1756-RM001B-EN-P, Using ControlLogix in SIL2 ... - Tuv-fs.com
1-2 SIL Policy

The TUV Rheinland has approved the ControlLogix system for use in up to SIL 2 safety related applications in which the de-energized state is considered to be the safe state. All of the examples related to I/O included in this manual are based on achieving de-energization as the safe state for typical Emergency Shutdown (ESD) Systems.

The ControlLogix is a modular and configurable system with the ability to pre-configure outputs and other responses to fault conditions. As such, a system can be designed to meet requirements for "hold last state" in the event of a fault so that the system can be used in up to SIL 2 level Fire and Gas and other Applications that require that output signals to actuators remain on. By understanding the behavior of the ControlLogix system for an emergency shutdown application, the system design can incorporate appropriate measures to meet other application requirements. These measures relate to the control of outputs and actuators which must remain on to be in a safe state. The other requirements for SIL2 regarding inputs from sensors, software etc. must also be met. The measures and modifications which relate to Gas and Fire are listed below.

• The use of a manual over-ride is necessary to ensure the operator can maintain the desired control in the event of a Controller Failure. This is similar in concept to the function of the external relay or redundant outputs required to ensure a de-energized state is achieved for an ESD system should a failure occur that would prevent this from normally occurring such as a shorted output driver. The system knows it has a failure but the failure mode requires an independent means to maintain control and either remove power or provide an alternate path to maintain power to the end actuator.

• If the application cannot tolerate an output that can fail shorted (energized) then an external means such as a relay or other output must be wired in series to remove power when the fail shorted condition occurs. (Refer to Figure 6.8 on page 6-11.) If the application cannot tolerate an output that fails open (deenergized) then an external means such as a manual override or output must be wired in parallel. (Refer to the manual override Figure 1.1 on page 1-3.) The user must supply the alternative means and develop the application program to initiate the alternate means of removing or continuing to supply power in the event the main output fails.

• This manual over-ride circuit is shown in Figure 1.1. It is composed of a hardwired set of contacts from a selector switch or push-button. One Normally Open contact provides for the bypass of power from the Controller output directly to the actuator. The other is a Normally Closed contact to remove or isolate the controller output.

• An application program needs to be generated to monitor the diagnostic output modules for dangerous failures such as shorted or open output driver channels. Diagnostic output modules must be configured to hold last state in the event of a fault.

• A diagnostic alarm must be generated to inform the operator that manual control is required.

• The faulted module must be replaced within a reasonable time frame.

• Any time a fault is detected the user must annunciate the fault to an operator by some means (for example, an alarm light).

[Figure 1.1: manual override circuit. Labels: L1, Manual Override, Actuator, L2 or Ground, Fault, Alarm to Operator]

Publication 1756-RM001B-EN-P - October 2003
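The measures above can be checked with a small boolean model. This is an added example, not code from the manual or from Rockwell Automation; it is a simplified simulation rather than controller logic, and every name in it (`OutputChannel`, `monitor`, `actuator_powered`, `energized_is_safe`) is hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class DriverFault(Enum):
    NONE = "none"
    SHORTED = "shorted"  # output driver fails energized
    OPEN = "open"        # output driver fails de-energized


@dataclass
class OutputChannel:
    commanded_on: bool
    fault: DriverFault = DriverFault.NONE

    def driven(self) -> bool:
        """What the driver actually does, regardless of the command."""
        if self.fault is DriverFault.SHORTED:
            return True
        if self.fault is DriverFault.OPEN:
            return False
        return self.commanded_on


def monitor(ch: OutputChannel, energized_is_safe: bool) -> dict:
    """Hypothetical application-program check run on the module diagnostics."""
    faulted = ch.fault is not DriverFault.NONE
    return {
        # Every detected fault is annunciated to the operator.
        "alarm": faulted,
        # ESD (de-energized is safe): open the series relay on a fault.
        "series_relay_closed": not faulted or energized_is_safe,
        # Fire and Gas (energized is safe): operator must take manual control.
        "manual_control_required": faulted and energized_is_safe,
    }


def actuator_powered(ch: OutputChannel, series_relay_closed: bool,
                     override_selected: bool) -> bool:
    """Figure 1.1 as described: NC contact isolates the controller output,
    NO contact bypasses power directly to the actuator."""
    controller_path = ch.driven() and series_relay_closed and not override_selected
    return controller_path or override_selected
```

The model makes the two failure cases visible: a shorted driver keeps the actuator energized unless the series relay opens, and an open driver leaves it de-energized until the operator selects the parallel override.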