1756-RM001B-EN-P, Using ControlLogix in SIL2 ... - Tuv-fs.com
8-2 General Requirements for Application Software

SIL2 Programming

Safety Concept of the ControlLogix System

The safety concept of SIL2 assumes that:
• the programming system (PS) hardware and firmware work correctly (that is, programming system errors can be detected).
• the user applies the logic correctly (that is, user programming errors can be detected).

For the initial start-up of a safety-related ControlLogix system, the entire system must be checked by a complete functional test. After a modification of the application program, the modified program or logic must be checked again.

For more information on how users should handle changes to their application program, see the Changing Your Application Program section on page 9-6.

General Guidelines for Application Software Development

The application software for the intended SIL2 systems is expected to be developed by the system integrator and/or user. The developer must follow good design practices, including the use of:
• Functional specifications
• Flow charts
• Timing diagrams
• Sequence charts
• Program review
• Program validation

All logic should be reviewed and tested. To facilitate reviews and reduce unintended responses, developers should limit the set of instructions to basic Boolean/ladder logic (such as examine On/Off, Timers, Counters, etc.) whenever possible. This set should include instructions that can be used to accommodate analog variables, such as:
• Limit tests
• Comparisons
• Math instructions

See Appendix B, System Self-Testing and User-Programmed Responses, for details.

Publication 1756-RM001B-EN-P - October 2003
Users must verify the download of the application program and its proper operation. A typical validation technique is to upload the downloaded program file and compare it against what is stored in the programming terminal. The upload compare can also be repeated after an interval: save the first upload and compare it to the second or subsequent uploads, so that any later change to the program in the controller is detected. This approach could also be performed through different paths (that is, over ControlNet and via the serial port).

Safety logic and non-safety-related logic should be separate.

Check the Created Application Program

To check the created application program for adherence to the specified function, you must generate a suitable set of test cases covering the specification. The set of test cases is filed as the test specification.

A suitable test set must also be generated for the numeric evaluation of formulas. Equivalence range tests are acceptable. These are tests within the defined value ranges, at the limits, and in impermissible value ranges. The test cases must be selected to prove the correctness of the calculation. The necessary number of test cases depends on the formula used and must include critical value pairs.

However, active simulation with sources cannot be omitted, as this is the only means of detecting correct wiring of the sensors and actuators to the system. Furthermore, this is the only means of testing the system configuration. Users should verify the correctly programmed functions by forcing I/O or by manual manipulation of sensors and actuators.

Possibilities of Program Identification

The application program is clearly identified by one of the following:
• Name
• Date
• Revision
• Any other user identification information
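The upload-compare procedure above, as an added example that is not part of the Rockwell manual and uses no Rockwell tool or API. It assumes (hypothetically) that the programming terminal can export the project it downloaded as bytes, and that each upload from the controller is available as bytes together with the path it came over (for example "ControlNet" or "Serial"). The compare is a SHA-256 digest match on those exported images; the project images and timestamps are constructed data.

```python
"""Added example (not from the Rockwell manual): recording upload-compare
checks for a downloaded controller program.

Assumptions (hypothetical, for illustration): the programming terminal can
export the project it downloaded as bytes, and each upload from the
controller is likewise available as bytes along with the path it came over
(e.g. "ControlNet" or "Serial").  No Rockwell tool or API is involved; the
compare is a SHA-256 digest match on the exported images.
"""
import hashlib
from dataclasses import dataclass, field


def image_digest(image: bytes) -> str:
    """SHA-256 of an exported project image; this is the compare key."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class UploadRecord:
    path: str        # communication path the upload came over
    timestamp: str   # when it was taken (ISO 8601, supplied by the caller)
    digest: str      # SHA-256 of the uploaded image


@dataclass
class DownloadVerifier:
    reference: str                               # digest of the terminal's copy
    uploads: list = field(default_factory=list)  # every upload taken so far

    def record_upload(self, image: bytes, path: str, timestamp: str) -> UploadRecord:
        rec = UploadRecord(path, timestamp, image_digest(image))
        self.uploads.append(rec)
        return rec

    def mismatches(self) -> list:
        """Uploads that differ from the terminal's copy (the first compare)."""
        return [u for u in self.uploads if u.digest != self.reference]

    def drift(self) -> list:
        """Later uploads that differ from the first upload (interval compares)."""
        if not self.uploads:
            return []
        first = self.uploads[0].digest
        return [u for u in self.uploads[1:] if u.digest != first]

    def paths_agree(self) -> bool:
        """True when uploads over every path returned the same image."""
        return len({u.digest for u in self.uploads}) <= 1

    def verified(self) -> bool:
        """Download verified: at least one upload taken and none differ."""
        return bool(self.uploads) and not self.mismatches()


def demonstrate():
    """Two matching uploads over different paths, then a later upload that
    differs (constructed data standing in for an undocumented change)."""
    project = b"constructed project image v1"
    v = DownloadVerifier(reference=image_digest(project))
    v.record_upload(project, "ControlNet", "2003-10-01T08:00:00")
    v.record_upload(project, "Serial", "2003-10-01T08:05:00")
    clean = v.verified() and v.paths_agree()
    v.record_upload(project + b" + undocumented rung", "ControlNet",
                    "2003-10-08T08:00:00")
    return clean, [u.path for u in v.drift()], v.verified()


if __name__ == "__main__":
    print(demonstrate())  # (True, ['ControlNet'], False)
```

The first two uploads agree with the terminal copy and with each other across paths, so the download is verified; the third, taken a week later, no longer matches the first upload, which is exactly the condition the interval compare exists to surface. Keeping the record (path, time, digest) rather than only a pass/fail flag is what lets you say later which path and which point in time first showed the difference.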
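The equivalence range test set described under Check the Created Application Program, as an added example that is not from the Rockwell manual. It assumes (hypothetically) that the safety logic scales a raw analog input to engineering units with a linear formula and then applies a limit test (low <= value <= high), the way a ladder LIM instruction would; the channel range (0..4000 counts for 0..200 degrees C) and the limits (20..180) are constructed values, not from any real plant. The example goes one step beyond the text by showing why the boundary cases are needed: a mistyped high limit passes the nominal case and is caught only at the limits.

```python
"""Added example (not from the Rockwell manual): building and running an
equivalence-range test set for an analog limit check.

Assumptions (hypothetical, for illustration): the safety logic scales a raw
analog input to engineering units with a linear formula and then applies a
limit test (low <= value <= high), as a ladder LIM instruction would.  The
ranges and limits are constructed values, not taken from any real plant.
"""
from fractions import Fraction

# Constructed analog channel: 0..4000 raw counts map to 0..200 degrees C.
RAW_MIN, RAW_MAX = 0, 4000
EU_MIN, EU_MAX = 0, 200


def scale(raw, raw_min=RAW_MIN, raw_max=RAW_MAX, eu_min=EU_MIN, eu_max=EU_MAX):
    """Raw counts -> engineering units, in exact arithmetic (no float rounding).
    A zero raw span is the critical value pair for this formula: division by
    zero, so it is rejected rather than silently producing a number."""
    if raw_max == raw_min:
        raise ValueError("raw span is zero: scaling formula undefined")
    return Fraction(raw - raw_min) * (eu_max - eu_min) / (raw_max - raw_min) + eu_min


def unscale(eu, raw_min=RAW_MIN, raw_max=RAW_MAX, eu_min=EU_MIN, eu_max=EU_MAX):
    """Engineering units -> raw counts, to place test points exactly at the limits."""
    if eu_max == eu_min:
        raise ValueError("engineering span is zero: inverse formula undefined")
    return Fraction(eu - eu_min) * (raw_max - raw_min) / (eu_max - eu_min) + raw_min


def limit_test(value, low, high):
    """Mirror of a LIM instruction: true when low <= value <= high."""
    return low <= value <= high


def build_test_spec(low_eu, high_eu, step=1):
    """Equivalence-range test set for the limit check, expressed in the raw
    counts a test bench would inject.  Each entry: (label, raw, expected).
    Covers values inside the range, at both limits, just either side of
    them, and in the impermissible ranges (outside the limits and outside
    the sensor's raw span).  This list is the filed test specification."""
    lo_raw, hi_raw = unscale(low_eu), unscale(high_eu)
    mid_raw = (lo_raw + hi_raw) / 2
    return [
        ("below sensor span", RAW_MIN - step, False),
        ("below low limit",   lo_raw - step,  False),
        ("at low limit",      lo_raw,         True),
        ("just above low",    lo_raw + step,  True),
        ("nominal",           mid_raw,        True),
        ("just below high",   hi_raw - step,  True),
        ("at high limit",     hi_raw,         True),
        ("above high limit",  hi_raw + step,  False),
        ("above sensor span", RAW_MAX + step, False),
    ]


def run_test_spec(spec, low_eu, high_eu):
    """Run every case through scale + limit_test against the limits actually
    programmed; return the labels of the cases that fail."""
    failures = []
    for label, raw, expected in spec:
        if limit_test(scale(raw), low_eu, high_eu) != expected:
            failures.append(label)
    return failures


def demonstrate():
    """Correct limits pass every case.  A mistyped high limit (1800 entered
    instead of 180) still passes the nominal case and is caught only by the
    cases at and beyond the high limit."""
    spec = build_test_spec(20, 180)          # from the specification
    good = run_test_spec(spec, 20, 180)      # limits as specified
    typo = run_test_spec(spec, 20, 1800)     # limits as (wrongly) programmed
    return good, typo


if __name__ == "__main__":
    print(demonstrate())  # ([], ['above high limit', 'above sensor span'])
```

The test specification is built from the specified limits (20 and 180), not from whatever is programmed, so the same filed test set can be rerun after any change to the logic. Exact fractions are used so that a test point placed "at the limit" really is at the limit; with floats, the boundary cases are the ones most likely to be off by one rounding step.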