1756-RM001B-EN-P, Using ControlLogix in SIL2 ... - Tuv-fs.com
10-2 Use and Application of Human to Machine Interfaces

Changing Parameters in Safety-Related Systems

A parameter change in a safety-related loop via an external (that is, outside the safety loop) device (for example, an HMI) is only allowed with the following restrictions:

• Only authorized, specially-trained personnel can change the parameters in safety-related systems via HMIs.
• The user who makes changes in a safety-related system via an HMI is responsible for the effect of those changes on the safety loop.
• Users must clearly identify the variables that are to be changed as under the control of the ControlLogix controller inside the safety loop.
• Users must use a clear, comprehensive and explicit operator procedure to make safety-related changes via an HMI.
• Changes can only be accepted in a safety-related system if the following sequence of events occurs:
  a. Changes are sent from the HMI to the ControlLogix controller in the safety loop.
  b. The ControlLogix controller in the safety loop sends the changes back to the HMI, before accepting the changes or acting on them.
  c. The user verifies that the changes are correct.
  In every case, the operator must confirm the validity of the change before it is accepted and applied in the safety loop.
• The software used in the HMI and the ControlLogix controller (in this case, RSLogix 5000) should be designed to verify that changes to the safety system are within acceptable limits and do not otherwise compromise the safety system.
• The user should test all changes as part of the safety validation procedure.

Publication 1756-RM001B-EN-P - October 2003
• Users must sufficiently document all safety-related changes made via HMI, including:
  – authorization
  – impact analysis
  – execution
  – test information
  – revision information
• Changes to the safety-related system must comply with the IEC 61511 standard on process safety, section 11.7.1, Operator Interface requirements.

Changing Parameters in Non-Safety-Related Systems

When the HMI device is used to change parameters in a non-safety-related system, remember the following techniques:

• When the HMI is used to input parameters such as setpoints for a PID loop or drive speeds, the application program should include sound techniques used for other types of change validation, including:
  – Display the data to be changed
  – Acceptable ranges and limits used in the program for data checks (in other words, checks to make sure entered data is within an acceptable range)
  – Display the new value along with the existing value
  – Prompt the operator to acknowledge and accept the changed value before allowing the change to take effect
• The developer must follow the same sound development techniques and procedures used for other application software development, including the verification and testing of the operator interface and its access to other parts of the program. The PLC application software should set up a table that is accessible by the HMI and limits access to required data points only.
• Similar to the PLC program, the HMI software needs to be secured and maintained for SIL2 compliance after the system has been validated and tested.
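The send, read-back and confirm sequence from the safety-related section, combined with the range checks and limited access table from the non-safety section, modeled in Python as an added example. It is not code from the manual or from RSLogix 5000, and the tag names, limits and user name are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed access table: the only tags the HMI may write, with limits.
# Tag names, ranges and user names are illustrative assumptions.
HMI_WRITABLE = {"PID1.Setpoint": (0.0, 150.0), "Drive3.SpeedRef": (0.0, 60.0)}
AUTHORIZED = {"operator_a"}

@dataclass(frozen=True)
class Pending:
    tag: str
    old: float
    new: float

class Controller:
    """Controller-side model of the propose / read-back / confirm sequence."""

    def __init__(self, values):
        self.values = dict(values)  # live values used by the control program
        self.pending = {}           # user -> change awaiting confirmation
        self.audit = []             # record of every accepted change

    def propose(self, user, tag, new):
        """HMI sends a change; it is checked and echoed back, not applied."""
        if user not in AUTHORIZED:
            raise PermissionError(f"{user} may not change parameters")
        if tag not in HMI_WRITABLE:
            raise PermissionError(f"{tag} is not in the HMI access table")
        lo, hi = HMI_WRITABLE[tag]
        if not (lo <= new <= hi):   # also rejects NaN
            raise ValueError(f"{tag}={new} outside [{lo}, {hi}]")
        self.pending[user] = Pending(tag, self.values[tag], new)
        return self.pending[user]   # HMI displays old and new side by side

    def confirm(self, user, tag, echoed_new):
        """Apply only if the operator confirms exactly what was echoed."""
        p = self.pending.pop(user, None)  # one confirmation attempt per proposal
        if p is None or p.tag != tag or p.new != echoed_new:
            return False
        if self.values[tag] != p.old:     # value moved since it was displayed
            return False
        self.values[tag] = p.new
        self.audit.append((user, tag, p.old, p.new))
        return True
```

The live value changes only inside `confirm`, so a proposal that is never confirmed, or is confirmed with a different value than the one echoed, leaves the loop untouched.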