Table of Contents
Safety Signature
Lock/Unlock
Configuration Signature
Worst Case Reaction Time
Connection Reaction Time Limit (CRTL)
Mapping Tool / Tag support in Safety and Standard Task
What makes GuardLogix Red?
What makes CIP Safety Safe?
Safety Network Number (SNN)
CIP Safety Connections / Reset Ownership
Safety I/O Module Replacement
Download Program with Safety Signature in place
Flashing Lock LED on Safety I/O Modules
RSLogix 5000 V16 Safety Instructions
Single vs Dual channel configuration
1791ES Safety Connections
How the V17 SMAT instruction works
Explicit Messaging of the 1791DS modules from Logix
Can I have spare Safety modules ready for plug-in?
Metal Form V17 instructions
Wiring Diagrams: Common Safety Devices
Safety Signature
The safety signature is a UNIQUE identifier for the safety portion of a GuardLogix
project. It combines a CRC of the program, along with a TIME and DATE stamp. So
even if you generate signatures at two different times for the same project, the signatures
will be different due to the time change.
After the safety signature is generated, you can no longer edit, force … the safety
program. The safety signature has to be deleted to edit the safety program.
The safety signature provides the ability to know that a safety program has NOT been
changed. If you certify a program, and then immediately generate a safety signature, then
as long as that signature stays the same, you know with absolute certainty that the
program has NOT been changed. And if the signature does change, then you may be
running with a non-certified safety program.
When the signature is generated, it is generated online and then sent back to the offline
project. So if the safety signature has somehow been changed, you can always download
the ‘original unedited’ offline project, and the safety signature should be back to its
original value. If the safety signature goes back to its original value, then the program is
still certified.
A secondary function of the safety signature is that it is required to run as a SIL3
controller. In other words, until the safety signature is generated, GuardLogix is a
ControlLogix controller. There are two major items turned on by the signature. The first
is a memory protection unit (MPU) that makes it impossible to write into safety memory.
The second is the cross-checking between the Controller and Partner of the memory
protected by the MPU.
Lock/Unlock
When locked, the safety signature cannot be deleted. The typical scenario is to generate a
safety signature and then lock the controller. Before any edits can be made to the
safety program, the controller has to be unlocked (requiring a password) and then
the safety signature has to be deleted.
Configuration Signature
The Configuration Signature defines the configuration of a safety I/O module.
When a GuardLogix controller and safety I/O module establish a safety connection, and
the configuration signatures do not match, the GuardLogix downloads the complete
configuration to the safety module. When a GuardLogix and safety I/O module establish
a safety connection, if the configuration signatures are the same, then the configuration
does not need to be downloaded, because they already match.
The safety connection between the GuardLogix and safety I/O module is based on many
things, including the configuration signature. If the configuration of the safety I/O
module were to somehow change (using the RSNetworx editor, for example), then the
safety connection would be broken. When it was re-established, the module
configuration from the GuardLogix would be downloaded.
Worst Case Reaction Time
The worst case reaction time defines the maximum amount of time it can take from the
time 24Vdc is at the input terminal to the time 24Vdc is removed from the output
terminal. In other words, how long will it take for GuardLogix to do its part to stop the
machine when the light curtain is breached? The worst case time assumes that every
portion of the GuardLogix system runs right up against the watchdog/timeout but never
actually trips it out.
[Figure: reaction time components of the GuardLogix system; the diagram labels D and E are not reproduced here]
C – GuardLogix Delay
This delay is equal to the sum of the Period and Task Watchdog.
Since the input scan is asynchronous, we assume we just miss the input and therefore
have to wait one complete Period before we scan the logic with the input. Once we have
the input into GuardLogix, we complete the task, and then send out the output to turn the
machine off.
Obviously, by changing the Period and Task Watchdog, you can affect the maximum
GuardLogix delay.
If the worst case reaction time meets the customer’s system requirements, then nothing
needs to be changed. But if the worst case reaction time needs to be reduced, the options are
to reduce the following:
Safety Task Period
Safety Task Watchdog
Input CRTL
Output CRTL
Connection Reaction Time Limit (CRTL)
The CRTL is defined by three values:
RPI
Timeout Multiplier
Network Delay Multiplier
My suggestion is not to worry about what Network Delay Multiplier and Timeout
Multiplier really mean. Just think of them as TIME. By adjusting these values, you can
adjust the CRTL. Once every RPI, the safety module places its inputs on the wire.
After every safety program scan, the GuardLogix controller places its outputs on the wire.
The CRTL is essentially how long to wait for any of these messages to get through to the
other side. If you use the Input CRTL default of 4xRPI, then you actually are allowing
any of 4 separate messages from the safety module to get through to the controller before
timing out. If you adjust the CRTL down so that it equals the RPI, then each message
must get through to avoid a timeout. Reducing the CRTL reduces the worst case reaction
time (good) but may also lead to nuisance trips (bad). Increasing the CRTL increases the
worst case reaction time (bad) but also reduces the possibility of nuisance trips (good).
You need to find the best compromise for your customer. But waste little time trying to
define Timeout Multiplier and Network Delay Multiplier for your customer; it will just
make your head hurt. Think of them in terms of TIME.
Every additional Timeout Multiplier adds an additional RPI to the CRTL.
Every additional 100% of Network delay adds an additional RPI to the CRTL.
These additional RPIs are just more TIME (in ms) to wait before timing out.
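The rules above (one RPI per Timeout Multiplier step, one RPI per 100% of Network Delay Multiplier, GuardLogix delay = Period + Watchdog) turned into a small calculator. This is an added example, not code from the original document; the default multipliers of 2 and 200% are assumed because they reproduce the 4xRPI input default, and input/output module internal delays are deliberately left out.

```python
"""CRTL and the controller-side worst case reaction time budget.

Added example, not code from the original document. Encodes the rules the
text states: every extra Timeout Multiplier adds one RPI to the CRTL, every
extra 100% of Network Delay Multiplier adds one RPI, and the GuardLogix
delay (item C) is the Safety Task Period plus the Task Watchdog. The default
multipliers (Timeout Multiplier 2, Network Delay Multiplier 200%) are an
assumption chosen because they reproduce the 4 x RPI input default.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SafetyConnection:
    """One CIP Safety connection as seen from the GuardLogix."""
    rpi_ms: float
    timeout_multiplier: int = 2              # assumed default
    network_delay_multiplier_pct: int = 200  # assumed default, in percent

    def crtl_ms(self) -> float:
        # CRTL = RPI x Timeout Multiplier + RPI x (Network Delay Multiplier / 100)
        return self.rpi_ms * (self.timeout_multiplier
                              + self.network_delay_multiplier_pct / 100.0)

    def tolerated_lost_messages(self) -> int:
        # With CRTL = 4 x RPI any one of 4 consecutive messages keeps the
        # connection alive, so 3 may be lost; with CRTL = RPI none may be lost.
        return max(int(self.crtl_ms() // self.rpi_ms) - 1, 0)


def guardlogix_delay_ms(period_ms: float, watchdog_ms: float) -> float:
    """Item C: one full Period (the input just missed the scan) plus the
    Task Watchdog (the scan runs right up against it without tripping)."""
    return period_ms + watchdog_ms


def controller_side_reaction_time_ms(inputs: SafetyConnection,
                                     outputs: SafetyConnection,
                                     period_ms: float,
                                     watchdog_ms: float) -> float:
    """Sum of the four terms the text lists as adjustable: Input CRTL,
    Safety Task Period, Safety Task Watchdog and Output CRTL.
    Input and output module internal delays are not modelled (assumption)."""
    return (inputs.crtl_ms()
            + guardlogix_delay_ms(period_ms, watchdog_ms)
            + outputs.crtl_ms())


def tighten_input_crtl(conn: SafetyConnection) -> SafetyConnection:
    """The 'CRTL equals RPI' setting from the text: every message must arrive.
    Shorter worst case reaction time, higher nuisance-trip risk."""
    return SafetyConnection(conn.rpi_ms, timeout_multiplier=1,
                            network_delay_multiplier_pct=0)


if __name__ == "__main__":
    period, watchdog = 20.0, 20.0                # constructed sample settings, ms
    inputs = SafetyConnection(rpi_ms=10.0)
    outputs = SafetyConnection(rpi_ms=period)    # outputs go out once per scan (assumed RPI)
    print("input CRTL", inputs.crtl_ms(), "ms; lost messages tolerated",
          inputs.tolerated_lost_messages())
    print("worst case, controller side:",
          controller_side_reaction_time_ms(inputs, outputs, period, watchdog), "ms")
    tight = tighten_input_crtl(inputs)
    print("with input CRTL = RPI:",
          controller_side_reaction_time_ms(tight, outputs, period, watchdog), "ms")
```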
Mapping Tool / Tag support in Safety and Standard Task
The mapping tool exists for one reason: to make sure that someone does not
INADVERTENTLY use standard tags in the safety task. An example of a standard input
being used in a safety routine is a reset pushbutton. We want users to be able to do this,
we just want it to be done on purpose. So the mapping tool provides the mechanism to
purposely map standard tags for use in the safety task. The mapping takes place once
(and only once) prior to executing the safety task.
When you are in the safety task, only the safety tags appear in the tag pull downs.
When you are in the standard task, all tags appear in the pull downs, both safe and
standard. There is no problem using a safety tag in the standard task.
What makes GuardLogix Red?
This topic comes up primarily because the GuardLogix is an integrated controller.
Integrated meaning that it can be used simultaneously as both a standard and safety
controller. A customer may want to know what we have added to make sure that ‘issues’
on the standard side do not affect the safety side.
Here are the top 5 things that you should list:
1) Safety memory (1MB) and standard memory are logically isolated from each other,
using memory protection units (MPUs). There are two (2) MPUs, one in the primary
controller, and one in the partner.
2) Safety memory is tested 3 times every day.
3) Primary controller reads I/O over the safety network and transfers it (filter free)
directly to the partner. Logically, it is as if both are connected to the network.
4) The controller and partner sync up and then complete a single scan of the safety task,
then sync up again. At this point, each side sends the results of the scan to the other, and
performs a cross check on the results. If both sides agree that the results are identical,
then outputs are sent out to the safety modules.
5) This guarantees that if one (1) of the MPUs messes up, the results of the scan will not
be the same, and the system will go to the safe state.
What makes CIP Safety Safe?
1) The data is sent twice, typically within the same message.
2) Separate CRCs protect both data sets, and an overall CRC protects the message.
3) Data is time stamped so that the receiver knows how old the data is.
4) Time synchronization messages are sent once per 100 RPIs for inputs and once per 19
RPIs for outputs so that time stays synchronized between nodes.
5) Each safety connection has a CRTL. If new data is not received within each CRTL,
outputs go to the safe state.
Safety Network Number (SNN)
The best way to describe why CIP safety uses SNN is with an example.
There are 64 node numbers on DeviceNet.
If you have 65 or more nodes in your facility, then you MUST have duplicate node
numbers, and multiple DNBs to handle this.
So if DNB#1 has a 1791DS module that is node 5, and DNB#2 also has a 1791DS
module that is node 5, then the SNN is added to the ‘identifier’ to make it unique once
again.
If the SNN of all nodes on DNB#1 is 100, and the SNN of all nodes on DNB#2 is 200,
then the node numbers of the 1791DS modules are actually 100/5 and 200/5.
This would protect you from the following issue. If both DNBs were in side by side slots,
and the DeviceNet cables were inadvertently yanked off, and reattached incorrectly, the
CIP safety connections to those safety nodes would be broken. The GuardLogix
controller would say: I had a connection to a node 100/5 through DNB#1, and now it is
connected through DNB#2. And vice versa. So the connection does NOT get re-
established until you switch the cables so they are correct.
The good news is that if you accept the default SNNs that RSLogix 5000 provides, then
all will operate safely. RSLogix 5000 will give each safety node under a bridge the
identical SNN.
CIP Safety Connections / Reset Ownership
This section describes when you have to ‘Reset Ownership’ for a safety node.
The connection is based on many things, including:
1) Node number on DeviceNet or IP address on Ethernet
2) Safety Network Number (SNN)
3) GuardLogix Slot number
4) GuardLogix Safety Network Number (SNN)
5) Path
6) Configuration Signature
If any of these change, then the connection between GuardLogix and the safety module is
lost, the yellow yield sign in the RSLogix5000 tree appears, and you will likely have to
‘Reset Ownership’ to re-establish the connection.
Safety I/O Module Replacement
The topic of replacing a safety I/O module is slightly more complicated than ‘standard’
devices because of the Safety Network Number (SNN). The SNN is one component of a
safety node’s identifier, the other being its node number (or MacID). Safety devices
require a more complex identifier because duplicate node numbers make it difficult to
guarantee that the communications are between the correct nodes. DeviceNet only
supports 64 node numbers. So if you have 100 devices sitting on multiple DeviceNet
networks in your facility, then there are at least 36 duplicate node numbers being used in
your facility. Even though the duplicate nodes are on separate DeviceNet networks, it is
still a concern for any safety system. See the example below. DNB scanner #1 is
connected to node 5. DNB scanner #2 is connected to another node 5. If the cables get
inadvertently crossed, the scanners may now be communicating with the wrong node 5.
[Figure: DNB scanner #1 and DNB scanner #2, each connected to a node 5, before and after the cables are crossed]
This is unacceptable for a safety system. So the SNN has been added to guarantee unique
identification of every safety device. In the example below, all devices connected to
DNB scanner #1 have been given an SNN of 100. All devices connected to scanner #2
have been given an SNN of 101. The safety devices are identified as 100/5 and 101/5, a
combination of the SNN and node #. If the cables are inadvertently crossed, the node
connected to DNB #1 changed from 100/5 to 101/5. The node connected to DNB #2
changed from 101/5 to 100/5. Because of this change, the safety connections are NOT
made.
[Figure: the same two scanners with the nodes identified as 100/5 (SNN 100) and 101/5 (SNN 101), before and after the cables are crossed]
Considerations when replacing an I/O module connected to GuardLogix
The Safety tab of the GuardLogix Controller has a selection called ‘When replacing
Safety I/O’. The choices are ‘Configure Always’ and ‘Configure Only When No Safety
Signature Exists’.
It is important to note that if GuardLogix is being used for SIL3, then ‘Configure Only
When No Safety Signature Exists’ is the option you must choose. This option makes sure
that if a safety signature exists (and you must have a safety signature to be SIL3), that the
SNN of the replacement DIO module must match that of the GuardLogix controller
before a connection between them can be made.
If ‘Configure Always’ is set, it is possible for any GuardLogix controller in the system
that meets the following three criteria to take ownership and make a connection to the
replacement module.
1) the node # and Module type of the replacement module is in the GuardLogix tree
2) the GuardLogix has no connection to that node #
3) the GuardLogix can bridge/route to the module
Although the chances are minimal, this allows the possibility of the wrong controller
taking ownership of the replacement module. For this reason, ‘Configure Only When No
Safety Signature Exists’ is the option required for a SIL3 system.
Configure Always
When configured for Configure Always, the GuardLogix will make a connection to any
replacement module and download the module’s configuration as long as the replacement
module does not have an existing SNN that is different from the original. For modules
with different SNNs, ‘Reset Ownership’ (see picture below) can be selected from
RSLogix 5000. ‘Reset Ownership’ essentially places the module into an out-of-box
condition which, as the chart shows, requires no action for GuardLogix to take ownership
of the module.
Configure Only When No Safety Signature Exists
The chart above may seem a bit confusing, but the basic idea is that if a safety signature
exists, then SET (see picture below) is required to download the correct SNN from the
correct GuardLogix project to the replacement module. The only exception to this would
be that the SNN is already the same as the replacement module, in which case no action
is required.
If no safety signature exists, then notice how the chart becomes identical to the
‘Configure Always’ chart. In other words, this setting is for applications where SIL3 is
required and thus a safety signature has been applied to the GuardLogix Controller.
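The two replacement charts and the three ownership criteria from the ‘Configure Always’ discussion, written out as a decision function so the difference between the settings can be checked case by case. This is an added example, not code from the original document; the controller names, SNN values and node numbers are constructed sample data, and the module type string is taken from the explicit messaging section of this document.

```python
"""Replacement decisions for a safety I/O module connected to GuardLogix.

Added example, not code from the original document. Encodes the two
'When replacing Safety I/O' settings as the text describes them:
Configure Always takes ownership of an out-of-box module or one that already
carries the same SNN and needs 'Reset Ownership' when the SNN differs;
Configure Only When No Safety Signature Exists behaves identically until a
safety signature exists, after which SET is required unless the SNN matches.
Controller names, SNNs and node numbers below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class ReplaceMode(Enum):
    CONFIGURE_ALWAYS = "Configure Always"
    CONFIGURE_ONLY_NO_SIG = "Configure Only When No Safety Signature Exists"


def replacement_action(mode: ReplaceMode, signature_present: bool,
                       controller_snn: int, module_snn: Optional[int]) -> str:
    """Operator action the charts call for. module_snn is None for an
    out-of-box module (no SNN stored in its flash)."""
    if module_snn == controller_snn:
        return "none"              # SNN already matches: no action in either chart
    if mode is ReplaceMode.CONFIGURE_ONLY_NO_SIG and signature_present:
        return "SET"               # download the correct SNN from the correct project
    # Configure Always, or no signature yet: this is the Configure Always chart
    if module_snn is None:
        return "none"              # out-of-box module: controller takes ownership
    return "Reset Ownership"       # different SNN: return module to out-of-box first


@dataclass
class Controller:
    name: str
    snn: int
    signature_present: bool
    mode: ReplaceMode
    tree: Set[Tuple[int, str]] = field(default_factory=set)  # (node, module type) in I/O tree
    connected: Set[int] = field(default_factory=set)         # nodes with a live connection
    routable: Set[int] = field(default_factory=set)          # nodes this controller can bridge to


def claimants(controllers: List[Controller], node: int, module_type: str) -> List[str]:
    """Controllers that could take ownership of an out-of-box replacement.

    Under Configure Always the text names three criteria: the node # and
    module type are in the tree, there is no existing connection to that
    node #, and the controller can bridge/route to it. A controller running
    Configure Only When No Safety Signature Exists with a signature in place
    first needs SET from its own project, so it is not a claimant here.
    """
    names = []
    for c in controllers:
        if c.mode is ReplaceMode.CONFIGURE_ONLY_NO_SIG and c.signature_present:
            continue
        if ((node, module_type) in c.tree and node not in c.connected
                and node in c.routable):
            names.append(c.name)
    return names


def sample_controllers(sil3: bool) -> List[Controller]:
    """Two constructed controllers that both know a node 5 of the same type
    and can both route to it; sil3 switches them to the SIL3 setting."""
    mode = ReplaceMode.CONFIGURE_ONLY_NO_SIG if sil3 else ReplaceMode.CONFIGURE_ALWAYS
    return [Controller(n, snn, True, mode, {(5, "1791DS-IB8xOBV4")}, set(), {5})
            for n, snn in (("GLX_line1", 100), ("GLX_line2", 101))]


if __name__ == "__main__":
    print("Configure Always, out-of-box node 5 claimable by:",
          claimants(sample_controllers(sil3=False), 5, "1791DS-IB8xOBV4"))
    print("SIL3 setting, out-of-box node 5 claimable by:",
          claimants(sample_controllers(sil3=True), 5, "1791DS-IB8xOBV4"))
    print("SIL3 setting, action for out-of-box module:",
          replacement_action(ReplaceMode.CONFIGURE_ONLY_NO_SIG, True, 100, None))
```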
Best practices for GuardLogix
For SIL3 applications
1) Configure GuardLogix Controller properties for ‘Configure Only When No
Safety Signature Exists’. This selection is located on the Safety tab of the
Controller properties.
Flashing Lock LED on Safety I/O Modules
This LED indicates whether the 1791DS module is locked or unlocked. If locked, its
configuration cannot be changed. This LED is not associated with the LOCK/UNLOCK
feature of the GuardLogix safety signature. There is NO way to get it to stop flashing
using RSLogix5000. RSLogix5000 has no interaction with the LOCK LED at all.
The flashing LOCK LED on the safety modules is an irritation to many, but whether it is
steady or flashing has NO bearing on the safety of your I/O.
An editor that does interact with this function is RSNetworx for DeviceNet. Using the
‘Safety Device Verification Wizard’ in RSNetworx, you can LOCK/UNLOCK the
1791DS modules. Note that if the 1791DS module is locked, RSLogix5000 cannot
change the module configuration.
So if a customer is irritated by this flashing LED, I suggest the following:
1) Configure the 1791DS module using RSLogix5000.
2) After the program is validated, generate a safety signature and LOCK the GuardLogix
controller. The 1791DS Lock LED will be flashing at this point.
3) Within RSNetworx for DeviceNet, use the ‘Safety Device Verification Wizard’ to
LOCK the 1791DS module. The Lock LED will now be steady.
4) If a module configuration change is required to the 1791DS module, use the ‘Safety
Device Verification Wizard’ to unlock the 1791DS module. Then the module
configuration can be changed.
RSLogix 5000 V16 Safety Instructions
The EStop, RIN (Redundant Input), DIN (Diverse Input), and Enable Pendant
instructions are virtually identical. They are used for dual channel safety inputs.
Their basic function is that if both input channels are HI, and there are NO faults, then
the output is set HI.
The only difference between a RIN and ESTOP is the name. The reason for having both
is that customers wanted an ESTOP instruction, but they did not want to use an ESTOP
instruction for other safety inputs, such as a door switch. So both the ESTOP and RIN
were needed.
The Enable Pendant is the same as the ESTOP and RIN, except for the Inputs
Inconsistent timer. It is 500ms for the ESTOP and RIN and 3 seconds for the Enable
Pendant. The reason is that the enable pendant has to be held in the middle position to
engage it; if squeezed too much or too little, it is disengaged. This allows a greater
opportunity for the dual contacts to be in different states, and thus a longer Inputs
Inconsistent (II) timer is provided.
The DIN is identical to the ESTOP and RIN except for one obvious difference; the safe
state for the channels is A LO and B HI. This is why it is a Diverse Input instruction. It
is used for input devices that have diverse channels. Note that the ESTOP, RIN, and
Enable Pendant instructions have a safe state of LO/LO because the dual channels are
typically in the same state. This creates one issue that must be programmatically
addressed. When there is a communications fault, both channels will be set LO, which
likely will cause an inputs inconsistent fault, if your software does not force channel B HI
in this instance.
LC stands for Light Curtain. This instruction differs because it adds a mute function and
an input filter. Even though the instruction is called Light Curtain, you would likely use
this instruction whenever you are using a device that has OSSD1 and OSSD2
semiconductor outputs that are pulse tested by the safety device, not the GuardLogix. For
example, a Light Curtain pulse tests its dual outputs, OSSD1 and OSSD2. So at the input
terminal, the input is going LO during this pulse test. This LO pulse needs to be filtered
out, and this is the purpose of the input filter on the instruction.
The purpose of the Mute function is that when enabled, the input channels are basically
ignored, so that you can breach the light curtain without turning the output of the
instruction LO. Typically, devices such as light curtains and laser scanners have periods
within a machine cycle where they are muted, allowing an operator to breach the LC to
perform some function.
THRS stands for Two Hand Run Station. Typically a set of palm buttons that an
operator has to depress for the machine to cycle. Hence the term, palm up. The input
channels are diverse for the THRS. The additional input for this instruction is Active Pin.
The purpose of this feature is to activate or deactivate a run station. For example, during
first and second shift; four operators and four run stations are required to cycle the
machine. But on third shift only two operators are present. So the active pins are
disabled on the two stations that are not being used, and the machine can be cycled using
only two active stations.
FPMS stands for Five Position Mode Selector. This instruction basically ensures that a
selector switch (up to five positions) is in one and ONLY one position at all times. If no
position is enabled, then the instruction is faulted, and if 2 or more positions are enabled,
then the instruction is faulted. There are five inputs and five outputs on this instruction.
If the switch has one position enabled, the appropriate output is energized.
ROUT is the only safety output instruction. Note that all the above are for safety inputs.
ROUT stands for Redundant Output. If the input to the instruction is HI, and there are no
faults, then the dual outputs are set HI. This instruction has feedback monitoring inputs
to ensure that the outputs are operating correctly. The feedback can be set positive or
negative. Negative is typically used, because that is how virtually all relays and
contactors operate. If the output is set HI, the instruction gives the feedback 250ms to go
LO. And if the output is set LO, the feedback has 250ms to go HI.
Single vs Dual channel configuration
You can configure safety inputs for either Single or Dual (Equivalent or Complementary)
mode. This configures safety modules to view the inputs individually or in pairs. When
configured in pairs (Dual), the safety module will ALWAYS send the channel data to
GuardLogix as both LO or both HI. Obviously, this assumes the inputs are configured
equivalent. This means that the Inputs Inconsistent fault on the RSLogix 5000 instruction
will never be HI. So the question is whether you want to perform the diagnostics of the
safety input on the safety module (with LEDs and status bits) or in the RSLogix 5000
instructions. Unless you develop code to read all of the status information from the
safety modules, it may be easier to configure the inputs as single, and simply use the
RSLogix 5000 status bits for operator display. I configured the safety modules for
DUAL in the safety accelerator toolkit, because the toolkit contains AOIs to read all of
the status information directly from the modules. Note that if configured for Dual, you
will select either Complementary or Equivalent. In other words, should the input pair
always be the same or always be diverse.
1791ES Safety Connections
A 1791ES module can support a total of 4 unique safety connections (4 input, 1 output).
A unique safety connection is defined by the assembly requested and the RPI.
On the IO connections webpage of the module you should see "multicast" under an
address for connections that are consumers of the multicast connection. When you
change the input assembly or RPI, this "multicast" description will go away and you will
be using up one of the unique safety connections.
How the V17 SMAT instruction works
Test Outputs are the 24Vdc sources.
Safety Inputs are the 24Vdc sinks.
The instruction controls the Test output sources, and monitors the Safety Input sinks.
When T0 is set HI, SMAT waits for IN0 to go HI.
When this occurs, SMAT resets T0 and sets T1 HI, then waits for IN1 to go HI, and it
just continues this toggle forever.
At all times (if nobody is stepping on the mat), only 1 Test Output is HI, and one Safety
Input is HI. SMAT simply makes sure the inputs are ALWAYS diverse.
When the mat is stepped on, the plates short together, and by definition, both inputs are
equivalently HI, they are no longer diverse, so SMAT turns off the instruction output.
The 1791 module detects the channel to channel short between the Test Outputs (and if
you look closely you see T1 go RED when you step on the mat).
The key is that when this occurs, SMAT sets both Test Outputs LO, which sets the inputs
LO and resets the 1791 module fault.
The fault occurs again and again and again as long as you remain on the mat; but it
continues to get reset.
If you actually have a short to 24Vdc; then setting the Test Outputs LO will NOT reset
the inputs; and the instruction will actually detect and set the Fault Present output bit.
That is how the instruction works; now let’s talk about how the Short Circuit Detect Delay
Time and the Input Error Latch Time affect this.
The Short Circuit Detect Delay Time (SCDDT) is how long SMAT waits before
declaring that the equivalency at the safety inputs was caused by an actual short circuit
and NOT someone stepping on the mat. For example, it normally takes just a couple ms
for SMAT to see the equivalency at the inputs and set the Test outputs LO. When the
mat is stepped on, this resets the 1791 module fault before the SCDDT timer expires.
Thus, SMAT knows someone is on the mat. But if the 1791 fault remains as the timer
expires, then there is an actual short circuit, and the fault is declared. So SCDDT simply
has to be longer than the time it takes for SMAT to attempt to reset the 1791 module fault.
The minimum for SCDDT is 5ms; and this is long enough to accomplish this task.
Now let’s discuss Input Error Latch Time (IELT). This is the time any 1791 module fault
remains before the module allows it to be reset. You know what is coming next. If IELT
is longer than the SCDDT, then necessarily the 1791 fault will still be there when SCDDT
expires, and that will cause SMAT to declare a fault EVERY time someone steps on the
mat.
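The SCDDT/IELT interplay described above as a timeline model, so a mat step, a genuine short to 24Vdc, and a misconfigured IELT can be compared. This is an added example, not code from the original document; the 2 ms SMAT response time and the instantaneous module fault are assumptions, while the 5 ms SCDDT minimum comes from the text.

```python
"""SMAT timing: Short Circuit Detect Delay Time vs Input Error Latch Time.

Added example, not code from the original document. Models the sequence the
text describes: when both safety inputs become equivalent the 1791 module
raises a channel-to-channel short fault, SMAT sets both Test Outputs LO a
couple of milliseconds later, and the module fault can only clear once the
Input Error Latch Time (IELT) has elapsed. If the fault is still present when
the Short Circuit Detect Delay Time (SCDDT) expires, SMAT declares Fault
Present. The 2 ms SMAT response and the instantaneous module fault are
assumptions; the 5 ms SCDDT minimum is from the text.
"""
from typing import List, Optional

SCDDT_MIN_MS = 5.0           # minimum SCDDT stated in the text
SMAT_RESET_ATTEMPT_MS = 2.0  # assumed: "a couple ms" to see equivalency and drop T0/T1


def fault_reset_time_ms(cause: str, ielt_ms: float,
                        smat_reset_ms: float = SMAT_RESET_ATTEMPT_MS) -> Optional[float]:
    """Time from fault onset at which the 1791 module fault clears, or None.

    cause is "mat" (plates shorted by someone standing on the mat) or
    "short_to_24v" (a wiring fault that keeps the inputs HI regardless of
    the Test Outputs).
    """
    if cause == "short_to_24v":
        return None                 # dropping the Test Outputs does not clear the inputs
    # The inputs fall LO when SMAT drops the Test Outputs, but the module
    # holds the fault for at least the IELT before it allows the reset.
    return max(smat_reset_ms, ielt_ms)


def smat_outcome(cause: str, scddt_ms: float, ielt_ms: float) -> str:
    """'on_mat' if SMAT reads the equivalency as a mat step, 'fault_present'
    if the module fault survives until the SCDDT timer expires."""
    cleared_at = fault_reset_time_ms(cause, ielt_ms)
    if cleared_at is None or cleared_at >= scddt_ms:
        return "fault_present"
    return "on_mat"


def check_timing(scddt_ms: float, ielt_ms: float) -> List[str]:
    """Configuration problems to catch before commissioning the mat."""
    problems = []
    if scddt_ms < SCDDT_MIN_MS:
        problems.append("SCDDT below the 5 ms minimum")
    if ielt_ms >= scddt_ms:
        problems.append("IELT not shorter than SCDDT: every mat step becomes a fault")
    return problems


if __name__ == "__main__":
    for scddt, ielt in ((5.0, 0.0), (5.0, 10.0)):   # constructed sample settings, ms
        print(f"SCDDT={scddt} IELT={ielt}:",
              "step on mat ->", smat_outcome("mat", scddt, ielt),
              "| short to 24V ->", smat_outcome("short_to_24v", scddt, ielt),
              "| problems:", check_timing(scddt, ielt))
```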
Explicit Messaging of the 1791DS modules from Logix
It is common for users to use the implicit I/O connection to read the combined status of
the inputs and outputs. If the combined status bit indicates an issue, then the user can
utilize explicit messaging to gather detailed status information to the point level.
The 1791DS Users Manual (1791DS-UM001x) shows the different assemblies that can
be read from the module. An example from this manual is shown here:
The values of the safety inputs, safety input status, safety output status and muting lamp
status are examples of data that can be explicitly read from these modules.
The following example uses assembly 344 (hex; 836 decimal) to explicitly read from the 1791DS-
IB8xOBV4 module.
Because assembly 836 requires 4 bytes, a single DINT tag works perfectly.
When the message is done, the data appears as shown:
Note that you have to match up the assembly to the data above. For example, bit 8 shows
the status of safety input channel 0.
A UDT can be used to easily describe the bits. The following UDT was created for
assembly 836.
A tag was created that used this UDT data type.
This new tag was placed into the Destination of the MSG instruction.
Now when the message is run, the data appears in the UDT as shown:
The tagnames are much more descriptive. Please take note of the fact that this status is
NOT safe data. Do not use the first byte in safety logic. Just use it for HMIs.
If the channel status bit goes LO; then you can use the following explicit messages to get
detailed information about the specific channel fault.
Refer to the 1791DS Users Manual for more information on data that can be read via
explicit messaging.
Can I have spare Safety modules ready for plug-in?
Can I have spare 1791DS/ES safety I/O modules at the ready with the SNN preset,
and then just dial in the replacement node number?
Short answer – NO
Many OEMs want this capability because the end user would not have to set the SNN
when replacing a module. Setting the SNN requires RSLogix5000 software.
The reason is that the node address is stored in Flash whenever the SNN is set. This
combination of node # and SNN make up the unique safety identifier for the module.
From a safety standpoint, the actual dials simply cannot be active during runtime. This
makes safety sense, because we simply cannot allow a change of the node number dials
during runtime to have any impact whatsoever on the safety system. To prevent this,
when the SNN is set, the current node number at that time is stored to generate the
identifier. The dials do need to match the identifier in Flash. If the dials are changed, the
safety connection will be broken.
Metal Form V17 instructions
These instructions control the operation of a press by controlling up to two (2) main
control valves, as well as auxiliary valves for starting (clutch) and stopping (brake).
Modes include:
‐ Inch Mode
‐ Single Stroke Mode
‐ Continuous Mode
o Immediate
o Immediate with Arming
o Half Stroke with Arming
o Stroke-and-a-Half with Arming
‐ Maintenance Mode
o Bottom Dead Center switch required
o Flywheel stopped input required
Wiring Diagrams: Common Safety Devices
[Wiring diagrams not reproduced; the safety categories each diagram covers are listed.]
EStop / Dry Contacts (CAT 2, CAT 3, CAT 4)
Tongue Interlocks / Dry Contacts (CAT2, CAT3, CAT4)
Light Curtains, OSSD1 OSSD2 Devices (CAT2, CAT3, CAT4)
GuardShield (CAT4)
Solenoid Locking Switch / Dry Contacts (CAT2, CAT3, CAT4)
Electronic Sensors (CAT2, CAT3, CAT4; one category marked N/A)
Safety Contactors [OB Outputs] (CAT2, CAT3/CAT4)
Safety Contactors [OBV Outputs] (CAT2, CAT3/CAT4)
Kinetix 6000 Safety Drives [OB Outputs] (CAT2, CAT3, CAT4)
Kinetix 6000 Safety Drives [OBV Outputs] (CAT3, CAT4)
PowerFlex Safety Drives [OBV Outputs] (CAT3, CAT4)
Standard Drives [OBV Outputs] (CAT2, CAT3/CAT4)