO 13849-1: Suitable for use in safety applications up to and including:
GuardLogix® 5580 controller systems | SIL 2 (2) | SIL CL2 (2) | Performance Level PLd (Cat. 3) (2)
GuardLogix® 5580 controller systems | SIL 3 (3) | SIL CL3 (3) | Performance Level PLe (Cat. 4) (3)
Compact GuardLogix 5380 controller systems (1) | SIL 2 | SIL CL2 | Performance Level PLd (Cat. 3)
Compact GuardLogix 5380 controller systems (1) | SIL 3 | SIL CL3 | Performance Level PLe (Cat. 4)

(1) SIL 2 Compact GuardLogix 5380 controller catalog numbers end with a 2 (example: 5069-L3xxxxxS2). SIL 3 Compact GuardLogix 5380 controller catalog numbers end with a 3 (example: 5069-L3xxxxxS3).

(2) Primary controller that is used without a safety partner.

(3) Primary controller that is used with a safety partner.

IMPORTANT In the remainder of this publication:

SIL 2 represents SIL 2, SIL CL2, and PLd

SIL 3 represents SIL 3, SIL CL3, and PLe

TÜV Rheinland has approved GuardLogix 5580 and Compact GuardLogix 5380 controller systems for use in safety-related applications where the de-energized state is considered to be the safe state.

All I/O examples in this manual are based on achieving de-energization as the safe state for typical machine safety and emergency shutdown (ESD) systems.

IMPORTANT As the system user, you are responsible for these items:

The setup, SIL rating, and validation of any sensors or actuators that are connected to the GuardLogix system

Project management and functional test

Access control to the safety system, including password handling

Programming the application and the device configurations in accordance with the information in this safety reference manual and these publications:

- ControlLogix® 5580 and GuardLogix 5580 Controllers User Manual, publication 1756-UM543

- CompactLogix™ 5380 and Compact GuardLogix 5380 User Manual, publication 5069-UM001

When applying Functional Safety, restrict access to qualified, authorized personnel who are trained and experienced.

Use the Studio 5000 Logix Designer® application to create programs for GuardLogix 5580 and Compact GuardLogix 5380 controllers. Only the safety task, not standard tasks, can be used for safety functions.

Proof Tests

IEC 61508 requires you to perform various proof tests of the equipment that is used in the system. Proof tests are performed at user-defined times. For example, proof tests can be once a year, once every 15 years, or whatever time frame is appropriate.

GuardLogix 5580 and Compact GuardLogix 5380 controllers have a useful life of 20 years, no proof test required. Other components of the system, such as safety I/O devices, sensors, and actuators can have different useful life times.

IMPORTANT Your specific applications determine the time frame for the useful life.


 

 

GuardLogix Architecture

This section provides examples of SIL 3 and SIL 2 systems, including:

The overall safety function

The GuardLogix portion of the overall safety function

How other devices (for example, HMI) are connected, while operating outside the function

Figure 1 - Example SIL 3 System

[Figure not reproduced. Labels: Programming Software; HMI Display; To Plant-wide Ethernet Network; Safety System; Stratix® 5400 Switch; Safety Controller (GuardLogix 5580 Controller With Safety Partner, or Compact GuardLogix 5380 SIL 3 Controller); Safety I/O Module on Ethernet Network; EtherNet/IP™ Adapter; I/O Modules; Safety I/O Modules; Sensor; Actuator. Legend: Safety Network.]

Figure 2 - Example SIL 2 System

[Figure not reproduced. Labels: Programming Software; HMI Display; To plant-wide Ethernet Network; Safety System; Stratix 5400 Switch; Safety Controller (Compact GuardLogix 5380 SIL 2 Controller, or GuardLogix 5580 Controller, with local safety I/O and standard I/O modules); EtherNet/IP Adapter; I/O Modules; Safety I/O Modules; Sensor; Actuator. Legend: Safety Network.]

 

 

Controller Specifications

These publications list the specifications and the agency certifications for the products:

ControlLogix Controllers Technical Data, publication 1756-TD001

CompactLogix 5380 Controllers Specifications Technical Data, publication 5069-TD002

Agency certifications are also marked on the product labels.

See http://www.rockwellautomation.com/global/certification/overview.page for Declarations of Conformity, Certificates, and other certification details.

System Reaction Time

The system reaction time is the worst-case time from a safety-related event as input to the system or as a fault within the system, until the time that the system is in the safe state.

This worst-case definition includes the effects of asynchronous communications, and multiple potential faults, occurring within the system. Actual reaction times may be faster.

[Figure not reproduced. Blocks shown, in order: Sensor Reaction Time; Input Reaction Time; Safety Task Reaction Time; Output Reaction Time; Actuator Reaction Time.]

 

 

 

 

 

 

 

 

 

Each of the reaction times is dependent on factors such as the type of I/O device and instructions that are used in the program.

IMPORTANT For more information on reaction time calculation, see Appendix C on page 83.

Safety Task Reaction Time

The safety task reaction time is the worst-case delay from any input change that is presented to the controller until the output producer sets the processed output. Use this equation to determine the safety task reaction time:

Safety task reaction time = (safety task period + safety task watchdog) × 1.01

The multiplier is for potential clock drift.

Safety Task Period and Safety Task Watchdog

The safety task period is the interval at which the safety task executes.

The safety task watchdog time is the maximum permissible time for safety task processing. If the time to process a safety task exceeds the safety task watchdog time, a nonrecoverable safety fault occurs in the controller, which results in a transition to the safe state (off).

You define the safety task watchdog time, which must be less than or equal to the safety task period.

The safety task watchdog time is set in the task properties window of the Studio 5000 Logix Designer application. This value can be modified online, regardless of controller mode, but it cannot be changed when the controller is safety-locked or once a safety signature is created.

Contact Information If Device Failure Occurs

If you experience a failure with any safety device, contact Rockwell Automation Technical Support: https://rockwellautomation.custhelp.com/

Your local Rockwell Automation sales office or Allen-Bradley distributor can also initiate the following actions:

Return the device to us so the failure is logged for the catalog number that is affected, and a record is made of the failure.

Request a failure analysis (if necessary) to try to determine the cause of the failure.

Chapter 2

GuardLogix Controller System

For safety certificate information, see http://www.rockwellautomation.com/global/certification/safety.page. Use the filters to search for your products.

See Additional Resources on page 8 to find installation information for GuardLogix® 5580 and Compact GuardLogix 5380 controllers.

GuardLogix 5580 Controller Hardware

The GuardLogix controller consists of a primary controller (1756-L8xES), which can be used alone in SIL 2 applications, and a safety partner (1756-L8SP), which is added to create the SIL 3-capable controller.

Both the primary controller and safety partner perform power-up and runtime functional-diagnostic tests of all safety-related components in the controller.

Primary controller that is used without a safety partner is up to SIL 2.

Primary controller that is used with a safety partner is up to SIL 3.

Controller | Cat. No.
GuardLogix 5580 controller | 1756-L81ES, 1756-L82ES, 1756-L83ES, 1756-L84ES, 1756-L8SP, 1756-L81ESK, 1756-L82ESK, 1756-L83ESK, 1756-L84ESK, 1756-L8SPK

 

 

For the most current list of GuardLogix controller and safety I/O devices certified series and firmware revisions, see the safety certificates at http://www.rockwellautomation.com/global/certification/safety.page.

Firmware revisions are available from the Rockwell Automation Product Compatibility and Download Center (PCDC) support website at http://www.rockwellautomation.com/global/support/pcdc.page.

You can fill slots of a SIL 2 or SIL 3 system chassis that are not used by the GuardLogix SIL 2 or SIL 3 system with other ControlLogix® (1756) modules that are certified to the Low Voltage and EMC Directives.

To find certificates for the controllers and I/O modules, see http://www.rockwellautomation.com/global/certification/overview.page.


Primary Controller

The primary controller is the processor that performs standard and safety control functions and communicates with the safety partner for safety-related functions in the GuardLogix control system. The primary controller consists of a central processor, I/O interface, and memory.

Safety Partner

To satisfy SIL 3 requirements, you must install a 1756-L8SP safety partner in the slot immediately to the right of the primary controller. The safety partner is a co-processor that provides 1oo2 architecture for safety-related functions in the system. The 1oo2 system does not run degraded. If the two processors disagree, or cannot communicate with each other, the result is a major nonrecoverable controller fault. For information on how to respond to this situation, see Knowledgebase Article GuardLogix and CompactGuardLogix Safety error codes.

For SIL 2 requirements, do not install a safety partner.

The primary controller configures the safety partner. Only one download of the user program to the primary controller is required. The primary controller controls the operating mode of the safety partner.

Chassis

The chassis provides the physical connections between modules and the 1756 GuardLogix system. Any failure, though unlikely, would be detected as a failure by one or more of the active components of the system. Therefore, the chassis is not relevant to the safety discussion.

Power Supply

No extra configuration or wiring is required for SIL 2 or SIL 3 operation of the ControlLogix power supplies. Any failure would be detected as a failure by one or more of the active components of the GuardLogix system. Therefore, the power supply is not relevant to the safety discussion.

Compact GuardLogix 5380 Controller Hardware

The Compact GuardLogix 5380 controller is a SIL 2 or SIL 3 capable controller that performs standard and safety control functions for safety-related functions in the Compact GuardLogix control system.

| Controller | SIL Rating | Cat. No. |
|---|---|---|
| Compact GuardLogix 5380 | SIL 2 | 5069-L306ERMS2, 5069-L306ERS2, 5069-L310ERMS2, 5069-L310ERS2, 5069-L320ERMS2, 5069-L320ERS2, 5069-L320ERS2K, 5069-L320ERMS2K, 5069-L330ERMS2, 5069-L330ERS2, 5069-L330ERS2K, 5069-L330ERMS2K, 5069-L340ERMS2, 5069-L340ERS2, 5069-L350ERMS2, 5069-L350ERS2, 5069-L350ERS2K, 5069-L350ERMS2K, 5069-L380ERMS2, 5069-L380ERS2, 5069-L3100ERMS2, 5069-L3100ERS2 |
| Compact GuardLogix 5380 | SIL 3 | 5069-L306ERMS3, 5069-L310ERMS3, 5069-L320ERMS3, 5069-L330ERMS3, 5069-L340ERMS3, 5069-L350ERMS3, 5069-L380ERMS3, 5069-L3100ERMS3, 5069-L320ERMS3K, 5069-L330ERMS3K, 5069-L350ERMS3K |

 

 

 

IMPORTANT This equipment is supplied as open-type equipment for indoor use. It must be mounted within an enclosure that is suitably designed for those specific environmental conditions that are present and appropriately designed to prevent personal injury resulting from accessibility to live parts.

The enclosure must have suitable flame-retardant properties to prevent or minimize the spread of flame, complying with a flame spread rating of 5VA or be approved for the application if nonmetallic. The interior of the enclosure must be accessible only by the use of a tool.

For more information regarding specific enclosure type ratings that are required to comply with certain product safety certifications, see:

Compact GuardLogix 5380 SIL 2 Controllers Installation Instructions, publication 5069-IN014

Compact GuardLogix 5380 SIL 3 Controllers Installation Instructions, publication 5069-IN023

For the most current list of GuardLogix controller and safety I/O devices certified series and firmware revisions, see the safety certificates at http://www.rockwellautomation.com/global/certification/safety.page.

Firmware revisions are available from the Rockwell Automation Product Compatibility and Download Center (PCDC) support website at http://www.rockwellautomation.com/global/support/pcdc.page.

Expansion slots of the system bus can be populated with Compact 5000™ I/O expansion modules that are certified to the Low Voltage and EMC Directives and populated per the instructions that are listed under Power Supply.

To find certificates for the controllers and I/O modules, see http://www.rockwellautomation.com/global/certification/overview.page.


Compact GuardLogix 5380 SIL 3 Controllers

For SIL 3/PLe safety applications, the Compact GuardLogix 5380 SIL 3 controller system consists of a primary controller with an internal safety partner that function together in a 1oo2 architecture.

The primary controller configures the safety partner. Only one download of the user program to the primary controller is required. The primary controller controls the operating mode of the safety partner.

Power Supply

For Functional Safety applications, SELV/PELV-listed power supplies are required for both module power (MOD) and sensor/actuator (SA) power.

Consider the following when you choose a power supply:

The MOD power of the Compact GuardLogix 5380 controller must be powered by a 24V DC SELV/PELV-listed power supply.

All local 24V DC safety I/O must be powered by a SELV/PELV-listed power supply.

If the SA power connector of the Compact GuardLogix 5380 controller is used, it must be powered by a 24V DC SELV/PELV-listed power supply.

If local 120/240V AC I/O are used in the Compact GuardLogix 5380 chassis, their 120/240V AC I/O SA power must be connected to a catalog number 5069-FPD module.

If any standard I/O are used that are not powered by a SELV/PELV-listed power supply, their I/O power must be connected to a catalog number 5069-FPD module.

IMPORTANT For more information on how to power the 5069 platform when a CompactLogix™ or Compact GuardLogix Controller is present, see the CompactLogix 5380 and Compact GuardLogix 5380 User Manual, publication 5069-UM001.


 

 

Network Communication

This section provides examples of network communication configurations.

 

EtherNet/IP Network

The GuardLogix 5580 controller connects directly to an EtherNet/IP network through the onboard Ethernet port and supports 10/100/1000 Mbps network speeds. A separate Ethernet communication module is not required, but can be used in the local chassis.

Contact your local Rockwell Automation sales office or Allen-Bradley distributor for other communication interface modules that are available for use in the GuardLogix 5580 system.

Peer-to-peer safety communication between GuardLogix controllers is possible via the EtherNet/IP network. GuardLogix controllers can control and exchange safety data with safety I/O devices on an EtherNet/IP network, via the onboard Ethernet ports or EtherNet/IP bridges.

IMPORTANT A remote GuardLogix or Compact GuardLogix controller that has firmware earlier than revision 28 cannot consume data from a GuardLogix 5580 or Compact GuardLogix 5380 controller.

Older consumer controllers must be updated to at least firmware revision 28, or use a dedicated, separate EtherNet/IP module in the same rack as the 5580 GuardLogix, making a connection for produced/consumed tags that bridges through the Logix backplane.

See Knowledgebase Article Safety Tags produced by a GuardLogix 5580 controller consumed by an older GuardLogix 5570 controllers.

 

 


Figure 3 - GuardLogix 5580 Peer-to-peer Communication Via the EtherNet/IP Network

[Figure 3 labels: Stratix® 5410 Switch; Controller A; Controller B; GuardLogix 5580 Controller; GuardLogix 1756-L8SP Safety Partner; 1756 ControlLogix Digital Safety I/O; EtherNet/IP™ Adapter; I/O Modules; Safety I/O Modules; 1734 POINT I/O™ Adapter; 1734 POINT Guard I/O™ Modules; 1734 POINT I/O Modules; 1732ES ArmorBlock® Guard I/O™ Module; PowerFlex® 527 Drive (CIP Safety™ enabled); Kinetix® 5700 Drives (with Safe Monitor Functions)]

TIP Peer-to-peer safety communication between two GuardLogix 5580 controllers in the same chassis is also possible via the backplane.

[Figure labels: 1756-L82ES; 1756-L81ES; 1756-L8SP; Backplane; SIL 3; SIL 2]


 

 

Compact GuardLogix 5380 controllers connect directly to the EtherNet/IP network through the onboard Ethernet ports. They also support 10/100/1000 Mbps network speeds. A local Ethernet communication module is not used.

Figure 4 - Compact GuardLogix 5380 Peer-to-peer Communication Via the EtherNet/IP Network

[Figure 4 labels: Stratix 5410 Switch; Controller A; Controller B; Compact GuardLogix 5380 Controller; Compact 5000 I/O Safety Modules; Compact 5000 I/O Modules; EtherNet/IP Adapter; Compact I/O™; I/O Modules; Safety I/O Modules; 1734 POINT I/O Adapter; 1734 POINT Guard I/O Modules; 1734 POINT I/O Modules; 1732ES ArmorBlock Guard I/O Module; PowerFlex 527 Drive (CIP Safety enabled); Kinetix 5700 Drives (with Safe Monitor Functions)]


DeviceNet Safety Network

DeviceNet® bridges let the GuardLogix controller control and exchange safety data with safety I/O modules on a DeviceNet network.

Figure 5 - GuardLogix 5580 Communication Via a DeviceNet Bridge

[Figure 5 labels: GuardLogix 5580 Controller with GuardLogix 1756-L8SP Safety Partner; ControlLogix DeviceNet Bridge; DeviceNet Network; Guard I/O™ Module (four shown)]

Compact GuardLogix 5380 controllers can communicate with safety devices on a DeviceNet network via a 1788-EN2DNR EtherNet/IP to DeviceNet linking device.

Figure 6 - Compact GuardLogix 5380 Controller with a DeviceNet Network

[Figure 6 labels: Compact GuardLogix 5380 Controller with local safety I/O and standard I/O modules; EtherNet/IP Network; 1788 EtherNet-to-DeviceNet Linking Device; DeviceNet Network; Guard I/O Module (four shown)]


 

 

Programming Overview

Use the Studio 5000 Logix Designer® application to program GuardLogix safety controllers.

Use the Studio 5000 Logix Designer application to define the location, ownership, and configuration of I/O devices and controllers and create, test, and debug program logic. Only ladder diagram is supported in the GuardLogix safety task.

See Appendix A on page 73 for information on the set of logic instructions available for safety projects.

IMPORTANT When the GuardLogix controller is in Run or Program mode and you have not validated the application program, you are responsible for maintaining safe conditions.


Chapter 3

Safety I/O for the GuardLogix Control System

Topic

Typical Safety Functions of Safety I/O Devices

Reaction Time

Safety Considerations for Safety I/O Devices

Typical Safety Functions of Safety I/O Devices

 

 

Before you operate a GuardLogix® safety system with safety I/O devices, you must first read, understand, and follow all safety information in the product documentation for those products.

Safety I/O devices can be connected to safety input and output devices, like sensors and actuators. The GuardLogix controller monitors and controls the devices. For safety data, I/O communication is performed through safety connections by using the CIP Safety™ protocol; safety logic is processed in the GuardLogix controller.

The following is treated as the safe state by safety I/O devices:

Safety outputs: OFF

Safety input data to controller: OFF

[Figure labels: Safety Network; Safety Status; Safety Input Data; Safety Output, OFF]

 

Use safety I/O devices for applications that are in the safe state when the safety output turns OFF.

Diagnostics

Safety I/O devices perform self-diagnostics when the power is turned ON and periodically during operation. If a diagnostic failure is detected, safety input data (to the controller) and local safety outputs are set to their safe state (OFF).


Status Data

In addition to safety input and output data, safety I/O devices support status data to monitor device and I/O circuit health. See the product documentation for your device for specific product capabilities.

Status Indicators

The safety I/O devices include status indicators. For details on status indicator operation, see the product documentation for your specific device.

On-delay or Off-delay Function

Some safety I/O devices can support on-delay and off-delay functions for input signals. In some applications, you must include off-delay, on-delay, or both when you calculate system reaction time.

For example, the On-to-Off delay filter helps to filter out noise that affects the input logic level.

See Appendix C on page 83 for information on system reaction time.

Reaction Time

The input reaction time is the time from when the signal changes on an input terminal to when safety data is sent to the GuardLogix controller.

The output reaction time is the time from when safety data is received from the GuardLogix controller to when the output terminal changes state.

For information on how to determine the input and output reaction times, see the product documentation for your specific safety I/O device.

See Appendix C on page 83 for information on how to calculate the system reaction time.


 

 

Safety Considerations for Safety I/O Devices

You must commission all devices with a node or IP address and communication rate, if necessary, before their installation on a safety network.

Ownership

One GuardLogix controller owns each safety I/O device in a GuardLogix system. Multiple GuardLogix controllers and multiple safety I/O devices can be used without restrictions in chassis or on networks, as needed. When a controller owns an I/O device, it stores the configuration data that you define for that device. This configuration controls how the devices operate in the system.

From a control standpoint, one controller controls safety output devices. One controller also owns each safety input device. However, safety input data can be shared (consumed) by multiple GuardLogix controllers.

Safety I/O Configuration Signature

IMPORTANT The safety I/O configuration signatures apply to individual safety modules. This is different than the controller safety signature, which applies to the entire safety portion of the controller.

The configuration signature is calculated from the configuration of the safety I/O device. The configuration signature is used to verify that the device is configured as expected by the safety application. When you use a GuardLogix controller, you do not have to monitor this signature. The GuardLogix controller automatically monitors the signature. If the configuration signature changes unexpectedly, the safety connection between the controller and I/O module is broken, which causes the I/O module to enter its safe state.


When using a third-party module, if you connect to a safety I/O device without a configuration signature, you must verify that a valid configuration exists in the safety I/O device.

IMPORTANT Rockwell Automation® safety I/O modules typically default to using the configuration signature and do not allow your system to run without a configuration signature.

Safety I/O Device Replacement

The replacement of safety devices requires that the replacement device is properly configured, and that the operation of the replacement device is verified.

ATTENTION: During replacement or functional testing of a device, the safety of the system must not rely on any portion of the affected device.

Two options for I/O device replacement are available on the Safety tab of the Controller Properties dialog box in the Studio 5000 Logix Designer® application:

Configure Only When No Safety Signature Exists

Configure Always


 

 

Figure 7 - Safety I/O Replacement Options

Configure Only When No Safety Signature Exists

This setting instructs the GuardLogix controller to configure a safety device when the safety task does not have a safety signature, and the replacement device is in an out-of-box condition with no safety network number.

If the controller has a safety signature, the GuardLogix controller automatically configures the replacement safety I/O device if all of the following are true:

The device already has the correct safety network number.

The device electronic keying is correct.

The node or IP address is correct.

To set the proper safety network number (SNN) when a controller safety signature exists, a manual action is required to download the proper SNN. Go online to the GuardLogix or Compact GuardLogix controller with the Studio 5000 Logix Designer® application, then open the Module Properties dialog, General tab, and click the “…” button next to the Safety Network Number. Use the Set button to write the SNN to the module manually. After the manual action, the remainder of the configuration is automatically downloaded.

For detailed information, see the Replace a Safety I/O Device procedure in the user manual for the controller:

ControlLogix 5580 and GuardLogix 5580 Controllers User Manual, publication 1756-UM543

CompactLogix 5380 and Compact GuardLogix 5380 User Manual, publication 5069-UM001


Configure Always

The GuardLogix controller attempts to configure a replacement safety I/O device automatically if the device is in an out-of-box condition (when a safety network number does not exist in the replacement safety device, and the node number and I/O device keying match the configuration of the controller).

ATTENTION: Enable the Configure Always feature only if the entire routable Safety control system is not being relied on to maintain SIL 2 or SIL 3 behavior during the replacement and functional testing of a device. See Routable CIP Safety System on page 32.

If other parts of the Safety control system are being relied upon to maintain SIL 2 or SIL 3, make sure that the Configure Always feature of the controller is disabled.

It is your responsibility to implement a process to make sure that proper safety functionality is maintained during device replacement.

ATTENTION: To place a device in the out-of-box condition on a Safety network when the Configure Always feature is enabled, follow the device replacement procedure in the user manual:

ControlLogix 5580 and GuardLogix 5580 Controllers User Manual, publication 1756-UM543

CompactLogix 5380 and Compact GuardLogix 5380 User Manual, publication 5069-UM001
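The two replacement options above can be written out as a decision function and used to review a planned device swap. This is an added example, not Rockwell Automation code: every name in it (Option, Outcome, Replacement, decide, audit) and the "SNN-EXAMPLE" value are assumptions, and cases this section does not describe return UNSPECIFIED.

```python
"""Model of the safety I/O replacement rules in this chapter (added example).

All names here are assumptions for illustration. Cases the text does not
describe return Outcome.UNSPECIFIED rather than a guess.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Option(Enum):
    ONLY_WHEN_NO_SIGNATURE = "Configure Only When No Safety Signature Exists"
    ALWAYS = "Configure Always"


class Outcome(Enum):
    AUTO_CONFIGURE = "controller configures the device automatically"
    MANUAL_SNN_FIRST = "write the SNN manually; the rest then downloads automatically"
    UNSPECIFIED = "not covered by the rules in this section"


@dataclass
class Replacement:
    device_snn: Optional[str]  # None models the out-of-box condition (no SNN)
    expected_snn: str          # SNN held in the controller project
    keying_ok: bool            # electronic keying matches
    address_ok: bool           # node or IP address matches


def decide(option: Option, has_signature: bool, r: Replacement) -> Outcome:
    out_of_box = r.device_snn is None
    if option is Option.ALWAYS:
        # Configure Always: out-of-box device whose address and keying match.
        if out_of_box and r.keying_ok and r.address_ok:
            return Outcome.AUTO_CONFIGURE
        return Outcome.UNSPECIFIED
    if not has_signature:
        # No safety signature: an out-of-box device is configured.
        return Outcome.AUTO_CONFIGURE if out_of_box else Outcome.UNSPECIFIED
    # Safety signature exists: SNN, keying and address must all be correct.
    if not (r.keying_ok and r.address_ok):
        return Outcome.UNSPECIFIED
    if r.device_snn == r.expected_snn:
        return Outcome.AUTO_CONFIGURE
    # Modelling choice: any SNN mismatch needs the manual Set step first.
    return Outcome.MANUAL_SNN_FIRST


def audit(option: Option, relied_on_for_sil: bool) -> List[str]:
    """Flag the combination the Configure Always ATTENTION note warns about."""
    if option is Option.ALWAYS and relied_on_for_sil:
        return ["Configure Always is enabled while the safety control system is "
                "relied on for SIL 2 or SIL 3 during replacement: disable it"]
    return []


# Constructed scenarios; "SNN-EXAMPLE" is a placeholder, not a real SNN.
SCENARIOS = [
    (Option.ONLY_WHEN_NO_SIGNATURE, False, Replacement(None, "SNN-EXAMPLE", True, True)),
    (Option.ONLY_WHEN_NO_SIGNATURE, True, Replacement(None, "SNN-EXAMPLE", True, True)),
    (Option.ONLY_WHEN_NO_SIGNATURE, True, Replacement("SNN-EXAMPLE", "SNN-EXAMPLE", True, True)),
    (Option.ALWAYS, True, Replacement(None, "SNN-EXAMPLE", True, True)),
    (Option.ALWAYS, True, Replacement(None, "SNN-EXAMPLE", False, True)),
]

if __name__ == "__main__":
    for option, signed, repl in SCENARIOS:
        print(f"{option.name:24} signature={signed!s:5} -> {decide(option, signed, repl).name}")
    print(audit(Option.ALWAYS, relied_on_for_sil=True))
```

The second scenario is the case that surprises people during maintenance: with a controller safety signature present, an out-of-box device is not configured until the SNN is written by hand.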
