1756-RM001B-EN-P, Using ControlLogix in SIL2 ... - Tuv-fs.com
1756-RM001B-EN-P, Using ControlLogix in SIL2 ... - Tuv-fs.com 1756-RM001B-EN-P, Using ControlLogix in SIL2 ... - Tuv-fs.com
1-8 SIL PolicyHardware Designs andFirmware FunctionsDiagnostic hardware designs and firmware functions designed into theControlLogix platform allow it to achieve at least SIL2 certification in asingle-controller configuration. These diagnostic features areincorporated into specific ControlLogix components, such as the:• processor• power supply• I/O modules• backplaneand are covered in subsequent sections. The ControlLogix platform’sdesigns, features and characteristics make it one of the most intelligentplatforms.Some of the ControlLogix features include:• multiple microprocessors which check themselves and eachother• I/O modules with internal microprocessors• an I/O architecture that includes modules with backplaneconnections to the main central processing unit (CPU).The backplane connections, along with configuration identities,permit a new level of I/O module diagnostics unavailable in earlierplatforms.Difference Between PFDand PFHSafety-related systems can be classified as operating in either a lowdemand mode, or in a high demand/continuous mode. IEC 61508quantifies this classification by stating that the frequency of demandsfor operation of the safety system is no greater than once per year inthe low demand mode, or greater than once per year in highdemand/continuous mode. Generally speaking however, the once peryear is expanded to ten times per year.The SIL value for a low demand safety-related system is relateddirectly to order-of-magnitude ranges of its average probability offailure to satisfactorily perform its safety function on demand or,simply, probability of failure on demand (PFD). The SIL value for ahigh demand/continuous mode safety-related system is relateddirectly to the probability of dangerous failure occurring per hour(PFH).Although PFD and PFH values are usually associated with each of thethree elements making up a safety-related system (the sensors, theactuators, the logic element), they can be associated with eachcomponent of the logic element, that is, each module of aProgrammable Controller.Publication 1756-RM001B-EN-P - October 2003
SIL Policy 1-9Table 1.3 and Table 1.4 present values of the PFDs and PFHs for thespecific ControlLogix products evaluated by TUV.The Mean Time Between Failure (MTBF) values listed in Table 1.3 andTable 1.4 are calculated from field data for each product. A minimuminstalled base must exist for at least one year before a value iscalculated. It is assumed that the products are in use 16 hours/day, 5days/week, 52 weeks/year. It can be noted that these values areupdated monthly and that the values tabulated below were currentwhen this publication was prepared. The Failure Rate (λ) column ofTable 1.3 and Table 1.4 is just the reciprocal of MTBF.For the example PFD calculations, several assumptions were made:• 50% of the failures of each product reported to RockwellAutomation are dangerous failures.• The diagnostic coverage (DC) is 90% for modules used in a 1oo1architecture.• The diagnostic coverage is 60% for modules used in a 1oo2architecture.• The fraction of detected common cause failures (β D ) is 1%.• The fraction of undetected common cause failures (β) is 2%Because Rockwell Automation does not and can not know everypotential application for each product, these very conservativeassumptions had to be made to do the calculations.For the sample calculations presented in this manual, the followingvalues were used as the two application-dependent variables:• The Mean Time to Restoration (MTTR) is ten hours.• The Proof Test Interval (T 1 ) is one year (8760 hours). (1)The equation for PFD, from IEC61508, for a 1oo1 architecture is:PFD = (λ DU + λ DD )t CE = λ D t CE = λ/2 [T 1 /2 (1 - DC) + MTTR]– where: λ DU is the undetected dangerous failure rate (perhour)λ DD is the detected dangerous failure rate (per hour)t CE is the "channel equivalent mean down time"λ D is the dangerous failure rate (per hour)λ is the overall product failure rate (per hour)(1) For PFD calculations using proof test intervals of 2 and 4 years, see Appendix E.Publication 1756-RM001B-EN-P - October 2003
- Page 1: Using ControlLogixin SIL2 Applicati
- Page 4 and 5: Summary of Changes 2Notes:Publicati
- Page 6 and 7: Preface 2Table Preface.1Section: Ti
- Page 8 and 9: Table of Contents 2ControlLogix Com
- Page 10 and 11: Table of Contents 4Additional Infor
- Page 12 and 13: 1-2 SIL PolicyThe TUV Rheinland has
- Page 14 and 15: 1-4 SIL PolicySIL2 CertificationFig
- Page 16 and 17: 1-6 SIL PolicySIL2-Certified Contro
- Page 20 and 21: 1-10 SIL PolicyCatalogNumberDescrip
- Page 22 and 23: 1-12 SIL PolicyCatalogNumberDescrip
- Page 24 and 25: 1-14 SIL PolicySIL ComplianceDistri
- Page 26 and 27: 1-16 SIL PolicyProgram Watchdog Tim
- Page 28 and 29: 2-2 The ControlLogix SystemIf an an
- Page 30 and 31: 2-4 The ControlLogix SystemData Ech
- Page 32 and 33: 2-6 The ControlLogix SystemSoftware
- Page 34 and 35: 2-8 The ControlLogix SystemNotes:Pu
- Page 36 and 37: 3-2 ControlLogix System HardwareCon
- Page 38 and 39: 3-4 ControlLogix System HardwareRec
- Page 40 and 41: 3-6 ControlLogix System HardwareNot
- Page 42 and 43: 4-2 ControlLogix ControllerRecommen
- Page 44 and 45: 5-2 ControlLogix Communications Mod
- Page 46 and 47: 5-4 ControlLogix Communications Mod
- Page 48 and 49: 6-2 ControlLogix I/O ModulesFigure
- Page 50 and 51: 6-4 ControlLogix I/O ModulesModule
- Page 52 and 53: 6-6 ControlLogix I/O ModulesWiring
- Page 54 and 55: 6-8 ControlLogix I/O ModulesGeneral
- Page 56 and 57: 6-10 ControlLogix I/O ModulesWiring
- Page 58 and 59: 6-12 ControlLogix I/O ModulesApplic
- Page 60 and 61: 6-14 ControlLogix I/O Modules• Ch
- Page 62 and 63: 6-16 ControlLogix I/O ModulesWiring
- Page 64 and 65: 6-18 ControlLogix I/O ModulesWiring
- Page 66 and 67: 6-20 ControlLogix I/O ModulesUsing
SIL Policy 1-9Table 1.3 and Table 1.4 present values of the PFDs and PFHs for thespecific <strong>ControlLogix</strong> products evaluated by TUV.The Mean Time Between Failure (MTBF) values listed <strong>in</strong> Table 1.3 andTable 1.4 are calculated from field data for each product. A m<strong>in</strong>imum<strong>in</strong>stalled base must exist for at least one year before a value iscalculated. It is assumed that the products are <strong>in</strong> use 16 hours/day, 5days/week, 52 weeks/year. It can be noted that these values areupdated monthly and that the values tabulated below were currentwhen this publication was prepared. The Failure Rate (λ) column ofTable 1.3 and Table 1.4 is just the reciprocal of MTBF.For the example PFD calculations, several assumptions were made:• 50% of the failures of each product reported to RockwellAutomation are dangerous failures.• The diagnostic coverage (DC) is 90% for modules used <strong>in</strong> a 1oo1architecture.• The diagnostic coverage is 60% for modules used <strong>in</strong> a 1oo2architecture.• The fraction of detected <strong>com</strong>mon cause failures (β D ) is 1%.• The fraction of undetected <strong>com</strong>mon cause failures (β) is 2%Because Rockwell Automation does not and can not know everypotential application for each product, these very conservativeassumptions had to be made to do the calculations.For the sample calculations presented <strong>in</strong> this manual, the follow<strong>in</strong>gvalues were used as the two application-dependent variables:• The Mean Time to Restoration (MTTR) is ten hours.• The Proof Test Interval (T 1 ) is one year (8760 hours). (1)The equation for PFD, from IEC61508, for a 1oo1 architecture is:PFD = (λ DU + λ DD )t CE = λ D t CE = λ/2 [T 1 /2 (1 - DC) + MTTR]– where: λ DU is the undetected dangerous failure rate (perhour)λ DD is the detected dangerous failure rate (per hour)t CE is the "channel equivalent mean down time"λ D is the dangerous failure rate (per hour)λ is the overall product failure rate (per hour)(1) For PFD calculations us<strong>in</strong>g proof test <strong>in</strong>tervals of 2 and 4 years, see Appendix E.Publication <strong>1756</strong>-<strong>RM001B</strong>-<strong>EN</strong>-P - October 2003
Change language