Rockwell Automation GuardLogix 5580, GuardLogix 5380 Reference Manual

GuardLogix 5580 and Compact GuardLogix 5380 Controller Systems

Bulletin 1756 and 5069
Safety Reference Manual
Original Instructions
Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT: Identifies information that is critical for successful application and understanding of the product.
Labels may also be on or inside the equipment to provide specific precautions.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).
2 Rockwell Automation Publication 1756-RM012D-EN-P - August 2020
Table of Contents
Preface
  Summary of Changes
  Catalog Numbers
  Terminology
Chapter 1 - Safety Integrity Level (SIL) Concept
  SIL Certification
  Proof Tests
  GuardLogix Architecture
  Controller Specifications
  System Reaction Time
    Safety Task Reaction Time
    Safety Task Period and Safety Task Watchdog
  Contact Information If Device Failure Occurs
Chapter 2 - GuardLogix Controller System
  GuardLogix 5580 Controller Hardware
    Primary Controller
    Safety Partner
    Chassis
    Power Supply
  Compact GuardLogix 5380 Controller Hardware
    Compact GuardLogix 5380 SIL3 Controllers
    Power Supply
  Network Communication
    EtherNet/IP Network
    DeviceNet Safety Network
  Programming Overview
Chapter 3 - Safety I/O for the GuardLogix Control System
  Typical Safety Functions of Safety I/O Devices
    Diagnostics
    Status Data
    Status Indicators
    On-delay or Off-delay Function
  Reaction Time
  Safety Considerations for Safety I/O Devices
    Ownership
    Safety I/O Configuration Signature
    Safety I/O Device Replacement
Chapter 4 - CIP Safety Systems and Safety Network Numbers
  Unique Node Reference
  Safety Network Numbers (SNN)
  Routable CIP Safety System
  Considerations for Assigning SNNs
  How SNNs Get to Safety Devices
  SNN Formats
    Time-based SNN Format and Assignment
    Manual SNN Format and Assignment
  SNNs for Out-of-box Devices
Chapter 5 - Characteristics of Safety Tags, the Safety Task, and Safety Programs
  Differentiate Between Standard and Safety
  The Safety Task
    Safety Task Limitations
    Safety Task Execution Details
  SIL 2 and SIL 3 Safety Application Differences
    Safety I/O Modules
  Use of Human Machine Interfaces
    Precautions
    Access to Safety-related Systems
  Safety Programs
  Safety Routines
  Safety Tags
    Standard Tags in Safety Routines (Tag Mapping)
Chapter 6 - Safety Application Development
  Safety Concept Assumptions
  Basics of Application Development and Testing
  Commissioning Lifecycle
    Specification of the Safety Function
    Create the Project
    Test the Application Program
    Generate the Safety Signature
    Validate the Project
    Confirm the Project
    Safety Assessment
    Lock the Controller
  Download the Safety Application Program
  Upload the Safety Application Program
  Store and Load a Project from a Memory Card
  Force Data
  Inhibit a Device
  Online Editing
  Editing Your Safety Application
    Performing Offline Edits
    Performing Online Edits
    Modification Impact Test
Chapter 7 - Monitor Status and Handle Faults
  Status Indicators
  Monitoring System Status
    CONNECTION_STATUS Data
    Input and Output Diagnostics
    I/O Device Connection Status
    De-energize to Trip System
    Get System Value (GSV) and Set System Value (SSV) Instructions
  Safety Faults
    Nonrecoverable Controller Faults
    Nonrecoverable Safety Faults in the Safety Application
    Recoverable Safety Faults in the Safety Application
    View Faults
    Fault Codes
  1756-L8SP Safety Partner Fault
Appendix A - Safety Instructions
  Safety Instructions
Appendix B - Create and Use a Safety Add-On Instruction
  Create an Add-On Instruction Test Project
  Create a Safety Add-On Instruction
  Generate the Instruction Signature
  The Safety Instruction Signature
  SIL 2 or SIL 3 Add-On Instruction Qualification Test
  Safety Validate Add-On Instructions
  Create Signature History Entry
  Export and Import the Safety Add-On Instruction
  Verify Safety Add-On Instruction Signatures
  Test the Application Program
  Project Validation
  Safety Assessment
Appendix C - Reaction Times
  Connection Reaction Time Limit
    Specify the Requested Packet Interval (RPI)
    View the Maximum Observed Network Delay
  System Reaction Time
  Logix System Reaction Time
    Simple Input-logic-output Chain
    Logic Chain Using Produced/Consumed Safety Tags
  Factors That Affect Logix Reaction-time Components
    Configure Guard I/O Input Module Delay Time Settings
    Configure or View the Input and Output Safety Connection Reaction Time Limits
    Configure the Safety Task Period and Watchdog
    Access Produced/Consumed Tag Data
Appendix D - Checklists for GuardLogix Safety Applications
  Checklist for GuardLogix Controller System
  Checklist for Safety Inputs
  Checklist for Safety Outputs
  Checklist to Develop a Safety Application Program
Appendix E - GuardLogix Systems Safety Data
  Useful Life
  Safety Data
  Product Failure Rates
Appendix F - Studio 5000 Logix Designer Application, Version 31 or Later, Safety-application Instructions
  De-energize to Trip System
  Use Connection Status Data to Initiate a Fault Programmatically
Glossary
Index

Preface

Topic
Summary of Changes
Catalog Numbers
Terminology
This manual describes the GuardLogix® 5580 and Compact GuardLogix 5380 controller systems, which are type-approved and certified for use in safety applications as detailed in SIL Certification on page 9.
Use this manual for the development, operation, and maintenance of a GuardLogix 5580 or Compact GuardLogix 5380 controller-based safety system that uses the Studio 5000 Logix Designer® application. Read and understand the safety concepts and the requirements that are presented in this manual and familiarize yourself with applicable standards (for example IEC 61508, IEC 62061, IEC 61511, and ISO 13849-1) before operating a GuardLogix 5580 or Compact GuardLogix 5380 controller-based safety system.

Summary of Changes

This manual contains new and updated information as indicated in the following table.
Topic | Page
Clarified safety signature information | 56, 65
Added safety signature ID definition | 110

Catalog Numbers

This publication is applicable to these controllers:
GuardLogix 5580: 1756-L81ES, 1756-L81ESK, 1756-L82ES, 1756-L82ESK, 1756-L83ES, 1756-L83ESK, 1756-L84ES, 1756-L84ESK, 1756-L8SP, 1756-L8SPK
Compact GuardLogix 5380 SIL 2: 5069-L306ERS2, 5069-L306ERMS2, 5069-L310ERS2, 5069-L310ERMS2, 5069-L320ERS2, 5069-L320ERS2K, 5069-L320ERMS2, 5069-L320ERMS2K, 5069-L330ERS2, 5069-L330ERS2K, 5069-L330ERMS2, 5069-L330ERMS2K, 5069-L340ERS2, 5069-L340ERMS2, 5069-L350ERS2, 5069-L350ERS2K, 5069-L350ERMS2, 5069-L350ERMS2K, 5069-L380ERS2, 5069-L380ERMS2, 5069-L3100ERS2, 5069-L3100ERMS2
Compact GuardLogix 5380 SIL 3: 5069-L306ERMS3, 5069-L310ERMS3, 5069-L320ERMS3, 5069-L320ERMS3K, 5069-L330ERMS3, 5069-L330ERMS3K, 5069-L340ERMS3, 5069-L350ERMS3, 5069-L350ERMS3K, 5069-L380ERMS3, 5069-L3100ERMS3

Terminology

In this publication, the terms ‘GuardLogix controller’ or ‘GuardLogix system’ apply to both GuardLogix 5580 and Compact GuardLogix 5380 controllers unless otherwise noted.
Also, the term ‘SIL 2’ represents SIL 2, SIL CL2, and PLd, and ‘SIL 3’ represents SIL 3, SIL CL3, and PLe.
For common abbreviations and other definitions, see the Glossary on page 107.

Chapter 1
Safety Integrity Level (SIL) Concept
Topic
SIL Certification
Proof Tests
GuardLogix Architecture
Controller Specifications
System Reaction Time
Contact Information If Device Failure Occurs

SIL Certification

This section provides the SIL certifications and Performance Level for the controllers.
Table 1 - Safety Ratings for Safety Controllers
Controller System | IEC 61508 (Type-approved and certified for use in safety applications up to and including:) | IEC 62061 (Suitable for use in safety applications up to and including:) | ISO 13849-1 (Suitable for use in safety applications up to and including:)
GuardLogix® 5580 controller systems | SIL 2 (2), SIL 3 (3) | SIL CL2 (2), SIL CL3 (3) | Performance Level PLd (Cat. 3) (2), Performance Level PLe (Cat. 4) (3)
Compact GuardLogix 5380 controller systems (1) | SIL 2, SIL 3 | SIL CL2, SIL CL3 | Performance Level PLd (Cat. 3), Performance Level PLe (Cat. 4)
(1) SIL 2 Compact GuardLogix 5380 controller catalog numbers end with a 2 (example: 5069-L3xxxxxS2). SIL 3 Compact GuardLogix 5380 controller catalog numbers end with a 3 (example: 5069-L3xxxxxS3).
(2) Primary controller that is used without a safety partner.
(3) Primary controller that is used with a safety partner.
IMPORTANT In the remainder of this publication:
• SIL 2 represents SIL 2, SIL CL2, and PLd
• SIL 3 represents SIL 3, SIL CL3, and PLe
TÜV Rheinland has approved GuardLogix 5580 and Compact GuardLogix 5380 controller systems for use in safety-related applications where the de-energized state is considered to be the safe state.
All I/O examples in this manual are based on achieving de-energization as the safe state for typical machine safety and emergency shutdown (ESD) systems.
IMPORTANT As the system user, you are responsible for these items:
• The setup, SIL rating, and validation of any sensors or actuators that are connected to the GuardLogix system
• Project management and functional test
• Access control to the safety system, including password handling
• Programming the application and the device configurations in accordance with the information in this safety reference manual and these publications:
  - ControlLogix® 5580 and GuardLogix 5580 Controllers User Manual, publication 1756-UM543
  - CompactLogix™ 5380 and Compact GuardLogix 5380 User Manual, publication 5069-UM001
When applying Functional Safety, restrict access to qualified, authorized personnel who are trained and experienced.
Use the Studio 5000 Logix Designer® application to create programs for GuardLogix 5580 and Compact GuardLogix 5380 controllers. Only the safety task, not standard tasks, can be used for safety functions.

Proof Tests

IEC 61508 requires you to perform various proof tests of the equipment that is used in the system. Proof tests are performed at user-defined times. For example, proof tests can be once a year, once every 15 years, or whatever time frame is appropriate.
GuardLogix 5580 and Compact GuardLogix 5380 controllers have a useful life of 20 years, no proof test required. Other components of the system, such as safety I/O devices, sensors, and actuators can have different useful life times.
IMPORTANT Your specific applications determine the time frame for the useful life.

GuardLogix Architecture

This section provides examples of SIL 3 and SIL 2 systems, including:
• The overall safety function
• The GuardLogix portion of the overall safety function
• How other devices (for example, HMI) are connected, while operating outside the function
Figure 1 - Example SIL 3 System
[Figure labels: Safety System; Sensor; Actuator; Safety Controller; GuardLogix 5580 Controller With Safety Partner or Compact GuardLogix 5380 SIL 3 Controller; EtherNet/IP™ Adapter; I/O Modules; Safety I/O Modules; Safety I/O Module on Ethernet Network; Stratix® 5400 Switch; HMI Display; Programming Software; To Plant-wide Ethernet Network. Legend: Safety Network.]
Figure 2 - Example SIL 2 System
[Figure labels: Safety System; Sensor; Actuator; Safety Controller; Compact GuardLogix 5380 SIL 2 Controller, or GuardLogix 5580 Controller, with local safety I/O and standard I/O modules; EtherNet/IP Adapter; I/O Modules; Safety I/O Modules; Stratix 5400 Switch; HMI Display; Programming Software; To plant-wide Ethernet Network. Legend: Safety Network.]

Controller Specifications

These publications list the specifications and the agency certifications for the products:
• ControlLogix Controllers Technical Data, publication 1756-TD001
• CompactLogix 5380 Controllers Specifications Technical Data, publication 5069-TD002
Agency certifications are also marked on the product labels.
See http://www.rockwellautomation.com/global/certification/overview.page for Declarations of Conformity, Certificates, and other certification details.

System Reaction Time

The system reaction time is the worst-case time from a safety-related event as input to the system or as a fault within the system, until the time that the system is in the safe state.
This worst-case definition includes the effects of asynchronous communications, and multiple potential faults, occurring within the system. Actual reaction times may be faster.
[Figure labels: Sensor Reaction Time; Input Reaction Time; Safety Task Reaction Time; Output Reaction Time; Actuator Reaction Time]
Each of the reaction times is dependent on factors such as the type of I/O device and instructions that are used in the program.
IMPORTANT For more information on reaction time calculation, see Appendix C on page 83.
Safety Task Reaction Time
The safety task reaction time is the worst-case delay from any input change that is presented to the controller until the output producer sets the processed output. Use this equation to determine the safety task reaction time:
Safety task reaction time = (safety task period + safety task watchdog) × 1.01
The multiplier is for potential clock drift.
Safety Task Period and Safety Task Watchdog
The safety task period is the interval at which the safety task executes.
The safety task watchdog time is the maximum permissible time for safety task processing. If the time to process a safety task exceeds the safety task watchdog time, a nonrecoverable safety fault occurs in the controller, which results in a transition to the safe state (off).
You define the safety task watchdog time, which must be less than or equal to the safety task period.
The safety task watchdog time is set in the task properties window of the Studio 5000 Logix Designer application. This value can be modified online, regardless of controller mode, but it cannot be changed when the controller is safety-locked or once a safety signature is created.

Contact Information If Device Failure Occurs

If you experience a failure with any safety device, contact Rockwell Automation Technical Support: https://rockwellautomation.custhelp.com/
Your local Rockwell Automation sales office or Allen-Bradley distributor can also initiate the following actions:
• Return the device to us so the failure is logged for the catalog number that is affected, and a record is made of the failure.
• Request a failure analysis (if necessary) to try to determine the cause of the failure.

Chapter 2
GuardLogix Controller System
Topic
GuardLogix 5580 Controller Hardware
Compact GuardLogix 5380 Controller Hardware
Network Communication
Programming Overview
For safety certificate information, see http://www.rockwellautomation.com/global/certification/safety.page. Use the filters to search for your products.

GuardLogix 5580 Controller Hardware

See Additional Resources on page 8 to find installation information for GuardLogix® 5580 and Compact GuardLogix 5380 controllers.
The GuardLogix controller consists of a primary controller (1756-L8xES), which can be used alone in SIL 2 applications, and a safety partner (1756-L8SP), which is added to create the SIL 3-capable controller.
Both the primary controller and safety partner perform power-up and runtime functional-diagnostic tests of all safety-related components in the controller.
• Primary controller that is used without a safety partner is up to SIL 2.
• Primary controller that is used with a safety partner is up to SIL 3.
Controller | Cat. No.
GuardLogix 5580 controller | 1756-L81ES, 1756-L82ES, 1756-L83ES, 1756-L84ES, 1756-L8SP, 1756-L81ESK, 1756-L82ESK, 1756-L83ESK, 1756-L84ESK, 1756-L8SPK
For the most current list of GuardLogix controller and safety I/O devices certified series and firmware revisions, see the safety certificates at http://www.rockwellautomation.com/global/certification/safety.page.
Firmware revisions are available from the Rockwell Automation Product Compatibility and Download Center (PCDC) support website at http://www.rockwellautomation.com/global/support/pcdc.page.
You can fill slots of a SIL 2 or SIL 3 system chassis that are not used by the GuardLogix SIL 2 or SIL 3 system with other ControlLogix® (1756) modules that are certified to the Low Voltage and EMC Directives.
To find certificates for the controllers and I/O modules, see http://www.rockwellautomation.com/global/certification/overview.page.
Primary Controller
The primary controller is the processor that performs standard and safety control functions and communicates with the safety partner for safety-related functions in the GuardLogix control system. The primary controller consists of a central processor, I/O interface, and memory.
Safety Partner
To satisfy SIL 3 requirements, you must install a 1756-L8SP safety partner in the slot immediately to the right of the primary controller. The safety partner is a co-processor that provides 1oo2 architecture for safety-related functions in the system. The 1oo2 system does not run degraded. If the two processors disagree, or cannot communicate with each other, the result is a major nonrecoverable controller fault. For information on how to respond to this situation, see Knowledgebase Article GuardLogix and CompactGuardLogix Safety error codes.
For SIL 2 requirements, do not install a safety partner.
The primary controller configures the safety partner. Only one download of the user program to the primary controller is required. The primary controller controls the operating mode of the safety partner.
Chassis
The chassis provides the physical connections between modules and the 1756 GuardLogix system. Any failure, though unlikely, would be detected as a failure by one or more of the active components of the system. Therefore, the chassis is not relevant to the safety discussion.
Power Supply
No extra configuration or wiring is required for SIL 2 or SIL 3 operation of the ControlLogix power supplies. Any failure would be detected as a failure by one or more of the active components of the GuardLogix system. Therefore, the power supply is not relevant to the safety discussion.

Compact GuardLogix 5380 Controller Hardware

The Compact GuardLogix 5380 controller is a SIL 2 or SIL 3 capable controller that performs standard and safety control functions for safety-related functions in the Compact GuardLogix control system.
Controller | SIL Rating | Cat. No.
Compact GuardLogix 5380 | SIL 2 | 5069-L306ERMS2, 5069-L306ERS2, 5069-L310ERMS2, 5069-L310ERS2, 5069-L320ERMS2, 5069-L320ERS2, 5069-L320ERS2K, 5069-L320ERMS2K, 5069-L330ERMS2, 5069-L330ERS2, 5069-L330ERS2K, 5069-L330ERMS2K, 5069-L340ERMS2, 5069-L340ERS2, 5069-L350ERMS2, 5069-L350ERS2, 5069-L350ERS2K, 5069-L350ERMS2K, 5069-L380ERMS2, 5069-L380ERS2, 5069-L3100ERMS2, 5069-L3100ERS2
Compact GuardLogix 5380 | SIL 3 | 5069-L306ERMS3, 5069-L310ERMS3, 5069-L320ERMS3, 5069-L330ERMS3, 5069-L340ERMS3, 5069-L350ERMS3, 5069-L380ERMS3, 5069-L3100ERMS3, 5069-L320ERMS3K, 5069-L330ERMS3K, 5069-L350ERMS3K
IMPORTANT This equipment is supplied as open-type equipment for indoor use. It must be mounted within an enclosure that is suitably designed for those specific environmental conditions that are present and appropriately designed to prevent personal injury resulting from accessibility to live parts.
The enclosure must have suitable flame-retardant properties to prevent or minimize the spread of flame, complying with a flame spread rating of 5VA or be approved for the application if nonmetallic. The interior of the enclosure must be accessible only by the use of a tool.
For more information regarding specific enclosure type ratings that are required to comply with certain product safety certifications, see:
• Compact GuardLogix 5380 SIL 2 Controllers Installation Instructions, publication 5069-IN014
• Compact GuardLogix 5380 SIL 3 Controllers Installation Instructions, publication 5069-IN023
For the most current list of GuardLogix controller and safety I/O devices certified series and firmware revisions, see the safety certificates at http://www.rockwellautomation.com/global/certification/safety.page.
Firmware revisions are available from the Rockwell Automation Product Compatibility and Download Center (PCDC) support website at http://www.rockwellautomation.com/global/support/pcdc.page.
Expansion slots of the system bus can be populated with Compact 5000™ I/O expansion modules that are certified to the Low Voltage and EMC Directives and populated per the instructions that are listed under Power Supply.
To find certificates for the controllers and I/O modules, see http://www.rockwellautomation.com/global/certification/overview.page.
Compact GuardLogix 5380 SIL3 Controllers
For SIL 3/PLe safety applications, the Compact GuardLogix 5380 SIL 3 controller system consists of a primary controller with an internal safety partner that function together in a 1oo2 architecture.
The primary controller configures the safety partner. Only one download of the user program to the primary controller is required. The primary controller controls the operating mode of the safety partner.
Power Supply
For Functional Safety applications, SELV/PELV-listed power supplies are required for both module power (MOD) and sensor/actuator (SA) power.
Consider the following when you choose a power supply:
• The MOD power of the Compact GuardLogix 5380 controller must be powered by a 24V DC SELV/PELV-listed power supply.
• All local 24V DC safety I/O must be powered by a SELV/PELV-listed power supply.
• If the SA power connector of the Compact GuardLogix 5380 controller is used, it must be powered by a 24V DC SELV/PELV-listed power supply.
• If local 120/240V AC I/O are used in the Compact GuardLogix 5380 chassis, their 120/240V AC I/O SA power must be connected to a catalog number 5069-FPD module.
• If any standard I/O are used that are not powered by a SELV/PELV-listed power supply, their I/O power must be connected to a catalog number 5069-FPD module.
IMPORTANT For more information on how to power the 5069 platform when a CompactLogix™ or Compact GuardLogix Controller is present, see the CompactLogix 5380 and Compact GuardLogix 5380 User Manual, publication 5069-UM001.

Network Communication

This section provides examples of network communication configurations.
EtherNet/IP Network
The GuardLogix 5580 controller connects directly to an EtherNet/IP network through the onboard Ethernet port and supports 10/100/1000 Mbps network speeds. A separate Ethernet communication module is not required, but can be used in the local chassis.
Contact your local Rockwell Automation sales office or Allen-Bradley distributor for other communication interface modules that are available for use in the GuardLogix 5580 system.
Peer-to-peer safety communication between GuardLogix controllers is possible via the EtherNet/IP network. GuardLogix controllers can control and exchange safety data with safety I/O devices on an EtherNet/IP network, via the onboard Ethernet ports or EtherNet/IP bridges.
IMPORTANT A remote GuardLogix or Compact GuardLogix controller that has firmware earlier than revision 28 cannot consume data from a GuardLogix 5580 or Compact GuardLogix 5380 controller.
Older consumer controllers must be updated to at least firmware revision 28, or use a dedicated, separate EtherNet/IP module in the same rack as the 5580 GuardLogix, making a connection for produced/consumed tags that bridges through the Logix backplane.
See Knowledgebase Article Safety Tags produced by a GuardLogix 5580 controller consumed by an older GuardLogix 5570 controllers.
Figure 3 - GuardLogix 5580 Peer-to-peer Communication Via the EtherNet/IP Network
(Diagram labels: Controller A and Controller B, each a GuardLogix 5580 Controller with a GuardLogix 1756-L8SP Safety Partner and 1756 ControlLogix Digital Safety I/O; Stratix® 5410 Switch; EtherNet/IP™ Adapter with I/O Modules and Safety I/O Modules; PowerFlex® 527 Drive (CIP Safety™ enabled); Kinetix® 5700 Drives (with Safe Monitor Functions); 1732ES ArmorBlock® Guard I/O™ Module; 1734 POINT I/O™ Adapter with 1734 POINT Guard I/O™ Modules and 1734 POINT I/O Modules; Compact I/O™.)
TIP Peer-to-peer safety communication between two GuardLogix 5580 controllers in the same chassis is also possible via the backplane.
Compact GuardLogix 5380 controllers connect directly to the EtherNet/IP network through the onboard Ethernet ports. They also support 10/100/1000 Mbps network speeds. A local Ethernet communication module is not used.
Figure 4 - Compact GuardLogix 5380 Peer-to-peer Communication Via the EtherNet/IP Network
(Diagram labels: Controller A and Controller B, each a Compact GuardLogix 5380 Controller with Compact 5000 I/O Safety Modules and Compact 5000 I/O Modules; Stratix 5410 Switch; EtherNet/IP Adapter with I/O Modules and Safety I/O Modules; PowerFlex 527 Drive (CIP Safety enabled); Kinetix 5700 Drives (with Safe Monitor Functions); 1732ES ArmorBlock Guard I/O Module; 1734 POINT I/O Adapter with 1734 POINT Guard I/O Modules and 1734 POINT I/O Modules; Compact I/O™.)
DeviceNet Safety Network
DeviceNet® bridges let the GuardLogix controller control and exchange safety data with safety I/O modules on a DeviceNet network.
Figure 5 - GuardLogix 5580 Communication Via a DeviceNet Bridge
(Diagram labels: GuardLogix 5580 Controller with GuardLogix 1756-L8SP Safety Partner; ControlLogix DeviceNet Bridge; DeviceNet Network; Guard I/O™ Modules.)
Compact GuardLogix 5380 controllers can communicate with safety devices on a DeviceNet network via a 1788-EN2DNR EtherNet/IP to DeviceNet linking device.
Figure 6 - Compact GuardLogix 5380 Controller with a DeviceNet Network
(Diagram labels: Compact GuardLogix 5380 Controller with local safety I/O and standard I/O modules; EtherNet/IP Network; 1788 EtherNet-to-DeviceNet Linking Device; DeviceNet Network; Guard I/O Modules.)

Programming Overview

Use the Studio 5000 Logix Designer® application to program GuardLogix safety controllers.
Use the Studio 5000 Logix Designer application to define the location, ownership, and configuration of I/O devices and controllers and create, test, and debug program logic. Only ladder diagram is supported in the GuardLogix safety task.
See Appendix A on page 73 for information on the set of logic instructions available for safety projects.
IMPORTANT When the GuardLogix controller is in Run or Program mode and you have not validated the application program, you are responsible for maintaining safe conditions.
Chapter 3
Safety I/O for the GuardLogix Control System
Topic
Typical Safety Functions of Safety I/O Devices
Reaction Time
Safety Considerations for Safety I/O Devices
Before you operate a GuardLogix® safety system with safety I/O devices, you must first read, understand, and follow all safety information in the product documentation for those products.
Safety I/O devices can be connected to safety input and output devices, like sensors and actuators. The GuardLogix controller monitors and controls the devices. For safety data, I/O communication is performed through safety connections by using the CIP Safety™ protocol; safety logic is processed in the GuardLogix controller.

Typical Safety Functions of Safety I/O Devices

The following is treated as the safe state by safety I/O devices:
• Safety outputs: OFF
• Safety input data to controller: OFF
Use safety I/O devices for applications that are in the safe state when the safety output turns OFF.
Diagnostics
Safety I/O devices perform self-diagnostics when the power is turned ON and periodically during operation. If a diagnostic failure is detected, safety input data (to the controller) and local safety outputs are set to their safe state (OFF).
Status Data
In addition to safety input and output data, safety I/O devices support status data to monitor device and I/O circuit health. See the product documentation for your device for specific product capabilities.
Status Indicators
The safety I/O devices include status indicators. For details on status indicator operation, see the product documentation for your specific device.
On-delay or Off-delay Function
Some safety I/O devices can support on-delay and off-delay functions for input signals. In some applications, you must include off-delay, on-delay, or both when you calculate system reaction time.
For example, the On-to-Off delay filter helps to filter out noise that affects the input logic level.
See Appendix C on page 83 for information on system reaction time.

Reaction Time

The input reaction time is the time from when the signal changes on an input terminal to when safety data is sent to the GuardLogix controller.
The output reaction time is the time from when safety data is received from the GuardLogix controller to when the output terminal changes state.
For information on how to determine the input and output reaction times, see the product documentation for your specific safety I/O device.
See Appendix C on page 83 for information on how to calculate the system reaction time.

Safety Considerations for Safety I/O Devices

You must commission all devices with a node or IP address and communication rate, if necessary, before their installation on a safety network.
Ownership
One GuardLogix controller owns each safety I/O device in a GuardLogix system. Multiple GuardLogix controllers and multiple safety I/O devices can be used without restrictions in chassis or on networks, as needed. When a controller owns an I/O device, it stores the configuration data that you define for that device. This configuration controls how the devices operate in the system.
From a control standpoint, one controller controls safety output devices. One controller also owns each safety input device. However, safety input data can be shared (consumed) by multiple GuardLogix controllers.
Safety I/O Configuration Signature
IMPORTANT The safety I/O configuration signatures apply to individual safety modules. This is different than the controller safety signature, which applies to the entire safety portion of the controller.
The configuration signature is calculated from the configuration of the safety I/O device. The configuration signature is used to verify that the device is configured as expected by the safety application. When you use a GuardLogix controller, you do not have to monitor this signature. The GuardLogix controller automatically monitors the signature. If the configuration signature changes unexpectedly, the safety connection between the controller and I/O module is broken, which causes the I/O module to enter its safe state.
When using a third-party module, if you connect to a safety I/O device without a configuration signature, you must verify that a valid configuration exists in the safety I/O device.
IMPORTANT Rockwell Automation® safety I/O modules typically default to using the configuration signature and do not allow your system to run without a configuration signature.
Safety I/O Device Replacement
The replacement of safety devices requires that the replacement device is properly configured, and that the operation of the replacement device is verified.
ATTENTION: During replacement or functional testing of a device, the safety of the system must not rely on any portion of the affected device.
Two options for I/O device replacement are available on the Safety tab of the Controller Properties dialog box in the Studio 5000 Logix Designer® application:
• Configure Only When No Safety Signature Exists
• Configure Always
Figure 7 - Safety I/O Replacement Options
Configure Only When No Safety Signature Exists
This setting instructs the GuardLogix controller to configure a safety device when the safety task does not have a safety signature, and the replacement device is in an out-of-box condition with no safety network number.
If the controller has a safety signature, the GuardLogix controller automatically configures the replacement safety I/O device if all of the following are true:
• The device already has the correct safety network number.
• The device electronic keying is correct.
• The node or IP address is correct.
To set the proper safety network number (SNN) when a controller safety signature exists, a manual action is required to download the proper SNN. Go online to the GuardLogix or Compact GuardLogix controller with the Studio 5000 Logix Designer® application, then open the Module Properties dialog, General tab, and click the “…” button next to the Safety Network Number. Use the Set button to write the SNN to the module manually. After the manual action, the remainder of the configuration is automatically downloaded.
For detailed information, see the Replace a Safety I/O Device procedure in the user manual for the controller:
• ControlLogix 5580 and GuardLogix 5580 Controllers User Manual, publication 1756-UM543
• CompactLogix 5380 and Compact GuardLogix 5380 User Manual, publication 5069-UM001
Configure Always
The GuardLogix controller attempts to configure a replacement safety I/O device automatically if the device is in an out-of-box condition (that is, when a safety network number does not exist in the replacement safety device, and the node number and I/O device keying match the configuration of the controller).
ATTENTION: Enable the Configure Always feature only if the entire routable Safety control system is not being relied on to maintain SIL 2 or SIL 3 behavior during the replacement and functional testing of a device. See Routable Safety System on page 32.
If other parts of the Safety control system are being relied upon to maintain SIL 2 or SIL 3, make sure that the Configure Always feature of the controller is disabled.
It is your responsibility to implement a process to make sure that proper safety functionality is maintained during device replacement.
ATTENTION: To place a device in the out-of-box condition on a Safety network when the Configure Always feature is enabled, follow the device replacement procedure in the user manual:
• ControlLogix 5580 and GuardLogix 5580 Controllers User Manual, publication 1756-UM543
• CompactLogix 5380 and Compact GuardLogix 5380 User Manual, publication 5069-UM001
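The two replacement options described above, written out as a decision function that can be used when reviewing a project's Safety tab setting against a planned device swap. This is an added example, not Rockwell Automation code: the names Setting, Outcome, Replacement, outcome and review are assumptions, and any scenario this section does not describe returns NOT_DESCRIBED instead of a guess.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Setting(Enum):
    ONLY_WHEN_NO_SIGNATURE = "Configure Only When No Safety Signature Exists"
    ALWAYS = "Configure Always"


class Outcome(Enum):
    AUTO = "controller configures the replacement automatically"
    MANUAL_SNN = "write the SNN manually; the rest then downloads automatically"
    NOT_DESCRIBED = "not covered by this section; follow the user manual procedure"


@dataclass(frozen=True)
class Replacement:
    snn: Optional[str]  # None models the out-of-box condition (no SNN stored)
    keying_ok: bool     # electronic keying matches the controller project
    address_ok: bool    # node or IP address matches the controller project


def outcome(setting: Setting, has_signature: bool, expected_snn: str,
            dev: Replacement) -> Outcome:
    """Map one replacement scenario to what this section says happens."""
    out_of_box = dev.snn is None
    matches = dev.keying_ok and dev.address_ok
    if setting is Setting.ALWAYS:
        # Only the out-of-box case with matching node and keying is described.
        return Outcome.AUTO if out_of_box and matches else Outcome.NOT_DESCRIBED
    if not has_signature:
        # No safety signature: an out-of-box device is configured.
        return Outcome.AUTO if out_of_box else Outcome.NOT_DESCRIBED
    if not matches:
        return Outcome.NOT_DESCRIBED
    if dev.snn == expected_snn:
        return Outcome.AUTO
    # A safety signature exists and the device has no SNN yet: manual step.
    return Outcome.MANUAL_SNN if out_of_box else Outcome.NOT_DESCRIBED


def review(setting: Setting, rest_relied_on_for_sil: bool) -> List[str]:
    """Findings for a project review, taken from the ATTENTION text."""
    findings = []
    if setting is Setting.ALWAYS and rest_relied_on_for_sil:
        findings.append("Configure Always is enabled while other parts of the "
                        "safety control system are relied on for SIL 2 or SIL 3; "
                        "make sure the feature is disabled.")
    return findings
```

With Configure Always, an out-of-box device at the expected node with matching keying is accepted without the manual SNN step, which is why the review function flags that setting whenever the rest of the system is still being relied on.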